Modern password crackers can use advanced techniques based on artificial intelligence or algorithms. (Pixabay)

As cyberattacks increase, each of us can potentially be confronted with them.
Of course, we all have our tricks for the passwords we use on our computers and laptops: hidden under a keyboard, written on a piece of paper, or built from the youngest child's birthday. But how do you make sure that your password is truly un-crack-able? Many studies find that a significant proportion of passwords do not protect their users adequately: passwords are too weak and reused too often.
For example, 51% of French people reportedly use the same password for professional and personal purposes, a figure that is matched in the United States. Starting from a password, cybercriminals can recover private information by logging into our online accounts (email, social networks, etc.), in particular our bank or e-commerce accounts, but they can also get into our computer and encrypt its contents for ransom.
The theft of a password can have financial consequences, but also psychological ones, through practices such as “doxxing” (publishing information about a person's identity or private life with the aim of harming them) or revenge porn. In a professional context, password leaks expose the company to blackmail, to “denial of service” attacks (cyberattacks that interrupt or disrupt a service provided by a third party), or even to economic espionage.
How does a fraudster recover passwords?
The two main approaches used by cybercriminals to recover passwords are social engineering and stealing credentials databases.
Social engineering consists of the cybercriminal convincing the victim to reveal their password, typically through phishing. The vast majority of these attacks do not target a predefined victim: they are mass campaigns intended to phish whoever takes the bait, and only afterwards does the cybercriminal concentrate on the person who was phished.
As for the theft of credential databases, the attack generally involves hacking a website to steal its users' names and passwords, in order to log into the victim's account, to try them on other accounts (for example, the fraudster will test the victim's Google credentials on Twitter), or to resell them on the dark web. The website “Have I been pwned?” allows everyone to check whether their password has leaked on the Internet; it currently lists nearly 12 billion accounts whose credentials have been leaked.
In the majority of cases, these credential databases do not contain the passwords themselves but password hashes: a hash is the result of a so-called “one-way” function applied to the password. By analogy, the hash is to the password what a fingerprint is to a person: two different passwords have different hashes, and given a hash alone, we cannot identify the password, just as a fingerprint alone does not tell us who the person is. But given a fingerprint and a person, you can tell whether the fingerprint belongs to that person. In the case of passwords, we therefore cannot recover the password from its hash, but we can test a candidate password to see whether it corresponds to the hash: when that test succeeds, the password is said to be “cracked”.
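The one-way property described above can be shown in code. The following added example (not from the original article) stores a password as a salted PBKDF2-HMAC-SHA256 hash, which is in Python's standard library, and then tests a candidate against the stored record: the record never yields the password, but a candidate can be checked against it. The record format `pbkdf2$iterations$salt$hash` and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the one-way function (chosen for this example; real systems
# tune it so that one hash takes a noticeable fraction of a second).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2$iterations$salt_hex$hash_hex'.

    A fresh random salt per password means that two users with the same
    password get different records, so one cracked hash does not reveal the
    other.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Test whether a candidate password corresponds to a stored record.

    This is the only direction the one-way function allows: we recompute the
    hash of the candidate with the stored salt and compare, we never turn the
    record back into a password.
    """
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown record scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the response time does not leak how many
    # bytes of the hash matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery")  # constructed sample password
    print(record)
    print(verify_password("correct horse battery", record))  # True
    print(verify_password("Correct horse battery", record))  # False
```

A leaked database of such records is exactly what a cracker works on: each guess costs one call to `hashlib.pbkdf2_hmac`, which is why the work factor matters, and why a candidate is only ever confirmed by recomputation, never read off the record.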
Password crackers use different strategies to test the most likely passwords first: the shortest ones, then dictionary words and their variants (e.g. “meal”, then “Meal”, “MEAL”, the reversed “laem”, “meal1”, and so on), and then strongly structured passwords (for example a capital letter, followed by lowercase letters, then digits and finally special characters).
Modern crackers can also use advanced techniques based on artificial intelligence or other algorithmic approaches.
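The guess ordering just described (short passwords, dictionary words and their variants, then the Capital-lowercase-digits-symbols pattern) is also what a defensive password checker should look for, since a password that falls early in that ordering is cracked early. The following added example (not code from the article) implements such a checker; its miniature word list, minimum length and variant rules are constructed for the example.

```python
import re
from typing import List, Optional, Set

# Constructed miniature dictionary; a real checker would load a large word
# list plus a list of previously leaked passwords.
DICTIONARY = {"meal", "password", "summer", "dragon", "welcome"}

# Minimum length chosen for the example.
MIN_LENGTH = 12

# The "Capital, lowercase letters, digits, special characters" structure.
STRUCTURED = re.compile(r"^[A-Z][a-z]+\d+[^\w\s]*$")


def _word_variants(word: str) -> Set[str]:
    """The mangling variants that are tried right after the word itself:
    case changes and reversal (e.g. meal, Meal, MEAL, laem)."""
    base = word.lower()
    return {base, base.capitalize(), base.upper(), base[::-1]}


def matches_dictionary(password: str) -> Optional[str]:
    """Return the dictionary word the password derives from, or None.

    Trailing digits and special characters are stripped first, so that
    'meal1' or 'Meal!23' are still recognised as variants of 'meal'.
    """
    core = re.sub(r"[\d\W_]+$", "", password)
    for word in DICTIONARY:
        if core in _word_variants(word):
            return word
    return None


def check_password(password: str) -> List[str]:
    """Return the reasons a password would fall early in a cracker's guess
    ordering; an empty list means none of these cheap strategies apply."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    word = matches_dictionary(password)
    if word is not None:
        reasons.append(f"variant of dictionary word '{word}'")
    if STRUCTURED.match(password):
        reasons.append("follows the Capital-lowercase-digits-symbols pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2023!", "laem1", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "no cheap strategy applies")
```

The checker deliberately mirrors the cracker's cheapest strategies rather than counting character classes: “Summer2023!” contains all four classes yet trips every rule, while a long passphrase of unrelated words trips none.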
Finally, if the other strategies have failed, all possible passwords are tested: this is called an exhaustive search, and it usually has little hope of succeeding in a reasonable time. In particular, attacks that consist of trying different passwords for a given user directly on a website until a login succeeds are impractical: they are very slow because of the web server's response time, and they are easily detectable.
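The last point, that online guessing is easy to detect, is what an authentication service's logging is for. The following added example (not from the article) runs a simple detector over a few constructed authentication log lines: it counts failed logins per source address and per account within a sliding time window and raises an alert when a threshold is crossed. The log format, the threshold of 5 failures in 60 seconds, and the addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed log lines in an assumed format: timestamp, outcome, user, source.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z auth failed user=alice src=203.0.113.5",
    "2024-03-01T10:00:04Z auth failed user=alice src=203.0.113.5",
    "2024-03-01T10:00:09Z auth ok user=bob src=198.51.100.7",
    "2024-03-01T10:00:12Z auth failed user=alice src=203.0.113.5",
    "2024-03-01T10:00:18Z auth failed user=alice src=203.0.113.5",
    "2024-03-01T10:00:25Z auth failed user=alice src=203.0.113.5",
    "2024-03-01T10:00:31Z auth ok user=alice src=203.0.113.5",
    "2024-03-01T10:05:00Z auth failed user=carol src=198.51.100.7",
]

LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

Key = Tuple[str, str]  # ("src", address) or ("user", account)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one log line into (timestamp, result, user, src); None if malformed."""
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect_guessing(
    lines: Iterable[str], max_failures: int = 5, window_seconds: int = 60
) -> List[Tuple[Key, str]]:
    """Return (key, timestamp) alerts, one per key, when a source address or an
    account accumulates max_failures failed logins within window_seconds."""
    recent: Dict[Key, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Tuple[Key, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result != "failed":
            continue
        for key in (("src", src), ("user", user)):
            window = recent[key]
            window.append(ts)
            # Drop failures that fell out of the sliding window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= max_failures and key not in alerted:
                alerted.add(key)
                alerts.append((key, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for key, when in detect_guessing(SAMPLE_LOG):
        print(f"{when}: {key[0]} {key[1]} exceeded the failed-login threshold")
```

Tracking both the source and the account is deliberate: a guesser that spreads attempts across many addresses still concentrates failures on one account, and one that spreads across many accounts still concentrates them on one address.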