Many of us have heard of psychological or behavioral profiling, but for many readers this may be the first time hearing about password profiling. So who are password profilers, and what do they do?
Password profilers analyze and classify their target and the passwords that target is likely to choose. The more information a profiler can gather about the target (names of family and pets, birth dates, hobbies, favorite teams, the way the person writes), the easier it is to build a profile, and from that profile to generate a list of candidate passwords to try in a brute-force attack. Tools such as the Common User Password Profiler (CUPP) automate this step: they take a short questionnaire about the target and emit the wordlist. A brute-force attack is an attack on passwords and, more generally, on cryptographic keys. It does not decrypt anything; it simply tries candidates, whole wordlists, letter combinations and known passwords, one after another until one is accepted.
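The following is an added example written for this page, not code from the post and not the code of CUPP; it imitates the approach just described. It builds a wordlist from a constructed profile of a hypothetical target (case and leetspeak variants of each fact, combined with date fragments, common suffixes and pairs of words) and then runs the dictionary attack the post calls brute force against a SHA-256 hash of the target's password. Every name and date in PROFILE is invented.

```python
"""Profile-driven wordlist generation plus a dictionary attack on a password
hash. Added example for this page; not the post's code and not CUPP's code,
whose approach it imitates. PROFILE is a constructed, hypothetical target."""
import hashlib
import itertools

# Constructed profile of a hypothetical target (assumed data, not a real person).
PROFILE = {
    "first": "Maria",
    "last": "Lopez",
    "nick": "Mari",
    "pet": "Fluffy",
    "partner": "Carlos",
    "team": "Tigers",
    "birth_year": "1990",
    "birth_dm": "0312",   # day and month as typed on many forms
}

DATE_KEYS = ("birth_year", "birth_dm")
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123", "?"]


def sha256_hex(text):
    """Hex SHA-256 of a string; stands in for whatever hash the target stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def base_words(profile):
    """Case and leetspeak variants of every non-date fact in the profile."""
    words = set()
    for key, val in profile.items():
        if key in DATE_KEYS:
            continue
        words.update({val.lower(), val.capitalize(), val.upper(),
                      val.lower().translate(LEET)})
    return sorted(words)          # sorted so the candidate order is stable


def candidates(profile):
    """Yield candidate passwords in the order a profiler would try them:
    a word alone, word + date fragment, word + date + suffix, then word pairs."""
    words = base_words(profile)
    year = profile["birth_year"]
    dates = ["", year, year[2:], profile["birth_dm"]]
    seen = set()
    for word in words:
        for date in dates:
            for suffix in SUFFIXES:
                cand = f"{word}{date}{suffix}"
                if cand not in seen:
                    seen.add(cand)
                    yield cand
    for a, b in itertools.permutations(words, 2):
        cand = a + b
        if cand not in seen:
            seen.add(cand)
            yield cand


def crack(target_hash, profile):
    """Dictionary attack as the post describes brute force: nothing is
    decrypted, each candidate is hashed and compared. Returns the password
    that matched (or None) and the number of candidates tried."""
    tried = 0
    for cand in candidates(profile):
        tried += 1
        if sha256_hex(cand) == target_hash:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    stolen = sha256_hex("Fluffy1990!")      # a hash an attacker might have obtained
    print(crack(stolen, PROFILE))           # finds 'Fluffy1990!' after a few hundred tries
    print(crack(sha256_hex("correct horse battery staple"), PROFILE))  # (None, total tried)
```

The whole list here is under two thousand entries, so a password built from any two facts about the target falls in well under a second; a passphrase that has nothing to do with the profile is never reached at all, which is the point the rest of the post makes about choosing passwords.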
Although we hear about security breaches and other security-related news all the time, we fail to stay careful about our own security, mostly because people assume such an incident will never happen to them. One of the first steps towards keeping one's information protected is to maintain a strong password, yet people still use passwords like 1234, their date of birth or other information that is personally related to them. This makes their passwords weak and opens a passage for password profilers to get in. According to research by a hacker known as Tonu, of 734,000 users whose passwords were examined, more than 234,000 used passwords of only six characters, more than 17,000 of them used '123456', and nearly 4,600 chose 'password' as their password. And then people wonder why their passwords got cracked and their information got stolen.
Password profilers can use several methods to obtain passwords from their target: impersonation, in-person access, shoulder surfing and websites. Using impersonation, the attacker pretends to be the system manager or a technician of a large corporation, contacts the company's employees and claims there is a problem with their account. The profiler asks the employee to log in to fix the problem; after several attempts in which the employee cannot follow the instructions, the attacker acts frustrated and asks the employee for the password so that "they can fix it for them". In the in-person method, the profiler gets into office buildings under a false identity (service worker, consultant and so on). To look authentic, they may wear the company's uniform and tailgate through gated entrances. Once inside, they can pick up default usernames and passwords left in plain view: common passwords posted somewhere, or the password-reset procedure pinned to a notice board. This kind of attack is more effective against mid-sized businesses, since bigger companies normally have stricter physical-access rules that help prevent it, and because people there may neither notice nor expect it.
In big companies with numerous employees, people do not have time to pay attention to what the people around them are doing. Someone with bad intentions can simply focus on the target and look over their shoulder to get the information. Nobody covers their monitor while working, because nobody expects to be watched, and even someone who suspects they are being watched will usually avoid a confrontation and assume the onlooker is harmless. In the website technique, the password profiler gives the target some reason to enter a username and password combination, and there are several ways to do this. One is to lead the target to a familiar-looking web page (an email provider, a financial institution and so on) that asks for a username and password. The address bar shows a URL crafted to look like the genuine site, and when the target enters their credentials the password profiler gets access to the account.
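The URL trick relies on the victim seeing the expected name somewhere in the address bar and stopping there. The following added example (not part of the original post) shows why that is not enough: it compares a naive "the bank's name appears in the URL" check with a check that parses the URL and compares the actual host. bank.example.com is an assumed legitimate login host and every URL in SAMPLES is a constructed lookalike.

```python
"""Why 'the real name is in the address bar' is not proof of a genuine site.
Added example, not part of the original post; bank.example.com is an assumed
legitimate login host and the URLs below are constructed lookalikes."""
from urllib.parse import urlparse

EXPECTED_HOST = "bank.example.com"   # assumed: the only host that should ever see this login

# Constructed samples: one genuine URL and four address-bar tricks.
SAMPLES = [
    "https://bank.example.com/login",             # genuine
    "https://bank.example.com.evil.test/login",   # real name as a subdomain of the attacker's domain
    "https://evil.test/bank.example.com/login",   # real name only in the path
    "https://bank.example.com@evil.test/login",   # real name as 'userinfo'; the host is evil.test
    "http://bank.example.com/login",              # right host, but plaintext, so the password is readable in transit
]


def naive_check(url):
    """What a hurried user does: 'I can see bank.example.com in the bar.'"""
    return EXPECTED_HOST in url


def strict_check(url, expected=EXPECTED_HOST):
    """Parse the URL, compare the actual host component, and insist on https."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host == expected


def audit(urls=SAMPLES):
    """Map each URL to (naive verdict, strict verdict)."""
    return {u: (naive_check(u), strict_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in audit().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The naive check accepts all five URLs; the strict check accepts only the first. The same comparison is what a password manager does before auto-filling, which is one reason it is harder to phish a manager than a person.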
Passwords help to make sure that password profilers and others do not get access to a computer or other valuable information unless they have been granted it. To make passwords simpler to memorize, users frequently use the same or related passwords on every system, and given the choice most users pick passwords that are simple, easy to remember, and therefore easy to guess. Short and easy passwords are comparatively easy for password profilers to determine. Since attackers have become progressively more sophisticated at cracking passwords, one of the easiest defenses we have on the Internet is to create the strongest password possible to defend our data, computers and online accounts. When creating a strong password, the usual advice is to use both upper- and lower-case letters, to include punctuation and numbers, and to make it at least eight characters long. Note, though, that a profiled password such as a pet's name followed by a birth year and an exclamation mark satisfies every one of those rules and is still among the first things a profiler will try. Length and unpredictability matter more than mixing character classes: a password should not be built from facts about you, should not appear on lists of commonly used or previously breached passwords, and should never be reused across systems.
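To make the difference concrete, here is an added example (not from the post) that implements the composition rule quoted above side by side with a check based on length, a common-password blocklist and the facts a profiler could learn about the user. PROFILE_TOKENS and COMMON are constructed samples; a real deployment would check against a large breached-password list rather than five words.

```python
"""Composition rule vs. profile/blocklist check. Added example, not from the
post. PROFILE_TOKENS and COMMON are constructed samples; a real deployment
would use a large breached-password list."""
import re

# Constructed: facts an attacker could learn about a hypothetical user.
PROFILE_TOKENS = ["maria", "lopez", "fluffy", "carlos", "tigers", "1990", "0312"]
# Constructed: a tiny stand-in for a breached/common-password blocklist.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}
UNLEET = str.maketrans("@310$", "aeios")   # undo the usual substitutions
MIN_LEN = 12


def composition_ok(pw):
    """The rule quoted in the post: at least 8 characters with upper, lower,
    digit and punctuation."""
    checks = [len(pw) >= 8,
              re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
              re.search(r"\d", pw), re.search(r"[^\w\s]", pw)]
    return all(checks)


def problems(pw, profile_tokens=PROFILE_TOKENS):
    """Reasons to reject a password (empty list = acceptable). Looks at length,
    the blocklist and profile tokens, after normalising case and simple leet."""
    lower = pw.lower()
    forms = {lower, lower.translate(UNLEET)}     # raw and de-leeted
    issues = []
    if len(pw) < MIN_LEN:
        issues.append(f"shorter than {MIN_LEN} characters")
    if any(re.sub(r"[^a-z0-9]", "", f) in COMMON for f in forms):
        issues.append("on common-password list")
    for tok in profile_tokens:
        if any(tok in f for f in forms):
            issues.append(f"contains profile token {tok!r}")
    return issues


if __name__ == "__main__":
    for pw in ["Fluffy1990!", "P@ssw0rd!", "Fluffy-Tigers-1990!!",
               "correct horse battery staple"]:
        print(f"{pw!r}: composition_ok={composition_ok(pw)} problems={problems(pw)}")
```

"Fluffy1990!" and "P@ssw0rd!" pass the composition rule and fail the profile check; the long passphrase fails the composition rule (no capitals, no digits) and passes the profile check. The second verdict is the one that predicts how long a profiler's wordlist takes to reach the password.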
Our systems and our information are vulnerable, but it is up to us whether to leave them that way or to make them strong.
References
Hadnagy, C. (n.d.). Social Engineering and Nonverbal Behavior Set ("Common User Password Profiler"). Retrieved August 05, 2015, from Google Books: https://books.google.com/books?id=oMoiAwAAQBAJ&pg=PT318&lpg=PT318&dq=password+profilers+as+social+engineering+tool&source=bl&ots=94kMrCYliC&sig=Sywc03Xm5UJeMxk-lyDzD3JlfEw&hl=en&sa=X&ved=0CC0Q6AEwA2oVChMIo_mKyZqSxwIVARY-Ch2guAXR#v=onepage&q=password%20profilers%20as%20social%20engineering%20tool&f=false
Hadnagy, C. (2011). Social Engineering: The Art of Human Hacking. Indianapolis, IN: Wiley Publishing, Inc.
Sanela, E. S. (2015). Engleski Jezik – Informacijski Sistemi. Retrieved August 05, 2015, from Academia.edu: http://www.academia.edu/5318961/Sanela_S._Social_Engineering
Smith, T. (2011, July 27). Photo credit: Password Profiler 3: Automate Log-Ons and Fill Forms Faster. Retrieved December 09, 2015, from PCMag Digital Group: http://www.pcmag.com/article2/0,2817,2389089,00.asp