But how do hackers crack passwords? Below are a few of the main ways a hacker can guess a password and gain access to someone’s account. I hope to show why it is so important to make sure your passwords are strong (believe me, when I first learnt about all these techniques, I went through and changed all my passwords!)
Social engineering
A lot of people use things like their birthday, the name of a family member, or something else that is significant to them to set their password. People often take this approach because it makes the password easier to remember; however, it also leaves you more vulnerable to someone guessing your password if they know a few things about you.
You might have seen the news about Trump’s Twitter account being hacked after a Dutch researcher guessed that his password was ‘maga2020!’. It is worth noting that Twitter have said they have found no evidence of this, but whether or not it is true, it helps to highlight how people can use information about you to get access to your accounts.
Another example of this can be seen in the popular show Mr Robot, where the main character works for an IT security company by day and by night is a “grey-hat” hacker targeting people who might otherwise escape law enforcement. In the show he can often be seen stalking his targets’ social media accounts and online profiles for details such as their date of birth or information about their relatives that he can use to guess their passwords. In the first episode, he manages to log in to his therapist’s boyfriend’s email by finding out who his favourite sports teams are and what his dog’s name is. Armed with these two pieces of information, he was able to access the email account, and then use similar variations to gain access to other aspects of his life.
Therefore, it is extremely important to have a password that cannot be easily guessed – so if your password contains something like your pet’s or girlfriend’s name, I recommend you consider changing it.
Brute Force
A brute force attack is when someone tries to guess your password using a program that tries many candidate passwords at a time, working through every combination of characters from ‘a’ to ‘z’ and everything in between. The more characters your password has, the longer this method takes. If your password is all lower-case or a single word, programs like this can guess it within seconds. Adding a number or a few numbers helps strengthen your password, as does using symbols.
Where you place the numbers and symbols can also make a difference. One of the most common password shapes is “Word Date Symbol”, e.g. Apple1998*. This would still show on the website I refer to below as secure, taking 5 years to crack, but it follows a well-known pattern and would be easier to crack for someone who really wanted to get into your account or computer.
There is a useful website which I often use to see how secure my passwords really are.
If we go to this website and type in the word “pineapple”, it shows that this can be guessed in just 2 minutes! However, with capitals, “PineApple” would take 9 hours. If I then replace PineApple with P1n3Appl3 (1=i & 3=e), it takes 3 days, and if you add a symbol it takes 5 years. The problem here is that the password itself is still a common word, i.e. one that can be found in the dictionary. Which leads me on to…
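To make the brute-force arithmetic concrete, here is a small Python script (an added example, not code from the original post or from the password-checking website mentioned above) that works out the alphabet size and search space for each of the passwords just discussed and converts that into a time to exhaust the search. The guess rate of ten billion guesses per second is an assumption for the example, not a figure from the post, so the absolute times differ from the website’s; what the script shows is how each change multiplies the attacker’s work. It also illustrates the post’s own caveat: the arithmetic assumes the attacker has to try everything, and a dictionary word with 1=i and 3=e swapped in is far weaker than the raw numbers suggest.

```python
import string

# Assumed offline guess rate (ten billion guesses per second). This is an assumption for the
# example, not a figure from the post; real rates depend on the hash algorithm and hardware.
GUESSES_PER_SECOND = 10_000_000_000

# Character classes and the number of symbols each adds to the alphabet an attacker must search.
CHARSET_SIZES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, len(string.punctuation)),  # 32 printable ASCII symbols
}


def classes_used(password: str) -> list:
    """Names of the character classes that appear in the password, in CHARSET_SIZES order."""
    return [name for name, (chars, _) in CHARSET_SIZES.items() if any(c in chars for c in password)]


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that contains every character in the password."""
    return sum(CHARSET_SIZES[name][1] for name in classes_used(password))


def keyspace(password: str) -> int:
    """How many candidates a brute-force search must cover to be certain of reaching this password."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    previous = None
    for pw in ["pineapple", "PineApple", "P1n3Appl3", "P1n3Appl3!"]:
        space = keyspace(pw)
        growth = f"{space / previous:,.0f}x the previous line" if previous else ""
        print(f"{pw:<12} alphabet={alphabet_size(pw):>3} length={len(pw)} "
              f"candidates={space:.2e} time={human_time(seconds_to_exhaust(pw)):<14} {growth}")
        previous = space
```

Run it and you will see that the step from “pineapple” to “PineApple” roughly multiplies the work by 500, the digits add another factor of about five, and the extra symbol (which also makes the password one character longer) multiplies it by several thousand. Length matters as much as variety: every extra character multiplies the search by the whole alphabet size.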
Dictionary attack
A dictionary attack can be done in two ways:
1. A program that would literally go through the dictionary, from Aardvark to Zebra.
2. A program that has a list of known existing passwords i.e., a dictionary of passwords that might have come from a website which has been compromised.
The first option, going from Aardvark to Zebra, may take a while, but you would be surprised how many people still use these kinds of simple passwords. If your password is just one word, I would strongly recommend changing it now!
The second option is a known list of passwords that people have actually used. Some of you may remember that back in May 2016 LinkedIn was attacked and had over 100 million passwords taken and sold on the dark web.
Attackers would download or buy this file of leaked passwords and see where else those passwords work: they take a target email address and use a program to go through the file, trying each password listed in it. Therefore, it is very important to have a different password for each account you hold online, because you never know which site is going to be compromised or forgotten about – make it a habit to use strong and unique passwords every time.
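The dictionary and leaked-list checks described above are the same checks a website can run on its own side when you choose a password, so that a word from the dictionary or a password already in a breach file is rejected before it is ever set. The Python below is an added example (not code from the original post); it uses a tiny constructed dictionary and a constructed leaked-password list as stand-ins for the real lists, undoes the common number-for-letter substitutions so that P1n3Appl3 is recognised as pineapple, and flags the Word-Date-Symbol shape of Apple1998*.

```python
import re

# Constructed stand-ins for a real dictionary and a real leaked-password list (assumption:
# these entries are made up for the example; a production check loads the full lists).
DICTIONARY_WORDS = {"aardvark", "apple", "pineapple", "zebra", "dragon", "monkey"}
LEAKED_PASSWORDS = {"123456", "password1", "qwerty", "linkedin", "maga2020!"}

# Common number-for-letter substitutions, reversed so that P1n3Appl3 maps back to pineapple.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# The "Word Date Symbol" shape: a leading word, an optional 2-4 digit number (a year or a
# date), then any trailing symbols. The lazy word group makes the number group claim the digits.
WORD_DATE_SYMBOL = re.compile(r"^(?P<word>.*?)(?P<number>\d{2,4})?(?P<symbols>[^A-Za-z0-9]*)$", re.DOTALL)


def split_password(password: str) -> tuple:
    """Split a password into (word, number, symbols); missing parts come back as ''."""
    m = WORD_DATE_SYMBOL.match(password)
    return m.group("word"), m.group("number") or "", m.group("symbols")


def base_words(password: str) -> set:
    """Dictionary words the password may be built on: the leading word lower-cased, both as
    typed and with the substitutions in LEET_MAP undone."""
    word = split_password(password)[0].lower()
    return {word, word.translate(LEET_MAP)}


def check_password(password: str) -> list:
    """Return the reasons a password would be rejected; an empty list means it passed."""
    reasons = []
    if password.lower() in LEAKED_PASSWORDS:
        reasons.append("appears in a leaked-password list")
    _, number, symbols = split_password(password)
    if base_words(password) & DICTIONARY_WORDS:
        reasons.append("built on a dictionary word")
        if number and symbols:
            reasons.append("matches the Word-Date-Symbol shape")
        elif number:
            reasons.append("dictionary word followed by a number")
    return reasons


def is_acceptable(password: str) -> bool:
    """True when none of the checks fire."""
    return not check_password(password)


if __name__ == "__main__":
    for pw in ["pineapple", "P1n3Appl3", "Apple1998*", "maga2020!", "correct-horse-battery-staple"]:
        verdict = check_password(pw)
        print(f"{pw:<30} {'OK' if not verdict else '; '.join(verdict)}")
```

The leaked-list lookup is the important one in practice: a password that has already been in a breach is the first thing a program like the one described above will try, however many symbols it contains. Real deployments compare against lists of hundreds of millions of entries rather than the five constructed here, but the logic is the same.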
It might be worth checking this site to see if any of your accounts have already been compromised. Enter your email address and find out. If they have, change your passwords and check out my next blog post, where I am going to go through some simple tips for making your passwords more secure.
If you would like to talk about password best practice drop me a line at fru@macnamara-ict.co.uk – Though, please do not share your actual passwords with me 🙂