3 surprising ways your password could be hacked
Many people are familiar with the basic threats to their passwords: social engineering, password guessing and so on. But there are other surprising ways hackers could obtain your password information, some of which involve routine, seemingly harmless activities.
If your password is compromised, adversaries can use it for credential stuffing, where they feed it into other online websites to gain access to multiple accounts. As 72% of people reuse passwords in their personal life, it’s almost guaranteed that some compromised passwords will work when hackers use them on other websites.
Reducing the risk of password theft starts with learning how hackers can gain control of your passwords. Here are some new attack vectors you should be mindful of.
See Infosec IQ in action
1. Watching your shoulder movements during video conferencing
Adversaries can find out what a person is typing in video conferencing chats through tiny visual cues, researchers at the University of Texas have claimed. The statement comes after a team of researchers figured out what a user typed with 75 percent accuracy by noticing how their shoulders and upper arms moved during a Zoom video call.
Essentially, the research team analyzed the subtle pixel shifts around the user’s shoulder to identify the four main directions he was moving (North, South, East and West). This allowed them to know what direction the user is moving to enter their password. With that information, the researchers were able to develop software that cross-references these movements with dictionary-word profiles to identify the entered password.
This is a concerning development for most people, as we have come to rely on video conferencing platforms like Skype, Zoom, Google Meet and more during the lockdown period. Attending video meetings could mean leaving yourself vulnerable to keystroke interference attacks that may result in the theft of online banking passwords, email credentials and other sensitive data.
2. Hacking Windows passwords through your wallpaper
Wallpapers and themes might seem innocent, but they can serve as a gateway for hackers to steal your passwords. Last year in September, a security researcher named Bohops shared a password harvesting trick that leverages Windows theme files — although it relies on phishing for passwords rather than injecting malware into the files.
Bohops set a Windows wallpaper location to a file based in a remote location to abuse it for phishing. He revealed that pointing files to external locations like a password-protected HTTP page instead of a locally present image makes them vulnerable to phishing attacks. The reason being the password-protected site with the HTTP Basic Access Authentication would naturally ask the person to enter the password to that site before letting them access the wallpaper.
The trick is effective because if a user enters the web URL of a Windows theme or wallpaper hosted on a password-protected website, they’re prompted to enter their username and password in the same fashion as the HTTP page. Therefore, users are most likely to proceed, which means hackers could point theme files to a website they control and collect passwords without much effort.
3. Cracking Wi-Fi (WP2A) passwords with new tools
WPA2 is a password-protected protocol that offers a secured, encrypted connection over a WiFi network. The old way of cracking WPA2 required a hacker to disconnect an authorized device from the access point they wanted to crack. The technique was noisy and required adversaries to send packets that forcibly disconnect a connected user from the network. This type of unauthorized interference increased the risk of being detected.
Now, hackers don’t need to intercept two-way communications to try and crack passwords, as a new technique called Hashcat allows them to communicate directly with a vulnerable access point. The method involves using a Kali Linux-compatible wireless network adapter and a set of wireless attack tools called hcxtool.
The tools allow adversaries to interact with nearby Wi-Fi access points to capture PKMID and WPA hashes. Once captured, they can load the hashed list on the adapter to attempt a brute-force crack using a dictionary, mask and other password guessing techniques. Hence, Hashcat offers a safe route to hackers trying to steal passwords through Wi-Fi.
However, success depends on whether the target passwords are present in the derived password list and the strength of those passwords.
How to protect against new threats
Fortunately, there are ways to thwart password thieves and achieve cyber resilience against the new threats.
To prevent shoulder-surfing over Zoom, you could go close up to the camera so that the screen displays your head only or grow your hair very long. Additionally, you could make significant movements while typing to defend yourself from the attack. However, the first two measures are better if you’re having professional meetings via video conferencing.
For defending against Windows wallpaper hacks, the best course of action is to read password prompts carefully. The dialog box text can indicate that the password request is from a remote website rather than Microsoft’s official website. The login message, too, should be reviewed as it would surface from the authenticated site rather than the operating system. These are red flags that the prompt is from a rogue site and should be ignored to avoid a potential hack.
Finally, create a strong password to safeguard against WPA2 password hacks. Use a combination of numbers, uppercase and lowercase letters and special characters. You can also add a long passphrase (a long random string of letters, such as security.motherhood.toys.netflix.mylife) to your password to make it difficult to crack, which can deter hackers from attempting brute-force attacks.
See Infosec IQ in action
Conclusion
We live in an age where measures like not using your nickname or pet name as the password are not enough to prevent them from being hacked. With new, unusual hacking techniques surfing one after the other, you need to keep yourself up to date with the latest password protection practices to safeguard your personal information. Hopefully, the tips mentioned in this post will help you defend against some of the newer threats.
Sources
Why 72% of people still recycle passwords, TechRepublic
Serious Security: Hacking Windows passwords via your wallpaper, Naked Security
Hashcat developer discovers simpler way to crack WPA2 wireless passwords, Help Net Security
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- 3 surprising ways your password could be hacked
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Top 5 ways ransomware is delivered and deployed
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness