When the first home computers appeared, the concept of a password was alien to most people. After all, without computers, why would most of us need a password?
However, while most people naturally gravitated towards what we would now consider very insecure passwords – simple dictionary words or memorable names and dates – there is now a much greater awareness of what constitutes a secure password. Most services will now force users to choose a secure password when they register. Because of this, anyone looking to break into an account that doesn’t belong to them has their work cut out. Or do they?
Into the Breach
Breaking into a password-protected system is possible, albeit prohibitively difficult for most people. Modern encryption standards are incredibly secure and the chances of an attacker being able to guess or brute force a truly secure password are small (more on that later).
This is why hackers today tend to rely more on social engineering – hacking people rather than computers – to undermine security systems and gain access to networks. But in some cases they don’t even need to do that; they can instead turn to database dumps.
We have seen a number of high-profile data breaches in recent years. When these occur, databases containing passwords and other personal information are posted online or sold on the dark web. These data dumps are a valuable tool for hackers. They allow them to access user accounts on other services where the same password has been used.
Proving that no one is immune to the efforts of attackers to break into systems and steal passwords, one of the world’s most prominent cybersecurity providers was hit by a hack that used dumped user data to break into accounts of up to 2,000 users. This attack utilized a method known as ‘credential stuffing’. This basically involves using the account details stolen from one service provider to access user accounts on other services.
Of course, this relies on people doing something they are repeatedly warned not to – reusing the same credentials across multiple services. However, as the continuing success rate of these attacks shows, there are plenty of people who are doing just that.
Imagine you have a padlock that is unlocked by entering the correct 4-digit sequence. Without knowing anything else about the password, you can go through each of the 10,000 possible combinations, starting at 0000 and ending with 9999. You will eventually have opened the lock, even if it takes you a while.
This approach – working through a sequence of potential passwords – is known as brute-forcing. Using only strings of numbers for passwords is highly insecure, as all a computer has to do to break one is count until it reaches the correct password.
If you have a database of passwords and you know that one of them is the right one, you can launch a brute force attack that tries each potential password in sequence. If you don’t have such a database, you can launch a dictionary attack that utilizes a database of common passwords.
The more computing power available, the less time it will take to successfully brute force a password. By utilizing proxy networks, attackers are able to execute hundreds of thousands of password attempts each second.
Ch-Ch-Ch-Changes (or not)
According to a study from Google, as many as 1.5% of passwords are vulnerable to credential-stuffing attacks. This means that people are reusing their credentials across different services. If you do this then a breach in just one of those services could compromise all your other accounts that share login information.
In order to conduct their study, Google produced a browser extension that would automatically check an anonymized hash of any password the user entered against a database of compromised account information. If a match was found, the user was alerted. However, Google discovered that only 26% of users acted on these warnings to change their passwords.
The good news is that it’s actually pretty easy to stay secure online. There are a plethora of password managers on the market that you can use to manage your passwords for you. Not only will they remember your passwords, but they will also generate secure ones for you. If one account is compromised, it won’t matter as much because you won’t be reusing the same credentials elsewhere.
You can use haveibeenpwned.com to check if any of your accounts have been compromised. If they have, make sure that you change passwords on any services that use the same information. If possible, you should also be changing your passwords regularly. As long as you follow the above advice, you should be fine.
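The kind of check described above, comparing a hash of a password against a breach corpus without sending the password itself, can be demonstrated with the k-anonymity range query that haveibeenpwned.com's Pwned Passwords API uses. This is an added example, not code from the page, from Google's extension or from haveibeenpwned.com; the live endpoint URL in live_fetch_range is assumed from that public API, and the sample range response is constructed for the example (only the first suffix is the genuine SHA-1 remainder of the string "password").

```python
import hashlib
from typing import Callable
from urllib.request import Request, urlopen

# Constructed sample of what a range query for prefix "5BAA6" might return.
# First suffix: real SHA-1 remainder of "password". Other suffixes and all
# counts are made up for this example.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "A" * 35 + ":2",
        "F" * 35 + ":15",
    ]),
}

def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the network call: returns the constructed response."""
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")

def live_fetch_range(prefix: str) -> str:
    """Query the public Pwned Passwords range endpoint (assumed URL; needs
    network). Only the five-character hash prefix leaves the machine."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "password-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """Return how many times `password` appears in the corpus (0 if never).

    The password is hashed locally with SHA-1 and only the first five hex
    digits are sent, so the service cannot tell which of the many hashes
    sharing that prefix was checked (k-anonymity). The remaining 35 digits
    are compared locally against the returned SUFFIX:COUNT lines.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if ":" not in line:          # skip blank or malformed lines
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0

if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw)
        print(f"{pw!r}: {f'seen {n} times' if n else 'not in sample corpus'}")
```

Pass live_fetch_range as the second argument to check against the real corpus; the default offline fetcher keeps the example self-contained.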
With billions of account passwords leaking from all sides, you can never be too careful.