Intro
We’ve all been there, reseting your password per the system’s prompt, and it seems like these prompts became more frequent than before. You are probably wondering why that happened. Here’re the statistics:
As of June 9, 2020, the website haveibeenpwned.com shows that there are
9,760,722,439 (nearly 9.8 billion)
Source: https://hackernoon.com/7-ways-to-protect-your-company-from-insecure-credentials-nyk3yg3
This means that something is afoot here – hacking accounts is more prominent now than ever before.
You can check your own accounts here: haveibeenpwned.com
In this post, I’ll introduce you to how accounts are hacked because I believe that once you get the big picture, it will help you out in the long run. Note, this is not going to be a hacking tutorial, there’re plenty of sites that provide that information if that’s your thing. This post is aimed at the average person, so if words like “Metasploit” and “burp suite” mean anything to you, you probably already know more than this article will share.
Getting into accounts 101
So, there are basically two ways to get into an account: the easy way and the hard way. The easy way is split into two separate sections: Personally Identifiable Information (PII), and other insights. And the hard way is where the hacker doesn’t have any information going into the process, that’s where raw computing power is usually used.
The examples given below are adopting a fictional story, where Jane Doe has an account with “securesite.com”. We’ll be describing the thought process behind trying to get into her account. I think it’s obvious, but I’ll state it anyway, the scenario is fictional, the site name is something I though of a minute ago.
I’ll summarise the best ways to protect yourself against each mechanism described in the last chapter.
The easy way
Let’s assume that the hacker gathered some information about Jane Doe before attempting to access her account. They know that her username for the site is: “[email protected]”.
PII
Overview
PII is any information that can be used to identify a person directly. More info on the topic here: Link. For the purposes of this explanation, the hacker knows that Jane has a cat named Whiskers. And that her favourite colour is “Royal Blue”. You might be thinking, hold on a minute there, how can a hacker know this information? Well, have you ever shared an image on Facebook of your cat, and forgot to set the post to private? Or have you ever shared an image of a room’s interior in a colour you really love, say “Royal Blue” for example? Yeah, that’s literally how easy it is to get PII about a person these days.
The hacking bit
At this point, the hacker has the following information:
- Her username
- The cat’s name
- Jane’s favorite color
Using the method called “Dictionary attack“, the hacker will attempt to submit Jane’s username with random passwords that a wordlist generation script produced. These scripts take a number of parameters, and believe me, the first thing in the parameters to be added are the two key pieces of information: the cat and the color. The hacker then sets a length limit, say they need a password of a minimum of 8 characters and a maximum of 12. And the script then generates a file of millions and millions of combinations to be tried against the username. Imagine someone inputting the username in the form and pasting a password, hitting submit, pasting a password, hitting submit (…) thousands of times a minute. At some point they’ll get in, that’s the result of a simple mathematical function – it’s just a matter of time.
“Forgot my password”
Another, trickier way to get in is by using the “Forgot my password” functionality. Some sites still use the horrible “Security Question” verification step. You know what I’m talking about: “What was your childhood’s best friend’s name?” etc. Horrible, horrible stuff. Why? Well, what are the chances that the questions contain: “What’s your pet’s name?”, or “What’s your favourite colour?”. Yeah, the hacker has the answers to those questions. Furthermore, when sites use this kind of “verification” mechanism, they usually just prompt you for a new password if you get the answers correct. Yeah, that’s a hard no from me for registering on those sites, thanks.
The hard way
Right, so this time the “supersecure.com” site has been re-designed, and the security question “verification” fiasco is gone. Moreover, Jane is setting her posts to “Friends only”, so the hacker doesn’t have any PII on their hands. So how would they get in then? Keep reading, we’re not done yet.
The scale problem
The human brain is a wonderful biological miracle, unfortunately, it’s the laziest thing I’ve had the pleasure of possessing. As soon as the brain is faced with a problem, it attempts to find the easiest, quickest solution, as running its neurons are one of the most expensive things to run in our bodies, energy-wise. I’m not an MD, please don’t quote me on that.
Now, when you want to register into a new site, and you already have 10+ registrations on other services, all of which contain a, I hope unique, pair of username and password, what does the brain do? Well, it tries to find the cheapest energy-wise solution – just use the same structure as before. So chances are, if you have a username “john.doe” on service X, when you go to register for service Y, you’ll use the same format. Great for the brain, horrible for security. Do you remember the stats at the beginning of this post? Yeah, it only takes one hacking attempt, which doesn’t even have to be successful, for your username to appear on the hacking horizon. Hackers are like any other professional – they share resources so that they can decrease the time investment in a future “endeavour”. So if there was a username leak from a site you’re registered on – you’re on the list (sorry).
