Passwords, how they are hacked and how to protect them


I have always liked to understand how things work in InfoSec. If you know how hackers and criminals operate, you know better how to protect yourself.

That’s why on this website I aim to present both perspectives.

Whenever I dig into a topic, I will create a blog post with the highlights of both perspectives.

So I’ll talk about how passwords get hacked and how to protect them.

But before we do that, let’s have a short detour and look back at how passwords started.

Fernando “Corby” Corbato, an MIT researcher, is credited with inventing the computer password in the early 1960s. At that time only one person could use the computer at a time. The researcher changed that by creating the Compatible Time-Sharing System.

MIT CSAIL

The method was a practical solution that allowed multiple people to use a computer at the same time. Computers then evolved, becoming more capable and interconnected, yet passwords didn’t change much, as the need for privacy and segregation remained.

Passwords, today, are a crucial component for authentication. This means that they are a security control to ensure that only an authorized person can access certain information.

Maybe passwords didn’t change, but additional verifications and security enhancements have come a long way.

Yet it is unfortunate that, still today, many people do not have a basic understanding of password threats and security.

The problem is so evident that we have a recurring list of the top 100 bad passwords, which unfortunately does not change much over time. I grew fed up with that list, as many news agencies started to capitalize on it by displaying it as text only and riddled with ads.

That’s why I created a section called “Beautiful pictures with terrible passwords” for anyone to use to raise people’s awareness.

But I didn’t want to stop there. I wanted to change that by creating free materials one can read but also use in awareness sessions.

So here we go: how passwords get hacked and how to protect yourself from such attacks, in a nutshell.

How passwords are hacked

The map shows the most common attack vectors and how you can protect yourself against them.

There are seven common ways that passwords get hacked and multiple ways you can protect yourself from them.

| Attack | Explanation |
|---|---|
| Database theft | Hackers bypass the security of a database to steal its content, or information is leaked due to poor security practices and unknown bugs. |
| WiFi sniffing | Sniffing is the process of intercepting data packets (any information you send and receive via the internet) on a given network. |
| Phishing attacks | Phishing is an email attack that contains links to a fake website. The website will ask you to log in with your username and password. Phishing is part of the social engineering family, yet it is so predominant in password attacks that it needs separate treatment. |
| Keylogger | A keylogger is software or hardware that spies on and logs every single keystroke on your keyboard. |
| Bruteforce attack | A bruteforce attack is when the attacker tries a set of combinations to get into an account. |
| Shoulder surfing | Shoulder surfing is when a person close to you looks at your screen to read your password, PIN code, or other valuable information as you enter it. |
| Social engineering | Social engineering is a combination of psychological and physical techniques whose ultimate goal is stealing information or assets. |
| Sensors | Sensors of devices connected to the internet (like phones, IoT, etc.) are exploited to steal information. |

The number of attacks can be overwhelming, but do they all pose the same risk? Well, this entirely depends on who you are and your threat model. Let’s put things into context with probability and complexity.

By complexity, I mean the complexity of the attack: how difficult it is to create and execute.

Probability is the likelihood of an attack against a regular technology consumer. The graph will be different for people who are targeted because of what they do (journalists, activists) and what they have (power, money, fame).

For most people, social engineering attacks, especially phishing, are a big problem.

There are thousands of phishing emails sent every day, and the chances that we get one are quite high. Likewise, the chance that our password is disclosed in a data breach is high because of the number of services that we use.

Those two vectors are the ones that people should know best. It is also crucial to know the others, even if they have a medium to low probability. They will still happen.

But let’s ponder a bit on the high-complexity attacks. You will see many articles that describe highly sophisticated hacks that are hard to execute and can be recreated only in very specific environments.

When such materials hit the press, people who are not familiar with InfoSec will think that such attacks are highly probable. That’s why we always need to put them in context with complexity and probability.

One dimension that was left out is money. Many cyber attacks operate on a model similar to any business: maximise attack success with the lowest possible investment.

Complexity can also take this aspect into consideration. The more difficult an attack is to create or execute, the more it costs. And such costly attacks will most probably be aimed at specific targets.

How to protect passwords

Protecting passwords can be done with both preventive and detective controls. Moreover, there are additional best practices to take into consideration that are particular to each attack.

A preventive control has the goal of preventing something unwanted from happening.

A detective control is one that finds out whether something didn’t go according to plan.

A great preventive control is a password manager.

Password managers are great tools since they manage all your passwords without the hassle of remembering them all. They also handle all the security complexity.

Let me quote Troy Hunt’s blog post to make a point:

Your brain is a very bad password manager.
It’s incapable of storing more than a couple of genuinely random strings of reasonable length (apologies if you’re a savant and I’ve unfairly characterized you in with the rest of our weak human brains).

Troy Hunt

Password managers don’t need to be perfect; they need to be better than not using them which they unequivocally still are

Troy Hunt

But what happens if they get hacked? Is there a chance we will know that our passwords are compromised? Not in every case, yet some services will help you identify such cases.

A great way to know if your account got hacked is by registering at haveibeenpwned.com. And that’s a perfect detective control.

From the website:

“a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach.”

haveibeenpwned.com

But internal controls are not the only part of protecting passwords.

We can reduce the likelihood or the impact of such attacks by knowing how to protect ourselves from them.

| Attack | Protection |
|---|---|
| Database theft | Masked emails, Password Manager, Strong passwords, Unique passwords |
| WiFi sniffing | VPN |
| Phishing attacks | Email good practice |
| Keylogger | Email good practice |
| Bruteforce attack | Complex passwords, Unique passwords |
| Shoulder surfing | Cover your device |
| Social engineering | Don’t disclose information |
| Sensors | Update regularly |

Depending on the attack, there will be different protection measures. Every attack deserves an extensive description, but for now, there will be just a short reference.

  1. Password Manager: the best security measure for your passwords. It takes away the complexity of managing them all and will create unique and robust passwords automatically for any given account.
  2. Strong passwords: a password that is hard to crack, best if managed by the password manager.
  3. Unique passwords: one password that is specific to each account, again much better if handled by the password manager.
  4. VPN: a service used to channel all traffic so that your internet traffic cannot be spied on.
  5. Email good practice: check the sender, and do not open unknown attachments or click on links.
  6. Cover your device: cover your hand when entering a PIN or password.
  7. Don’t disclose information: quite simplistic, but do not disclose information to people you do not know or have only met on the internet.
  8. Update regularly: always update your devices as soon as possible.
  9. Masked emails: email addresses that do not reveal your main address and forward content to your primary mailbox.
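
The "Strong passwords" and "Unique passwords" protections against database theft and bruteforce attacks, as an added Python example that is not part of the original post: it generates one random password per account the way a password manager would, and audits a vault for reused, known-bad and weak entries. The names `KNOWN_BAD`, `SAMPLE_VAULT`, the function names and the 60-bit threshold are assumptions made for illustration, and the sample data is constructed.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed stand-in for a "top bad passwords" list (illustrative only).
KNOWN_BAD = {"123456", "password", "qwerty", "letmein"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable symbols


def generate_password(length=20):
    """Random password from the OS CSPRNG, one per account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def bruteforce_bits(password):
    """Upper bound on brute-force work in bits: length * log2(symbol pool).
    Only a true estimate for randomly generated passwords."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def audit(vault, min_bits=60):
    """Return {account: [findings]} for a {account: password} mapping."""
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    report = {}
    for account, password in vault.items():
        findings = []
        if password.lower() in KNOWN_BAD:
            findings.append("known-bad")
        if len(accounts_by_password[password]) > 1:
            findings.append("reused")  # one database theft exposes all of them
        if bruteforce_bits(password) < min_bits:
            findings.append("weak")
        if findings:
            report[account] = findings
    return report


# Constructed vault: two accounts share a password, one uses a listed bad one.
SAMPLE_VAULT = {"mail": "Summer19", "shop": "Summer19",
                "forum": "qwerty", "bank": generate_password()}

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_VAULT).items():
        print(f"{account}: {', '.join(findings)}")
```

The bit count is an upper bound: a human-chosen password such as the constructed `Summer19` is far easier to guess than its length and character classes suggest, which is why generated passwords are the safer choice.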

If you liked the post or you have any comments, you can contact me in different ways.

You are welcome to use the graphics for free.
Please remember to give attribution.

Help me grow this site to become a knowledge base for Cyber Security and make it approachable for everyone!

Your guide through The Cyber @PiotrSec
