How Hackers Crack Passwords

By Kevin Beaver

Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their sense of exploration and desire to figure out a problem. A hacker can use low-tech methods to crack passwords. These methods include using social engineering techniques, shoulder surfing, and simply guessing passwords from information that he knows about the user.

Social engineering

The most popular low-tech method for gathering passwords is social engineering. Social engineering takes advantage of the trusting nature of human beings to gain information that later can be used maliciously. A common social engineering technique is simply to con people into divulging their passwords. It sounds ridiculous, but it happens all the time.


To obtain a password through social engineering, you just ask for it. For example, you can simply call a user and tell him that he has some important-looking e-mails stuck in the mail queue, and you need his password to log in and free them up. This is often how hackers and rogue insiders try to get the information!

A common weakness that can facilitate such social engineering is when staff members’ names, phone numbers, and e-mail addresses are posted on your company websites. Social media sites such as LinkedIn, Facebook, and Twitter can also be used against a company because these sites can reveal employees’ names and contact information.


User awareness and consistent security training are great defenses against social engineering. Security tools are a good fail-safe if they monitor for such e-mails and web browsing at the host level, at the network perimeter, or in the cloud.

Train users to spot attacks and respond effectively. Their best response is not to give out any information and to alert the appropriate information security manager in the organization to see whether the inquiry is legitimate and whether a response is necessary. Oh, and take that staff directory off your website or at least remove IT staff members’ information.

Shoulder surfing

Shoulder surfing (the act of looking over someone’s shoulder to see what the person is typing) is an effective, low-tech password hack.


To mount this attack, the bad guys must be near their victims and not look obvious. They simply collect the password by watching either the user’s keyboard or screen when the person logs in.

An attacker with a good eye might even watch whether the user is glancing around his desk for either a reminder of the password or the password itself. Security cameras or a webcam can even be used for such attacks. Coffee shops and airplanes provide the ideal scenarios for shoulder surfing.

You can try shoulder surfing yourself. Simply walk around the office and perform random spot checks. Go to users’ desks and ask them to log in to their computers, the network, or even their e-mail applications. Just don’t tell them what you’re doing beforehand, or they might attempt to hide what they’re typing or where they’re looking for their password. Just be careful doing this and respect other people’s privacy.


Encourage users to be aware of their surroundings and not to enter their passwords when they suspect that someone is looking over their shoulders. Instruct users that if they suspect someone is looking over their shoulders while they’re logging in, they should politely ask the person to look away or, when necessary, hurl an appropriate epithet to show the offender that the user is serious.

It’s often easiest to just lean into the shoulder surfer’s line of sight to keep them from seeing any typing and/or the computer screen. 3M Privacy Filters work great as well.


Inference

Inference is simply guessing passwords from information you know about users — such as their date of birth, favorite television show, or phone numbers. It sounds silly, but criminals often determine their victims’ passwords simply by guessing them!

The best defense against an inference attack is to educate users about creating secure passwords that don’t include information that can be associated with them. Outside of certain password complexity filters, it’s often not easy to enforce this practice with technical controls. So, you need a sound security policy and ongoing security awareness and training to remind users of the importance of secure password creation.
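As an added example (not part of the original article), here is one way a password filter could go beyond plain complexity rules and reject candidates that contain information associated with the user. The profile fields, the substitution table, and the function names are assumptions made for illustration.

```python
import re
from datetime import date

MIN_WORD = 3  # assumed minimum token length, to limit false positives
# Assumed table of common look-alike substitutions, undone before matching.
LEET = str.maketrans("0134578@$!", "oleastbasi")

def personal_tokens(profile):
    """Derive the words and digit strings that can be inferred from a profile."""
    words, digits = set(), set()
    for value in profile.get("words", []):
        words |= {w.lower() for w in re.split(r"[^A-Za-z]+", value)
                  if len(w) >= MIN_WORD}
    dob = profile.get("dob")
    if dob:
        y, m, d = f"{dob.year:04d}", f"{dob.month:02d}", f"{dob.day:02d}"
        digits |= {y, m + d, d + m, m + d + y[2:], d + m + y[2:], y + m + d}
    phone = re.sub(r"\D", "", profile.get("phone", ""))
    if len(phone) >= 4:
        digits |= {phone, phone[-4:]}
    return words, digits

def personal_info_in(password, profile):
    """Return the profile-derived tokens found in a candidate password."""
    words, digits = personal_tokens(profile)
    # Letters are compared after undoing substitutions; digits are compared raw.
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    numbers = re.sub(r"\D", "", password)
    return ([w for w in sorted(words) if w in letters]
            + [n for n in sorted(digits) if n in numbers])

# Constructed sample profile; in practice this comes from the directory record.
PROFILE = {
    "words": ["Jordan Avery", "javery", "Stranger Things"],
    "dob": date(1985, 3, 14),
    "phone": "555-0142",
}

if __name__ == "__main__":
    for candidate in ["J0rd@n2024!", "Str4ng3rTh1ngs", "correct-horse-0314",
                      "maple-Quartz-tram-68"]:
        hits = personal_info_in(candidate, PROFILE)
        print(f"{candidate!r}: {'REJECT ' + ', '.join(hits) if hits else 'ok'}")
```

A filter like this only knows what is in the profile it is given, so it complements the policy and awareness training described above rather than replacing them.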

Weak authentication

External attackers and malicious insiders can obtain — or simply avoid having to use — passwords by taking advantage of older or unsecured operating systems that don’t require passwords to log in. The same goes for a phone or tablet that isn’t configured to use passwords.

Bypassing authentication

On older operating systems that prompt for a password, you can press Esc on the keyboard to get right in. Okay, it’s hard to find any Windows 9x systems these days, but the same goes for any operating system — old or new — that’s configured to bypass the login screen.

After you’re in, you can find other passwords stored in such places as dialup and VPN connections and screen savers. Such passwords can be cracked very easily using Elcomsoft’s Proactive System Password Recovery tool and Cain & Abel. These weak systems can serve as trusted machines — meaning that people assume they’re secure — and provide good launching pads for network-based password attacks as well.


The only true defense against weak authentication is to ensure your operating systems require a password upon boot. To eliminate this vulnerability, at least upgrade to Windows 7 or 8 or use the most recent versions of Linux or one of the various flavors of UNIX, including Mac OS X.
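To verify that a system really does require a password, a defender can audit for the two conditions described in this section: accounts with no password and a login screen configured to be skipped. The following is an added example, not from the original article. It assumes a Linux host using the shadow file format and the GDM or LightDM display managers, and it runs on constructed sample data.

```python
import configparser

def empty_password_accounts(shadow_text):
    """Account names whose shadow(5) password field is empty."""
    flagged = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and fields[1] == "":
            flagged.append(fields[0])
    return flagged

def autologin_user(conf_text):
    """User that a GDM or LightDM config logs in without a prompt, else None."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    # GDM: [daemon] AutomaticLoginEnable=true plus AutomaticLogin=<user>
    if cp.getboolean("daemon", "AutomaticLoginEnable", fallback=False):
        return cp.get("daemon", "AutomaticLogin", fallback="") or None
    # LightDM: autologin-user=<user> under a [Seat:*] section
    for section in cp.sections():
        user = cp.get(section, "autologin-user", fallback="")
        if section.lower().startswith("seat") and user:
            return user
    return None

def audit(shadow_text, dm_configs):
    """Collect every finding that lets someone in without typing a password."""
    findings = [f"account '{name}' has an empty password field"
                for name in empty_password_accounts(shadow_text)]
    for path, text in dm_configs.items():
        user = autologin_user(text)
        if user:
            findings.append(f"{path}: automatic login as '{user}'")
    return findings

# Constructed sample data (not from a real host).
SHADOW = """root:$6$examplesalt$examplehash:19000:0:99999:7:::
kiosk::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""
DM_CONFIGS = {
    "/etc/gdm3/custom.conf": "[daemon]\nAutomaticLoginEnable=true\nAutomaticLogin=frontdesk\n",
    "/etc/lightdm/lightdm.conf": "[Seat:*]\nautologin-user=lobby\n",
}

if __name__ == "__main__":
    for finding in audit(SHADOW, DM_CONFIGS):
        print("FINDING:", finding)
```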