Understanding How Passwords are Stolen: Phishing, Spoofing and Beyond
It’s no secret that passwords can be stolen.
In order to maximize the security of your passwords, however, you should understand how password attacks actually occur.
Before we begin, we should note that stealing or “cracking” passwords is not the only way that attackers can gain unauthorized access to sensitive data.
They can also intercept weakly encrypted data over the network, for example, or find ways to bypass passwords entirely in order to access protected data.
However, stolen passwords are one of the most common vehicles that attackers use to hijack email accounts, steal identities and more.
Following are the most common strategies that attackers use to steal passwords, along with an explanation of what you can do to help prevent each type of attack.
Sometimes, flaws exist within the code that is used to exchange or encrypt passwords.
Attackers can exploit these vulnerabilities to break passwords.
One example is the cracking of WEP keys – technically encryption keys rather than passwords – which were once commonly used to secure wireless networks and whose weaknesses lie in the protocol itself.
To minimize your risk of having passwords stolen through this type of vector, you should ensure that your software is up-to-date.
Keeping your software current ensures that you have the latest patches that address known security vulnerabilities.
You should also avoid using protocols with known security flaws – and don’t assume that just because a protocol is available to you, it is secure.
For more than a decade, it has been possible to break most WEP keys in a matter of seconds, yet some router manufacturers still provide WEP as an encryption option. Instead of WEP, you should use WPA, which is generally secure.
Unfortunately, attackers sometimes discover and exploit vulnerabilities before they become publicly known and fixed.
For that reason, you can never be certain that a software vulnerability won’t expose your passwords to attack.
Brute force refers to the practice of trying every possible combination of characters until one matches the password.
The best way to mitigate brute force attacks is to make sure your passwords are long (eight characters is often suggested as a minimum, but a best practice is to make the password as long as you’re allowed to) and do not consist of commonly used words or phrases.
The longer your password, the greater the number of possible combinations that an attacker will have to try in order to brute force your password.
And by avoiding commonly used words and phrases, you ensure that your password can’t be brute-forced by running through a list of common passwords.
Attackers often use these lists first during brute-force attacks.
A sufficiently long and random password is effectively immune to brute-force attacks.
However, as computing power grows ever greater, so does the ability of attackers to unleash brute-force attacks.
What counts as a long-enough password today may not be secure in the future, because the computers of tomorrow will be able to test possible passwords faster than today’s.
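The reasoning above can be made concrete with a small estimator. The following is an added example, not code from the original article: it models an attacker who runs a list of common passwords first and only then falls back to exhaustive search, and it estimates worst-case time from the size of the character alphabet, the length of the password and a guess rate. The common-password list and the guess rate of ten billion guesses per second are constructed assumptions; real rates depend on the hashing scheme protecting the password and on the attacker's hardware, and the names `estimate`, `guesses_needed` and so on are this example's own.

```python
import string

# Constructed stand-in for the "common password" lists attackers try first.
# A real list (assumption: loaded from a file) would hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "admin123"]

# Constructed guess rate (guesses per second) used for the estimate. Real rates
# depend on the hash algorithm protecting the password and the attacker's hardware.
GUESSES_PER_SECOND = 1e10

CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26 characters
    string.ascii_uppercase,   # 26 characters
    string.digits,            # 10 characters
    string.punctuation,       # 32 characters
)


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search: the union of every
    character class the password actually draws from."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))


def search_space(password: str) -> int:
    """Number of candidate strings of this length over that alphabet."""
    return alphabet_size(password) ** len(password)


def guesses_needed(password: str) -> int:
    """Worst-case number of guesses for an attacker who tries the common list
    first and only then exhausts the full search space."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return len(COMMON_PASSWORDS) + search_space(password)


def estimate(password: str) -> dict:
    """Summarise how the password fares against the two-stage attacker."""
    return {
        "in_common_list": password in COMMON_PASSWORDS,
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "worst_case_seconds": guesses_needed(password) / GUESSES_PER_SECOND,
    }


def describe(seconds: float) -> str:
    """Human-readable duration for the table printed below."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Same length, different alphabets; then longer passwords of the same alphabet.
    for pw in ["password", "abcdefgh", "Abcdefg1", "correcthorsebattery", "Tr0ub4dor&3Xy9!"]:
        e = estimate(pw)
        print(f"{pw!r:24} alphabet={e['alphabet']:3} common={e['in_common_list']!s:5} "
              f"worst case {describe(e['worst_case_seconds'])}")
```

Running it shows the two points the text makes: a password on the common list falls within a handful of guesses regardless of its length, and for everything else the worst-case time grows exponentially with length, so adding characters matters far more than swapping a letter for a digit. Doubling the guess rate, which is what faster hardware amounts to, only halves these figures, which is why the estimate should be read as a snapshot rather than a guarantee.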
The third common attack vector for stealing passwords is convincing users to give them up unwittingly.
For example, an attacker could “spoof” a website by creating what appears to be a valid login page for a site that a user commonly visits, then direct the target to that page.
If the user enters his or her login information into the spoofed page, the attacker has the credentials.
Spoofing attacks can be easier to execute than you may think.
Anyone who controls a network’s configuration settings can easily redirect visitors to a spoofed version of any site they wish by modifying DNS configurations.
It’s also sometimes possible to “poison” DNS caches within networks in order to execute spoofing attacks, even without controlling the network settings directly.
The best way to avoid spoofing attacks is to connect only to networks that you trust. Spoofing attacks are one reason why you should not connect to random networks in airports, for example.
Anyone can set up an access point with a network name like “Free Wifi,” then use spoofing attacks to steal passwords.
You can also help to mitigate DNS poisoning and other vulnerabilities by keeping your routers and other network software up-to-date, and running network intrusion-detection software.
Finally, you should take seriously warnings in your web browser about invalid certificates when you visit professionally maintained websites, whose certificates should always be properly configured.
It’s common to see certificate problems on many poorly maintained websites, simply because administrators fail to create proper certificates rather than because of actual spoofing.
For this reason, users have unfortunately become accustomed to ignoring warnings about certificate problems, which are often a sign of spoofing attacks.
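To make clear what a browser is actually objecting to when it warns about a certificate, here is an added example (not code from the original article) that reproduces two of its checks in Python: does the certificate name the host the user asked for, and is the current time inside its validity window. A site that has been spoofed through DNS can be made to answer on the real site's name, but it cannot present a certificate issued for that name, so the hostname check is exactly what exposes it. The certificate is constructed inline in the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns, and `ssl.cert_time_to_seconds` is the standard-library parser for its date strings; the function names are this example's own. A real client additionally verifies the signature chain up to a trusted root and checks revocation, which this example deliberately leaves out.

```python
import ssl
import time
from typing import List, Optional

# Constructed certificate in the dict layout returned by
# ssl.SSLSocket.getpeercert(). Nothing here comes from a real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def as_epoch(cert_time: str) -> float:
    """Parse a certificate date string ("Jan  1 00:00:00 2024 GMT") to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName DNS entry against a hostname. A wildcard is
    honoured only as the entire leftmost label and stands in for exactly one
    label: *.example.com covers login.example.com but neither example.com nor
    a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName covers the hostname. Modern browsers
    ignore the subject commonName for this purpose, so this check does too."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(name, hostname) for name in san)


def validity_problem(cert: dict, now: Optional[float] = None) -> Optional[str]:
    """'not yet valid', 'expired', or None if the validity window covers `now`."""
    now = time.time() if now is None else now
    if now < as_epoch(cert["notBefore"]):
        return "not yet valid"
    if now > as_epoch(cert["notAfter"]):
        return "expired"
    return None


def check_certificate(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the warnings these two checks would raise; an empty list means
    the name and the dates are fine. Chain-of-trust and revocation checks,
    which a real client also performs, are out of scope here."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"hostname mismatch: certificate is not valid for {hostname}")
    date_issue = validity_problem(cert, now)
    if date_issue:
        problems.append(f"certificate {date_issue}")
    return problems


if __name__ == "__main__":
    for host in ["www.example.com", "login.example.com", "example.com", "a.b.example.com"]:
        print(f"{host:20} -> {check_certificate(SAMPLE_CERT, host) or 'OK'}")
    # Same certificate viewed after it has expired.
    print("after expiry        ->", check_certificate(SAMPLE_CERT, "www.example.com",
                                                     now=as_epoch("Jan  1 00:00:00 2031 GMT")))
```

The point for the user is the asymmetry the text describes: a mismatch or an expiry can come from sloppy administration, but an attacker who redirects traffic to a look-alike host will produce exactly the same warning, and nothing in the warning itself tells the two cases apart. On a site whose operators keep their certificate in order, the warning therefore deserves to be treated as a sign of interference rather than noise.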
The fourth type of attack, phishing, is the cousin of spoofing.
Sometimes, phishing and spoofing are used together.
In a phishing attack, an attacker uses social engineering to convince a user to click a link or download software that then steals passwords – or wreaks havoc in other ways.
Phishing is the technique that attackers used to break into email associated with Hillary Clinton’s presidential campaign in 2016, for example.
Unfortunately, there are no failsafe technical tools that you can use to prevent phishing. The best defense is to educate yourself and your users so that they think very hard before clicking a link or accepting a download, even if it appears to be from a legitimate source.