How Passwords Get Hacked

  • August 26, 2021

Can you think of an online service that doesn’t require a password?

Everything on the internet requires a password. However, constantly creating and remembering new and ever more complex passwords is no small task.

In fact, 66% of people polled admitted to using the same password more than once because of how hard it is to remember passwords that are considered strong. Taking steps to make passwords easier to remember can also make them easier for hackers to guess.

How Passwords Get Hacked

Attackers will usually use tools to hack passwords, such as a dictionary attack tool. This code will use the most common words to attempt login access until they are successful. Often times, after a successful breach, hackers will publish and / or sell these logins to other bad actors online. Because of this, it’s only getting easier for hackers to find and use these common passwords and make even stronger tools by loading the dictionary attack tool with the lists of passwords.

The tool will attempt every password until it finds a match. Once the attacker is in, they can create a backdoor for future entry. With a backdoor in place, the hacker can begin installing additional malware and other malicious code that damages your online presence or steals sensitive information.

How successful an attack is will usually depend on whether it is an offline attack or an online attack. An offline attack will allow the attacker to leverage the full power of their devices, which may vary depending on their setup.

For example, offline password cracking could make up to 2 million attempts per second with power of multiple GPUs. If they have a botnet of infected machines, they are able to utilize the resources of those machines. A very simple password can be hacked this way in a matter of minutes.

An online attack however, is not as quick and easy. There are limitations set by the target hosting server and/or the web application being used (for example WordPress) that can limit the amount of consecutive attempts they can make. A common example of such a limitation is limiting the amount of password attempts one can make within a set timeframe. This helps slow down attackers, but it doesn’t necessarily stop them.

Next, they will try techniques like credential stuffing where the hacker finds a more tailored password list created from passwords stolen from previous compromises. This is exactly why using difficult and complex passwords is such an important concept for website and IT security in general.

Best Practices

The strongest passwords will not have combinations of letters, numbers and symbols that are easily guessed. Most easy to remember passwords that include names, pets, and birthdays aren’t very strong at all. If you can read the password as a word or phrase, a hacker using automated tools will be able to guess it. A strong password is much more complex.

Increasing password length is a great way to start when creating a strong password. Dictionary attacks are less effective against passwords with more characters. They are also less effective against passwords that contain a mixture of lowercase and uppercase letters, numbers and symbols.

However, complex means more than replacing letters with symbols, such as @ in place of A or 3 in place of E. Adding random numbers isn’t great either. Because many people use these tactics, hackers are aware of them and incorporate them in their attacks.

In order to create a complex and secure password, it needs to be unique. If you’ve ever used the password before, or if anyone else may have used it before, it is likely to be in a list and vulnerable to a dictionary attack or credential stuffing. The strongest passwords look like a random combination of characters, numbers, and symbols. Imagine a cat running across a keyboard as you go to type in your password. A secure password should look like that.

Good password security also necessitates that passwords not be reused or used on more than one account. This increases the chances of a hacker being able to gain further access with the same credentials if one account becomes compromised.

With all of this in mind, one of the biggest issues when creating passwords is keeping track of them. Many of us have dozens and dozens of online accounts and having different strong, complex and unique passwords for all of them can be difficult to keep track of. Luckily, there are services out there that handle that exact issue for you called password managers.

Using Password Managers

A password manager is a service that generates unique, complex passwords and saves them in a secure vault. They can be used through a browser extension or through a mobile app which makes creating, keeping and using your passwords securely even easier.

Most browsers and mobile operating systems offer built-in password managers. However, those built-in password managers often lack many of the best features that third-party services such as LastPass, KeePass, or Dashlane can provide.

Many password managers aren’t free, however. While LastPass, KeePass, and Dashlane do offer free versions, they may not work well for all users. Fortunately, the paid versions typically only cost a few dollars a month. It is definitely worth it when considering alternatives for keeping track of a myriad of unique and complex passwords.

Conclusion

Hackers have been trying to compromise passwords and secure systems since the very beginning. The only thing more consistent about passwords is the struggle to create strong and unique ones, all while remembering them.

Practicing good password habits doesn’t have to be a taxing chore. Password managers take the burden off of creating and storing unique and complex passwords. It is the easiest way to protect your passwords and online accounts from hackers. However, like any security practice or system, it isn’t foolproof. Passwords can still be stolen and used by hackers using alternative methods like keyloggers or MiTM attacks. This is why today it is recommended to use additional authentication measures like multi-factor authentication.

Cybersecurity doesn’t stop with good passwords. Hackers have a full arsenal of malicious weapons to gain access to websites. You may want to consider our Website Security Platform  for a more robust cybersecurity solution. You can also watch out for additional types of password attacks by reading our blog post Password Attacks 101

Joe is an Agency and Enterprise Consultant with Sucuri. He has spent 7 years working directly with website security, PKI and other related fields. When not working, he enjoys spending his time traveling, hanging out with family and friends and playing video games

Related Categories
You May Also Like