What are the simple hacking techniques


IT security experts agree: The days when companies could rely on traditional passwords are long gone. More secure access control methods such as multi-factor authentication, biometrics and single sign-on should instead define the status quo. And yet, a look at Verizon's latest Data Breach Investigations Report shows that 81 percent of all hacker attacks are related to stolen or insecure passwords.

So first, let's take a look at the password hacking techniques that cyber criminals use. It makes a big difference whether the target is a company, an individual, or the general public. The result is usually the same: the hacker wins.

Turning a hash file into passwords

If all of a company's passwords are cracked in one go, it is usually because a password file has been stolen. There are companies that keep their passwords in plain text lists. Companies that value IT security convert them into hash files beforehand. Such hashes are used to secure passwords in domain controllers, enterprise authentication platforms and Active Directory, among other things.

By now, these hash files (even if they have been "salted") are no longer considered secure. A hash is actually meant to make a password unrecognizable. To verify a password, the entered value is hashed in the same way and then compared with the previously saved hash value.
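The store-and-compare flow described above, as an added Python example that is not part of the original article. It uses the standard library's PBKDF2 with a per-user salt; the iteration count, the record field names and the two sample users are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
SAMPLE_USERS = {"alice": "Start123", "bob": "Start123"}
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def fast_unsalted(password: str) -> str:
    """Plain SHA-256: identical passwords always produce identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def enroll(password: str) -> dict:
    """Store a random per-user salt, the work factor and the derived value."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Hash the entered value the same way, then compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def demo() -> dict:
    unsalted = {u: fast_unsalted(pw) for u, pw in SAMPLE_USERS.items()}
    salted = {u: enroll(pw) for u, pw in SAMPLE_USERS.items()}
    return {
        # Same password, same unsalted hash: one lookup exposes both users.
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        # Per-user salts make the stored values differ.
        "salted_collide": salted["alice"]["digest"] == salted["bob"]["digest"],
        "correct_ok": verify(salted["alice"], "Start123"),
        "wrong_rejected": not verify(salted["alice"], "start123"),
    }


if __name__ == "__main__":
    print(demo())
```

The salt removes the identical-hash giveaway and invalidates precomputed tables, and the iteration count raises the cost of every offline guess. A common password such as Start123 still falls to a word list, which is why the choice of password matters as much as the storage format.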

Criminal hackers who get their hands on a "hashed" password use so-called rainbow tables to make the hash values readable again. Or they simply buy special hardware for password cracking, rent capacity from large public cloud providers such as AWS or Microsoft, or build or rent botnets to cope with the computing effort. If a criminal hacker is not an expert in password cracking, he can simply outsource the unpleasant task, as Brian Contos, CISO at Verodin, explains: "These services can be booked by the hour, by the day or by the week - support is usually also included in the package. A massive specialization can be observed in this area."

The result: the time required to crack a password (including one that was previously considered secure) in hash form is no longer millions of years. "Based on my experience of how people choose passwords, I would say that 80 to 90 percent of them can be cracked in less than 24 hours. If you have enough time and resources, every password can be cracked. The only question is whether it takes hours, days or weeks," says the security specialist.

Incidentally, this is particularly true for passwords that originated in a human brain and were not generated by a software-controlled random generator. According to the CISO, a passphrase (or a longer password) is a good thing for users, but it cannot be a substitute for real multi-factor authentication. What is particularly practical for criminal hackers when "working" with hashed passwords is that the cracking takes place entirely on their own computer. Trial passwords that would have to be tested against e-mail accounts or applications are unnecessary in this case.

Justin Angel, Security Researcher at CoalfireLabs, knows how easy password cracking really is with the right equipment: "We use Hashcat and a dedicated 'cracking machine' that has multiple GPUs. It's not uncommon for us to crack thousands of passwords overnight with it."

Botnets for the mainstream attack

For attacks on large public websites, criminal hackers use botnets to test various username-password combinations. They use stolen login data from other sites or work through a list of common and popular passwords. Some of these lists are even freely accessible, as software entrepreneur Philip Lieberman explains: "These lists are available free of charge or for a small fee. They contain around 40 percent of the login information of all Internet users worldwide. Major hacker attacks in the past - like that on Yahoo - created large databases that cybercriminals can use."

Although compromised login data can already be found on these lists, this does not affect the success of the crackers: "Even after a hacker attack, many users do not change their password," says Roman Blachman, CTO at Preempt Security.

  1. 1st place: x
    A simple x seems to be enough in many places to get in.
  2. 2nd place: Zz
    Anyone who is familiar with the Unix shell knows that the vi text editor requires you to enter two capital Zs to save files. It is not known whether this is the origin of this popular password - but the similarity is astounding.
  3. 3rd place: Start123
    A typical standard password from device manufacturers. If you don't change it, it's your own fault.
  4. 4th place: 1
    Almost even simpler than the x, yet the 1 only ranks fourth on the list.
  5. 5th place: P@ssw0rd
    Replacing letters with numbers or special characters is not a real innovation either ...
  6. 6th place: bl4ck4ndwhite
    Michael Jackson once sang "It don't matter if you're black or white" - it doesn't matter here either, but the combined theory of colors certainly creates a hacking mood.
  7. 7th place: admin
    The classic should of course not be missing.
  8. 8th place: alex
    It is extremely unlikely that Tote Hosen singer Campino has had a hand in this. For many hacking routines, however, the following applies: Here comes Alex ...
  9. 9th place: .......
    You have to get past seven dots ...
  10. 10th place: administrator
    ... and you end up with the IT expert par excellence, the admin.

For example, if a cybercriminal wants to gain access to a bank account, repeated use of incorrect access data will trigger further security measures and alerts. So the hackers do the following: They take two lists - one with known e-mail addresses and one with the most frequently used passwords. They then try to log in to every single e-mail address with one password of their choice. This means that there is only one failed login for each account. If the crackers are unsuccessful, they wait a few days and then try the next password on the list. Beyond that, the hackers know every trick in the book, as Lance Cotrell from Ntrepid knows: "You can also use a botnet to fool the target website into thinking that the login attempts do not come from a single source."
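How a defender can spot the one-failure-per-account pattern described above, as an added Python example that is not part of the original article. The log format, the thresholds and the function names are assumptions, and the log lines are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, result, account, source IP.
SAMPLE_LOG = """\
2024-03-01T09:00:05 FAIL anna@example.com 198.51.100.7
2024-03-01T09:00:09 FAIL ben@example.com 203.0.113.20
2024-03-01T09:00:14 FAIL cara@example.com 192.0.2.44
2024-03-01T09:00:21 FAIL dev@example.com 198.51.100.91
2024-03-01T09:00:30 FAIL eve@example.com 203.0.113.5
2024-03-01T09:00:41 OK   finn@example.com 192.0.2.10
2024-03-01T14:10:00 FAIL gina@example.com 192.0.2.77
2024-03-01T14:10:20 FAIL gina@example.com 192.0.2.77
2024-03-01T14:10:45 FAIL gina@example.com 192.0.2.77
"""

def parse(log):
    """Yield (timestamp, result, account, ip) for each log line."""
    for line in log.splitlines():
        ts, result, account, ip = line.split()
        yield datetime.fromisoformat(ts), result, account, ip

def lockout_hits(log, threshold=3):
    """Classic per-account failure counter: it never sees one-try-per-account."""
    counts = Counter(acct for _, res, acct, _ in parse(log) if res == "FAIL")
    return sorted(a for a, n in counts.items() if n >= threshold)

def find_spray_windows(log, window=timedelta(minutes=10),
                       min_accounts=5, max_per_account=2):
    """Flag windows in which many distinct accounts each fail only once or twice.
    Source IPs are deliberately not part of the key, since a botnet spreads them."""
    fails = sorted((ts, acct, ip) for ts, res, acct, ip in parse(log) if res == "FAIL")
    alerts, i = [], 0
    while i < len(fails):
        start = fails[i][0]
        in_window = [f for f in fails[i:] if f[0] - start <= window]
        per_account = Counter(acct for _, acct, _ in in_window)
        quiet = sorted(a for a, n in per_account.items() if n <= max_per_account)
        if len(quiet) >= min_accounts:
            alerts.append({"start": start, "accounts": quiet,
                           "sources": len({ip for _, _, ip in in_window})})
            i += len(in_window)  # skip the window that was just reported
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    print(lockout_hits(SAMPLE_LOG))
    print(find_spray_windows(SAMPLE_LOG))
```

On the sample data the per-account counter only reports the account with three failures, while the window check reports the five accounts that each failed once from five different addresses.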

The industry has already taken on the problem: The use of third-party providers such as LinkedIn, Facebook or Google for authentication helps to reduce the number of passwords that a user has to remember. Two-factor authentication is also increasingly gaining ground among cloud providers, financial service providers and retailers.

Something is also moving in terms of generally applicable standards. In June 2017, NIST published a new version of its "Digital Identity Guidelines". The FIDO alliance is also currently working to promote strong authentication standards. In addition to these standards, there are also some new technologies such as "behavioral biometrics" or face recognition that can be beneficial for the security of consumer websites and mobile apps.

Has your password been stolen?

If criminal hackers want to target an individual, they first check whether their login details have already been stolen on other sites. There is a good reason for this, as Gary Weiss of OpenText explains: "The LinkedIn hack a few years ago is the best example of why this approach makes sense. Hackers had stolen Mark Zuckerberg's password and were able to use it to log into other platforms, because the Facebook CEO obviously used it several times."

As the security provider Dashlane found out in a study on the occasion of World Password Day 2017, the average German Internet user has a whopping 78 online accounts for which only a single password is required. The Germans are still in the lower midfield: an American has an average of 150 online accounts, a French user 127 and a British user 113. Dashlane assumes that the number of password-protected accounts will double again by 2022. The prospects are not good, because according to Dashlane CEO Emmanuel Schalit a persistent myth is circulating when it comes to passwords: "It is a common assumption that you only need one complicated password and that you are secure. That is absolutely wrong becomes known, the complicated password is already compromised - and so is everyone else."

So maybe you have chosen a really good password for your online banking. That is of no use if your Gmail account (which is used to reset the password) is inadequately secured. Once a criminal hacker has access to an e-mail account, he will use it to try to reset all other passwords. If the number of login attempts is not limited by a website or an internal company application, the cyber criminals use a brute force attack and try to crack the password with the help of said lists and cracking tools such as "John the Ripper", "Hashcat" or "Mimikatz".

In the shallows of the Darknet there are of course commercial services that go in this direction. Although algorithms are usually used, the major leaks of recent years have also played into the hands of these service "providers".

You can check here, for example, whether your password or account has already been compromised.

How secure is your password?

A lot of websites are pretty lousy when it comes to educating users about the strength of their password. As a rule, standards are used that are anything but up to date - for example, the minimum length of eight characters, a mix of upper and lower case letters or symbols and numbers. However, you should exercise caution if you want to check the strength of a password on the Internet: "It is probably the worst idea in the world to go to any website and enter your password there to see whether it is safe," says Lance Cotrell indignantly.

Safe contact points for this endeavor are, for example:

For most users, it is a significant problem to use a separate, secure, unique password for each website that they can also remember.

  1. Tip 1: variance is important
    By now the question is really when, not whether, a password leak will occur. You can minimize the damage if you use a separate password for EVERY online account. Of course, it's hard to remember all of these passwords - especially if you don't want them to be predictable. This is where password managers come in. If you are familiar with the problem of having a lot of passwords, you should get one. The software is now available for most browsers and operating systems - including mobile devices.
  2. Tip 2: maintain complexity