While passwords are the most popular account security tool, they aren’t necessarily the safest option. Security experts agree that human beings are the weakest link of any security system. Most often, users create weak passwords, store them as plain text, and use them on multiple online accounts. Although there are many ways to hack into an account, hackers first use the easiest available method for password cracking, which is phishing. If that fails, there are plenty of other options to try.
Understanding the most popular password-cracking techniques used by hackers is a great way to ensure it never happens to you or your employees.
Most Popular Password-Cracking Techniques
- Phishing
Phishing involves tricking the user into downloading an email attachment or opening a link that delivers malware. Usually, the hackers send an important and official-looking email that warns the recipient to take action before it’s too late. Once the attachment is opened, some kind of password-extracting software is installed automatically on the device.
Another method is redirecting the user to a look-alike website, where the user enters their account details. Common phishing variants include whaling, spear-phishing, and voice phishing (vishing).
- Brute Force Attack
Brute force attacks involve trying all possible combinations until the hacker hits the jackpot. The password cracking tools used by hackers allow them to modify the attack and significantly reduce the time needed to check all variations. Once the password is obtained, the attacker will assume it’s being used in more than one place and will try the same login credentials on other online services. This is known as credential stuffing and is very popular in the age of data breaches.
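Credential stuffing has a recognizable shape in authentication logs: one source makes a few attempts against many different accounts, rather than many attempts against one account. The detection logic below is an added example, not part of the original article; the log lines and IP addresses are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:03 203.0.113.7 dave FAIL
2024-05-01T10:00:04 203.0.113.7 erin OK
2024-05-01T10:00:05 203.0.113.7 frank FAIL
2024-05-01T10:00:09 198.51.100.4 alice FAIL
2024-05-01T10:00:15 198.51.100.4 alice FAIL
2024-05-01T10:00:20 198.51.100.4 alice OK
"""


def parse(log_text):
    """Yield (timestamp, ip, user, result) tuples from the whitespace-separated log."""
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        yield ts, ip, user, result


def find_credential_stuffing(log_text, min_failures=4, min_distinct_users=4):
    """Flag source IPs that fail against many *different* accounts.

    A single user mistyping one password (198.51.100.4 above) stays under the
    distinct-user threshold; a reused-credential spray (203.0.113.7) does not.
    Returns {ip: [accounts that accepted a credential from that ip]} so the
    responder knows which accounts need a forced password reset.
    """
    failures = defaultdict(int)
    failed_users = defaultdict(set)
    successes = defaultdict(set)
    for _, ip, user, result in parse(log_text):
        if result == "FAIL":
            failures[ip] += 1
            failed_users[ip].add(user)
        else:
            successes[ip].add(user)
    flagged = {}
    for ip in failures:
        if failures[ip] >= min_failures and len(failed_users[ip]) >= min_distinct_users:
            flagged[ip] = sorted(successes[ip])
    return flagged


if __name__ == "__main__":
    print(find_credential_stuffing(SAMPLE_LOG))  # {'203.0.113.7': ['erin']}
```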
- Malware
Two of the most common malware types for stealing passwords are keyloggers and screen scrapers. A keylogger sends every keystroke to the hacker, while a screen scraper automatically uploads screenshots.
Other popular types of malware used by cybercriminals are backdoor Trojans. These pieces of software can grant full access to a user’s device. Also known as potentially unwanted applications, these programs usually install themselves after the user clicks the wrong button on some dubious website.
- Social Engineering
Social engineering relies on the gullibility of the victims. Unlike the other password-cracking techniques, social engineering can happen offline: calling or even meeting the victim in person requires no sophisticated software or hardware. Recent technological advances have nonetheless transformed social engineering. In 2020, hackers used AI and voice technology to impersonate business owners and trick top management into transferring large sums of money to several accounts. Another tactic used by hackers is to impersonate a bank or Google agent and ask for credit card information.
- Packet Sniffing
One of the most used password-cracking techniques is packet capturing, also known as packet sniffing. It involves using a packet analyzer to monitor and log network traffic. The analyzer can decode data sent back and forth across a network, which might include plaintext passwords. This technique requires physical presence on the network or malware that has already been installed. Packet sniffing often fails if traffic is encrypted using a strong security protocol or a Virtual Private Network (VPN).
- Dictionary Attack
The dictionary attack is a slightly more sophisticated form of brute force attack. Instead of trying every combination, it checks whether the password is a commonly used phrase like “iliketodance” or “iloveyou” by looking it up in a wordlist of such phrases. The chance of a successful dictionary attack increases substantially if the attacker adds passwords leaked from other accounts to that list.
It’s always a good idea to train your employees to choose strong passwords that contain more than one word.
- Shoulder Surfing
Shoulder surfing is an incredibly effective offline password-cracking technique and it can be used almost anywhere. With attention focused on only what’s happening on the screen, one can easily ignore what’s going on in the same room.
In general, smaller companies are more at risk because they use fewer security precautions. It’s easy for anyone to impersonate a courier or a quality inspector and gain access to the office.
- Rainbow Table Attack
This password-cracking technique is more involved. After obtaining the password in the form of a hash, hackers consult a precomputed table of common passwords and their hashed versions. Experienced cybercriminals usually have a rainbow table that also includes leaked passwords, making the technique more effective. The bigger the rainbow table, the faster the attack ends, because most of the work has already been done. On the other hand, comprehensive rainbow tables are huge, taking up hundreds of gigabytes.
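The defence against any precomputed table is to store passwords with a random per-user salt and a deliberately slow hash, so the attacker cannot reuse one table across users. The following is an added example, not code from the original article: it builds a lookup table of unsalted SHA-256 digests for the ten passwords the article lists, shows that an unsalted hash falls to a single lookup, and that a salted PBKDF2 hash of the same password is not in the table (PBKDF2 stands in here for any slow password hash; the iteration count is an assumption).

```python
import hashlib
import hmac
import os

# Constructed sample: the ten passwords the article lists as the most used.
COMMON_PASSWORDS = ["123456", "password", "123456789", "12345", "12345678",
                    "qwerty", "1234567", "111111", "1234567890", "123123"]
ITERATIONS = 200_000  # assumed work factor; raise as hardware allows


def build_lookup_table(passwords):
    """Precompute unsalted SHA-256 digests: the idea behind a lookup/rainbow table."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in passwords}


def lookup(table, stored_hash):
    """An unsalted hash of a common password is recovered with one dictionary lookup."""
    return table.get(stored_hash)


def hash_salted(password, salt=None):
    """Defensive storage: 16 random salt bytes per user plus slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = hashlib.sha256(b"qwerty").hexdigest()
    recovered = lookup(table, unsalted)            # "qwerty": table hit
    salted = hash_salted("qwerty")
    missed = lookup(table, salted.split("$")[1])   # None: salt defeats the table
    return recovered, missed


if __name__ == "__main__":
    print(demo())  # ('qwerty', None)
```

Two users who pick the same password get different stored values, so even a table built against this site's salt format would have to be rebuilt per user.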
- Password Guessing
The simplest password-cracking technique is guessing. As incredible as it may sound, thousands of accounts are compromised every year using this method. This technique doesn’t require gathering information about the victim, because trying some of the most popular passphrases is enough.
According to a SafetyDetectives report, the top ten most used passwords in the world are: “123456”, “password”, “123456789”, “12345”, “12345678”, “qwerty”, “1234567”, “111111”, “1234567890” and “123123”.
With hacking rates on the rise in recent years, security experts say that most people become victims because they don’t create passwords that are unique and hard to guess. Any business or IT manager should implement strong security protocols, including password hygiene. Read here about the most important password hygiene protocols any company can follow.