How do hackers steal passwords?

Passwords are a habitual security bugbear, too many people use easy to crack passwords because they are unaware of just how hackers manage to get into their accounts, it has been claimed.

passwordThe usual image of a hacker entering countless variations into a user account before they magically stumble upon the right one, is a common misrepresentation of what has become a massive criminal problem on the Web. Organised gangs usually don’t target individual’s accounts, as we all know with three strikes and you are locked out the success rate would not be high enough.

The way hackers gain passwords is rather different.  Security analysts Bob Covello raised this exact point on grahamcluley.com, after a 15-year old asked the question: “If I type my password incorrectly on a website, it eventually locks me out, but when hackers do it, they never get locked out. How is that possible?”

Covello explained that hackers actually obtain passwords through techniques known as offline attacks. These involve targeting entire servers, rather than individual accounts. As companies hold passwords on their servers, getting in this way would provide a huge volume of account details, rather than just one set. Witness the Ashley Madison hack in July.

Offline attacks free hackers from lockout rules

Of course, these passwords are often highly protected behind a numerical calculation, or hash value, making them difficult to obtain. As recent high profile cases have shown, however, difficult is certainly not impossible. Furthermore, attacking offline in this manner means the hacker isn’t subject to the same rules of being locked out if they enter the wrong details three times in a row. Without the restrictions, hackers can run attempts via a machine to keep trying different combinations until they eventually get in.

Provided this technique is managed successfully, the hackers needn’t enter a password incorrectly even once. Armed with a database of account details and passwords, they can get in on the first attempt. The most likely scenario, though, involves the databases being sold on to third parties for criminal use.

Covello argued that simply knowing this difference could be enough to encourage account holders to use stronger passwords. It could also highlight to businesses just why their servers need to be kept firmly secured at all times – lest they run the risk of huge fines and plummeting trust.

For a free consultation on your system security including a thorough analysis of your current security level, contact us enquiries@asteccomputing.co.uk

Speak Your Mind

*