How Hackers Get Passwords and What You Can Do to Protect Yourself

How Hackers Get Passwords

Passwords have become a part of modern life. We use them every day to identify ourselves online for work and home. In the early days of computing you had maybe one or two passwords; as the internet grew and companies began offering their goods, software, and services online, it’s likely you now have passwords you don’t even remember creating.

Do you end up reusing passwords just to keep it simple? You are not alone – this is a common practice. In fact, 59% of people reuse the same password everywhere! The problem with this habit is that it presents a big security risk for everyone, including your employer. So, if a hacker gets access to your password for your personal bank account, it’s very likely that the hacker could use that password to access multiple logins – including your workplace accounts.

Passwords are a way to “authenticate” or identify that a person is who they say they are. For that reason, they need to be secret only to you.  Protect the things you value by understanding how passwords work and how to protect them.  

How do hackers get passwords, and what are their methods? We’ll discuss a few, along with ways that you can protect yourself.

Providers store passwords insecurely in what’s called ‘clear text’  

When you create a password for access to a website, you probably don’t know how the company is going to store it. Sometimes sites or providers store passwords in just plain text. That means should a hacker be able to access the file or database, they can read the password exactly as you typed it.

How do you know if your password is stored in clear text? You can be sure that your provider stored your password in clear text if you’ve ever done a password reset and they just emailed you what your password is rather than a reset link. Even the most well-known companies sometimes store their passwords in plain text accidentally. In fact, Facebook was recently discovered to be storing passwords in clear text.

Good systems use cryptographic techniques such as one-way, salted hashing to ensure that even if the stored password record is exposed, it is not human readable.
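To make the difference concrete, here is an added example (not code from the post) that contrasts the clear-text storage pattern with a salted, one-way hashed record; the iteration count is an assumption and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

# Assumption: a PBKDF2-HMAC-SHA256 iteration count in line with current guidance.
PBKDF2_ITERATIONS = 600_000


def clear_text_store(password: str) -> dict:
    """The insecure pattern the post describes: the password itself is saved."""
    return {"password": password}


def store_password(password: str) -> dict:
    """Return a record that holds only a salt and a one-way hash, never the password."""
    salt = os.urandom(16)  # unique per user, so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the hash for the login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def leak_reveals_password(record: dict, password: str) -> bool:
    """Simulate someone reading a leaked record: does the password appear in it?"""
    return password in record.values()


if __name__ == "__main__":
    secure = store_password("correct horse battery staple")  # constructed sample
    print("login ok:", verify_password(secure, "correct horse battery staple"))
    print("leak reveals password (hashed):", leak_reveals_password(secure, "correct horse battery staple"))
    print("leak reveals password (clear text):", leak_reveals_password(clear_text_store("hunter2"), "hunter2"))
```

A site that can email you your old password necessarily kept something closer to `clear_text_store`; a site using `store_password` can only offer a reset link.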

Malware on your computer capturing text  

The whole discussion of malware and how it infects your computer could be a series of blog posts all on its own. Malware often installs software on your device that constantly monitors every key you type. It waits for you to go to a banking site, an ERP system, or an online service and type your password. Then, without your knowledge, your password is transferred back to the hacking group to be used later. Here is the creep factor: the best malware resides on a system for weeks or months without detection, and the whole time it is sending your secrets back to criminals.

How to prevent malware: Apply patches regularly and run security monitoring software that catches and reports suspicious activity on your network.

Easy-to-guess passwords used in Brute Force, Dictionary or Password Spraying attacks   

The most common passwords, like 123456 or “password”, are well-known attack targets. Many people use an easy-to-remember password, which can easily be exploited. Hacking organizations use a combination of guessing techniques to break into accounts; this involves using software to guess passwords at the rate of thousands per minute, much faster than anyone could type.

There are many different methods for guessing passwords. First, dictionary attacks happen when the attacker uses common words found in the dictionary to try to break into an account. Brute force attacks are when all possible combinations of passwords are tried to access the system. And finally, password spray attacks happen when the perpetrator tries a relatively small number of passwords against a very large number of accounts.

How to avoid password attacks: Enforce policies that prevent easy-to-guess passwords, and limit the number of attempts someone can make to log in, to prevent these types of break-ins.
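The attempt limit above is a per-account control, and it catches brute force but not spraying, where each account sees only one or two tries. This added example (not code from the post) runs a per-account lockout and a per-source classifier over a constructed set of failed-login events; the thresholds and the sample IPs and account names are assumptions.

```python
from collections import defaultdict

# Constructed failed-login events (source IP, target account) from one time window.
# Sample data for illustration only, not taken from any real log.
FAILED_LOGINS = [
    ("203.0.113.7", "alice"), ("203.0.113.7", "alice"), ("203.0.113.7", "alice"),
    ("203.0.113.7", "alice"), ("203.0.113.7", "alice"), ("203.0.113.7", "alice"),
    ("198.51.100.4", "alice"), ("198.51.100.4", "bob"), ("198.51.100.4", "carol"),
    ("198.51.100.4", "dave"), ("198.51.100.4", "erin"), ("198.51.100.4", "frank"),
    ("192.0.2.9", "bob"),
]


def failures_per_account(events):
    """Count failed attempts against each account, regardless of source."""
    counts = defaultdict(int)
    for _, account in events:
        counts[account] += 1
    return counts


def should_lock_account(events, account, max_attempts=5):
    """Per-account lockout: the attempt limit the post recommends."""
    return failures_per_account(events)[account] >= max_attempts


def classify_sources(events, brute_threshold=5, spray_accounts=5):
    """Per-source view: many tries on one account is brute force; a few tries
    each across many accounts is a password spray that lockout alone misses."""
    per_source = defaultdict(lambda: defaultdict(int))
    for src, account in events:
        per_source[src][account] += 1
    findings = {}
    for src, accounts in per_source.items():
        most_on_one_account = max(accounts.values())
        if most_on_one_account >= brute_threshold:
            findings[src] = "brute_force"
        elif len(accounts) >= spray_accounts and most_on_one_account <= 2:
            findings[src] = "password_spray"
    return findings


if __name__ == "__main__":
    print("lock alice:", should_lock_account(FAILED_LOGINS, "alice"))
    print("lock carol:", should_lock_account(FAILED_LOGINS, "carol"))
    print("sources:", classify_sources(FAILED_LOGINS))
```

Note that "carol" is never locked even though the spraying source is clearly hostile; that is why the per-source check is needed alongside the lockout.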

Social engineering  

Unfortunately, we humans are usually the weakest link in any system.  Social engineering is a huge attack vector for hackers.  This can include phishing attempts where an email that looks legit asks users to “login” to a site that is made to look authentic when it’s really a way to capture usernames and passwords.  Other even more targeted attacks can involve calling users and impersonating someone from IT or another company to trick users into giving away their secret.  There are thousands of websites that take advantage of typos in the URL so that you think you’re where you intended.  Instead, you are at a hacking site and you give your credentials to them.   

How to keep your organization safe:  Educate employees about these types of attacks and conduct regular tests and reeducation as methods of phishing get more and more sophisticated.  

Here are some additional ways to help reduce your risk of password hacking.

Use multi-factor authentication.   Anytime it’s available, accounts should be secured by more than a password. 

Perform system maintenance regularly. Make sure that you are applying patches at the operating system, application, and systems level on a consistent schedule. Missing one patch means that an attacker can exploit that vulnerability the next day. It’s something that must be done regularly. Period.

Use sophisticated detection, prevention and monitoring software. Patching your systems isn’t enough. You must have software on your network and devices that is looking for suspicious behavior, and that software has to come from trusted companies who constantly monitor global threats and update their attack signatures.

Use a password manager. Never reuse passwords. A good password manager can generate passwords for you and make them available wherever you need them. When you do this, your secrets are safe.

Educate your team. While systems, software and policies are good, they are only as good as the people who know your passwords. Make sure you have a constant source of education and reeducation for the people who use your systems. Then test regularly. Employees need to know and see examples of threats, so they know what to look for.


If all this seems a bit overwhelming and a lot for your organization to manage, fear not. Arctic IT is here to help your organization. ArcticCare, our award-winning managed service offering, helps you navigate the threat landscape and put into place the policies to limit your exposure.

By Phil Jackson, CIO at Arctic IT.