ethical hacking
9
Nov

Your Password Has Been Hacked! Do You Know How It Happened?

In June 2018 Reddit admitted they suffered a massive security breach which exposed some of their user’s account information and data, including email addresses and an old 2007 database backup containing hashed passwords and usernames.

The hack was accomplished by intercepting SMS messages which were meant for Reddit employees with one-time passcodes. The criminal eventually bypassed the 2-factor authentication and compromised Reddit employees’ accounts located at their source code and cloud hosting provider. [1]

Hacking into someone’s web-based email or social media account is easier to do than most people realize, despite the fact that many change their password every couple of weeks to avoid being hacked.

Here are some of the methods used by hackers and cybercriminals to hack passwords:

Break In By Cybercriminals

There are quite a number of techniques that criminals follow to crack passwords. Some of the most popular ones are below.

1. The Guessing Game

As the name suggests, this technique relies completely on guessing the password of a user. Passwords like ‘password’, ‘qwerty’, ‘admin’, ‘default’, your name, or even your birthday are commonly used to set default passwords. If the user has not changed the default password or if the user is careless while setting a new password, then they can be hacked easily.

2. Brute Force Attack

A brute force attack is one of the most common techniques used by hackers and cybercriminals against web applications. The main focus of such an attack is to gain access to user accounts using a trial-and-error technique to guess a user’s password or personal identification number (PIN). A brute force attack methodically tries one password after another until the attacker successfully logs in to the target account. For example, the attacker will use automated tools to try Password, then Password1, Password2, Password3, etc. and iterate through every possible option within a defined keyspace (a-z, A-Z, 0-1, etc.) By using bots to test random combinations of lower and upper case alphabets and numbers to generate the right password to your account in a couple of seconds, the attacker can gain access to your account!

There is a similar attack technique known as reverse brute force attack where instead of hacking a specific user, the hacker attempts to hack multiple accounts using a single commonly-used password.

3. Dictionary Attack

A dictionary attack uses a pre-defined wordlist in a systematic process against individual usernames or usernames of an entire organization to gain access to the system. The possibility of a hacker gaining access using this method is high as many users often use basic words that can be found in the dictionary as passwords. Wordlists are available for nearly every language (real and fictional) and are even separated into genres or themes.  For example, if your server is named Gandalf, then a Middle Earth dictionary file that contains words and languages from the Lord of the Rings books and movies might be effective. The best way to deter a dictionary attack is to use a multiple-word (random combination of lowercase, uppercase characters with numerals) password.

Software Used By Hackers and Criminals

Apart from using different attack techniques to crack and steal passwords from users and organizations, cybercriminals tend to use password hacking and decrypting software. Here are some popular ones:

1. John The Ripper (JTR)

This software is designed to crack open some of the most complicated passwords, as it can crack passwords ‘offline.’ JTR takes different text string samples, commonly referred to as ‘wordlists,’ that contain complex and popular words found in the dictionary or real passwords which were cracked before. This tool uses both the key and encryption algorithm and compares the output to the encrypted string. JTR can also be used to perform a variety of alterations towards dictionary attacks.

2. Aircrack-ng

This tool/software is used to crack wireless passwords; the tool is very effective when used by a trained user. Aircrack-ng is an 802.11 WPA-PSK and WEP keys cracking software which can recover passwords when sufficient data packets are captured in monitor mode. Professionals who are experienced in penetration testing and auditing wireless networks can get the best results from this software.

3. Cain and Abel

This extremely popular tool is often referred to as just ‘Cain.’ At its core, the Cain and Abel Password Hacking Tool is used to recover passwords for Microsoft Windows but can also be used as a password cracking tool by hackers and criminals worldwide.

4. THC Hydra

This tool is similar to JTR, except for the fact that THC Hydra works online. This hacking tool supports a variety of network protocols such as LDAP, SSH, VNC, Mail (IMAP, POP3, etc.), SMB, and databases. THC Hydra is an essential hacking tool to log into a stable network, using dictionary and brute-force attacks to crack open complicated tough passwords present in the login page.

Protect Your Accounts Before It’s Too Late

In today’s era, criminals are constantly hacking both small and large firms, getting their hands on crucial information and data. Data breaches of health insurance companies, IT companies, and retailers are no longer surprising. While it is the primary duty of organizations to protect their data, it is important that consumers also become proactive to avoid these types of security breaches. The following recommendations can help companies, consumers, and organizations stay safe and secure:

1. Uninstall Unnecessary Bloatware

Criminals are always trying to find vulnerabilities to break into a system. One of the most common ways of hacking is to exploit known loopholes, which are commonly present in software and other malicious applications. Uninstalling unknown applications, or “bloatware,” on your system means there will be fewer potential vulnerabilities.

2. Install All Security Updates and Patches

Remember that security patches are released to combat the latest viruses. Running out-of-date software could lead to your device being compromised.

3. Use the Account Lockout Feature

Account lockout is a security feature used across all operating systems and services that prevent hackers from entering a user account, especially when brute force attacks and dictionary attacks are implemented. This feature works by locking the user’s account after a set number of incorrect password attempts.

3. Use Strong Passwords

Make sure that you have an advanced password, making it harder for criminals to crack. Create passwords that include a mix of special characters and numbers to complicate it. Avoid using obvious details in your passwords such as your birth date, your name, family name, etc.

4. Use VPNs

Many users who pay for expensive data packages but still use free public Wi-Fi networks. Keep in mind that criminals can steal data using wireless hacking techniques and tools on these often-unsecured networks. Use Virtual Private Networks (VPNs) to ensure that the traffic is encrypted and not easily readable by anyone trying to hack your device.

EC-Council’s Certified Ethical Hacker (C|EH) program helps candidates upgrade their skills and experience by learning to overcome web server attacks, malware threats, social engineering, IoT hacking, and much more, while attaining a hands-on experience through the various latest tools and techniques accessible through the practical labs’ platform iLabs.


Sources

  1. https://www.quickanddirtytips.com/tech/computers/how-to-crack-a-password-like-a-hacker?page=1
  2. https://thehackernews.com/2018/08/hack-reddit-account.html
  3. https://www.zdnet.com/article/security-researcher-fined-for-hacking-hotel-wifi-and-putting-passwords-on-the-internet/
  4. https://www.divergeit.com/4-ways-hackers-can-steal-password/
write-for-ec-council
Write for Us