By: Luis Ponce, Territory Sales Manager for BeyondTrust
In this era where digitization is evident in different activities and forces us to have more and more accounts, it is essential to be prepared and know the most common methods that hackers use to steal passwords. These virtual criminals seek to access valuable information and profit from it. For this reason, I want to present some of the techniques most used by attackers to prevent you from falling for them.
1. Random attacks
A random password search is rarely successful unless it is a very common password or dictionary word. To improve their chances of getting caught, hackers collect information about their intended victim: information about social networks, direct interactions, misleading conversations, even access to data from past engagements.
Passwords that meet the following characteristics are easy to guess:
“Password” or its derivatives “m0tpassword
Username variations, with initials, numbers, special characters.
Personal or family birthdays, especially descendants
Memorable places or events
Family names and variants with numbers or special characters
Pets, food preferences or other special characteristics of the individual
Random password lookups can be done without automation tools, but automation tools can improve the likelihood of getting a result. These attacks leave traces in the event log and eventually cause account lockout after x number of failed attempts. But when the same passwords are used on multiple resources, then the chances of passwords being guessed increase and make it easier for a hacker to lateral advance.
2. Brute force attacks
These attacks use a programmatic method to try all possible combinations of a password. This method is effective with short and simple passwords. It is unthinkable, even for the fastest recent systems, a password of at least eight characters. If the password consists of all alphabetic characters, including upper and lower case, it may take 8,031,810,176 attempts to crack it. To do this, the hacker must be aware of the limitations placed on the length and complexity of passwords. Other factors are numbers, capitalization, and special characters of the language used.
Properly configured, a brute force attack will always find the password, but this requires computational power and a lot of time. Considered the least effective method of hacking a password, this technique is only considered by hackers as a last resort.
3. Login Fill
Stuffing is an automated hacking technique based on stolen credentials. This may include lists of usernames, email addresses, and passwords. Automation allows you to send login requests to an app and save only the correct combinations for later use. Login stuffing attacks do not attempt to guess passwords or brute force access. The hacker uses specific tools to automate authentication attempts using previously disclosed credentials. Credential stuffing attacks only work if a person reuses the same password, which happens all too often across multiple sites.
4. Password spraying
This credential-based attack attempts to access many accounts by trying only a few common passwords. This is the exact opposite of a brute force attack, which targets a given account and tries lots of password combinations. In this case, the hacker tries the same common password (for example, “12345678” or “M0tdepasse”) on lots of accounts, and then tries again with a different password. Since he tries a password on all accounts on a list before moving on to the next, this technique prevents the hacker from being detected and no account from being locked out due to the time that elapses between attempts. If a user’s or account’s password management practices are poor, the hacker will be able to get in.
Some password attacks combine several of the tools and methodologies presented above to improve their chances of success. However, in most cases, successful hacks are largely due to poor password management practices. It is imperative to be informed about the care of information in digital media in order to mitigate the possibility of suffering any of these attacks.