Hashjacking and stolen passwords present persistent problems for organizations in 2023.
Hashjacking is a sophisticated attack method that can grant hackers access to your accounts. Hashjacking targets the encoded version of your password, known as the hash. Attackers use social engineering, phishing, trojans, and other means to capture the encoded version of your password so that they can then decode it using a password cracking tool.
When you’re logging into a website and you type in your password, your password is almost never being directly sent to the owners of the website. This is because doing so would make it much easier for hackers to steal your password.
Computers can ensure you’re able to login without ever receiving your password by using complex mathematical formulas to encode it before sending it off. In addition to website owners, just about every company encrypts their employees’ passwords and any other passwords they manage. This adds an extra layer of protection to your passwords, but just like all other security layers, it is only as strong as its weakest link.
As an example of how this can go wrong, a weak password such as “Password” which was encoded using a common algorithm known as SHA-256 would become “e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a”. This is something few of us mere humans could memorize. However, computers can run programs that can compare the above password hash with a list of common password hashes. Since “Password” is one of the most used passwords in the world, any hacker with basic knowledge in password cracking would be able to crack that password very quickly.
Protecting your passwords is mandatory in an ever-increasing world of threats. Over the years, many different methods to extract hashes have been developed. While some of these methods have been addressed with security improvements, many others have not been. Current threats range from using file-protocol phishing links which send your password hash to the attackers when clicked, to hiding files that automatically send your hash to attackers in 1×1 pixel spaces within emails, to gaining initial access to a network and simply dumping or sniffing for password hashes, and many others.
Protecting passwords is ultimately everyone’s responsibility because an attacker gaining access to company networks at any level allows them to build access and can result in the complete destruction of a company.
There are many steps individuals and organizations can take to counter the threat of hashjacking. Ultimately, nothing can totally eliminate the threat, but by taking steps to prevent it, you can greatly reduce the risk that it will happen. This is also another reason why simply trying to stop initial attacks is never enough.
Modern security strategies address this fact by implementing security layers that prevent damage when an attacker has gained initial access and cut that access off. While common and weak passwords can be cracked in under a few minutes, a 14 character (or longer), randomly generated password or passphrase is orders of magnitude more secure. Having multi-factor authentication or password-less authentication also makes it so that hackers need to do more to compromise your accounts than just cracking your hash.
There are also numerous protocols, such as SMB V1, which make you more vulnerable to hashjacking and should be disabled. There are many other steps you can take to mitigate these attacks, and Scorpius can help you find and implement the solutions that make the most sense for you.
TL;DR: A hash is an encoded version of your password. Hashes exist to avoid sending and storing your password in plain text and they provide minimal value when the password you use is weak. They provide more value when you have a strong and unique password, but this alone is never enough. MFA, disabling insecure protocols, and many other additional steps should be taken to mitigate the risk of stolen passwords. Contact us to learn about how to mitigate the risks of stolen password and create a strategy that works for you.
To learn about how to mitigate the risks of hashjacking at your organization, contact us to schedule a free cybersecurity risk assessment!