How Hackers Crack Passwords
Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their
sense of exploration and desire to figure out a problem. A hacker can use low-tech methods
to crack passwords. These methods include using social engineering techniques, shoulder surfing,
and simply guessing passwords from information that he knows about the user.
The most popular low-tech method for gathering passwords is social engineering. Social
engineering takes advantage of the trusting nature of human beings to gain information that
later can be used maliciously. A common social engineering technique is simply to con people
into divulging their passwords. It sounds ridiculous, but it happens all the time.
To obtain a password through social engineering, you just ask for it. For example, you
can simply call a user and tell him that he has some important-looking e-mails stuck in the
mail queue, and you need his password to log in and free them up. This is often how hackers
and rogue insiders try to get the information!
A common weakness that can facilitate such social engineering is when staff members'
names, phone numbers, and e-mail addresses are posted on your company websites. Social media
sites such as LinkedIn, Facebook, and Twitter can also be used against a company because these
sites can reveal employees' names and contact information.
User awareness and consistent security training are great defenses against social engineering.
Security tools are a good fail-safe if they monitor for such lures in e-mail and web traffic at
the host level, the network perimeter, or in the cloud.
Train users to spot attacks and respond effectively. Their best response is not to give
out any information and to alert the appropriate information security manager in the organization
to see whether the inquiry is legitimate and whether a response is necessary. Oh, and take
that staff directory off your website or at least remove IT staff members’ information.
Shoulder surfing (the act of looking over someone’s shoulder to see what the person is
typing) is an effective, low-tech password hack.
To mount this attack, the bad guys must be near their victims and not look obvious. They
simply collect the password by watching either the user’s keyboard or screen when the person
An attacker with a good eye might even watch whether the user is glancing around his
desk for either a reminder of the password or the password itself. Security cameras or a webcam
can even be used for such attacks. Coffee shops and airplanes provide the ideal scenarios for
You can try shoulder surfing yourself. Simply walk around the office and perform random
spot checks. Go to users’ desks and ask them to log in to their computers, the network, or
even their e-mail applications. Just don’t tell them what you’re doing beforehand, or they
might attempt to hide what they’re typing or where they’re looking for their password. Just
be careful doing this and respect other people’s privacy.
Encourage users to be aware of their surroundings and not to enter their passwords when
they suspect that someone is looking over their shoulders. Instruct users that if they suspect
someone is looking over their shoulders while they’re logging in, they should politely ask
the person to look away or, when necessary, hurl an appropriate epithet to show the offender
that the user is serious.
Inference is simply guessing passwords from information you know about users — such as
their date of birth, favorite television show, or phone numbers. It sounds silly, but criminals
often determine their victims’ passwords simply by guessing them!
The best defense against an inference attack is to educate users about creating secure
passwords that don’t include information that can be associated with them. Outside of certain
password complexity filters, it’s often not easy to enforce this practice with technical controls.
So, you need a sound security policy and ongoing security awareness and training to remind
users of the importance of secure password creation.
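The following is an added example, not code from the original text: it shows in Python both sides of the inference attack described above. An attacker-side routine builds candidate passwords from a constructed, hypothetical user profile (name, date of birth in several formats, phone digits, favorite show, with common suffixes), and a defender-side filter rejects any chosen password that contains one of those profile-derived tokens. The profile, the victim password `Sarah1987!`, and the `personal_info_filter` name are all assumptions made for the illustration.

```python
import hashlib
import itertools
import re
from datetime import date

# Constructed sample profile for a hypothetical user (not from the original text).
PROFILE = {
    "first_name": "Sarah",
    "last_name": "Kim",
    "birth_date": date(1987, 4, 12),
    "phone": "555-0143",
    "favorite_show": "Seinfeld",
}

# Constructed victim password and its stored SHA-256 digest (stand-in for a credential store).
VICTIM_PASSWORD = "Sarah1987!"
STORED_HASH = hashlib.sha256(VICTIM_PASSWORD.encode()).hexdigest()

# Suffixes people commonly bolt on to satisfy complexity rules.
SUFFIXES = ["", "1", "123", "!", "2024"]


def profile_tokens(profile):
    """Raw strings an attacker would derive from what is known about the user."""
    d = profile["birth_date"]
    tokens = {
        profile["first_name"],
        profile["last_name"],
        profile["favorite_show"],
        d.strftime("%m%d%Y"),      # 04121987
        d.strftime("%d%m%Y"),      # 12041987
        d.strftime("%m%d%y"),      # 041287
        d.strftime("%m%d"),        # 0412
        d.strftime("%Y"),          # 1987
        re.sub(r"\D", "", profile["phone"]),  # digits only: 5550143
    }
    return {t for t in tokens if t}


def inference_candidates(profile, suffixes=SUFFIXES):
    """Guess list: single tokens and ordered pairs, in three case forms, with suffixes."""
    tokens = profile_tokens(profile)
    bases = set(tokens)
    for a, b in itertools.permutations(tokens, 2):
        bases.add(a + b)
    candidates = set()
    for base in bases:
        for variant in (base, base.lower(), base.capitalize()):
            for suffix in suffixes:
                candidates.add(variant + suffix)
    return candidates


def verify_against_store(candidate, stored_hash=STORED_HASH):
    """Simulate an offline check of one guess against the stored digest."""
    return hashlib.sha256(candidate.encode()).hexdigest() == stored_hash


def guess_password(profile, verify=verify_against_store):
    """Try every inference candidate; return the one that verifies, or None."""
    for candidate in sorted(inference_candidates(profile)):
        if verify(candidate):
            return candidate
    return None


def personal_info_filter(password, profile, min_len=3):
    """Defender side: reject a password containing any profile token (case-insensitive).

    Returns (accepted, offending_token). Tokens shorter than min_len are ignored
    to avoid rejecting passwords for incidental two-character overlaps.
    """
    lowered = password.lower()
    for token in profile_tokens(profile):
        if len(token) >= min_len and token.lower() in lowered:
            return False, token
    return True, None


if __name__ == "__main__":
    found = guess_password(PROFILE)
    print(f"{len(inference_candidates(PROFILE))} guesses generated; recovered: {found}")
    for pw in (VICTIM_PASSWORD, "correct-horse-battery"):
        ok, why = personal_info_filter(pw, PROFILE)
        print(f"{pw!r}: {'accepted' if ok else 'rejected (contains ' + why + ')'}")
```

The guess list stays in the low thousands, which is why inference succeeds so often: an online login portal or a leaked hash is exhausted in seconds. The filter is the kind of "complexity filter" the text alludes to; it only works where the identity system actually holds the attributes being checked, so it complements rather than replaces user training.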