How Hackers Use SSL Strip to Obtain Secure Passwords [VIDEO]

March 24, 2014
213 Views

Passwords are generally considered the first line of defense between cyber criminals and your data. In order to help prevent security breaches via logins, it’s crucial to pick strong passwords that are different for each of your important accounts, and it is good practice to update your passwords regularly. Despite these recommendations, people still employ weak passwords like “123456” and “password” – and then wonder why their data is stolen.

Passwords are generally considered the first line of defense between cyber criminals and your data. In order to help prevent security breaches via logins, it’s crucial to pick strong passwords that are different for each of your important accounts, and it is good practice to update your passwords regularly. Despite these recommendations, people still employ weak passwords like “123456” and “password” – and then wonder why their data is stolen.

As I’ve discussed here before, there are a number of ways hackers crack passwords. What I’ve also emphasized is that knowing the techniques hackers use is THE best way to combat them. In this short video, I will demonstrate how to use SSL Strip to obtain secure passwords. In addition to showing you how hackers carry out this attack, this video will guide you through the process so it can be applied to your company’s system to see if it’s accessible through weak passwords.

SSL Strip is a tool that essentially reroutes encrypted HTTPS requests from network users to plaintext HTTP requests, effectively checking out all logins traveling along the network via SSL. Basically, it lets users connect via HTTP, logs their information, then redirects their connection to the originally-intended HTTPS server on the Internet.

Watch and learn how SSL Strip allows users to detect wimpy passwords on the network.

As you saw, using SSL Strip to lift passwords is fairly straight forward. All organizations are susceptible to this type of attack. Those companies with strong password policies are less at risk.

It’s important to make sure your Web security is up-to-date. Remember, SSL Strip looks for HTTPS traffic and then redirects it to HTTP traffic, this is what makes it vulnerable. If the website is all HTTPS and not HTTP, SSL Strip cannot change the HTTPS link to a HTTP link. On a site note, if you find yourself needing to use a public network, or if your personal WIFI is not secured, then it’s probably not a good idea to use that network to access any of your personal accounts, lest you become a target for an SSL Strip attack.