The value of a good password shouldn't be underestimated. Thankfully, there are countless tools out there that help you gauge the strength of any password.
Many of these tools will show you how long it would hypothetically take an attacker to crack your password by brute force, that is, by trying every possible combination in turn. This is a useful yardstick for a password's strength, but it doesn't give a true picture of the many ways that criminals actually get hold of passwords, most of which work regardless of how many special characters you use!
So, let’s explore some surprisingly savvy ways that criminals can get their grubby mitts on precious password paydirt.
1. Using graphics cards to visualise… your password?
Before we get into some of the more leftfield methods that hackers use to fraudulently obtain passwords, it may surprise you how easy cracking passwords has become. So, we'll just come out with it: graphics cards are great at password cracking.
To render graphics or process video, a graphics card has to perform enormous numbers of simple calculations at the same time, spread across thousands of small processing cores. Password cracking is exactly that kind of workload: hash one guess, compare it with the stolen hash, repeat billions of times. That same design makes graphics cards good at two things you wouldn't immediately associate with graphics processing: cryptocurrency mining and password cracking.
Those with big budgets who are serious about either of these ends will generally invest in built-for-purpose mining or cracking rigs, with several graphics cards working in parallel to maximise the available computing power.
That's not to say that password cracking is impossible on a standard PC gamer's setup, or indeed on a budget PC. UKFast claimed that the £30 Nvidia GeForce GT220 graphics card can crack an 8-character password in just 4 hours (a figure that depends heavily on which hashing algorithm protected the password and which characters it contained, as section 3 explains). It's worth noting that the GT220 was released in 2009 and is considered well below par for PC gaming in the 2020s! Modern graphics cards are many times more powerful, and more potent in the wrong hands.
With graphics card technology only getting faster by the day, password cracking is no longer limited to well-equipped basement-dwelling hackers or top-secret state actors. With a few moderately powerful graphics cards and a suitable PC rig, the barrier to entry for password cracking is worryingly low.
2. Phishing: don’t take the bait
Phishing is a kind of cyber fraud where criminals send digital communications, most commonly emails, designed to trick potential victims into handing over sensitive data (like passwords) or taking a harmful action.
The DCMS’s 2020 survey reported that phishing attacks are by far the most common type of cyber attack suffered by businesses, with 67% of business cybercrime victims noting that their single most disruptive cyber incident occurred as a result of phishing.
So how does a password-harvesting phishing attack work? Criminals start by sending out emails that purport to be from trusted providers and entities, like Office 365, Amazon, and HMRC, to name but a few. These emails are generally carefully designed to mimic that organisation’s branding and tone of voice.
Regardless of who it claims to be from, an email of this nature will generally pressure the recipient to log in to their account urgently (whether through outright demands or through subtler psychological coercion), and to do so using a specific link in the email.
However, that link doesn't go to the trusted provider's site. It goes to a login page that is also carefully designed to imitate the brand in question. Anyone who takes the bait then innocently enters their login credentials, effectively handing them straight to the criminals; some phishing kits even pass the credentials on to the real site and log the victim in, so nothing appears to be wrong.
Needless to say: if you get an unusually urgent, unsolicited email from a trusted entity, check its veracity away from your inbox. Don't click the link (it may lead to a malware download, and simply opening it can confirm to the sender that your address is live); instead, type the provider's address into your browser yourself, log in there, and check whether any action is actually required. Remember too that fraudulent emails aren't only used to steal passwords. They feature in a number of nefarious schemes, including advance fee scams, spear phishing, malware propagation, identity theft, and much more.
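The check described above (does the link actually go where it claims?) can be automated. The following is an added example, not part of the original article: it parses a constructed phishing-style HTML email, compares each link's real destination host with the host shown in its visible text, and flags destinations that don't sit under a trusted domain. The sample email, the attacker's host under the reserved `.example` domain and the trusted-domain list are assumptions for the demo (login.microsoftonline.com is Microsoft's genuine sign-in host).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample for the demo: a phishing-style HTML email body, not a real message.
# The attacker's host lives under the reserved ".example" TLD.
SAMPLE_EMAIL_HTML = """
<p>Your Office 365 mailbox is almost full. Sign in within 24 hours to avoid suspension.</p>
<p><a href="http://login.microsoftonline.com.security-check.example/auth">https://login.microsoftonline.com</a></p>
<p><a href="https://www.microsoft.com/en-gb/privacy">Privacy statement</a></p>
"""

# Assumed allow-list for this demo: the domains the genuine provider actually uses.
TRUSTED_DOMAINS = ["microsoftonline.com", "microsoft.com"]


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased host of a URL; bare text such as 'login.example.com' is treated as a URL too."""
    if "://" not in url_or_text:
        url_or_text = "https://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def belongs_to(host, trusted_domain):
    """True only if host is the trusted domain itself or a subdomain of it.
    A prefix match is not enough: 'microsoftonline.com.security-check.example'
    starts with the trusted name but is controlled by whoever owns 'security-check.example'."""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def audit_links(html, trusted_domains):
    """Return one finding per link with the reasons (if any) it looks like a phishing lure."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if not any(belongs_to(href_host, d) for d in trusted_domains):
            reasons.append("destination host not under a trusted domain")
        # If the visible text looks like a URL or hostname, it must agree with the real target.
        looks_like_url = "." in text and " " not in text
        if looks_like_url and host_of(text) != href_host:
            reasons.append("visible URL text does not match real destination")
        if href.lower().startswith("http://"):
            reasons.append("login link served over plain http")
        findings.append({"href": href, "text": text, "host": href_host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{verdict:10} {f['text']!r} -> {f['host']}")
        for r in f["reasons"]:
            print(f"{'':10}   - {r}")
```

The important design point is `belongs_to`: checking that a host merely starts with or contains the brand name is exactly the mistake the lure relies on, so the test is for the trusted domain as the whole host or as its suffix after a dot.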
3. Hashed password leaks: not as safe as they sound
Sometimes you may hear in the news or online that a set of "hashed" logins has been leaked. This means that the passwords weren't stored in plain text: each one was run through a one-way function called a "hash", which turns it into a fixed-length string of characters that cannot be mathematically reversed back into the password. Hashing is not encryption; there is no key that decrypts a hash.
At first glance, it may seem like you don't have much to worry about. If the passwords can't be reversed, you're golden, right? Well… not necessarily.
It all depends on which hashing algorithm was used and whether each password was combined with a random value (a "salt") before hashing. General-purpose hashes such as MD5 and SHA-1 can be computed billions of times per second on the graphics cards discussed above, whereas purpose-built password hashes like bcrypt, scrypt and Argon2 are deliberately slow. Because a hash can't be reversed, attackers instead guess: they hash enormous numbers of candidate passwords and compare the results with the leaked list, so any password that appears in a wordlist, or is short enough to try every combination, will fall. Without a salt, a single guess can be checked against every leaked hash at once, and free online "hash decrypter" services simply hold precomputed tables of billions of common passwords and their hashes, which they will look up for anyone, no questions asked.
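To make the points in sections 1 and 3 concrete, here is an added example (not code from the article or from any tool it mentions). It builds a small set of constructed "leaked" hashes and shows why unsalted fast hashes fall to a precomputed lookup table, why a per-user salt defeats the table but not a wordlist, what an exhaustive search looks like, and how the worst-case cracking time is just the size of the keyspace divided by the guess rate. The usernames, passwords, wordlist and the guess rates in the final comparison are all assumptions for the demo, not benchmarks.

```python
import hashlib
import itertools
import os
import time

# Constructed demo data: these are not real leaked credentials.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football", "Summer2020"]
USER_PASSWORDS = {"alice": "password", "bob": "Summer2020", "carol": "Zx9!qLp2"}


def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


def salted_sha256(salt, pw):
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def crack_unsalted(hashes, wordlist):
    """Unsalted fast hash: hash each candidate ONCE and look it up against every leaked
    digest at the same time. The free online 'hash decrypters' are this, with huge
    precomputed tables instead of a six-word list."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def crack_salted(records, wordlist):
    """Per-user random salt: the precomputed table is useless and every (user, candidate)
    pair costs a fresh hash. Weak passwords still fall, but the work grows with the
    number of users instead of being shared across all of them."""
    found = {}
    for user, salt, digest in records:
        for w in wordlist:
            if salted_sha256(salt, w) == digest:
                found[user] = w
                break
    return found


def brute_force_md5(target, charset, max_len):
    """Exhaustive search of every string up to max_len over charset.
    Returns (plaintext or None, number of guesses made)."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            tried += 1
            candidate = "".join(combo)
            if md5_hex(candidate) == target:
                return candidate, tried
    return None, tried


def worst_case_seconds(charset_size, length, guesses_per_second):
    """Seconds to exhaust every password of exactly `length` symbols drawn from
    `charset_size` choices. The rate is what changes between a GPU on MD5 (billions
    per second) and a deliberately slow password hash such as bcrypt or Argon2."""
    return charset_size ** length / guesses_per_second


def measure_md5_rate(seconds=0.2):
    """Rough single-threaded Python MD5 guess rate, for scale only."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        md5_hex(str(n))
        n += 1
    return n / seconds


if __name__ == "__main__":
    leaked_md5 = [md5_hex(p) for p in USER_PASSWORDS.values()]
    print("unsalted MD5, lookup table:", crack_unsalted(leaked_md5, COMMON_PASSWORDS))

    records = []
    for user, pw in USER_PASSWORDS.items():
        salt = os.urandom(16)
        records.append((user, salt, salted_sha256(salt, pw)))
    print("salted SHA-256, same table:", crack_unsalted([r[2] for r in records], COMMON_PASSWORDS))
    print("salted SHA-256, per-user wordlist:", crack_salted(records, COMMON_PASSWORDS))

    print("brute force of md5('cab') over a-z:",
          brute_force_md5(md5_hex("cab"), "abcdefghijklmnopqrstuvwxyz", 3))

    rate = measure_md5_rate()
    print(f"this script manages ~{rate:,.0f} MD5 guesses/s; all 8-char lowercase passwords "
          f"would take {worst_case_seconds(26, 8, rate) / 3600:,.1f} hours here")
    # Assumed, illustrative rates (not benchmarks): a GPU doing MD5 versus bcrypt at a
    # sensible cost factor. Only the ratio between them matters for the point being made.
    for label, r in (("fast hash on a GPU, assumed 1e10/s", 1e10), ("bcrypt, assumed 1e4/s", 1e4)):
        days = worst_case_seconds(62, 8, r) / 86400
        print(f"8 chars from [a-zA-Z0-9] at {label}: {days:,.1f} days")
```

Run it directly to see the demo output; the functions can also be imported on their own. Notice that "carol" survives every attack here not because of the hash but because her password is in no wordlist and too long to exhaust; the salt and the slow algorithm are what protect everybody else. Substitute measured figures from your own hardware before quoting any cracking times.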
4. Surveillance malware
Malware isn’t always out there to destroy your machine or your files – sometimes it’s just there to listen in.
Surveillance malware can exfiltrate sensitive data in a number of scary ways. Keyloggers are particularly chilling; they record every keystroke on a device, collecting everything the user types, including usernames, passwords, payment details and personal information. Modern "info-stealer" malware goes further, lifting saved passwords and login session cookies straight out of the browser without the victim typing anything at all. Other kinds of spyware harvest information or usage data from your network or local PC and send it (passwords included, but not only passwords) to unscrupulous entities. The simplest way to stay safe is to steer clear of risky emails, downloads and browsing, keep your operating system and endpoint protection (antivirus, EDR, or an MDR service) up to date, and make sure your security policies are actually enforced.
5. Vishing: Simply Asking for Your Password!
Phishing for passwords isn’t limited to email and text messaging services. Fraudulent requests for sensitive details can be made just as easily over the phone or using voice messaging apps, where it’s called “vishing”.
Let’s illustrate the power of vishing with an example. Jim works in a large, busy office and he’s absolutely rushed off his feet. Out of the blue, he gets a phone call from a number that appears to be from within the building. The chatty, affable person on the other end of the phone claims that they look after Jim’s employer’s IT – they just need Jim’s Office 365 login details to fix or check something. Alternatively, they may ask Jim to download a specific piece of software, or share a nugget of sensitive information.
Ask yourself: would you comply without giving it a second thought? We all have a certain (misguided) sense of security about phone calls; they have been part of day-to-day life for so long that they don't arouse the same suspicion as digital communications. Though perhaps they should.
This video below shows just how simple a vishing attack can be.
So, let's revisit our example. The number calling from within Jim's building? Caller ID can be easily spoofed to fool recipients. The chatty person encouraging you to do something against your own interests? They're a scammer, skilled at using our own psychology against us. The password or software download request? Another stepping stone towards breaching your company's cyber defences, or indeed your own personal data security.
Live voice conversations are ripe for social engineering (the kind of psychology that's at play with these phishing-style attacks). Because the call has come out of the blue, there's a certain element of catching you "on the hop" when you're at your most unsuspecting. And because you're talking to them in real time, they can lean on social and emotional cues to convince you to do their bidding, by sounding hurried, stressed, or upset. The defence is simple: no legitimate IT department ever needs your password, so tell any unexpected caller who asks for credentials or a software install that you'll ring them back, then do so on a number you already know to be genuine.
Two Solutions for Password Security
Multi-Factor Authentication (MFA) goes a long way towards addressing most password security worries. MFA strengthens standard "username and password" logins by adding a verification step that relies on something an attacker is unlikely to have: typically something you possess (a one-time code from an authenticator app or hardware device, or a code texted to a verified mobile number) or something you are (a fingerprint or face scan). Security questions are sometimes offered as an extra step too, but they are just another "something you know", and the answers are often guessable or discoverable, so they add far less protection.
Therefore, if a criminal does get hold of a username and password for a login that's protected by MFA, they still won't be granted access without the additional factor. Two caveats are worth knowing. A phishing page of the kind described in section 2 can ask for the one-time code as well and relay it to the real site before it expires, and SMS codes can be intercepted through SIM-swap fraud. Hardware security keys and passkeys (FIDO2/WebAuthn) are bound to the genuine website's address and cannot be relayed in this way, so prefer them wherever they're supported.
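As an added example (not part of the original article or of any vendor product it mentions), here is a minimal implementation of the time-based one-time code used by authenticator apps (TOTP, RFC 6238), together with a server-side verifier. It shows the "something you have" factor at work: both sides derive the code from a shared secret and the clock, so the code never has to be sent in advance, and a code that has already been accepted is refused if it is replayed. The shared secret is the published RFC 6238 test-vector secret and the clock values are chosen for the demo.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, 'dynamic
    truncation' to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = Unix time // step. Phone and server both
    hold `secret` and a clock, so each side derives the code itself and nothing is
    sent in advance; an attacker holding only the password has nothing to compute it from."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side of the check. Accepts the current step and `window` steps either
    side (clock drift, typing delay) and refuses any step at or below the last accepted
    one, so a code that has been used once cannot be replayed within its lifetime."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_step = -1

    def verify(self, code, at=None):
        at = int(time.time()) if at is None else at
        current = at // self.step
        for offset in range(-self.window, self.window + 1):
            step = current + offset
            if step <= self.last_step:
                continue  # already consumed: this is a replay attempt
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # Demo only: this is the published RFC 6238 test-vector secret, never a real one.
    secret = b"12345678901234567890"
    for t in (59, 1111111109, 1234567890):
        print(f"t={t}: code {totp(secret, t)}")
    server = TotpVerifier(secret)
    code = totp(secret, 59)
    print("first use accepted:", server.verify(code, at=59))   # True
    print("replay of same code:", server.verify(code, at=59))  # False
    live = TotpVerifier(secret)
    print("code generated right now:", live.verify(totp(secret, int(time.time()))))
```

The replay guard is what limits the damage when a phishing page relays a captured code: the attacker has to use it before the legitimate user does and within the 30-second step, which is why real-time relay kits exist and why phishing-resistant factors are preferable where available.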
Learn more about WatchGuard’s industry-leading MFA solution from our colleagues at Just Firewalls!
Good cyber-awareness training is also essential – it helps your team recognise the tell-tale signs of social engineering before it’s too late, provides crucial guidance on creating strong passwords, and much, much more.
Good cyber-preparedness is a group effort. Your team are your last and strongest line of cyber-defence, so train them well.
Just Cyber Security’s practical cyber resilience training workshops are accessible and instantly applicable, regardless of your tech expertise or your industry. We cover numerous aspects of modern cyber security, including password security, social engineering, phishing awareness, device safety, and more.
So don’t wait – learn more about our cyber-awareness workshops or give us a call on 0161 5183341 for a friendly chat!