Hackers are always on the lookout for innovative ways to steal passwords in order to bypass security controls and gain a foot in the door. Once in, attackers can inflict greater damage — steal your identity, money or sensitive information, unlock access to other accounts, install malware, conduct fraud, espionage or sabotage, or sell your credentials to unscrupulous buyers in the dark web. Verizon’s 2021 investigations report claims that 61% of security breaches can be traced back to stolen credentials.

Hackers can generally hack usernames and passwords using any of these four techniques:

1) Password Theft

Phishing and social engineering are one of the most common ways attackers steal credentials. Posing as a trusted source (friends, family, familiar people), an attacker sends an email, text or a link on social media. The message usually appears authentic and includes a malicious attachment or a link to a bogus URL, which, if clicked, downloads malware or takes you to a page where you enter credentials. If malware is installed, it combs through the victim’s machine, such as its device memory, internet browsers and password caches, or disk storage, trying to extract passwords from programs, applications or processes. Tools like password sniffing utilities may be used to monitor keystrokes and eavesdrop on communications. Since the average person online needs a password for 200 or more accounts, each online service is also a potential target for credential theft from an attacker. 

2) Password Guessing

Despite a daily wave of headline-grabbing ransomware scams, passwords continue to be extremely predictable. “123456” is still among the most commonly used passwords, and many people still use their own name or pop-culture icons like musicians, sports teams, movies or TV shows as part of their password key. What’s more, 65% of users reuse passwords. Attackers simply purchase password dumps from the dark web and validate those credentials on different websites. Studies show that eight-digit passwords can be cracked in eight hours and anything less in a matter of minutes. Credential stuffing attacks, a form of password guessing, are increasingly employed by hackers. In 2020, there were more than 193 billion credential stuffing attacks. 

3) Password Hash Cracking 

Password hash theft is another popular method attackers use to crack victim passwords. In most modern-day operating systems, any password typed in by a user is transformed into a representative hash (or cipher) of the password using a cryptographic hash algorithm. Such hashes are stored in password authentication databases which the operating system uses to authenticate users accessing services or applications. If an attacker is somehow able to retrieve this hash, they can figure out how to crack the cryptographic algorithm. This process is called password hash cracking. Sophisticated hash cracking tools are known to guess up to trillions of passwords per second. 

4) Unauthorized Password Resetting 

Most authentication mechanisms today allow users to reset their passwords themselves. This is because most users tend to forget their credentials, and this results in a large volume of support calls or queries. Attackers often leverage this reset functionality and bypass the authentication mechanism completely. How attackers achieve this varies by authentication system and the reset mechanism (a.k.a. SSPR). But in a nutshell, attackers look for vulnerabilities in the SSPR solution and exploit them to initiate a password reset. Once the account is reset, hackers assume control and use the account in an unauthorized account takeover. 

Tips To Bolster Password Attack Defenses

There are a number of things users and security teams can do to mitigate the risks of password theft:

  1. Always use multi-factor authentication (MFA) as much as possible. Although not entirely foolproof, MFA is a security technology that makes it compulsory for users to verify their identity using two or more credentials.
  2. Make sure users undergo regular security training exercises to follow password hygiene best practices, including identifying and reporting suspicious emails and messages (even MFA is not immune to phishing).
  3. Try and use different, non-guessable passwords for each site or service. It’s best to use a commercial password manager.
  4. Encourage the use of long and complex passwords. A 12-character, perfectly random, computer-generated password can defeat all known cracking attempts and using a 20-character password is even better.
  5. Admin credentials, APIs and sensitive resources must be protected by account lock-out mechanisms, a security mechanism that locks out account resources when repeated attempts are made to access it. 

For an ultimate password defense, remember to use a defense-in-depth or a layered approach. This means having a combination of security policies documenting do’s and don’ts, best practices and incident response procedures; coaching users about password hygiene and technical controls that include timely patching of software, disabling weak hash algorithms and cryptography, monitoring systems for failed login attempts, performing account hygiene and removing inactive users, and checking password exposure websites like haveibeenpwned.com to determine if credentials have been leaked.

With everything moving online, hackers are bound to become better at what they do. If your organization is serious about protecting your identity, data, reputation, money and more, it’s time to revamp your approach to password security.