Password Secrets : Why Your Password is Never Secure

One thing that makes us so vulnerable is ignorance. Today, most of our work depends on the internet. Is setting a password enough to keep our credentials secure? Are we really aware of how to deal with passwords?

Our lack of understanding about passwords is allowing crooks to spy on us, steal from us, and deceive us into thinking nothing ever happened. Despite the volumes of text that have already been written about them, how many of us have ever read a single chapter, or even a paragraph, about the nitty-gritty of passwords?

That’s why I have compiled the following three shortlists which outline the most common misconceptions about passwords; the ways in which our passwords can be stolen; and the tools you need to make sure it doesn’t happen to you.

Each of these sections can be read in less than two minutes. But once you’re done, you will have acquired enough information to deal safely and confidently with your passwords.

Password Myths You Should Stop Believing

1. A file, folder, computer, or account protected by a password is safe.
Read the rest of the article and learn why that statement is no longer true.

2. Your passwords are secure as long as you only deal with reputable online businesses.

Major online businesses that serve tens of millions of customers worldwide are expected to hold a treasure trove of personal information – the favorite diet of identity thieves. Therefore, these companies are always in the crosshairs of the world’s most highly-skilled hackers.

Take these recent examples, for instance:

  1. LinkedIn – A file with 6.5 million passwords from LinkedIn accounts appeared in an online forum based in Russia.
  2. Yahoo – 450,000 usernames and passwords from Yahoo! were posted online.
  3. Sony (Playstation) – This massive breach involved 77 million Sony PlayStation user accounts containing passwords and other personal information.

Reputable businesses like LinkedIn, Yahoo! and Sony should be implementing the strongest security countermeasures available. But even these are not strong enough to withstand attacks all the time…

3. A password input box that obscures characters as you type hides your password from prying eyes.

[Image: password input box]
The dots or asterisks displayed on a password input box are just meant to prevent people near you from seeing what you’re entering in there. How the password is actually stored or sent is a different story.

4. “Strong” passwords are difficult to compromise.

Even if your password is long and complex (e.g. a combination of uppercase and lowercase letters, numbers and other non-alphanumeric characters), if it is stored or sent in plaintext, you’re toast if the hackers get hold of it. Plaintext means it can be viewed exactly as it was entered, using easily accessible tools. For example, if your password is Super$ecretp@Ss, a free downloadable tool like Ettercap lets whoever is sitting on the network path see it in exactly that form: Super$ecretp@Ss.

If, however, your password is encrypted, it has been scrambled and cannot be read with the same tool (Ettercap). It might be displayed as something like this: xt%y&1sm^*it;>2.

Unfortunately, many software applications still store and send passwords in plaintext. That is why hackers still find the first three items in the next section so effective.
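The difference between the two storage styles described above, as an added example in Python that is not part of the original article. The first function keeps the password as typed (what a sniffer or a database thief sees); the second stores a salted, deliberately slow hash, which is what practitioners actually use for stored passwords rather than reversible encryption. Only the standard library is used; the iteration count and salt length are assumptions.

```python
# Added example (not from the article): what "plaintext" versus hashed storage
# means in code. Uses only the Python standard library. The iteration count is
# an assumption chosen to make each guess expensive for an attacker.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumption: tune to roughly 0.3 s per check on your hardware
SALT_BYTES = 16               # assumption: 128-bit random salt per user


def store_plaintext(password):
    """What a badly written service keeps: the password itself.
    Anyone who reads the database (or the wire) sees Super$ecretp@Ss as typed."""
    return password


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table of digests is useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time,
    so a wrong guess takes as long as a right one and leaks nothing by timing."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algorithm)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "Super$ecretp@Ss"                       # the article's sample password
    print("plaintext record :", store_plaintext(pw))
    record = hash_password(pw)
    print("hashed record    :", record)
    print("correct password :", verify_password(pw, record))
    print("wrong password   :", verify_password("super$ecretp@ss", record))
```

The record carries its own salt and iteration count, so the cost can be raised later for new passwords without breaking verification of old ones. Hashing protects passwords at rest; it does nothing for a password sent in the clear, which is the next section's concern.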

5. Hackers use sophisticated tools to steal your password.

Actually, many successful hackers don’t require sophisticated tools to acquire passwords. Some simply use crafty conversational skills. In the highly publicised hacking of Wired Senior Writer Mat Honan, the hackers made extensive use of social engineering, a technique that relies heavily on the art of deception. More about this shortly.

In the meantime, let’s talk about how crooks can get a hold of your passwords.

Commonly Used Techniques for Stealing Passwords

1. Hacking into a server that stores passwords in plaintext

There are many ways to do this. I won’t delve into the technical details but they can range from sophisticated-sounding methods like an ‘SQL injection’ to “manual” methods like stealing the server’s hard disk.

Once the attacker gets into the system, passwords can be easily retrieved from the database because they are all in plaintext (as previously explained).

Considering the risks of storing sensitive data in plaintext, you’d think it would be unimaginable for big companies to store passwords in this manner. Well, think again. That’s exactly what Yahoo! did, which led to that massive data breach referred to earlier.
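The SQL injection mentioned above, shown from the defender's side as an added example in Python that is not part of the original article: the same user lookup written with string formatting and with a parameterised query, run against an in-memory SQLite database with constructed rows. Table and column names are assumptions.

```python
# Added example (not from the article): one login lookup written two ways
# against an in-memory SQLite database with constructed sample rows.
import sqlite3


def make_db():
    """Create a throwaway database with constructed rows; the password_hash
    values are placeholders, not real digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "placeholder-hash-1"), ("bob", "placeholder-hash-2")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Vulnerable form: the untrusted value becomes part of the SQL text, so a
    value containing a quote can rewrite the WHERE clause and return every row."""
    sql = "SELECT username, password_hash FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised form: the driver passes the value separately from the SQL,
    so whatever the user typed is only ever compared as data, never parsed."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The textbook probe input: a quote that closes the string plus an always-true clause.
    probe = "x' OR '1'='1"
    print("unsafe, normal input :", lookup_unsafe(conn, "alice"))
    print("unsafe, probe input  :", lookup_unsafe(conn, probe))   # every row comes back
    print("safe, probe input    :", lookup_safe(conn, probe))     # no such user
```

Parameterisation, not character stripping, is the fix: a filter has to anticipate every encoding an attacker might use, whereas a bound parameter is never interpreted as SQL at all. Storing only hashes (previous section) limits what a successful injection can even recover.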

2. Operating as a man-in-the-middle

[Image: man in the middle]

In a man-in-the-middle (MITM) attack, an attacker hijacks communications between two machines (e.g. a server and a client, two clients, a router and a client, or a router and a server). He then sets up his computer to impersonate each legitimate machine to the other, so that they appear to still be communicating directly.

As a result, all of their messages pass through his computer, allowing him to read any information sent in plaintext, including usernames and passwords.

3. Luring gullible victims using trojans

Trojans are malware, disguised as downloadable programs, that hackers make available through harmless-looking emails or websites. That interesting downloadable freebie online, for example, might be a trojan…

Once downloaded, a trojan can stealthily perform whatever nefarious activity it is programmed to do. One common activity is recording keystrokes (keylogging) whenever the victim logs in to a “secure” site; another is scanning memory and extracting what it suspects to be passwords (“memory dumping”). When done, the malware transmits this information to the attacker.

4. Employing social engineering

As mentioned earlier, this technique does not require any sophisticated hacking tool.

A commonly used social engineering trick (known as “phishing”) involves sending out fake notification emails informing users of a data breach at a legitimate website where the users have accounts. The email would then instruct the users to reset their passwords by clicking on a link that takes them to a spoofed website, closely resembling the real one.

The fake page asks the users to enter their username, old password, and new password. Those falling for that then pass their login credentials into the wrong hands.

Another example of social engineering is simply calling a company’s tech support, convincing them you’re someone else, asking for a password reset, and then requesting that the temporary password is sent to an email address you control.

5. Using brute force

Do you know what the crudest way of cracking a password is? Simple. You just make an educated guess.

You can base your guess on the user’s name and a bunch of dates important to him (e.g. his birthday or wedding day). If your first guess doesn’t work, you guess again. And again. And again. Until you get it right. Some systems don’t put a limit on the number of times you can enter a password.

Of course, this can take forever… unless you can automate the process.

Brute-force attack programs like John the Ripper, Cain & Abel, or THC Hydra enable you to do just that. These programs can make a large number of rapid, intelligent guesses, which is great for hackers but not so great for the security of your passwords.
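The server-side answer to “some systems don’t put a limit on the number of times you can enter a password”, as an added example in Python that is not part of the original article: a per-account failed-attempt counter that locks the account for a window after too many consecutive failures. The thresholds, the class name and the demo credentials are assumptions.

```python
# Added example (not from the article): a per-account failed-login limiter with
# a lockout window, the control that turns "guess again, and again" into a few
# attempts per quarter hour. Thresholds and names are assumptions for illustration.
import time

MAX_FAILURES = 5               # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60      # assumption: how long the account stays locked


class LoginGuard:
    """Refuses login attempts for an account that has failed too often.

    check_password(username, password) -> bool is supplied by the caller (in
    practice it verifies against a salted hash); clock() lets tests control time."""

    def __init__(self, check_password, clock=time.monotonic):
        self._check = check_password
        self._clock = clock
        self._failures = {}       # username -> consecutive failures in current window
        self._locked_until = {}   # username -> clock value at which the lock expires

    def is_locked(self, username):
        return self._clock() < self._locked_until.get(username, 0.0)

    def attempt(self, username, password):
        """Return 'locked', 'ok' or 'bad'. While locked, the password is not even
        evaluated, so guesses during the window cost the attacker time, not the server."""
        if self.is_locked(username):
            return "locked"
        if self._check(username, password):
            self._failures.pop(username, None)
            self._locked_until.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        if failures >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            failures = 0              # fresh budget once the lock expires
        self._failures[username] = failures
        return "bad"


if __name__ == "__main__":
    # Constructed demo credentials and a fake clock so the run is instantaneous.
    now = [0.0]
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "correct-horse"),
                       clock=lambda: now[0])
    for guess in ["pw1", "pw2", "pw3", "pw4", "pw5", "correct-horse"]:
        print(guess, "->", guard.attempt("alice", guess))
    now[0] += LOCKOUT_SECONDS + 1
    print("after the window ->", guard.attempt("alice", "correct-horse"))
```

Two caveats a deployment needs: a lockout keyed only on the username lets anyone lock a victim out by guessing deliberately, so real systems combine it with per-source rate limiting, and the counters here live in memory, so they reset on restart and must be shared across servers. Online limits do nothing against offline cracking of a stolen database; that is what the slow hash in the earlier example is for.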

Now that you’re familiar with the common techniques used for stealing passwords, let’s take a look at what tools you can use to foil them.

Must-Have Tools for Maintaining Password Security

If hackers use tools to simplify and automate their exploits, then you should have your own tools to make it more difficult for them.

One thing to keep in mind when choosing a security tool, especially if you’re going to let other people use it, is that it should be easy to use, as well as providing the necessary level of security.

Once a security mechanism or tool is too sophisticated, end users will tend to avoid it. This will make you vulnerable again, and the time and money you invested into it will essentially go to waste.

Keeping that in mind, consider acquiring these tools:

A Password Generator – this helps you create passwords; especially handy if you’re tired of composing your own, and if you need very strong passwords. Here’s a tool that allows you to generate both simple and strong passwords: makeagoodpassword.com

A Password Strength Tester – If you really want to compose your own passwords, you should make sure they’re strong enough. Tools like howsecureismypassword.net can help you determine whether your password is difficult to crack.
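What the two tools above do, as an added example in Python that is not part of the original article or of either website: a generator that draws from the operating system’s cryptographic random source, and a strength estimate of the kind an online tester computes (character-set size, bits of entropy, and time to exhaust the space at an assumed guess rate). The rating thresholds and the guess rate are assumptions.

```python
# Added example (not from the article): a generator backed by the OS CSPRNG
# and a strength estimate of the kind an online tester computes. Thresholds
# and the guess rate are assumptions for illustration.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character independently from the OS CSPRNG (the secrets
    module), never from the random module, whose output is predictable."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_size(password):
    """Size of the smallest character set an attacker must search: the sum of
    the classes actually present. A password of only lowercase letters gets 26."""
    size = sum(len(cls) for cls in CHARACTER_CLASSES
               if any(c in cls for c in password))
    other = {c for c in password if not any(c in cls for cls in CHARACTER_CLASSES)}
    return size + len(other)    # each non-ASCII symbol adds one to the set


def entropy_bits(password):
    """Upper bound on guessing work: length * log2(charset). Dictionary words,
    dates and keyboard patterns are far weaker than this number suggests."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password, guesses_per_second=1e10):
    """Time to try the whole space at an assumed offline cracking rate
    (assumption: 10 billion guesses per second against a fast unsalted hash)."""
    return 2 ** entropy_bits(password) / guesses_per_second


def rating(password):
    """Assumed bands: under 40 bits weak, under 64 fair, otherwise strong."""
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    return "strong"


if __name__ == "__main__":
    for pw in ["password", "Super$ecretp@Ss", generate_password(20)]:
        print("%-24s set=%3d bits=%5.1f %-6s exhaust=%.3g s" % (
            pw, charset_size(pw), entropy_bits(pw), rating(pw), seconds_to_exhaust(pw)))
```

The entropy figure is an upper bound that assumes every character was chosen independently, which is true for the generator's output and false for anything a person composes; online testers that report "password" as taking seconds to crack are applying the same formula plus a dictionary lookup.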

A Password Manager – This tool helps you securely manage all your passwords in one location and means you don’t have to remember multiple, complicated passwords. You can centralize all your passwords from your email accounts, blogs, social networking sites, online banks, and so on. Here’s a popular one that’s also free: KeePass

A Built-in Volume or Hard Disk Encryption – If you prefer to keep your passwords in files and save them to your desktop or laptop, the easiest way to secure them is to use your operating system’s built-in volume or hard disk encryption programs. Using them is pretty straightforward. In Windows, use BitLocker. And in Mac OS X, use FileVault.

An Encryption-Enabled Password Sharing Tool – When people send passwords to work colleagues they usually email them. However, many email services are vulnerable to man-in-the-middle attacks. Use a free tool like Firepass, which encrypts your password and sends it so that only the intended recipient can access it.

Just employing the above five tools will put you way ahead of the crowd. Most people do not put enough thought into creating, storing or sending their passwords, and it’s never too late to start getting serious about protecting your most confidential and sensitive information.

47 thoughts on “Password Secrets : Why Your Password is Never Secure”

  1. Sony has been hacked more often. They were hacked in 2011, 2013 and this year also. In total around 120 to 130 million account users have been hacked. An unknown number also got their credit cards hacked. There were more hacks against Sony, but most didn’t steal any information but were DDoS attacks to slow down the network.

    The rest of this article was really good and I learned a few things from it.
    Thank you and keep up the good work

    Karok

    Reply
  2. Vicky:
    I read all your posts and always find important information that I can use. This post is no
    exception as I learned a lot from it. I am going to start bookmarking all your post for
    future reference.
    Thank you so much

    Reply
  3. Very good… I’m interested in hacking. I know the C language and HTML. Can you please guide me, and what languages do I have to learn to achieve my goal?

    Reply
  4. Most of this I already knew; still, it’s very interesting, especially for uninformed users.

    By the way, I find myself coming back to this website pretty often. You are doing a good job.

    Reply
  5. Hey Vicky, I need more tricks and information like this, so please keep it up. This one is awesome… God bless you.

    Reply
  6. Thank you very much for this information. I don’t understand much English, but Google Translate helped me, and this knowledge is very important to me. From Colombia, thank you very much VICKY.

    Reply
  7. Send me your login names for any site and your password and I can tell you exactly how secure it is. Ask anyone who works in IT security and they will tell you I’m spot on!

    Reply
  8. How is it possible for a hacker to retrieve passwords using SQL injection? And as a web dev, what must be considered to prevent SQL injection?

    Reply
    • Well, SQL injection requires that the hacker know the names of the tables in your database… but a typical naming convention for the “users” table would be easy to guess. Going forward with the assumption that the hacker knows your table names, he would then be able to pull and display any data stored in your database; this would include passwords/usernames that are stored in plain text. A viable option for preventing this would be to store passwords/usernames in encrypted format within the database, or simply use some PHP processing code that strips all special characters that the user enters to prevent SQL/PHP code from being executed. If you have any more questions feel free to email me!
      -Chris

      Reply
  9. You have written a practical and realistic article. I love it because there is no nonsense in this info and it’s not hi-fi like other blogs or articles. Thanks for a lot of useful info.

    Reply
  10. Hey buddy… can you please tell me the way to hack the password, and also tell me about those tools that are used by hackers for hacking…?

    Reply
  11. Behind a password may lie data of utmost value. As Vicky points out, hackers are becoming very sophisticated and can almost always breach your passwords. To keep users’ data safe, use data-centric protection, which keeps your data safe even when threats can access it. Tools offered by http://www.cloudmask.com are created to safeguard data with full anticipation that a password breach will occur. Vicky, please check out this blog post https://cloudmask.com/encryption/anatomy-password-based-security-part-one/ , it really complements your article.

    Thank you very much.

    Reply
  12. Vicky, most sites can be hacked by using harviz (a tool that is programmed to perform SQL injection), so how can we keep our passwords safe from them?

    Reply
  13. I have forgotten my FB password and have no access to the email address. How can I recover my FB account? Can you help me?

    Reply
  14. Practical reads. New kid on the block wondering if AI can hack passwords with SEO; I’ve been using the same password (coincidentally a friend’s website name) and getting “things of interest” on the “password subject” lol. I also notice my internet engineer friend’s SEO is now screwed. Scary thought.

    Reply
