In this article we explain how to protect yourself against a hacker who might be looking for your password.
The purpose of the article is to raise awareness of six techniques, so that you can put countermeasures in place to secure your passwords. The techniques presented are not necessarily new, but the methods of prevention are not always mastered, hence the need for this article.

Of course, you will get no help here if you want to recover the password of a person who has not explicitly given you permission (we are talking about ethical hacking, not hacking).

This article will serve as a guideline so that you do not get hacked online and can keep your information safe.

How does the hacker look for your password?

1. The brute-force attack

It is said that any password can be broken by brute force, which is true.
But, and this “but” is important, the time it takes to get there can be long, very long.

When I say “very long”, I mean that it can take hundreds of thousands of years.

This time is determined both by the complexity of the password and by the power of the machine trying to find it.

A brute-force attack “stupidly” tries every combination of numbers, letters and special characters until it finds the desired password. It can also work from a list of keywords (dictionary attack) or from password patterns.

Examples of bad passwords:

  • abcdefghijklmnopqrstuvwxyz : The password is certainly long, but not very complex.
  • *e3Q : The password is complex but very short.
  • JeanDupond67 : The password has a correct length and is normally complex, but using your name, department or other information that is easily found by pattern or in a dictionary is not recommended (at all).

Example of a good password:

  • J34N-DuP0Nd-six7 : The password has a correct length and complexity. It is also fairly easy to remember if it is an acronym or a code that means something to you.
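To make the “complexity and machine power” point concrete, here is an added example (it is not part of the original article) that estimates the brute-force keyspace of the four passwords above and flags the shortcuts an attacker would take before exhaustive search: sequential runs and dictionary words. The guess rate of 10 billion per second and the toy wordlist are assumptions chosen for the illustration, not measurements.

```python
import math
import string

# Assumed attacker speed for the estimate (illustration value, not a measurement):
# 10 billion guesses per second, roughly a GPU rig against a fast hash.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed toy wordlist standing in for the dictionaries real attacks use.
TOY_WORDLIST = {"jean", "dupond", "password", "azerty", "qwerty", "123456"}

CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover, given the classes used."""
    size = 0
    for chars, count in CHARACTER_CLASSES:
        if any(c in chars for c in password):
            size += count
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the number of strings of this length over this alphabet."""
    size = charset_size(password)
    if size == 0 or not password:
        return 0.0
    return len(password) * math.log2(size)


def exhaustive_search_years(password: str, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string in the keyspace, in years."""
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def is_sequential_run(password: str) -> bool:
    """True when every character is the successor of the previous one (abcd..., 1234...)."""
    if len(password) < 4:
        return False
    return all(ord(b) - ord(a) == 1 for a, b in zip(password, password[1:]))


def contains_wordlist_entry(password: str, wordlist=TOY_WORDLIST) -> bool:
    """True when a dictionary word appears inside the password (case-insensitive)."""
    lowered = password.lower()
    return any(word in lowered for word in wordlist)


def assess(password: str) -> dict:
    """Combine the raw keyspace estimate with the shortcuts a real attacker tries first."""
    weaknesses = []
    if len(password) < 12:
        weaknesses.append("short")
    if charset_size(password) < 62:
        weaknesses.append("few character classes")
    if is_sequential_run(password):
        weaknesses.append("sequential run")
    if contains_wordlist_entry(password):
        weaknesses.append("dictionary word")
    return {
        "bits": round(keyspace_bits(password), 1),
        "years_exhaustive": exhaustive_search_years(password),
        "weaknesses": weaknesses,
        "acceptable": not weaknesses,
    }


if __name__ == "__main__":
    for pw in ["abcdefghijklmnopqrstuvwxyz", "*e3Q", "JeanDupond67", "J34N-DuP0Nd-six7"]:
        print(pw, assess(pw))
```

The alphabet-only estimate makes the 26-letter sequence look enormous, which is exactly why the pattern and dictionary checks exist: cracking tools try sequences, wordlists and simple substitution rules long before falling back to exhaustive search, so the raw keyspace is an upper bound, not a guarantee.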

2. Social Engineering

How do you find a given person’s password?

Answer -> Ask the person concerned nicely!

This answer is based on the principle of social engineering. It consists of manipulating a person so that they trust the hacker and hand over sensitive information themselves, believing they are doing the right thing. I repeat that this is the biggest problem in computer security, and that contrary to what the picture above says, there is a behavioral patch: awareness and mistrust.

Social engineering covers different areas: not only passwords can be recovered by this process, but also bank card numbers, private data about a particular person, etc.

Countermeasure : This is an extremely important point and you must really pay attention to what you are being asked. If you absolutely must give your password to someone, prefer to do it face to face, then change it afterwards.

Do not blindly trust people you do not know, and also pay attention to people you do know: they may have been hacked.

For the record, I used to talk to a colleague on “Windows Live Messenger” at the time (the ancestor of Skype). One day, she suddenly asked me for help: she absolutely wanted me to call a premium-rate number to urgently get a code for a game. Given the situation, I got my phone ready, but instead of calling the number in question, I sent her an SMS to ask whether it was really she who was asking me this, because such behavior seemed a little odd. You guessed it: her account had been hacked, and there was no way for the antivirus to know; it was between me and the hacker.

3. Malware (Trojans, keyloggers, etc.)

Rather radical: when a hacker sends a malicious program such as a keylogger, he receives everything his victim types on the keyboard, whether the site uses https or not, and whether the password is hidden by stars or not. There is a great deal of malware, each more sophisticated than the last. It also takes various forms: mobile applications, browser extensions, etc.

Countermeasure : Do not log in from a computer that does not belong to you, let alone connect to your bank from it. You can use virtual keyboards, anti-keyloggers or other specialized tools. But do not forget to install an antivirus and keep it up to date. Stay wary, and do not download just anything onto your computer or smartphone.

4. Phishing

Phishing is one of the most common methods for getting someone’s password.
In a phishing attack, the hacker typically sends an email (but it may also be a website or a smartphone app) pretending to be someone else. This is a specific social engineering technique, which deserves to be mentioned separately because it is so popular.

When the targeted person logs in to the fake site, or more generally gives their information to the wrong party, the hacker collects everything and walks away with it. And then it is too late for you!

These phishing pages are also regularly hosted on free hosting sites, which gives you a clue.

Countermeasures : Phishing attacks are very easy to avoid. The URL of the fake site is necessarily different from that of the original site. For example, faccbook.com is not facebook.com, so check the URL of a site before submitting information. Also check the veracity of the message in question and never act too fast.
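The “check the URL” advice can be turned into a mechanical check. The following added example, which is not from the original article, extracts the hostname the way a browser would (so a `user@` prefix or a long path cannot disguise the real host) and classifies it against an allowlist of legitimate hosts; the allowlist, the sample URLs and the `.example` domains are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hosts a user actually intends to log in to.
LEGITIMATE_HOSTS = {"facebook.com", "www.facebook.com"}


def hostname_of(url: str) -> str:
    """The host a browser would connect to: lowercased, without any user:password@
    prefix, port, path, query or fragment."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, start=1):
        current = [i]
        for j, char_b in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,                        # deletion
                current[j - 1] + 1,                     # insertion
                previous[j - 1] + (char_a != char_b),   # substitution
            ))
        previous = current
    return previous[-1]


def classify_url(url: str, legitimate=LEGITIMATE_HOSTS) -> str:
    """Classify a URL before submitting credentials to it.

    legitimate     : the host is exactly on the allowlist
    lookalike      : the host is one or two edits away from a legitimate host (faccbook.com)
    embedded-brand : a legitimate host appears as labels inside a different domain
                     (facebook.com.evil.example)
    unknown        : none of the above; there is no basis to trust it with a password
    """
    host = hostname_of(url)
    if host in legitimate:
        return "legitimate"
    if any(edit_distance(host, good) <= 2 for good in legitimate):
        return "lookalike"
    if any(host.startswith(good + ".") or ("." + good + ".") in host for good in legitimate):
        return "embedded-brand"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, including the article's faccbook.com example.
    for sample in [
        "https://www.facebook.com/login",
        "https://faccbook.com/login",
        "https://facebook.com.evil.example/login",
        "http://facebook.com@evil.example/",
    ]:
        print(f"{classify_url(sample):15} {sample}")
```

The allowlist is consulted before the distance check, so a legitimate host is never reported as a lookalike of another legitimate host; anything that ends up as “unknown” is exactly the case the article warns about, a site you have no reason to trust with a password.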

5. Rainbow tables

Warning, technical part ahead. A rainbow table is a large list of precomputed hashes for all possible combinations of characters. The hash of a password is obtained through a mathematical algorithm such as md5, which transforms the password into something unrecognizable.

Here is an example: the md5 hash of the word “hi”:

3ed7dceaf266cafef032b9d5db224717

A hash is a one-way function: given the hash, there is no algorithm that reverses it to recover the password. The hash is also supposed to be unique, i.e. the hash of “hello” will not be the same as that of “sAlut”.

The most popular method of storing passwords on websites is to hash them.

“But then how do you check that the password is correct when you log in, if you can not recover the password from your hash?”

Indeed, there is no decryption algorithm; the site simply recomputes the hash and compares it with the one stored in the database. In fact, rainbow tables are similar to brute-force attacks; they simply apply to hashes rather than to plaintext passwords.

The rainbow table technique is therefore, in a way, brute force applied to hashes.

Countermeasure : Same as for brute force: make sure your passwords are complex. Normally it is mostly up to the site administrator to make sure the hash computation is effective. For that there are different hashing algorithms and different methods for making hashes unique (salting).
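To illustrate both the login check described above (recompute and compare, nothing is reversed) and the salting countermeasure, here is an added example that is not part of the original article. It contrasts the unsalted md5 storage the article describes with a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from Python’s standard library) and runs the same precomputed table against both. The usernames, the password they share, the attacker’s word table and the iteration count are constructed values chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"alice": "hi", "bob": "hi"}

# Assumed PBKDF2 work factor for the demonstration; a real deployment tunes this
# to its own hardware budget.
ITERATIONS = 200_000


def unsalted_md5(password: str) -> str:
    """The storage the article describes: one md5 per password. Every user who picked
    the same password gets the same record, so one precomputed table covers them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash stored as 'salt_hex$digest_hex'. A random salt per
    user makes identical passwords produce different records, so no single table works."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """The login check from the article: recompute with the stored salt and compare.
    Nothing is reversed; the comparison is constant-time to avoid a timing side channel."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def table_lookup(table: Dict[str, str], stored: Dict[str, str]) -> Dict[str, str]:
    """Reverse stored records by lookup in a precomputed table (a toy stand-in for a
    rainbow table). Returns user -> recovered password for every hit."""
    return {user: table[record] for user, record in stored.items() if record in table}


def demo() -> dict:
    """Run the same attacker table against unsalted md5 and against salted PBKDF2."""
    # Constructed attacker table: md5 of a handful of common words.
    table = {unsalted_md5(word): word for word in ["hi", "hello", "password", "123456"]}
    unsalted = {user: unsalted_md5(pw) for user, pw in USERS.items()}
    salted = {user: hash_password(pw) for user, pw in USERS.items()}
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_recovered": table_lookup(table, unsalted),
        "salted_identical": salted["alice"] == salted["bob"],
        "salted_recovered": table_lookup(table, salted),
        "login_ok": verify_password("hi", salted["alice"]),
        "login_wrong": verify_password("Hi", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things are worth noticing when running it: the two unsalted records are identical and both fall to a four-entry table, while the salted records differ from each other and match nothing, yet the site can still answer the login question from the stored salt alone. The slow, iterated hash is the second half of the countermeasure: it makes building any table for a given salt expensive rather than merely inconvenient.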

6. Guessing the password

To show how a hacker can find a password by guessing it, I will explain this sixth technique with a simple example:
when you enter your password incorrectly several times on certain systems (such as Windows), you are shown the hint you chose to set when creating the password.

This hint is meant to let only the account owner remember their password. But a hint such as “my last name” amounts to handing your password directly to everyone.

The problem is the same with the answers to the secret questions that some sites ask you to set up. Please do not tell the truth when the question is “What is your place of birth?” And anyway, whose idea was it to offer this as a secret question?

Countermeasure : Do not use your last name, first name, date of birth, phone number, age, etc. in your passwords. Create passwords that only YOU know and that are at least hard to guess. Do not leave hints about your password anywhere else. And finally, do not give information that is too easy to guess as the answer to a “secret question”.

EDIT: Two other ways, pointed out by a visitor in the comments:

7) If someone leaves their computer unattended, there is an obvious way to get all kinds of private information from it. This shows that leaving your computer unlocked can cause very big problems. All accounts you are logged into are also accessible. Imagine it is as if you left the front door of your house wide open!

Countermeasure : Lock your session if you leave your computer in a public place.

8) When a password is too complex, a large proportion of people write it on a piece of paper that they stick inside the first drawer of their desk. I think there is no need to explain how risky this idea is if ill-intentioned people frequent the same room as you.

PS: I do not provide support to help you find a password that does not belong to you, for whatever reason; there is no point asking. This article is for educational purposes.