Understanding how password attacks typically work will help us build appropriate defenses.
TL;DR
- Most password cracking happens offline, not at login screens
- Common methods include: data breaches, brute force attacks, rainbow table attacks, dictionary attacks, social engineering and phishing
- Long, unique passphrases and multi-factor authentication are your best defence
Movies will have you believe that the main way passwords get cracked is by a hacker sitting in front of a black screen with green text, guessing different combinations of passwords to get into a high-value account. Uh, well, that does happen, but not nearly as often as you’d think.
Login screens protect against hacks by being slow, limiting the number of tries, and locking you out if there are too many incorrect password attempts. They also make you jump through additional hoops on a new computer or from a new location. Most passwords are cracked far away from any login screen. The majority of attacks aren’t targeted at any one individual. We’ll explore some of the more common ways passwords are cracked.
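To make the "slow, limited, then locked" behaviour of a login screen concrete, here is a small added example (my own illustration, not code from the original post). It tracks consecutive failed logins per account, imposes an exponentially growing delay once the free attempts are used up, and locks the account after too many failures. The policy numbers (3 free attempts, lockout after 10 failures, 15-minute lockout) are assumptions chosen for the example; timestamps are passed in explicitly so the behaviour can be replayed deterministically.

```python
# Constructed policy values (assumptions for this example, not figures from the post)
FREE_ATTEMPTS = 3          # consecutive failures allowed before delays start
LOCKOUT_AFTER = 10         # consecutive failures that trigger a hard lockout
LOCKOUT_SECONDS = 15 * 60  # how long the lockout lasts


class LoginThrottle:
    """Per-account throttling of password attempts.

    'Slow'   : after FREE_ATTEMPTS failures the required wait doubles each time.
    'Limited': an attempt made before the wait has elapsed is refused outright.
    'Locked' : after LOCKOUT_AFTER failures the wait becomes LOCKOUT_SECONDS.
    """

    def __init__(self):
        self.failures = {}      # account -> consecutive failure count
        self.last_failure = {}  # account -> timestamp of the most recent failure

    def required_delay(self, account):
        """Seconds that must pass after the last failure before another try."""
        n = self.failures.get(account, 0)
        if n < FREE_ATTEMPTS:
            return 0.0
        if n >= LOCKOUT_AFTER:
            return float(LOCKOUT_SECONDS)
        return float(2 ** (n - FREE_ATTEMPTS))  # 1s, 2s, 4s, 8s, ...

    def may_attempt(self, account, now):
        """True if the account is neither throttled nor locked at time `now`."""
        last = self.last_failure.get(account)
        if last is None:
            return True
        return now - last >= self.required_delay(account)

    def record(self, account, success, now):
        """Update the counters after a password check actually ran."""
        if success:
            self.failures.pop(account, None)
            self.last_failure.pop(account, None)
        else:
            self.failures[account] = self.failures.get(account, 0) + 1
            self.last_failure[account] = now


def simulate(attempt_times, account="alice"):
    """Replay a constructed series of wrong-password attempts against one
    account and report, per attempt, whether it reached the password check."""
    throttle = LoginThrottle()
    outcomes = []
    for t in attempt_times:
        if throttle.may_attempt(account, t):
            outcomes.append("allowed")
            throttle.record(account, False, t)  # every attempt here is wrong
        else:
            outcomes.append("throttled")        # refused before any check runs
    return outcomes


if __name__ == "__main__":
    # Twelve wrong guesses, one second apart: only six ever reach the check.
    print(simulate([float(t) for t in range(12)]))
```

The point of the replay: an attacker firing one guess per second at the login screen gets only six checks in the first twelve seconds, and the gaps keep doubling. That is why online guessing is so much less attractive than cracking a leaked hash offline, where nothing throttles the attacker.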
The fish that swim near the surface
If you go fishing with a net in a stream, you’d catch the fish swimming near the surface because they’re easy to spot and grab. Well, that’s exactly what hackers do with the first category of password attacks we’ll cover.
Data Breaches: The all-you-can-eat buffet for hackers
Data breaches happen all. the. time. 95% of data breaches come from government, retail, or technology industries (wikipedia source).
When a breach occurs, hackers don’t just get your password. They often get:
- Your email address
- Your username
- Your password (hopefully unique, hopefully hashed; but not always)
- Other personal information (birthdate, address, etc.)
Usually, leaked data from different sites is combined into a larger database, e.g. Collection #1. This information can be shared or sold, and used to guess passwords on other websites.
Here’s where it gets interesting. Remember how we talked about password hashing in our last chat? Well, even if the passwords are hashed, hackers have a few tricks up their sleeves to crack them.
Brute Force: The sledgehammer approach
Imagine you’re trying to guess the combination to a safe. You could start at 0000 and work your way up to 9999. That’s essentially what a brute force attack does, but with passwords.
Here’s how it typically works:
- The attacker gets a list of hashed passwords from a data breach.
- They use powerful computers to generate hashes for millions of possible passwords.
- They compare these generated hashes to the ones from the breach.
- If there’s a match, bingo! They know which password the generated hash corresponds to. They’ve cracked a password.
But wait, didn’t we say hashing was slow? Yes, but:
- Attackers use specialised hardware (like GPUs) to speed up the process.
- They often focus on shorter passwords first, because there are far fewer of them to try.
- If the hashing algorithm is weak - like MD5 (omg that’s like so 1992) - it’s much faster to crack.
Pro Tip: This is why password length matters more than complexity.
A 20-character passphrase takes way longer to brute force than an 8-character password with symbols!
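To put numbers on that tip, here is an added worked example (mine, not from the original post) that sizes the search space for a few password styles and estimates how long exhausting it would take. The hash rates are assumptions picked for illustration: 10^10 guesses per second stands in for a GPU rig against a fast unsalted hash, 10^5 for the same rig against a deliberately slow password hash. It goes slightly beyond the post by also counting a passphrase the way an attacker who knows it was built from a word list would count it: by words, not characters.

```python
# Assumed attacker speeds (assumptions for this example, not figures from the post)
FAST_HASH_RATE = 10 ** 10  # guesses/second against a fast unsalted hash such as MD5
SLOW_HASH_RATE = 10 ** 5   # guesses/second against a deliberately slow password hash

ALPHABET_PRINTABLE = 95    # letters, digits and symbols on a US keyboard
ALPHABET_LOWER = 26
WORDLIST_SIZE = 7776       # size of a diceware-style word list (6^5)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size):
    """Number of candidates the attacker must cover in the worst case."""
    return alphabet_size ** length


def seconds_to_exhaust(space, rate):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate


def human_time(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare(rate=FAST_HASH_RATE):
    """Worst-case exhaustion time, in seconds, for three constructed password styles."""
    cases = {
        "8 chars, full printable ASCII": keyspace(8, ALPHABET_PRINTABLE),
        "20 random lowercase letters": keyspace(20, ALPHABET_LOWER),
        "5 random words from a 7776-word list": keyspace(5, WORDLIST_SIZE),
    }
    return {name: seconds_to_exhaust(space, rate) for name, space in cases.items()}


if __name__ == "__main__":
    for label, rate in (("fast hash", FAST_HASH_RATE), ("slow hash", SLOW_HASH_RATE)):
        print(f"--- {label}: {rate:,} guesses/s ---")
        for name, secs in compare(rate).items():
            print(f"{name:40s} {human_time(secs)}")
```

Two things worth noticing in the output. First, the 20-letter string has a keyspace more than a trillion times larger than the 8-character "complex" password (26^20 versus 95^8), which is the post's point about length. Second, a passphrase of five random dictionary words is a far smaller space (7776^5) than twenty random letters, yet still takes decades at the fast rate, and the slow hash multiplies every figure by 100,000. So pick passphrases with enough words, and make sure whoever stores your password uses a slow hash.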
Rainbow Tables: The shortcut to the pot of gold
Remember how we said hashing is a one-way street? Well, rainbow tables are like a cheat code for that one-way street. They’re pre-computed tables of password hashes.
Instead of hashing passwords on the fly, attackers can look up hashes in these tables. It’s like having a massive dictionary where you look up a word by its definition instead of spelling. If something like this is available to anyone on the internet, can you imagine the resources available to someone who is determined?
The good news? Remember salting, from our previous post? Salting passwords makes rainbow tables practically useless. It’s like adding a secret ingredient to every hash that isn’t in the attacker’s recipe book.
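Here is an added example (my own, not from the original post or any library the post mentions) showing why salting breaks the lookup trick. Two users with the same password get the same unsalted SHA-256 digest, so a single precomputed table entry unlocks both; with a random per-user salt and a slow key-derivation function the stored hashes differ and the table is useless. The three-entry "precomputed table" and the passwords are constructed for illustration; the PBKDF2 iteration count is an assumed work factor in the range currently recommended for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_hash(password):
    """The weak scheme: a fast hash of the bare password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, salt=None):
    """The sound scheme: random 16-byte salt plus a slow, salted KDF.
    The salt is stored in the clear next to the hash; it is not a secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify(record, password):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed stand-in for a precomputed lookup table: digest -> password.
PRECOMPUTED = {unsalted_hash(p): p for p in ("123456", "password", "letmein")}


def lookup(stored_hash, table=PRECOMPUTED):
    """What a table lookup gives an attacker holding a stored hash, if anything."""
    return table.get(stored_hash)


def demo(password="letmein"):
    """Compare how the two storage schemes behave for two users sharing a password."""
    unsalted_a, unsalted_b = unsalted_hash(password), unsalted_hash(password)
    salted_a, salted_b = make_record(password), make_record(password)
    return {
        "unsalted_hashes_equal": unsalted_a == unsalted_b,
        "unsalted_lookup": lookup(unsalted_a),          # the password, recovered
        "salted_hashes_equal": salted_a["hash"] == salted_b["hash"],
        "salted_lookup": lookup(salted_a["hash"]),      # None: no table entry fits
        "verify_correct": verify(salted_a, password),
        "verify_wrong": verify(salted_a, "not-the-password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

Note that the salt buys nothing against guessing one specific user's password; it only forces the attacker to start from scratch for every user instead of reusing one table. The slow KDF is what makes each of those fresh attempts expensive.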
Dictionary Attacks: Because humans are predictable
Let’s face it, we’re not as creative as we think when it comes to passwords. Dictionary attacks exploit this human predictability.
Instead of trying every possible combination, attackers use lists of common passwords, words, and phrases. These lists can include:
- Actual dictionary words
- Common passwords (like “123456” or “password”)
- Variations with numbers and symbols (like “p@ssw0rd”)
- Phrases from pop culture
One infamous example is the “RockYou” list, which contains 14 million unique passwords from a 2009 data breach of 32 million accounts. It’s still used in attacks today because, well, humans haven’t gotten much more creative with passwords since then.
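The defender's answer to dictionary attacks is to refuse those predictable choices at the moment a password is set. Here is an added example (my own, not from the original post) of such a check: it screens a candidate against a blocklist of common passwords, and also catches the simple variations people use to dodge the list, such as capitalisation, "@" for "a", "0" for "o", and a trailing "123!". The nine-entry blocklist is a constructed stand-in for a real breached-password list like the RockYou one; the 16-character minimum matches the advice later in the post.

```python
import re

# Constructed miniature blocklist; a real deployment would load a full breach list.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "dragon", "monkey", "football", "rockyou",
}

# Common letter-for-symbol substitutions, mapped back to the plain letter.
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def candidate_forms(password):
    """Plain-text forms an attacker would cover with cheap rules:
    lowercase, with leading/trailing digits or symbols removed, and with
    leet substitutions undone. Empty strings are dropped."""
    low = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)   # "password123!" -> "password"
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    forms.discard("")
    return forms


def is_blocklisted(password, blocklist=COMMON_PASSWORDS):
    """True if the password, or a trivial variation of it, is on the list."""
    return any(form in blocklist for form in candidate_forms(password))


def check_password(password, min_length=16, blocklist=COMMON_PASSWORDS):
    """Return a list of reasons to reject the password; empty means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_blocklisted(password, blocklist):
        problems.append("matches a common password or a simple variation of one")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "Summer2024!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

Screening against a breach list is the same idea attackers use, turned around: if "p@ssw0rd" is in every cracking list, a good registration form should know that too.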
The deeper, darker waters
Now that we’ve covered the surface-level attacks, let’s dive into some of the more sinister methods hackers use to get your passwords.
Social Engineering: The art of human hacking
Why crack a password when you can trick someone into giving it to you? Social engineering is all about manipulating people into revealing sensitive information.
Here’s a classic scenario:
- Attacker finds your email and phone number from a data breach.
- They call your phone company, pretending to be you.
- Using information from the breach, they convince the support agent they’re you.
- They change your account details or get access to your information.
It sounds far-fetched, but it happens more often than you’d think. Mat Honan had his entire digital life erased by hackers using this method. There are similar documented examples involving Amazon, and PayPal together with GoDaddy.
Phishing: Where the phish is your data
Phishing is like fishing, but instead of using a worm as bait for a fish, attackers use fake emails and websites as bait, and the fish is your secret data. Here’s how it could work:
- You get an email that looks like it’s from your bank.
- It says there’s a problem with your account and you need to log in.
- You click the link and enter your username and password.
- Oops! That wasn’t your bank’s website. It was a fake one that just stole your credentials.
Phishing can be incredibly sophisticated. Some attacks use AI to craft personalised emails based on your social media activity!
Protecting yourself: Don’t be an easy catch
Now that we know how attackers try to crack passwords, how can we protect ourselves? Here are some key strategies:
1. Use unique passwords for every account: If one account is compromised, the others stay safe.
2. Make your passwords long: Aim for at least 16 characters. Passphrases are great for this.
3. Use a password manager: Steps 1 and 2 are much easier when it generates and stores strong, unique passphrases for you.
4. Enable multi-factor authentication (MFA): Even if your password is cracked, MFA provides an extra layer of security.
5. Be wary of phishing: Double-check email senders and website URLs before entering your password.
6. Keep your software updated: This helps protect against known vulnerabilities.
Perfect security doesn’t exist. But by understanding how attacks work and taking these precautions, you can make yourself a much harder target. Don’t be the fish swimming at the surface: dive deep and stay safe!