We live in an era of botnets and data breaches, which has made it more important than ever to use strong passwords. Yet, how many of us have one or two general passwords that we use for all our accounts? Or the same four-digit PIN for our phone and ATM cards?
There are plenty of ways to crack a password, so try not to make it easier for attackers. One way is to use a password manager, which generates a unique strong password for every account and remembers them for you; the manager itself then needs one strong master password that you do remember.
Here are some of the ways hackers break through weak passwords:
1. Dictionary attacks
Avoid consecutive keyboard combinations, like ‘qwerty’ or ‘asdfg’, and don’t use dictionary words, slang terms, common misspellings or words spelled backwards. A dictionary attack feeds a list of likely words into the password check automatically, and a cracker such as John the Ripper also applies mangling rules to each word (changing case, reversing it, appending digits or a year), so a reversed or slightly altered dictionary word costs it almost nothing extra.
2. Brute force attack
Similar to the dictionary attack, but with an added bonus for the hacker: instead of trying only words, a brute force attack works through every possible string over a chosen character set, so it also finds passwords that are not words at all. The search covers all one-character strings, then all two-character strings, and so on.
It’s not quick, provided your password is more than a handful of characters long, and every extra character multiplies the work by the size of the character set; a long password drawn from a wide character set pushes ‘eventually’ beyond any realistic budget. Brute force attacks can be shortened by throwing more computing horsepower at them, for instance graphics cards or large numbers of machines working in parallel, much as Bitcoin miners do.
3. Spidering
Savvy hackers have realised that many corporate passwords are made up of words connected to the business itself. Studying corporate literature, website sales material and even the websites of competitors and listed customers provides the ammunition to build a custom word list for the attack. Really savvy hackers have automated the process and let a spidering application (similar to those employed by search engines to identify keywords) collect and collate the lists for them.
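As an added example (not code from the original article), the following Python script puts the three techniques above together: it builds a custom word list from a constructed piece of ‘corporate literature’ the way a spidering tool would, runs a dictionary attack with a small mangling rule set (capitalisation, reversal, appended digits) against unsalted SHA-1 hashes, and runs a brute force search with a keyspace-size estimate. The company text, the victim passwords, the stop-word list, the rule set and the hashing rate are all assumptions, and unsalted SHA-1 stands in for whatever hash a real target stores.

```python
import hashlib
import itertools
import re
import string
from collections import Counter

# Constructed sample of the "corporate literature" a spidering tool would collect.
CORPORATE_TEXT = """
Acme Widgets Ltd supplies the Falcon and Osprey widget lines to customers
across Europe. Falcon widgets are assembled at our Bristol plant; Osprey
widgets at our Leeds plant. Acme is proud to count Globex and Initech
among our customers.
"""

# Function words that would only bloat the list (assumed; a real tool uses a longer list).
STOPWORDS = {"the", "and", "are", "our", "to", "at", "is", "of", "among",
             "across", "count", "proud", "lines"}


def build_wordlist(text, min_len=4):
    """Spidering step: pull words out of scraped text, most frequent first."""
    words = re.findall(r"[A-Za-z]+", text)
    counts = Counter(w.lower() for w in words
                     if len(w) >= min_len and w.lower() not in STOPWORDS)
    return [w for w, _ in counts.most_common()]


def mangle(word):
    """A small rule set of the kind a cracker applies to each dictionary word:
    the word itself, capitalised, reversed, and with common suffixes appended."""
    yield word
    yield word.capitalize()
    yield word[::-1]
    for suffix in ("1", "123", "!", "2019", "2020"):
        yield word + suffix
        yield word.capitalize() + suffix


def sha1_hex(text):
    # Unsalted SHA-1 stands in for whatever hash the target stores (assumption).
    return hashlib.sha1(text.encode()).hexdigest()


def dictionary_attack(target_hashes, wordlist):
    """Hash every mangled candidate and look it up in the set of target hashes.
    Returns {hash: recovered_password}."""
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            h = sha1_hex(cand)
            if h in target_hashes and h not in found:
                found[h] = cand
    return found


def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Exhaustive search, shortest strings first.
    Returns (password, hashes_computed) or (None, hashes_computed)."""
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            cand = "".join(chars)
            tried += 1
            if sha1_hex(cand) == target_hash:
                return cand, tried
    return None, tried


def keyspace_seconds(length, alphabet_size, hashes_per_second):
    """Worst-case seconds to exhaust all strings of a given length at a given rate."""
    return alphabet_size ** length / hashes_per_second


if __name__ == "__main__":
    wordlist = build_wordlist(CORPORATE_TEXT)
    # Constructed victims: three passwords built from company vocabulary, one random.
    victims = {sha1_hex(p): p for p in ("Falcon123", "osprey!", "noclaf", "Tr0ub4dor&3")}
    for h, pw in dictionary_attack(set(victims), wordlist).items():
        print(f"dictionary: {h[:12]}... -> {pw}")
    pw, n = brute_force(sha1_hex("ab1"))
    print(f"brute force: {pw} after {n} hashes")
    days = keyspace_seconds(8, 62, 1e9) / 86400
    print(f"8 chars, 62-symbol alphabet at an assumed 1e9 hashes/s: {days:.1f} days worst case")
```

The three company-derived passwords fall to the dictionary pass within a few hundred hashes because the rules reproduce exactly the ‘reversed’ and ‘digits appended’ tricks the article warns against; the random one survives and would need the brute force path, whose cost grows by the alphabet size with every added character.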
4. Cracking security questions
Many people use first names as passwords, usually the names of spouses, children, other relatives or pets, all of which can be deduced with a little research. When you click a ‘forgot password’ link, you’re often asked to answer a question or series of questions. These answers can often be found on your social media profile, which is how US politician Sarah Palin’s Yahoo account was hacked.
5. Phishing
Why bother going to the trouble of cracking a password when the user will happily give it to you? A phishing email leads an unsuspecting reader to a faked log-in page for whatever service the hacker wants to access, asking the user to fix some supposed problem with their account by entering their user name and password.
6. Simple passwords
Don’t use personal information, like your age, birth date or favourite colour, as a password, and don’t keep it simple. When 32 million passwords were exposed in the RockYou breach and analysed in 2010, almost 1 per cent of victims had ‘123456’ as a password. The next most popular ones were ‘12345’, ‘111111’, ‘princess’ and ‘abc123’.
7. Offline cracking
It’s easy to imagine that passwords are safe when the systems they protect lock out users after three or four wrong guesses. However, that lockout only throttles guesses made against the live log-in page. Most password hacking takes place offline, against a set of hashes in a password file that has been ‘obtained’ from a compromised system; there, nothing limits the attacker’s guessing rate except their hardware and the cost of the hash function the site chose. Often the target in question has been compromised via a hack on a third party, which then provides access to the system servers and those all-important user password hash files.
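As an added example, not from the article, the script below shows why the lockout counter stops mattering once the hash file is in the attacker’s hands, and, going a step beyond the text, why the site’s choice of hash function sets the attacker’s cost. It parses a constructed leaked file in ‘user:hash’ form, cracks the unsalted SHA-1 entries with one hash per candidate for all users at once, and then repeats the attack against the same accounts stored with a per-user salt and PBKDF2, where every (candidate, account) pair needs its own run of the slow function. The accounts, passwords, word list and file formats are constructed; the hashes are generated from them.

```python
import hashlib
import secrets

# Constructed word list and accounts; every hash below is generated from these,
# so nothing here is a real leak.
WORDLIST = ["letmein", "123456", "qwerty", "password", "dragon", "monkey"]
ACCOUNTS = [("alice", "123456"), ("bob", "password"),
            ("carol", "letmein"), ("dave", "Tr0ub4dor&3")]


def make_unsalted_dump(accounts):
    """'user:sha1hex' lines: the shape of a leaked password file from a site
    that stored unsalted SHA-1 (constructed format)."""
    return "".join(f"{u}:{hashlib.sha1(p.encode()).hexdigest()}\n" for u, p in accounts)


def crack_unsalted(dump_text, wordlist):
    """Offline attack on unsalted hashes. Each candidate is hashed once and
    looked up against every account at the same time, so the cost does not
    grow with the number of victims. Returns ({user: password}, hashes_computed)."""
    users_by_hash = {}
    for line in dump_text.splitlines():
        user, h = line.split(":", 1)
        users_by_hash.setdefault(h, []).append(user)
    recovered, hash_ops = {}, 0
    for cand in wordlist:
        hash_ops += 1
        for user in users_by_hash.get(hashlib.sha1(cand.encode()).hexdigest(), []):
            recovered[user] = cand
    return recovered, hash_ops


def make_salted_dump(accounts, iterations):
    """'user:iterations:salthex:hashhex' lines with a random per-user salt and
    PBKDF2-HMAC-SHA256 (assumed format of a better-stored file)."""
    lines = []
    for u, p in accounts:
        salt = secrets.token_bytes(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        lines.append(f"{u}:{iterations}:{salt.hex()}:{dk.hex()}")
    return "\n".join(lines) + "\n"


def crack_salted(dump_text, wordlist):
    """Same attack against salted, iterated hashes. The salt forces one KDF run
    per (candidate, account) pair, and each run costs `iterations` hash calls.
    Returns ({user: password}, kdf_runs)."""
    recovered, kdf_runs = {}, 0
    for line in dump_text.splitlines():
        user, iters, salt_hex, h = line.split(":")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
        for cand in wordlist:
            kdf_runs += 1
            if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iters).hex() == h:
                recovered[user] = cand
                break
    return recovered, kdf_runs


if __name__ == "__main__":
    got, ops = crack_unsalted(make_unsalted_dump(ACCOUNTS), WORDLIST)
    print(f"unsalted SHA-1: recovered {got} with {ops} hash computations")
    got, ops = crack_salted(make_salted_dump(ACCOUNTS, 100_000), WORDLIST)
    print(f"salted PBKDF2:  recovered {got} with {ops} KDF runs of 100000 iterations each")
```

Both runs recover the same three weak passwords, so salting and a slow hash do not rescue ‘123456’; what they change is the bill. Six SHA-1 calls test the whole unsalted file, whereas the salted file needs thirteen PBKDF2 runs at 100,000 iterations each, and that multiplier applies to every guess the attacker makes offline.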
8. Social engineering
An alternative to traditional hacking, this is the act of manipulating others into divulging confidential information. A favourite of the social engineer is to call an office posing as an IT security tech guy and simply ask for access passwords. You’d be amazed at how often this works.