Passwords have been widely adopted as the most effective way to protect valuable data from unauthorized access. They are simple and easy to use, but reliable enough to deter most hacking attempts.
However, as technology has advanced over the years, the traditional security system of implementing passwords seems to be slowly falling behind. Weak or easy-to-guess passwords can easily be cracked, and even strong ones don’t seem to be fully impervious to hacker attacks.
So, what can you do to prevent your passwords from getting cracked? On this page, we’ll tackle the increasingly important topic of password cracking in cyber security and share with you valuable password cracking prevention tips. Read on to learn how to make cracked passwords a thing of the past.
Cracked Passwords: How Do Hackers Get Them?
When it comes to password cracking, most attackers have the same mantra − the simpler, the better. They will always primarily look to use the easiest, most cost-effective, and stealthiest way to crack your password.
Worryingly enough, attackers can use one of the many available tools to gain access to your accounts. Although password cracking tools are primarily intended to help users recover lost passwords and test the security of their passwords, some people, unfortunately, decide to employ these tools for nefarious purposes. Here’s a brief overview of some of the most common types of password cracking software tools:
- Hashcat − Widely regarded as one of the fastest password cracker tools, Hashcat also supports a handful of password cracking methodologies. It doesn’t store any cracked passwords on its servers and is available entirely for free.
- THC Hydra − This tool supports over 50 protocols. Its mobile system supports all major software platforms, making it a great tool if you need software for an iOS or Android password crack.
- Medusa − Medusa is a very convenient password cracking software that supports a long list of protocols. It supports several computer operating systems, excluding Windows.
- John the Ripper − John the Ripper is a multi-platform, open-source, and completely free password cracking tool. It supports hundreds of hash and cipher types and is one of the most flexible password cracking tools.
- CrackStation − Unlike the above-mentioned software, CrackStation is a web-based cracker and doesn’t have a standalone program. It supports many protocols, but only non-salted hashes without any attached random strings can be used.
Password Cracking Types
In this regard, you can say that the attackers have the edge, as there are simply too many password hacking types. Because of this, most people aren’t aware of just how many directions the threat can come from.
The majority of password crack attacks can come in three distinct forms. These are password guessing attacks, social engineering attacks, and hash-based attacks. Let’s discuss each of these attacks in more detail.
1. Password Guessing Attacks
While most of us tend to imagine that cyber-attacks come from super-sophisticated hackers using expensive equipment, the reality is often not that exciting. In fact, most password cases of cracked passwords stem from attackers simply guessing the password until they get it right. There are several types of password guessing attacks:
- Random Password Guessing − The most basic form of password guessing, this is also the least effective method, unless the victim is using a very common password or the attacker knows a lot about the victim.
- Dictionary Attacks − A more advanced form of password guessing attack, in which attackers use an automated dictionary of words. The complexity of dictionary attacks depends on whether attackers include numbers and characters and whether they target specific word combinations.
- Brute Force Attacks − Brute force password guessing attacks involve a systematic approach to every possible letter, number, and word combination. The main advantage of this attack is that the hacker is bound to hit the correct password at some point. However, the flip side is that it might take them a lot of time to generate all possible permutations.
2. Social Engineering Attacks
Social engineering is a broad term referring to various malicious activities that are carried out by exploiting human interactions through psychological manipulation. Through social engineering attacks, hackers aim to trick their unsuspecting victims into giving them valuable sensitive information.
Social engineering attacks are often carefully thought-out, as attackers typically investigate their victims to gain information to help them carry out the attack. Here are the most common forms of social engineering attacks:
- Phishing − Arguably the best-known and most popular technique, phishing involves tricking the target into clicking a link or opening an attachment that includes malware. There are many forms of phishing attacks tailored to specific situations, including spear phishing, whaling, smishing, and vishing.
- Password Reset Attacks − Another prevalent form of social engineering attacks includes initiating forced password changes by someone other than the end user. Attackers manipulate a password reset link that points to a domain they control.
- Shoulder Surfing − This is a very crude and antiquated form of cracking passwords, but one that, unfortunately, still works on some victims. The basis of the attack is simple. The attacker physically observes the victim inputting a password and then uses the obtained identification data to carry out the attack.
3. Hash-Based Attacks
Lastly, hash-based attacks can be particularly dangerous. This is because hackers can attack the user/password database even offline. The two most common types of hash-based attacks are:
- Rainbow Table Attack − Hackers first gain access to leaked hashes and use the rainbow table to decrypt the password hashes. As long as the hashes don’t have an additional unique encoding for each password, the hackers can then simply translate the encrypted passwords into plaintext.
- Pass-the-Hash Attack − Abbreviated as PtH, Pass-the-Hash attacks exploit weaknesses in the authentication protocol. These types of attacks are often used for Windows password cracks, although they can also occur on other platforms.
How to Prevent Password Cracking?
Password cracking is undoubtedly a worrisome practice and something all of us can fall victim to. That said, this isn’t to say that you can’t do anything to minimize the chances of your passwords getting cracked. Here’s how to prevent password cracking with a few simple methods:
Tip #1. Create Strong Passwords
The first step in preventing your password from getting cracked is to set a strong password in the first place. As your password is the first line of defense, it should be as robust as possible.
There are many aspects to remember when trying to create the strongest possible password. For instance, it should be of sufficient length and combine both lowercase and uppercase letters, as well as numbers. Moreover, the hints should be unique and hard to guess.
If you’re wondering, “how hard is my password to crack?” and want to ensure that it’s sufficiently strong to deter any attack, we recommend reading our dedicated page on NIST password guidelines.
Tip #2. Use a Reliable Password Manager
In addition to having strong passwords, you should also use a reliable password manager. For starters, a password manager serves a very practical purpose, as it frees you from having to memorize your passwords.
More importantly in the context of this page, it also brings added security benefits. You can generate strong random passwords, utilize an autofill feature, and securely share passwords whenever you need to do so.
Tip #3. Use 2FA and Passwordless Sign-in When Possible
Two-factor authentication (2FA) has been gaining increasing traction in the past few years. And, for a good reason. 2FA provides an added layer of protection and keeps your accounts safe even if your password gets compromised. If an attacker gets ahold of your login credentials, they will still be shut out without obtaining approval at the second factor.
Considering this, it’s recommended to enable two-factor authentication wherever possible. It doesn’t take much time and effort to do so, but it can save you from a lot of headaches in case an attacker targets you.
In addition, if you want to reduce your attack surface even further, contemplate going fully passwordless. While this step does require a more careful approach, going fully passwordless eliminates risks associated with password-based security.
The Ultimate Tool for Password Cracking Prevention
Bearing all of the above in mind, to ensure uncompromising protection against password cracking, you would have to utilize several tools. In case you would like to simultaneously manage your passwords from legacy web services and use the benefits of modern passwordless autentication, you’d need at least two devices: a password manager and a FIDO token for passwordless sign-ins. But let's be honest, this isn’t very convenient.
From this perspective, the most effective way to prevent password cracking is to use a one-of-a-kind hardware key that combines functionality and security. Our Hideez Key 4 is a pocket-sized device that has all of the features of a top-quality password manager combined with FIDO2 "passwordless" standard support.
What’s more, this tiny device can also serve as a smart proximity lock for your Windows computer, enabling you to lock or unlock your device when you approach or leave it. Lastly, you can implement this as you main security tool both at home and in a business environment. Contact us to learn more or take advantage of our 30-day free trial offer!