- October 24, 2022
- Posted by: jordanwertley
- Category: Cybersecurity

How Is a Password Stolen?
Password theft is at the center of data breaches, missing credentials, and countless other IT heartaches. But how do passwords get “lost” in the first place? Below, we’ve outlined a few of the most common methods cybercriminals and hackers use to steal credentials from their victims, in rough order of frequency. You’ll also find tips to help protect yourself and your precious passwords from each method. Keep those passwords safe and avoid stolen passwords!
Phishing
What is it?
Imagine a phishing attack. You might picture an email full of misspelled words, sent from a poorly-faked email address, spinning a blatantly false tale. Stranded overseas royalty promises riches in exchange for help. A “government agency” threateningly demands nonexistent back-taxes in the form of gift cards. Someone claiming to be a doctor offers dubious medical miracles to cure issues the recipient doesn’t even have.
Be careful – you may be underestimating the single most successful method of password theft. Phishing has evolved well beyond the Nigerian Prince scams of the early 2000s, and would-be scammers are scary-smart about fooling victims.
How does it work?
Most successful phishing attacks use a targeted social engineering tactic called “spearphishing.” The criminal poses as a trusted organization or friend/colleague known to the victim. They use the victim’s real name and ask them to please log in to a (fake) website to pay a bill or review a document. The unsuspecting mark enters their credentials into the fake site, which then delivers their password to the scammer. They might also inadvertently download malware – more on that in a minute.
Many of these emails appear to come from a legitimate source. Due to a vulnerability in the fabric of email protocol (which was developed decades ago, long before phishing was an issue) modern scammers can often spoof a domain name perfectly. The emails will look crisp and professional, and typically lack the telltale spelling and grammar errors once associated with phishing.
Scammers typically employ a heavy amount of manipulation in their phishing schemes. Often, the message appeals to the helpful side of human nature: “Can you click the link and sign off on this document asap? My kids were sick this week and I’m running behind. Scared I’ll get in trouble if I deliver it late.” Other times, they employ threats: “This is an automated message from PNC Bank. Fraud detection flagged a $1800 withdrawal from your account. Please log in to confirm the charges.” Finally, though less common in modern scams, they might offer something too good to be true: “We want to thank you for being a loyal subscriber to our service. Click here to claim your free upgrade to diamond status and enjoy a year of programming on us!”
How to avoid it?
Despite the evolution of phishing attacks, many of the telltale signs remain. The best defense is a healthy dose of skepticism.
- Be on the alert for any email with a sense of urgency. Attackers want victims to act before thinking.
- Verify the legitimacy of any suspicious email by contacting the person or organization who supposedly sent it.
- Never log in to a third-party account (such as Adobe Acrobat) from an email link. Log in securely through the official website using your browser instead. A legitimate email link will redirect once you’re safely logged in.
- Report any suspected phishing attacks to your cybersecurity department.
- Avoid clicking anything in a phishing email – sometimes every corner of the message is a link to a dangerous site.
- Defeat phishing emails before they can even reach your inbox. Aegis IT Services offers an advanced email threat monitoring service, which filters out dangerous messages.
Data Breaches
What is it?
Ah, the data breach – the bane of business owners and cybersecurity professionals everywhere. A data breach is any circumstance in which sensitive information belonging to a large organization is stolen or leaked. Breaches are very often the result of stolen credentials; but for users whose information was compromised, a breach is the cause of their password theft.
How does it work?
There are many ways a breach can occur, but at the end of the day, the result is the same: users trusted an organization with their data, and that organization failed to protect it.
How to avoid it?
Unfortunately, individual users can do little to prevent being involved in a data breach, aside from choosing to only trust organizations with a good track record in cybersecurity. However, you can mitigate the damage of stolen credentials.
- Never reuse passwords. Credentials stolen in a data breach often show up in databases on the dark web, where cybercriminals can purchase them and use them for “credential stuffing,” a style of attack in which an automated program plugs the compromised username/password combo (including similar variations) into a long list of websites.
- Turn on two-factor authentication (2FA) on every service which offers it. We’re big fans of 2FA here at Aegis – you can read more about what it is and how it protects your account here.
- Track data breaches that may have given away your information. The gold standard for checking potential data breaches is “have i been pwned,” a website which checks your email address against a comprehensive database of breach information.
- Finally, of course, change your password if it has been breached (or anytime you fear it may have been compromised)!
Malware
What is it?
Malware refers to any software designed to damage, compromise, or otherwise disrupt the device it was installed onto. Sometimes, malware is disguised as a desirable program, such as the myriad of malicious apps that stole a million Facebook users’ passwords last year. In the context of password compromise, malware refers to any program designed to swipe credentials.
How does it work?
First, the malware must gain access to the victim’s system. Often, users are tricked into downloading the malicious file: it might pretend to be a desirable program, or hide itself inside a phishing email. Malware can also self-replicate across computers on a shared infected network.
Once inside, malware steals user information – not only passwords, but any sensitive data it can find, from client lists to bank account numbers – and relays this information to the cybercriminal who deployed it.
How this information is stolen varies widely. Many forms of malware install a keylogger, which records everything the user types; other varieties nab data from browser vulnerabilities and other loopholes. Most will also reconfigure the infected system to overlook the infection, or even to help spread it.
How to avoid it?
The list of malware mechanisms and vectors of attack is nearly endless, and malicious software is constantly evolving (because cybersecurity specialists thwart each new iteration!). Handling malware is a bit like whack-a-mole, but end users can take a few concrete actions to minimize their chances of compromise.
- Typically, malware exploits vulnerabilities in software which are patched out as soon as the problem is discovered. Keep all your devices updated to the latest software – malicious programs can’t slip through the cracks if they’re all sealed.
- Likewise, make sure your antivirus is robust, and always keep your virus database up-to-date.
- Beware of phishing attacks, which are among the most popular methods of spreading malware.
- Finally, of course, verify that any software or programs you install are from a trustworthy source – and never allow an unrecognized program to make changes to your computer.
Password Spraying
What is it?
So, a lot of people use common passwords. Really common passwords. You know, “password123” common. Password spraying (charming name, huh?) takes advantage of users who choose such insecure passwords by using methodical, educated guesswork to access their accounts.
How does it work?
A password spraying attack is quite simple – the hacker chooses a target username, then plugs in any of a few hundred extremely common password choices. Often, this is done with the help of a program that can throw a large quantity of username/password guesses at a bunch of websites at once. If the hacker is lucky, the victim chose an overly simple or frequently-used password, and the hacker now has access to their account.
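From the defender’s side, the pattern just described has a recognizable shape in authentication logs: one source address failing against many different accounts in a short window. The following Python is an added example, not part of the original post and not an Aegis tool. The log line format, the source addresses (taken from documentation ranges), the usernames and the thresholds are all constructed assumptions. It separates a spraying-style cluster (many accounts, one source) from a single account being hammered from one source, and then lists accounts that logged in successfully from a flagged source, since those are the ones to reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not from any real system).
# Assumed format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2022-10-24T09:00:01 FAIL user=alice src=203.0.113.7
2022-10-24T09:00:02 FAIL user=bob src=203.0.113.7
2022-10-24T09:00:03 FAIL user=carol src=203.0.113.7
2022-10-24T09:00:04 FAIL user=dave src=203.0.113.7
2022-10-24T09:00:05 FAIL user=erin src=203.0.113.7
2022-10-24T09:00:06 OK user=frank src=203.0.113.7
2022-10-24T09:01:00 FAIL user=alice src=198.51.100.3
2022-10-24T09:01:30 OK user=alice src=198.51.100.3
2022-10-24T09:02:00 FAIL user=bob src=192.0.2.10
2022-10-24T09:02:01 FAIL user=bob src=192.0.2.10
2022-10-24T09:02:02 FAIL user=bob src=192.0.2.10
2022-10-24T09:02:03 FAIL user=bob src=192.0.2.10
2022-10-24T09:02:04 FAIL user=bob src=192.0.2.10
2022-10-24T09:02:05 FAIL user=bob src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def classify_sources(events, window=timedelta(minutes=5), min_users=5, min_fails=5):
    """Look at failures per source address inside a sliding time window.

    "spray"          : one source fails against at least min_users distinct accounts
    "single-account" : one source fails at least min_fails times against one account
    Returns {src: (label, distinct_users, failure_count)} for flagged sources only.
    Thresholds are illustrative assumptions, not tuned values.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)

    findings = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        best = None
        for end in range(len(fails)):
            # Advance the window start until the window fits.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            users = {e["user"] for e in chunk}
            if len(users) >= min_users:
                label = "spray"
            elif len(chunk) >= min_fails and len(users) == 1:
                label = "single-account"
            else:
                continue
            candidate = (label, len(users), len(chunk))
            if best is None or candidate[2] > best[2]:
                best = candidate
        if best is not None:
            findings[src] = best
    return findings


def compromised_candidates(events, findings):
    """Accounts that logged in successfully from a flagged source: reset these first."""
    return sorted({e["user"] for e in events
                   if e["result"] == "OK" and e["src"] in findings})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    flagged = classify_sources(evts)
    for src, (label, users, fails) in flagged.items():
        print(f"{src}: {label} ({users} accounts, {fails} failures)")
    print("reset first:", compromised_candidates(evts, flagged))
```

Run against the constructed sample, 203.0.113.7 is flagged as a spray and 192.0.2.10 as a single-account cluster, while the lone failure from 198.51.100.3 (a user mistyping once, then succeeding) is left alone; the one successful login from the spraying source is the account to reset.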
How to avoid it?
Luckily, password spraying is pretty easy to avoid. Read up on the most common passwords, and then follow these steps:
- Don’t use a common password.
- Don’t use a common password.
- Don’t use a common password.
The best password is one that even the user does not know. Generate long, randomized, alphanumeric passwords with a password generator, and store them in a password manager. Most browsers come with a password generator and manager built in – but a subscription service will give you the best and most secure experience. We prefer to use 1Password at Aegis IT Services, and endorse it readily.
Brute Forcing
What is it?
An advanced, expensive, and relatively rare method of password theft is brute forcing. Many people probably picture brute forcing when they imagine a stolen password, as it’s most in line with how a glamorous, cyberpunk hacker in a gritty thriller movie would steal credentials: by literally cracking the encryption around it.
How does it work?
Generally, an automated program runs through a “dictionary” of possible passwords – but many, many more than one might find in a password spraying attack. The dictionary also includes every conceivable spelling variation and word combination. Should this fail, the program moves on to random letters, numbers, and characters.
The other main form of brute forcing attempts to decode password encryption, often once the encrypted password has already been leaked.
It sounds scary, but currently, the technology to run this sort of program without tripping modern security controls is pricey and unreliable. A brute force attack also takes a long time, especially for a lengthy, randomized password.
How to avoid it?
Given the cost in both time and resources to the hacker of running a brute force attack, most users are unlikely to ever be victims of one – the targets for this sort of attack are typically high-profile. That said, a longer password is much more difficult for a brute force attack to crack.
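The two recommendations above (generate long, random passwords rather than choosing one, and lean on length against brute forcing) can be put into numbers. The following Python is an added example, not code from the original post or from any product it mentions. It draws a random alphanumeric password from the operating system’s cryptographic random source, rejects anything found on a common-password list, and shows how the size of the search space a brute-force attack must cover grows with each added character. The short common-password excerpt and the guess rate of ten billion per second are constructed assumptions for illustration, not measured figures.

```python
import math
import secrets
import string

# Constructed excerpt of a "most common passwords" list, compared case-insensitively.
# A real check would load a full published list; this is a stand-in for the example.
COMMON_PASSWORDS = {
    "password", "password123", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey",
}

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def generate_password(length=20, alphabet=ALPHANUMERIC):
    """Random password from the OS CSPRNG (secrets, never the random module).

    Each character is chosen independently and uniformly, so no position is
    more predictable than any other. The minimum length is a policy assumption.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_common(password):
    """True if the password appears on the deny-list (case-insensitive)."""
    return password.lower() in COMMON_PASSWORDS


def keyspace_bits(length, alphabet_size):
    """log2 of the number of possible passwords: each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every password of this length at the given guess rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


def compare_lengths(lengths=(8, 12, 16, 20), alphabet_size=62, guesses_per_second=1e10):
    """Rows of (length, bits, years): the guess rate is an assumed figure for illustration."""
    return [
        (n, round(keyspace_bits(n, alphabet_size), 1),
         years_to_exhaust(n, alphabet_size, guesses_per_second))
        for n in lengths
    ]


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  common? {is_common(pw)}")
    for n, bits, years in compare_lengths():
        print(f"{n:2d} chars: {bits:5.1f} bits, {years:.3g} years to exhaust at 1e10 guesses/s")
```

The point the table makes is the one the paragraph makes: going from 8 to 20 alphanumeric characters does not make exhaustive guessing a little slower, it moves the worst case from well under a year to a number of years with eighteen digits at the same assumed rate, which is why a generated password stored in a manager is the practical answer.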
Local Discovery
What is it?
Local discovery is the most low-tech method through which a password is compromised. This refers to any time a victim physically writes down credentials and the note is then lost or stolen.
How does it work?
Unlike most of the other items on this list, local discovery is typically perpetrated by a disgruntled colleague or someone with access to the victim’s workspace. The criminal might snatch a post-it note with a username and password off the monitor while their target is in the bathroom; or they might rifle through desks after-hours in search of a notepad where sensitive details are written down.
Even if everyone in the office gets along famously, long-hand password storage can lead to disaster. The victim might forget their briefcase in a café, for example; or a burglar could break into the office and use publicly-posted login information to help themselves to protected information.
How to avoid it?
While local discovery is uncommon, it does happen – and boy, it’s super embarrassing to have to admit to your IT team that someone stole your password because you left it lying around.
Avoid that awkward situation by storing passwords digitally, in a password manager. As mentioned above, most popular browsers come with one built in for free, although more sophisticated, paid programs typically have fewer vulnerabilities. It’s worth repeating: Aegis IT Services recommends 1Password.
The Take-Away
Sometimes, even careful and savvy users have their passwords stolen – but taking the steps outlined above will minimize your chances of becoming a victim of cybercrime. Remember, use a complex, unique password for every login, and always employ 2FA.
Have questions about cybersecurity? Need a managed cybersecurity service specialist in the York, Lancaster, Harrisburg, Reading, and Central PA area to help you keep your company’s data safe? Reach out today!