Hacking: A 101 Hacking Guide (2015)
Chapter 5: Hacking Passwords
A common joke that periodically surfaces on the web concerns a set of password requirements and runs something like this: please enter your new password, and remember that it must include both lower case and upper case letters, a number, a symbol, and a single strand of hair from a unicorn. While most passwords don’t have requirements quite this bad, companies have a good reason to require strong passwords.
One way that hackers obtain passwords is by using a company’s social media information to contact employees, by phone or email, with some excuse for why they need the password. Sometimes they will even impersonate a particular individual who works for the IT department. Uninformed employees will often provide that password information, throwing the door wide open for a hacker.
The best way to prevent this from happening is to train employees to contact IT anytime such an information request is received, and never to give their password out. Another measure is to remove IT staff information from public forums, such as company websites. If that information is out there, hackers can easily impersonate an IT representative to convince employees to provide them with their password.
Shoulder surfing is just what it sounds like: looking over someone’s shoulder to see what password they are typing in. Sometimes the observer will watch the eye movements of the person typing in their password to see if they are looking for a reminder, such as a family photo, poster, or object.
This can be prevented by asking someone to step back when you are typing in your password, leaning slightly to the side to block their line of sight, or installing a privacy filter on the monitor. Employees also need to be firmly reminded to not base their passwords on visible items in their work area.
Remote keystroke logging is a devious method of getting passwords. Basically it records all the keystrokes that are entered, storing them in a log file that can be accessed later. Note that some antivirus programs will recognize that a keylogger is running, but not all. It is usually recommended that you inspect each computer individually. Also be aware that keyloggers may be installed as malware, which is why many companies no longer allow employees to download and install their own software.
Physical keyloggers are inserted between the keyboard and the computer, making them easy to spot. The most dangerous keyloggers out there are the software keyloggers.
There are quite a few software-based keyloggers out there, but most free keyloggers lack a vital feature: stealth mode, so that users don’t know it’s running. You might want to check out the free version of REFOG, which is software that captures keystrokes, clipboard contents, visited websites, and what programs were run.
Another method of figuring out someone’s password is simply guessing, based on what the attacker can tell about the person, including items on their desk or in their line of sight, birthdays of family members, names of pets, etc. That is why we are often burdened with what seem like outrageous password requirements: to prevent others from simply guessing our password.
Weak Authentication Requirements
Many older operating systems could bypass the login requirements by pressing Escape, and some newer systems will allow you to log in to the physical computer but not the network by pressing a certain key. Phones and tablets without a password are also wide open to such simple attacks. These are known as weak authentication requirements. Passwords that are too simple, or contain words from the dictionary or maybe your username, are also examples of weak authentication.
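The weak-password cases named above (too simple, containing a dictionary word or the username, or based on guessable personal items) can be rejected when a password is set. The following is an added example, not code from the book; the function names, the 12-character minimum, the three-of-four character class rule, and the small word list are assumptions made for illustration.

```python
import re

# Constructed sample word list; a real deployment would load a full dictionary
# plus lists of vendor-default and previously breached passwords.
SAMPLE_WORDS = {"password", "dragon", "monkey", "welcome", "summer", "admin"}

# Common character substitutions, undone before any comparison so that
# "P@ssw0rd" is treated the same as "password".
LEET = str.maketrans("0134578@$", "oieastbas")

def normalize(text):
    """Lowercase, undo common substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def check_password(password, username, personal_terms=(),
                   words=SAMPLE_WORDS, min_len=12):
    """Return the reasons a password is weak; an empty list means accepted."""
    problems = []
    if len(password) < min_len:  # assumed minimum length
        problems.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("too few character classes")
    norm = normalize(password)
    user = normalize(username)
    if len(user) >= 3 and user in norm:
        problems.append("contains username")
    # Pet names, family names and items visible at the desk are easy guesses.
    for term in personal_terms:
        t = normalize(term)
        if len(t) >= 3 and t in norm:
            problems.append(f"contains guessable term: {term}")
    hits = sorted(w for w in words if w in norm)
    if hits:
        problems.append("contains dictionary word: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user, terms in [("P@ssw0rd2015!", "jsmith", ()),
                            ("jsmith-Summer15", "jsmith", ()),
                            ("Rex2009", "akhan", ("Rex",)),
                            ("vK9#tLq2!zWm7x", "jsmith", ())]:
        print(pw, "->", check_password(pw, user, terms) or "accepted")
```

Note that the first sample passes a classic "upper case, lower case, number, symbol" rule and is still rejected, because the substitutions are undone before the dictionary comparison.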
Password Cracking Software
There are many software tools out there for assistance in cracking passwords, such as Ophcrack or John the Ripper. There are also websites that list default passwords that come with well-known software, and dictionaries of words that can be used in cracking a password. That’s why some password requirements insist that you don’t use words that can be found in the dictionary!
Ophcrack Walkthrough: http://pcsupport.about.com/od/toolsofthetrade/ss/ophcracksbs.htm
Default Passwords: https://cirt.net/passwords
Refog Keylogger: http://www.refog.com/
John the Ripper: http://www.openwall.com/john/