
How The State & Hackers Hack (And How to Stop Them) – Part 1: Password Cracking

This series of articles will attempt to explain, in layman's terms, how hackers – either underground criminals or state-level wrongdoers – gain access to an individual's or company's digital life. Many of the phrases and terminology can be confusing, so we hope to explain things in clear, simple language. Cyber hacking is on the rise, and the enemy is busy – time to get smart.

Most hacking articles start with malware, but this series is ordered from the simplest to the more challenging changes you can make practically right now. The first is about instilling strong password discipline in the reader.

HOW PASSWORDS ARE STOLEN

There is no magical pixie dust which allows hackers access to your personal online accounts. Other methods will be discussed in future articles, but one method of attack can be closed off in an instant, if you learn how passwords are cracked and how to slam the door shut on those wishing to access your accounts. We should all treat password protection the same way we would protect our house. Our lives are as much digital as physical nowadays.

Below are the most common methods hackers use to gain access to an individual's private password – there really is more than one way hackers can skin the cat.

Brute Force Attack

Most brute force attacks use an automated process that feeds vast quantities of the most common passwords into a login system (an attack driven by such a list of candidates is called a dictionary attack). With enough time and a short enough password, such an attack will find the correct password. As will be discussed later, a unique and long passphrase and good 2FA (two-factor authentication) can stop this method in its tracks.

Phishing

Using a carefully crafted SMS or email, the typical tactic is to fool a user into clicking on an embedded link or downloading an attachment. A malicious file is downloaded, and that software can scrape all the data on a device, search for saved passwords, or start logging keystrokes and screenshots.

Malicious software in the form of keyloggers and screen scrapers is very common, and specialized malware can target passwords on an individual's device in real time. Keyloggers send each keystroke to the hacker, and screen scrapers send a screenshot of the target's device every 10 seconds or so. Malware and phishing will be discussed in greater detail in future articles.

Physical keylogging/Screen Scraping

Malicious keyloggers that track your every keystroke can be physically planted inside a keyboard, inserted via a disguised USB device, or, as mentioned above, installed as software malware. Below is an example of a keylogging device hidden inside a USB-C to Lightning cable. You can purchase this today for $119.99 https://shop.hak5.org/products/o-mg-cable-usb-a . The keystrokes are sent over Wi-Fi in real time to a web page the hacker is logged into on a cell phone or laptop anywhere in the world.

Data Breach Password Leaks

Billions of our usernames, passwords or hashed passwords (which can sometimes be cracked with high-powered computing), addresses, etc. are in the hands of hackers and can be found very easily online. These leaks occur when a company is hacked and all these details are stolen, whether by criminals seeking a ransom, state actors, or simply as acts of nihilism. In June 2021 it was revealed that a 100GB text file containing 8.4 billion passwords had been leaked.
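Whether a leaked hash is "sometimes crackable" depends almost entirely on how the company stored it. The Python below is an added example, not code from this article: it contrasts a fast, unsalted hash (each guess costs one cheap computation, and identical passwords produce identical hashes) with the salted, deliberately slow PBKDF2-HMAC-SHA256 scheme a site should use, and measures how many fast guesses fit in the time of a single slow one. The record layout, the sample password and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Iteration count chosen for this example; OWASP's Password Storage Cheat Sheet
# recommends 600,000 for PBKDF2-HMAC-SHA256 (check the current figure).
ITERATIONS = 600_000


def fast_unsalted_hash(password: str) -> str:
    """The weak way: a single fast hash with no salt. Identical passwords give
    identical hashes, and an attacker can test billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """The strong way: a random per-user salt plus a slow key-derivation function.
    Record layout is this example's own convention: algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(digest.hex(), hash_hex)


def cost_ratio(password: str = "example-only", iterations: int = ITERATIONS) -> float:
    """How many fast unsalted hashes an attacker can try in the time one
    PBKDF2 derivation takes. Rough wall-clock measurement on this machine."""
    n = 2000
    start = time.perf_counter()
    for _ in range(n):
        fast_unsalted_hash(password)
    fast_each = (time.perf_counter() - start) / n

    start = time.perf_counter()
    make_record(password, salt=b"\x00" * 16, iterations=iterations)
    slow_one = time.perf_counter() - start
    return slow_one / fast_each


if __name__ == "__main__":
    # "hunter2" is a constructed sample password for the demo.
    weak = fast_unsalted_hash("hunter2")
    rec_a = make_record("hunter2")
    rec_b = make_record("hunter2")
    print("unsalted SHA-256:", weak)
    print("salted record A :", rec_a)
    print("salted record B :", rec_b)   # same password, different record
    print("verify correct  :", verify_record("hunter2", rec_a))
    print("verify wrong    :", verify_record("hunter3", rec_a))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f} fast hashes")
```

The salt is what stops one precomputed table from covering every user, and the iteration count is what turns "billions of guesses per second" into a few thousand; a leaked database built this way forces the attacker to pay that cost for every single guess against every single user.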

https://www.techrepublic.com/article/billions-of-passwords-leaked-online-from-past-data-breaches/

Social Engineering

A common method is for hackers to call a target posing as technical support and ask questions that reveal a user's password, or enough of it to enable access. This is a growing risk area, and we should always be on alert. The CEO of a UK-based energy company lost more than $240,000 to hackers who used AI tools to mimic his assistant's voice.

https://www.itpro.co.uk/social-engineering/34308/fraudsters-use-ai-voice-manipulation-to-steal-200000

Shoulder surfing

It sounds very James Bond, but this method is a genuine threat. Hackers may disguise themselves as workmen to gain access to a company and literally look over or film over the shoulder of employees to grab master passwords.

Guessing

If all else fails, then a hacker may try to guess a password using known information about the target. Many users still rely on memorable phrases often based on hobbies, pets, or family – many of which can be gleaned from social media profiles.

HOW TO PROTECT PASSWORDS

The Perfect Password

A strong password is one a hacker could never guess (no pet names!) and cannot be cracked using a brute force attack.

A password should:

- Be at least 12 characters long (the longer the better)

- Use a combination of upper and lower case letters, numbers, and symbols

- Not contain memorable keyboard paths (e.g., qwerty)

- Not be based on personal information

- Be unique; never reuse a password between accounts

Now, obviously, passwords such as this are impossible to remember:

PxxgBM&%hdBnub4T

Therefore, everyone needs to be utilizing an encrypted password manager (See below).

I deploy a long password (30+ characters), memorized, made of random words and symbols etc. for my three most important accounts: one to unlock and decrypt my MacBook, one to open encrypted mail, and one more for opening the password manager.

For example –

Laz7188BE2mazeitnow&berehearsed4eva

35 characters and random. This method is not for everyone but if you can memorize such passwords, it is a great way to keep the most important 2 or 3 things locked down.

The below diagram was posted in 2021 by the Microsoft VP and is based on current computing power, but computing power is increasing so fast that these times may halve in a few years. Note the difference between a 12-character password of digits only and one of 12 characters drawn from all character types.
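The arithmetic behind a crack-time table like the one described above is simple: the number of possible passwords is the alphabet size raised to the length, and the worst case for the attacker is trying all of them. The Python below is an added example, not the diagram from the article or code from it: it computes the search space and exhaustive-search time for a 12-character password over several character sets (digits only versus all character types, as the paragraph notes), and generates a random password with the `secrets` module in the way a password manager does. The guess rate of 10^11 per second is an assumption for the example; real rates depend on the hash and hardware, which is why the table rather than any single figure is the point.

```python
import math
import secrets
import string

# Character classes (standard ASCII sets from Python's string module).
DIGITS = string.digits                                             # 10 symbols
LOWER = string.ascii_lowercase                                     # 26
MIXED_ALNUM = string.ascii_letters + string.digits                 # 62
FULL = string.ascii_letters + string.digits + string.punctuation   # 94

# Assumed attacker speed in guesses per second. This is an assumption for the
# example (roughly a GPU rig against a fast unsalted hash); real figures vary
# enormously with the hash algorithm and hardware.
GUESSES_PER_SECOND = 1e11


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: time to try every possibility."""
    return keyspace(alphabet_size, length) / rate


def human_duration(seconds: float) -> str:
    units = [("years", 365 * 24 * 3600), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "instantly"


def crack_time_table(length: int = 12) -> dict:
    """Exhaustive-search time for one length across the character sets."""
    sets = {"digits only": DIGITS, "lowercase": LOWER,
            "mixed case + digits": MIXED_ALNUM, "all character types": FULL}
    return {name: human_duration(seconds_to_exhaust(len(chars), length))
            for name, chars in sets.items()}


def random_password(length: int = 16, alphabet: str = FULL) -> str:
    """Generate a password with the secrets module (cryptographically secure),
    rejecting candidates that miss any character class present in the alphabet."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    required = [c for c in classes if set(c) & set(alphabet)]
    if length < len(required):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in required):
            return candidate


if __name__ == "__main__":
    for name, t in crack_time_table(12).items():
        print(f"12 chars, {name:<22}: {t}")
    pw = random_password(16)
    print("generated:", pw, f"({entropy_bits(len(FULL), 16):.0f} bits)")
```

At the assumed rate, 12 digits fall in ten seconds while 12 characters from all four classes take on the order of a hundred thousand years; doubling the attacker's speed, as the paragraph warns, only halves those numbers, whereas adding one character multiplies them by the alphabet size. Note that `random`-module functions are not suitable for this; `secrets` is the module designed for passwords and tokens.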

Test different password combinations at this website to self-discover more https://howsecureismypassword.net/

Use an encrypted Password Manager

Passwords are stored encrypted on your computer or in a phone app until you call them up with a passcode or master password. The manager fills the password in for you, so the keyboard is never pressed and no keystroke logging is possible; and the password is entered without being displayed, so screen scraping captures nothing.

There are many commercially available encrypted password managers. They are much easier to use than memorizing passwords, usually charge a small fee, and are well worth it. They work across devices and cause a real headache for would-be hackers. Good commercial examples include Keeper, Dashlane, LastPass and Bitwarden.

My personal favorite free and open-source manager is KeePass https://keepass.info/

Check For Password Leaks

A very good place to check if your email/password combinations have ever been leaked is Have I Been Pwned https://haveibeenpwned.com/

They update their database very regularly.
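A natural worry is that checking a password against a breach site means sending that password to a stranger. Have I Been Pwned's password search avoids this with a k-anonymity scheme: your machine hashes the password with SHA-1 and sends only the first five hex characters; the service returns every leaked hash suffix sharing that prefix, and the match is made locally. The Python below is an added example, not the article's or the service's own code: it implements the client side of that exchange and runs it against a constructed stand-in reply (the first suffix is the genuine SHA-1 tail of "password"; the counts and the other lines are made up). The live-query function uses the real endpoint https://api.pwnedpasswords.com/range/ and is included for reference only.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str) -> Tuple[str, str]:
    """Only the first five hex characters of the SHA-1 leave your machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Response lines look like SUFFIX:COUNT, one per leaked hash with that prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in breaches (0 = not found)."""
    prefix, suffix = split_for_k_anonymity(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real service. Add-Padding asks for dummy entries (count 0) so the
    response size does not hint at how many real matches there are."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service's reply to prefix 5BAA6 (the real reply has
# hundreds of lines). The first suffix is the genuine SHA-1 tail of "password";
# the counts and the other suffixes are made up for this example.
SAMPLE_RESPONSE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0011223344556677889900AABBCCDDEEFF0:3
FFEEDDCCBBAA00998877665544332211000:1
"""


def demo_offline(password: str) -> int:
    """Run the check against the constructed reply, no network needed."""
    return breach_count(password, lambda prefix: SAMPLE_RESPONSE_5BAA6)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {demo_offline(pw)} times in the sample data")
```

To check against the live service, pass `fetch_range_live` instead of the lambda in `demo_offline`. The value of the scheme is in what never leaves your machine: a five-character prefix matches hundreds of unrelated passwords, so the service cannot tell which one you asked about.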

A more cunning method is to use https://www.dehashed.com/ . At the time of writing the site has still not been shut down by the FBI, as others have been. You can search by name, email, username, IP address or domain name. They update their databases very regularly and charge a small weekly fee to reveal what info was stolen – I recommend paying with cryptocurrency to retain a good level of anonymity. A later article will discuss the use of crypto for anonymous purchases.

Change Passwords Regularly

Really, you should. Those who fall prey to a data breach leak are in a much stronger position if they have been changing passwords every 2 to 3 months.

Use 2FA (Two Factor Authentication)

SIM swapping https://blog.mozilla.org/en/internet-culture/mozilla-explains/mozilla-explains-sim-swapping/ is becoming a greater problem and risk to us every day. So, I suggest not deploying SMS 2FA unless there are no other options. Two-factor authentication is best deployed using Authy or other such apps, or using a physical device such as a YubiKey or OnlyKey.
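The reason an authenticator app is immune to SIM swapping is that no code is ever sent to you: the app and the website share a secret once (the QR code you scan), and from then on both compute the same six-digit code from that secret and the current time. The Python below is an added example, not code from this article or from any of the apps it names: it implements the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms those apps use, checked against the test vectors published in RFC 6238, with the drift window a server typically allows. The secret here is the RFC's test secret, not anything from a real account.

```python
import base64
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the counter, dynamic truncation, then mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to absorb clock drift.
    Constant-time comparison; always checks every candidate."""
    t = int(time.time()) if for_time is None else for_time
    ok = False
    for i in range(-window, window + 1):
        candidate = totp(secret, t + i * step, step, digits)
        ok |= hmac.compare_digest(candidate, code)
    return ok


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps receive the shared secret as Base32 (the QR code payload);
    this restores the padding Base32 decoders need."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code now:", totp(RFC_TEST_SECRET))
    print("RFC 6238 vector T=59 ->", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082
```

Nothing here touches the phone network, which is the whole point: a criminal who takes over your phone number gets your SMS codes but not the secret stored inside the app. The same reasoning is why a hardware key is stronger still, since its secret cannot be copied off the device at all.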

Beware the Phishes!

Further articles will go into more detail but, in general, be very wary of odd text messages or emails. Always check the sender's email address or SMS number, and check very closely! For example, coca-cola.com and coca-coia.com can fool the best of us, and spam filters are not perfect. If you suspect you have received such an email or SMS message, delete it entirely and block the sender. If you open such a link or document then you may be infected, and the only real solution is to wipe and reboot the device.

Should you have suspicions that the motive is beyond a random attempt then investigate before deletion. Part Two on Phishing and Malware will cover how to do that.


Copyright © 2025 Stand Tall and Strong.