8 Most Common Techniques Used To Steal Passwords
Most people have heard the term "data breach". Many picture a malicious hacker in front of a screen full of Matrix-style scrolling text, or a supercomputer grinding away at the whole world's defences.
In practice, most account takeovers come down to one thing: getting the password. If someone can guess or steal your password, they need neither elaborate exploits nor supercomputers. They simply log in as you. If your password is short and simple, it is game over. Below are the eight most common techniques used to steal passwords.
1. Dictionary Attack
The first technique in this guide to the most common techniques used to steal passwords is the dictionary attack. It gets its name because the attacker's tool automatically tries every entry in a specified "dictionary" against the password. The dictionary here is not the one you used at school.
Here a dictionary is a file of the most commonly used passwords, usually distilled from earlier breaches. It includes 123456, qwerty, password, iloveyou, and the all-time classic, hunter2. The table above lists the most leaked passwords of 2016.
The table below lists the most leaked passwords of 2020. Note the similarities between the two, and make sure none of these ridiculously simple choices is yours.
To defeat dictionary attacks, use a strong, unique password for every account, together with a password manager. A password manager stores all your other passwords in an encrypted vault, so you need to remember only one very strong master password, and every site can get its own long random one.
2. Brute Force
Next comes the brute force attack, in which the attacker tries every possible combination of characters, usually shortest first. The candidates can be shaped to match the site's complexity rules, for example at least one uppercase letter, one lowercase letter, one digit, and so on, so that no time is wasted on passwords the site would never have accepted.
A brute force tool will usually also try the most common alphanumeric combinations first. That includes the passwords listed above, plus keyboard walks such as 1q2w3e4r5t, zxcvbnm, and qwertyuiop. Exhausting the full keyspace can take a very long time, but how long depends entirely on the length of the password and the number of different characters it can contain; each extra character multiplies the attacker's work.
To stay safe from brute force attacks, make your passwords long above all, and mix character classes (letters, digits, symbols) to enlarge the set the attacker has to search. Length matters more than symbols: adding four lowercase letters multiplies the keyspace by 456,976, whereas switching an eight-character password from lowercase to all 95 printable characters multiplies it by roughly 32,000.
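The following is an added example, not code from the original article: a minimal brute force over a chosen character set, shortest candidates first, against an unsalted MD5 hash (MD5 here stands in for whatever fast hash a leaked dump used). It also computes keyspace sizes for a few password policies so you can see why a longer lowercase password beats a shorter one with symbols. The target password and the policies compared are constructed for illustration.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase                                           # 26 characters
LOWER_DIGITS = string.ascii_lowercase + string.digits                    # 36 characters
PRINTABLE = string.ascii_letters + string.digits + string.punctuation    # 95 characters


def md5_hex(s: str) -> str:
    """Unsalted MD5 stands in for whatever fast hash a leaked dump used."""
    return hashlib.md5(s.encode()).hexdigest()


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover for one fixed length."""
    return charset_size ** length


def brute_force(target_hash: str, charset: str, max_len: int):
    """Try every string over `charset` of length 1..max_len, shortest first.

    Returns (plaintext, attempts); plaintext is None if the keyspace is exhausted.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if md5_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def policy_comparison() -> dict:
    """Keyspace sizes for a few policies, to show that length beats complexity."""
    return {
        "8 chars, lowercase only": keyspace(26, 8),
        "8 chars, all 95 printable": keyspace(95, 8),
        "12 chars, lowercase only": keyspace(26, 12),
        "16 chars, lowercase only": keyspace(26, 16),
    }


if __name__ == "__main__":
    # Constructed target: a 4-character lowercase+digit password. Its keyspace is
    # only 36^4 = 1,679,616 candidates, which a laptop clears in about a second.
    secret = "pw9z"
    found, tries = brute_force(md5_hex(secret), LOWER_DIGITS, 4)
    print(f"recovered {found!r} after {tries:,} guesses")
    for policy, size in policy_comparison().items():
        print(f"{policy:28s} {size:.3e} candidates")
```

Run it and note the last two lines of output: twelve lowercase letters already give a larger keyspace than eight characters drawn from the full printable set, and every extra character multiplies the work again. Real cracking rigs test billions of hashes per second, so the absolute numbers are what matter, not the fact that a toy script finds a four-character password.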
3. Phishing
This is not "hacking" in the technical sense, but falling for a phishing or spear-phishing attempt usually ends just as badly. Generic phishing emails are sent by the billion to every kind of internet user around the world. A phishing attack usually works like this:
1. The target receives a fake email claiming to come from a large organization or business
2. The fake email demands immediate attention and contains a link to a website
3. The link actually leads to a fake login portal made to look exactly like the legitimate site
4. The unsuspecting target enters their login credentials and is redirected, or told to try again
5. The credentials are stolen, then sold or used maliciously (or both)
The daily volume of spam sent around the world is consistently high every year, accounting for more than half of all email sent globally. The volume of malicious attachments is high too: Kaspersky alone recorded more than 92 million malicious attachments from January to June 2020, so the true figure is far higher.
One way to avoid getting caught by phishing is to turn your spam filter up to its strictest setting or, better still, use a proactive whitelist of senders. Before clicking, check where a link really goes: hover over it to see the true destination, and use a link checker to confirm the domain belongs to the organization the email claims to be from. Better yet, never log in from a link in an email; type the site's address yourself.
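As an added example (not part of the original article), here is a small link checker of the kind the paragraph recommends. It pulls every anchor out of an HTML email body and flags the classic phishing tells: the link's host is a bare IP address, it uses a punycode (xn--) label that may hide a look-alike domain, it is not under the domain the sender claims, or the visible link text shows one site while the href goes to another. The sample email and the claimed brand domain are constructed; the registrable-domain check is a deliberate two-label approximation, and a production tool should use the public suffix list instead.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: what a phishing email body might look like. The first three
# links are malicious in different ways; the last one is the genuine site.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Verify now:</p>
<a href="http://examplebank.com.login-verify.xyz/secure">https://www.examplebank.com/login</a>
<a href="http://192.0.2.10/update">Update billing</a>
<a href="https://xn--exmplebank-8lb.com/login">examplebank.com</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

# The domain the sender claims to represent (taken from the brand in the email).
CLAIMED_DOMAIN = "examplebank.com"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Approximation: real code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, text: str, claimed: str) -> list:
    """Return the reasons a link looks suspicious; an empty list means it passed."""
    reasons = []
    host = urlsplit(href).hostname or ""
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode/IDN host (possible look-alike domain)")
    if registrable_domain(host) != claimed.lower():
        reasons.append(f"host {host!r} is not under {claimed}")
    # Visible text that is itself a URL must agree with where the href really goes.
    shown_host = urlsplit(text).hostname if text.startswith(("http://", "https://")) else None
    if shown_host and registrable_domain(shown_host) != registrable_domain(host):
        reasons.append(f"display text shows {shown_host!r} but href goes to {host!r}")
    return reasons


def scan_email(html: str, claimed: str) -> dict:
    """Map every href in the email to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, claimed) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML, CLAIMED_DOMAIN).items():
        verdict = "OK" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        print(f"{href}\n    {verdict}")
```

The first link is the most instructive: its host begins with examplebank.com, which is exactly what a hurried reader looks for, but the registrable domain is login-verify.xyz. Reading a hostname from the right, not the left, is the habit the checker encodes.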
4. Social Engineering
Social engineering is basically phishing in the real world. A core part of any security audit is measuring what the entire workforce understands. In such an audit, the security company calls the business it is assessing. The "attacker" tells the person on the phone that they are from the new IT support team and need the current password for some specific system. An unsuspecting employee can hand over the keys to the kingdom without a second thought.
What's scary is how often this works. Social engineering, in one form or another, has been around for centuries. Lying your way into a secure area is a common attack method, and one that only awareness protects against, because the attack does not always ask for the password directly. It might be a fake plumber or electrician asking to be let into a secure building, and so on.
Staying safe from social engineering is a little complicated, because a successful attack is usually over by the time you realize something went wrong. Security education and awareness are your main defence: verify who you are talking to through a channel you already trust before handing over any credential, and avoid posting personal information that could later be used against you.
5. Rainbow Tables
A rainbow table is normally used in an offline attack. Suppose an attacker has obtained a list of usernames and passwords, but the passwords are hashed rather than stored in plain text. A hash function turns the password into a fixed-length string that looks nothing like the original; for example, the MD5 hash of the word password is always 5f4dcc3b5aa765d61d8327deb882cf99.
That string may look like gibberish, but hashing is deterministic: the same input always produces the same output, and the function is meant to be one-way. So the attacker runs a list of plaintext candidates through the same hashing algorithm and compares the results to the stolen hash file. Worse, some algorithms such as MD5 are so fast, and have been in use for so long, that the hashes of all common passwords are already well known (which is why an administrator recognizes the hash of password on sight).
This is where the rainbow table comes in. Instead of hashing hundreds of thousands of potential passwords on every attack and comparing the results, a rainbow table is a large, precomputed, algorithm-specific structure of hash chains that lets the attacker look up a stolen hash and recover the plaintext with a fraction of the computation.
Using a rainbow table can drastically reduce the time it takes to crack hashed passwords, but it is not perfect. The table only covers the character set and lengths it was built for, and it is defeated by salting: if the site mixes a random per-user value into each hash, every user would need a table of their own. Still, for unsalted MD5 or SHA1, attackers can simply buy or download prefilled tables containing millions of candidates.
Defending against rainbow tables is a little tricky, because the fix lies largely with the site, not the user: passwords should be stored with a per-user salt and a deliberately slow hash (bcrypt, scrypt or Argon2), never as bare MD5 or SHA1. As a user, avoid any site known to use unsalted SHA1 or MD5 for passwords, avoid any site that limits you to a short password or restricts the characters you can use (a sign its storage is weak), and always use long, complex, unique passwords, which a table built for short inputs will never contain.
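To make the contrast concrete, here is an added example (not code from the original article) that plays both sides. It builds a precomputed hash-to-plaintext lookup from a wordlist and cracks a constructed dump of unsalted MD5 hashes instantly, which is the workflow a rainbow table compresses, and the same mechanism the dictionary attack in section 1 relies on. It then stores the same passwords the right way, with a random per-user salt and scrypt, and shows that two users with an identical password get different digests, so no table built in advance can cover them. The wordlist, the dump and the scrypt parameters are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed wordlist: a tiny stand-in for the multi-gigabyte lists attackers use.
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "hunter2", "mypassword", "letmein"]

# Assumed scrypt tuning: n=2^14, r=8 costs about 16 MiB of memory per guess,
# which is what makes bulk precomputation uneconomic.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Hash the wordlist once; every later unsalted MD5 dump becomes a dict lookup.

    A real rainbow table compresses this with hash chains, but the attacker's
    workflow is the same: precompute, then look up stolen hashes.
    """
    return {md5_hex(w): w for w in words}


def crack_unsalted(dump: dict, table: dict) -> dict:
    """dump maps username -> md5 hex. Returns username -> plaintext for every hit."""
    return {user: table[h] for user, h in dump.items() if h in table}


# The weak scheme: unsalted MD5, as many older sites stored passwords.
# Constructed dump; "carol" chose a password outside the wordlist, so it survives.
UNSALTED_DUMP = {
    "alice": md5_hex("hunter2"),
    "bob": md5_hex("mypassword"),
    "carol": md5_hex("Tr0ub4dor&3"),
}


# The hardened scheme: a random per-user salt plus a slow, memory-hard KDF.
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def same_password_two_salts(password: str) -> bool:
    """Two users with the same password get different digests, so one precomputed
    table cannot cover both; the attacker must start over for every salt."""
    salt1, digest1 = hash_password(password)
    salt2, digest2 = hash_password(password)
    return salt1 != salt2 and digest1 != digest2


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5 dump cracked:", crack_unsalted(UNSALTED_DUMP, table))
    salt, digest = hash_password("hunter2")
    print("salted scrypt verifies:", verify_password("hunter2", salt, digest))
    print("same password, two salts, different digests:", same_password_two_salts("hunter2"))
```

Two details carry the lesson. The lookup table is built once and reused against every future unsalted dump, which is why buying a prefilled table is worth an attacker's money; and the salted scheme forces a fresh scrypt computation per user per guess, at roughly 16 MiB and tens of milliseconds each, which is what turns "look it up" back into "grind through it".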
6. Malware
Another surefire way to lose your login credentials is through malware. Malware is everywhere, with the potential for major damage. If the malware carries a keylogger, everything you type, including every password, is recorded, and you can find all of your accounts compromised.
There is a lot of password-stealing software out there, so scan your computer regularly with a good anti-malware program. Malware can also target personal data directly, or install a remote-access Trojan that gives the attacker the same view of your machine that you have, credentials included.
To avoid malware and keyloggers, install antivirus and anti-malware software and keep it updated. Consider your download sources carefully, and do not click through installers that bundle extra software. Stay away from dubious sites, and use a script-blocking tool to stop malicious scripts from running in your browser.
7. Spidering
Spidering is related to the dictionary attack discussed earlier. If hackers target a specific institution or business, they may try a series of passwords related to that business itself: product names, slogans, the mascot, the founding year. The attacker can read the company's public material and compile the related terms by hand, or use a search spider to gather them automatically.
You may have heard the term "spider" before. These spiders work much like the ones that crawl the internet indexing content for search engines, except that the harvested words are turned into a custom word list and tried against the users' accounts in the hope of a match.
To stay safe, once again, use only strong, unique passwords made of random strings, with nothing related to you personally or to your business, organization, and so on.
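The following added example (not from the original article) shows what a spidering tool does once the crawl is finished: strip the visible text out of the fetched pages, keep the distinctive words, and expand each into the variants people actually choose as passwords, such as capitalised, upper-cased, leetspeak, and decorated with a year or a trailing symbol. The "crawled" pages and the fictional company are constructed and embedded inline so the script runs offline; the stopword list and mutation rules are a deliberately small illustration of what real tools ship.

```python
import re
from html.parser import HTMLParser

# Constructed pages standing in for what a crawler would fetch from the target's
# public site (about page, press release). The company is fictional.
CRAWLED_PAGES = [
    "<html><head><title>Acme Widgets - About</title></head><body>"
    "<h1>Welcome to Acme Widgets</h1>"
    "<p>Founded in 1987 in Springfield, Acme builds the WidgetMax line.</p></body></html>",
    "<html><body><p>Our mascot Rocky and the Acme Thunderbolt team win again in 2020!</p>"
    "</body></html>",
]

# Words too generic to be worth a guess. A real tool ships a much longer list.
STOPWORDS = {"the", "and", "our", "in", "to", "again", "line", "builds", "win",
             "welcome", "founded", "about", "team"}
MIN_LEN = 4
YEARS = ["2019", "2020", "2021"]
SUFFIXES = ["!", "1", "123", "#"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


class TextExtractor(HTMLParser):
    """Collect the visible text of a page, dropping the tags."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def extract_words(html: str) -> list:
    """Alphabetic tokens worth seeding from one page, in page order."""
    parser = TextExtractor()
    parser.feed(html)
    tokens = re.findall(r"[A-Za-z][A-Za-z0-9]+", " ".join(parser.chunks))
    return [t for t in tokens if len(t) >= MIN_LEN and t.lower() not in STOPWORDS]


def mutate(word: str) -> set:
    """Case variants, leetspeak, and the year/suffix decorations people add."""
    bases = {word, word.lower(), word.capitalize(), word.upper(), word.lower().translate(LEET)}
    out = set(bases)
    for base in bases:
        for year in YEARS:
            out.add(base + year)
            for suffix in SUFFIXES:
                out.add(base + year + suffix)
        for suffix in SUFFIXES:
            out.add(base + suffix)
    return out


def build_wordlist(pages) -> list:
    """Seed words from every page, expanded into a sorted candidate list."""
    seeds = set()
    for page in pages:
        seeds.update(extract_words(page))
    candidates = set()
    for seed in seeds:
        candidates |= mutate(seed)
    return sorted(candidates)


if __name__ == "__main__":
    wordlist = build_wordlist(CRAWLED_PAGES)
    print(f"{len(wordlist)} candidates from {len(CRAWLED_PAGES)} pages, for example:")
    print(", ".join(w for w in wordlist if w.startswith("Acme")))
```

Two short pages already yield several hundred candidates, and every one of them is far more likely to be an employee's password than a random entry from a generic dictionary. That is the whole point of the technique, and it is why anything about your employer, its products or its mascot should never appear in a password.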
8. Shoulder Surfing
This is the last technique in this guide to the most common techniques used to steal passwords. What if someone simply looks over your shoulder while you type your password?
Shoulder surfing sounds a little silly, but it happens. If you work in a busy downtown cafe and aren't paying attention to your surroundings, someone could be close enough to jot down your password as you type.
Shoulder surfing is a type of data theft in which cybercriminals steal personal or confidential information by peeking over the target's shoulder.
The way to avoid this attack is to stay alert: watch who is around you while typing your password, shield the keyboard with your free hand, and, at an ATM or door keypad, cover the keys during input.
So those are the most common techniques used to steal passwords. How do we stop hackers from stealing them? The short answer is that nobody can be 100% secure; the tools attackers use change all the time. But we can reduce our exposure. One thing is certain: use a strong, unique password for every account, so that a password stolen from one site opens nothing else.
That's all for 8 Most Common Techniques Used to Steal Passwords. Look out for other interesting articles, and don't forget to share this one with your friends. Thank you.