Password Crackers have access to more stolen passwords and more ingenious hacking tools than ever before. They are not to be stopped; you should be active anyway. From Authentico Technologies get the best ideas of the same now.
IT security experts agree: The days when companies could rely on traditional passwords are long gone. Safer access control methods such as multi-factor authentication, biometrics, and single sign-on should instead define the status quo. And yet, looking at Verizon’s latest “Data Breach Investigations Report,” 81 percent of hacker attacks are related to stolen or insecure passwords.
Let’s take a look at the password-hacking techniques cybercriminals use. It makes a big difference whether the target is a company, an individual, or the general public. The result is mostly the same: the hacker wins.
Make hash file password
If all passwords of a company are cracked in one go, this is usually because of a password file was stolen. There are companies that keep the passwords in plain text lists. Companies that value IT security first convert them to hash files. These are used to secure passwords in, among other things, domain controllers, enterprise authentication platforms, and Active Directory.
Meanwhile, these hash files (even if they were “salted”) are no longer considered safe. Actually, such a file should make a password unrecognizable. In order to verify the password, the entered value is made unrecognizable and then compared with the previously stored hash value.
The result: The amount of time it takes to hash a password (even one that was considered secure by previous standards) is no longer millions of years. “Based on my experience of how people choose passwords, I would say that 80 to 90 percent of them can be cracked in less than 24 hours, and if you have enough time and resources, you can crack any password whether it takes hours, days or weeks, “says the security specialist.
Incidentally, this is especially true for passwords that have sprung from a human brain and not created by software-controlled random number generator. A passphrase (or longer password) is good for users, according to the CISO, but cannot be a substitute for true multi-factor authentication . By the way, for criminal hackers working with hashed passwords, it is especially handy that the cracking is done exclusively on their own computer. Transition passwords that need to be tested on e-mail accounts or applications are unnecessary in this case.
Botnets for the mainstream attack
For attacks on large public websites, criminal hackers use botnets to test different username-password combinations. They use stolen login data from other sites or work out a list of common and popular passwords. Some of these lists are even freely accessible, according to software entrepreneur Philip Lieberman: “These lists are available free of charge or for a small fee, which includes approximately 40 percent of all Internet users’ log-in information in the past – major hacker attacks in the past – such as on Yahoo – have resulted in large databases that cybercriminals can use. Although compromised login data can already be found on these lists, this does not detract from the cracker’s success: Even after a hacker attack, many users do not change their password.