Consider the following: you are creating a new account. It could be a financial account, an e-mail account, or even a social media account. Then, after you punch your password in, a notification comes up that the password is too weak. At this point, you cannot proceed with creating the account until you change the password to one with the required numbers and characters. This is obviously annoying, especially when all the passwords you can remember easily don’t fit the password requirements. We have also heard financial institutions warning us that we should never share our passwords or use a vendor default password like Bitcoin1. At our jobs, chances are we are hearing about this password “rule” more and more often.
The increasing number of high-profile security breach scandals has more businesses taking steps to ensure their networks are protected from breaches and that the sensitive information stored in those networks is safe and secure.
Most of us do our best to adhere to the password security guidelines of the companies we work for. However, many of us cannot tell why these password protocols are even effective. It makes sense when you work in billing and are told not to leave your password lying around your desk, since a coworker may use your login. However, it is not so easy to understand why using a longer and more complicated password with all kinds of characters (capital letters, numbers, symbols, etc.) would make a difference. You may say that no one can guess your password anyway, so the requirement makes little sense and seems like a waste of time.
Well, we can all agree that hackers are trying to get their hands on the most sensitive information of any high-profile institution for their own reasons, such as taking money out of our pockets. Understanding how they do this lets us understand why using complicated passwords and more advanced techniques such as multi-factor authentication are so important. So, how do hackers go about stealing passwords to penetrate networks and gain access to sensitive information such as credit information or a client database? Let us explain.
Currently, there are three common methods that hackers use to break into password protected systems:
Manual Brute Force
One of the less complicated ways of cracking someone’s password is to manually log in with a series of test passwords. This method, however, requires a hacker who knows some personal details about you, such as your name, your year of birth, your favorite pet, your parents’ names and so on. Most people build their passwords from such information; for example, Patricia87, where Patricia is the name and 87 stands for the birth year 1987. Therefore, the hacker can guess multiple times and, if lucky, get your password. This method seems tedious, with low chances of success for the hacker. However, some hackers have learned to speed up the process: they can try to log in with a list of passwords using an automated login program. Even so, most systems only allow them to try one password every few seconds.
This method has an extremely low chance of success, especially when the target system is configured to suspend an account after a certain number of failed login attempts. Generally, the success of this method depends on the “strength” of the password. If the account holder uses an obvious password, such as a blank password, their own name or the name of their town, then the hacker using this method has a somewhat higher chance of succeeding.
Password Capturing
Attackers can also steal a password by capturing it. This method involves installing a keyboard-sniffing Trojan horse or a physical keystroke-logging hardware device. There are many types of hardware for sale online to facilitate this. For example, if you are willing to shell out about $100, you can get a keystroke logger capable of logging up to 2 million keystrokes. These physical keyboard logging devices are small, about an inch long, and can be slipped between the keyboard cord and the keyboard port of the computer. With this tool installed on the target’s computer, the attacker can sniff the password from any location in the world. Keyboard loggers have been around for quite a long time now, but they have continually evolved. Beyond just recording keystrokes, some keyboard loggers can even take screenshots from the victim’s computer and record which pages they visit. This makes it easy for the hacker to retrieve the password and know the right account to apply it to.
Using “Hash” Values
Typically, passwords are not stored on a system in readable clear text. Rather, the system stores a “hash” of every password it creates. Whenever a password is typed into a system, it is passed through an algorithm that produces a corresponding hash value. These hashes are usually referred to as “one-way hashes” since they cannot be turned back into the original values by any reverse algorithm.
When a user inputs a readable, clear text password, the password is run through the same hashing function and is authenticated against the stored one-way hash for the same user.
The hashing system is a target for hackers. Attackers understand that if they break into this system, they can easily download the user names and password hash values. To gain such access, the attacker must compromise the system, either with malware or by learning the administrator’s password on the target system. With the user names and password hash values, the attackers can recover clear text passwords using password cracking programs. Generally, these programs rely on one of the following techniques:
Hacker’s Dictionary
A “hackers’ dictionary” is a collection of passwords matched with their corresponding hashes. These passwords are common ones, typically a single dictionary word. The basic concept is that when a hash in the hackers’ dictionary matches the hash value the hacker is trying to crack, the hacker has found the clear text password for that hash.
Searching the hackers’ dictionary manually, starting from record one, would require a lot of time and energy. Therefore, the password cracking software that hackers use employs a “binary search” technique that repeatedly halves the sorted hackers’ dictionary file until a matching password hash is found. This speeds up the process considerably.
Rainbow Tables
In most cases, the hackers’ dictionary approach works best for finding a commonly used password, simple variations of it, and single dictionary word passwords. However, when it comes to cracking any password of a certain length, such as an eight-character password, the hackers’ dictionary becomes inefficient: a dictionary holding all possible eight-character passwords would require a huge amount of storage space. A specialized file called a “rainbow table” solves this problem.
“Rainbow tables” work the same way as the hackers’ dictionary, only they offer more options. Each rainbow table record might look like a hackers’ dictionary record, though they are significantly different. In the hackers’ dictionary, each record stores a password hash together with its associated clear text password. In a rainbow table, on the other hand, each record represents a “chain” of hundreds of thousands of passwords that is referenced by the final hash value in the chain during the search. Therefore, the table is very small compared to the equivalent hackers’ dictionary file. Building a rainbow table that covers all password values is a very complex exercise. Currently, some of the most comprehensive rainbow tables can handle passwords of up to 10 characters. Each additional character of password length geometrically increases the complexity, storage and processing power needed to build and use rainbow tables.
Resist Password Hacking
Create Long and Unique Passwords
As we have learned, the hackers’ dictionaries and rainbow tables that hackers use to retrieve passwords from hash values have limited capacity. These systems do not hold the hash for every possible password. Therefore, creating a unique and longer password, perhaps of 12 characters, will definitely give hackers a lot of trouble and give you the advantage.
Configure Systems to Use “Salt” in the Hashing Process
Applying a salt value in the password hashing process produces a totally different hash value. Therefore, a hackers’ dictionary or rainbow table built with no salt, or with a different salt value, will not let attackers get the password from the hash values.
Use Two-Factor Authentication
Two-factor authentication (also called multi-factor authentication, advanced authentication, or 2FA) requires users to present more than a password to access the system. They may also be required to use other security factors, such as a unique one-time access code generated by a token device, or a password together with a PIN to obtain access to the system. A network protected by multi-factor authentication is very hard to penetrate.
Conclusion
Now we know that a long and complicated password can protect us from hackers who are out to steal our passwords. However, knowledge without action is worthless. Therefore, protect your system by taking action along the lines of the steps given above.