How Did Someone Get My Password? A Developer’s Perspective

As a full-stack developer and professional coder, I’ve seen countless examples of how poor password security can lead to devastating breaches. Despite years of warnings, weak and stolen credentials remain the top hacking tactic.

In this in-depth guide, we’ll explore the many methods attackers use to steal passwords, analyze which ones pose the greatest risk, and provide expert tips for fortifying your authentication. By understanding how your passwords can be compromised, you can take concrete steps to bolster your defenses.

Phishing Attacks Exploit Human Psychology

Phishing has exploded in popularity as a tactic for harvesting credentials. In their annual Data Breach Investigations Report, Verizon found that 22% of breaches in 2019 involved social attacks like phishing—and 96% of those phishing attacks were delivered by email.

The basic technique is deceptively simple. The attacker sends a fraudulent message disguised to look like it’s from a trusted source, like your bank, employer, or a popular web service. Psychological tricks are used to induce the victim to click a link to a spoofed login page or open a malware-laced attachment.

Common emotional triggers include:

  • Authority – "Update required to comply with new company security policy. Click here to verify your credentials."
  • Urgency – "Your account will be permanently deleted in 24 hours! Login now to stop the deletion process."
  • Scarcity – "Act fast! Only the first 100 people to register get 50% off."
  • Fear – "Someone tried to login to your account from a new device. Change your password immediately to secure your account!"
  • Greed – "Login to claim your share of $10 million inheritance from your long lost relative."

Once the victim enters their password on the fake login page, the phisher captures it and uses it on the real account. More advanced kits run as a reverse proxy in front of the legitimate site: the victim really is logged in, so nothing looks wrong, while the kit records the password, relays any MFA prompt, and captures the resulting session cookie. This is why one-time codes from SMS or authenticator apps do not stop such adversary-in-the-middle phishing, whereas FIDO2/WebAuthn credentials do, because they are bound to the real site’s origin and cannot be used from a lookalike domain.

[Image: Example of a phishing email impersonating Netflix. Source: Tessian]

Spear-phishing takes the deception a step further by using personalized details to target specific individuals, often company executives or employees with privileged access. These highly-tailored messages may reference the target by name, mention current projects, and appear to come from trusted colleagues.

Data Breaches Expose Billions of Credentials

Another major threat to password security comes from the endless barrage of data breaches that expose billions of login credentials. Some of the most devastating password-related breaches include:

[Image: Statistics on major password-related breaches. Source: CSO Online]

When a major breach occurs, the compromised credentials frequently get posted on hacker forums or dark web marketplaces for other criminals to exploit. Attackers can then mount credential stuffing attacks—taking those exposed username/password pairs and trying them en masse on other websites.

The 2021 Credential Stuffing Report by F5 Labs found a staggering 193 billion failed logins from credential stuffing in 2020, a 45% surge over the previous year. With billions of breached credentials circulating and password reuse rampant, credential stuffing has become a go-to hacking method.
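As an added illustration (not code from the original post), here is the check a registration or password-change form can run against the Have I Been Pwned "Pwned Passwords" range API, which lets a site reject passwords that already appear in breach dumps without ever sending the password, or even its full hash, to a third party. The live network call is isolated in its own function; the demo itself runs offline against a constructed stand-in whose breach counts are made up.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys its data by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: send only the first 5 hex characters of the SHA-1,
    receive every suffix in that bucket, and match the remaining 35 locally.
    The server never learns the full hash, let alone the password."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            # padded responses (Add-Padding: true) contain count-0 filler entries
            return int(count or 0)
    return 0


def hibp_fetch_range(prefix: str) -> str:
    """Live fetcher for the real endpoint (not called by the offline demo).
    The API requires a User-Agent header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline stand-in for the API (these counts are invented) ---------
CONSTRUCTED_BREACH_COUNTS = {"password": 3_861_493, "123456": 24_230_577, "letmein": 138_999}


def build_fake_ranges(counts: Dict[str, int]) -> Dict[str, List[str]]:
    """Group the sample hashes into 5-char prefix buckets, like the real service."""
    ranges: Dict[str, List[str]] = {}
    for pw, n in counts.items():
        h = sha1_hex_upper(pw)
        ranges.setdefault(h[:5], []).append(f"{h[5:]}:{n}")
    for lines in ranges.values():
        lines.append("F" * 35 + ":0")  # filler entry, as padding mode would add
    return ranges


FAKE_RANGES = build_fake_ranges(CONSTRUCTED_BREACH_COUNTS)


def fake_fetch_range(prefix: str) -> str:
    """Same response shape as the API: one SUFFIX:COUNT per line, CRLF separated."""
    return "\r\n".join(FAKE_RANGES.get(prefix, []))


def check_new_password(password: str,
                       fetch_range: Callable[[str], str] = fake_fetch_range) -> str:
    """Policy hook for registration / password change: reject any breached password."""
    n = pwned_count(password, fetch_range)
    return f"rejected: seen {n} times in breaches" if n else "accepted"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_new_password(pw))
```

To go live, pass `hibp_fetch_range` as `fetch_range`; the lookup logic is unchanged, and because only a 5-character prefix leaves your server, the check is safe to run on every password change.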

[Image: Password reuse statistics. Source: SecureAuth]

Password-Stealing Malware Strikes Fear

Keyloggers have long been a staple in the hacker’s toolbox for pilfering passwords. Once installed, they covertly record every keystroke on the infected device, capturing usernames and passwords as they are typed. More advanced keyloggers also log clipboard contents and snap screenshots when keystrokes are detected.

Info-stealers take a different approach, actively scanning the compromised system for sensitive data stored on disk: password manager databases, browser credential stores and cookies, cryptocurrency wallets, and similar. Collected data is periodically exfiltrated to a remote server under the attacker’s control.

Malware strains like Raccoon and Ramnit add real-time form grabbing. Instead of passively logging keystrokes, the malware hooks the browser’s networking functions and copies the contents of a submitted login form before TLS encrypts it. HTTPS protects data in transit, not data on a compromised endpoint, so it offers no protection against this.

[Image: Malware infection vectors. Source: Exabeam]

To maximize infections, password-stealing malware typically gets distributed through large-scale phishing campaigns, drive-by downloads on compromised websites, or trojanized apps disguised as legitimate software. Once the initial foothold is established, the malware often includes functionality to spread laterally across networks and connected devices.

Remote Access Trojans (RATs) pose even greater danger by providing the attacker with full remote control over infected hosts. In addition to deploying additional malware, the hacker can manually poke around the device for stored credentials, browser cookies, or password manager master keys to unlock the victim’s entire digital life.

Brute-Force Attacks Crack Common Passwords

Despite years of warnings, many people still use laughably weak passwords that provide little to no actual security. Studies have found the most common passwords include gems like "123456", "qwerty", "password", and "letmein".

Attackers exploit our tendency to choose memorable passwords with automated tools that churn through huge wordlists of common choices. The speed depends on where the guessing happens. Offline crackers like Hashcat and John the Ripper, run against a stolen database of fast, unsalted hashes (MD5, SHA-1, NTLM), can test billions of guesses per second on commodity GPUs and recover a large share of user passwords in hours. Online tools like Ncrack guess against a live login service instead and are limited to whatever rate that service allows, which is exactly why rate limiting matters.

[Image: Most common passwords. Source: UK National Cyber Security Centre]

Targeted attacks build custom wordlists from keywords relevant to the victim (names, birthdates, hobbies, and other personal details gleaned from social media or other sources) and then apply mangling rules: appending common suffixes and substituting characters (e.g. "password" -> "p@$$w0rd"). Such rules crack passwords that look complex but follow predictable patterns, because the rule set enumerates the patterns people actually use.
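To show what such rules do in practice, here is an added example (not code from the original post) of a small rule-based cracker: a base wordlist expanded through character substitutions, casing and common suffixes, run against a constructed dump of unsalted MD5 hashes. The usernames, hashes and substitution table are invented for the demonstration; real engines such as hashcat ship far larger rule sets.

```python
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, List

# Substitution table: each letter maps to the forms a user might type.
# Hashcat/John rule files contain thousands of such transforms; this is a toy subset.
LEET = {"a": ("a", "@", "4"), "e": ("e", "3"), "i": ("i", "1", "!"),
        "o": ("o", "0"), "s": ("s", "$", "5")}
SUFFIXES = ("", "1", "12", "123", "!", "2023", "2024")


def leet_variants(word: str) -> Iterator[str]:
    """Every combination of substitutions, e.g. password -> p@ssword, p@$$w0rd, ..."""
    choices = [LEET.get(ch.lower(), (ch,)) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(base_words: Iterable[str]) -> Iterator[str]:
    """Wordlist x substitutions x casing x suffixes, deduplicated."""
    seen = set()
    for word in base_words:
        for variant in leet_variants(word):
            for cased in (variant, variant.capitalize(), variant.upper()):
                for suffix in SUFFIXES:
                    cand = cased + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def crack_md5(targets: Dict[str, str], base_words: Iterable[str]) -> Dict[str, str]:
    """targets: username -> unsalted MD5 hex digest (the shape of many old dumps).
    With no salt, one hash computation tests a guess against every user at once.
    Returns username -> recovered password."""
    pending: Dict[str, List[str]] = {}
    for user, digest in targets.items():
        pending.setdefault(digest.lower(), []).append(user)
    recovered: Dict[str, str] = {}
    for cand in candidates(base_words):
        digest = hashlib.md5(cand.encode("utf-8")).hexdigest()
        for user in pending.pop(digest, []):
            recovered[user] = cand
        if not pending:
            break  # everything cracked; stop early
    return recovered


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed sample dump: three "complex-looking" but rule-derivable passwords, one passphrase.
SAMPLE_DUMP = {"alice": md5_hex("p@$$w0rd"), "bob": md5_hex("Letmein123"),
               "carol": md5_hex("Summer2023"), "dave": md5_hex("correct horse battery staple")}
BASE_WORDS = ("password", "letmein", "summer", "qwerty")


if __name__ == "__main__":
    found = crack_md5(SAMPLE_DUMP, BASE_WORDS)
    total = sum(1 for _ in candidates(BASE_WORDS))
    print(f"{len(found)}/{len(SAMPLE_DUMP)} recovered from {total} guesses:", found)
```

Two things make this cheap: without a salt, every candidate hash is compared against all users at once, and MD5 is fast enough that a GPU tests billions of candidates per second. dave's passphrase survives not because of symbols but because no rule derives it from a single dictionary word.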

To make matters worse, many web applications and IoT devices lack basic brute-force mitigations such as rate-limiting failed logins or blocking IP addresses after repeated failures. Attackers also sidestep per-account lockouts with "password spraying": trying one or two of the most common passwords against thousands of accounts, staying under each account's failure threshold while still finding the few weak spots.
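The two attack shapes above look different in authentication logs, and a few lines of aggregation separate them. The following is an added example, not code from the original post: it parses a constructed log format (adapt the regex to your own IdP or web server), then flags sources that fail against many distinct accounts (spraying) and accounts that absorb many failures (brute force) inside a sliding time window. The thresholds and window are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Set

# Assumed log line shape (constructed for this example):
#   2024-03-01T10:00:01 src=203.0.113.5 user=alice result=FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(lines: Iterable[str]) -> List[dict]:
    """Parse recognised lines into dicts sorted by timestamp; skip the rest."""
    events = []
    for seq, line in enumerate(lines):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["seq"] = seq  # unique per event, used to count failures
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _flag(events: List[dict], key: Callable[[dict], str], value: Callable[[dict], object],
          window: timedelta, threshold: int) -> Set[str]:
    """Keys whose failures within any sliding `window` cover >= `threshold`
    distinct `value`s. One deque of recent failures per key."""
    flagged: Set[str] = set()
    recent: Dict[str, deque] = defaultdict(deque)
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        k = key(ev)
        buf = recent[k]
        buf.append((ev["ts"], value(ev)))
        while buf and ev["ts"] - buf[0][0] > window:
            buf.popleft()
        if len({v for _, v in buf}) >= threshold:
            flagged.add(k)
    return flagged


def detect(lines: Iterable[str], window: timedelta = timedelta(minutes=10),
           spray_users: int = 5, brute_fails: int = 5) -> Dict[str, Set[str]]:
    events = parse_auth_log(lines)
    return {
        # spraying: one source, failures spread across many different accounts
        "spraying_sources": _flag(events, lambda e: e["src"], lambda e: e["user"],
                                  window, spray_users),
        # brute force: many failures against one account (seq makes each failure distinct)
        "bruteforced_users": _flag(events, lambda e: e["user"], lambda e: e["seq"],
                                   window, brute_fails),
    }


# Constructed sample: one sprayer, one brute-forcer, one legitimate user who typos once.
SAMPLE_LOG = (
    ["2024-03-01T10:00:01 src=198.51.100.7 user=alice result=FAIL",
     "2024-03-01T10:00:09 src=198.51.100.7 user=alice result=OK"]
    + [f"2024-03-01T10:01:{i:02d} src=203.0.113.5 user={u} result=FAIL"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2024-03-01T10:02:{i * 20:02d} src=192.0.2.9 user=bob result=FAIL" for i in range(3)]
    + [f"2024-03-01T10:03:{i * 20:02d} src=192.0.2.9 user=bob result=FAIL" for i in range(3)]
)


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Keying on the source IP misses sprayers that rotate addresses through proxies, so in production also count failures across all accounts per window (and per user agent or ASN), and treat one common password failing on many accounts as a single campaign rather than many isolated typos.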

Social Engineering Cons Users Into Compromise

Not all password-stealing attacks rely on fancy technical tricks. Humans are innately vulnerable to deception and manipulation, and skilled attackers can exploit these tendencies to con users into willingly divulging credentials.

One popular ploy is for the scammer to pose as an IT support technician and approach the victim with a seemingly legitimate request for their password to resolve an urgent issue. The pretext may be an account lockout, malware infection, or impending data loss if immediate action isn’t taken.

The sham IT admin often applies time pressure and invokes authority to short-circuit the victim’s normal suspicions. Similar tricks can be used over the phone to persuade users to visit a phishing site or allow remote access to their device where the scammer can "accidentally" view the password as it’s typed.

More subtle social engineering may involve strategic name-dropping of colleagues, citing insider knowledge about company projects, or using jargon to establish a veneer of technical credibility. For example, the scammer may spin a yarn about needing to test a new single-sign-on system and ask the user to login first to populate their profile.

Low-Tech Attacks Still Pose a Threat

With all the high-tech hacking happening, it’s easy to overlook more mundane but still effective methods of snagging passwords. Physical security remains crucial.

"Shoulder surfing" is the classic technique of simply watching over the victim’s shoulder as they type in their password. The snoop may lurk behind the target at a coffee shop, on the subway, or anywhere else they can catch a glimpse of the screen or keyboard from behind.

Finding a discarded sticky note with login details scrawled on it is another low-hanging fruit for computer criminals. According to Keeper Security, 57% of respondents admitted to writing down work-related passwords on sticky notes. While perhaps better than reuse, relying on insecure paper password records is still a recipe for compromise.

[Image: Password written on a sticky note. Source: XKCD]

A slightly higher-tech variant uses hidden cameras positioned behind the victim or even replacing legitimate security cameras to capture password entry. This can be particularly effective on ATMs, payment terminals, and building access control systems. The attacker can review the footage later to extract PINs and passwords.

Fortifying Your Password Defenses

Credential compromise remains a huge challenge, but adopting a layered defensive strategy can help mitigate the risk substantially. At a minimum, follow these password security best practices:

  • Enable multi-factor authentication (MFA) on every account that offers it. Microsoft reports that MFA blocks more than 99.9% of automated account-compromise attacks. It is not absolute: adversary-in-the-middle phishing kits can relay SMS and authenticator-app codes, which is why phishing-resistant methods such as FIDO2 security keys or passkeys are preferable where offered.

  • Use a trusted password manager to generate strong, unique passwords for each account. 1Password, LastPass, and Dashlane all work across different platforms.

  • Never reuse passwords across multiple accounts. Password managers make it easy to use a different random password on every site.

  • Make your passwords long. Length matters far more than character-class rules: for accounts, let the password manager generate a random password of at least 16 characters; for the few passwords you must memorise (the manager's master password, your OS login), use a passphrase of several unrelated words rather than a short word padded with symbols and digit substitutions, which cracking rules enumerate easily.

  • Set up alerts on Have I Been Pwned to get notified if your email address appears in a known breach. Change compromised passwords ASAP.

  • Scrutinize URLs before entering login details. Check the registrable domain (the part just before the top-level domain), not whether a familiar brand name appears somewhere in the address: a hostname like login.yourbank.com.something-else.net belongs to something-else.net. Watch for subtle typos, lookalike characters, and other signs of a spoof designed to steal credentials.

  • Keep your systems patched and run reputable antivirus software to help block common malware infection vectors.

  • Never share your passwords with anyone. Legitimate companies will never ask for your password over the phone or email.

For developers, properly securing authentication systems is critical. Follow OWASP’s Authentication Cheat Sheet for comprehensive guidance. A few key points:

  • Store only a salted hash computed with a slow, memory-hard password hashing function: Argon2id, scrypt, or bcrypt, or PBKDF2 with a high iteration count where those are unavailable. A unique random salt per user stops one guess from being checked against every account at once. Never store passwords in plain text, and never use fast general-purpose hashes such as MD5 or SHA-1, which attackers can test billions of times per second.

  • Implement secure password reset mechanisms with time-limited, single-use tokens. Avoid sending passwords over email or SMS.

  • Prevent brute-force and spraying attacks with progressive rate-limiting keyed on IP, account, and other signals such as device fingerprint. Because sprayers rotate source addresses, also alert on failed logins spread across many accounts in a short window. Deploy CAPTCHAs where appropriate.

  • Encourage or require users to set up MFA. For bonus points, make MFA mandatory for any privileged administrator accounts.

  • Use browser security headers like HSTS and CSP to enforce encryption and mitigate cross-site scripting (XSS) and related flaws.
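As an added, self-contained example (not the post's or OWASP's code) of the first two points above: password storage with a per-user random salt and scrypt from the Python standard library, written as a self-describing record so the cost parameters can be raised later, plus single-use, time-limited reset tokens of which only a hash is kept server-side. The cost parameters and the 15-minute lifetime are assumptions to tune for your deployment; Argon2id would be preferable where a maintained binding is available.

```python
import base64
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# scrypt cost parameters (assumption: tune so one hash takes ~100 ms on your servers;
# N must be a power of two and each hash uses N*r*128 bytes of RAM, 16 MiB here)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes = b"") -> str:
    """Per-user random salt + memory-hard KDF. The record carries its own parameters."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode("ascii"), base64.b64encode(key).decode("ascii")]
    return "$".join(fields)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(actual, expected)


class ResetTokens:
    """Time-limited, single-use password reset tokens. Only SHA-256(token) is stored,
    so a leaked table cannot be used to reset accounts; the raw token goes to the user once."""

    def __init__(self, ttl: timedelta = timedelta(minutes=15)):
        self.ttl = ttl
        self._by_user: Dict[str, Tuple[bytes, datetime]] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user: str, now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_user[user] = (self._digest(token), now + self.ttl)  # supersedes any older token
        return token  # deliver out of band; never log it

    def consume(self, user: str, token: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        record = self._by_user.get(user)
        if record is None:
            return False
        token_hash, expires_at = record
        if now > expires_at:
            del self._by_user[user]  # expired: discard
            return False
        if not hmac.compare_digest(self._digest(token), token_hash):
            return False  # wrong token: keep the record, let rate limiting act
        del self._by_user[user]  # correct: single use
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    tokens = ResetTokens()
    t = tokens.issue("alice")
    print(tokens.consume("alice", t), tokens.consume("alice", t))  # True False
```

Because the record embeds N, r and p, you can raise the cost for new hashes and transparently re-hash old ones on the next successful login; the token store deliberately keeps a wrong guess from invalidating the real token, so that brute-forcing the endpoint is left to rate limiting rather than turning into a denial of service against the user.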

Despite best efforts, determined attackers may still find ways to compromise credentials. That’s why it’s vital to have a robust incident response plan for investigating suspected intrusions, containing the damage, and notifying affected users. Proactively incorporating "assume breach" principles into your architecture can help limit the blast radius.

Looking forward, support for passwordless authentication with FIDO2/WebAuthn, whether through hardware security keys or platform authenticators (passkeys), is poised to grow. OAuth-based federated login is often listed alongside these, but it only moves the password to the identity provider rather than removing it. FIDO2 credentials are bound to the site's origin, so they cannot be replayed to a lookalike domain, and they remove the all-too-common human factor in choosing and managing passwords. For now though, passwords remain the dominant authentication method online, despite all their flaws.

As guardians of sensitive user data, developers have a special responsibility to promote secure authentication practices and to bake secure design principles into everything we build. Together, we can chip away at the password problem and give attackers fewer opportunities to exploit our very human mistakes. May all your hashes be salted!
