How Do Passwords Get Hacked?

It seems like almost weekly we see headline news stories of a new company falling victim to a data breach. There are many different reasons why a company is breached: Denial of Service Attacks, Malware Attacks, Password Attacks, and so many more! According to Verizon’s 2023 Data Breach Investigation Report, “Poorly picked passwords continue to be one of the major sources of breaches.” Needless to say, creating a more secure password policy is a topic that needs to be discussed internally within every company. We are far beyond the days when Microsoft’s password complexity was good enough.

When a hacker attempts to crack a user’s password, they are not just trying a few educated guesses and then moving on to someone else’s account to try a few more. Instead, hackers have advanced technology and software that does all of the work for them.

On the internet, there are many different password cracking tools available for public use. One of the most well-known password cracking tools is called Cain and Abel, which is only available for Windows-based systems. According to the Infosec Institute, Cain and Abel “can work as sniffer in the network, cracking encrypted passwords using the dictionary attack, recording VoIP conversations, brute force attacks, cryptanalysis attacks, revealing password boxes, uncovering cached passwords, decoding scrambled passwords, and analyzing routing protocols.” Another popular tool is John The Ripper. This is free software that is available for Mac OS X and Windows-based systems, and it can detect weak passwords. There is also a paid option that has many more beneficial features.

Besides Cain and Abel, John The Ripper, and hashcat, OphCrack is a popular rainbow table tool and L0phtCrack cracks Windows passwords from hashes. For more information about rainbow tables, click here.

Microsoft’s LM hashing algorithm is insecure because of its 7-character password segmentation, and it is recommended that security professionals disable the LM hashing algorithm and use the NT hashing algorithm only.
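As an added example (not part of the original post), the audit below shows what the 7-character segmentation looks like in stored hashes and how to find accounts that still carry an LM hash. The pwdump-style layout `user:rid:LM:NT:::`, the account names, and the sample hash values are constructed for illustration; the only real value is the well-known LM output for an empty 7-byte segment.

```python
# Added example: classify the LM field of each account in a hash export.
# Sample lines are constructed; only EMPTY_LM_HALF is a real, well-known value.
import string

EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM output for an empty 7-byte segment
EMPTY_LM = EMPTY_LM_HALF * 2        # appears when no usable LM hash is stored

SAMPLE_EXPORT = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
bob:1002:1122334455667788AAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
carol:1003:1122334455667788990011AABBCCDDEE:00112233445566778899AABBCCDDEEFF:::
dave:1004:NO PASSWORD*********************:00FF00FF00FF00FF00FF00FF00FF00FF:::
"""

def classify_lm(lm_field):
    """Return what the LM field reveals about one account."""
    lm = lm_field.strip().upper()
    if len(lm) != 32 or not set(lm) <= set(string.hexdigits):
        return "unparsed"        # placeholder text or damaged field: review by hand
    if lm == EMPTY_LM:
        return "no-lm"           # LM disabled, blank password, or more than 14 chars
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-short"        # second segment empty: password is 7 chars or fewer
    return "lm-present"          # two independently hashed 7-character segments

def audit(export_text):
    """Map each account name to its LM classification."""
    findings = {}
    for line in export_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            findings[parts[0]] = classify_lm(parts[2])
    return findings

def accounts_to_remediate(findings):
    """Accounts whose password should be changed after LM storage is disabled."""
    return sorted(u for u, state in findings.items()
                  if state in ("lm-short", "lm-present"))

if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    for user, state in result.items():
        print(f"{user:8} {state}")
    print("remediate:", accounts_to_remediate(result))
```

An existing LM hash stays in the account database until the password is changed, so flagged accounts need a password reset after LM storage is turned off.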

As you can see, there are so many tools available to crack passwords. Besides the tools that are available, let’s talk about a few of the methods a hacker can use to crack passwords.

1. Brute Force

A Brute Force password attack can be a very successful, but slow, process for cracking passwords. The program will attempt to guess passwords repeatedly until the password has been cracked or the list of predetermined passwords has been exhausted. Success for this attack is determined by the set of predetermined passwords. If the file is larger, then there is a larger probability of success. The attacks can take anywhere from a few minutes to a few years depending upon the software used and the length of the password being cracked. Longer passwords with multiple character sets take longer to crack.

2. Rainbow Tables

Rainbow Tables are a very successful method of cracking passwords that are 14 characters or fewer. Rainbow tables are enormous compilations of pre-computed hashed values of possible password combinations. Basically, they allow hackers to reverse the hashing function to determine what the plain text password might be. Once the appropriate hash has been found, the password is cracked. For Windows passwords up to 14 characters, these tables can have up to a 99.9% accuracy rating.

3. Hybrid Attacks

A Hybrid Attack is a password-cracking technique that uses a combination of a Dictionary Attack and a Brute Force Attack. This type of password hacking combines dictionary words with numbers and special characters to try to gain access to a company’s network. It is typically used to target passwords made of a common dictionary word followed by a special character and/or number. Hybrid Attacks are extremely successful because studies have shown that the typical user creates a password from a common dictionary word and then adds a single letter and/or special character to meet the password policy requirements.

4. Dictionary Attacks

Dictionary Attacks are quite simple, yet they are very dangerous to companies. As stated previously, studies have shown that users like to create passwords with common “dictionary” words like password, summer, football, etc. In a Dictionary Attack, the password cracker tool will try common dictionary words as passwords until the hacker gains access to the company’s network.

With so many different password cracking methods, the thought of “How can I keep my company safe as the IT Administrator?” is probably on your mind. Truth be told, Microsoft Password Complexity is neither secure nor strong enough to keep hackers away. Microsoft does not let you prohibit common dictionary words to prevent dictionary attacks, nor does it allow you to set the minimum character limit to 15 characters to prevent an attack via rainbow table. The only solution for this is a Windows-based Password Filter. The nFront Password Filter allows you to create a customized dictionary file to prevent dictionary attacks and you are able to strengthen your password policy settings beyond what Microsoft currently allows. For more information on why the Windows Password Policy isn’t enough, click here.
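The sketch below is an added example, not nFront's code or any product's API: it shows the kind of check a password filter applies that a character-class complexity rule cannot, rejecting a dictionary word that has only been padded or substituted in the way hybrid attacks anticipate. The dictionary contents, the function names, the substitution map, and the simplified three-of-four complexity rule are all assumptions made for illustration.

```python
# Added example: complexity rule vs. dictionary-aware filter (hypothetical names).
import re

# Constructed sample dictionary; a real deployment loads a much larger custom file.
DICTIONARY = {"password", "summer", "football", "welcome", "company"}
MIN_LENGTH = 15  # the minimum length the article recommends

# Character substitutions users commonly apply to dictionary words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def meets_basic_complexity(password):
    """Simplified model of a 'three of four character classes' rule."""
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return sum(classes) >= 3

def base_forms(password):
    """Reduce a password to the base words a hybrid guess would start from."""
    lowered = password.lower()
    no_suffix = re.sub(r"[^a-z]+$", "", lowered)    # drop trailing digits/symbols
    no_prefix = re.sub(r"^[^a-z]+", "", no_suffix)  # then leading digits/symbols
    forms = set()
    for text in (lowered, no_suffix, no_prefix):
        forms.update((text, text.translate(LEET)))  # with and without substitutions
    forms.discard("")
    return forms

def filter_reasons(password, dictionary=DICTIONARY, min_length=MIN_LENGTH):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too-short")
    hits = sorted(base_forms(password) & dictionary)
    if hits:
        reasons.append("dictionary:" + hits[0])
    return reasons

if __name__ == "__main__":
    for pw in ("Summer2024!", "P@ssw0rd1234567!", "Violet-kettle-orbit-7marsh"):
        print(pw, meets_basic_complexity(pw), filter_reasons(pw))
```

All three sample passwords satisfy the complexity rule, but only the last one passes the filter.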

Even if you are not the IT Administrator for your company and you’re an employee, take it upon yourself to create a stronger password. At least you can rest easy knowing that your password won’t be the reason your company is hacked. According to CNN Money, US companies lose $15.4 million per year due to hacking.

As I stated earlier, everyone has access to password cracking software tools. Do yourself and your company a favor and run one of these tools internally! There are many professionals, called penetration testers, who can conduct a formal penetration test for you with password cracking tools and show your company what the vulnerabilities are.
