Password Protection Unmasked

How Hackers Steal Passwords: 5 Attack Methods Explained


    Summary

    Passwords are prime targets, with stolen or otherwise compromised credentials ranking as the number one attack type in IBM's Cost of a Data Breach Report and the X-Force Threat Intelligence Index. This video from IBM Technology walks through five methods attackers use: guessing, harvesting, cracking, spraying, and stuffing. Guessing is trial and error, informed by knowledge of the target, a password written on a sticky note, or a publicly leaked password list. Harvesting captures the real password through malware such as a keylogger or info-stealer, or through a phishing site that collects the credentials the user types in. Cracking works on a stolen database of password hashes: a hash cannot be reversed, so the attacker hashes candidate passwords from a leaked list, a dictionary or a brute-force enumeration and compares the results against the stolen hashes. Spraying tries one password once against many accounts on a single system, so per-account lockouts never trigger; stuffing tries the same leaked credentials across many different systems, where no single team sees the whole pattern. Defences are length-first password policies checked against known-breached lists, password managers or secrets managers, multi-factor authentication, passkeys, and rate limiting on login attempts, backed by detection of failure patterns and a response plan of blocking source IPs, disabling suspect accounts, and forcing password changes.

      Highlights

      • Compromised credentials are the number one attack type, so passwords need strong defences. 🚨
      • Guessing is trial and error, made smarter with knowledge of the target or a database of passwords leaked in earlier breaches.
      • Harvesting uses keyloggers, info-stealers or phishing pages to capture the real password rather than guess it.
      • Cracking never reverses a hash: it hashes candidate passwords and compares the output to the stolen hashes. 🧩
      • Spraying tries one password across many accounts on one system; stuffing tries it across many systems. 🔄

      Key Takeaways

      • Passwords top the chart of attacker targets, so they deserve more than a quick choice at sign-up.
      • A guess is only as good as the intelligence behind it, which is why leaked password databases are so valuable to attackers.
      • Harvesting means the attacker already has your password, captured by malware on your machine or by a fake login page.
      • Cracking is slow but not impossible: every hash in a stolen database is one dictionary run away from being matched.
      • Spraying is a methodical, one-attempt-per-account attack designed to stay below lockout thresholds.

      Overview

      Passwords are the digital keys to our secrets, and attackers know how valuable they are. Using methods like guessing and harvesting, they can get past defences and reach sensitive information. Instead of worrying, arm yourself with knowledge: drawing on IBM's video, this page walks through the methods attackers use and what we can do to stop them.

        When a password database leaks, attackers waste no time exploiting it. If the passwords were stored in the clear they can be used directly; if they were hashed, cracking takes over. A hash is a one-way function and cannot be decrypted, so instead the attacker takes candidate passwords from a list of known passwords or a dictionary, hashes each one the same way the breached system did, and compares the result against the stolen hashes. A match means the candidate is the password. It is less detective work than bulk comparison: the attacker never breaks the hash, they just find a guess that produces it.
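The hash-and-compare loop described above, as an added example that is not code from the IBM video or from this page. It assumes a system that stores SHA-256 over salt||password (a fast hash, chosen so the mechanics are visible; a real system should use a slow, memory-hard KDF such as bcrypt, scrypt or Argon2, which raises the cost of every comparison). The wordlist, passwords and "database dump" are constructed inline.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed wordlist standing in for a leaked-password corpus or dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2024!", "dragon"]


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """How a (fast, weak) system might store a password: SHA-256(salt || password).
    Returns (salt_hex, digest_hex) as they would sit in the users table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def store_unsalted(password: str) -> str:
    """The weaker variant: SHA-256(password) with no per-user salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_salted(salt_hex: str, digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one salted hash. The hash is never reversed: each
    candidate is hashed exactly as the system does it and compared. Because the
    salt differs per user, this loop has to be rerun for every stolen hash."""
    salt = bytes.fromhex(salt_hex)
    for guess in wordlist:
        candidate = hashlib.sha256(salt + guess.encode()).hexdigest()
        if hmac.compare_digest(candidate, digest):
            return guess
    return None


def crack_unsalted(digests: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Same attack against a dump of unsalted hashes. Each candidate is hashed
    once and checked against every stored digest via a lookup table, which is
    why unsalted storage lets an entire breach fall in a single pass.
    Returns {digest: recovered_password} for every hash that matched."""
    table = {store_unsalted(guess): guess for guess in wordlist}
    return {d: table[d] for d in digests if d in table}


if __name__ == "__main__":
    salt_hex, digest = store_salted("letmein")
    print("salted:", crack_salted(salt_hex, digest, WORDLIST))
    dump = {store_unsalted(p) for p in ["qwerty", "dragon", "correct horse battery staple"]}
    print("unsalted:", crack_unsalted(dump, WORDLIST))
```

Run as a script it recovers "letmein" from the salted hash and two of the three unsalted ones; the long passphrase survives because it is in no wordlist and brute-forcing 28 characters is out of reach. Salting stops the lookup-table shortcut, and a slow KDF makes each individual comparison expensive; together they are what turns a stolen hash database from a cleartext-equivalent into something that takes real work to exploit.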

          Defending against these techniques needs a layered strategy. On the prevention side, check password strength at creation (length matters more than complexity), reject anything found in known-breached lists, use multi-factor authentication, and rely on a password manager for unique, generated credentials; passkeys remove the password altogether. Prevention is then backed by detection of abnormal login-failure patterns and a response plan that blocks suspicious sources and locks down compromised accounts. Turn knowledge into action and lock the attackers out.
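A password-acceptance check along the lines described above, as an added example that is not code from the IBM video or from this page. The breached-password list is a constructed stand-in for a real corpus; the prefix lookup is modelled on the range-query approach used by breach-check services, where only the first five hex characters of the SHA-1 hash are sent and the suffix is compared locally, so the password itself never leaves your system. The minimum length and the distinct-character check are this example's own assumptions, not the video's.

```python
import hashlib
from typing import Dict, Iterable, List, Set

MIN_LENGTH = 12  # assumption: a length-first policy; tune to your own baseline

# Constructed stand-in for a breached-password corpus (real lists are huge).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "Summer2024!", "P@ssw0rd"}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_prefix_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """Index breached hashes by the first five hex characters of their SHA-1.
    A lookup sends only that prefix (to a file, service or database) and compares
    the 35-character suffix locally, so the check reveals neither the password
    nor its full hash."""
    index: Dict[str, Set[str]] = {}
    for pw in passwords:
        h = sha1_upper(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_prefix_index(BREACHED_PASSWORDS)


def is_breached(password: str, index: Dict[str, Set[str]] = BREACH_INDEX) -> bool:
    h = sha1_upper(password)
    return h[5:] in index.get(h[:5], set())


def evaluate_password(password: str) -> List[str]:
    """Return the reasons a candidate should be rejected; an empty list means accept."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("found in a known-breached password list")
    if len(set(password)) < 4:  # catches "aaaaaaaaaaaa": long, but trivially guessable
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Summer2024!", "aaaaaaaaaaaaaaa", "correct horse battery staple"]:
        print(f"{candidate!r}: {evaluate_password(candidate) or 'accepted'}")
```

The order of the checks is deliberate: length is the cheapest test and the one the video singles out, the breach lookup rejects the exact strings spraying and stuffing attacks start from, and the distinct-character rule is there only because a pure length rule would otherwise accept a run of one letter. Note that this rejects passwords, it does not score them; a rejected "Summer2024!" fails on two counts even though it satisfies every classic complexity rule.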

            Chapters

            • 00:00 - 00:30: Introduction. Stolen, misused or otherwise compromised credentials are the number one attack type according to IBM's Cost of a Data Breach Report and the X-Force Threat Intelligence Index. The video covers five techniques attackers use: guessing, harvesting, cracking, spraying, and stuffing. The aim is to arm defenders; attackers already know all of this.
            • 00:30 - 02:00: Password Guessing. An attacker submits guesses based on imagination, knowledge of the target, a password on a sticky note left on the machine (the "PC sunflower"), or a database of passwords leaked in the clear from earlier breaches. Because most systems lock the account after three failed attempts, guessing only works when the guess is very good.
            • 02:00 - 03:30: Harvesting. The attacker learns the real password instead of guessing it. A keylogger or info-stealer installed on the victim's machine records everything typed and either stores it for later retrieval or sends it to the attacker in real time, or a phishing site tricks the user into typing credentials into a fake login page. Keeping the system free of malware is the main defence.
            • 03:30 - 05:00: Cracking. The attacker breaks into a system and pulls out its database of stored passwords. If the system did a decent job, those passwords are hashed with a one-way function and cannot be reversed. Instead the attacker takes candidate passwords from a leaked-password list, a dictionary, or in the worst case a brute-force enumeration, hashes each one the same way, and compares; a match reveals the password without the hash ever being broken.
            • 05:00 - 07:00: Password Spraying. One password, typically a common one from a breach corpus, is tried once against every account on a single system. People reuse passwords, so a common one has probably been chosen by somebody on the system, and the attacker does not care which account they get into. One attempt per account means the three-strikes lockout never fires and the attack flies low and slow under the radar.
            • 07:00 - 08:30: Credential Stuffing. The same idea applied across many different systems rather than many accounts on one system. It is even harder to detect because each system usually has a different security owner, so nobody is monitoring across all of them.
            • 08:30 - 11:00: Prevention Techniques. Test password strength when a password is set, with some complexity but favouring length, since length is strength; check it against a database of known bad passwords; where possible detect reuse across systems; use a password manager (or an enterprise secrets manager) to generate and store unique passwords; add multi-factor authentication with something you have or something you are; prefer passkeys, which replace the password with a cryptographic credential; and rate-limit login attempts against a baseline of normal traffic.
            • 11:00 - 13:00: Detection Techniques. Watch for two patterns: an increase in authentication failures over a time interval, and, the signature of spraying, failures spread across many different accounts on the same system. A patient attacker can spread attempts over a long period, so thresholds matter.
            • 13:00 - 15:00: Response Strategies. Block the source IP addresses behind a burst of login attempts; after a detected spray, find the account where the sprayed password finally worked and disable it pending investigation; and for any account known to be compromised, lock it and force a password change so the attacker's stolen credential is useless.
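The two detection signals from the Detection chapter, plus the first two response steps, as an added example that is not code from the IBM video or from this page. The log format, field names, source addresses, account names and thresholds are all assumptions constructed for the example; a real deployment would parse its own authentication logs and tune the window and thresholds to its observed baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed authentication log. Assumed format:
#   "<ISO-8601 UTC timestamp> ip=<source> user=<account> result=OK|FAIL"
# 198.51.100.7 is a legitimate user who mistyped once; 203.0.113.5 sprays one
# password across six accounts and succeeds on "dave".
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.7 user=alice result=OK
2024-05-01T10:01:00Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:01:30Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:02:00Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:02:30Z ip=203.0.113.5 user=dave result=OK
2024-05-01T10:03:00Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:03:30Z ip=203.0.113.5 user=frank result=FAIL
"""

WINDOW = timedelta(minutes=10)     # assumption: sliding window per source
MAX_FAILURES_PER_SOURCE = 5        # "multiple failures over time"
MAX_ACCOUNTS_PER_SOURCE = 4        # "multiple failures over the account space"

Event = Tuple[datetime, str, str, bool]  # (time, source_ip, account, success)


def parse(log: str) -> List[Event]:
    events: List[Event] = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, fields["ip"], fields["user"], fields["result"] == "OK"))
    return events


def analyse(events: List[Event]) -> Dict[str, dict]:
    """Flag sources whose failures, within one WINDOW, either exceed a burst
    threshold or are spread across too many distinct accounts (spraying).
    For each flagged source, also list successful logins inside that window:
    those accounts are the ones a spray most likely got into and are the
    candidates to disable, while the source itself is the IP to block."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[3]]
        for i, (t0, _, _, _) in enumerate(fails):        # slide the window start
            window = [e for e in fails[i:] if e[0] - t0 <= WINDOW]
            accounts = {e[2] for e in window}
            reasons = []
            if len(window) >= MAX_FAILURES_PER_SOURCE:
                reasons.append("burst")
            if len(accounts) >= MAX_ACCOUNTS_PER_SOURCE:
                reasons.append("spray")
            if reasons:
                suspect = sorted({e[2] for e in evs if e[3] and t0 <= e[0] <= t0 + WINDOW})
                findings[ip] = {
                    "reasons": reasons,
                    "accounts_failed": sorted(accounts),
                    "suspect_logins": suspect,   # disable pending investigation
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in analyse(parse(SAMPLE_LOG)).items():
        print(f"block {ip}: {finding}")
```

The per-account "three strikes" counter that most systems already have sees nothing here: every account fails at most once. Grouping by source and counting distinct accounts is what makes the spray visible. The caveat the video itself raises still applies: an attacker who spreads attempts over days, or across many source addresses, will stay under a ten-minute window, so the same logic should also be run over longer windows and, for stuffing, correlated across systems rather than within one.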

            How Hackers Steal Passwords: 5 Attack Methods Explained - Transcript

            • 00:00 - 00:30 Have you ever wondered how a bad guy hacks your password? It's a big problem. In fact, according to both IBM's Cost of a Data Breach Report and the X-Force Threat Intelligence Index, stolen, misused, or otherwise compromised credentials are the number one attack type. There are lots of ways this is done, but in this video, I'm gonna focus on five different approaches they use. Guessing, harvesting, cracking, spraying, and stuffing, and don't worry that I'm giving away any secrets because the bad guys already know this stuff. My purpose is to arm the good guys with this knowledge
            • 00:30 - 01:00 and provide some tips at the end on what you can do to prevent this from happening to you. Let's start first with password guessing. So here we have a bad guy who's gonna try to hack into this system, and he's gonna posit some particular guess into the system. Well, what is he gonna base that guess on? Well, it might just be out of his imagination. It might be just knowledge about the individual who owns this system.
            • 01:00 - 01:30 It could be because he walked by where their laptop was and saw a yellow sticky on the system. We refer to these things as the PC sunflower, because people collect a lot of those around their systems, and he just reads a password off of that. So a lot of different ways they could base this. And one other possibility is they use a password database. That is, when systems have been cracked in the past, sometimes we get to find out what all those passwords were in the password database, in the clear. And those are made available publicly on the Internet, and attackers can use that.
            • 01:30 - 02:00 So anything the attacker can do to make a more intelligent guess, those would be the different items that they would consider. Well, if it's a guessing attack, they're then going to try to log in. And if they're wrong, okay, then they try again. And if they're wrong again, in most systems, you get three strikes and you're out. So that's the problem, and that's the reason, by the way, that those three-strikes policies are in place. So someone can't just keep guessing over and over again.
            • 02:00 - 02:30 So usually he's gonna get three guesses and then the account will be locked out. So unless this is a really good guess, that's probably not a very effective way to do things. Now, another approach would be harvesting. This is where the attacker is going to actually know what the password is, and it's not a guess. In a harvesting attack, and there are a number of different ways this could occur, but one is they install some sort of malware on this system. That malware we call a keylogger. And everything that's typed on this system then is sent to this guy.
            • 02:30 - 03:00 It's either stored locally and then later he retrieves it, or it's sent in real time. But that keylogger, or an information stealer, info-stealer, or whatever you want to call it, is something that's recording everything they type, including passwords. So that could be fed directly into this guy, and he knows exactly what to enter. So obviously we need to keep this system clean, so that it doesn't have that kind of malware on it. Another thing that could happen is through a phishing attack, where this user is convinced
            • 03:00 - 03:30 to log in to some particular website, and then the website is a fake. They think it's a real one, and they type in their credentials there, and then those flow here. In either of these cases, the bad guy has just harvested the information and can now log in directly. Okay, now let's take a look at another technique. We call it cracking. In password cracking, what the attacker is going to do is start with a database of stored passwords.
            • 03:30 - 04:00 Maybe he logs into the system, hacks into a system, and pulls out that database where all the passwords are stored, and he extracts those. But here's the thing. Assuming they did a decent job of security, these passwords are hashed. That is, using a special one-way encryption technique that cannot be reversed. So they're not readable in any normal sense, and there are going to be a number of these hashed passwords that now the attacker has available to them, but in and of themselves, in the hashed form, they're no use.
            • 04:00 - 04:30 So what can he do in order to reverse what is an irreversible encryption? Well, you can't, but you can back your way into discovering what the original password was. And the way that gets done is you start with, again, a different type of guess. What you would do maybe is take one of these databases of publicly known available common passwords, or you could use a password dictionary.
            • 04:30 - 05:00 Those are also available on the internet. So you can find a lot of different ways, or, in the worst case, you start doing a brute force where you try every single possible password combination. But you use some source to pull out a clear-text password that you can read, and you hash it in the same way these passwords are hashed. Then you just do a comparison and say, is this equal? Well, if it's not, then I move on.
            • 05:00 - 05:30 Is it equal? Is it equal? And then if it is, then I didn't have to know what the original password was. I didn't have to break the encryption. What I did was I figured out what my guess was, and I knew that it matched, so therefore I know I have found the right password. That's a way of cracking a password. Our fourth type of technique is called password spraying. And in password spraying, again, we need to start off with an attempt, a guess. Now again, we could get this maybe from this publicly available information; it could be a lot of other sources,
            • 05:30 - 06:00 but we're gonna start off with a guess, and what we're going to do is, across a particular system, there will be multiple accounts. So we have account one, account two, and so forth, all the way down to account N. So lots of accounts on this system. And what we're gonna do is we're going to take that password that we have as a guess, and we're going to try it here and see if it works. And if it does, of course we're in.
            • 06:00 - 06:30 If it doesn't, try it down here. Then try it down here. Try it for all of these. That's why it's called spraying, because we're spraying it across all of the different accounts within a particular system. And the attacker, think about it from their perspective, they don't necessarily need to get into account two or account one. Their goal is just to get into anything. So they'll take any password and try it across all of these until they finally get a hit. And why does this work?
            • 06:30 - 07:00 Well, because people tend to use the same passwords again and again. So something that is in this publicly available database that was based on a previous breach, probably someone, if it's a common password, someone has used that password on this system as well. So it's a good place to start with guessing. And in that guessing, again, the advantage to spraying is it avoids the three-strikes penalty. We're only doing one attempt. If it doesn't work, we move on to the next account. Then we move on to the next account, and the next account, and so forth.
            • 07:00 - 07:30 So that way, unless someone is really looking hard, they're not gonna even know that they're under attack, because it flies slow and low, below the radar. A similar type of attack is credential stuffing, which is the same kind of idea. It's just a variation on a theme. In this case, we're gonna take our password guess and we're going to try it across not multiple accounts, but multiple systems. So I'll try it across a particular system; if this is system one, and then system two,
            • 07:30 - 08:00 system N, I'm gonna try this on this particular system. And if it works, again, I mean, if it doesn't, I move on, and I move on. That's what the attacker is going to do in this case. Now again, very similar to spraying, but notice the difference is, these are across different systems. This is across a single system. So same concept. This one is even harder to detect because probably the person
            • 08:00 - 08:30 that is responsible for security on this system may not be the same one that's responsible on this system. So they may not be able to monitor and look across all of these. So here again, we're leveraging these well-known bad passwords and guessing across these systems. Okay, now we've taken a look at five different types. There are other ways as well, but at least we've taken a look at these. Now, what can you do to prevent this from happening? How can you keep from being a victim? Well, there are three things that we do in cybersecurity.
            • 08:30 - 09:00 We do prevention, detection and response. So let's first take a look at some things you can do for prevention. So one of the prevention things we can do is test password strength. So when someone types a password into your system, you ought to be able to test and see if it's got the right level of complexity to it. Don't make it too complex because then people just have to go write it down. But some level of complexity and length, and by the way, length is strength when it comes to passwords. So longer is probably even better than complexity.
            • 09:00 - 09:30 Also check it against a database, like we've talked about before, of these known passwords, known vulnerable passwords, and make sure it doesn't match any of those. If you can, test and see that someone is using a different password across multiple systems. So there are a lot of things you can do there. And to that last point, something you can do to encourage people to use multiple passwords and complex, long passwords is to use a password manager or a password vault. Some sort of secrets management system, if you're looking at this on an enterprise level,
            • 09:30 - 10:00 or a password manager, if you are talking about it on a personal level. Here, the system can generate strong passwords for you and keep track of all of those for you. Also, it will encourage you, so that you're less likely to use the same password across multiple systems, therefore reducing your attack surface. Another thing is to use multi-factor authentication. Don't rely just on a password. Look for other things, not just something you know: something you are, something you have.
            • 10:00 - 10:30 So maybe a message to your phone, or a biometric like a face ID, or something along those lines. What's the best way to not get your password stolen, though? Don't have one. Don't have a password. Get rid of passwords and go with passkeys. Sounds like the same sort of word, but it's a lot different. The solution is a lot stronger. It's based on cryptographic techniques. I won't get into the details of it, but if you have an option to choose passkeys, do it. And then the last one I'll mention in terms of prevention is rate limiting.
            • 10:30 - 11:00 We want to make sure that someone isn't able to just flood our system with tons and tons of password logins. You want to baseline and understand what is a normal level of traffic for people trying to log in, and don't accept it if all of a sudden you have just a burst of login attempts that don't make any sense. Okay, then moving to detection, what can we do there? Well, I'd like to look for a couple of different situations based upon spraying and credential stuffing.
            • 11:00 - 11:30 One is multiple failures over time. I wanna see if I'm seeing an increase in the number of failures over a given interval of time. Now, if an attacker is really smart, they'll spread this out over a really long time, but if they're not, then you might just suddenly see a whole bunch of attack attempts, and you would want to flag that and then take some action, which we'll talk about in a second. Also, another thing you could be looking for is multiple failures over the account space. So on a particular system you will be looking for: did I have a failure on
            • 11:30 - 12:00 one account, then another account, then another account, another account. That would be a sure-fire sign that we're looking at a password spraying attack. By the way, patent pending on that one, so stay tuned. Now let's move on to the response side. What could you do once you've discovered that you're under attack? What should you be doing? Well, one of the things you want to do is block suspicious IPs, IP addresses, because, you know, if you're seeing tons of logins from one place all at one time, that's probably a bad actor.
            • 12:00 - 12:30 So let's just block that IP. Disable compromised accounts is another. Once we know that an attack has occurred, we should go back and look and see if maybe that one password that was attempted across lots of different ones and then suddenly worked on one. Okay, that was a spraying attack and the one that got logged into is probably suspicious at this point. So maybe we want to block that until we can do an investigation,
            • 12:30 - 13:00 and then ultimately, if we know an account has been compromised, we lock it out, we force a password change. So that way the attacker can't use the information that they already have to get into the system. So there you have it, lots of ways for attackers to get in and lots of ways for you to keep them from doing it. Do these things and you'll make life a lot harder for the bad guys, and that's how we want it to be.