If I can get your user name and password, I can easily break into and use your computer and network resources just as if I were you. Bruce Schneier wrote an article recently that discussed this issue. Many of the largest exploits are started with stolen credentials, the user name and password that we all use to access our computer, network, and online accounts and services. That’s how the Target breach started, and how the Chinese got into the Office of Personnel Management. The great thing about using stolen credentials is that I can do whatever I need to do in the guise of an authorized user, without raising any alarms.
So how does this happen? Here are a few ways:
- Ask – Often I can get a password simply by asking for it. Evidently, this works even better if I have just given the target a chocolate. Seriously! The request might come in person, over the phone, or by email.
- Keylogger – This is a software or hardware tool that records what you type and sends the log to the attacker. Later on I can run the file through search software that automatically finds and extracts probable user credentials.
- Phishing/Web Form – Here I send out a convincing email with a link to a fake web page. The page carries a login form, or some other form, where I can capture the user credentials and perhaps other information.
- Data Exfiltration – If I have access to a server or domain controller, I can copy out the database that contains the user names and the hashes of the associated passwords. I can crack those hashes at my leisure, using special password-cracking computers and software, and return later to the network I stole them from and log in as an authorized user.
- Dark Web – Or I can buy lists of stolen user credentials on the Dark Web that have already been cracked and the passwords displayed in clear text.
We have discussed password policy before, but basically: keep your passwords to yourself, use longer passwords to deter cracking, keep your passwords unique on each site or resource, change your passwords periodically, use a password manager, and use two-factor authentication when you can. These practices are not fool-proof, but they do improve your odds of maintaining the confidentiality of your user credentials.
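Two of the points above, the copied-out password database and the advice to use longer, unique passwords, come down to how passwords are stored and checked on the server side. The following is an added example, not code from the original post: it shows a password policy check against a constructed list of breached passwords (the names `KNOWN_BREACHED`, `MIN_LENGTH`, `check_policy`, `hash_password` and `verify_password` are all assumptions for this example) and a salted, iterated PBKDF2 storage format that makes a stolen hash database far more expensive to crack than plain unsalted hashes would be. The iteration count is an assumed cost factor; tune it to the hardware that will run it.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample of passwords that would appear in public breach dumps.
# In practice this check is done against a large real corpus or a breach API.
KNOWN_BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 14               # assumed policy value for this example
PBKDF2_ITERATIONS = 600_000   # assumed cost factor; raise it as hardware gets faster
SALT_BYTES = 16


def check_policy(password: str) -> List[str]:
    """Return the list of reasons a password fails policy (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in KNOWN_BREACHED:
        problems.append("appears in known breach list")
    return problems


def guess_space_bits(length: int, charset_size: int) -> float:
    """Bits of search space an attacker must cover for a random password of this
    length, which is why longer passwords deter offline cracking."""
    import math
    return length * math.log2(charset_size)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$derived_key.

    A per-user random salt means two users with the same password get different
    records, so an attacker cannot crack them all with one precomputed table.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_policy(pw) or "accepted")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Password1", record))
    print("8 lowercase chars:", round(guess_space_bits(8, 26), 1), "bits")
    print("28 lowercase chars:", round(guess_space_bits(28, 26), 1), "bits")
```

The stored record carries its own salt and iteration count, so the cost factor can be raised later without invalidating old records: verify the user's password with the old parameters at login, then re-hash and store it with the new ones.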