Sunday, October 23, 2022

What Is Of Importance To The Cyberattacker When Hijacking Passwords

Ah yes, the password. I have written about this nemesis of ours on who knows how many occasions. But there is no need to rehash the past. Instead, this morning as I was perusing the news headlines for something to write about, I came across an article that does not dwell much on the mistakes people make when creating or resetting passwords, but rather discusses what the Cyberattacker does, from their standpoint, when they want to hack into something.

Apparently, some time ago, a listing of passwords was leaked to the public. But this was not any ordinary file - it was 100Gb in size and contained well over 8.4 billion different passwords that people use on an almost daily basis. This leaked file is known as “RockYou2021”. Through research conducted by Rapid 7, the following was discovered:

*Over a year-long period, Cyberattackers used that list to try to break into various servers on a global basis.

*From this list, 512,000 variations of these passwords were created.

*The above stats prove that the Cyberattacker is taking the easy route to get passwords that work. For example, the days of conducting dictionary-style attacks to get passwords are now over. Instead, password lists are available on the Dark Web for pennies on the dollar, and the Cyberattacker can use these instead to launch Credential Stuffing attacks. These passwords are real and valid.
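From the defender's side, the Credential Stuffing behaviour described in these findings has a recognisable shape in authentication logs: one source replays real username/password pairs against many different accounts in a short time, and most of those attempts fail. The following is an added example, not code from the article or from the Rapid 7 study; the log line format, the sample log lines (constructed), the five-minute window and the account/success thresholds are all assumptions chosen for illustration.

```python
"""Flag sources whose login pattern looks like credential stuffing.

Added example; the log format, sample lines and thresholds are constructed
assumptions, not anything from the original post or the Rapid 7 study.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <result>"
SAMPLE_LOG = """\
2022-10-23T08:00:01 198.51.100.7 alice FAIL
2022-10-23T08:00:02 198.51.100.7 bob FAIL
2022-10-23T08:00:02 198.51.100.7 carol FAIL
2022-10-23T08:00:03 198.51.100.7 dave SUCCESS
2022-10-23T08:00:04 198.51.100.7 erin FAIL
2022-10-23T08:00:05 198.51.100.7 frank FAIL
2022-10-23T08:00:30 203.0.113.5 alice FAIL
2022-10-23T08:00:45 203.0.113.5 alice SUCCESS
2022-10-23T09:30:00 198.51.100.7 grace FAIL
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for every source that,
    inside some sliding time window, tried at least `min_accounts` different
    usernames with a success ratio at or below `max_success_ratio`.

    A legitimate user who mistypes a password hits one account repeatedly;
    a stuffing run hits many accounts once each, which is what this keys on.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e[2] for e in window_evs}
            successes = sum(1 for e in window_evs if e[3] == "SUCCESS")
            ratio = successes / len(window_evs)
            if len(users) >= min_accounts and ratio <= max_success_ratio:
                best = flagged.get(ip)
                # Keep the widest window seen for this source.
                if best is None or len(users) > best[0]:
                    flagged[ip] = (len(users), len(window_evs), successes)
    return flagged


if __name__ == "__main__":
    for ip, (users, attempts, ok) in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {users} accounts, {attempts} attempts, {ok} successes")
```

The one success inside the flagged burst is the important detail: a stuffing run that is working still produces mostly failures, so a rule that only alerts on repeated failures against a single account will miss it. Counting distinct usernames per source is what separates this pattern from a forgetful user.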

The bottom line here is that the Cyberattacker is not doing anything new to get passwords. Just get them from somewhere, and off you go.

In fact, since many people around the world still reuse the same password, or produce easy-to-guess modifications of it, cracking into a database and heisting passwords now takes only a very short period of time. We are not talking about hours; we are now talking about just minutes.

For example, back in 2021, a Cybersecurity researcher based in Israel claimed that he could heist network-based passwords stored in Wireless Access Points in just under a few minutes.

Part of the reason for this is that many of the end users who visited the public places where these Wireless Access Points were located simply used their smartphone numbers as their passwords, with or without the dashes. More information about these discoveries can be found at the link below:

https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks

As mentioned previously in this blog, many people do not take the time to create a strong password. They want to create one that is easy to remember; the following are a few examples:

*123456

*123456789

*qwerty

This can be clearly seen in the diagram below:

(SOURCE: https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks)

It should be noted here that many scientific studies of password usage have focused primarily upon the end user. This study conducted by Rapid 7 (as noted in this blog) is one of the first of its kind to focus on the kinds of passwords that the Cyberattacker likes to go after and reaches for first.

In fact, password guessing is still one of the favored threat variants that exist today, according to another Cyber firm known as ESET.

These studies have further indicated that the Cyberattacker is taking the path of least resistance when it comes to password cracking. But, interestingly enough, hackers are not using the entire RockYou2021 list. Instead, they are just taking a handful. Why is this the case?

It has been hypothesized by Cyber researchers that since the bulk of the passwords are the same as the ones listed above, or some easy variation of them, there is no need to use every password on that list (plus it would take a very long time to go through all of them, even with automated tools). Simply put: a small, representative sample of passwords can and does represent the entire set.

The Rapid 7 study also examined the kinds of passwords the Cyberattacker tries when attempting to gain access to Privileged Accounts. Examples include the following:

*administrator

*user

*admin

*nproc

In other words, the Cyberattacker is relying on the old-fashioned concept of using “a little a lot.” And if it is paying off, why not use this approach? There is no need to waste extra time and resources trying different, more difficult variants of the above passwords.
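If a small list plus cheap variations is what gets tried first, the defensive counterpart is a password check that refuses exactly that: the common passwords listed above, the privileged-account names, their trailing-digit and character-substitution variants, and the phone-number-shaped passwords from the Wireless Access Point story. What follows is an added example, not code from the article, from Rapid 7 or from ESET; the tiny denylist (a real deployment would load a full breached-password set), the variant rules, the phone-number heuristic and the 12-character minimum are all constructed assumptions.

```python
"""Screen a candidate password against the short list an attacker tries first.

Added example; the denylist, the variant-normalisation rules, the
phone-number heuristic and the length minimum are constructed assumptions,
not anything from the original post or the studies it cites.
"""
import re

# Constructed denylist: the most-tried passwords and privileged-account names
# quoted in the post. Real deployments use a full breached-password set.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password",
    "administrator", "user", "admin", "nproc",
}

# Undo the cheapest character substitutions that mangling rules produce
# ("P@ssw0rd" -> "password"), so the denylist catches them too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Trailing digits and symbols ("admin1234", "qwerty!") are the other cheap variant.
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")


def variants(pw):
    """Return the candidate forms of `pw` to look up in the denylist."""
    low = pw.lower()
    stripped = TRAILING_JUNK.sub("", low) or low   # keep all-digit passwords intact
    return {low, stripped, stripped.translate(LEET)}


def looks_like_phone_number(pw):
    """Heuristic (assumption): only digits and separators, 10 to 13 digits in total."""
    if not re.fullmatch(r"[\d+()\-. ]+", pw):
        return False
    digits = re.sub(r"\D", "", pw)
    return 10 <= len(digits) <= 13


def check_password(pw, denylist=COMMON_PASSWORDS, min_length=12):
    """Return (accepted, reason). Denylist and phone checks run before the
    length check so that a long but commonly tried password is still refused."""
    hits = variants(pw) & denylist
    if hits:
        return False, "matches a commonly tried password (%s)" % sorted(hits)[0]
    if looks_like_phone_number(pw):
        return False, "looks like a phone number"
    if len(pw) < min_length:
        return False, "shorter than %d characters" % min_length
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2021!", "Admin1234",
                      "555-123-4567", "Tr0ub4dor&3", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate))
```

Note that "P@ssw0rd2021!" satisfies every classic complexity rule (upper, lower, digit, symbol, 13 characters) and is still refused, because after stripping the suffix and undoing the substitutions it is just "password". That is the point of the study's finding applied defensively: a check has to look at the small set of base words and their cheap variants, not at character classes.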

But now the question that comes up is: out of those 8 billion passwords, how does the Cyberattacker know which ones to pick? It all comes down to experience, being lucky, and the laws of probability that something will work.

My Thoughts On This:

So now, you may be wondering, “OK, what is the bottom line here?” The bottom line is that you do not want anything to be hacked into, whether it is professional or personal. I am not going to repeat here what you should do; a simple Google search will reveal what you need to do. You can find all those checklists there.

But what I do recommend is that you make use of a good Password Manager, or get your organization to try some SSO-based technology like Biometrics, where passwords are no longer needed. That way, password security should no longer be an issue.
