How do hackers steal passwords

How do hackers steal passwords

How do hackers steal passwords and personal data? Social engineering. Cookie theft. Keyloggers. Brute force.
2.11.2014 / 19:18 | pomnibeslan

How hackers crack and steal passwords online


Cybercriminals go for many tricks to steal user passwords to all kinds of websites: personal pages in social media, accounts in the online games, payment systems, etc. Statistics of identity theft in the network is replete with alarming numbers. Not to find yourself among the victims who have lost their accounts, let's review the basic methods that hackers use to steal passwords — social engineering, exhaustive password cracking (brute force), implantation of keyloggers and interception of cookies. Having an idea about these malicious “technologies”, you can effectively resist them and keep the proper level of security and confidentiality of personal data.

The superb fairy-wren (Malurus cyaneus) is a small passerine. Bird protects his precious progeny from planted on the nest parasitic cuckoos with no less than a password! As soon as his chicks hatch out, he teaches them to reproduce a unique trill. Of course, the progeny of sassy mother cuckoo know nothing about this tune, because they hatch out two or three days later.

The triumph of justice and vengeance comes during the nursing. Chicks of superb fairy-wren, as soon as they see parents coming to the nest, begin to peal a password trill they know from the first days of their life. Only the ones who can sing a native trill are the legal heirs — so they get food. And cuckoo chicks are left with nothing and soon die of hunger.

For the first site it is an interesting picture from nature, but it is so alike to what happens in the boundless wilderness of Internet: here also are passwords and good and bad characters — hackers and simple users.

Well, dear readers, to save your precious logins and passwords from mean people you do not need to learn trills. But it is useful to learn about various methods of personal data theft. If you want peace, prepare for war!


Social engineering

Social engineering

Main instruments of attacker in this method are user’s naivety and excessive curiosity. No sophisticated software tricks, no insidious viruses and other hacking techniques.

Criminal knowing only the e-mail login of his victim inserts it to the entrance form of e-mail service. Then he says to system that he forgot a password. Monitor displays a security question — hacker does not know the answer, but now he knows what is in the question. Here begins the most “interesting”: according to the question topic hacker sends to his victim a tricky letter where he tries to learn — in a veiled form — a correct answer. The insidious message might look like this: “Hello! This is a cooking website such-and-such… What is your favorite food?” And this is just one example. A great number of similar tricks go around the network. So be careful when you read your mail!


Cookie theft


Cookie is a session data file that website stores in the user's browser. In the encrypted form cookie holds login, password, ID and other information to which a website periodically takes access during the work.

Hacker who knows the vulnerability of a particular website (forum, e-mail service, social media) writes a special script to draw out cookies from the victim’s browser and to send them to his criminal hands. This malicious thing cannot happen without the participation of account holder, because a harmful script needs to be run at his will. For this reason malicious code is wrapped into the attractive lure: a picture, engaging letter, request, etc. The main objective is to draw a victim to click on a given link. And if it happens at last, a hacking script sends cookies from user’s browser to sniffer on a third-party hosting (network traffic interceptor). Only after this work script addresses a user to where he was promised in the message: a dating website, video hosting, photo gallery, and so forth. Of course, the account holder suspects nothing, because this fraudulent practice takes only 5 seconds.

By using the stolen cookies hacker can seize the user's session: insert them into his browser and enter to the victim's account with rights of the owner. And, if he doesn’t manage this, hacker also can try to decrypt the password stored in the cookie file. If password is only 5-6 symbols long, it is likely that he succeeds. The fact that encrypting algorithm MD5 works only in one way, that is, it cannot be directly decrypted, does not stop hackers. In this case they use a method of searching; on the hacker online services they search for matching results in the special dictionaries with prepared word pares. For example: MD5 “a865a7e0ddbf35fa6f6a232e0893bea4” is nothing more than “my_password”.
Do not be lazy to compose long and complex passwords! And this trouble will bypass you.


Keyboard spy loggers (keyloggers)

Keylogger is a program that records in its log file all user keystrokes. It works discreetly, without showing its presence in any place of the system: a tray, system processes or registry. Not every antivirus is able to recognize a skillfully written keylogger.

User of the infected PC can conveniently sit near the display and peacefully input his login... and then his password at one website, then at another one and so on. This time keylogger works hard: it captures data, saves it, encrypts, and then sends to his hacker.

To counteract this small, but breaking spy, you can use a virtual keyboard and special utilities which automatically fill in the website login forms.


Brute force

It is a method of password cracking performed by the exhaustive search in a range of possible variants taken from the special dictionary. Brute force is very efficient when password is not longer then 5-6 characters or is a simple sequence (“11111”) or a word from human dictionary (“monkey”).

To leave a brute force hacker empty-handed, use the online password generator Sinhrofazotron.

The reviewed methods of theft and cracking are just a tiny tip of the dangerous iceberg. There are actually a lot more. And what's more to that — “the new solutions” appear in the Internet every day, and they are more insidious and dangerous then past ones. But all these crimes, to some extent, can be stopped with a complex password.

Wish you secure Internet and good luck!