Password cracking is one of the most enjoyable hacks for the bad guys. It fuels their sense of exploration and their desire to figure out a problem. A hacker can use low-tech methods to break and crack passwords. These methods include social engineering, shoulder surfing, and simply guessing passwords from information the hacker knows about the user or the company.
Shoulder surfing (the act of looking over someone’s shoulder to see what the person is typing) is an effective, low-tech password hack.
To mount this attack, the bad guys must be near their victims and not look conspicuous. They simply collect the password by watching either the user’s keyboard or screen when the person logs in.
An attacker with a good eye might even watch whether the user is glancing around his desk for either a reminder of the password or the password itself. Security cameras or a webcam can even be used for such attacks. Coffee shops and airplanes provide the ideal scenarios for shoulder surfing.
You can try shoulder surfing yourself. Simply walk around the office and carry out random spot checks. Go to users’ desks and ask them to log in to their computers, the network, or even their e-mail applications. Just don’t tell them beforehand what you’re doing, or they might try to hide what they’re typing or where they look for their password. Be careful doing this and respect other people’s privacy.
Encourage users to be aware of their surroundings and not to enter their passwords when they suspect that someone is looking over their shoulders. Teach users that if they believe someone is watching while they log in, they should politely ask the person to look away or, when needed, say something more forceful to show the shoulder surfer that they are serious.
It’s often easiest to just lean into the shoulder surfer’s line of sight to keep them from seeing any typing and/or the computer screen.
Inference is simply guessing passwords from information you know about users — such as their date of birth, favorite television show, or phone numbers. It sounds silly, but bad guys often determine their victims’ passwords simply by guessing them!
The best defense against an inference attack is to educate users about creating secure passwords that don’t include information that can be associated with them. Apart from certain password complexity filters, it’s often not easy to enforce this practice with technological controls. So you need a sound security policy and ongoing security awareness training to remind users of the importance of secure password creation.
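One of the few technological controls that does help here is a password filter that rejects anything derived from what is known about the user. The following is an added example, not code from the original article: a filter that collects the fragments an inference attack would try (username, name, e-mail local part, date of birth in common layouts, phone digits, stated interests) and refuses passwords containing any of them, including reversed and with common character substitutions undone. The profile, the substitution map and the minimum fragment length of four characters are all assumptions chosen for illustration.

```python
"""Reject passwords that could be guessed from a user's personal details (inference attack).

Added example; the profile below is constructed sample data, not a real person.
"""
from __future__ import annotations

import re
from datetime import date

# Substitutions people use to sneak a personal word past a naive filter (assumed map).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
_MIN_TOKEN = 4  # fragments shorter than this would cause too many false positives (assumption)


def _normalize(text: str) -> str:
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _date_tokens(birthdate: date) -> set[str]:
    """Common ways a date of birth gets typed into a password."""
    y, m, d = birthdate.year, birthdate.month, birthdate.day
    yy = f"{y % 100:02d}"
    return {
        str(y), f"{m:02d}{d:02d}", f"{d:02d}{m:02d}",
        f"{m:02d}{d:02d}{y}", f"{d:02d}{m:02d}{y}", f"{y}{m:02d}{d:02d}",
        f"{m:02d}{d:02d}{yy}", f"{d:02d}{m:02d}{yy}",
    }


def _phone_tokens(phone: str) -> set[str]:
    """Full digit string plus the last seven and last four digits."""
    digits = re.sub(r"\D", "", phone)
    tokens = {digits}
    if len(digits) >= 7:
        tokens.add(digits[-7:])
    if len(digits) >= 4:
        tokens.add(digits[-4:])
    return {t for t in tokens if len(t) >= _MIN_TOKEN}


def personal_tokens(profile: dict) -> set[str]:
    """Collect every fragment of the profile an attacker could guess from."""
    tokens: set[str] = set()
    for key in ("username", "first_name", "last_name", "company"):
        if profile.get(key):
            tokens.add(_normalize(profile[key]))
    if profile.get("email"):
        local = profile["email"].split("@", 1)[0]
        tokens.add(_normalize(local))
        tokens.update(_normalize(part) for part in re.split(r"[._\-+]", local))
    for item in profile.get("interests", []):
        tokens.add(_normalize(item))
        tokens.update(_normalize(word) for word in item.split())
    if profile.get("birthdate"):
        tokens.update(_date_tokens(profile["birthdate"]))
    if profile.get("phone"):
        tokens.update(_phone_tokens(profile["phone"]))
    return {t for t in tokens if len(t) >= _MIN_TOKEN}


def check_password(password: str, profile: dict, min_length: int = 12) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it passed."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    plain = _normalize(password)
    unleeted = _normalize(password.translate(_LEET))  # "Tr3k" -> "trek"
    for token in sorted(personal_tokens(profile)):
        if token in plain or token in unleeted or token[::-1] in plain:
            reasons.append(f"contains personal information: {token!r}")
    return reasons


# Constructed sample profile for demonstration only.
SAMPLE_PROFILE = {
    "username": "jsmith",
    "first_name": "John",
    "last_name": "Smith",
    "email": "john.smith@example.com",
    "birthdate": date(1985, 3, 14),
    "phone": "+1 (555) 867-5309",
    "company": "Example Corp",
    "interests": ["Star Trek", "Golden Retrievers"],
}

if __name__ == "__main__":
    for candidate in ("Smith1985!", "Tr3k_5t4r_2024!!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "accepted")
```

The filter runs only at password-set time, so it complements rather than replaces the awareness training the article recommends: it catches the obvious cases (a surname plus birth year, a pet name with digits swapped in) and leaves the rest to policy.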
The most popular low-tech method for gathering passwords is social engineering. Social engineering takes advantage of the trusting nature of human beings to get information that later can be used maliciously. A common social engineering technique is simply to con people into revealing their passwords. It sounds bizarre, but it happens all the time.
To obtain a password through social engineering, you just ask for it. For example, you can simply call a user and tell him that he has some important-looking e-mails stuck in the mail queue, and you need his password to log in and free them up. This is often how hackers and rogue insiders try to get the information!
A common flaw that can facilitate such social engineering is when staff members’ names, phone numbers, and e-mail addresses are posted on your company websites. Social media sites such as LinkedIn, Facebook, and Twitter can also be used against a company because these sites can reveal employees’ names and contact information.
User awareness and consistent security training are great defenses against social engineering. Security tools are a good fail-safe if they monitor for such e-mails and web browsing at the host level, the network border, or in the cloud.
Train users to spot attacks and respond effectively. Their best response is not to give out any information and to alert the appropriate information security manager in the organization to see whether the inquiry is legitimate and whether a response is necessary. Oh, and take that staff directory off your website, or at least remove IT staff members’ information.
External attackers and malicious insiders can obtain — or simply avoid having to use — passwords by taking advantage of older or unsecured operating systems that don’t require passwords to log in. The same goes for a phone or tablet that isn’t configured to use passwords.
On older operating systems that prompt for a password, you can press Esc on the keyboard to get right in. Okay, it’s hard to find any Windows 9x systems these days, but the same goes for any operating system — old or new — that’s configured to bypass the login screen.
After you’re in, you can find other passwords stored in such places as dial-up and VPN connections and screen savers. Such passwords can be cracked very easily using Elcomsoft’s Proactive System Password Recovery tool and Cain & Abel. These weak systems can serve as trusted machines — meaning that people assume they’re secure — and provide first-class launching pads for network-based password attacks as well.
The only true defense against weak authentication is to ensure your operating systems require a password upon boot. To eliminate this vulnerability, at least upgrade to Windows 7 or 8 or use the most recent versions of Linux or one of the various flavors of UNIX, including Mac OS X.
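Whether a system actually requires a password is something you can audit rather than assume. The following is an added example, not code from the original article: it walks /etc/shadow-style entries and flags accounts with an empty password field (which pam_unix admits without a password when configured with nullok), accounts still using md5crypt or traditional DES hashes (the kind that the tools named above crack quickly), and anything in an unrecognised format. The shadow lines and every hash value in them are constructed placeholders, not real credentials; the prefix-to-verdict mapping is an assumption based on the standard crypt(3) identifiers.

```python
"""Audit /etc/shadow-style entries for accounts that need no password or use a weak hash.

Added example; SAMPLE_SHADOW is constructed and its hash strings are placeholders.
"""
from __future__ import annotations

# crypt(3) identifiers: sha512crypt, sha256crypt, yescrypt, scrypt, bcrypt (assumed mapping).
_STRONG_PREFIXES = ("$6$", "$5$", "$y$", "$7$", "$2b$", "$2y$")
_WEAK_PREFIXES = ("$1$",)  # md5crypt


def classify_hash(field: str) -> str:
    """Map the second shadow field to a verdict a defender can act on."""
    if field == "":
        return "no password"  # login succeeds with an empty password under nullok
    if field.startswith(("!", "*")):
        return "locked"  # password login disabled; other auth methods may still apply
    if field.startswith(_WEAK_PREFIXES):
        return "weak hash (md5crypt)"
    if field.startswith(_STRONG_PREFIXES):
        return "ok"
    if len(field) == 13 and "$" not in field:
        return "weak hash (traditional DES crypt)"
    return "unknown hash format"


def audit_shadow(text: str) -> list[tuple[str, str]]:
    """Return (account, verdict) for every entry that is not 'ok'."""
    findings: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append((line, "malformed entry"))
            continue
        verdict = classify_hash(fields[1])
        if verdict != "ok":
            findings.append((fields[0], verdict))
    return findings


# Constructed sample; the hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
# constructed sample, not from any real system
root:$6$c0nstructedSalt$placeholderSha512CryptValueNotReal0000000000000000000000000000:19000:0:99999:7:::
kiosk::19000:0:99999:7:::
legacy:$1$c0nstrct$placeholderMd5CryptValue:18000:0:99999:7:::
svc:*:19000:0:99999:7:::
alice:$y$j9T$c0nstructedSalt$placeholderYescryptValue:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for account, verdict in audit_shadow(SAMPLE_SHADOW):
        print(f"{account}: {verdict}")
```

Run it against a copy of the real file (which needs root to read) as part of a build or compliance check; the "no password" and "weak hash" findings are the ones that map directly to the advice above to require a password at boot and move off systems whose stored credentials fall quickly to a cracker.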