Password sniffing and account hijacking have become more prevalent in recent years due in part to the growth of Wi-Fi and software that make these hacking techniques so easy. This article discusses these techniques and how to prevent them to protect your accounts and privacy.
Both of the methods we're discussing require the eavesdropper to be connected to the same network as you. So you should be more concerned when using public Wi-Fi hotspots or public Internet ports in hotels, cafes, malls, or any other network that you can connect to without ever having to provide a password. Wi-Fi networks in your home or office should be secured with WPA or WPA2 encryption. When encrypted, people must have your security password in order to connect, so people without your password can't eavesdrop on your Wi-Fi signal.
These hacking techniques can still be used by other users on private networks using the Personal/Pre-Shared Key (PSK) mode of WPA/WPA2 encryption or the older WEP encryption. However, they can't be used on networks using the Enterprise/EAP mode of WPA/WPA2 encryption, which is usually used only by businesses and requires a separate 802.1X server.
Password Sniffing and Account Hijacking Techniques
One password sniffing technique is where the eavesdropper uses a program, such as SniffPass, to capture your username and password sent in clear-text when logging into websites, email, and other services that aren't using a secured connection with SSL encryption. Very sensitive websites like banks should be using SSL encryption. You should see a pad lock or alert in the browser when it's using SSL. But other websites, like social networks, email providers, gaming sites, and other less sensitive places don't always use SSL encryption. Those are the places that eavesdroppers might be able to capture your login credentials from.
One account hijacking technique is HTTP session hijacking. Again, this applies just to websites, email, and other services that aren't using a secured connection with SSL encryption. The eavesdropper can use software to monitor logins or web sessions and attempt to hijack them. Examples of software they might use include the Firesheep add-on for the Firefox web browser, or the FaceNiff or DroidSheep apps on an Android smartphone. The technique used by these applications doesn't necessarily give them your password, but it lets them get on your account.
Here are some of the popular websites that don't always use SSL encryption and could be vulnerable to these hacking techniques: