When a password is the only thing standing between hackers and your data, you can count on them to capitalize on any means available to get it. Password hackers are often highly motivated because they know what they steal could lead them to troves of data such as bank details, client records and more. For end users, passwords are about as low-tech as security technology ever gets… but we all use them today and tomorrow, and will do for the foreseeable future.
Passwords that are weak or easy to guess are more common than you might expect: recent findings from the NCSC found that around one in six people uses the names of their pets as their passwords, making them highly predictable. To make matters worse, these passwords tend to be reused across multiple sites, with one in three people (32%) having the same password to access different accounts.
It should come as no surprise that passwords are the worst nightmare of cyber security experts. There are, however, steps you can take to protect yourself. This starts with getting to know your enemy… so we’ve put together these common password-cracking techniques used by attackers to help you and your business be better prepared.
Phishing
Phishing is among the most common password-stealing techniques currently in use and is often used for other types of cyber attacks. Its success is rooted in being able to deceive a victim with seemingly legitimate information while acting on malicious intent. The target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking details and passwords.
Credential Stuffing
Credential stuffing, also known as list cleaning and breach replay, is a means of testing databases or lists of stolen credentials – i.e., passwords and usernames – against multiple accounts to see if there’s a match. For example, an attacker may take a list of usernames and passwords obtained from a breach of a major high street store, and use the same login credentials to try and log in to the site of a national bank. The attacker is hoping that some fraction of those department store customers also have an account at that bank, and that they reused the same usernames and passwords for both services.
Social engineering
Social engineering is the art of manipulating people so they give up confidential information. An example of this tactic is for hackers to call a victim and pose as technical support, asking for things like network access passwords in order to provide assistance. Successful social engineering attacks can be incredibly convincing and highly lucrative. This tactic is rampant on social media in the form of viral ‘social media quizzes’, whereby a fun trend is started to “share a dozen fun facts people might not know about you”. Innocent though they may seem, these social media quizzes can put you in the crosshairs of attackers, both physical and cyber. They are a prime example of over-sharing sensitive data online.
Password Spraying
Password spraying is a technique that attempts a list of commonly used passwords, such as 123456 and password123, against many user account names. The basic idea behind password spraying is to attempt to access a large number of accounts (usernames) with a few commonly used passwords. During a password-spray attack the malicious actor attempts a single commonly used password against many accounts before moving on to a second password, and so on.
Malware
Two of the most common malware types for stealing passwords are keyloggers and screen scrapers. As their names imply, the former sends all your keystrokes to the hacker, and the latter uploads screenshots. Some malware will even proactively hunt through a user’s system for password dictionaries or data associated with web browsers. An example of malware is a backdoor trojan that can grant full access to the user’s computer if accidentally clicked on. This can usually install itself after clicking the wrong “Download” button or advertisement on a website.
Keylogging
A keylogger is monitoring software or hardware designed to record what you write. It could be either a program on your computer or a small device connected to your PC and keyboard, which keeps track of everything you’ve been typing. Keyloggers record the strokes you type on the keyboard and pass them on to third parties. This jeopardises data security, since it allows unauthorised people to obtain login data such as passwords, which they can then use to access even more private data.
Brute force attack
Brute force attacks involve hackers using a variety of methods, usually on a trial-and-error basis, to guess their way into a user’s account. It basically involves trying all possible combinations until you hit the jackpot. This could see attackers simply trying commonly used passwords like ‘password123’ against a known username, for example. A brute force attack can also take the form of an attacker making educated guesses. For example, the username may already be known and the attacker may even know the victim personally, so the guesses may relate to known birth dates, favourite sports teams and family members’ names.
Dictionary attack
A dictionary attack is a type of brute force attack, and it’s often used together with other brute force techniques. These attacks involve hackers running automated scripts that take lists of known usernames and passwords and run them against a login system sequentially to gain access to a service. This means every username is checked against every possible password before the next username is attempted against every possible password.
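The spraying pattern (one password across many accounts) and the brute force or dictionary pattern (many passwords against one account) leave different footprints in a login log. As an added example that is not part of the original article, the Python below classifies source addresses in a constructed auth log into those two patterns; the log format, the IP addresses and the thresholds are all assumptions made up for this example.

```python
# Added example (not from the original article): classify failed logins in a
# constructed auth log as password spraying (many accounts, one or two tries
# each) or brute force (many tries against one account). Format and thresholds
# are assumptions made up for this example.
import re
from collections import defaultdict

# Constructed sample log; format assumed as "<time> <result> user=<name> src=<ip>".
SAMPLE_LOG = """\
09:00:01 FAIL user=alice src=198.51.100.7
09:00:02 FAIL user=bob src=198.51.100.7
09:00:03 FAIL user=carol src=198.51.100.7
09:00:04 FAIL user=dave src=198.51.100.7
09:00:05 FAIL user=erin src=198.51.100.7
09:01:00 FAIL user=victim src=192.0.2.9
09:01:01 FAIL user=victim src=192.0.2.9
09:01:02 FAIL user=victim src=192.0.2.9
09:01:03 FAIL user=victim src=192.0.2.9
09:01:04 FAIL user=victim src=192.0.2.9
09:02:00 FAIL user=alice src=203.0.113.5
09:02:05 OK user=alice src=203.0.113.5
"""

LINE_RE = re.compile(r"^\S+ (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_failures(log):
    """Return {src_ip: {username: failure_count}} built from FAIL lines only."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAIL":
            failures[m.group("src")][m.group("user")] += 1
    return failures

def classify_sources(log, spray_users=5, spray_max_per_user=2, brute_attempts=5):
    """Label each source IP as 'spray', 'brute_force' or 'normal'.

    spray: failures against >= spray_users distinct accounts, with no single
           account tried more than spray_max_per_user times.
    brute_force: >= brute_attempts failures against one account.
    """
    labels = {}
    for src, per_user in parse_failures(log).items():
        worst = max(per_user.values())
        if len(per_user) >= spray_users and worst <= spray_max_per_user:
            labels[src] = "spray"
        elif worst >= brute_attempts:
            labels[src] = "brute_force"
        else:
            labels[src] = "normal"
    return labels
```

Per-account lockout counters alone miss the spray case, because each account sees only one failure; the per-source view above is what catches it.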
Extortion
A less common but still noteworthy method is extortion. This is a straightforward blackmail technique that depends on the nature of the relationship between the attacker and the target. Someone may demand your password if they have the means to harm or embarrass you should you not comply, such as revealing sensitive information, images or videos about you, or threatening the physical safety of yourself or your loved ones.
Spidering
Spidering refers to the process of hackers getting to know their targets intimately in order to acquire credentials. The process is very similar to techniques used in phishing and social engineering attacks, but involves a far greater amount of work on the part of the hacker, and for that reason it is generally more successful. The goal is to create a word list that would help guess the password faster. Hackers can trawl company handbooks, check the company’s website, social media and other sources, and will come up with something like this:
Founder name – Jon Doe
Founder DOB – 1984 06 14
Founder’s sister – Joan
Founder’s other sister – Emma
Company name – RANDOM IT COMP LTD
Headquarters – Abbey Road
They would then upload it to a proper password cracking tool and start the hacking process.
Shoulder Surfing
Shoulder surfing is a simple but effective technique available to hackers, given the right context and target. Somewhat self-explanatory, shoulder surfing simply sees hackers peering over the shoulder of a potential target, looking to visually track keystrokes when entering passwords. This could take place in any public space like a coffee shop, or even on public transport such as a flight. An employee may be accessing in-cafe internet to complete a task and the hacker could be sitting nearby, watching for an opportunity to note down a password to an email account, for example.
Guess
If all else fails, a hacker can always try and guess your password. While there are many password managers available that create strings that are impossible to guess, many users still rely on memorable phrases. These are often based on hobbies, pets, or family, much of which is often contained in the very profile pages that the password is trying to protect.
Guessing, unfortunately, is a lot easier and quicker for a hacker to do than you would think, primarily because lots of recent studies suggest that business executives and company owners tend to use weak and easy-to-crack passwords, which significantly increases the chances of a large-scale data breach. NordPass has compiled a detailed list of top passwords used by business executives… and it makes for interesting (but worrying!) reading. They found:
Top passwords
The study reveals that passwords such as 123456, password, and 123456789, are as popular among high-ranking executives as they are among ordinary internet users.
Most affected countries
France and the United Kingdom were the two countries among the most affected by data breaches. Research shows that France had over 200M passwords breached while the UK’s number stands at 600M.
Most popular names
Research shows that many high-ranking business executives prefer to use names as their passwords. Among the most popular name-themed passwords are: Tiffany (100,534), Charlie (33,699), Michael (10,647) and Jordan (10,472).
Animal and mythical creatures
Besides names, business leaders showed love for animals and mythical creatures when it came to passwords. Dragon (11,926) and monkey (11,675) were ranked high among the top animal-themed passwords used by high-ranking executives.
Here are the top 50 most common passwords used by C-level executives, managers, and business owners:
- password
- 12345
- 123456789
- qwerty
- 1234
- qwerty123
- 1q2w3e
- 111111
- 12345678
- info
- DEFAULT
- 1q2w3e4r5t
- Password
- 1234567
- 123
- infoinfo
- 123123
- 1234567890
- welcome
- abc123
- 123321
- 654321
- 000000
- qwe123
- 777777
- test
- password1
- 1q2w3e4r
- 666666
- Switzerland
- 1111
- 555555
- aaaaaa
- asdfgh
- qwertyuiop
- test123
- 11111111
- 222222
- 1111111
- 1qaz2wsx
- qazwsx
- SKIFFY
- 11111
- 123qwe
- Willkommen
- temppass
- 112233
- 121212
- 777777
If you currently have one of these passwords on your company computer, or need advice on how you can reduce the risk of a password hack, give us a call to book in your free IT and security audit! Call us today on 01772 369247.