Search Our Knowledge Base
What is Password Hacking?
Passwords are a key element of security and a familiar hurdle for anyone who's ever set up an account on a website, downloaded and installed an application that will track their private information, or otherwise done just about anything with an electronic device. While strong passwords go a long way to ensuring data security and confidentiality, insecure passwords make an attacker's job easy. For this reason, it's important to have a solid understanding of password hacking whether you're an application developer or a user of a website who wants to make sure your password is strong.
A Guide to Defending Against Password Hacking
Despite what Hollywood movies show us, the word "hacking" isn't synonymous with malicious intent, and many hackers are ethical in their actions. When it comes to password hacking, however, the term typically refers to attackers who will use the passwords they uncover to exploit further vulnerabilities in an application or a server or steal user data.
While password hacking can have severe consequences, it's relatively easy to defend against. In this guide, we'll go into detail about how password hacking works, talk about how to remove security vulnerabilities at the application level, take a look at what attackers do with stolen passwords, and share tips and tricks for creating a secure password that's hard to crack.
The Importance of Secure Passwords
One of the best things you can do as a user of the internet is to learn secure password best practices. Attackers often go after low-hanging fruit, using brute-force password-guessing software to crack into any account with weak passwords like "acb123" or "dogsaregreat." Although it might seem more secure to use your birthday, this technique is among the first thing attackers will try as birthdays can be gathered easily in many identity lookup services and matched with email addresses. Likewise, simply duplicating your username and placing that as your password is so easy to guess that most websites and applications won't even let you try.
Secure Password Tips
- Use long passwords. The longer your password is, the stronger it is (so long as you can remember it). “Complex” passwords (passwords containing mixed case, numbers, and other symbols) aren’t as important as longer ones. NIST recommends a minimum of eight characters for passwords, but you should try to choose much longer passwords or entire pass phrases. If you’re a systems designer or developer, try to ensure that your system will accept at least 64 characters for password fields.
- If longer passwords aren’t possible due to application limitations, then you might want to raise the complexity of your password by using a mix of upper-case and lower-case letters, numbers, and other symbols you can type (like punctuation). While not as good as choosing a longer password, this too can make your passwords harder to guess.
- Use basic cryptography. Simply typing your password one row higher on the keyboard or using an initialism for a longer phrase can make passwords much harder to guess. Don't go overboard with this technique, though, or you may forget your own password.
- Avoid reusing passwords or using patterns to generate passwords. If an attacker manages to guess or recover your password for one service, they will very likely try that password and variations on it to log into other services; using unique passwords for each service makes this much harder.
- Use a password manager. This allows you to remember one very strong password, while using long, random, unique passwords for every account.
- Use two-factor authentication whenever possible. There are three main kinds:
- U2F (Universal 2nd Factor) devices connect to your device, typically by USB. Services require both your password and the presence of the U2F device. An attacker would have to steal or copy your U2F device in addition to guessing your password. While these inexpensive devices are supported by many major services, they can be inconvenient to carry.
- TOTP (Time-Based One-Time Password) systems use an application, usually on a mobile phone, to generate 6-digit codes that change frequently. Services require your password and the current TOTP code. An attacker would need to steal or duplicate the data on your mobile phone in addition to guessing your password. There are several applications to choose from to manage your TOTP codes, and most are free of charge.
- SMS systems send a text message to a registered mobile phone number. An attacker would need to be able to read your text messages in addition to guessing your password. This is the least secure solution of the three due to weaknesses in the security of SMS, or the protocol for cellular text messages.
Another important password best practice is not to use the same password in multiple places. Although this is tempting, doing so means an attacker can potentially break into all your accounts at once with a single stolen password. A related habit that's good to follow is to change your passwords regularly. This way, if attackers somehow get hold of an old password, you won't be at risk.
How Secure Coding Practices Can Protect Your Users' Passwords
The importance of strong passwords can't be overstated. However, even the most secure password in the world is useless if an application has security vulnerabilities. Applications that expose sensitive user data are a gift to attackers, allowing them to easily grab any password they wish and use it to steal data or money from users. It's also important to guide your users to a secure password by implementing password strength meters and other techniques recommended by OWASP. To make sure flaws in your application are fixed as securely as possible, check out our free secure coding best practices handbook.
How Hackers Get Passwords
Now that we've covered how to protect yourself, let’s examine what attackers do to steal passwords. The phrase "password hacking" is vague. Attackers use many different strategies to uncover passwords and other sensitive data. NIST Special Publication 800-63B describes dozens of ways an attacker can steal passwords. Below, we've summarized the most common.
Remember those movies we talked about earlier? On the big screen, you'll usually see "hackers" portrayed as technology wizards with no social skills and advanced knowledge of arcane computing tricks. In reality, many passwords are stolen through "social engineering" techniques like phishing, where attackers trick users into clicking on links in official-looking, fake emails. Some attackers even impersonate customer support staff over the telephone to take people's passwords.
Attackers can use password-guessing tools (often called “password crackers”) to guess users’ passwords. These tools can guess every possible password permitted by your password policy (called “brute force cracking”), but it’s often more efficient to use specially crafted dictionaries to check commonly used passwords and likely variations on them. This is called a “dictionary attack”.
Protecting your service against online password-guessing – where an attacker uses an application’s user interface or API to guess user passwords “live” – is important. This can be done by limiting the number of guesses before a user is locked out, required to complete an additional verification step, or similar techniques that make it too slow and expensive for an attacker to make many guesses.
But it’s also important to defend against offline password-guessing – where an attacker obtains a copy of your password database entries and can guess passwords without any of your controls preventing them. There are many ways to defend against this, including properly storing your passwords (using a strong, slow, one-way hash built for that purpose, and adding a unique “salt” value to each stored password), routinely checking your own password database for easy-to-guess passwords and informing the users, and so on.
Another way attackers gain access to passwords is through the use of malware like keyloggers. These programs track every keystroke made on an infected computer, and attackers can easily find usernames and passwords, allowing them access to a victim's accounts. To protect yourself against these programs, make sure you only install trusted software on your device and run regular virus scans when appropriate.
Exploiting Insecure Code
User awareness of common attacks goes a long way to increasing data security. The other half of the coin is application security. When an application's developers haven't followed best practices or aren't aware of vulnerabilities in their code, attackers can easily steal passwords directly from an application.
Usernames and passwords are usually stored in databases, for example. If the SQL code that checks or retrieves these data doesn't properly sanitize input, attackers can use a SQL injection attack to break into the database itself. From there, they can download every user's password and username at the same time or simply bypass the need for a password and just go straight to accessing or erasing the confidential data that passwords are meant to protect.
It's also important to properly secure stored passwords in a way that no one can retrieve them. Weaknesses in the implementation of the one-way hash systems used to make passwords permanently unreadable have been a significant factor in many high-profile password breaches.
Veracode Security Solutions
The bottom line is that your users depend on your application to keep their data secure. Veracode offers a powerful cloud-based suite of application security utilities to help your developers check for insecure code and common security vulnerabilities. Our solutions are modular and can be integrated with development environments your organization already uses, making it easier than ever before to find and fix dangerous security risks in your code.
Contact us today to request a free demo of our solutions or learn about the five principles of secure DevOps with our free handbook.