Wednesday, 12 February 2014

Ways In Which Your Passwords Can Be Stolen

There are numerous ways in which someone could hack into one of your online accounts, but the most obvious one is by getting hold of your password.  In a previous article I explain how and why a website shouldn't know your password, so if they don't store it and you don't tell anyone, how can someone get hold of it?

In this article I explain just some of the fun and interesting ways in which your passwords can be stolen.  The purpose of this is twofold: Firstly to allow you to take measures to reduce these risks.  And secondly to make you realise just how real the threat of one of your passwords being stolen is, and that you can't mitigate against all of the risks, thus encouraging you to have passwords.  Plural.  Not one password for everything, like your gran has.

Let's go...

Phishing Emails

You've probably heard of these, and you've probably seen them.  These are where someone sends you an email attempting to trick you into entering your login credentials into a site.  These emails usually take the form of "Please confirm your account details for security" and some kind of dodgy-looking link which takes you to a site which is masquerading as a site which you trust.  If you're naive enough to follow the link and enter your credentials then that's it.  One password, stolen.

How to avoid it:

Domains Squatting Attacks

This is another form of phishing - tricking you into willingly entering your credentials into a bogus site.  But this version doesn't require sending you an email.  Instead, the attacker buys a domain name which is a common typo of a site which you use.  Supposing I'm an attacker and I buy, and you're checking Facebook at 3am, again, and in your fumbling sleep-typing you enter instead of  You now arrive at my site, which I have made to look exactly the same as the login page on  In fact, I just made an exact copy of their page, and then added one subtle difference: my version contains a little script which takes what you enter into the login form and sends me a copy, before submitting the login form as usual.

And that is the beautiful part (from my evil hacker perspective), because you never notice that you visited my bogus page.  The form on my site actually submits to the real form on, and so when you submit my login form you actually get logged into Facebook.  Stealing your password is one thing, but stealing it without you noticing is even better!

Side note: There are actually ways in which websites and web browsers try to prevent a site from submitting a form to another site, but it is theoretically possible.  And even if I can't get that to work, I can always just redirect you to the real site, you might be logged in anyway, in which case it will look as if my form logged you in, or if not then you'll be presented with the real login form and will think that there must just have been a glitch in the Matrix.  (There was!)

How to avoid it:

The 'Real' Site Has Been Hacked

Let's suppose that I'm back as my evil hacker alter-ego, and I've been surfing the web finding some sites to hack into.  I've managed to hack into one site in a way which lets me alter their login page (the details of how one goes about doing such a hack would take another whole article, no, another entire blog, but...), let's suppose that I can modify the login page.  Like with my previous example, I've just added a little script which takes a copy of the username and password which are entered into the form and sends me a quick copy before allowing the form to submit as usual.

It could take the owners of the site ages to discover my hack.  Maybe hours, maybe months.  But until they notice I can get a copy of the login details of everyone who logs in, which I can use whenever I like at a later date.  And again, the users have no idea that it's happening.

The important message here is that just because the website itself is not malicious, that doesn't mean that the page isn't doing malicious things.

How to avoid it:
  • You can't, but using a different password for each site will confine the damage to just the one site.

Malicious Websites Taking Advantage of Your Reused Password

Let's suppose that you reuse the same password for several sites, and one of these sites isn't quite as bona fide as you thought.  A well-built and well-intentioned website will never actually store your password, but a malicious website could take your login details and then try them out on other sites.  This is especially dangerous if your username is your email address and you've reused the same password for your email account.  If the password for your email account is used for any other online account then read this and change it.  Now.

How to avoid it:

  • Use a different password for every account (more about this in my next article).

Your Password Is Stolen Directly From The Site

As I've said too many times now, a well-built login system will never store your password in plain text, but because you can't see how a website's login system is built, you can't be sure that it's following this practice.  So if a site is storing your password in plain text and its database gets cracked open, your password is going for walkies.  And even if the passwords are hashed in the database, there are things called rainbow tables, which may give hackers a chance of de-scrambling your password.

How to avoid it:

  • Use a different password for every account.
  • Use complex passwords (trust me, it helps to avoid getting rainbow tabled).
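As an added illustration (not code from the original article) of why the rainbow-table risk above depends on how the site stores the hash: a per-user random salt plus a slow key-derivation function means the same password never produces the same stored value twice, so a precomputed table of plain hashes finds nothing.  Python standard library only; the "table" is a simplified dictionary standing in for a real rainbow table.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple, Dict, Iterable

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> bytes:
    """The weak scheme: one fixed mapping password -> digest, which is exactly
    what a precomputed (rainbow) table can be built against."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_table(candidates: Iterable[str]) -> Dict[bytes, str]:
    """Toy stand-in for a rainbow table: precomputed unsalted digests for a
    constructed word list.  A real table is a time-memory trade-off, not a dict."""
    return {unsalted_hash(p): p for p in candidates}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The better scheme: return (salt, digest).  A fresh 16-byte random salt is
    drawn unless one is supplied (supplied only when verifying a stored record)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def table_hit(table: Dict[bytes, str], digest: bytes) -> Optional[str]:
    """Return the recovered password if the digest was precomputed, else None."""
    return table.get(digest)


def salted_digests_differ(password: str) -> bool:
    """Two enrolments of the same password yield different salts and digests,
    which is why no table built ahead of time can match them."""
    s1, d1 = hash_password(password)
    s2, d2 = hash_password(password)
    return s1 != s2 and d1 != d2
```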

It Gets Remembered On A Public Computer

This is a bit of an edge case, but I thought I'd mention it.  If you're using a public or shared computer, then there are 3 ways I can think of in which your password can be stolen:

  1. You tell the browser to remember it.
  2. You accidentally type your password into the username field, and hence the browser automatically remembers it.
  3. The computer is infected with malware which steals it.

How to avoid it:
  • For 1 and 2, just be careful.
  • The only way to avoid the malware is to avoid public or shared computers.


This covers a whole variety of evil software which could be lurking in various places on your computer, which could take the form of viruses, trojan horses, browser plugins, or mobile apps.  Basically, anything which lives on your device snooping on you.

A lot of these will be some form of key logger, a piece of software which monitors everything you type.  All of your keystrokes are then sent to a remote location to be scanned for repeating patterns, such as [email address][tab key][a short string of text][return], which are likely to be username/password combinations.  Yet another reason to not use the same password for multiple sites, especially not your email account.

How to avoid it:
  • Keep your software up to date, including your operating system and your web browser.
  • Use a modern web browser such as Firefox or Chrome.  (Internet Explorer may be less riddled with security holes than it used to be, but I still don't trust it.)
  • Keep anti-virus software up to date.
  • Don't install anything which you don't entirely trust.
  • When you use a friend's computer, ask yourself "Do I trust this person, and more importantly, do I trust their IT skills enough to be sure that this computer is completely free of malware?".


So given that any website which you type your password into could deliberately steal that password, or accidentally leak that password, the thing you have to ask yourself any time you re-use the same password is: "Am I totally happy for the owners of this website, and anyone in the world who hacks into it, to have complete access to all of my other accounts which are using the same password?".  The answer should be no.  So you should never re-use the same password.

My next article will cover a few approaches to generating a different password for every site, without having to remember them all.

You should also realise by now that you can never be entirely sure that your password hasn't been stolen, even if the website is bona fide and you haven't used the password for anything else.  So my article after the next one will cover 2-factor authentication.

Until then, have fun, and watch out for the rainbow tables.
