How your password can be compromised

Password theft - whether for email, online banking, Wi-Fi, or Vkontakte and Odnoklassniki accounts - has become a frequent occurrence in recent years. This is largely because users do not follow fairly simple security rules when creating, storing and using passwords. But that is not the only way passwords end up in the wrong hands.

This article describes the methods used to crack user passwords and why you are vulnerable to these attacks. At the end you will find a list of online services that let you check whether your password has already been compromised. There is also a second article on this topic, but I recommend reading this one first and then moving on to the next.

Update: the next article, On Password Security, which describes how to keep your accounts and passwords as safe as possible, is ready.

What methods are used to crack passwords

The range of techniques used to crack passwords is not that wide. Almost all of them are well known, and almost every compromise of confidential information is achieved with one of these methods or a combination of them.

Phishing

The most common way that passwords for popular email services and social networks are "stolen" today is phishing, and it works on a very large percentage of users.

The essence of the method is that you arrive at what you think is a familiar site (Gmail, VK or Odnoklassniki, for example), and for one reason or another you are asked to enter your username and password (to log in, to confirm something, to change something, and so on). The moment you do, the password is in the hands of the attackers.

How it happens: you may receive an email, apparently from customer support, saying that you need to log in to your account and providing a link that opens a site which is an exact copy of the original. It is also possible that, after you accidentally install unwanted software, the system settings on your computer are changed (the hosts file or the DNS settings, for example) so that when you type the real site's address into the browser's address bar, you land on a phishing site designed to look exactly like it.

As I have already mentioned, many users fall for this, and it is usually due to a lack of attention:

  • When you receive an email asking you to log in to your account on some site, check whether it was really sent from an address on that site's domain: look-alike addresses are commonly used, with a domain that differs from the real one by a letter or two, or the real site's name placed in front of a different domain. However, even a correct sender address is no guarantee that everything is fine, since sender addresses can be forged.
  • Before entering your password anywhere, look carefully at your browser's address bar. First, it must show exactly the site you meant to visit. In the case of malware on your computer, however, this is not enough. Also check that the connection is encrypted, which you can tell from the https prefix instead of http and the "padlock" icon in the address bar. Clicking the padlock shows which domain the certificate was issued to, so you can confirm that the encrypted connection really goes to the site named in the address bar. Keep in mind that the padlock by itself is not proof of legitimacy: phishing sites can obtain certificates for their own domains too, so it is the domain name that matters. Almost all serious resources that require logging into an account use encryption.
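The two checks above (is the sender or link really on the site's own domain, and is the connection encrypted) are easy to get wrong when done by eye, because the tricks are deliberately subtle. The following added example, which is not code from the article, shows how a careful comparison handles them. It assumes that example.com stands for the real site and evil.example for the phisher's domain; every link and address in it is constructed for illustration.

```python
"""Check whether a login link or a sender address really belongs to the site
it claims to be from.

Added example, not code from the article. The trusted domain and every URL
and e-mail address below are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit


def host_of_url(url: str) -> Optional[str]:
    """Return the host the browser would actually connect to, or None.

    urlsplit().hostname drops the scheme, the port and any "user:pass@"
    prefix (so https://example.com@evil.example/ resolves to evil.example)
    and lower-cases the result. Non-http(s) schemes are rejected outright.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return parts.hostname


def domain_of_email(address: str) -> Optional[str]:
    """Return the domain part of an e-mail address, lower-cased, or None."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        return None
    return domain.lower()


def belongs_to(host: Optional[str], trusted_domain: str) -> bool:
    """True only if host is trusted_domain itself or one of its subdomains.

    A naive 'trusted_domain in host' test would accept
    example.com.evil.example and example-com.evil.example; a suffix test
    anchored on the dot does not. A host spelled with look-alike non-Latin
    letters (a Cyrillic 'a' in place of the Latin one) is simply a
    different string and fails the comparison as well.
    """
    if not host:
        return False
    host = host.rstrip(".")                    # "example.com." is the same host
    trusted_domain = trusted_domain.lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)


def login_link_is_safe(url: str, trusted_domain: str) -> bool:
    """Both conditions from the article: right domain AND encrypted (https)."""
    encrypted = urlsplit(url.strip()).scheme.lower() == "https"
    return encrypted and belongs_to(host_of_url(url), trusted_domain)


# Constructed samples: example.com stands for the real site, evil.example
# for the phisher's domain. The value is the verdict we expect.
TRUSTED = "example.com"
SAMPLE_LINKS = {
    "https://accounts.example.com/signin": True,
    "http://example.com/signin": False,                 # not encrypted
    "https://example.com.evil.example/signin": False,   # real name as a subdomain prefix
    "https://example.com@evil.example/signin": False,   # user-info trick
    "https://ex\u0430mple.com/signin": False,           # Cyrillic "a" instead of Latin
    "javascript:alert(1)": False,                       # not a web address at all
}


def check_samples() -> bool:
    """Return True when every constructed sample gets the expected verdict."""
    return all(login_link_is_safe(url, TRUSTED) is expected
               for url, expected in SAMPLE_LINKS.items())


if __name__ == "__main__":
    for url, expected in SAMPLE_LINKS.items():
        print(f"{login_link_is_safe(url, TRUSTED)!s:5}  {url}")
    print("sender domain:", domain_of_email("support@example.com.evil.example"))
    print("all samples as expected:", check_samples())
```

The point of `belongs_to` is that the comparison is anchored on the dot before the trusted domain: that single detail is what separates `accounts.example.com` (legitimate) from `example.com.evil.example` (phishing), and the same function works on the domain of a sender address.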

By the way, I should point out here that neither phishing attacks nor the password-guessing methods described below involve painstaking manual work by one person today (nobody types a million passwords by hand): all of this is done by special programs, quickly and at scale, which then report their successes to the attacker. Moreover, these programs may run not on the hacker's own computer but covertly on yours and on thousands of other users' machines, which greatly increases the effectiveness of the attacks.

Password guessing

Password-guessing attacks (brute force, literally exhaustive search) are also quite common. Whereas a few years ago most of these attacks really were brute force, trying every combination of a certain character set for passwords of a certain length, today things are somewhat simpler (for the hackers).

Analysis of the millions of passwords leaked in recent years shows that fewer than half of them are unique, and the share of unique passwords is even smaller on sites "inhabited" mostly by inexperienced users.

What does this mean? The hacker does not need to try countless millions of combinations: with a base of 10-15 million passwords (an approximate figure, but close to reality) and trying only those, he can crack almost half of the accounts on any site.

In an attack on a specific account, a plain brute-force search can be used on top of the wordlist, and modern software makes this relatively quick: once the attacker has the hash of an 8-character password (computed with a fast algorithm), it can be cracked offline in a matter of days, and in minutes if those characters are a date or a name-plus-date combination, which is not uncommon.

Keep in mind: if you use the same password for different sites and services, then once your password and the corresponding email address are compromised on any one of them, the same username and password combination will be tried on hundreds of other sites using special software. For example, right after several million Gmail and Yandex passwords were leaked at the end of last year, there was a wave of account hacks on Origin, Steam, Battle.net and Uplay (and, I think, on many others too; I mention the game services because people have come to me about them many times).

Hacking websites and obtaining password hashes

Most serious sites do not store your password in the form you type it. The database stores only a hash, the result of applying a one-way function to the password (one-way meaning that the password cannot be recovered from the result). When you log in, the hash is recomputed and, if it matches the one stored in the database, the password you entered is correct.

As you might guess, hashes are stored instead of the passwords themselves purely for security reasons: if an intruder breaks into the database, they should not be able to use what they find to work out the passwords.

However, very often an attacker can, because:

  1. A hash is computed with a specific algorithm, and most of the algorithms in use are known and common (anyone can use them).
  2. Having databases of millions of passwords (from the password-guessing section above), an attacker also has the hashes of those passwords precomputed with every common algorithm.
  3. By comparing those precomputed hashes with the password hashes in the stolen database, the attacker can determine which algorithm the site used and recover the real passwords for every record whose password appears in the wordlist (that is, every non-unique one) by simple matching. Brute force with the identified algorithm then takes care of the remaining passwords that are unique but short.

As you can see, the marketing claim of various services that they "do not store your passwords" does not by itself protect you from a leak. What does defeat this attack is a per-user random salt combined with a deliberately slow hashing function (bcrypt, scrypt, Argon2 or PBKDF2): the salt makes precomputed tables useless, and the slow function makes brute force expensive. You cannot check from the outside how a site stores your password, so a long, unique password remains your best defence.
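The three steps above, and the salt-plus-slow-function defence, are small enough to show end to end. The following added example (not code from the article or from any particular site) builds an attacker's lookup table from a tiny wordlist, runs it against a constructed "leaked" database of unsalted SHA-1 hashes, identifies the algorithm from the first hit, and then runs the same table against a salted PBKDF2 store where it recovers nothing. All users, passwords, the wordlist and the leak are constructed here; the PBKDF2 iteration count is kept low so the demo runs quickly.

```python
"""Why leaked hashes of common passwords are as good as the passwords,
and why a per-user salt plus a slow function defeats the trick.

Added example, not code from the article. The users, passwords, wordlist
and the "leaked" databases are all constructed here.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Fast, unsalted algorithms that careless sites have used for password storage.
CANDIDATE_ALGORITHMS = ("md5", "sha1", "sha256")

# A tiny stand-in for the multi-million-entry wordlists built from earlier leaks.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein",
                       "iloveyou", "dragon", "1q2w3e4r"]


def digest(algorithm: str, password: str) -> str:
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def build_lookup_table(words: List[str]) -> Dict[str, Tuple[str, str]]:
    """Attacker-side precomputation (step 2): hash -> (algorithm, password)
    for every word under every candidate algorithm. Done once, reused
    against every leak that comes along."""
    table: Dict[str, Tuple[str, str]] = {}
    for algorithm in CANDIDATE_ALGORITHMS:
        for word in words:
            table[digest(algorithm, word)] = (algorithm, word)
    return table


def crack_by_lookup(leaked: Dict[str, str],
                    table: Dict[str, Tuple[str, str]]) -> Tuple[Optional[str], Dict[str, str]]:
    """Step 3: match leaked hashes against the table.

    The first hit reveals which algorithm the site used. Anything not in
    the wordlist stays unrecovered and would need a brute-force run with
    that one algorithm.
    """
    algorithm: Optional[str] = None
    recovered: Dict[str, str] = {}
    for user, stored_hash in leaked.items():
        hit = table.get(stored_hash.lower())
        if hit is not None:
            algorithm = algorithm or hit[0]
            recovered[user] = hit[1]
    return algorithm, recovered


# --- The site's side --------------------------------------------------------

# Constructed credentials: three appear in the wordlist, one does not.
SITE_CREDENTIALS = {
    "alice": "123456",
    "bob": "letmein",
    "carol": "Rq7!vm2Lp9",   # assumption: a unique password absent from the wordlist
    "dave": "qwerty",
}

PBKDF2_ITERATIONS = 100_000   # kept low for the demo; production uses more


def store_unsalted(creds: Dict[str, str], algorithm: str = "sha1") -> Dict[str, str]:
    """What a careless site stores: user -> hash(password), no salt."""
    return {user: digest(algorithm, pw) for user, pw in creds.items()}


def store_salted(creds: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What a careful site stores: user -> (random salt, PBKDF2-HMAC-SHA256).
    The salt makes every stored value unique even for identical passwords,
    so a precomputed table is useless; the iterations make each guess slow."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        tag = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        store[user] = (salt, tag)
    return store


def verify_salted(store: Dict[str, Tuple[bytes, bytes]], user: str, attempt: str) -> bool:
    """Login check on the careful site: recompute with the stored salt, compare."""
    salt, expected = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def demo() -> Tuple[Optional[str], Dict[str, str], Dict[str, str]]:
    """Run the lookup attack against both stores and return the results."""
    table = build_lookup_table(WORDLIST)
    algorithm, recovered = crack_by_lookup(store_unsalted(SITE_CREDENTIALS), table)
    # The salted store leaks too, but only the hash column is usable for lookup.
    salted_leak = {user: tag.hex() for user, (_salt, tag) in store_salted(SITE_CREDENTIALS).items()}
    _, recovered_salted = crack_by_lookup(salted_leak, table)
    return algorithm, recovered, recovered_salted


if __name__ == "__main__":
    algorithm, recovered, recovered_salted = demo()
    print("algorithm identified:", algorithm)
    print("recovered from unsalted store:", recovered)
    print("recovered from salted store:", recovered_salted)
```

With the unsalted store the attacker recovers alice, bob and dave and learns that the site used SHA-1; carol's password survives only because it is not in the wordlist, and a short one would fall to brute force next. With the salted store the same table yields nothing, and because every guess now costs 100,000 iterations of HMAC-SHA-256 rather than a single hash, a brute-force run is slowed by the same factor.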

Spyware

Spyware is a broad class of malicious software that installs itself covertly on a computer (spyware functions can also be built into programs the user actually wanted) and collects information about the user.

Among other things, certain types of spyware, such as keyloggers (programs that record keystrokes) or covert network traffic sniffers, can be, and are, used to obtain user passwords.

Social engineering and password-recovery questions

As Wikipedia tells us, social engineering is a method of gaining access to information that relies on human psychology (the phishing described above is one form of it). Many examples of social engineering can be found on the Internet (I recommend that you look some up and read them; it is interesting), and some of them are very elegant. In general the method boils down to this: almost any information needed to get at sensitive data can be obtained by exploiting human weaknesses.

Here is an everyday example, simple and not especially elegant, that concerns passwords. As you know, on many sites it is enough to answer a security question to recover a password: which school you went to, your mother's maiden name, your pet's name... Even if you have not already posted this information publicly on social networks, do you think it is hard to obtain it discreetly through those same networks, whether for someone who knows you or for someone who has singled you out?

How do you know if your password has been compromised?

Well, to conclude the article, here are some services that let you find out whether your password has been leaked, by checking your email address or username against the password databases that have fallen into hackers' hands. (I am a little surprised that the proportion of databases from Russian-language services among them is so high.)

Have you found your account in the list of known leaks? Then it makes sense to change the password; I will write in more detail about security practices for account passwords in the coming days.


Creative Stop All About Technology