NCSAM: how hackers get passwords

I’m continuing to read, and I feel that this article I’ll be linking to should be an NCSAM post. We’ll definitely have more stuff coming, don’t worry.

Today, LastPass has an article explaining how hackers get passwords. The beginning of that article really hits home with what someone was asking about just today in one of the conference rooms on Livewire.

In every movie with a hacker, there is always that scene where the hacker must guess the right password. A blinking cursor in the password field looms
on a large computer monitor. The hacker is usually under a lot of pressure, with the seconds counting down. They make one or two wrong guesses, before
finally typing the right password, and presto! They’re in. Now they can launch the missile, or stop the missile from launching, or steal all the evidence
that will incriminate the crime boss.  

From what we see in movies and pop culture, you would think that “hacking” is a matter of guessing a few passwords and instantly gaining access to something.
You would also think that it’s usually a solo hacker targeting a specific person for a specific reason – perhaps because their target is a millionaire
or the CIO of a large company.  

But what you see on the big screen is pretty far from the truth about how hackers get passwords and how they use them. 

This is exactly what I said today on Livewire: this isn't how it really works.

We know from experience that hackers get passwords through software that isn't kept updated, through an insider, or through a vulnerability in the service itself, not by guessing at a blinking cursor. That is the most important thing we can take from an article like this.

The article puts it this way:

First, most passwords that hackers have access to are stolen in large data breaches from popular online services. When popular services like LinkedIn, eBay,
and Adobe have millions of records leaked, the passwords stolen in those breaches are compiled in large databases. Less well-known websites are also regularly
hacked due to poor security protocols. So, what do hackers do? They use these “dumps” of data to perform “credential stuffing”, where they use software (or
“bots”) to automatically test every username and password combination in the database to see if any successfully log on to another website (like a bank).  

Or, if a hacker knows an email address for a user’s account, they can use “password spraying” where they test known passwords (like 12345 and asdf) to
see if any work with that particular email address. Again, bots are running these tests, and only if a match is found does a hacker then use the valid
credentials to try taking over the account. 

My question about the last quoted paragraph is: how would the bot know if the password worked? That's my question.
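As an added illustration (my own example, not code from the original post or from the LastPass article), here is how a stuffing or spraying bot decides whether a guess worked. It never sees the password check itself; it classifies the login endpoint's response: a redirect into the account area together with a fresh session cookie means success, the login form coming back with an error message means failure, and a 429 or CAPTCHA page means the site has started pushing back and further guesses are wasted. The target site, the leaked "dump", the email list and the response markers are all constructed for the example, and nothing touches the network.

```python
"""Constructed illustration of how a credential-stuffing or password-spraying
bot tells a hit from a miss: it infers it from how the login endpoint answers."""
from dataclasses import dataclass, field
from itertools import product
import re


@dataclass
class Response:
    """Minimal stand-in for an HTTP response; these fields are what a bot inspects."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Per-target heuristics (assumed for this example; real bots are tuned per site).
SUCCESS_PATH = re.compile(r"^/(account|dashboard|home)(/|$)")
FAILURE_MARKERS = ("invalid password", "incorrect username", "login failed")
BLOCK_MARKERS = ("captcha", "too many attempts")


def classify(resp: Response) -> str:
    """Return 'success', 'failure', 'blocked' or 'unknown' for one login attempt."""
    body = resp.body.lower()
    if resp.status in (403, 429) or any(m in body for m in BLOCK_MARKERS):
        return "blocked"      # rate limit / CAPTCHA: not a failed guess, a signal to stop
    location = resp.headers.get("Location", "")
    cookie = resp.headers.get("Set-Cookie", "")
    if resp.status in (302, 303) and SUCCESS_PATH.match(location) and "session=" in cookie:
        return "success"      # redirected into the app with a fresh session cookie
    if resp.status == 401 or (resp.status == 200 and any(m in body for m in FAILURE_MARKERS)):
        return "failure"
    return "unknown"


# --- constructed target, purely in-process; no network traffic ---
VALID_ACCOUNTS = {"alice@example.com": "Winter2019!", "bob@example.com": "hunter2"}
LOCKOUT_AFTER = 5  # assumed per-source attempt budget before the site pushes back


def fake_login(username: str, password: str, attempt_no: int) -> Response:
    if attempt_no > LOCKOUT_AFTER:
        return Response(429, body="Too many attempts, please try again later")
    if VALID_ACCOUNTS.get(username) == password:
        return Response(302, {"Location": "/account", "Set-Cookie": "session=9f2c1e; HttpOnly"})
    return Response(200, body="<form>Invalid password or username</form>")


def run_attempts(pairs, login=fake_login):
    """Try each (username, password) pair and return the confirmed hits.
    Stops at the first 'blocked' verdict (a real bot would back off or switch IPs)."""
    hits = []
    for n, (user, pw) in enumerate(pairs, start=1):
        verdict = classify(login(user, pw, n))
        if verdict == "blocked":
            break
        if verdict == "success":
            hits.append((user, pw))
    return hits


# Credential stuffing: replay leaked user/password pairs exactly as found.
LEAKED_DUMP = [                            # constructed sample "dump"
    ("alice@example.com", "Password1"),    # alice changed this one -> failure
    ("carol@example.com", "letmein"),      # no such account here -> failure
    ("bob@example.com", "hunter2"),        # reused password -> success
    ("dave@example.com", "qwerty"),
]

# Password spraying: a few common passwords across many known emails.
KNOWN_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]
COMMON_PASSWORDS = ["12345", "asdf", "hunter2"]


def spray_pairs(emails, passwords):
    """Password in the OUTER loop: each account sees one guess per round, dodging per-account lockout."""
    return [(email, pw) for pw, email in product(passwords, emails)]


def credential_stuffing_demo():
    return run_attempts(LEAKED_DUMP)


def password_spraying_demo():
    return run_attempts(spray_pairs(KNOWN_EMAILS, COMMON_PASSWORDS))
```

Note the loop order in spray_pairs: the password is the outer loop so that no single account gets several guesses in a row. In this demo the spray still comes up empty, because the constructed site counts attempts per source and blocks after five, which is exactly why real operations spread their guesses across many IP addresses, and why per-source rate limiting and uniform error responses are worth having on the defending side.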

Another way hackers can get passwords, although it is less common today, is to break into your computer directly. Most won't bother, because most home routers drop unsolicited incoming connections by default, so there is nothing for them to reach from the outside. They would rather go after sites that may not be secure, and sadly, we have no control over that. The other thing the article mentions is malware such as keyloggers, which usually arrive through a phishing attachment or a malicious download rather than an inbound connection, or someone with physical access trying to log in from your machine itself.

If you were sent a phishing email purporting to be from PayPal, a password manager would not fill in your credentials, because it compares the site you are actually on with the site the login was saved for and sees that they don't match. This is the most important thing you can learn during NCSAM. Whether you use LastPass, Trend Micro, 1Password or any other manager, you want to know where you're logging in, and you want the manager to refuse to fill once you're on a different site: if the autofill doesn't trigger where it usually does, treat that as a warning sign rather than typing the password in by hand.
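To make that URL check concrete, here is an added example (my own illustration, not LastPass's or any vendor's code) of the origin comparison a password manager performs before autofilling. The vault entry and the candidate URLs are constructed, and the exact-origin rule is a simplification, noted below.

```python
"""Added illustration of the origin check a password manager performs before
autofilling: credentials saved for one origin are offered only on pages whose
(scheme, host, port) is exactly the same."""
from urllib.parse import urlsplit


def origin_of(url: str):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable.
    Using the parsed hostname defeats tricks like https://www.paypal.com@evil.example/."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:           # e.g. "https://host:notanumber/"
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


# Constructed vault: one saved login, keyed by the URL it was saved on.
VAULT = {
    "https://www.paypal.com/signin": ("alice@example.com", "correct horse battery staple"),
}


def autofill(current_url: str, vault=VAULT):
    """Return the credential to fill on current_url, or None if no saved origin matches."""
    current = origin_of(current_url)
    if current is None:
        return None
    for saved_url, creds in vault.items():
        if origin_of(saved_url) == current:
            return creds
    return None


# Constructed sample of pages a user might land on from an email link.
CANDIDATE_URLS = [
    "https://www.paypal.com/signin?returnUri=%2Fmyaccount",   # real site: fills
    "https://www.paypal.com.account-verify.example/signin",   # lookalike subdomain: no fill
    "https://www.paypa1.com/signin",                          # digit 1 for letter l: no fill
    "https://www.paypal.com@evil.example/signin",             # userinfo trick, host is evil.example
    "http://www.paypal.com/signin",                           # downgraded to http: no fill
]


def fill_decisions(urls=CANDIDATE_URLS):
    """Map each URL to whether the manager would fill on it."""
    return {u: autofill(u) is not None for u in urls}
```

Real managers usually match on the registrable domain rather than the exact host, so that login.paypal.com and www.paypal.com share one vault entry; that needs the Public Suffix List and is left out here, which makes this check stricter than a shipping product. The lesson is the same either way: the decision is made on the origin the browser is actually talking to, not on what the page looks like or what the email said.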

If you can add multifactor authentication, also called two-factor, you're better off. There are different kinds, including authenticator applications, SMS codes, and Touch ID or Face ID. SMS is better than nothing, but a code sent over the phone network can be intercepted or redirected by a SIM swap; an authenticator app is better, because the code is generated on your device from a secret the site never sends again; and a device-bound authenticator unlocked with Touch ID or Face ID (a security key or the platform's built-in authenticator) is probably the best, because it is tied to the real site's origin and cannot be phished the way a typed code can.

Want to learn more about how this actually works? LastPass has the article "How Do Hackers Get Passwords?", and thanks for reading!
