It’s a well-known trick that you can reveal any “hidden” browser password with a simple Inspect Element trick — just right click on the password box containing the password, choose Inspect Element, then look up the <input type=”password”… field and remove the word “password” — and you will instantly see the “hidden” password. Or, just use the Chrome extension.
This is a very easy trick, but the real value is when you combine it with other methods.
- It is significantly harder to retrieve the password stored in an application — you would need a disassembler or debugger for that, and good assembly or bytecode experience. Therefore, if there is a web version of the same app, it is much more lucrative target.
- Some apps such as Lastpass allow you to share a password while keeping it “hidden” — if you have ever used it; your password has been exposed already as it is vulnerable to the attack described above. You could just hand them the password in plain text.
Of course, for this attack the culprit must have physical access to your device — but remember that if they do (for instance by stealing your device) then you can be sure they get have all your information.
And, this attack can be performed on mobile devices too. Of course you cannot right-tap them nor do those browsers offer any inspect element feature, but they are very easy to connect to a computer and execute the same kind of attack from a computer’s Chrome or Safari. In fact, this is a developer feature that allows replicating the device’s browser on the user’s computer.
Extra security — extra hacking
Google protects your Gmail with more than just the correct password, right? They ask security questions, the last city you logged in from, your recovery phone or your recovery email.
It turns out that these methods are not as safe as you think. I’ll share a super-simple trick with you; just look at the bottom of corporate emails. They tend to share their phones and addresses in their signature, all the time! And yes, I have tried that and gained real world results (a.k.a. access to the user’s mailbox). Don’t worry; it was a friend and I was doing IT tasks for him ;-)
What about two factor authentication?
Sounds good, but it’s not that good. Specifically if you’re relying on SMS, it has been a well-known hack called SS7 attacks where hackers trick the system to send the SMS to their phone instead of yours. Even secure systems such as Telegram are vulnerable to this, and require you to protect your account with a password.
But all of this starts if my device is stolen, right?
Not necessarily. As I explained in another piece, hacking is psychology. We are inherently lazy, even over our own protection. No one wants to sign in a tedious password every day, so even while the good apps force us to pick secure passwords, we still want to pick the easiest ones. Why? Since we just want to log in and get the job done, and complex passwords are hard to remember and type in.
So here are the next two points of exploitation;
Hacking weak passwords
It has been reported that “123456” constitutes 17% of all passwords in the world. Unfortunately, I had luck with this one too. I checked the forum of a website, and there you can easily tell which accounts are real, active users and which accounts belong to users who are just poking around and have hastily set up something to join with. The latter group uses bogus names, and most probably weak passwords. I put that theory in action, and it worked…
To put it simple, this is the essence of Dictionary Attacks; a list of well-known passwords people tend to use repeatedly. While hacking in to such accounts might not have any significant value even for the account owners, consider that once you are in, you will have access to private information too. It is the combination of methods that causes a threat.
How many passwords do you have?
I believe none of us are using the same password for our email as well our other accounts. But the key is; how different are your passwords? If you are using a variance of your base password everywhere, then the hacker can still penetrate your account with some simple guesswork. One dirty trick is to ask you to register on a website in exchange for a gift — and figure out how you pick your passwords from there.
Social Media authentication
This is a wonderful practice — you don’t need to remember your password for every new site, and the process is dead-simple — just a few clicks instead of typing everything in. BUT, beware of impersonators; always check the URL and make sure you are giving your password to google.com and not goolge.com!
Security is a process, and unfortunately we all must learn it. The best way to protect yourself is to stay up to date and know common vulnerabilities. Never trust password savers, use a wide variety of different, strong passwords and always stay alert. And remember; a long, plain text password is much harder to brute-force and easier to remember than a short cryptographic one — compare “this password is really safe” to “!@qw76XZ”
Do you have any other tactics to share? Let me know in the comments!
Clapping allows me to gain more exposure — if you enjoyed this piece, please clap so others can also benefit.