Internet Passwords: Stolen, Not Cracked

Internet Passwords: Stolen, Not Cracked

My Facebook account got hacked. No, seriously, just hours after we published the article about the best password protection practices, my Facebook password got cracked and somebody rummaged about in my private correspondence for half an hour till I finally checked my profile and caught those guys off-guard.

And do you know what was really really really bad? I followed all the best practices for my passwords! My Facebook password was reasonably long (14 characters), it contained mixed-case letters, it contained numbers, and I didn't make any sense at all... and for Christ's sake, it still got cracked!

It raises a logical question: how did they pull it off? Really, how do hackers crack your passwords these days?

The answer is off-putting for people far from the tech: they don't crack them anymore. They steal them.

The Basic Crack Protection

If you are not a high-profile government official or celebrity, there's hardly any hacker out there trying to get you personally. More likely, your password will be in the course of one mass crack operation and used for sending tons of spam.

When carrying out such massive cracks, hackers don't have really much time and resources to spend on cracking your profile: brutal force or dictionary attacks won't do in that case. Most of the time, they'll have only two or three tries before the system will ask them to enter captcha or start implementing some other anti-robot test.

More often than not, the hackers will be using one of the relatively simple but efficient techniques:

1. Trying popular passwords

You'll be amazed how many people use the dumbest passwords you can think of. According to a recent password leak from RockYou, a company creating software for social networking services like Facebook, the three most popular passwords among the RockYou users are '123456', '12345', and '123456789' respectively. The top 639 passwords accounted for 10% of the users, so trying one of them (or even one of the three most popular) will give a fairly high chance of successful cracking. So please, take your time and try to think of a better password than your name, 'iloveyou', or 'password'.

2. Hacking the service database.

Unfortunately, there are few or no idiot-proof exams at big IT companies, so sometimes they just do unbelievably dumb things, like storing user password in plain text, without any encryption. According to persistent rumors, it was exactly the case with Steam last November, when its user base was hacked and thousands of passwords were stolen without giving the hackers too much trouble. Unfortunately, the dullness of our service providers is the only thing we cannot take control of ourselves... Just hope your webmaster is more intelligent.

However, sometimes hackers do not confine themselves to these unsophisticated tricks and employ more complex techniques to get hold of your password.

You’ve Been Cracked!

Caulking Your Computer

Fortunately, there are ways to ensure your password won't get heisted, although these security measures have their downside we'll talk about in greater detail a bit later.

So, what should you do to protect yourself in the best way possible?

1. No cookies!

Web cookies are small pieces of data that your web browser exchanges with websites. More specifically, they are small files stored on your computer containing, among other things, your authentication information. Let's now try to guess what would happen if some malevolent hackers intercepted your cookies and these turned out to be protected not well enough...

Just as with the way your passwords are stored in your service provider's database, you have little or no control over cookie security protection. Each time you use cookies to log in to a website, you're buying a pig in a poke: 'Okay, I think, these guys know what they do and won't let anyone abuse my privacy'. Uh-huh.

Still, even if you can't control the cookie protection itself, you can manage which websites can send you cookies and which cannot. On the one hand, you can do it by arduous, burdensome, laborious drilling down in your browser settings... or by simply using some cookie managing software like Cookie Manager.

2. Get a Nice Anti-Virus

If it's not cookies, it's a keyboard spy. That's essentially a trojan-like program that infects your computer and then saves information about all the keys you press and sends it to criminals. You don't have to be a nerdy computer genius to figure out that the first several characters that directly follow an email address or user name during an authentication procedure are actually your password. Actually, that's how my hackers were able to crack my passwords.

If you don't want to leave hackers a single chance, you should get a really good anti-virus software. Which anti-virus counts as good is a separate discipline of the Web Special Olympics and an inexhaustible source of tech forum holywars. Just lurk on the Web, check out recent anti-virus benchmark tests, and decide for yourself. As soon as you have installed your oh-so-wonderful anti-virus, the first thing you should do is perform a complete check on your computer and delete everything that is even distantly similar to spyware programs. To make sure that your machine is clean and safe, you should repeat the complete check every two or three weeks and pray you have picked the right software. And yeah, make sure your Software AutoUpdate is switched on.

3. No Browser Cache!

That's the easiest part of it all: every time your browser asks you if it can save your password you should respond with a firm 'No'. The reason for this is easy as pie: if your passwords are stored in any form on your computer, they are, therefore, prone to hacking.

Secure but Not Usable

And Now for the Bad Part

You've installed a super antivirus, your AutoUpdate works flawlessly, you don't store your passwords in your browser cache, don't use '12345'-ish passwords and made sure your provider is no idiot. You are even sticking to the best password-choosing practices, just in case somebody would try to crack your confidential information with brutal force. Your computer is almost totally secure.

And almost totally unusable. Tediously entering each of your many 15-character passwords every time you want to log in to one of the many websites you visit on a daily basis... Suffering productivity loss caused by your anti-virus, checking each and every piece of data on your machine again and again... Are you sure you're ready to pay this price?

The truth is that if somebody wants to hack you real bad, they'll do it no matter what precautions you have taken. As I've already mentioned, it's not very likely somebody's interested in you specifically unless you're one of those VIPs. Moreover, there's always a chance that the bad guys have devised something completely new that both the antivirus companies and you are unaware of. So what's the use to implement all of these security procedures if they bring you nothing?

In fact, it depends on what you do on your computer. If you regularly make purchases on the Web, it does really make sense to stay wary and regularly check for keyboard spies in your system; otherwise you can find out one day that somebody has bought a whole shipment of Macs from your card somewhere in Bangladesh. If you regularly discuss things going on in your company with your Facebook friends then first you'd better change your behavior in that respect and second you'd better make sure nobody's ever gonna hack your profile. However, if you primarily surf the Web, listen to music and read troll-face comic strips on social networks then you can easily accept all cookies you want and don't give much thought as to what anti-virus you're using. At the end of the day, even if you get hacked, the intruders won't get much. Just like mine haven't. Jerks.

Picture Credit: http://www.maxisciences.com; http://www.usageorge.com; http://www.csus.edu/