The art of stealing passwords

The world is going passwordless: no more memorized secrets, but "possession factors" instead, such as OTPs or software authenticators (Authy, Google Authenticator). Password-based authentication is said to be coming to an end, and adopting such changes benefits the security culture. But will passwords really disappear?

No, because that depends entirely on service providers and on user choices. If a website only offers password-based authentication, there is no option but to remember a password. Password-based authentication is easy to implement and easy to understand: once registered, a user can access the service from anywhere with nothing more than a username and password. That convenience shifts the responsibility for password security onto the user, who decides whether to change a password from time to time or to pick a stronger one. This behaviour opens the door to a wide variety of attacks such as brute force and credential stuffing. In this article we look at the psychological and external factors that make such attacks possible.

Passwords should not be easy to guess, yet most people choose whatever is easy to remember. The "hardest" password a normal person comes up with is something like username@123: a username or the name of something they love, combined with a birth date or another common number that anyone could think of. This makes the password easy to predict and crack, and the account easy to compromise. Worse, people use the same password on almost every site.

Online services, aware of such issues, made it mandatory for a password to contain at least one uppercase letter, one lowercase letter, one special character, and a digit. Did this solve the issue? No. End users simply got smarter at evading the strength checker, turning username@123 into Username@123. With all these issues in mind, let's see how I would steal passwords with minimal effort.

For the sake of this article, I will use an imaginary website called which is full of cat pictures and songs.

Who says no to cats and good songs? We all love both. To access these unlimited services, a user must first register, then log in with the registered email address and password. It's time to throw the dice of possibilities. From this point on, either of the following may already be true:

  • The user chose the same password for the site as for the email account they registered with.
  • The same credentials are in use on other platforms.

Let's assume our users are smart and use different, strong passwords across platforms, so the assumptions above are of no use (though in practice they often hold). How can we steal the rest of the passwords the user knows? Being an attacker means having the patience and skill to do certain tasks. So I let users use the site for a while, then disable the login function so that it always returns an error message such as "Invalid username/password". They will not be able to log in even when they try the correct credentials.

But why? How does this benefit an attacker? Before answering, let us look at the mistake we make in such situations. Most internet users remember their passwords instead of using a password manager. When such an error is thrown at them, they start cycling through every password they remember, and through every email address they own if they have more than one. In effect the user brute-forces their own login and sends every credential they can recall to the attacker's server. The Forgot Password option is only used once all email/password combinations are exhausted. Every one of these attempts is logged on the server side.

[Image: multiple server requests]

As an attacker, by the time the user clicks the forgot-password option, I have collected several email addresses and passwords belonging to the same person on the server side. From these I can build a precise wordlist for credential stuffing. Login attempts with this custom wordlist are far more likely to succeed than with a generic list: it has no junk entries, only values this user actually uses. And since I also received several email addresses, OSINT tools may reveal the other online services registered under them, where I can try the passwords already in my wordlist.
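The harvest described above, as an added example that is not part of the original article: a toy login backend that, once switched into harvesting mode, answers every attempt with the same generic error while recording the submitted pairs, followed by the two steps an attacker takes afterwards (deduplicate what one client sent, then expand it into email x password candidates for stuffing). The account, client id and attempt sequence are constructed for illustration.

```python
# Added example (not from the original article): a toy model of the
# "fake login error" harvest. Names, accounts and the attempt sequence
# are constructed for illustration.
from collections import OrderedDict
from itertools import product

ERROR = "Invalid username/password"


class HarvestingLoginServer:
    """Toy login backend. While `harvesting` is False it behaves like a
    normal site; once it is switched on, every login fails with the same
    generic error, whether or not the credentials are correct, and every
    submitted (email, password) pair is recorded."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)   # email -> password set at registration
        self.harvesting = False
        self.log = []                    # (client_id, email, password)

    def login(self, client_id, email, password):
        self.log.append((client_id, email, password))
        if self.harvesting or self.accounts.get(email) != password:
            return ERROR
        return "OK"


def harvested_values(log, client_id):
    """Distinct emails and passwords one client submitted, in the order they
    were tried. Order matters to the attacker: the first password is usually
    the one the user believes is correct, and often the one reused elsewhere."""
    emails = list(OrderedDict.fromkeys(e for c, e, _ in log if c == client_id))
    passwords = list(OrderedDict.fromkeys(p for c, _, p in log if c == client_id))
    return emails, passwords


def stuffing_candidates(emails, passwords):
    """Every email x password pair to try against other services."""
    return list(product(emails, passwords))


def run_scenario():
    """Constructed walk-through: one user registers, the site later flips
    into harvesting mode, and the user cycles through what they remember."""
    server = HarvestingLoginServer({"alice@example.com": "Cats4ever!"})
    before = server.login("client-1", "alice@example.com", "Cats4ever!")  # normal use

    server.harvesting = True
    attempts = [
        ("alice@example.com", "Cats4ever!"),      # the correct password, rejected anyway
        ("alice@example.com", "Alice@123"),
        ("alice@example.com", "Summer2021"),
        ("alice.w@example.net", "Cats4ever!"),    # user switches to another mailbox
        ("alice.w@example.net", "Alice@123"),
        ("alice@example.com", "Cats4ever!"),      # retyped "carefully" one more time
    ]
    replies = [server.login("client-1", e, p) for e, p in attempts]

    emails, passwords = harvested_values(server.log, "client-1")
    return {
        "before": before,
        "replies": replies,
        "emails": emails,
        "passwords": passwords,
        "candidates": stuffing_candidates(emails, passwords),
    }


if __name__ == "__main__":
    result = run_scenario()
    print("replies during harvest:", set(result["replies"]))
    print("emails:", result["emails"])
    print("passwords:", result["passwords"])
    print(len(result["candidates"]), "stuffing candidates, e.g.", result["candidates"][0])
```

Six attempts by one person yield two email addresses and three distinct passwords, which is six candidate pairs with no wasted guesses; a generic wordlist would need thousands of attempts, and lockouts, to reach the same coverage.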

How to avoid handing your passwords to a site like this:

  1. Use a password manager: software such as KeePass, with a very strong master password. A manager also removes the guesswork from a login failure, since it knows which password belongs to which site and there is nothing to cycle through.
  2. Use strong passwords that:
  • Are at least 12 characters long
  • Include a mix of numbers, symbols, capital letters, and lower-case letters
  • Avoid dictionary words or combinations of dictionary words
  3. Use passphrases instead of passwords: several random, unrelated words are both longer and easier to remember than a short string of symbols.
  4. Change a password as soon as you suspect it has been exposed, on every service where it was used; rotating on a fixed schedule does little on its own if the new password follows the same pattern as the old one.
  5. Never reuse a password across services, and never use your email account's password anywhere else.
  6. Do not rely on leet-speak to strengthen a phrase. "7H151SMy$7ronGP@55w0rd" looks stronger than "ThisIsMyStrongPassword", but cracking tools apply exactly those character substitutions as rules, so the gain is small compared with adding random words.
  7. When your correct password is rejected, stop and use the forgot-password function to set a new password instead of trying every other password you remember.
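An added example, not from the original article, for points 3 and 6 above: undoing the usual leet substitutions shows that "7H151SMy$7ronGP@55w0rd" is the same base phrase as "ThisIsMyStrongPassword" (which is what a rule-based cracker tries first), and a random passphrase drawn with the OS CSPRNG shows where real strength comes from. The substitution table, the tiny word list and the 7776-word figure used for comparison are assumptions of this example.

```python
# Added example (not from the original article). The substitution table and
# word list are constructed here for illustration.
import math
import secrets

# Common leet substitutions, inverted. Cracking tools apply these as rules
# on top of a dictionary, so a leet-transformed phrase is only as strong as
# the phrase plus a small rule set.
DELEET = {"7": "t", "1": "i", "5": "s", "$": "s", "@": "a",
          "0": "o", "3": "e", "4": "a"}


def deleet(candidate):
    """Undo leet substitutions and case: the base word a rule-based cracker
    would derive the candidate from."""
    return "".join(DELEET.get(ch, ch) for ch in candidate).lower()


def collapses_to(candidate, phrase):
    """True if `candidate` is just `phrase` with leet/case substitutions."""
    return deleet(candidate) == deleet(phrase)


def passphrase(words, count=6, sep="-"):
    """Random passphrase of `count` words chosen uniformly with secrets."""
    if count < 1 or len(words) < 2:
        raise ValueError("need count >= 1 and a list of at least 2 words")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of `count` words drawn uniformly from `list_size` words."""
    return count * math.log2(list_size)


# Constructed tiny word list; a real list (e.g. 7776 diceware words) is
# far larger, which is where the entropy comes from.
WORDS = ["cat", "song", "river", "lamp", "orbit", "maple", "quartz", "velvet"]

if __name__ == "__main__":
    leet = "7H151SMy$7ronGP@55w0rd"
    print(leet, "->", deleet(leet))
    print("same base phrase as ThisIsMyStrongPassword:",
          collapses_to(leet, "ThisIsMyStrongPassword"))
    print("6 words from an 8-word list:", passphrase(WORDS),
          "~%.0f bits" % entropy_bits(len(WORDS), 6))
    print("6 words from a 7776-word list: ~%.1f bits" % entropy_bits(7776, 6))
```

The entropy figure only holds when the words are chosen at random; a phrase you compose yourself (a song title, a line about your cat) is a dictionary phrase again and is cracked as one.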

