Unfortunately, many people take their passwords lightly. They may not even see themselves as potential targets. But in that case, hackers can easily obtain their passwords and steal all their personal data. So, let’s find out how the bad guys do it and how to combat password stealing.
Brute Force Attacks
One of the easiest password-stealing methods to understand is the brute force attack. It basically uses trial and error, testing one combination after another until the attacker gets in.
However, you’ll be surprised if you look up how many users still use the most common passwords! So, the attacks are usually algorithmic, testing the most common and most memorable passwords first.
For example, the hacker’s tool will probably test common passwords like “123456”, “password”, or “1234” first. After that, it will take words from a dictionary, append numbers and symbols, and swap characters for common substitutes.
But it would be insufficient for a human to guess passwords on his/her own, right? It would be far too slow! So, hackers use programs that generate huge numbers of passcodes based on the information the attackers feed them. So, if you’re still using one of those fragile passwords, it will probably be cracked in the time it takes you to change it!
Image Credit: Canva
Preventions
Firstly, use long, strong, and random passwords. Such passwords usually can’t be cracked in a short time, especially if the attack is algorithmic and works through common passwords first. Use the random password generator in a password manager for as many accounts as possible.
Secondly, use multi-factor authentication (MFA) whenever you can. Even if a hacker knows your password, your data stays safe unless he/she also has the verification code or your biometrics.
Phishing
But brute force attacks become less and less efficient as webmasters enable CAPTCHAs and limit login attempts. So, hackers need more advanced methods to steal users’ data. One of the most successful ways to break into accounts is phishing, because many people fall into the traps of phishing emails.
In phishing campaigns, scammers craft emails, messages, or even phone calls that look legitimate and usually ask you to click a link, open an attachment, or give verbal confirmation. Once you click the link, it takes you to a fake website that asks for your login credentials. The website may even install malware directly without you noticing. If you enter your information on the fake website, hackers can simply use your password to log in to the associated real website.
Image Credit: Canva
Typosquatting
Spammers already know that users are likely to inspect a link’s target before clicking on it. Therefore, they purchase domains that resemble legitimate ones. That’s called typosquatting. For example, if the email pretends to be from PayPal, the link’s domain may be “paypa1.com”, a difference that is hard to notice.
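A simple look-alike domain check for the “paypa1.com” trick above, added here as an example and not code from the original post. It folds common digit-for-letter substitutions and then compares against a constructed list of trusted domains; the trusted list, the substitution map and the similarity threshold are assumptions for this demo.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list of domains this check protects (assumption for the demo).
TRUSTED_DOMAINS = ["paypal.com", "google.com", "microsoft.com"]

# Look-alike substitutions typosquatters rely on, such as "1" for "l" in "paypa1.com".
# The mapping is an assumption for this demo, not an exhaustive confusables list.
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and fold look-alike characters to their ASCII target."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def registrable(host: str) -> str:
    """Crude 'example.com' extraction: keep the last two labels (enough for this demo)."""
    return ".".join(host.split(".")[-2:])


def classify(host: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85) -> str:
    """Return 'trusted', 'suspicious' (resembles a trusted domain but isn't one) or 'unknown'."""
    base = registrable(host.lower())
    if base in trusted:
        return "trusted"
    folded = normalize(base)
    for good in trusted:
        # Exact match after folding catches "paypa1.com"; the ratio catches "paypall.com".
        if folded == good or SequenceMatcher(None, folded, good).ratio() >= threshold:
            return "suspicious"
    return "unknown"


if __name__ == "__main__":
    for link in ["www.paypal.com", "paypa1.com", "paypall.com", "example.org"]:
        print(f"{link:20} -> {classify(link)}")
```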
Spear-Phishing
There is an even more perilous type of phishing known as spear-phishing. These campaigns usually target only one individual. So, the scammers research the target and write the email or message using the target’s name, age, or other personal information.
The email won’t have generic greetings like “Dear Customer” anymore. Also, the sender’s email address may look like that of the target’s CEO or a colleague. They may even use the target’s birthday to offer fake discounts. All of these tricks aim to fool the target, so people need to be more vigilant than ever.
That makes the email look more trustworthy and encourages the target to be “phished”. Therefore, hackers obtain passwords, social security numbers, or even credit card information more successfully when the email is highly personalized.
Preventions
Most of phishing prevention is simple: never click on links or open attachments. You may have to download an attachment, but only if it’s confirmed to be legitimate and you were expecting it. For links, typing the URL into the address bar yourself does the trick. Websites can still be spoofed using DNS cache poisoning, but that’s a whole new level to be discussed later.
Also, clicking “unsubscribe” or replying to spam will only increase the amount of spam, because those interactions confirm that the target email address exists. Moreover, consider changing your email address, especially if it’s your primary one, if you receive too much spam.
There are a few signs that indicate that an email is spam:
- Strange email addresses
- Typos
- Too much urgency
- Too good to be true
- Weird URLs
- Unusual links and attachments
If you recognize spam, report it to the email service provider and send it to trash. You don’t want to accidentally click on phishing links, right?
Oversharing
Sharing too much on social media does more harm than good. Did you know that a lot of people use personal information in their passwords to make them more memorable? By reviewing the information you share on social media, an attacker can crack such passwords very easily!
The personal data can also be mentioned in spam emails that may further trick you into revealing your login information! For details, go back to the “Spear-phishing” section in this article.
Image Credit: Canva
Preventions
To prevent hackers from guessing your passwords through your personal information, simply don’t overshare. Limit what you share on social media to provide as little personal data as possible. Resist the temptation to share your location in real-time because robbers can use it.
Furthermore, you should be aware of spear-phishing. Take a look at how to recognize spam in the section above.
Keyloggers
Collecting passwords is not only an active process; it can also be passive. That’s where keyloggers come into play. Keyloggers can be either software or hardware. The software kind is more popular because it can be installed more easily.
How do they work? They basically record every keystroke from a keyboard. While some keyloggers can be legitimate for parental supervision or diagnostic purposes, many of them are illegal. Once the keypresses are recorded, the keylogger sends them to the hackers’ servers, and with a little extra processing they can pick out your passwords.
Keyloggers are very annoying, because no matter how strong your passwords are, this type of spyware can make them useless at once. Moreover, using a virtual keyboard doesn’t help: keyloggers can still intercept that input.
Preventions
How do you avoid keyloggers? Well, the tips are the same as for avoiding any other type of malware. For example, install antivirus software on your devices. Watch out for signs of phishing and spam emails and act on them promptly. Also, clean up your computer regularly to delete unused files, and keep your OS and apps up to date.
There is also a remedy specific to keyloggers: use a password manager and enable its autofill option. That way, you won’t have to type passwords and login information (except for the most important accounts), and you’re safer from the guys spying on your keyboard.
Credential Stuffing
Another way hackers can get your passwords is credential stuffing. Although the attack needs a password that has already been revealed, either by the methods above or by a data breach, its risk is still significant.
When a hacker obtains a password, what will they do? Well, other than damaging that account, they will try to break into other accounts, because many people reuse passwords. According to an article by Cloudflare, only 0.1% of credential stuffing attempts succeed. Still, it’s worth it for attackers because data breaches often reveal large amounts of login data.
Preventions
To withstand credential stuffing attacks, the primary defense is to use a unique password for each of your accounts. When you reuse passwords, hackers will likely get into your other accounts once one account’s data is leaked.
Moreover, make sure to only sign up for websites that use HTTPS, so that traffic is encrypted. Furthermore, regularly check for news of data breaches and change your passwords as soon as you hear of one. It’s better to be safe than sorry.
Physical Inspection and Insecure Networks
Other than software methods like phishing, brute force attacks, malware, etc., hackers can also get passwords by watching a person type them in. Furthermore, insecure networks and non-HTTPS websites make it easy for attackers to intercept the connection (a man-in-the-middle attack) and read all information passing between the client and server.
Preventions
To prevent that, never enter passwords, social security numbers, or credit card information on public computers or public networks. In most cases, you can simply wait until you get home or connect to a trusted network. However, if the login can’t be delayed, make sure to clear all browsing data and saved passwords after you’ve logged out of the account. Never leave an account logged in unattended, as that leaves room for others to invade it.
Before you enter sensitive data, make sure no one is watching you: the information can easily be grabbed and used for illegal purposes. Moreover, it’s a good idea to change any passwords you’ve entered on a public computer, as it might be infected with a keylogger.
Rainbow Tables
The tactics above are quite easy to understand, right? This one gets a bit more technical, but it’s still something you should know about.
To learn about this type of attack, we first have to understand how passwords are stored. Passcodes are not stored in plaintext on the server; the server stores their hashes. Hashing algorithms are designed to be irreversible, but the original password behind a hash can still be found indirectly.
That’s where a rainbow table comes in. An attacker’s computer continuously computes the hashes of candidate strings and saves them in a massive database. Once a data breach occurs and the attacker obtains a hash, they find the password by simply looking up the hashed value in the table, and the original password will likely be found (unless it isn’t in the rainbow table yet).
Preventions
For normal users, there’s little we can do to combat this type of attack. We can simply use strong passwords and hope that the rainbow table’s generator hasn’t covered that phrase yet.
However, webmasters can use a cryptographic salt, which changes the user input before hashing it. That way, the hash of the real password won’t match any entry in the rainbow table.
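To show why the salt defeats the precomputed table described above, here is an added example (not code from the original post) that builds a small unsalted lookup table from a constructed wordlist, finds a leaked unsalted SHA-256 hash in it instantly, and then shows that the same password stored with a random salt and PBKDF2 is not in the table. A true rainbow table uses hash chains to save space, but the lookup-table form used here demonstrates the same point; the wordlist and iteration count are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the guesses an attacker precomputes (demo assumption).
COMMON_PASSWORDS = ["123456", "password", "1234", "qwerty", "letmein"]
ITERATIONS = 200_000  # PBKDF2 work factor, an assumption for the demo


def build_lookup_table(words):
    """Precompute unsalted SHA-256 digests once; each later lookup is a single dict access."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def lookup(table, digest_hex):
    """Return the original password if its unsalted hash is in the table, else None."""
    return table.get(digest_hex)


def hash_password(password: str, salt: bytes = b"", iterations: int = ITERATIONS):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A random per-user salt means two users
    with the same password get different stored values, so no precomputed table covers them."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def demo():
    """Return (hit for unsalted hash, hit for salted hash, salted verification result)."""
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted storage: the leaked digest is found immediately.
    leaked_unsalted = hashlib.sha256(b"password").hexdigest()
    found_unsalted = lookup(table, leaked_unsalted)  # "password"
    # Salted storage of the same password: the stored value is not in the table.
    salt, stored = hash_password("password")
    found_salted = lookup(table, stored.hex())  # None
    return found_unsalted, found_salted, verify_password("password", salt, stored)


if __name__ == "__main__":
    print(demo())
```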
Conclusion
So, we’ve talked about how hackers can break in and access your data by getting your passwords. We’ve covered different methods like phishing, keylogging, and even rainbow tables. But you need to know more and put it into practice. So, look at the references below to learn more.
References and Credits
- Megan Kaczanowski. (2020, January 30). How did someone get my password? Retrieved February 21, 2021, from https://www.freecodecamp.org/news/how-did-someone-get-my-password-2/
- Leo A. Notenboom. (2020, March 30). How Do I Choose a Good Password? – Ask Leo! Retrieved February 21, 2021, from https://askleo.com/how_do_i_choose_a_good_password/
- (2020, November 17). The top 12 password-cracking techniques used by hackers | IT PRO. Retrieved February 21, 2021, from https://www.itpro.co.uk/security/34616/the-top-password-cracking-techniques-used-by-hackers
- (n.d.). 10 Ways Hackers Get Your Passwords and What You Need to Do to Protect Yourself. Retrieved February 21, 2021, from https://brightside.me/inspiration-tips-and-tricks/10-ways-hackers-get-your-passwords-and-what-you-need-to-do-to-protect-yourself-468060/
- Rebecca Stone. (2020, October 26). How Do Hackers Get Passwords? – The LastPass Blog. Retrieved February 21, 2021, from https://blog.lastpass.com/2020/10/how-do-hackers-get-passwords/
- (2019, July 24). How Hackers Get Passwords Using These 7 Methods | SentinelOne. Retrieved February 21, 2021, from https://www.sentinelone.com/blog/7-ways-hackers-steal-your-passwords/
- (n.d.). Brute Force Attacks: Password Protection | Kaspersky. Retrieved February 21, 2021, from https://www.kaspersky.com/resource-center/definitions/brute-force-attack
- Josh Fruhlinger. (2020, September 4). What is phishing? How this cyber attack works and how to prevent it | CSO Online. Retrieved February 21, 2021, from https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html
- (2020, June 17). What is Spear Phishing? Retrieved February 21, 2021, from https://www.varonis.com/blog/what-is-spear-phishing/
- (n.d.). What is Spam and a Phishing Scam? | Kaspersky. Retrieved February 21, 2021, from https://usa.kaspersky.com/resource-center/threats/spam-phishing
- (2018, November 14). Five easy ways to recognize and dispose of malicious emails – Malwarebytes Labs | Malwarebytes Labs. Retrieved February 21, 2021, from https://blog.malwarebytes.com/101/2018/06/five-easy-ways-to-recognize-and-dispose-of-malicious-emails/
- (n.d.). What is a Keylogger and How Can I Detect One on My Home Computer? Retrieved February 21, 2021, from https://home.sophos.com/en-us/security-news/2019/what-is-a-keylogger.aspx
- (n.d.). Keyloggers – How keyloggers work & how to detect? | Malwarebytes. Retrieved February 21, 2021, from https://www.malwarebytes.com/keylogger/
- (n.d.). What Is Credential Stuffing? Credential Stuffing vs Brute Force Attack | Cloudflare. Retrieved February 21, 2021, from https://www.cloudflare.com/learning/bots/what-is-credential-stuffing/
- (n.d.). Safety Tips for Using a Public Computer. Retrieved February 21, 2021, from https://www.nortonlifelockpartner.com/security-center/safety-tips-using-public-computer.html
- Andy O’Donnell. (2019, November 18). Rainbow Tables: Your Password’s Worst Nightmare. Retrieved February 21, 2021, from https://www.lifewire.com/rainbow-tables-your-passwords-worst-nightmare-2487288