Bucaro TecHelp

How Hackers Crack Passwords

Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their sense of exploration and desire to figure out a problem. A hacker can use low-tech methods to crack passwords. These methods include using social engineering techniques, shoulder surfing, and simply guessing passwords from information that he knows about the user.

Social engineering

The most popular low-tech method for gathering passwords is social engineering. Social engineering takes advantage of the trusting nature of human beings to gain information that later can be used maliciously. A common social engineering technique is simply to con people into divulging their passwords. It sounds ridiculous, but it happens all the time.

Techniques

To obtain a password through social engineering, you just ask for it. For example, you can simply call a user and tell him that he has some important-looking e-mails stuck in the mail queue, and you need his password to log in and free them up. This is often how hackers and rogue insiders try to get the information!

A common weakness that can facilitate such social engineering is when staff members' names, phone numbers, and e-mail addresses are posted on your company websites. Social media sites such as LinkedIn, Facebook, and Twitter can also be used against a company because these sites can reveal employees' names and contact information.

Countermeasures

User awareness and consistent security training are great defenses against social engineering. Security tools are a good fail-safe if they monitor for such e-mails and web browsing at the host level, at the network perimeter, or in the cloud.

Train users to spot attacks and respond effectively. Their best response is not to give out any information and to alert the appropriate information security manager in the organization to see whether the inquiry is legitimate and whether a response is necessary. Oh, and take that staff directory off your website or at least remove IT staff members’ information.

Shoulder surfing

Shoulder surfing (the act of looking over someone’s shoulder to see what the person is typing) is an effective, low-tech password hack.

Techniques

To mount this attack, the bad guys must be near their victims and not look obvious. They simply collect the password by watching either the user’s keyboard or screen when the person logs in.

An attacker with a good eye might even watch whether the user is glancing around his desk for either a reminder of the password or the password itself. Security cameras or a webcam can even be used for such attacks. Coffee shops and airplanes provide the ideal scenarios for shoulder surfing.

You can try shoulder surfing yourself. Simply walk around the office and perform random spot checks. Go to users’ desks and ask them to log in to their computers, the network, or even their e-mail applications. Just don’t tell them what you’re doing beforehand, or they might attempt to hide what they’re typing or where they’re looking for their password. Just be careful doing this and respect other people’s privacy.

Countermeasures

Encourage users to be aware of their surroundings and not to enter their passwords when they suspect that someone is looking over their shoulders. Instruct users that if they suspect someone is looking over their shoulders while they’re logging in, they should politely ask the person to look away or, when necessary, hurl an appropriate epithet to show the offender that the user is serious.

Inference

Inference is simply guessing passwords from information you know about users — such as their date of birth, favorite television show, or phone numbers. It sounds silly, but criminals often determine their victims’ passwords simply by guessing them!

The best defense against an inference attack is to educate users about creating secure passwords that don’t include information that can be associated with them. Outside of certain password complexity filters, it’s often not easy to enforce this practice with technical controls. So, you need a sound security policy and ongoing security awareness and training to remind users of the importance of secure password creation.
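The "password complexity filters" mentioned above can be pushed one step further than length-and-character-class rules: a filter that knows a few facts about the account holder can reject exactly the inference material this section describes. The following is an added example, not code from the article or its author. It runs at password-set time and rejects a candidate that contains the user's name, username, birth date in common layouts, phone digits, favourite show or pet name, after folding common digit-for-letter substitutions. The profile field names (username, first_name, last_name, date_of_birth, phone, favorite_show, pet_name) and the sample profile are constructed assumptions for the demonstration.

```python
"""
Password-set check against inference material.

Added demonstration, not code from the article: rejects a candidate
password that contains data an attacker could associate with the user
(name, username, birth date in common layouts, phone digits, favourite
show, pet). The profile field names and the sample profile are
constructed assumptions for this example.
"""
from __future__ import annotations

import re
from datetime import date

# Fragments shorter than this are ignored; 2- and 3-character matches
# (initials, a two-digit year) would reject far too many good passwords.
MIN_FRAGMENT = 4

# Common digit/symbol-for-letter substitutions folded back to letters so
# "J0hn" and "S31nf3ld" are caught as well as "john" and "seinfeld".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalize(text: str) -> str:
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def derive_fragments(profile: dict) -> set[str]:
    """Strings an inference attacker would try first, derived from the profile."""
    frags: set[str] = set()
    for key in ("username", "first_name", "last_name", "favorite_show", "pet_name"):
        if profile.get(key):
            frags.add(_normalize(profile[key]))
    first = _normalize(profile.get("first_name", ""))
    last = _normalize(profile.get("last_name", ""))
    if first and last:
        frags.update({first + last, last + first})
    dob = profile.get("date_of_birth")
    if isinstance(dob, date):
        yyyy, yy = f"{dob.year}", f"{dob.year % 100:02d}"
        mmdd, ddmm = f"{dob.month:02d}{dob.day:02d}", f"{dob.day:02d}{dob.month:02d}"
        # YYYY, MMDD, DDMM, MMDDYYYY, DDMMYYYY, MMDDYY, DDMMYY
        frags.update({yyyy, mmdd, ddmm, mmdd + yyyy, ddmm + yyyy, mmdd + yy, ddmm + yy})
    phone = profile.get("phone")
    if phone:
        digits = re.sub(r"\D", "", phone)
        frags.update({digits, digits[-4:]})  # full number and the last four digits
    return {f for f in frags if len(f) >= MIN_FRAGMENT}


def check_password(candidate: str, profile: dict) -> list[str]:
    """Return the user-associated fragments found in candidate; [] means accepted."""
    plain = _normalize(candidate)
    folded = plain.translate(_LEET)  # digit fragments are matched against plain
    return sorted(f for f in derive_fragments(profile) if f in plain or f in folded)


# Constructed sample profile for the demonstration; not a real person.
SAMPLE_PROFILE = {
    "username": "jsmith",
    "first_name": "John",
    "last_name": "Smith",
    "date_of_birth": date(1985, 3, 14),
    "phone": "(602) 555-0187",
    "favorite_show": "Seinfeld",
    "pet_name": "Fluffy",
}

if __name__ == "__main__":
    for pw in ("Smith1985!", "S31nf3ld#Rocks", "Pass0187!", "correct-horse-battery-staple"):
        hits = check_password(pw, SAMPLE_PROFILE)
        verdict = "REJECT" if hits else "accept"
        print(f"{pw:32} {verdict} {hits}")
```

The check is a complement to the awareness training the paragraph recommends, not a replacement: it only knows the attributes the account system stores, and anything an attacker learns from social media that the organisation never recorded (a child's name, a sports team) slips past it. MIN_FRAGMENT is the main tuning knob; lowering it catches more but starts rejecting passwords for containing a two-digit year or a pair of initials.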

Copyright©2001-2019 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268