The Lists
These lists appear everywhere, think “Pastebin“. So now the hacker has a list of usernames – great. The only thing left is the password. Sometimes, very unfortunately the list contains the full username/password pair, automate the login process and you’re in. That’s called “Credentials Stuffing” in the security world. If pairs don’t exist, we’re back to the “Dictionary attack”, we discussed earlier.
The above case can exist in a reverse form, where the hacker has a password, that they know is used on the system, and they rotate the username. Meaning they automate the process again, but they substitute the username, instead of the password. That’s called “Password Spraying“
Brute forcing
This used to be the go-to method for gaining access a while back before password requirements changed. You could have entered a password that had no special characters, no caps letters, and no alphanumerical combination. Furthermore, it could’ve just been 4,6,8 characters long. Although the latter seemed secure at the time, as it would take a person literal years to try all the possible combinations, computers are really good at doing the same thing over, and over, very quickly. There’s an amazing password security checker site, that shows you how long it will take someone to hack a password using the brute force method: Link. Here’s the rundown of using 12345678
as your password:
Yeah, definitely not great.
The ins-and-outs
So how does the brute force method work exactly? Let’s take a fictional scenario once again. We know that the password for a given site is 4 characters long, and requires no secure combinations. In the real world this would be all be automated, but here’s what the algorithm would do. It will take a given input, say numbers only. And it will create a wordlist that looks like this:
0000
(...)
1111
1112
1113
1114
1115
1116
1117
1118
1119
1121
(...)
9999
If there were letters included, the list becomes exponentially larger, but the structure is the same:
0000
(...)
aaaa
aaab
aaac
(...)
aaa1
aaa2
(...)
9999
A similar thing will be done for the usernames, which say are separated with a dot:
a.a
aa.a
aaa.a
aaaa.a
(...)
john.a
(...)
jane.a
(...)
jane.aaaa
(...)
jane.daaa
(...)
jane.doe
(...)
And there we go, on line 3455531 of the document, we see the username of our fictional user.
Author’s note
Please note that brute forcing a password is not a viable approach for a large number of online services anymore. Most of the most-used sites out there have very strict password requirements, that make brute forcing not worth it, as say a 16 character password containing alphanumeric and special characters will take decades to be cracked with a single computer. Bot nets speed this process up, but that’s a discussion for another day. Here’s a screenshot of a 16 character password containing all the above-listed characters, and the time it takes to crack it:
Security tips
You’ve most likely heard of all of these before, but please consider doing the following:
- Use different usernames and passwords on each service you use
- Change your passwords every 3-6 months
- Check the hacked accounts service, to see if you have compromised details often: https://haveibeenpwned.com/
- Use either the maximum character length provision on a site, or at least 16 characters, if the length is not limited
- Always use alphanumeric, upper & lower case, and special character combinations.
- If the above is too hard to remember, use long phrases like a sentence from a book, without the spaces. Example:
theBigBrownDogJumpedOverTheLazyFox
(this example will be hacked in 343 SEPTILLION YEARS - Another option is to use a password manager, although I personally wouldn’t suggest that, as having a 3rd party store my passwords scares me.
- If the above is too hard to remember, use long phrases like a sentence from a book, without the spaces. Example:
You might be wondering, so after all of the above information, the strategy to avoid my account being hacked is that simple? Yep, literally that’s the best you can do. Follow the points above, and the rest is up to the service’s IT people to secure. If they fail – there’s nothing you can do unfortunately. Which is another key point in itself. Never register for shady sites, or sites you’ll be using only once. Always look for that “Guest checkout” button. Why on earth are you registering to a site you’ll only use once? Remember the brain section of this post? What are the chances you’ll either use the same username structure, or the same password on that one-use site. Worst of all, you’ll forget you ever used it, thus even if someone hacks it and it makes the news – you’ll never make the connection. And your details are on a list somewhere, just like that.
TL:DR
The general strategy here is: be mindful, be critical, and treat every new site you visit (and maybe your regulars as well) as a stranger you’ve just met. Treat your login credentials as you do your house key. You wouldn’t be going about allowing strangers to make copies of it, even if they didn’t know where you live, right? Be mindful, be critical, be safe.