We all use passwords on a daily basis but not many of us know the history behind this cybersecurity measure. Passwords had been used since ancient times but the person credited with inventing the computer password is an Oakland-born researcher Fernando “Corby” Corbató.
Corbató led the development of one of the world’s first operating systems, the Computer Time-Sharing System (CTSS). It allowed multiple programmers to use a computer at the same time, speeding up the pace of work. Because each developer needed a private account to save and store their work, the login and password system was introduced.
Fernando Corbató passed away in July 2019, leaving a legacy of great computer science advancements. What better way to celebrate his invention of the password than by discussing how to make your passwords stronger, better, and more secure than ever?
Here are the most common password cracking attacks and the most effective ways to protect your accounts against them.
Editor’s note: while the advice in this post is important for anyone who uses the internet, it’s especially important for bloggers, marketers, freelancers, and entrepreneurs. Since we all primarily work with the internet, we have more accounts to keep safe than the average internet user.
7 common password cracking techniques
Despite movie depictions, not all hackers are lonesome evil geniuses coming up with brilliant plans in their basements. The most common password cracking techniques are well-documented and easily accessible online such that anyone with average computer skills can follow them successfully to crack passwords.
Before we get into securing your accounts with better passwords, let’s see what you’re protecting yourself against.
1. Dictionary attack
A dictionary attack is as straightforward as it sounds. Hackers use a file containing every word in the dictionary and try them one after another until one of them gets them in.
Of course, no one does this manually. A computer program can run through millions of words in a few hours.
Lumping random dictionary words together won’t save you from this attack but it will probably increase the time it takes to crack your password.
A dictionary attack is typically the first technique hackers use when attempting a crack.
2. Hybrid attack
If you think you’re being smart by combining dictionary words with numbers and characters, like “p@$$w0rd123” for example, think again. A hybrid password attack can see right through you.
Hybrid attacks use a combination of dictionary words with numbers preceding and following them, as well as replacing letters with numbers and special characters. Passwords that marginally escaped the dictionary attack with a simple trick such as adding a digit have no chance against a hybrid attack.
3. Rainbow Table
Most modern systems now store passwords as a hash. A hash function takes an input of any length and content (e.g. letters, numbers, and symbols) and uses a mathematical formula to produce an output of a fixed length.
So if a hacker somehow accesses the file where the website’s passwords are stored, they only get the passwords in hashed form.
Sounds nice and secure, right? Unfortunately, hashes can be cracked. One strategy is simply to hash all dictionary words and cross-reference them with the hashed passwords. If there’s a match, there’s a very high chance that that’s your password.
Hackers can also use a table that contains hashes for all dictionary passwords to make the process even faster and more efficient.
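To make the hash-lookup idea above concrete, and to show the standard defence against it, here is an added example (not code from the original post). It builds a lookup table over a constructed wordlist, matches it against constructed “leaked” unsalted SHA-256 hashes, and then stores the same password with a random per-user salt and PBKDF2, which makes any precomputed table useless. The wordlist, hashes and iteration count are all assumed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist and "leaked" hash file; none of these are real credentials.
WORDLIST = ["password", "letmein", "sunshine", "p@$$w0rd123", "iloveyou"]
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value); raise it as hardware gets faster


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word once. Against unsalted hashes the same table works for every leak."""
    return {sha256_hex(w.encode()): w for w in words}


def crack_unsalted(leaked_hashes, table):
    """Pure table lookup: no hashing at crack time at all, just a dictionary hit per leaked hash."""
    return {h: table[h] for h in leaked_hashes if h in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. The random per-user salt makes every stored value unique, so a table
    precomputed before the leak cannot match; the PBKDF2 iterations make each guess expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = [sha256_hex(b"sunshine"), sha256_hex(b"Tq8!vR2#mZ9w")]
    print(crack_unsalted(leaked, table))  # only the dictionary word is recovered
    a, b = hash_password("sunshine"), hash_password("sunshine")
    print(a != b, verify_password("sunshine", a))  # same password, two different records
```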
4. Brute Force
Brute force is usually the hacker’s last resort if the previous techniques fail, simply because it’s the most time-consuming one. It does, however, have the advantage of finding non-dictionary passwords by working through all possible alphanumeric combinations.
Brute force is not a quick process. The more characters in the password, the longer the cracking takes.
Hackers can, however, speed things up by adding additional computational horsepower. It all depends largely on their determination and resources.
5. Phishing
Some hackers will try to crack your password with force. Others will simply trick you into giving it to them voluntarily. How?
The answer is phishing. Phishing is an attack where the hacker poses as a legitimate institution or website to lure you into providing your sensitive information. This is typically done via email, text or a phone call.
An example of a common phishing practice would be an urgent message prompting you to share credit card information, such as “Your credit card has been blocked”, or “Your account has been hacked.”
Others are offers that sound too-good-to-be-true, like “You’re the millionth visitor to this site, you won an iPhone! Collect it now”. This type of messaging can prompt the victim to act fast, throwing all caution to the wind and even ignoring small red flags.
6. Malware
A common way of stealing users’ passwords is planting a virus on their devices. There are several different mechanisms that can help hackers do so. Keyloggers, for example, record everything you type, while screen scrapers take screenshots of the login process.
This type of malicious software is often hidden in counterfeit apps. Mobile games, fitness apps, even flashlight apps pose as legitimate software when in fact they’re just malware in disguise. They often work just fine, raising no red flags to an unsuspecting user.
7. Man-in-the-middle attack
The last way for hackers to access your passwords is to spy on your Internet traffic. This can’t be easily done on your password-protected home network. Public Wi-Fi, however? Completely different story.
Open Wi-Fi networks, for example in cafes, hotels or airports, are often unencrypted. With the help of free and widely available software, hackers can easily spy on your Internet traffic when you surf on a public Wi-Fi.
The hacker would be intercepting the traffic between your device and the server, hence the descriptive man-in-the-middle name of the attack.
Every page you visit, message you send and password you input goes straight to the attacker instead of the legitimate Wi-Fi provider. Not only passwords but also credit card details and other sensitive information can be stolen this way.
How can you protect yourself?
The number of different password cracking techniques is overwhelming and, frankly, terrifying. Luckily, you’re not completely defenseless against them. With good cybersecurity hygiene and basic awareness of common threats, you’ll likely escape any unpleasant situations.
Here are six basic rules you need to know – and follow – to stay safe.
1. Use a password generator
As you already know, a dictionary attack is a common and efficient password cracking technique. That’s because humans are simply not good at coming up with or remembering random strings of letters and characters.
When we try to comply with security tips and add special characters to our passwords, we usually sneak them into a dictionary word anyway. And that, as you remember, is an easy target for a hybrid attack.
Instead of trying to do something we’re not good at, let’s just outsource it to technology. There are plenty of free random password generators that will do the job for you. Simply choose the length of your password (the longer the better) and any special requirements you have. The tool will sort out the rest.
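As an added example (not a tool from the original post), here is what such a generator does under the hood, together with the arithmetic behind “the longer the better” from the brute force section: a password drawn from the operating system’s cryptographic random source, a guarantee that every requested character class is present, and the entropy and exhaustive-search time for a given alphabet and guess rate. The symbol set and the guess rate are assumed values.

```python
import math
import secrets
import string

# Character classes the generator can be asked to include; the symbol set is a constructed choice.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
DEFAULT = ("lower", "upper", "digit", "symbol")


def alphabet_size(require=DEFAULT) -> int:
    return sum(len(CLASSES[c]) for c in require)


def generate_password(length: int = 16, require=DEFAULT) -> str:
    """Draw every character with the OS CSPRNG (secrets, never random), then reject and redraw
    until each required class is present. Rejection keeps the result uniform over valid strings."""
    if length < len(require):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(CLASSES[c] for c in require)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in require):
            return candidate


def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet)


def brute_force_years(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Years to exhaust the whole search space at a given guess rate. On average the attacker
    needs half of this; every extra character multiplies it by the alphabet size."""
    return alphabet ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(16, alphabet_size()):.1f} bits")
    # 8 lowercase letters vs 16 mixed characters at an assumed 10 billion guesses per second
    print(f"{brute_force_years(8, 26, 1e10):.2e} years vs {brute_force_years(16, alphabet_size(), 1e10):.2e} years")
```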
2. Never use the same password twice
Data breaches are a lot more common than many people suspect. Even big websites, which you’d expect to have top-notch security, suffer from frequent hacker attacks. Adobe, Tumblr, and Facebook are just a few of the companies involved in data breaches.
Many data breaches specifically target user login credentials. Why? Hackers know all too well that you recycle passwords and most likely use only one or two for all your accounts. Leaked email and password combinations are sold on the black market and used to log into other websites.
That’s why it’s so important to never use the same password for more than one account. And now that you’ve got a password generator, there’s really no excuse. It does all the work for you!
3. Download a password manager
No human can possibly remember dozens and dozens of unique passwords, much less if they’re all 15 characters long and nonsensical. If you want to do password security right, you need a password manager.
A password manager is a program that keeps all your login credentials and other sensitive information stored safely. All you need to remember is one master key (this one you can make an exception for and actually make it memorable) that unlocks your other passwords.
4. Know when you’ve been pwned
The odd-looking word “pwned” comes from the jargon term “pwn”, which means “to compromise or take control, specifically of another computer or application.” Created in 2013, Have I Been Pwned? is a website that lets you track recent data breaches and check if your email was involved in a leak.
It’s a good idea to sign up for their notification so you’re the first to know if your login credentials were compromised. That way, you can immediately change your password and secure the affected account.
5. Turn on two-factor authentication
No matter how strong you make your password, it can still fall victim to a determined brute force attack or phishing.
The best way to stay safe is to add an extra layer of security — two-factor authentication. Two-factor authentication is a combination of something you know (your password) and something you have (your phone or security key).
However, not all two-factor authentication methods were created equal. Setting SMS messages as a second authentication step is generally considered to be the weakest strategy. Hackers can use social engineering to redirect the victim’s texts to a different SIM card.
Using an authenticator app on your phone or a physical security key is much more secure as they protect you against social engineering attacks.
6. Use a VPN when connected to public Wi-Fi
If you can’t help using public Wi-Fi, there is one safety measure that can protect you from hackers. Download a VPN onto your device and keep it on throughout your browsing session. A VPN, or virtual private network, encrypts your Internet traffic so third parties cannot spy on your online activities. That way your passwords and other valuable data will remain safe.
Passwords are still the most common and in many ways the best security measure we have. However, they’re facing a lot more challenges today than they did when Fernando Corbató first introduced them.
It’s no longer enough simply to secure your account with a dictionary word. Hackers have the tactics and computational power at their disposal to crack most, if not all, of our passwords.
The good news is that with two-factor authentication and good cybersecurity hygiene, you’ll be safe from most attacks.