Knowing how passwords are weak is the best way to know how to make good ones. So let’s take a stroll inside the hacker’s head and learn their tricks.
Obtaining passwords is a task ranging from embarrassingly easy to moderately difficult. I wish I could say that it was really hard, but in most cases it’s not. All the attacker needs is time and the right circumstances. So it’s our job to waste his time and limit his opportunities as much as possible.
Here are a number of ways the crooks get your goods. Don’t think that any of these are less important than any other. They’re all used prolifically and they all work.
Note on Wireless: Be sure to check out how wireless passwords are hacked as well, because they can be attacked in ways not listed here.
Password Guessing – Exploiting your predictability
Pretty straightforward, right? The problem is that everyone is predictable. Think about everyone who knows anything about you. If you’re using your spouse’s name as a password, then everyone who knows your spouse knows your password. What’s more, even the guy at the next table in the coffee shop will overhear you speak it out loud several times during the course of your latte.
And it’s not only about the people who you know or see in a café. Like it or not, there’s a lot about you on the internet already. Keep in mind that no information is inconsequential no matter how mundane. If you’ve ever posted anywhere what your favorite car model is, then complete strangers two continents over know this about you.
Defense against password guessing
Don’t be predictable. Resist the urge to give your passwords significance to you. Make them random.
Shoulder surfing – Exploiting your forgetfulness
This refers to someone getting your password by simple observation. Got your password written on a post-it note stuck to your monitor? Under your keyboard? In a drawer? Shame on you. If your password exists anywhere other than in your head or in the login box when you type it in, you’re compromising its security.
If you absolutely must write them down so as to not forget, the best place is an encrypted file on your computer. Put them in an encrypted file using AxCrypt. Or let the LastPass plugin remember them for you. Just remember that if you physically write passwords down, you will eventually lose them. How bad would it be if the wrong person found them?
Defense against shoulder surfing
Keep your passwords in your head or encrypted on your computer.
Keyloggers and other malware – Using viruses
It’s possible to have a computer virus that monitors your keystrokes. It will then either send them back to the mothership or save them somewhere on the computer for the bad guy to find later. If this is the case, they’re getting a lot more than just your passwords.
Defense against keyloggers
Keep your computer virus-free. If you have viruses, get rid of them first, then change all your most critical passwords right away.
Brute Force – Full frontal attack
This just means going through a huge list of possible passwords until the attacker stumbles on the right one. It sounds too random to be functional, but they’re clever with it. The way they generate these lists puts the highest probability guesses on top, like commonly used passwords, regular dictionary words, words with numbers on the end, etc.
They can take this further by tailoring the list to the target, depending on how much they know about you. Like using the names of your family members, words associated with your company, or all the local sports team names in your area.
To make this exponentially easier, there is special software that automates the process and can chew through a list in no time. If it can get on a website and try one password every two seconds, it could go through every commonly-used English word in a matter of a few days, and slight variations of those words in a few more days.
Fortunately, most websites have limits on password attempts before locking the account (usually around five tries). But not all. Twitter got hacked with an attack like this (they have fixed the problem since then). A small construction company I contract for also had their server hijacked in the same way. Never assume a site is safe just because they’re big, or just because they’re small. Everyone is a target.
Defense against brute force attacks
Create long, complex, unique passwords.
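The lockout the post describes ("around five tries") and the detection of a brute-force run in a login log are the same bookkeeping seen from two sides. Below is an added example in Python, not code from the original post; the threshold of five failures and the 15-minute window are assumptions chosen to match the post's remark, and the log lines are constructed for the example.

```python
"""Account-lockout guard plus brute-force detection over constructed auth log lines.

Added example; not code from the original post. The thresholds (5 failures,
15-minute window) are assumptions. Log lines and IP addresses are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # lock the account after this many failures... (assumption)
WINDOW = timedelta(minutes=15)    # ...within this sliding window (assumption)


class LoginGuard:
    """Tracks failed logins per account and refuses attempts once locked."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures

    def _prune(self, account, now):
        """Drop failures older than the window so the lock expires on its own."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now):
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'failed'. A locked account is not checked
        against the real password at all, so further guesses learn nothing."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()
            return "ok"
        self._failures[account].append(now)
        return "failed"


# Constructed log (not real data): "<ISO time> <result> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL user=alice ip=203.0.113.7
2024-01-01T10:00:02 FAIL user=alice ip=203.0.113.7
2024-01-01T10:00:04 FAIL user=alice ip=203.0.113.7
2024-01-01T10:00:06 FAIL user=alice ip=203.0.113.7
2024-01-01T10:00:08 FAIL user=alice ip=203.0.113.7
2024-01-01T10:00:10 FAIL user=alice ip=203.0.113.7
2024-01-01T10:03:00 FAIL user=bob ip=198.51.100.4
2024-01-01T10:05:00 OK   user=bob ip=198.51.100.4
"""


def parse_log(text):
    """Yield (timestamp, result, user, ip) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        yield (datetime.fromisoformat(ts), result,
               user.split("=", 1)[1], ip.split("=", 1)[1])


def find_brute_force(text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay the log through a LoginGuard and return {account: ip} for every
    account that tripped the lock, with the IP that was guessing at the time."""
    guard = LoginGuard(max_failures, window)
    flagged = {}
    for ts, result, user, ip in parse_log(text):
        if guard.attempt(user, result == "OK", ts) == "locked" and user not in flagged:
            flagged[user] = ip
    return flagged


def lockout_demo():
    """Scripted run: five wrong guesses two seconds apart lock the account, the
    correct password is refused while locked, and the lock expires after WINDOW.
    Returns the list of outcomes in order."""
    guard = LoginGuard()
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    outcomes = [guard.attempt("carol", False, t0 + timedelta(seconds=2 * i)) for i in range(5)]
    outcomes.append(guard.attempt("carol", True, t0 + timedelta(seconds=10)))          # right password, still locked
    outcomes.append(guard.attempt("carol", True, t0 + WINDOW + timedelta(seconds=11)))  # window has passed
    return outcomes


if __name__ == "__main__":
    print("locked accounts in sample log:", find_brute_force(SAMPLE_LOG))
    print("scripted lockout sequence:", lockout_demo())
```

Two things the replay makes visible: a lock has to be a sliding window, not a lifetime counter, or a single typo-prone user is locked out forever; and the locked branch must run before the password check, otherwise the attacker still gets a yes/no answer for every guess even when the account is "locked".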
Social Engineering – Exploiting your trust
This is just getting someone to voluntarily divulge their login information in one way or another. The criminal poses as someone who you think you can trust (on the phone or in person) in order to get what they want.
Sometimes it’s a “bank representative” calling you with important account information. Sometimes it’s a “potential client” who’s interested in your IT or physical security practices. It’s easier to give trust when interacting with a real person.
Defense against social engineering
Don’t be gullible. Don’t ever hand out your login information to anyone. And don’t give out sensitive information without properly vetting a person and/or their company.
Phishing – Dangling the tasty bait
Phishing is a form of social engineering. It refers to throwing a line out and seeing if the user bites. The bait is commonly an email or pop-up window.
For instance, you get a fake email telling you there’s something wrong with your bank account so you should click here and fix it. The link takes you to a fake site run by the attacker and they get your password as soon as you type it in.
Defense against phishing
Don’t bite the bait. Don’t ever click on links in emails or pop-ups that say they need you to log in somewhere, even if they say it’s an emergency.
Hacking password databases – Good old-fashioned stealing
It’s possible to hack into a computer and steal the list of passwords inside. This is typically performed against high-profile targets like website servers where lots of people log in.
But don’t get complacent because anything could be a target. That includes your home computer, which also stores your passwords inside. It’s possible to steal passwords by either gaining physical access to the system or attacking from the internet.
For computers you don’t have control over, like a web server, you might not think there is anything you can do. But there is.
Good web servers will hash their password databases, so a thief ends up with hashes rather than passwords and has to guess each password and hash the guess to see whether it matches. To increase the difficulty further, you can make your passwords long (at least 10 characters) and complex, using all four of the character types (upper case, lower case, numbers, and symbols). This makes reversing the hash much more difficult.
Defense against password database theft
Make your passwords long and complex. Limit physical access to your computer.
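To show what "hashed" and "long and complex" buy you, here is an added example in Python that is not the post's own code: a salted, deliberately slow password hash on the server side (PBKDF2-HMAC-SHA256 from the standard library, with an iteration count chosen as an assumption), the post's 10-character, four-class rule as a check, and the size of the guess space that rule produces. The sample passwords are constructed.

```python
"""Salted, iterated password hashing plus the post's length/complexity rule.

Added example, not the post's code. PBKDF2-HMAC-SHA256 with 600,000 iterations
and a 16-byte random salt is one reasonable standard-library choice (assumption).
"""
import hashlib
import hmac
import secrets
import string

ITERATIONS = 600_000   # slow on purpose: every guess costs the attacker this much work (assumption)
SALT_BYTES = 16        # per-password random salt: identical passwords get different hashes


def hash_password(password, salt=None):
    """Return a string of the form 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# The four character types the post names, with the size of each alphabet.
CLASSES = {
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def character_classes(password):
    """Set of class names actually present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password, min_length=10):
    """The post's rule: at least 10 characters and all four character types."""
    return len(password) >= min_length and len(character_classes(password)) == 4


def guess_space(password):
    """Upper bound on guesses for an attacker who knows the length and which
    classes are used but nothing else: alphabet_size ** length."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return alphabet ** len(password)


if __name__ == "__main__":
    for pw in ["sunshine", "Tr0ub4dor&3"]:          # constructed sample passwords
        print(f"{pw!r}: policy ok={meets_policy(pw)}, guess space={guess_space(pw):.3g}")
    record = hash_password("Tr0ub4dor&3")
    print("stored record:", record)
    print("verify correct:", verify_password("Tr0ub4dor&3", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&4", record))
```

The salt is what stops one precomputed table from covering every user in a stolen database, and the iteration count is what makes each guess expensive; neither helps much if the password itself is one of the first few thousand guesses, which is why the length and character-class rule sits alongside the hashing.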