Craig Hays

Password

Why Hackers Love User Accounts and How They Hack Them

September 4, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

User accounts are still the number one target for criminals. This is why they are so desirable and how hackers hack user accounts every day.

Why hackers love and hack user accounts
Photo by Kelly Sikkema on Unsplash

When we think of cyber attacks we often think of scenes resembling those from Hollywood movies. Cybercriminals, slouched over a keyboard, furiously typing, and hunting for vulnerabilities in a piece of software exposed to the internet.

Security vendors leverage this perception in their marketing efforts. I still find it amazing how much fear selling takes place from companies like Tenable, Rapid7, and Qualys, to name a few. Granted, they’re selling software designed to detect known vulnerabilities in other pieces of software, but they exploit the common perception that the sky is falling and that hackers are seconds away from compromising your IT systems.

In reality, most of the cybercrime committed today is carried out through legitimate user accounts: real accounts belonging to real people that have been taken over by hackers with criminal intent. Why is this the case?

Hacking People is Easy. Hacking Software is Hard

People are vulnerable by design. Human nature makes us susceptible to being hacked in any number of ways.

When we use software and computer systems we typically login using a unique username and password that identifies us, proves that we are who we say we are (authentication), and confirms that we’re permitted to do what we’re asking to do (authorization). When a hacker logs in with our user account they instantly get access to do all of the things we are allowed to do.

Software, on the other hand, can be very difficult to manipulate. Even once you’ve found a vulnerability and created an exploit to gain access to something you shouldn’t, you still need to figure out a way to make it do what you want. This is a very time-consuming and expensive process. The question hackers ask themselves all the time is ‘why would I waste all of that effort hacking into a computer system when I could just log in as a legitimate user instead?’

This is why user accounts are such a big target. The right account in the wrong hands can move millions of dollars between banks in a few minutes. Trying to do the same thing with a software exploit could take months or even years and isn’t always possible.

Three Ways Hackers Steal Your User Accounts

1. Guessing Your Password

The first way for hackers to break into one or more of your user accounts is to simply guess your password.

The top 10 passwords for 2019, based on publicly known password breaches, are:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567
  6. 12345678
  7. 12345
  8. iloveyou
  9. 111111
  10. 123123

Judging by these passwords, it is reasonable to assume that most of them were created on mobile devices. Over the last decade the top 10 has shifted from common words to common number patterns as smartphones have become ubiquitous.

Do you use any of these passwords for any of your accounts? Do you have anything similar?

For anyone not using one of the most commonly used passwords, with a little research into an individual it is easy to guess other password formats that people use. Combinations of the following make up the vast majority of the passwords in use today: names of partners, children, pets, football teams, cities, countries, dates of birth, seasons, years, and colours.

I’ve cracked a lot of passwords in my career and I’ve analyzed 1.4 billion clear-text passwords to improve my understanding of how people think about password creation. With a good enough wordlist, you don’t even need to find a Facebook page to guess most people’s passwords.

2. Finding Your Password In Someone Else’s Data Breach

As mentioned in the previous point, there’s a publicly available list of 1.4 billion usernames and passwords on the internet for anyone to download. That’s just one list out of many out there. Every day, additional websites are hacked and new username and password combinations are leaked to buyers on the black market.

Just as your web browser offers to remember and fill in your passwords for you, there’s a password-completing browser extension that criminals can use to make life easier for them when taking advantage of your stolen passwords.

3. Asking You For Your Password (And You Giving It To Them!)

Phishing is an attack where criminals send you an email or SMS text message pretending to be someone else, typically a company, organisation, friend, or authority figure whose request you would be inclined to follow. The message will contain a link to a website asking you to log in, or it could include an attachment. The attachment will then take you to a website, again asking you to log in, or it will run something harmful on your device that could steal your personal data, including passwords.

Linking to a login form is the most common. It’s surprising how many people still fall for phishing emails today, but phishing emails are often well written and designed specifically to invoke an emotional response in the reader. Emotions overpower logic and reason. People do strange things in a panic.

What Can We Do To Fight Back?

Here are a few things we can do to defend against password theft.

Use Multi-Factor Authentication

Multi-Factor Authentication, or MFA for short, is the use of something in addition to your password to prove that you are who you say you are. For authentication to count as multi-factor, you need a combination of two or more of the following:

  • Something you know (your password)
  • Something you have (your smartphone)
  • Something you are (your fingerprint)

Smartphone apps or SMS text messages are the most commonly used form of the second factor. While it is possible to bypass MFA protected logins that use SMS messages, it takes a lot more effort and involves contacting your mobile phone provider and convincing them that you’ve lost your phone. Without a second authentication factor, as soon as someone has your password, they’re in and your account has been hacked.

Use Strong Passwords

The stronger your password is, the harder it is to guess. Google recommends:

“Long passwords are stronger, so make your password at least 8 characters long. These tips can help you create longer passwords that are easier to remember. Try to use:

  • A lyric from a song or poem
  • A meaningful quote from a movie or speech
  • A passage from a book
  • A series of words that are meaningful to you
  • An abbreviation: Make a password from the first letter of each word in a sentence”
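To put the guessing section and the strong-password advice above into practice, here is an added example (not the article’s code) of a sign-up check that rejects the 2019 top-10 list, digits-only keypad patterns, and the “common word plus a year” construction described earlier, while accepting the long passphrases Google recommends. COMMON_WORDS is a constructed sample of the categories the article names, not a real wordlist.

```python
import re

# The ten most common passwords of 2019 as listed in the article.
TOP_10_2019 = {"123456", "123456789", "qwerty", "password", "1234567",
               "12345678", "12345", "iloveyou", "111111", "123123"}

# Constructed sample of the categories the article names (names, pets, football
# teams, cities, seasons, colours). A real deployment would load a full wordlist.
COMMON_WORDS = {"summer", "winter", "spring", "autumn", "liverpool", "arsenal",
                "london", "paris", "blue", "red", "rover", "sophie", "james"}

# Undo the usual letter-for-symbol substitutions (P@ssw0rd -> password).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def base_word(password: str) -> str:
    """Reduce a password to the dictionary word it is built around, if any."""
    core = password.lower()
    core = re.sub(r"[^a-z0-9]+$", "", core)  # drop trailing punctuation
    core = re.sub(r"\d+$", "", core)         # drop a trailing year or number
    core = core.translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def check_password(password: str) -> list:
    """Return the list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password in TOP_10_2019:
        problems.append("in the 2019 top-10 list")
    if password.isdigit():
        problems.append("digits only (keypad pattern)")
    word = base_word(password)
    if word in TOP_10_2019 and password not in TOP_10_2019:
        problems.append("top-10 password with character substitutions")
    if word in COMMON_WORDS:
        problems.append("built around a common word (name, team, season, colour)")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Summer2019!", "P@ssw0rd", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```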

Use Different Passwords on Every Website

As the 1.4 billion username and password list shows, as soon as one website is hacked, any accounts on other websites where you use the same username and password are vulnerable to takeover by a hacker.

We’ve all done it in the past, including me. We pick a handful of memorable passwords and use them across a range of sites. If you ever forget which one you’ve used you can always try them all until you get in. Eventually, it works. This is what hackers do too.

Use a different password on every website. That way, if your password ever gets leaked, it won’t be usable on any other website. As a bonus, if you know which site a password was used on, you’ll know which sites have been hacked when your passwords do become public.

Use a Password Manager

Let’s be realistic… Having a separate password for every account is unmanageable for most of us. We can’t remember that many unique password combinations. Instead, use a password manager to store unique, strong passwords for all of your accounts.

Modern web browsers have password managers built-in. Companies like 1Password, LastPass, and Dashlane all offer free or paid-for alternatives. There are many options out there and you’re free to choose whichever you prefer. But please, use one and you’ll only need to remember one, very, very strong password to keep all your accounts safe.

Gaining Lateral Movement with SSH Password Sniffing

February 19, 2020 By Craig Hays Leave a Comment

Reading Time: 5 minutes

Sometimes the best way to gain lateral movement during a penetration test is to steal a password. Here’s how to sniff passwords from a running SSH server.

OpenSSH Password Sniffing
Photo by Clint McKoy on Unsplash

If you’ve managed to gain a remote shell onto a Linux server and elevated your privileges to root (congrats!), the next step is to maintain your access and gain lateral movement around the network. If you’ve been unable to find anything on the compromised server that would indicate a password for any system, including the compromised server, you can always try to sniff SSH passwords straight out of OpenSSH. You can even be doing this while attacking password hashes offline. I always prefer multiple options that race each other to the correct answer.

The Reality of SSH Passwords

Lateral movement through OpenSSH password sniffing is a very viable concept because:

  • People use the same username and password combinations on multiple systems
  • Passwords often follow a common pattern which can be used to predict other passwords on the estate
  • People type valid passwords into the wrong servers
  • Given enough time, someone will always log in

There are exceptions to the above but unfortunately, most organisations are not that mature.

3 Ways to Sniff SSH Passwords on a Compromised Server

[Read more…] about Gaining Lateral Movement with SSH Password Sniffing

Inside a Real SMS Phishing Attack (Smishing)

February 5, 2020 By Craig Hays 4 Comments

Reading Time: 8 minutes

SMS based phishing attacks (Smishing) are a real threat that we see every day. To help you spot them in future, this is how they work.

The start of an SMS Phish (Smish)

A Phishing/Smishing Attack In Action

At 17:52 pm today I received a text message from my mobile phone network, ‘EE’. I picked up the message at 18:08. This is what it said:

[Read more…] about Inside a Real SMS Phishing Attack (Smishing)

How to Run a Phishing Simulation Test

January 29, 2020 By Craig Hays Leave a Comment

Reading Time: 12 minutes

Running a successful phishing simulation campaign is difficult. This is how to test your employees to better prepare them for real attacks.

phishing simulation
Fishing Fleet image by Bernard Benedict Hemy

Following on from my last article on how to write phishing emails that work, this article outlines how to run a successful phishing simulation campaign. We do this to measure how employees respond to attacks from criminals, how effective our training is, and where we need to do more to help our employees stay safe online.

[Read more…] about How to Run a Phishing Simulation Test

Enforcing better Active Directory passwords (Password audit part 3)

May 30, 2019 By Craig Hays Leave a Comment

Reading Time: 3 minutes

(This is the third and final post of a three part series on Microsoft Active Directory password quality auditing)

Following on from part 2 where we used DS-Internals to extract NT hashes and John the Ripper to crack them, in this post we cover what to actually do with all of this (usually worrying) information.

What to do with a list of cracked passwords

Now that John has done his good work, you will likely have a list of passwords and their associated user accounts from some of your users. Once you’ve gotten off the floor and climbed back into your chair, you may start to think: “This is great! We can see exactly who has bad passwords. If they were good we wouldn’t have cracked them so easily.” So now what…

[Read more…] about Enforcing better Active Directory passwords (Password audit part 3)

· © Craig Hays, 2006–2023 ·