Password cracking techniques

Lewis Goor
Thursday 29 April 2021

Passwords are one of the main authentication methods used to protect against unauthorised access to online accounts. Unfortunately, some people want access to other users’ accounts in order to gather and steal information, and there are a few ways in which hackers can try to gain access to user accounts – such as phishing, malware and brute force.

This post will explain a few of the ways in which attackers attempt to crack passwords so they can access other users’ sensitive information for their own gain. 

Phishing 

Probably one of the most commonly used hacking techniques today, phishing is the practice of attempting to steal user information by disguising malicious activity as coming from a trustworthy source. Although the term is generally associated with email, phishing can occur across any type of electronic communication – much like those fake PayPal text messages you sometimes get!

The typical tactic is to trick a user into clicking on an embedded link or downloading an attachment. Instead of being directed to a legitimate site/resource, a malicious file could be downloaded and executed on the user’s machine or the user could be tricked into putting their account details into a fake site which the attackers can then gain access to. 

Social engineering 

Social engineering typically refers to the process of tricking users into believing the hacker is a legitimate agent. A common way in which hackers carry out this attack is by calling a victim and posing as someone such as technical support, asking the user for things like network access passwords to try and ‘help them’.

This can be just as effective if done in person, for example someone using a fake uniform and credentials – although that’s far less common these days. Then again, how many times have you walked past someone wearing a high-vis coat and thought they were probably working, when they could have easily just been trying to get information from people?

Malware attachments

Malware is essentially malicious software which has been designed to steal personal data.  

  • Keyloggers – record a user’s activity, whether that’s through keystrokes or screenshots, which is all then shared with a hacker.
  • Ransomware – attempts to block access to an entire system for monetary gain.
  • Screen Scrapers – automated use of a website/impersonating a web browser to perform actions that users would typically perform manually. 

Simple Guessing

Whilst password managers allow you to create a random string of characters that would be virtually impossible to guess, without the need to remember it yourself, many people still rely on memorable phrases. Unfortunately, memorable phrases are much easier to guess than a random string of text!

These can be things such as pets, family or even hobbies – many of which could easily be found in the profile pages on your social media accounts that the password is trying to protect.  

Brute force

The method known as ‘brute force’ is just like the previous method of guessing a user’s password, only it would be based on relevant clues and can be made more sophisticated. Most brute force attacks use some form of automated tool which allows them to try a long list of passwords against a user account. Reverse brute force attacks are basically the opposite – they take the most common passwords and attempt to guess any associated usernames. 
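From a defender's side, the two patterns described above leave different traces in authentication logs. The following is an added example, not part of the original post: the log line format, the function name `classify_failures` and both thresholds are assumptions chosen for illustration, and no time window is applied.

```python
import re
from collections import defaultdict

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2021-04-29T09:00:01Z login_failed user=alice src=203.0.113.10
2021-04-29T09:00:02Z login_failed user=alice src=203.0.113.10
2021-04-29T09:00:03Z login_failed user=alice src=203.0.113.10
2021-04-29T09:00:04Z login_failed user=alice src=203.0.113.10
2021-04-29T09:00:05Z login_failed user=alice src=203.0.113.10
2021-04-29T09:05:00Z login_failed user=bob src=198.51.100.7
2021-04-29T09:05:30Z login_failed user=carol src=198.51.100.7
2021-04-29T09:06:00Z login_failed user=dave src=198.51.100.7
2021-04-29T09:06:30Z login_failed user=erin src=198.51.100.7
2021-04-29T09:07:00Z login_failed user=carol src=192.0.2.50
2021-04-29T09:07:10Z login_ok user=carol src=192.0.2.50
"""

LINE_RE = re.compile(r"^\S+ (login_failed|login_ok) user=(\S+) src=(\S+)$")


def classify_failures(log_text, per_account_limit=5, distinct_user_limit=4):
    """Flag accounts hit by many failures and sources failing across many accounts."""
    fails_by_user = defaultdict(int)   # brute force: many guesses at one account
    users_by_src = defaultdict(set)    # reverse: one source, many usernames
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != "login_failed":
            continue  # skip successes and unparseable lines
        user, src = m.group(2), m.group(3)
        fails_by_user[user] += 1
        users_by_src[src].add(user)
    return {
        "brute_force_accounts": sorted(
            u for u, n in fails_by_user.items() if n >= per_account_limit),
        "reverse_brute_force_sources": sorted(
            s for s, users in users_by_src.items()
            if len(users) >= distinct_user_limit),
    }


if __name__ == "__main__":
    print(classify_failures(SAMPLE_LOG))
```

In the sample, no account targeted by the second source ever reaches the per-account limit, which is why a reverse brute force attempt has to be counted per source rather than per account.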

Why MFA is effective

Although this information sounds quite scary, it is worth noting that Multi-Factor Authentication (MFA) is used across the University, which renders most hacking techniques on passwords useless. Having unauthorised access to another user’s account name and password could let an attacker in, but MFA means that unless they have access to the phone or device which gets the notification to allow access, they won’t be able to get past the authentication stage.
