Understanding the password cracking techniques hackers use to break into online accounts is a great way to make sure it never happens to you.
You'll always need to change a password eventually, sometimes more urgently than you think, but understanding how credentials get stolen is the best way to stay on top of your account security. You can head to www.haveibeenpwned.com to check whether your accounts have already turned up in a breach, but assuming your password is secure enough never to be cracked is a bad mindset to have.
So, to help you understand how hackers get your passwords, secure or not, we've compiled a list of the top ten password cracking techniques in use. Some of the methods below are certainly old, but that doesn't mean they're no longer used. Read carefully and learn what to mitigate.
Top Ten Password Cracking Techniques Hackers Use
1. Dictionary Attack
The dictionary attack uses a simple file containing words that can be found in a dictionary, hence its rather simple name. In other words, this attack tries exactly the type of words that many people use as passwords. Each candidate is hashed and compared against the stolen hash, so with a fast hash function millions of words can be tried per second.
Cleverly grouping words, as in "letmein" or "superadministratorguy", won't stop your password from being cracked this way. Crackers also apply "mangling rules" to every word (capitalising, appending digits or a year, swapping letters for symbols), so the trick buys you a few extra seconds at best.
2. Brute Force Attack
Similar to the dictionary attack, the brute force attack comes with an added bonus for the hacker. Instead of relying on a wordlist, it tries every possible combination of the allowed characters up to a given length, so it also finds passwords that appear in no dictionary.
It's not fast, provided your password is more than a handful of characters: the number of candidates grows exponentially with length and with the size of the character set, so every extra character multiplies the work. Given enough time, though, it will eventually hit your password. Brute force attacks can be shortened by throwing more computing power at them, both in raw processing power, including harnessing your video card's GPU, and in number of machines, spreading the work the way distributed computing projects such as online bitcoin miners do.
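To make the two attacks above concrete, here is a small Python cracker, added for this article and not part of the original text, that runs a dictionary attack with mangling rules and then a brute force search against a constructed file of unsalted SHA-1 hashes. The usernames, passwords, wordlist and suffix list are all made up for the demo; the keyspace function shows why each extra character hurts the brute forcer so much.

```python
import hashlib
import itertools
import string

def sha1_hex(text):
    """Unsalted SHA-1: the kind of fast hash that makes these attacks practical."""
    return hashlib.sha1(text.encode()).hexdigest()

# Constructed "leaked" hash file (username -> unsalted SHA-1). In a real leak the
# attacker only has the hashes; the plaintexts appear here only to build the sample.
SAMPLE_PLAINTEXTS = {"alice": "letmein", "bob": "Summer2023", "carol": "z7q"}
LEAKED_HASHES = {user: sha1_hex(pw) for user, pw in SAMPLE_PLAINTEXTS.items()}

# Constructed wordlist; a real one such as rockyou.txt has millions of entries.
WORDLIST = ["password", "letmein", "summer", "winter", "admin", "qwerty"]
SUFFIXES = ["", "1", "123", "!", "2023"]
ALPHABET = string.ascii_lowercase + string.digits

def mangle(word):
    """Yield the cheap variations crackers try on every dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix

def dictionary_attack(hashes, wordlist):
    """Return {username: password} for every hash matched by a mangled word."""
    wanted = {h: user for user, h in hashes.items()}   # hash -> username
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            user = wanted.get(sha1_hex(candidate))
            if user is not None and user not in cracked:
                cracked[user] = candidate
    return cracked

def keyspace_size(alphabet, max_len):
    """Number of candidates brute force must try in the worst case."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))

def brute_force(hashes, alphabet, max_len):
    """Try every string over `alphabet` up to `max_len`; stop once all are cracked."""
    wanted = {h: user for user, h in hashes.items()}
    cracked = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            user = wanted.get(sha1_hex(candidate))
            if user is not None:
                cracked[user] = candidate
                if len(cracked) == len(wanted):
                    return cracked
    return cracked

if __name__ == "__main__":
    by_dictionary = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print("dictionary attack cracked:", by_dictionary)
    leftover = {u: h for u, h in LEAKED_HASHES.items() if u not in by_dictionary}
    print("keyspace up to 3 chars:", keyspace_size(ALPHABET, 3))
    print("brute force cracked:", brute_force(leftover, ALPHABET, 3))
    print("keyspace up to 10 chars:", keyspace_size(ALPHABET, 10))
```

The dictionary pass finds "letmein" directly and "Summer2023" through a capitalise-plus-suffix rule; only the short non-word is left for the brute forcer, whose three-character keyspace is tiny next to the ten-character one the last line prints.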
3. Rainbow Table Attack
Rainbow tables aren't as colorful as their name suggests, but for a hacker your password might just be at the end of one. Put simply, a rainbow table is a list of precomputed hashes, the fixed-size values a system stores instead of the password itself. The table covers every password over a given character set and length for a given hashing algorithm, stored compactly as chains of hashes so that only the chain endpoints need to be kept. Rainbow tables are appealing because they reduce cracking a password hash to looking something up in a list, trading disk space for computation done once in advance.
However, rainbow tables are huge and unwieldy things. They take significant computing power to generate and a lot of storage to keep, and a table becomes useless if the hash it is trying to match has been "salted": a random string is added to the password before hashing, so the same password produces a different hash on every system and the precomputed table no longer applies.
There is talk of salted rainbow tables, but they would be so large that they would be difficult to use in practice. They would probably only work for a predefined set of salt values and password strings shorter than 12 characters, as the size of the table would be prohibitive even for state-level attackers.
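The following Python program is an added illustration, not code from the original article: a miniature rainbow table over every four-letter lowercase password, hashed with unsalted MD5. It stores only chain endpoints, recovers a password from its bare hash, and then fails on the same password once a salt is prepended. The chain length, starting points and the salt value are arbitrary choices for the demo.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4                           # keyspace: every 4-letter lowercase string
CHAIN_LEN = 50                       # hashes per chain; only the endpoint is stored
KEYSPACE = len(ALPHABET) ** PW_LEN   # 456,976 candidates

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def index_to_password(n):
    """Map an integer in [0, KEYSPACE) to a password string."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def reduce_hash(hex_digest, position):
    """Reduction function: map a hash back into the keyspace. `position` varies
    the function per chain step, which is what distinguishes a rainbow table
    from an older Hellman table and limits chains merging into each other."""
    return index_to_password((int(hex_digest, 16) + position) % KEYSPACE)

def build_table(start_points):
    """Return {endpoint: [start, ...]}. Each chain of CHAIN_LEN hashes is kept
    as a single endpoint: that is the time/memory tradeoff."""
    table = {}
    for start in start_points:
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), pos)
        table.setdefault(pw, []).append(start)
    return table

def lookup(table, target_hex):
    """Recover the password behind an unsalted hash, or None if no chain covers it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # assume the target sits at step `pos`; run the rest of the chain to its end
        candidate = reduce_hash(target_hex, pos)
        for p in range(pos + 1, CHAIN_LEN):
            candidate = reduce_hash(md5_hex(candidate), p)
        for start in table.get(candidate, ()):
            # endpoint matched: regenerate that chain and look for the hash in it
            pw = start
            for p in range(CHAIN_LEN):
                if md5_hex(pw) == target_hex:
                    return pw
                pw = reduce_hash(md5_hex(pw), p)
    return None

# Constructed starting points: every 211th password, about 2,200 chains for a
# 456,976-entry keyspace (real tables use random starts and far longer chains).
START_POINTS = [index_to_password(i) for i in range(0, KEYSPACE, 211)]

if __name__ == "__main__":
    table = build_table(START_POINTS)
    print(f"stored endpoints: {len(table)} for a keyspace of {KEYSPACE}")
    print("unsalted md5('diaa') ->", lookup(table, md5_hex("diaa")))
    salted = md5_hex("k9$Q" + "diaa")   # same password with a random salt prepended
    print("salted md5(salt+'diaa') ->", lookup(table, salted))
```

Passwords that start a chain are guaranteed to be found; the rest are covered only probabilistically, which is why real tables are built with many more chains than this. The salted hash is never found because "k9$Q" + "diaa" is not in the four-letter keyspace the table was built over, regardless of how much disk the attacker has.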
4. Phishing
There is a simpler way to get a password: ask the user for it. A phishing email leads the unsuspecting reader to a fake login page imitating the service the hacker wants to access, usually claiming the user must fix some terrible problem with their security. The page captures whatever password is typed in, and the hacker can then use it for their own purposes.
Why bother cracking the password when the user will happily hand it over?
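As an added example (not from the original article), the check below is what a password manager or a careful reader does before typing a password into a login page: it decides whether the URL really belongs to the expected site, rather than merely mentioning its name somewhere. The list of known login domains, the lookalike-character table and the sample URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed set of registrable domains we expect to log in to.
KNOWN_LOGIN_DOMAINS = {"paypal.com", "google.com"}

# A few digit-for-letter lookalikes attackers swap into hostnames; not exhaustive.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable_match(host, expected):
    """True only if `host` is `expected` or a genuine subdomain of it."""
    return host == expected or host.endswith("." + expected)

def classify_login_url(url):
    """Return (verdict, reason) for the URL a login form is served from."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return "suspicious", "login page not served over https"
    if any(registrable_match(host, known) for known in KNOWN_LOGIN_DOMAINS):
        return "ok", f"{host} belongs to a known login domain"
    # Brand name present but not as the registrable domain: the classic
    # "paypal.com.secure-login.example", "paypa1.com" or "/paypal.com/login" trick.
    for known in KNOWN_LOGIN_DOMAINS:
        brand = known.split(".")[0]
        if brand in host.translate(CONFUSABLES) or brand in parts.path.lower():
            return "phishing", f"'{brand}' appears in the URL but the domain is {host}"
    return "unknown", f"{host} is not a known login domain"

if __name__ == "__main__":
    for sample in [                                   # constructed sample URLs
        "https://www.paypal.com/signin",
        "https://paypal.com.secure-login.example/signin",
        "https://paypa1.com/signin",
        "https://cdn.example/paypal.com/login",
        "http://www.paypal.com/signin",
    ]:
        print(f"{sample:50s} -> {classify_login_url(sample)}")
```

The important design point is that the match is on the registrable domain, not on a substring: "paypal.com.secure-login.example" contains the brand in full but is owned by whoever registered secure-login.example.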
5. Social engineering
Social engineering takes the whole concept of "asking the user" out of the inbox, where phishing tends to stay, and into the real world.
One of the social engineer's favorites is to call an office posing as a computer security technician and simply ask for the network access password. You'd be amazed at how often it works. Some even have the nerve to don a suit and name tag before walking into a business to ask the receptionist the same question face to face.
6. Malware
A keylogger or screen scraper installed by malware records everything you type, or takes screenshots during a login, and then sends a copy of that file back to the attacker.
Some malware will look for a web browser's saved-password store and copy it; unless that store is properly encrypted, the saved passwords in it are easily recovered.
7. Offline cracking
It's easy to imagine that passwords are secure when the systems they protect lock users out after three or four wrong guesses, stalling automated guessing tools. That would be true were it not for the fact that most password cracking takes place offline, using a set of hashes from a password file that was "obtained" from a compromised system. Offline there is no lockout and no rate limit: the only thing slowing the attacker down is how expensive each hash is to compute.
Often, the target has been compromised via a hack on a third party, which then provides access to the target's servers and those all-important password hash files. The password cracker can then take all the time necessary to attempt to crack the hashes without alerting the target system or the individual user.
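Since the lockout counter does nothing offline, the defender's lever is the cost of each guess. The Python below is an added example, not from the original article: it stores passwords with salted PBKDF2-HMAC-SHA256 from the standard library, verifies them in constant time, and measures how many guesses per second a single core manages against raw SHA-1 versus the slow hash. The iteration count and the sample passwords are choices made for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000   # PBKDF2 work factor; tune so one verification costs a fraction of a second

def sha1_hex(password):
    """The fast, unsalted hash an offline cracker hopes to find in the dump."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

def guesses_per_second(hash_fn, seconds=0.25):
    """Rough single-core rate at which an offline attacker can test guesses."""
    count, start = 0, time.perf_counter()
    while True:
        hash_fn(f"guess{count}")
        count += 1
        elapsed = time.perf_counter() - start
        if elapsed >= seconds:
            return count / elapsed

def hours_to_search(keyspace, rate):
    return keyspace / rate / 3600

if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print("verify ok:", verify_password("correct horse battery", stored))
    fast = guesses_per_second(sha1_hex)
    slow = guesses_per_second(lambda pw: hash_password(pw))
    keyspace = 36 ** 8   # every 8-character lowercase+digit password
    print(f"SHA-1:  {fast:,.0f} guesses/s -> {hours_to_search(keyspace, fast):,.0f} h")
    print(f"PBKDF2: {slow:,.2f} guesses/s -> {hours_to_search(keyspace, slow):,.0f} h")
```

The measured rates are for one CPU core in Python; a GPU rig multiplies the SHA-1 figure by orders of magnitude, which is exactly why the stored format must carry a per-user salt and a work factor you can raise over time.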
8. Shoulder Surfing
Another form of social engineering, shoulder surfing, is just what it sounds like: peeking over a person's shoulder while they type in credentials, passwords, PINs and so on. Although the concept is very rudimentary, you would be surprised at how many passwords and how much sensitive information are stolen this way, so be aware of your surroundings when accessing bank accounts and the like while travelling.
The most confident hackers will assume the guise of a package courier, air conditioning technician, or anything else that gets them into an office building. Once inside, the "uniformed" service worker has a kind of free pass to walk around unhindered and note passwords entered by real staff members. It also provides a great opportunity to read all those post-it notes stuck to the front of monitors with credentials scribbled on them.
9. Spidering
Savvy hackers have realized that many corporate passwords are made up of words related to the company itself. Studying corporate literature, website sales materials, and even the websites of listed competitors and customers can provide the ammunition needed to build a custom wordlist for a dictionary attack.
Very savvy hackers have automated the process, letting loose a spidering application, similar to the web crawlers used by major search engines, to identify keywords and collect and assemble the lists for them.
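Here is an added Python example of that automation, not from the original article, in the style of wordlist spiders such as CeWL: it tokenises company text, drops stop words and short tokens, ranks the rest by frequency, and turns the top terms into password candidates. The company text is a constructed excerpt about a fictional firm, and the stop-word and year lists are choices for the demo.

```python
import re
from collections import Counter

# Constructed excerpt of a fictional company's public web pages (not a real site).
CORPORATE_TEXT = """
Welcome to Northwind Traders! Since 1998 Northwind has shipped premium coffee
beans from our roastery in Seattle. Meet the Northwind team: our founder
Elena Vargas, our mascot Beanie, and our flagship product Roast Master 3000.
Careers at Northwind: join us in Seattle or at our new Portland roastery.
"""

STOPWORDS = {"the", "and", "our", "from", "has", "since", "welcome", "meet",
             "join", "with", "new", "for", "you", "your", "this", "that", "are",
             "was", "to", "in", "at", "or", "us", "of"}

def spider_words(text, min_len=4):
    """Extract candidate words the way a CeWL-style spider does: tokenise,
    drop stop words and short tokens, rank by how often they appear."""
    tokens = re.findall(r"[A-Za-z][A-Za-z0-9]+", text)
    counts = Counter(
        t.lower() for t in tokens
        if len(t) >= min_len and t.lower() not in STOPWORDS
    )
    return [word for word, _ in counts.most_common()]

def targeted_wordlist(text, years=("2023", "2024")):
    """Turn spidered words into password candidates: plain, capitalised,
    word+year, and pairs of the most frequent words joined together."""
    words = spider_words(text)
    top = words[:5]
    candidates = []
    for w in words:
        candidates += [w, w.capitalize()]
        for y in years:
            candidates.append(w.capitalize() + y)
    for a in top:
        for b in top:
            if a != b:
                candidates.append(a + b)
    seen = set()   # dedupe while keeping frequency order
    return [c for c in candidates if not (c in seen or seen.add(c))]

if __name__ == "__main__":
    print("top spidered words:", spider_words(CORPORATE_TEXT)[:8])
    wordlist = targeted_wordlist(CORPORATE_TEXT)
    print(f"{len(wordlist)} candidates, e.g.", wordlist[:6])
```

The output is a small, highly targeted wordlist: a few hundred guesses built around "Northwind", "Seattle" and "roastery" will do more against that company's staff than the first million lines of a generic list.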
10. Guessing
A password cracker's best friend, of course, is user predictability. Unless a truly random password has been created with software dedicated to the task, a user-generated "random" password is unlikely to be anything of the kind.
Instead, thanks to our brain's emotional attachment to the things we love, these "random" passwords are likely to be based on our interests, hobbies, pets, family and so on. In fact, passwords tend to be based on whatever we like to discuss on social media and even include in our profiles. Password crackers are very likely to look at this information and make some educated guesses, often correct ones, when trying to crack a consumer-level password without resorting to dictionary or brute-force attacks.
Other attacks to watch out for
If hackers lack anything, it's not creativity. By using a variety of techniques and adapting to ever-changing security measures, these intruders continue to succeed.
For example, anyone on social media has probably seen the fun quizzes and memes asking you to share your first car, your favorite food, or the number one song on your 14th birthday. While these games look harmless and are certainly fun to post, they are effectively a template of the security questions and account recovery answers that services use to verify you.
When creating an account, try using answers that don't really apply to you but that you'll remember easily. For "What was your first car?", instead of answering honestly, put your dream car. Better still, treat security answers like passwords: keep a made-up answer in your password manager and never post any of them online.
Another way in is simply to reset your password. The best defense against an intruder who resets your password is to use a recovery email address that you check frequently and to keep your contact information up to date. If available, always enable two-factor authentication (2FA). Even if a hacker discovers your password, they still can't get into the account without the one-time verification code.
Frequently Asked Questions
Why do I need a different password for each site?
You probably know that you shouldn't divulge your passwords and shouldn't download anything you don't recognize, but what about the accounts you log into every day? Suppose you use the same password for your bank account that you use for an unrelated account like Grammarly. If Grammarly is breached, the attacker also has your bank password (and possibly your email, making it even easier to reach all your financial accounts).
What can I do to protect my accounts?
Using 2FA on every account that offers it, using a unique password for each account, and choosing long passwords that mix letters, digits and symbols are your best line of defense against hackers. As stated earlier, there are many different ways for hackers to gain access to your accounts, so you should also make sure you regularly update your software and apps (for security patches) and avoid downloads you don't recognize.
What is the safest way to store passwords?
Keeping track of several particularly strange passwords can be incredibly difficult. While going through the password reset process is far better than having your accounts compromised, it does take time. To protect your passwords, you can use a password manager such as LastPass or KeePass to store all of your account passwords, and let it generate a random one for each site.
You can also use a personal algorithm to make passwords easier to remember. For example, for PayPal the password could be something like hwpp+c832: the first letter of each part of the URL (https://www.paypal.com) followed by the last digit of each household member's birth year (as an example). When you go to log in, the URL reminds you of the first letters of the password. Be aware that this is weaker than a manager-generated random password: anyone who learns one of these passwords, from a breach for instance, can work out the pattern and guess the rest.
Add symbols to make your password even harder to crack, but organize them so they're easier to remember. For example, the "+" symbol could be used for all entertainment-related accounts while "!" is used for financial accounts.