Cleverly grouping words together, such as “letmein” or “superadministratorguy”, will not prevent your password from being cracked this way – well, not for more than a few extra seconds.

Rainbow tables aren’t as colorful as their name may imply but, for a hacker, your password could well be at the end of one. In the most straightforward terms, you can boil a rainbow table down to a list of pre-computed hashes – the value produced when a password is run through a hashing algorithm. This table contains hashes of all possible password combinations for any given hashing algorithm. Rainbow tables are attractive because they reduce the time needed to crack a password hash to simply looking something up in a list.

However, rainbow tables are huge, unwieldy things. They require serious computing power to run, and a table becomes useless if the hash it is trying to find has been “salted” by the addition of random characters to the password before it is run through the hashing algorithm. There is talk of salted rainbow tables existing, but these would be so large as to be difficult to use in practice. They would likely only work with a predefined “random character” set and password strings below 12 characters, as the size of the table would otherwise be prohibitive even for state-level hackers.

Savvy hackers have realized that many corporate passwords are made up of words that are connected to the business itself. Studying corporate literature, website sales material, and even the websites of competitors and listed customers can provide the ammunition to build a custom word list to use in a brute force attack. Really savvy hackers have automated the process, letting a spidering application, similar to the web crawlers employed by leading search engines to identify keywords, collect and collate the lists for them.

It’s easy to imagine that passwords are safe when the systems they protect lock out users after three or four wrong guesses, blocking automated guessing applications. Well, that would be true if it were not for the fact that most password hacking takes place offline, using a set of hashes in a password file that has been ‘obtained’ from a compromised system. Often the target in question has been compromised via a hack on a third party, which then provides access to the system servers and those all-important user password hash files. The password cracker can then take as long as they need to try and crack the code without alerting the target system or individual user.

Similar to the dictionary attack, the brute force attack comes with an added bonus for the hacker. Instead of simply using words, a brute force attack lets them detect non-dictionary words by working through all possible alpha-numeric combinations from aaa1 to zzz10. It’s not quick, provided your password is over a handful of characters long, but it will uncover your password eventually. Brute force attacks can be shortened by throwing additional computing horsepower at them, in terms of both processing power – including harnessing the power of your video card’s GPU – and machine numbers, such as using distributed computing models like online bitcoin miners.

Shoulder Surfing

Another form of social engineering, shoulder surfing, just as it implies, entails peeking over a person’s shoulder while they’re entering credentials, passwords, etc. Although the concept is very low tech, you’d be surprised how many passwords and how much sensitive information is stolen this way, so remain aware of your surroundings when accessing bank accounts, etc. The most confident of hackers will take the guise of a parcel courier, aircon service technician, or anything else that gets them access to an office building. Once they are in, the service personnel “uniform” provides a kind of free pass to wander around unhindered and make note of passwords being entered by genuine members of staff. It also provides an excellent opportunity to eyeball all those post-it notes stuck to the front of LCD screens with logins scribbled upon them.

The password crackers’ best friend, of course, is the predictability of the user. Unless a truly random password has been created using software dedicated to the task, a user-generated ‘random’ password is unlikely to be anything of the sort. Instead, thanks to our brains’ emotional attachment to things we like, the chances are those random passwords are based upon our interests, hobbies, pets, family, and so on. In fact, passwords tend to be based on all the things we like to chat about on social networks and even include in our profiles.
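As an added example (not code from the original article), the following Python shows why a precomputed hash table, the idea behind the rainbow tables discussed above, only works against unsalted hashes, and why a per-user salt plus a slow key-derivation function also blunts offline cracking. The wordlist, `ITERATIONS` and function names are constructed for this illustration; a plain dictionary stands in for a real rainbow table's hash chains.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; stands in for a dictionary or a spidered list.
WORDLIST = ["letmein", "superadministratorguy", "password1", "acmewidgets2019"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 hex digest: the kind of hash a precomputed table targets."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_lookup_table(words):
    """Precomputed digest -> plaintext map. A real rainbow table compresses this
    into hash chains, but the attack is the same: look the digest up."""
    return {unsalted_hash(w): w for w in words}

def lookup(table, digest: str):
    """Recovering the password is a single lookup, no guessing required."""
    return table.get(digest)

def new_salt() -> bytes:
    """16 random bytes per user; stored beside the digest, unique, not secret."""
    return os.urandom(16)

def salted_hash(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256: the salt defeats precomputation, the iteration
    count makes every offline guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS).hex()

def verify(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison so timing does not leak digest bytes."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

def demo():
    table = build_lookup_table(WORDLIST)
    # 1. Unsalted storage: the digest of "letmein" is found immediately.
    hit = lookup(table, unsalted_hash("letmein"))
    # 2. Salted storage: the same password is nowhere in the table.
    salt = new_salt()
    miss = lookup(table, salted_hash("letmein", salt))
    # 3. Two users with the same password get different digests, so a table
    #    built against one salt is useless against every other salt.
    same = salted_hash("letmein", salt) == salted_hash("letmein", new_salt())
    return hit, miss, same
```

`demo()` returns `('letmein', None, False)`: the unsalted digest is a one-step lookup, the salted one is not in the table, and identical passwords no longer share a digest.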