- 6/21/2025
🔒 Ever wondered how a bad actor breaches your passwords? In this video, we unpack 5 real-world attack methods hackers use:
Guessing — using common or personal details
Harvesting — through phishing or malware keyloggers
Cracking — reversing hashed databases
Spraying — trying one password across many accounts
Credential stuffing — reusing known breaches across systems
Plus, learn pro tips to defend yourself: strong passwords, MFA, password managers, passkeys, rate-limiting, and more.
💡 Arm yourself and make it harder for hackers.
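Cracking, as listed above, does not reverse the hash: the attacker hashes a guess the same way the store did and compares. The Python below is an added example, not code from the video or its author. It builds a tiny constructed "leaked" password store (made-up users and passwords, no real breach data) and a constructed wordlist, then runs the compare loop two ways: against unsalted SHA-256, where one hash of a candidate tests it against every account at once, and against the same passwords stored with a per-user random salt, where the work has to be redone for every account. All names, passwords and salts here are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed plaintexts used only to build the sample store; the attacker in
# this scenario never sees them.  Not from any real breach.
PASSWORDS = {
    "alice": "password1",
    "bob": "Summer2025",
    "carol": "x7!Qz9#mLp2$",  # not in the wordlist: stays uncracked
}

# Constructed stand-in for a public "common passwords" list.
WORDLIST = ["123456", "password", "password1", "qwerty", "Summer2025", "letmein"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def salted_hex(text: str, salt: bytes) -> str:
    return hashlib.sha256(salt + text.encode()).hexdigest()


# Scenario 1: the store hashed passwords without a salt.
LEAKED_UNSALTED = {user: sha256_hex(pw) for user, pw in PASSWORDS.items()}

# Scenario 2: same passwords, but each user got a random 16-byte salt that
# leaked alongside the hash (salts are not secret; they only stop shared work).
SALTS = {user: os.urandom(16) for user in PASSWORDS}
LEAKED_SALTED = {user: salted_hex(pw, SALTS[user]) for user, pw in PASSWORDS.items()}


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Hash each candidate once and look it up against every stored hash.

    Returns ({user: recovered_password}, number_of_hash_operations).
    """
    users_by_hash = {}
    for user, digest in leaked.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked, work = {}, 0
    for candidate in wordlist:
        work += 1
        digest = sha256_hex(candidate)
        # One hash computation tests the candidate against the whole store,
        # and users who chose the same password fall together.
        for user in users_by_hash.get(digest, []):
            cracked[user] = candidate
    return cracked, work


def crack_salted(leaked: dict, salts: dict, wordlist: list) -> tuple:
    """With per-user salts the candidate must be re-hashed for every account."""
    cracked, work = {}, 0
    for user, digest in leaked.items():
        for candidate in wordlist:
            work += 1
            if hmac.compare_digest(salted_hex(candidate, salts[user]), digest):
                cracked[user] = candidate
                break  # this account is done; move on to the next one
    return cracked, work


if __name__ == "__main__":
    found, ops = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted: cracked {found} with {ops} hash operations")
    found, ops = crack_salted(LEAKED_SALTED, SALTS, WORDLIST)
    print(f"salted:   cracked {found} with {ops} hash operations")
```

The salt multiplies the attacker's work by the number of accounts but does nothing for a single weak password that is on the list; that is why the defensive tips (checking new passwords against known-breached lists, favouring length) matter even when the store is hashed properly. A real store should also use a deliberately slow password hash rather than plain SHA-256, which is used here only to keep the example short.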
#PasswordSecurity #CyberSecurity #LearnHacking #EthicalHacking #Infosec
#PasswordCracking
#CredentialStuffing
#SprayingAttack
#PasswordHarvesting
#MultiFactorAuthentication
#Passkeys
#ThreatIntelligence
#HowHackersWork
#CyberAwareness
#SecurityTips
#DefenseInDepth
#TryHackMe
#HackTheBox
#KaliLinux
#NmapTutorial
#BurpSuite
#Pentesting
#CyberDefense
#HackingForBeginners
#WhiteHatHacker
#CyberMindLab
#USCyberSecurity
#SecurityTools
#CTFChallenges
#HackingLegally
#TechEducation
Category: Tech
Transcript
00:00 Have you ever wondered how a bad guy hacks your password?
00:05 It's a big problem.
00:06 In fact, according to both IBM's Cost of a Data Breach Report and the X-Force Threat
00:11 Intelligence Index, stolen, misused, or otherwise compromised credentials are the number one
00:16 attack type.
00:17 There are lots of ways this is done, but in this video, I'm going to focus on five different
00:22 approaches they use—guessing, harvesting, cracking, spraying, and stuffing.
00:27 And don't worry that I'm giving away any secrets, because the bad guys already know this stuff.
00:32 My purpose is to arm the good guys with this knowledge and provide some tips at the end
00:36 on what you can do to prevent this from happening to you.
00:40 Let's start first with password guessing.
00:43 So here we have a bad guy who's going to try to hack into this system, and he's going to
00:49 posit some particular guess into the system.
00:52 Well, what is he going to base that guess on?
00:54 Well, it might just be out of his imagination.
00:57 It might be just knowledge about the individual whose system this is.
01:02 It could be because he walked by where their laptop was and saw a yellow sticky on the system.
01:08 We refer to these things as the PC sunflower because people collect a lot of those around
01:12 their systems, and he just reads a password off of that.
01:15 So there are a lot of different things they could base this on.
01:17 And one other possibility is they use a password database.
01:22 That is, when systems have been cracked in the past, sometimes we get to find out what
01:27 all those passwords were in the password database in the clear.
01:31 And those are made available publicly on the internet, and attackers can use that.
01:36 So anything the attacker can do to make a more intelligent guess, those would be the different
01:41 items that they would consider.
01:44 Well, if it's a guessing attack, they're then going to try to log in.
01:48 And if they're wrong, okay, then they try again.
01:51 And if they're wrong again, in most systems you get three strikes and you're out.
01:55 So that's the problem.
01:57 And that's the reason, by the way, that those three-strikes policies are in place.
02:01 So someone can't just keep guessing over and over and over again.
02:04 So usually he's going to get three guesses and then the account will be locked out.
02:07 So unless this is a really good guess, that's probably not a very effective way to do things.
02:13 Now another approach would be harvesting.
02:16 This is where the attacker is going to actually know what the password is, and it's not a guess.
02:21 In a harvesting attack, and there are a number of different ways this could occur, but one
02:25 is they install some sort of malware on this system.
02:29 That malware we call a keylogger.
02:31 And everything that's typed on this system then is sent to this guy.
02:37 It's either stored locally and then later he retrieves it, or it's sent in real time.
02:41 But that keylogger, or an information stealer, info stealer, whatever you want to call it,
02:46 is something that's recording everything they type, including passwords.
02:49 So that could be fed directly into this guy, and he knows exactly what to enter.
02:54 So obviously we need to keep this system clean so that it doesn't have that kind of malware
02:59 on it.
03:00 Another thing that could happen is through a phishing attack.
03:03 Where this user is convinced to log into some particular website, and then the website is
03:09 a fake.
03:10 They think it's a real one and they type in their credentials there, and then those flow
03:14 here.
03:15 In either of these cases, the bad guy has just harvested the information and can now log in
03:22 directly.
03:23 OK.
03:24 Now let's take a look at another technique we call cracking.
03:27 In password cracking, what the attacker is going to do is start with a database of stored
03:34 passwords.
03:35 Maybe he logs into the system, hacks into a system and pulls out that database where all
03:40 the passwords are stored.
03:42 And he extracts those.
03:44 But here's the thing.
03:45 Assuming they did a decent job of security, these passwords are hashed.
03:50 That is, using a special one-way encryption technique that cannot be reversed.
03:55 So they're not readable in any normal sense.
03:58 And there are going to be a number of these hashed passwords that now the attacker has available
04:04 to them.
04:05 But in and of themselves, in the hashed form, they're no use.
04:09 So what can he do in order to reverse what is an irreversible encryption?
04:14 Well, you can't.
04:15 But you can back your way into discovering what the original password was.
04:19 And the way that gets done is you start with, again, a different type of guess.
04:24 Now what you would do maybe is take one of these databases of publicly known available
04:30 common passwords.
04:32 Or you could use a password dictionary.
04:34 Those are also available on the internet.
04:37 So you can find a lot of different ways.
04:39 Or, in the worst case, you start doing a brute force where you try every single possible password
04:44 combination.
04:45 But you use some source to pull out a cleartext password that you can read.
04:50 And you hash it in the same way as these passwords are hashed.
04:56 Then you just do a comparison and say, is this equal?
04:59 Well, if it's not, then I move on.
05:02 Is it equal?
05:03 Is it equal?
05:04 Is it equal?
05:05 And then if it is, then I didn't have to know what the original password was.
05:09 I didn't have to break the encryption.
05:11 What I did was I figured out what my guess was, and I knew that it matched.
05:16 So therefore, I know I have found the right password.
05:19 That's a way of cracking a password.
05:21 Our fourth type of technique is called password spraying.
05:25 And in password spraying, again, we need to start off with an attempt, a guess.
05:30 Now, again, we could get this maybe from this publicly available information.
05:35 It could be a lot of other sources, but we're going to start off with a guess.
05:38 And what we're going to do is, across a particular system, there will be multiple accounts.
05:44 So we have account one, account two, and so forth.
05:48 So all the way down to account N. So lots of accounts on this system.
05:53 And what we're going to do is we're going to take that password that we have as a guess
05:58 and we're going to try it here and see if it works.
06:01 And if it does, of course, we're in.
06:03 If it doesn't, try it down here.
06:06 Then try it down here.
06:07 Try it for all of these.
06:08 That's why it's called spraying, because we're spraying it across all of the different accounts
06:12 within a particular system.
06:14 And the attacker, think about it from their perspective.
06:17 They don't necessarily need to get into account two or account one.
06:22 Their goal is just to get into anything.
06:24 So they'll take any password and try it across all of these until they finally get a hit.
06:30 And why does this work?
06:32 Well, because people tend to use the same passwords again and again.
06:36 So something that is in this publicly available database that was based on a previous breach,
06:42 probably someone, if it's a common password, someone has used that password on this system
06:46 as well.
06:47 So it's a good place to start with guessing.
06:50 And in that guessing, again, the advantage to spraying is it avoids the three-strikes penalty.
06:57 We're only doing one attempt.
06:58 If it doesn't work, we move on to the next account.
07:01 Then we move on to the next account and the next account and so forth.
07:04 So that way, unless someone is really looking hard, they're not going to even know that they're
07:09 under attack, because it flies slow and low below the radar.
07:14 A similar type of attack is credential stuffing, which is the same kind of idea; it's just
07:19 a variation on a theme.
07:21 In this case, we're going to take our password guess and we're going to try it across, not
07:27 multiple accounts, but multiple systems.
07:30 So I'll try it across a particular, if this is system one and then system two, system N,
07:39 I'm going to try this on this particular system.
07:44 And if it works, again, I'm in.
07:46 If it doesn't, I move on and I move on.
07:50 That's what the attacker is going to do in this case.
07:52 Now again, very similar to spraying, but notice the difference is these are across different
07:56 systems.
07:57 This is across a single system.
07:59 So same concept.
08:01 This one is even harder to detect, because probably the person that is responsible for security
08:06 on this system may not be the same one that's responsible on this system.
08:10 So they may not be able to monitor and look across all of these.
08:13 So here again, we're leveraging these well-known bad passwords and guessing across these
08:20 systems.
08:21 Okay.
08:22 Now we've taken a look at five different types.
08:23 There are other ways as well, but at least we've taken a look at these.
08:26 Now what can you do to prevent this from happening?
08:29 How can you keep from being a victim?
08:31 Well, there are three things that we do in cybersecurity.
08:34 We do prevention, detection, and response.
08:37 So let's first take a look at some things you can do for prevention.
08:40 So one of the prevention things we can do is test password strength.
08:45 So when someone types a password into your system, you ought to be able to test and see
08:50 if it's got the right level of complexity to it.
08:52 Don't make it too complex, because then people just have to go write it down.
08:56 But some level of complexity and length.
08:58 And by the way, length is strength when it comes to passwords.
09:00 So longer is probably even better than complexity.
09:05 Also check it against a database, like we've talked about before, of these known passwords,
09:09 known vulnerable passwords, and make sure it doesn't match any of those.
09:13 If you can, test and see that someone is using a different password across multiple systems.
09:18 So there are a lot of things you can do there.
09:20 And to that last point, something you can do to encourage people to use multiple passwords
09:25 and complex, long passwords is to use a password manager or a password vault, some sort of secrets
09:31 management system if you're looking at this on an enterprise level, or a password manager
09:36 if you're talking about it on a personal level.
09:39 Here the system can generate strong passwords for you and keep track of all of those for
09:43 you.
09:44 And also it will encourage you, so that you're less likely to use the same password
09:49 across multiple systems, therefore reducing your attack surface.
09:53 Another thing is to use multi-factor authentication.
09:57 Don't rely just on a password.
09:59 Look for other things, not just something you know: something you are, something you have.
10:03 So maybe a message to your phone or a biometric like a Face ID or something along those lines.
10:10 What's the best way to not get your password stolen, though?
10:13 Don't have one.
10:14 Don't have a password.
10:15 Get rid of passwords and go with passkeys.
10:18 Sounds like the same sort of word, but it's a lot different.
10:21 The solution is a lot stronger.
10:23 It's based on cryptographic techniques.
10:25 I won't get into the details of it, but if you have an option to choose passkeys, do it.
10:31 And then the last one I'll mention in terms of prevention is rate limiting.
10:35 We want to make sure that someone isn't able to just flood our system with tons and tons
10:39 of password logins.
10:41 You want to baseline and understand what is a normal level of traffic for people trying
10:46 to log in, and don't accept it if all of a sudden you have just a burst of login attempts that
10:51 don't make any sense.
10:52 Okay, then moving to detection.
10:55 What can we do there?
10:56 Well, I'd like to look for a couple of different situations based upon spraying and credential
11:01 stuffing.
11:03 One is multiple failures over time.
11:05 I want to see if I'm seeing an increase in the number of failures over a given interval
11:11 of time.
11:12 Now, if an attacker is really smart, they'll spread this out over a really long time.
11:16 But if they're not, then you might just suddenly see a whole bunch of attack attempts, and you
11:21 would want to flag that and then take some action, which we'll talk about in a second.
11:25 Also, another thing you could be looking for is multiple failures over the account space.
11:31 So on a particular system, you will be looking for: did I have a failure on one account,
11:36 then another account, then another account, and another account?
11:39 That would be a surefire sign that we're looking at a password spraying attack.
11:44 By the way, patent pending on that one.
11:46 So stay tuned.
11:48 Now let's move on to the response side.
11:51 What could you do on this?
11:52 Once you've discovered that you're under attack, what should you be doing?
11:56 Well, one of the things you want to do is block suspicious IPs, IP addresses, because
12:02 you know if you're seeing tons of logins from one place all at one time, that's probably
12:06 a bad actor.
12:07 So let's just block that IP.
12:10 Disable compromised accounts is another.
12:13 Once we know that an attack has occurred, we should go back and look and see if maybe
12:18 that one password that was attempted across lots of different ones and then suddenly worked
12:22 on one, okay, that was a spraying attack, and the one that got logged into is probably suspicious
12:28 at this point.
12:29 So maybe we want to block that until we can do an investigation.
12:32 And then ultimately, if we know an account has been compromised, we lock it out, we force
12:38 a password change.
12:39 So that way the attacker can't use the information that they already have to get into the system.
12:45 So there you have it.
12:46 Lots of ways for attackers to get in and lots of ways for you to keep them from doing it.
12:51 Do these things and you'll make life a lot harder for the bad guys.
12:55 And that's how we want it to be.
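The detection and response ideas at the end of the video (failures over time against one account, failures spread over the account space from one source, and then treating a login that succeeds right after a spray as the compromised account) can be turned into a small log-analysis routine. The Python below is an added example, not code from the video or its author. The log format, the field names, the thresholds and the twelve log lines are all constructed for the example; the addresses come from the RFC 5737 documentation ranges. It shows the point the video makes: each sprayed account sees a single failure and never trips a three-strikes lockout, so only counting distinct accounts per source catches it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source hammering a single account, one source trying
# one guess across many accounts and finally getting in, and one ordinary user
# who mistyped once.  Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
2025-06-21T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-06-21T10:00:09Z src=203.0.113.7 user=alice result=FAIL
2025-06-21T10:00:20Z src=203.0.113.7 user=alice result=FAIL
2025-06-21T10:00:33Z src=203.0.113.7 user=alice result=FAIL
2025-06-21T10:01:02Z src=192.0.2.5 user=heidi result=FAIL
2025-06-21T10:01:15Z src=192.0.2.5 user=heidi result=OK
2025-06-21T10:02:00Z src=198.51.100.23 user=bob result=FAIL
2025-06-21T10:02:45Z src=198.51.100.23 user=carol result=FAIL
2025-06-21T10:03:30Z src=198.51.100.23 user=dave result=FAIL
2025-06-21T10:04:15Z src=198.51.100.23 user=erin result=FAIL
2025-06-21T10:05:00Z src=198.51.100.23 user=frank result=FAIL
2025-06-21T10:05:45Z src=198.51.100.23 user=grace result=OK
""".strip().splitlines()


def parse(lines):
    """Return (timestamp, src, user, result) for every well-formed line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines the example format does not cover
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def max_distinct_in_window(items, window):
    """items: sorted list of (timestamp, key).  Largest number of distinct keys
    that fall inside any span of length `window` (sliding two-pointer scan)."""
    counts, best, left = Counter(), 0, 0
    for ts, key in items:
        counts[key] += 1
        while ts - items[left][0] > window:
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect(lines, window=timedelta(minutes=10), lockout_threshold=3, spray_accounts=5):
    """Flag brute force (many failures on one account), spraying (failures across
    many accounts from one source) and successes from a source seen spraying."""
    events = parse(lines)
    fails_by_user = defaultdict(list)  # user -> [(ts, unique id)]
    fails_by_src = defaultdict(list)   # src  -> [(ts, user)]
    for i, (ts, src, user, result) in enumerate(events):
        if result == "FAIL":
            fails_by_user[user].append((ts, i))   # every failure counts separately
            fails_by_src[src].append((ts, user))  # distinct accounts per source

    brute_force = sorted(
        user for user, items in fails_by_user.items()
        if max_distinct_in_window(sorted(items), window) >= lockout_threshold
    )
    spraying = sorted(
        src for src, items in fails_by_src.items()
        if max_distinct_in_window(sorted(items), window) >= spray_accounts
    )
    # A login that succeeds from a source already seen spraying is the account
    # the guess finally worked on: disable it pending investigation.
    suspect_success = sorted(
        (src, user) for ts, src, user, result in events
        if result == "OK" and src in spraying
    )
    return {"brute_force": brute_force, "spraying": spraying, "suspect_success": suspect_success}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The window and both thresholds are tuning knobs, not magic numbers; an attacker who spreads a spray over days will need a longer window, and in a real deployment the source key would usually combine address with other session attributes. Credential stuffing across unrelated systems is, as the video says, outside what any one system's logs can show; this routine only covers a single system's account space.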