[BreachExchange] Six ways by which hackers can crack your password

Destry Winant destry at riskbasedsecurity.com
Wed Feb 7 19:20:06 EST 2018


http://threatbrief.com/six-ways-hackers-can-crack-password/

The password is one of the barriers that stand between you and your
hacked bank account or social media account. Nowadays even losing
social media accounts to cybercriminals can cause a huge monetary loss
because some bank accounts are linked to online accounts like Gmail,
Yahoo, Facebook or Twitter. There are specific ways and means in which
hackers compromise your account. Passwords being the central theme of
almost all your accounts, hackers prefer to go after your password to
hack into your financial as well as online accounts.

If your account is hacked, the criminals probably used one of the six
ways given below to crack your account. If you study these methods you
can prepare yourself better to repel such hacks and control your
accounts easily.

Brute force attack

Brute force is about overpowering the user’s password by using
repetition. A brute force attack is a random trial and error method,
repeated until the password is finally cracked. Hackers randomly keep
trying names and numbers to crack the password through this pattern.
Sometimes, a lot of guesswork is also used to decode the password,
while other times hackers use password cracking software.
Arithmetic numbers, birth dates, pets’ names and favorite actors’ names
are passwords that users commonly use. Almost all online accounts limit
the number of tries a user can make, but hackers somehow manage to
breach the system.

Dictionary Hacking

Dictionary hacking is also a form of brute force attack. But in a
dictionary hack, hackers use various permutations and combinations of
dictionary words. They repeatedly use dictionary software and
try various combinations of words to crack your password. Almost 50
percent of the passwords are cracked through this process.

Brute force dictionaries always start with simple letters “a”, “aa”,
“aaa”, and then eventually move to full words like “dog”, “doggie”,
“doggy”. These brute force dictionaries can make up to 50 attempts per
minute in some cases, while the number goes up with sophisticated
software.
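The attempt limit mentioned under brute force, applied to the dictionary's 50 guesses per minute, as an added example that is not part of the original article. The class name, the five-failure threshold, the 60-second window and the 30-second doubling lockout are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account failure limiter with doubling lockouts. Times are integer ms."""

    def __init__(self, max_failures=5, window_ms=60_000, base_lockout_ms=30_000):
        self.max_failures = max_failures        # assumed policy values,
        self.window_ms = window_ms              # not taken from the article
        self.base_lockout_ms = base_lockout_ms
        self.failures = defaultdict(deque)      # account -> recent failure times
        self.lockouts = defaultdict(int)        # account -> lockouts so far
        self.locked_until = {}                  # account -> unlock time

    def allowed(self, account, now_ms):
        return now_ms >= self.locked_until.get(account, 0)

    def record_failure(self, account, now_ms):
        recent = self.failures[account]
        recent.append(now_ms)
        while now_ms - recent[0] > self.window_ms:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.lockouts[account] += 1
            delay = self.base_lockout_ms * 2 ** (self.lockouts[account] - 1)
            self.locked_until[account] = now_ms + delay
            recent.clear()

    def record_success(self, account):
        # A correct login clears the account's failure history and lockout level.
        self.failures.pop(account, None)
        self.lockouts.pop(account, None)
        self.locked_until.pop(account, None)

def guesses_reaching_check(rate_per_min, minutes, throttle, account="alice"):
    """Replay a steady stream of wrong guesses; count those actually evaluated."""
    interval_ms = 60_000 // rate_per_min
    checked = 0
    for i in range(rate_per_min * minutes):
        now_ms = i * interval_ms
        if throttle.allowed(account, now_ms):
            checked += 1
            throttle.record_failure(account, now_ms)
    return checked

if __name__ == "__main__":
    # 50 guesses per minute for 10 minutes = 500 attempts against one account.
    print(guesses_reaching_check(50, 10, LoginThrottle()))
```

Throttling of this kind only limits online guessing against the login form; it does nothing once a database of password hashes has been stolen and is attacked offline.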

Phishing

Phishing is another of the most commonly used tools hackers use to
acquire user IDs and passwords. Phishing is the attempt to acquire sensitive
information such as usernames, passwords, and credit card details (and
sometimes, indirectly, money), often for malicious reasons, by
masquerading as a trustworthy entity in an electronic communication.

Phishing is perhaps the oldest tool used by cybercriminals to trick
the victim into divulging his/her login credentials. Most trojans and
malware are planted through phishing. Hackers create cloned websites
or fake internet addresses where you are asked to fill in your username
and password details.

Spider attack

Another hacking tool is the Spider attack. Just as the name suggests,
hackers crawl your website like a spider and collect all the
common information. Cybercriminals normally use spider attacks to
target healthcare firms for identity and financial information about
their consumers.

A spider is a tool that crawls a website looking for all the available
content. Here are a few ways cybercriminals employ to steal
information:

– Static Content
– Dirbuster
– HTTP Method
– Ascension Fuzz
– Query Fuzz
– Cookie Fuzz
– Robots.txt / Sitemap.xml
– RIA Checks
– UserAgent
– Regexp path/url
– Public cache search
– /status

Keylogger attack

This hacking tool is very similar to phishing and is generally spread
through malware infection. The victim is usually trapped into
installing a keylogger on his/her PC/laptop by clicking on an
attachment sent via a spurious phishing mail. The moment you
download the attachment, it scans through your browser and installs
itself in the root directory. Once installed, the keylogger records
all your Internet activity, which is relayed back to the command and
control servers.

Rainbow Table

While you might think of a Rainbow Table as eclectic colorful furniture,
it is a sinister form of stealing your credentials. The Rainbow
Tables that we are talking about are used to crack passwords and are
yet another tool in the hacker’s ever-growing arsenal.

This method requires a good knowledge of computers and coding. Rainbow
Tables are basically huge sets of precomputed tables filled with hash
values that are pre-matched to possible plaintext passwords. The
Rainbow Tables essentially allow hackers to reverse the hashing
function to determine what the plaintext password might be. It’s
possible for two different passwords to result in the same hash so
it’s not important to find out what the original password was, just as
long as it has the same hash. The plaintext password may not even be
the same password that was created by the user, but as long as the
hash is matched, then it doesn’t matter what the original password
was.

The use of Rainbow Tables allows passwords to be cracked in a very
short amount of time compared with brute-force methods. However, the
trade-off is that it takes a lot of storage (sometimes terabytes) to
hold the Rainbow Tables themselves. Storage these days is plentiful
and cheap, so this is not a big issue for hackers. You can also get
precomputed Rainbow Tables for cracking passwords of vulnerable
operating systems such as Windows XP, Vista, Windows 7, and
applications using MD5 and SHA1 as their password hashing mechanism
(many web application developers still use these hashing algorithms).
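Why precomputation works against unsalted MD5 and fails against a salted, iterated hash, as an added example that is not part of the original article. The dictionary below is a plain hash-to-password lookup standing in for a real rainbow table (which compresses the same idea with hash chains); the candidate list, function names and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the coverage of a precomputed table.
CANDIDATES = ["dog", "doggie", "doggy", "letmein"]

def md5_hex(password):
    """Unsalted MD5, the weak storage scheme the article mentions."""
    return hashlib.md5(password.encode()).hexdigest()

# Built once, then reusable against every database that stores unsalted MD5.
PRECOMPUTED = {md5_hex(p): p for p in CANDIDATES}

def lookup(stored_hex):
    """Return the matching plaintext if the hash is in the table, else None."""
    return PRECOMPUTED.get(stored_hex)

ITERATIONS = 600_000  # assumed work factor; tune for your hardware

def hash_password(password, salt=None):
    """Hardened form: random per-user salt plus PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def demo():
    weak = md5_hex("doggy")                 # what an unsalted database stores
    salt1, strong1 = hash_password("doggy")  # two users, same password
    _salt2, strong2 = hash_password("doggy")
    return {
        "unsalted_recovered": lookup(weak),
        "salted_recovered": lookup(strong1.hex()),
        "same_password_same_hash": strong1 == strong2,
        "verifies": verify_password("doggy", salt1, strong1),
    }

if __name__ == "__main__":
    print(demo())
```

Because each user's salt is different, a table would have to be rebuilt per user, which removes the time saving the article describes.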

