Archive for the ‘General’ Category

You’ve probably heard that a strong password is really important to keep your accounts safe. You’ve also probably heard that people are still not creating good passwords. But even if you are—or at least you think you are—hackers are smart and they’ve figured out ingenious ways to crack what you think is a secure password.

Here’s how they do it:

Dashlane, a password manager tool, took a look at 61 million passwords from data breaches. These passwords were available to hackers, of course, but also to the public and even security researchers. To the surprise of precisely nobody, the biggest takeaway was that people’s passwords were far from original, and most of them were actually the same.

The most popular passwords were “Ferrari,” “iloveyou,” “starwars,” and of course “password1234.”

If you’re a hacker, let’s be honest, these aren’t hard to guess. And, in fact, there are tools out there that will help make life even easier.

“John the Ripper”

One of the most common tools is “John the Ripper,” a password cracker that works offline against a stolen list of password hashes. It uses what’s known as a “dictionary attack,” where it takes a list of dictionary words and tries each one against the hashes. The tool can try millions of words in a short space of time, and its mangling rules do sneaky things like replacing an “a” with an “@” or an “e” with a “3.”

In short, if your password contains a real word of any kind, even an inexperienced hacker can use a tool to figure it out in seconds.

Password walking

One other thing Dashlane noticed was that many people thought they were being creative by using a tactic called “password walking.” Basically, this is when you “walk” your fingers across the keyboard, hitting keys that are adjacent. This creates a password that looks unique and random, like “zxcvbn,” “1q2w3e4r,” or “poiuytr.”

While you might think a password such as this is secure, hackers know people use these tricks and can plug in any number of variations into their tools and test them out. Once again, in a matter of moments, a hacker will figure out your password.
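Both patterns described so far (a dictionary word disguised with character substitutions, as in the John the Ripper section, and a keyboard walk) can be caught before a password is accepted. The following check is an added example written for this page; it is not code from the post, from Dashlane or from John the Ripper. The wordlist, the substitution table, the US keyboard rows and the walk-length threshold of 4 are all constructed assumptions kept deliberately small; a real policy check would use a full cracking dictionary and the user’s actual keyboard layout.

```python
"""Defender-side checks for the two weak patterns described above.

Added example, not code from the post, Dashlane or John the Ripper.
The wordlist, substitution table and keyboard layout are constructed
and deliberately small.
"""

# Constructed stand-in for a real cracking dictionary.
WORDLIST = {"ferrari", "iloveyou", "starwars", "password", "porsche", "chappy", "qwerty"}

# Undo the substitutions a rule-based cracker would apply ("a" -> "@", "e" -> "3", ...).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
                          "!": "i", "$": "s", "5": "s", "7": "t"})

# US-layout rows (assumption); shifted symbols are folded onto the digit keys they share.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED = str.maketrans("!@#$%^&*()", "1234567890")


def contains_dictionary_word(password, wordlist=WORDLIST, min_len=4):
    """Return the dictionary word found in the password (raw or de-leeted), else None."""
    lowered = password.lower()
    candidates = (lowered, lowered.translate(LEET_MAP))
    for word in sorted(wordlist, key=len, reverse=True):   # longest match first
        if len(word) >= min_len and any(word in c for c in candidates):
            return word
    return None


def _key_position(ch):
    """(row, column) of a key on the layout, or None for keys we do not model."""
    for row_index, row in enumerate(KEYBOARD_ROWS):
        col = row.find(ch)
        if col >= 0:
            return row_index, col
    return None


def _adjacent(a, b):
    """True if two distinct keys touch: same or neighbouring row, at most one column apart."""
    pa, pb = _key_position(a), _key_position(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def longest_keyboard_walk(password):
    """Length of the longest run of physically adjacent keys, e.g. 8 for '1q2w3e4r'."""
    keys = password.lower().translate(SHIFTED)
    if not keys:
        return 0
    best = run = 1
    for a, b in zip(keys, keys[1:]):
        run = run + 1 if _adjacent(a, b) else 1
        best = max(best, run)
    return best


def assess(password, min_walk=4):
    """List the weaknesses found; an empty list means neither pattern matched."""
    findings = []
    word = contains_dictionary_word(password)
    if word:
        findings.append(("dictionary word", word))
    walk = longest_keyboard_walk(password)
    if walk >= min_walk:
        findings.append(("keyboard walk", walk))
    return findings


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "1q2w3e4r", "Porsche3$5^", "ppwjK!C$p8g^2B"]:
        print(f"{candidate!r}: {assess(candidate) or 'no weak pattern found'}")
```

Note that “Porsche3$5^”, the example the post uses later, trips both checks: “porsche” is in the wordlist, and once the shifted symbols are folded back onto their digit keys, “e3$5^” is a five-key walk across the number row. The password manager’s “ppwjK!C$p8g^2B” trips neither.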

Password formula

Some may think that a password formula based on the name of the particular website you are using is a smart idea. But, again, it’s hard to trick a hacker. This is especially true if a hacker figures out your “base password” (the part of your password that you use over and over again…another common tactic). They’ll then use that and try different variations, or other common combinations, to piece the puzzle together.

Let’s imagine, for instance, that you use the password “Porsche3$5^” for Twitter and “Porsche4%6&” for Facebook. All you did was change the second half and then went “password walking.” This is child’s play for hackers.

“How to hack passwords,” from a hacker himself

Here’s what goes on in the mind of a hacker, according to a person who has hacked thousands of accounts and documented his tactics on Lifehacker.

Follow his logic in this section taken from his article:

  • You probably use the same password for lots of stuff right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache.

From this you can see how the mind of a hacker works, and how sophisticated (yet kind of simple) their process for figuring things out is.

And what’s not mentioned in this segment is the part your social media channels play—you know, where you talk about your favourite dog “Chappy” or your kid’s birthdate. Odds are, you probably use these personal details in your passwords. So, a quick search on Facebook and a hacker can find a few good words and numbers to plug into their hacking tool and figure out some viable options.

The moral of the story is this: Stop trying to come up with clever passwords based on names, places, or things in your life. Instead, use a password manager which automatically will create random passwords for all of your accounts. For example, my password manager just generated “ppwjK!C$p8g^2B” which is ridiculously strong and is highly unlikely to be guessed. And the added benefit is a password manager will remember the passwords, so you don’t have to.

Also, make sure your password is long. Here’s an image that shows just how much easier it is for a hacker to crack a short password, and what a difference it makes using a variety of characters rather than just lowercase letters.

From that same Lifehacker article:

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8-character password from 2.4 days to 2.1 centuries.
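The arithmetic behind that table, as an added example that is not code from the post or from the Lifehacker article: the 2.4-day and 2.1-century figures come out exactly if the attacker tries one million guesses per second against 8-character passwords drawn from the 26 lowercase letters versus the 95 printable ASCII characters, so that guess rate is assumed here as the table’s own assumption. The same functions generate a random password of the kind the post’s password manager produced (using Python’s secrets module; how the manager itself does it is not stated on the page) and put a second, much higher guess rate beside the first, a constructed figure, to show why length matters more than the character set.

```python
"""Keyspace and time-to-exhaust arithmetic behind the cracking-time table.

Added example, not code from the post or the Lifehacker article it cites.
ASSUMPTION: the table's figures (2.4 days vs 2.1 centuries for 8 characters)
match a rate of 1,000,000 guesses per second, so that rate is used here.
"""
import math
import secrets
import string

# 26 lowercase letters, versus the 95 printable ASCII characters (codes 32-126,
# i.e. letters, digits, punctuation and the space).
LOWERCASE = string.ascii_lowercase
ALL_PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
# Alphabet used for generated passwords: printable ASCII without the space.
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation

TABLE_RATE = 1_000_000        # guesses/second inferred from the table (assumption)
FAST_RATE = 10_000_000_000    # constructed figure for a much faster attacker


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst case for the attacker: every possible password is tried."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_duration(seconds):
    """Express a number of seconds in the largest convenient unit."""
    units = [("centuries", 100 * 365 * 86400), ("years", 365 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def generate_password(length=14, alphabet=GENERATOR_ALPHABET):
    """Uniformly random password from a CSPRNG, as a password manager would produce."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def crack_table(lengths=(8, 12, 14), rates=(TABLE_RATE, FAST_RATE)):
    """Rows of (length, alphabet name, alphabet size, rate, seconds) for both alphabets."""
    rows = []
    for length in lengths:
        for name, alphabet in (("lowercase", LOWERCASE), ("all printable", ALL_PRINTABLE)):
            for rate in rates:
                rows.append((length, name, len(alphabet), rate,
                             seconds_to_exhaust(len(alphabet), length, rate)))
    return rows


if __name__ == "__main__":
    for length, name, size, rate, secs in crack_table():
        print(f"{length:2d} chars, {name:13s} ({size:2d}), {rate:>14,d}/s: {human_duration(secs)}")
    pw = generate_password()
    print(f"generated: {pw}  ({entropy_bits(len(GENERATOR_ALPHABET), len(pw)):.1f} bits)")
```

Running it shows the point the post is making: at the table’s rate the full-alphabet 8-character password takes centuries, but at the faster rate it falls in days, while a 14-character password from the same alphabet stays out of reach at either rate.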

[Image from the Lifehacker article “How to hack passwords”: table of cracking times by password length and character set]

Though you cannot stop your important accounts from getting breached (that part is up to the organizations and companies that run them), you can do something on your end to minimize the chance of your password being cracked.


With this year’s list standing at 1.5 billion, I’m already beginning to worry about counting up 2017’s.

By my calculations, which involve the complex process of adding up all of the available numbers on the stories that I’ve reported each month, I’m at 1,654,135,541 leaked records in 2016. It’s very likely that the final number is significantly higher, but we know that there’s been at least 1,654,135,541.

I’d like to point out that I’ve not included the 500 million records exposed in the Yahoo data breach that came to light this year. The breach occurred in 2014 but didn’t become publicly known until earlier this year. Below is a list of the most significant events of each month.

Note: The total number alongside each month is not definitive; please take it as the minimum number of records leaked in each month, not the total.

January – 57,740,000

US health insurer Centene loses 950,000 people’s records

Asda website leaves customer details vulnerable for 677 days

Etihad Airways investigating data breach dating back to 2013

Wendy’s Probes Reports of Credit Card Breach

Bitcoin Worth $USD 6 Million Stolen

Hackers have stolen €50 million from an aerospace parts manufacturer

February – 428,000

Linux Mint hacked – lone attacker creates botnet

Lincolnshire Council forced to use pen and paper after ransomware attack

@ChileanCrew Hacks, Leaks Details for 300,000 Chilean Citizens Looking for State Benefits

9000+ Department of Homeland Security staff have their details leaked by hacker

March – 20,018,962

3,000 Tidewater Community College workers victimized in W-2 scam

Attacker compromises information of 250K in Bailey’s data breach

Cyber criminals steal $25 million from Russian banks via phishing attack

Rosen Hotel chain was hit by credit card-stealing malware for 17 months

April – 166,687,282

Minecraft community lifeboat suffers data breach affecting seven million members

CoinWallet Bitcoin Trader Shuts Down Following Data Breach

93.4 million Mexicans at risk after voter database breach

BeautifulPeople.com Leaks Very Private Data of 1.1 Million ‘Elite’ Daters — And It’s All For Sale

ShapeShift loses $230,000 in bitcoin data breach – ex-employee to blame

Trump Hotel chain suffers data breach again

May – 117,339,372

MySpace and Tumblr hit by ‘mega breach’

117 million hacked LinkedIn email addresses and passwords put up for sale

Kiddicare customers at risk after data spills from test server

EPISD employee accounts hacked, money stolen

Payroll vendor employee falls for phishing scam, all clients’ W-2 data involved

1.4 Billion Yen Stolen From 1,400 Japanese ATMs

June – 289,150,000

154 million voter records exposed, revealing gun ownership, Facebook profiles, and more

77K accounts of Financial Giant, State Farm, leaked due to DAC Group Hack

Muslim Match dating website hack exposes more than half a million intimate messages

45 million records from over 1100 Verticalscope.com domains and communities hacked and leaked

51 Million iMesh Passwords Dumped Online

Personal info on 7.93 million people feared leaked

July – 34,195,351

King’s counselling department breaches students’ privacy

Athens Orthopedic Clinic to begin notifying patients of hack

WikiLeaks Put Women in Turkey in Danger, for No Reason

10 million customer’s data leaked from online shopping site

‘Warframe’ Hacked, Details on 775,000 Players Traded

Illinois online voter registration portal hacked, information compromised

August – 11,875,817

Omegle, the Popular ‘Chat with Strangers’ Service Leaks Your Dirty Chats and Personal Info

Data for 6 Million Minecraft Gamers Stolen from Leet.cc Servers

SCAN Health Plan notifying members of unauthorized access to their information

Dominican Hospital notifies patients whose PHI was sent to wrong health plan

Epic’s forums hacked again, with thousands of logins stolen

Turkish Hackers Launch Second Cyber-Attack on Killeen’s Website

Defense university computers hacked, ‘information secure’

Olympics: Hackers attack Russian whistleblower’s doping account

September – 105,400,000

Florida Bar Association hacked, members’ data leaked

6.6 million plaintext passwords exposed as site gets hacked to the bone

Russian hackers leak Simone Biles and Serena Williams files

Russian internet giant Rambler.ru hacked, leaking 98 million accounts

Login details for 800,000 Brazzers users leaked

MarsJoke ransomware targets the government and K-12 educational sector

A single ransomware network has pulled in $121 million

October – 142,160,000

Medical marijuana patients’ personal information found in trash pile

Security Firm Tries Desperate Solution to Alert Company of Data Leak

Hacker grabs over 58 million customer records from data storage firm

Hutchinson Community Foundation falls victim to data breach

DDoS attack against DNS provider knocks major sites offline

Whoops: Pro-Donald Trump super PAC publishes donor credit card numbers

Hackers stole credit card data from Republican website for 6 months

November – 456,403,757

Department of National Defence investigating possible hack of its recruiting site

Over 412 million ‘adult’ accounts exposed – including 15 million deleted ones

Ransomware attack targets Seguin dermatology practice

Report holds Hitachi responsible for debit card data theft

Thieves Use Skimmers on ATMs in Four NYC Hospitals

Madison Square Garden Company Alerts Customers of Payment Card Data Breach

Data of 34 million Keralites leaked in massive breach

December – to be updated

85 million login details stolen from Dailymotion

Joan Jett’s BlackHeart Records leaks thousands of files online

KFC warns 1.2 million Colonel’s Club loyalty scheme members of data breach after website hacked

Japanese hosting company Kagoya hacked; credit card data stolen

ThyssenKrupp secrets stolen in ‘massive’ cyber attack

Well, that’s it for this year – a lot to reflect on over the Christmas period.