Hackers are always on the lookout for new methods to steal passwords in order to get around security restrictions and obtain access. Once inside, attackers may steal your identity, money, or sensitive information, unlock access to other accounts, install malware, commit fraud, espionage, or sabotage, or sell your credentials on the dark web to unscrupulous bidders. According to Verizon’s 2021 investigations report, stolen credentials are responsible for 61% of security breaches.
Any of the following four strategies may be used to breach usernames and passwords:
Theft of Passwords
One of the most common ways attackers obtain passwords is through phishing and social engineering. An attacker sends an email, SMS, or social media link posing as a trusted source (friends, relatives, or known persons). The message normally looks legitimate and contains a harmful file or a link to a fake URL that, when clicked, installs malware or redirects you to a page where you must enter credentials. If malware is installed, it searches the victim's computer's memory, web browsers, password caches, and disk storage for passwords that can be extracted from programs, apps, or processes. Password sniffing utilities and other tools may be used to record keystrokes and listen in on conversations. Because the typical user has passwords for 200 or more online accounts, each online service is a possible target for credential theft.
Shoulder surfing
All of the ways to compromise a password that we've looked at so far have been virtual. As lockdowns relax and personnel return to the office, it's important to remember that certain tried-and-true eavesdropping tactics may also be dangerous. Shoulder surfing is still a real risk for a variety of reasons, and ESET's Jake Moore recently conducted an experiment to see how easy it is to hijack someone's Snapchat account using this basic approach.
A more sophisticated variant, a "man-in-the-middle" attack using Wi-Fi eavesdropping, lets hackers capture your password as you type it while you are connected to the same network. Both techniques have been around for a long time, but that doesn't make them any less dangerous.
Guesswork
Although hackers have automated tools for brute-forcing your password, they don't always need them: plain guessing, rather than the more methodical technique used in brute-force attacks, is sometimes enough. "123456" was the most popular password in 2020, followed by "123456789." The one and only "password" came in fourth place.
And if you're like most people and reuse the same password or a similar variant across many accounts, you're making things much easier for criminals and putting yourself at risk of identity theft and fraud.
Brute force
In 2020, the average number of passwords a person must maintain is expected to climb by 25% year over year. As a result, many of us use easy-to-remember (and easy-to-guess) passwords that we repeat across several sites. This, however, opens the door to so-called brute-force methods.
Credential stuffing is one of the most prevalent. Attackers use automated tools to feed large numbers of previously compromised username/password combinations into login forms. The tool then tests these against a huge number of websites in the hope of finding a match. Hackers may therefore need only one password to gain access to several of your accounts. According to one estimate, there were 193 billion such attempts worldwide last year. The Canadian government was one of the most recent victims.
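Credential stuffing and classic brute force leave different footprints in an authentication log: stuffing is one source trying one or two passwords against many different accounts, brute force is one source hammering a single account. The script below is an added example (not from the article or from ESET) that parses a few constructed, syslog-style login lines and labels each source IP by that pattern; the log format, field names and thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format:
# "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2021-06-01T10:00:01Z auth FAIL user=alice src=203.0.113.7
2021-06-01T10:00:02Z auth FAIL user=bob src=203.0.113.7
2021-06-01T10:00:02Z auth FAIL user=carol src=203.0.113.7
2021-06-01T10:00:03Z auth OK   user=dave src=203.0.113.7
2021-06-01T10:00:04Z auth FAIL user=erin src=203.0.113.7
2021-06-01T10:00:05Z auth FAIL user=frank src=203.0.113.7
2021-06-01T10:00:06Z auth FAIL user=grace src=203.0.113.7
2021-06-01T10:00:10Z auth FAIL user=alice src=198.51.100.2
2021-06-01T10:00:11Z auth FAIL user=alice src=198.51.100.2
2021-06-01T10:00:12Z auth FAIL user=alice src=198.51.100.2
2021-06-01T10:00:13Z auth FAIL user=alice src=198.51.100.2
2021-06-01T10:00:14Z auth FAIL user=alice src=198.51.100.2
2021-06-01T10:00:15Z auth FAIL user=alice src=198.51.100.2
2021-06-01T10:05:00Z auth FAIL user=heidi src=192.0.2.9
2021-06-01T10:05:30Z auth OK   user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL)\s+user=(\S+) src=(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def classify_sources(events, window=timedelta(minutes=1), min_failures=5, min_users=4):
    """Label each source IP whose busiest sliding window holds at least
    `min_failures` failed logins. Many distinct failed usernames from one
    source means credential stuffing; repeated failures on one or a few
    accounts means brute force. Successful logins inside such a window are
    reported too, because in a stuffing run those are the accounts to reset."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        best = None
        for i in range(len(evs)):
            failures, failed_users, successes = 0, set(), []
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                _, result, user, _ = evs[j]
                if result == "FAIL":
                    failures += 1
                    failed_users.add(user)
                else:
                    successes.append(user)
                j += 1
            if best is None or failures > best["failures"]:
                best = {"failures": failures,
                        "distinct_users": len(failed_users),
                        "successes": successes}
        if best["failures"] < min_failures:
            continue  # normal typo-level failure rate, nothing to flag
        label = "credential_stuffing" if best["distinct_users"] >= min_users else "brute_force"
        findings[src] = dict(best, label=label)
    return findings


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are deliberately low so the constructed sample triggers; in production they should be tuned against a baseline of ordinary failed-login volume, and the "successes" list is the actionable output, since those accounts were reached with a reused password and need a reset and a check for reuse elsewhere.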
Malware
Malware is another frequent method of obtaining your credentials. Phishing emails are a common vector for this kind of attack, but you might also become a victim by clicking on a malicious online advertisement (malvertising) or visiting a compromised website (drive-by download). As ESET researcher Lukas Stefanko has shown several times, malware may be concealed in a legitimate-looking mobile app, often distributed through third-party app stores.
There are many different types of data-stealing malware, but the most typical ones are designed to record your keystrokes or take screenshots of your device and send them back to the attackers.
Social engineering and phishing
Humans are imperfect and impressionable animals. When we're hurried, we're also more likely to make poor judgments. Social engineering, a psychological con trick designed to get us to do something we shouldn't, is one way cybercriminals exploit these flaws. The most well-known example is phishing. Hackers pose as genuine entities, such as friends, relatives, or corporations with whom you've done business. The email or text you get may seem legitimate, but it will include a malicious link or attachment that, if clicked, will download malware or direct you to a website where you must enter your personal information.
Fortunately, as we demonstrate below, there are a number of ways to recognize the warning signs of a phishing attack. Scammers are even calling victims to extract logins and other personal information directly, frequently posing as tech support specialists. This is known as "vishing" (voice-based phishing).
Cracking password hashes
Another way attackers break victim credentials is by stealing password hashes. In most current operating systems, a cryptographic hash function transforms each password a user enters into a fixed-length hash of that password. Password authentication databases store these hashes, and the operating system uses them to authenticate users accessing services or applications. If an attacker is able to recover such a hash, they can work on it offline: hashing candidate passwords and comparing the results until one matches. This is known as password hash cracking. Advanced hash cracking software has been reported to guess billions of passwords each second.
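How much those billions of guesses per second matter depends on how the hashes were stored. The following is an added example (not from the article or from ESET) contrasting the weak scheme the paragraph describes, a single fast unsalted hash, with per-user salting and a deliberately slow key-derivation function; the user names and passwords are constructed, and the iteration count is an assumption that should be tuned to the hardware in use.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts (not real data); note alice and bob reuse a password.
USERS = {
    "alice": "Summer2020!",
    "bob": "Summer2020!",
    "carol": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 600_000  # assumption: raise until one check costs a noticeable fraction of a second


def store_unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Equal passwords give equal
    hashes, so one precomputed table or one cracked hash covers every user
    sharing that password, and each guess costs a single SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: random 16-byte salt per user plus a slow KDF.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hashes(records: dict) -> bool:
    """True if any two users share an identical stored value, which is exactly
    what a password-reuse audit (or an attacker with the database) would see."""
    values = list(records.values())
    return len(values) != len(set(values))


def seconds_per_check(fn, password: str, stored: str, rounds: int = 3) -> float:
    """Rough wall-clock cost of one verification; the ratio between the two
    schemes is the factor by which a cracker's guess rate is cut."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password, stored)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    weak = {u: store_unsalted_sha256(p) for u, p in USERS.items()}
    strong = {u: store_salted_pbkdf2(p) for u, p in USERS.items()}
    print("unsalted SHA-256 reveals shared passwords:", duplicate_hashes(weak))
    print("salted PBKDF2 reveals shared passwords:  ", duplicate_hashes(strong))
    fast = seconds_per_check(lambda p, s: store_unsalted_sha256(p) == s, "Summer2020!", weak["alice"])
    slow = seconds_per_check(verify_salted_pbkdf2, "Summer2020!", strong["alice"])
    print(f"one check: sha256 {fast:.2e}s, pbkdf2 {slow:.2e}s, ratio ~{slow / fast:.0f}x")
```

The salt defeats precomputed tables and makes every stolen hash a separate cracking job; the iteration count turns "billions of guesses per second" into a far smaller number per stolen hash. A memory-hard KDF such as Argon2id is the usual choice today, but PBKDF2 is used here because it ships in the standard library.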
Password Reset Without Authorization
The majority of authentication systems now let users change their passwords on their own, because most users forget their passwords, which would otherwise generate a high volume of support calls and inquiries. Attackers often abuse this self-service password reset (SSPR) feature to bypass the authentication system entirely. Depending on the authentication system and its reset process, attackers may do this in a variety of ways. In a nutshell, attackers hunt for flaws in the SSPR solution and exploit them to force a password reset. Once the password is reset, the attacker controls the account and uses it in an unlawful account takeover.
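The properties a reset flow needs in order not to become that bypass are well understood: the token must be unguessable, bound to one account, short-lived, usable once, stored only as a hash (so a database leak does not hand out live tokens), and the request endpoint must answer identically whether or not the account exists. The class below is an added example (not from the article or from ESET) implementing those rules; the user list, the 15-minute lifetime and the injectable clock are assumptions made so the behaviour can be exercised offline.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: short lifetime limits the window for a stolen link


@dataclass
class PendingReset:
    username: str
    expires_at: float


class ResetService:
    """Minimal self-service password reset (SSPR) back end.
    `known_users` is a constructed account list; `clock` is injectable for testing."""

    GENERIC_REPLY = "If that account exists, a reset link has been sent."

    def __init__(self, known_users, clock=time.time):
        self.known_users = set(known_users)
        self.clock = clock
        self._pending = {}  # sha256(token) -> PendingReset; raw tokens are never stored

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str):
        """Returns (reply, token). The reply is the same for unknown accounts so
        the endpoint cannot be used to enumerate users. In a real system the
        token would go only to the account's verified contact channel; it is
        returned here so the example can be exercised."""
        token = None
        if username in self.known_users:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            self._pending[self._hash(token)] = PendingReset(
                username=username, expires_at=self.clock() + TOKEN_TTL_SECONDS)
        return self.GENERIC_REPLY, token

    def redeem(self, username: str, token: str) -> bool:
        """True only for a live, unused token issued for this exact account.
        The record is removed on the first attempt, so a token can never be
        used twice and a wrong-account attempt burns it rather than leaving
        it live for a second try."""
        record = self._pending.pop(self._hash(token), None)
        if record is None:
            return False
        if record.username != username:
            return False
        if self.clock() > record.expires_at:
            return False
        return True


if __name__ == "__main__":
    svc = ResetService(["alice"])
    reply, token = svc.request_reset("alice")
    print(reply, "->", svc.redeem("alice", token), svc.redeem("alice", token))
```

Returning True is the point at which the caller sets the new password and, importantly, invalidates existing sessions and notifies the account owner; those steps are left to the surrounding application.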