How Ha*kers Can Steal Your Password 

​Using strong passwords, mixing case sensitive alphabets with numbers (alphanumerics) and dealing with only reputable online platforms are myths we believe guarantee a rigid online account security. 

 Well, if you think these are all that are required to guarantee account safety then, how do you explain these for instance:

LinkedIn – A file with 6.5 million passwords appeared in an online forum based in Russia.

Yahoo – 450,000 usernames and passwords from Yahoo! were posted online

Sony (Playstation) – This massive breach involved 77 million Sony PlayStation user accounts containing passwords and other personal information.

These are reputable tech giants, believed to be implementing the strongest security countermeasures available. But even these are not strong enough to withstand attacks all the time.

This is because, as technologies keep advancing, ha*kers also keep stepping up their games. 

Now let’s see how ha*kers carry out these attacks:

Man-in-the-middle Attack 

In a man-in-the-middle (MITM) attack, an attacker hijacks communications between two machines (e.g. a server and a client, two clients, a router and a client, or a router and a server). He then sets up his computer to impersonate both legitimate machines and then makes it appear they are still communicating with one another.

As a result, all of their messages would pass through his computer, allowing him to view any information that is sent in plaintext; including usernames and passwords.

Hacking into servers that stores passwords in plaintext

This can range from sophisticated methods like an ‘SQL injection’ to “manual” methods like stealing the server’s hard disk.

All the attacker needs to do is, gets into the system, where passwords can be easily retrieved from the database because they are all in plaintext.

Considering the risks of storing sensitive data in plaintext, you’d think it would be unimaginable for big companies to store passwords in this manner. Well, think again. That’s exactly what Yahoo! did, which once led to their massive data breach.

Employing social engineering (Phishing/ Scammails E-mails)

This technique does not require any sophisticated hacking tool. 

A commonly used social engineering trick (known as “phishing”) which many of us are already familiar with involves sending out fake notification emails informing users of a data breach at a legitimate website where the users have accounts. The email would then instruct the users to reset their passwords by clicking on a link that takes them to a spoofed website, closely resembling the real one.

The fake page asks the users to enter their username, old password, and new password. Those falling for that then pass their login credentials into the wrong hands.

Another example of social engineering is simply calling a company’s tech support, convincing them you’re someone else, asking for a password reset, and then requesting that the temporary password is sent to an email address you control. 

Using brute force

This is probably the crudest way of cracking a password?

You can base your guess on the user’s name and a bunch of dates important to him (e.g. his birthday). If your first guess doesn’t work, you guess again. 

And again. And again. Until you get it correctly. Some systems don’t put a limit to the number of times you can enter a password. Of course, this can take forever unless the attacker automates it using programs like John the Ripper, Cain & Abel, or TCH Hydra. These programs can make a large number of rapid intelligent guesses, which is great for hackers, but not so great for the security of your passwords.

Luring gullible victims using trojans

Trojans are malware, disguised as downloadable programs, that hackers make available through harmless-looking emails or websites. That interesting downloadable freebie online, for example, might be a trojan. 

Once downloaded, a trojan can stealthily perform whatever nefarious activity it is programmed to do. One common activity is recording keyboard strokes (keylogging), whenever the victim login to a “secure” site; another is scanning the memory and extracting what it suspects to be passwords (“memory dumping”). When done, the malware transmits this information to the attacker. 
Now that you’re familiar with the common techniques used for stealing passwords, wouldn’t you rather stay up for our post on how to rigidly secure them?.

Want to share your views? Then use the comment box below. Also, if you enjoyed this post and want to get it to your social circles, then use any of the share post icons below and above the post, it helps us grow. Again, bookmark our site, like our Facebook page from here by tapping any of the Facebook page (with page banner) displayed above and below the page, if you haven’t done so and be sure not to miss any of our updates.



Leave a Reply