How Did They Get My Password?

password1If I can get your user name and password, I can easily break into and use your computer and network resources just as if I were you.  Bruce Schneier wrote an article recently that discussed this issue.  Many of the largest exploits are started with stolen credentials, the user name and password that we all use to access our computer, network, and online accounts and services.  That’s how the Target breach started, and how the Chinese got into the Office of Personnel Management.  The great thing about using stolen credentials is that I can do whatever I need to do in the guise of an authorized user, without raising any alarms.

So how does this happen?  Here are a few ways:

  • Ask – Often I can get a password by asking for it.  Evidently, this works better if I have just given the target a chocolate.  Seriously!  Might be in person, or over the phone, or by email.
  • Keylogger – This is a software or hardware tool that simply records what you type and emails it to the attacker.  Later on I can run the file through some search software that will automatically find and extract probable user credentials.
  • Phishing/Web Form – Here I will send out a convincing email with a link to a fake web page.  The web page will have a log on form or another form where I can capture the user credentials and perhaps other information.
  • Data Exfiltration – If I have access to a server or domain controller, I can copy out the database that contains the user names and the encrypted hashes of the associated passwords.  I can solve for the password hashes at my leisure, using special password cracking computers and software, and return later to the network I stole them from and log in as an authorized user.
  • Dark Web – Or I can buy lists of stolen user credentials on the Dark Web that have already been cracked and the passwords displayed in clear text.

We have discussed password policy before, but basically, keep your passwords to yourself, user longer passwords to deter cracking, keep your passwords unique on each site or resource, change you passwords periodically, use a password manager, and use two-factor authentication when you can.  These practices are not fool-proof, but do improve your odds of maintaining the confidentiality of your user credentials.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.