Password Stealing 101: Common Methods and Defenses

If you want to defeat a cybercriminal, you have to understand how they think. When you know the tools of their trade, you can learn defenses to help you fight back.

Ultimately, most cybercriminals want to earn money from their misdeeds. While some may try to lock up data via ransomware or steal processing power via illicit cryptominers, many simply want to get into systems, steal data, and resell it on the dark web. Often, the first step involves getting access to user accounts via their username and passwords—and cybercriminals have multiple ways of doing it.

Today, I’m covering three common methods cybercriminals use to get passwords from users—and how you can fight back. This list certainly isn’t exhaustive, but it’ll explain some of the most common methods.

Brute-force attacks

Passwords are rarely stored in plaintext anymore. They’re usually hashed using a one-way algorithm or encrypted using one or more encryption keys. Brute-force attacks attempt to get around hashed or encrypted passwords by trying multiple combinations to discover an encryption key or the output of a hashed password.

Cybercriminals can unencrypt passwords if they get the encryption key. Brute-force attempts on encrypted passwords often involve trying to figure out the encryption key for the service, then using that knowledge to try username/password combinations until they find a match. However, software vendors can take preventive steps to make encrypted passwords harder to decrypt. Steps include using multiple encryption keys, encrypting the password multiple times, and ensuring the account holder is the only one who knows at least one encryption key.

You can’t unhash hashed passwords. The algorithm used is one-way—meaning you can’t use the same algorithm to turn the password back into plaintext. Instead, when authenticating, services compare the hashed output of a user’s password against a known hash in their database. To provide an incredibly oversimplified example, let’s say your password is cat. When you put this into the service, the algorithm outputs H14c!. Each time you authenticate with cat, the application will run your input through the algorithm, then grant access if the output matches H14c!. If someone manages to steal the password database, they won’t be able to use the algorithm to turn H14c! back into cat. Instead, they’ll run a series of potential passwords through common hashing algorithms. If the hashes match, they can reverse engineer your password and get into the intended service (and likely others if you’re reusing passwords).

Fighting back: Regardless of whether your service uses encryption or hashing algorithms, the best way to fight back against brute-force password cracking attempts is to use hard-to-guess passwords. Make sure they’re lengthy, unique, and use a mix of capital and lowercase letters and special characters.

Credential stuffing

Credential stuffing involves using previously breached data from one service and using it on another. For example, if criminals breach a common social networking site and get a list of usernames and passwords, they can try these username/password combinations on other common services as well. When they attempt this in bulk, they’re bound to get hits on services that let them get even more sensitive information—like payment info or health records.

Fighting back: Credential stuffing relies on the fact people often reuse passwords to make them easier to remember. So make sure your employees and customers know to use unique passwords for every important service. Additionally, refresh passwords periodically to keep them from going stale. If you reset passwords frequently enough, it reduces the amount of time a breached password can be useful for credential stuffing.

Phishing and social engineering

Another common method of stealing passwords involves deception. People can often fall for a convincing (or even only slightly passable) scam. All it takes is someone clicking the wrong link in an email and entering their credentials into a convincing-looking fake website. And email isn’t the only delivery method—criminals often use social media links, SMS messages, or phone calls to trick people into giving up the goods.

Prevention: There are several ways to reduce your risk. First, a good email security solution can help reduce the amount of spam and phishing attempts that land with your customers. However, this doesn’t help with social- or phone-based attacks. Instead, offer user training to teach people to recognize potential scams. Teach them common signs of a scam such as generic greetings, poor spelling or grammar, and fake website URLs. Also, make sure they know to never give out credentials unless they’ve specifically requested communications such as a password reset or technical support from the sender. This can be particularly important for phone-based scams. For example, if someone from an online payment vendor attempts to contact a user, they should hang up and dial the main line to verify the caller is from the company. Also, don’t stop at one training—consider sending out frequent reminders of the basics of phishing and social engineering prevention to your customers. This helps customers stay alert to dangers—but also reinforces the value you provide.

Enforcing password best practices

Despite your best efforts, humans are still fallible. Even IT and security professionals can sometimes fall into poor password practices from time to time. One of the best ways to protect credentials involves using a strong password management solution to help enforce password management best practices across your team.

SolarWinds^® Passportal helps your team automatically generate strong, unique passwords while retaining efficient one-click access to the services they need to do their jobs. Additionally, you can easily grant and revoke access as needed, and force password resets as needed. Plus, we use robust encryption on all passwords to make them even harder for cybercriminals to crack. Learn more today at passportalmsp.com/.