It’s 2021 and most social and monetary dealings take place over password-protected platforms. Every single device we use offers authentication services in order to keep our data private and safe. But how safe are we, despite using multiple levels of protection?
According to research conducted by Dinei Florencio and Cormac Herley for Microsoft, with 25,000 users over a period of 3 months:
- The average user has 25 accounts, for which they reuse around 6.5 passwords per 3.9 websites.
- Most users stick to lowercase passwords if the option to do so exists.
- Depending on the password policy of the website, the average password strength changes. For example, user passwords for NY Times and Microsoft OWA scored 37.86 and 51.36 respectively, with the former being a regular newspaper subscription and the latter forcing users to create strong passwords.
- Each month, at least 1.5% of users forget their passwords.
- Annually, 0.4% of users submit their passwords to verified phishing sites.
(Image Source: Internet Identity Theft Statistics)
Why do hackers want to extract data, how do they manage to do it, and most importantly – how can we stop them? This article aims to help you understand how you’re vulnerable to exploitation, and what you can do to minimize the risk.
The obvious answer to why hackers target you is that they want access to your data. You might be wondering how a regular person’s seemingly insignificant data can be of any importance to hackers.
The market for personal information is huge, with data being sold for as little as $1 and as much as $2000 per transaction. This data could be anything – your social security number, bank details, medical records, or government IDs – all of which are highly valuable. Once stolen, these details can be sold as individual records or as part of huge databases. The buyers could be from any walk of life – other malicious entities, shady con men trying to rip you off, or legitimate businesses trying to get an edge over their competitors, in terms of customer details.
Factors such as demand, supply, reusability, and exploitability of the data affect market prices. Purchases can be made by accessing darknet marketplaces through browsers supporting onion routing and making anonymous transactions using cryptocurrency.
Besides this, hackers could try stealing your passwords to engage in identity theft.
There are numerous ways of stealing and using passwords. These methods don’t necessarily require technical expertise, because of which navigating the cyber age is even scarier. Anyone with a good knowledge of tools that enable password extraction and/or good social engineering skills can get their hands on weak, or insecurely stored passwords. Here are some common methods:
The most non-technical method used for data extraction, social engineering refers to the psychological manipulation of people who can leak target data. The victim of the social engineering attack doesn’t necessarily have to be the victim whose details are being extracted.
For example, a hacker could manipulate your spouse into believing they’re a bank employee who needs your password for official work and gain access to your account.
Brute-force attacks try every possible combination of a given set of characters until one matches the password. They are trial-and-error based, and most efficient when the set of possible characters is known. Factors like short password length, the absence of mixed character types, and the use of predictable phrases make brute-forcing easy for the hacker.
Dictionary-based attacks make use of common user credentials, including previously leaked credentials, to break into an account. A subset of brute-force attacks, they use specific “dictionaries” (word-lists) and test whether any phrase present in that word-list is the required password.
Insecure storage refers to inadequate password management, i.e. the practice of storing passwords in plaintext and/or in easily accessible locations. This inadequate protection of sensitive data by individuals, organizations, or software can result in both weak and strong passwords falling into the wrong hands.
Keyloggers can be either software- or hardware-based. Their purpose is to record all the input provided to a computer through its keyboard. These records can then be accessed by the owner – in our case, the hacker. Software-based keyloggers are generally installed on systems without the user’s knowledge, bundled with other downloads. Hardware-based keyloggers require physical installation, i.e. the hacker must access the victim’s device and attach the keylogger to it.
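The contrast between plaintext storage and properly protected storage is easier to see in code. The following Python example is added here and is not from the article: it stores a password in plaintext beside a salted, stretched hash (PBKDF2-HMAC-SHA256 from the standard library), verifies a login attempt in constant time, and treats unknown users the same way as wrong passwords. The iteration count and the sample user are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption: a present-day iteration
# count (the article gives no number); raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(db: Dict[str, str], username: str, password: str) -> None:
    """Insecure storage: the password is written as-is, so anyone who can read
    the store (a backup, a log, a compromised host) gets every password."""
    db[username] = password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt means two users with the same password get different
    records, which defeats precomputed (rainbow-table) lookups."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == would leak how many leading bytes match.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def store_hashed(db: Dict[str, str], username: str, password: str) -> None:
    """Secure storage: only the salted, stretched hash is persisted."""
    db[username] = hash_password(password)


def login(db: Dict[str, str], username: str, password: str) -> bool:
    """Check a login attempt against the hashed store. An unknown user still
    costs one PBKDF2 run so response time does not reveal whether the account exists."""
    record = db.get(username)
    if record is None:
        hash_password(password, salt=b"\x00" * 16)
        return False
    return verify_password(record, password)


if __name__ == "__main__":
    # Constructed sample data.
    insecure: Dict[str, str] = {}
    secure: Dict[str, str] = {}
    store_plaintext(insecure, "alice", "G1ll1@n.Pet3r$")
    store_hashed(secure, "alice", "G1ll1@n.Pet3r$")
    print("plaintext store leaks:", insecure["alice"])
    print("hashed store holds:   ", secure["alice"][:40] + "...")
    print("correct password accepted:", login(secure, "alice", "G1ll1@n.Pet3r$"))
    print("wrong password rejected:  ", not login(secure, "alice", "Gmail@123"))
```

Whoever reads the hashed store gets a salt and a digest, not a password; recovering the password means running the same slow derivation for every guess, which is exactly the cost the plaintext store removes.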
One of the most popular methods for stealing credentials, phishing refers to the deception of victims by directing them to a hacker-controlled input form. E-commerce websites, banking websites, subscription lists, or help forums – anything can be used to phish targets. Usually, these forms are made available to victims through emails that require the victim to click on legitimate-looking links that redirect them to the hacker-controlled webpage. After this, the victim is prompted to enter their credentials, leading the plaintext input to be accessed by the hacker.
Blackmail is the most direct method of gaining access to victim credentials. By blackmailing the victim using sensitive information or threats of violence, malicious actors can directly obtain the required passwords. Remote Administration Tools (RATs) can allow the hacker to obtain private information, videos, images, or documents that could be used for blackmail.
Remote Administration Tools are built to gain complete access to the host system while avoiding detection. They can be used to remotely install backdoors on the victim’s computer, which act as an entry point for the hacker even if other ways of accessing the machine, such as old passwords, have been changed. RATs have much wider functionality, but password extraction is easily achievable with them.
The analysis of network packets can reveal usernames and passwords if strong encryption techniques aren’t employed. Once the hacker has gained access to your network, they could sniff packets using freely available tools designed for the same. If a strong network security technology such as WPA2 isn’t being used, then the data being transmitted can be easily stolen and deciphered.
Malware, or malicious software, is designed for the sole purpose of causing damage to its host. Almost all types of hacks are caused or at least aided by some type of malware. Amongst other functionalities, strong malware can have the ability to access system memory to obtain passwords.
Depending on whether you want to protect your passwords as an individual, or whether you’re looking for large-scale protection at an organizational level, there are different things to keep in mind.
Product developers and service providers are constantly being informed of vulnerabilities that require immediate patching. Once this information becomes public, hackers can quickly start trying to exploit them, putting every client organization at risk. This makes prompt patching extremely important once a bug is disclosed.
Every device that is connected to a network is an endpoint. With the recent influx of personal devices in workplaces, endpoint security is now a major issue. Since each device acts as an entry point to the network, hackers can quickly gain access through them if adequate safety measures aren’t put in place. Once they’re inside the network, extracting passwords of employees becomes easier.
‘Legacy software’ refers to outdated software that has modern, updated alternatives but continues being used. Reasons such as time and money invested in the integration of any software at the workplace could encourage organizations to stick with legacy software, but this practice has proven to be highly insecure. It is therefore necessary to stay updated with industry advancements.
Oftentimes, employees are granted special rights that they require for certain projects. While this step is necessary, it is also important to revoke these privileges once the work is complete. Not doing so leaves loose ends, which can be exploited by hackers to gain high-level privileges, giving them access to large amounts of data.
Instead of directly targeting the victim’s network, hackers could focus on individuals or vendors who have access to it due to outsourced work or software. This way, they can use legitimate channels of communication between the associate and the victim to extract passwords.
The purpose of firewalls is to ensure that unauthorized devices can’t access the organization’s network and that internal devices can’t access unauthorized endpoints. They block URLs that aren’t meant to be accessed by employees, reducing the risk of phishing attacks that could lead to data loss. Besides this, they make it harder for hackers to gain direct access to the network, reducing the chances of network-analysis-based attacks.
Employing the usage of biometric authentication makes password-stealing complicated, as fingerprints and retinas can’t be stolen. In order to exploit these security mechanisms, hackers would have to gain access to the databases storing biometric information of employees, which is objectively harder.
Investing in trusted and efficient anti-spyware technology is one of the most important steps any organization can take. These tools are designed to detect malware that might be hiding within the target network and assist with their removal. The removal of such malicious software can decrease the chances of data extraction.
Encryption is the process of converting plaintext to a seemingly random combination of characters based on a key. A key is a set of values that determine how the original data will get converted – known only to the sender and the recipient. Encrypting all the data flowing in and out of the organization’s network makes it hard for the hacker to find value in stolen passwords, network packets, and intercepted requests.
(Image Source: Information Commissioner’s Office, UK)
Security Keys are hardware-based versions of two-factor authentication solutions. They enable password-less authentication and eliminate the chances of phishing-based credential extraction. They employ the FIDO U2F (Universal 2nd Factor) open standard to offer the highest level of physical protection.
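Why a security key resists phishing comes down to one property of the protocol: the browser binds the signed challenge to the origin the user is actually visiting, and the key’s credential is derived for that origin, so a signature produced on a look-alike site does not verify at the real one. The Python below is an added illustration, not code from the article or from the FIDO specifications: the authenticator’s per-site key pair is simulated with a per-origin HMAC key derived from a master secret, and HMAC stands in for the ECDSA signature so the example runs with the standard library alone. The origins and the user name are constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict


class SecurityKey:
    """Simulated U2F authenticator. Real keys hold a master secret and derive a
    distinct key pair per application identity; HMAC stands in for signing."""

    def __init__(self) -> None:
        self.master = os.urandom(32)

    def _site_key(self, app_id: str) -> bytes:
        # Derivation is bound to the site identity: a different origin yields
        # a different key, with no way to carry a credential across sites.
        return hmac.new(self.master, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        # The relying party stores this verification key (a public key in real U2F).
        return self._site_key(app_id)

    def sign(self, app_id: str, challenge: bytes) -> bytes:
        # The signed data covers the application parameter (hash of the site
        # identity) and the challenge, as in the U2F authentication response.
        app_param = hashlib.sha256(app_id.encode()).digest()
        return hmac.new(self._site_key(app_id), app_param + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The website. It only ever verifies against its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.users: Dict[str, bytes] = {}

    def enroll(self, user: str, key: SecurityKey) -> None:
        self.users[user] = key.register(self.origin)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, challenge: bytes, signature: bytes) -> bool:
        app_param = hashlib.sha256(self.origin.encode()).digest()
        expected = hmac.new(self.users[user], app_param + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class Browser:
    """The browser, not the web page, tells the key which origin is in the
    address bar; a phishing page cannot claim to be someone else."""

    @staticmethod
    def authenticate(key: SecurityKey, origin_in_address_bar: str, challenge: bytes) -> bytes:
        return key.sign(origin_in_address_bar, challenge)


def legitimate_login(rp: RelyingParty, key: SecurityKey, user: str) -> bool:
    challenge = rp.new_challenge()
    signature = Browser.authenticate(key, rp.origin, challenge)
    return rp.verify(user, challenge, signature)


def phished_login(rp: RelyingParty, key: SecurityKey, user: str, phishing_origin: str) -> bool:
    # A look-alike site relays the real challenge, but the browser signs it
    # under the look-alike origin; relayed to the real site, it fails to verify.
    challenge = rp.new_challenge()
    signature = Browser.authenticate(key, phishing_origin, challenge)
    return rp.verify(user, challenge, signature)


if __name__ == "__main__":
    # Constructed origins and user.
    bank = RelyingParty("https://bank.example")
    key = SecurityKey()
    bank.enroll("alice", key)
    print("real site:", legitimate_login(bank, key, "alice"))
    print("look-alike site:", phished_login(bank, key, "alice", "https://bank-login.example"))
```

Compare this with a one-time code typed into a form: the code carries no notion of where it was entered, so a phishing page can relay it verbatim; the security key’s response only verifies for the origin it was produced on.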
While these organization-level measures strengthen the entire network, individual employees need to do their part as well. To ensure that there are a minimal number of insider threats, set the following guidelines for employees.
Almost every website prompts users to set long passwords that use a combination of uppercase characters, lowercase characters, numbers, and special characters. The reason behind this is that when hackers use dictionary attacks to gain access to accounts, the automated tool being employed checks for passwords that match pre-existing entries in the word-list. If a complex combination of characters is used, the chances of finding a match decrease.
In the case of brute-forcing, mixing character types enlarges the alphabet the attacker must try, and the number of candidates grows exponentially with password length, so the time needed increases sharply and session timeouts or rate-limiting checks get the chance to detect the intrusion attempt.
Online password strength checkers such as the University of Illinois at Chicago’s free tool allow you to check how secure your passwords are.
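The two effects described here, a word-list lookup that ignores character mix entirely and a brute-force search space of alphabet-size to the power of length, can be measured directly. The Python below is an added example, not the article’s checker or the University of Illinois tool: it assesses a password against a small constructed word-list (standing in for a leaked-credential dictionary) and, if it survives that, computes the brute-force cost at two assumed guess rates, an offline cracking rig and an online login form rate-limited to ten attempts a minute.

```python
import math
import string
from typing import Dict, Union

# Constructed stand-in for a leaked-credential word-list; real ones hold millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "gmail@123", "my.facebook"}

CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation,         # 32
}

# Assumed guess rates (not figures from the article).
OFFLINE_GUESSES_PER_SECOND = 1e10       # cracking rig against a fast hash
ONLINE_GUESSES_PER_SECOND = 10 / 60     # rate-limited login endpoint


def alphabet_size(password: str) -> int:
    """Alphabet the attacker must assume: the union of every character class
    the password uses. Mixing classes is what grows it."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Worst-case number of brute-force candidates: alphabet ** length.
    Length is the exponent, so every extra character multiplies the work."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits (log2), the usual strength scale."""
    return math.log2(search_space(password))


def assess(password: str) -> Dict[str, Union[str, int, float]]:
    """Dictionary check first (cheap for the attacker), then brute-force cost."""
    if password.lower() in COMMON_PASSWORDS:
        # A word-list hit costs one lookup however many character classes it mixes.
        return {"verdict": "dictionary hit", "guesses": len(COMMON_PASSWORDS),
                "bits": 0.0, "offline_seconds": 0.0, "online_seconds": 0.0}
    guesses = search_space(password)
    return {
        "verdict": "brute force only",
        "guesses": guesses,
        "bits": round(entropy_bits(password), 1),
        "offline_seconds": guesses / OFFLINE_GUESSES_PER_SECOND,
        "online_seconds": guesses / ONLINE_GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    for candidate in ("Gmail@123", "abcdef", "G1ll1@n.Pet3r$"):
        result = assess(candidate)
        print(f"{candidate!r}: {result['verdict']}, {result['bits']} bits, "
              f"offline {result['offline_seconds']:.3g} s, online {result['online_seconds']:.3g} s")
```

The output shows the article’s point from both sides: a six-letter lowercase password is unbreakable through a rate-limited form for decades yet falls in a fraction of a second to an offline attack on a leaked hash, while a word-list entry falls instantly regardless of how it is spelled.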
While it’s important to set passwords you won’t forget easily, it is equally important to set passwords that can’t be guessed. Because of this reason, it’s a good idea to decide on a system for setting all your passwords and using phrases instead of words.
For example, instead of using passwords such as “Gmail@123” and “My.Facebook” for your Google and Facebook accounts, you could use your third-grade classmates’ names as “G1ll1@n.Pet3r$” and “Fr3der!ckEng3l$”. This personal system won’t be known to hackers, and the usage of relevant initials would reduce the chances of forgetting passwords.
In case one of your accounts gets hacked, the perpetrator would not only gain access to it, but would also be able to log in to other accounts that use the same password. Small modifications such as one or two changed characters aren’t enough, so make sure each password is unique and unrelated.
To eliminate the risk of forgetting or repeating passwords, make use of password managers. They are cloud-based vaults that can be accessed using one master password, which is very strong and must be memorized. Using this, you can randomly generate and access secure passwords for all types of accounts – social media, banks, emails, etc.
Offered by many applications, two-factor authentication links your primary password to a secondary authentication method. This is seen in websites that ask you to enter an OTP sent on your registered mobile number, once the correct account password has been entered.
Two-factor authentication increases the level of security as it requires the hacker to either gain access to both authentication methods, or fool the system into handing over control to them. Both of these are hard to pull off and very time-consuming.
Hackers aren’t necessarily shady young people sitting in secluded corners of dark rooms. Your coworkers, your classmates, and the stranger you chatted with on the subway could each exploit you by stealing credentials they can see you type. It is therefore necessary to take note of your surroundings while entering sensitive information on your cell phone or computer.
Watch out for suspicious behavior by installed applications and always use virtual keyboards for sensitive passwords. Most banking websites provide on-site virtual keyboards to prevent credential extraction via keylogging.
While it is impossible to keep your passwords 100% protected, following general safety practices and using tools dedicated to this reduce the chances of getting exploited.