Experts say that businesses no longer trust security with traditional passwords. It is time to move to multi-factor authentication (FTA), biometrics and single sign-on (SSO) technology. According to Verizon’s recent data breach investigation report, 81 percent of data-breach incidents involving hacking was related to loose or spilled passwords.
Let’s start by talking about password hacking technology. The hacking method may vary depending on whether the target is a corporation, an individual, or the general public, but the results are always the same. It ends with a hacker’s victory.
Password Hash
Detecting Passwords through File Leak If all the corporate passwords are stolen at once, this is because the password file has been leaked. Some companies write passwords literally and keep them in the form of text files, while some more security-sensitive companies set hashs in password files. Verizon’s CISO Brian Kontos said that using hash files can protect passwords for enterprise-certified platforms such as domain controllers, LDAP, and Active Directory.
Even hashes are no longer safe. The hash shuffles the password. To verify that the password is correct, the login system scrambles the user’s password and compares it with the existing hashed password.
Attackers attempting to exploit these hash password files use a “rainbow table” to decrypt the hash with a simple search operation. They can also buy hardware specifically for password cracking, lease public cloud space such as Amazon and Microsoft, or create or rent botnets for processing.
Even if the attacker is not a password cracking expert, you can outsource any of these tasks. “You can rent these services for hours, days, or weeks, and these services usually come with support,” said Kontos.
As a result, the time taken to solve the hashed password is getting shorter. Even the passwords, which until now have been considered quite secure. “If you get a firsthand look at how people set up their passwords, you’ll probably be able to decipher 80-90% of your passwords in 24 hours, and if you have enough time and resources, there’s no password you cannot solve in the world. How many hours does it take to complete this process, or how many days or weeks does it take? ”
This is especially true of human-generated passwords, not randomly generated passwords. It is true that long passwords in sentences are convenient and more secure for users to remember, but they do not replace powerful MFA.
Hash file leaks are especially lethal because all work is done on the attacker’s computer. If a hash file is leaked, you do not even have to enter the trial password into your website or application.
Justin Angel, a security researcher at Coalfire Labs, said, “We prefer Hashcat. We decrypt the passwords through a cryptographic hash algorithm using a number of graphics processing units along with a dedicated password decryption machine. In this way, we can restore thousands of passwords during the day. ”
Attacking on a large scale with botnets When attacking a
large public Web site, attackers use a botnet to try various passwords and ID combinations. It uses a list of stolen login information from other websites and a list of passwords that people commonly use.
According to Philip Lieberman, CEO of Lieberman Software Corp., it is not difficult to get such a list, and you can buy it for free or for a very small amount. And it contains login information for about 40% of all Internet users. “We have a massive database of login information that can be exploited by criminals because of information leaks from big companies like Yahoo,” Riverman said.
And the password information is longer than expected. “There are still a few users who do not change their existing passwords after an information leak,” said Roman Blakman, CTO of Preempt Security.
For example, let’s say that attackers targeted banks. If you try to log in multiple times to the same bank account, the security system will work at once to block login attempts or other security issues.
“Attackers who know this are trying to log in by choosing one of the most popular passwords, along with spoofed e-mail addresses,” said Lance Cottrell, senior researcher at Ntrepid Corp. ” And then try to hack it by typing in a typical password, which prevents any account from failing to log in multiple times. ”
A few days later they try the same thing, this time with a different password. “Because we use botnets from millions of infected computers, we do not notice that all of these login attempts are actually being done from one source on the target website,” he added.
Companies are increasingly aware of this problem and looking for a solution. A third-party authentication service that logs in using an account such as LinkedIn, Facebook, or Google will reduce the number of passwords the user must remember. Two-factor authentication (2FA) is already widely used by cloud developers, financial services websites, and major retailers.
“Standard organizations are also actively involved in this issue,” said James Betke, a security researcher at SecureWorks. In June, NIST published its updated Digital Identity Guidelines, which focuses exclusively on this issue.
“This guideline recognizes that setting a complex password and changing it on a regular basis can actually make your password more vulnerable because the users who are sick and tired of managing and remembering the password Because we reuse it or reuse it in a predictable pattern. “