As the saying goes, “There’s more than one way to skin a cat.” And this proverb exactly describes the situation with passwords. I’ve already discussed the inherent problems with passwords in a previous blog post, and I listed the possible alternatives to passwords in my latest piece in TechCrunch. In this post, I’ll describe some of the tools and tricks hackers use to either steal your password or bypass it.
Brute force attacks
Brute force is the most primitive and simple type of attack against passwords, and it involves guessing passwords by trying different possible combinations. Hackers usually have a dictionary of commonly used passwords and their different variations, which they use in brute force attacks. That’s why you’ll also hear the name “dictionary attack.”
Since trying millions of different possibilities is beyond human capacity and would take thousands of years, brute force attacks are usually staged through an automated program. More resourceful hackers use botnets (an army of zombie infected computers and connected devices that are at the command of a remote “herder”) to split the task, speed things up, and thwart the victim’s attempts to block out a single node that is trying to brute force its way in.
Online services usually warn users when their account is being brute-forced or accessed from an unknown location, so watch out and pay attention to the warnings your service provider gives you. For plain vanilla passwords, you can reduce the risks by choosing very strong and unpredictable passwords. Sadly, this is a guideline that many users do not take seriously, and strings such as “password” and “123456” remain among the most popular passwords.
The more advanced types of multi-factor authentication methods can prevent such attacks because they rely on the user knowing the password or PIN, and on having something, such as a fob or a mobile device, which the attacker doesn’t have.
Man in the middle attacks
This type of attack is also known as “bucket brigade.” As the name implies, in MitM, a malicious user intercepts communications between you and the online server you’re logging into, and steals your username and password when you submit them. This usually happens without you ever finding out, which makes it even more dangerous, because the attacker will start using your account and spying on you without leaving a trace.
Staging MitM attacks on unencrypted communications is a piece of cake for hackers. That’s why sites that exchange data with users usually use encryption protocols such as SSL and TLS to secure their communication channels. However, although these protocols increase the difficulty of MitM attacks by several orders of magnitude, they do come with their own vulnerabilities and have been broken in the past.
The key to eliminating the threat of MitM attacks is to use procedures that avoid exchanging secrets between servers and clients. Authentication protocols that rely on “zero-knowledge proof” or use signature-based handshakes are immune to such attacks.
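An added example (not from the original post) of a login in which no secret crosses the wire. It uses Schnorr identification, chosen here as one well-known zero-knowledge protocol, and shows that a recorded session only verifies again if the server happens to repeat the same challenge. The group parameters `P`, `Q`, `G` are toy values picked for readability, and all class and function names are assumptions of this sketch.

```python
import secrets

# Toy group for illustration only (far too small for real use):
# P = 2*Q + 1 with P and Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1   # secret: never leaves the client
    return x, pow(G, x, P)             # server stores only y = G^x mod P


class Prover:
    def __init__(self, secret):
        self._x = secret

    def commit(self):
        self._r = secrets.randbelow(Q - 1) + 1   # fresh nonce per login
        return pow(G, self._r, P)

    def respond(self, challenge):
        return (self._r + challenge * self._x) % Q


class Verifier:
    def __init__(self, public):
        self._y = public

    def challenge(self, commitment):
        self._t = commitment
        self._c = secrets.randbelow(Q)           # unpredictable per session
        return self._c

    def check(self, response):
        # Accept iff G^s == t * y^c (mod P)
        return pow(G, response, P) == (self._t * pow(self._y, self._c, P)) % P


def login(prover, verifier):
    """Run one session; return the wire transcript and the verdict."""
    t = prover.commit()
    c = verifier.challenge(t)
    s = prover.respond(c)
    return (t, c, s), verifier.check(s)


def replay(transcript, verifier):
    """Resend a recorded (t, c, s) against a new session of the verifier."""
    t, _, s = transcript
    new_c = verifier.challenge(t)
    return new_c, verifier.check(s)
```

With a real-sized group the chance of a repeated challenge is negligible, which is why the recorded transcript is useless to whoever captured it.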
Keyloggers are malware which, once installed on your computer, will monitor every keystroke you make on your keyboard and exfiltrate it to some clandestine location where it will be stored for later perusal.
Computers fall victim to keyloggers when visiting infected websites or opening an attachment that comes with an infected email. After that, the next time the user logs into an account, the credentials are captured and sent to the server that controls the malware.
There are many ways to deter keylogger attacks, including constantly installing fresh updates for your system and antivirus program. Also, using a password manager tool can help, but there have been cases of password managers themselves being breached by hackers.
Two-factor authentication and authentication methods that do not involve passwords fix the problem at the root, making spying on your keystrokes irrelevant.
In phishing attacks, hackers target thousands or millions of users by sending cleverly crafted emails that seem to come from reliable and authentic sources, and try to trick the recipient into logging into their account by clicking on a link that is contained in the message. They usually use messages and warnings to urge the user to take action at once and perform a one-time procedure to either activate a new feature on their account or to prevent it from being closed down.
Once users click on the link, they’re redirected to a website that resembles the real service, say Facebook or PayPal, but is in fact a fake version of the same site. When they enter their username and password, the information is sent to the malicious actor that is in control of the counterfeit site.
Phishing attacks can usually be detected by checking the URL of the site you’re logging into (because hackers can’t spoof domains that belong to others), by using anti-malware solutions that are constantly updated with lists of malicious websites, and by simply not being naïve. Don’t believe anything you read in an email that comes from someone you don’t know, and certainly don’t click on links in emails from unknown senders.
Then again, replacing passwords with more advanced methods of authentication can eliminate the threat of phishing attacks altogether.
No matter how strong a password you choose, it won’t help you if your online service provider becomes the target of a data breach, because hackers will be able to make off with the server’s database without a hitch. And this happens a lot. If you’re lucky, your service provider will have encrypted your password. But in many cases, online services use outdated hashing algorithms such as MD5 and SHA1, which can be broken or are easily reversible through large hash dumps that are available on the internet. In other cases, strong symmetric encryption is used to protect passwords, but hackers who gain administrative access to the servers also gain access to the keys to decrypt the passwords.
What’s worse, many users share passwords across accounts, so when a hacker gains access to one of your passwords, they have better chances of hacking other accounts you own, including critical email, bank and credit card accounts.
The solution to this problem is to first use strong hashing algorithms such as SHA-2 and SHA-3 to protect passwords, and second, to salt passwords for good measure. But the ultimate way out of smash-and-grab attacks is to use methods of authentication that do not use shared secrets and avoid storing critical information on the server. There are already several good technologies that are based on this concept.
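The difference salting makes, as an added example that is not part of the original post: unsalted MD5 gives two users with the same password the same stored value, so a precomputed digest table flags both at once, while a per-user random salt makes every stored value unique. The salted version uses PBKDF2 with SHA-256 (a SHA-2 function applied many times), which goes a step beyond the text; the iteration count, user names and passwords are constructed for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def weak_hash(password: str) -> str:
    """Unsalted MD5: the outdated scheme the text warns about."""
    return hashlib.md5(password.encode()).hexdigest()


def exposed_accounts(db: dict, common_passwords: list) -> list:
    """Audit an unsalted table: which users match a precomputed digest list?"""
    table = {weak_hash(p): p for p in common_passwords}
    return sorted(user for user, digest in db.items() if digest in table)


def hash_password(password: str) -> tuple:
    """Salted, iterated SHA-256; the random salt is stored beside the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed sample data: two users picked the same popular password.
USERS = {"alice": "123456", "bob": "123456", "carol": "tr4ctor-Violin-91"}
WEAK_DB = {user: weak_hash(pw) for user, pw in USERS.items()}
SALTED_DB = {user: hash_password(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("flagged in unsalted table:",
          exposed_accounts(WEAK_DB, ["password", "123456"]))
    print("same digest, unsalted:", WEAK_DB["alice"] == WEAK_DB["bob"])
    print("same digest, salted:  ", SALTED_DB["alice"][1] == SALTED_DB["bob"][1])
    print("login still works:    ", verify_password("123456", *SALTED_DB["alice"]))
```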
I barely scratched the surface of the many ways your identity and credentials can be hijacked by malicious users. For one thing, I didn’t even mention social engineering, which happens to be one of the most fatal types of attacks. Just ask CIA director John Brennan, Director of National Intelligence Jim Clapper, and Wired Magazine’s Mat Honan how their accounts were breached. The point is, we have to stay vigilant, take threats seriously and look for new ways to protect our identities.