In our continuing series on cybersecurity issues, we discuss the fragility of relying solely on passwords to protect our identity and our data online. We will peel back the curtain and show you some different methods used by hackers. We will also discuss some simple methods you can employ to keep your personal information protected.
How hackers crack passwords
Passwords are used for pretty much every service we use online today. From our bank accounts to our Facebook profiles, passwords are just a first step in securing your data. Hackers can use a variety of methods to “crack” or obtain passwords. Once they have your login credentials, they can quickly do damage to your finances, impersonate you online, or simply sell those passwords on the Dark Web. Knowing how these hackers obtain passwords will help you defend against their malicious attacks, keeping your online identity safer.
- Brute Force Attack: This method uses computers to try every possible combination of letters, numbers and symbols against a login system. From 000000 to zzzzzz and beyond, this method will eventually yield a working password. However, it may take a long time to find the password. The longer the password, the longer it takes to crack. This graphic from BitWarden nicely illustrates the time it takes to crack a password. As we can see from the graphic, a 7-character password takes mere minutes to crack, while a 15-character password can take centuries to crack.
- Dictionary Attack: This type of attack is similar to a Brute Force Attack, except that instead of generating every possible combination, it tries a list of words from a dictionary. That dictionary can be a standard dictionary or a customized list of words to increase efficiency.
- Rainbow Attack: This attack uses precomputed tables of hashed passwords to speed up the cracking process.
- Malware Retrieval: This type of attack infects the user’s device with malicious software designed to steal password data from a computer or network and send it somewhere the hacker can retrieve it later.
- Social Engineering: Although we tend to think of hackers sitting in some dark room in front of a computer, hackers can be out in public looking for opportunities to gain access to secure areas. They may study a target for weeks or months, developing solid strategies while learning people’s schedules. Once they successfully enter the secure area, they look for obvious places where people write down and store passwords, such as notebooks stored in desk drawers and sticky notes stuck to the back of users’ keyboards.
- Phishing Phone Calls: In this method, the hacker calls the user or has the user call a phone number. Posing as a technician or agent from a legitimate business, they try to trick the person into giving them their password, payment info or other identifying information. Sometimes this is teamed up with a malicious browser popup claiming that the computer is infected and needs to be fixed by a computer technician on standby at a supplied phone number.
- Email Phishing Attacks: In this method, specially crafted emails are sent to hundreds of people. These emails can be quite deceptive, looking like legitimate emails from well-known companies such as Microsoft, Apple, Google, Facebook, Paypal and even major banks.
- Guessing: Yes, hackers can sometimes get lucky and guess a password. This may be an educated guess, such as knowing the name of a person’s pet or favorite sports team. Or they could just be guessing popularly overused passwords such as Password123 or abc123.
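The brute-force and dictionary attacks above differ only in what the attacker enumerates: every character combination, or every entry of a word list. The following Python script is an added example, not from the original article, that works through the arithmetic behind the "minutes versus centuries" comparison and the passphrase tip later on the page. The guess rate of 100 billion guesses per second and the 7776-word list size are assumptions chosen for illustration; real rates depend heavily on how the target stores passwords.

```python
# Added example (not from the original article): estimating how long an
# exhaustive brute-force or dictionary search takes. GUESS_RATE and the
# 7776-word list size are assumptions for illustration only.
SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESS_RATE = 1e11  # assumption: guesses/second for a fast, unsalted hash on a GPU rig

# Character classes a brute-force attacker must cover: 26 lowercase,
# 26 uppercase, 10 digits, 32 printable ASCII symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def brute_force_keyspace(length, classes=("lower", "upper", "digit", "symbol")):
    """Candidates an exhaustive search must cover for a password of
    `length` characters drawn from the given character classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def dictionary_keyspace(wordlist_size, words=1, separators=1):
    """Candidates for `words` words taken from a word list, allowing
    `separators` possible separator characters between words."""
    return wordlist_size ** words * separators ** (words - 1)


def seconds_to_search(keyspace, guesses_per_second):
    """Worst-case time to try every candidate (on average, half of this)."""
    return keyspace / guesses_per_second


def humanize(seconds):
    """Render a duration in the most readable unit."""
    if seconds < 1:
        return "under a second"
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    if seconds < 100 * SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.0f} years"
    return f"{seconds / SECONDS_PER_YEAR / 100:.0f} centuries"


def compare(guesses_per_second=GUESS_RATE):
    """Worst-case search times for the cases the article discusses."""
    cases = {
        "7 chars, all classes": brute_force_keyspace(7),
        "15 chars, all classes": brute_force_keyspace(15),
        "20 chars, all classes (Coastal-Green-Turtle by length)": brute_force_keyspace(20),
        "1 word from 7776-word list": dictionary_keyspace(7776, 1),
        "3 words from 7776-word list": dictionary_keyspace(7776, 3),
        "4 words from 7776-word list": dictionary_keyspace(7776, 4),
    }
    return {label: humanize(seconds_to_search(k, guesses_per_second))
            for label, k in cases.items()}


if __name__ == "__main__":
    for label, duration in compare().items():
        print(f"{label:55s} {duration}")
```

Two things stand out when the numbers are run. First, the character-level result matches the article: 7 characters fall in minutes, 15 or 20 characters take far longer than a human lifetime. Second, a word-guessing attacker does not care about character length at all; against three words taken from a small public list, the search is over in seconds at this rate, and a fourth word only pushes it to hours. That is why the list size, the word count and the digits and symbols the article recommends matter as much as length. The guess rate is the largest assumption: services that store passwords with a deliberately slow hash cut the attacker's rate by many orders of magnitude, and every figure above grows accordingly.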
How to protect yourself from hackers
To keep your identity and account data protected, follow these tips and suggestions to keep your online accounts secure.
- Use long, complex passwords that contain upper and lower case letters, numbers and symbols. The longer the password, the harder it is to crack with brute force methods.
- Don’t use easily guessable passwords like Password123.
- Don’t use a single word as a password! This will prevent successful dictionary attacks. If you do want to use a single word, incorporate numbers and symbols. Sometimes you can use numbers and symbols in place of letters. For example, use 3 for E, ! instead of i, @ for A, etc.
- Don’t use words or names that can be easily traced back to you. For example, don’t incorporate your name or the names of your loved ones into your passwords. Don’t use easily guessable pet names, sports teams or city names that people can easily associate with you. You would be surprised how much of your data is readily available online, especially if you use social media.
- If you think words are an easy way to remember your password, consider using a passphrase. A passphrase is a password made up of 3 or 4 words, separated by a hyphen. This typically yields a password that is many characters long. For example, Coastal-Green-Turtle would be considered a strong password. Because of its length and complexity, a brute force attack would take centuries to crack a typical passphrase.
- Consider using a randomly generated password. There are several tools online for free, but make sure it is hosted or sponsored by a reputable source.
- Don’t use the same password for different accounts. If one account gets compromised, potentially they all could be compromised if the passwords are the same.
- For accounts that support it, turn on Two-Factor Authentication whenever possible. Alternatively, you can use biometrics to secure your data, such as the fingerprint reader or FaceID on your phone.
- If you have a problem remembering passwords, consider using a password manager, like LastPass. Password managers will typically automatically fill in your login information to sites and applications, after it authenticates you as the primary user.
- Don’t write passwords down on paper. And don’t store passwords online in a non-secure location or method.
- If you do need to write down passwords, make sure you keep them locked up in a drawer or cabinet.
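The password tips above can be turned into a concrete check. The script below is an added example written for this article, not code from the author or from any password manager, and it encodes the tips as rules: a minimum length with all four character classes, rejection of commonly used passwords and of a single dictionary word, rejection of names tied to you, and an exemption from the length rule for a hyphenated passphrase of three or more words. The common-password and dictionary lists are tiny constructed samples; the checker also goes a step further than the substitution tip and undoes the well-known letter swaps (3 for E, ! for i, @ for A) before comparing, since cracking tools try those swaps routinely.

```python
# Added example (not from the original article): a password-policy check
# that encodes the article's tips. Both word lists are constructed for this
# example; a real deployment would use a large breached-password list and a
# full dictionary.
import re

MIN_LENGTH = 12  # assumption: policy minimum for a non-passphrase password
REQUIRED_CLASSES = {"lower", "upper", "digit", "symbol"}

# Constructed sample lists, deliberately tiny.
COMMON_PASSWORDS = {"password123", "abc123", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"turtle", "coastal", "green", "summer", "dragon", "monkey"}

# Letter substitutions that cracking tools already try, so a single word
# written with these swaps is still treated as a single word.
SUBSTITUTIONS = str.maketrans({"3": "e", "!": "i", "1": "i", "@": "a",
                               "0": "o", "$": "s", "5": "s"})


def character_classes(password):
    """Set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def normalize(password):
    """Lowercase form with common substitutions undone."""
    return password.translate(SUBSTITUTIONS).lower()


def is_passphrase(password, min_words=3):
    """True for three or more alphabetic words joined by '-', '_' or space."""
    words = [w for w in re.split(r"[-_ ]", password) if w]
    return len(words) >= min_words and all(w.isalpha() for w in words)


def check_password(password, personal_terms=()):
    """Return the list of policy problems; an empty list means the
    password passes every rule encoded here."""
    problems = []
    forms = {password.lower(), normalize(password)}
    if forms & COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if forms & DICTIONARY_WORDS:
        problems.append("is a single dictionary word (even with substitutions)")
    for term in personal_terms:
        if term.lower() in password.lower():
            problems.append(f"contains personal term '{term}'")
    if is_passphrase(password):
        return problems  # length and class rules do not apply to passphrases
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    for candidate in ("Password123", "Turtl3", "Coastal-Green-Turtle", "xK9#mQ2$vL7!pR4"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The order of the checks matters: the list and personal-term rules run for every password, including passphrases, so "Coastal-Green-Turtle" passes on its own but is flagged for someone whose pet is named Turtle. Only after those rules does the passphrase exemption skip the length and character-class requirements.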
For online accounts:
- Keep online accounts to a minimum. The fewer accounts you have, the less likely you are to be targeted.
- Only use services from trusted businesses.
- For social media accounts, limit the kind of personally identifiable information that you post.
- Change the privacy settings on your social media accounts. This will also help limit what hackers can learn about you online.
- Dedicate one credit card for online purchases. Make sure that credit card offers online theft protection. In case your identity is stolen, and fraudulent charges are made, you won’t be personally responsible for those unauthorized charges.
- Don’t accept a friend request from someone who is already your friend on the service. It is most likely a fake account created to fool you. Check with the actual person first before accepting these kinds of friend requests.
Concerning Computers and Email:
- When you receive a suspicious email, carefully check the sender’s email address. If you get an email from a large company, but the sender’s email address is a Gmail address, it is most likely a scam.
- Hover over all links in the browser before clicking on them. Make sure the URL is actually going to the place it says it is going to.
- Never open or download attachments from suspicious emails.
- Have separate email addresses for different activities. For example, you could have an email address dedicated to financial accounts, one dedicated to job searches, and one dedicated to online purchases. You can even have an email address dedicated to services you only intend to use for a short time.
- Install and use malware protection software from a trusted company.
- Lock or shut down computers in public or work environments when they are not in use. A computer cannot get infected when it is off!
On the Phone:
- As spam callers and spambots are making a record number of bogus phone calls, only answer calls from people you know.
- Don’t volunteer personal information or credit card information on any phone calls you did not initiate.
- If you get a popup saying your computer is infected with a virus, don’t call any phone number that it provides. Rather, take it to a trusted computer repair shop or a friend who works on computers to help you clear the malware.
Out in Public:
- Don’t discuss personal or financial information in public areas.
- Don’t give strangers any personal information.
- Stay vigilant when in a new area. Pay attention to those that are paying attention to you.
- At your place of business, don’t hold open any doors to secure areas for anyone.
- Don’t let people enter secure areas with your credentials.
- Keep an eye out for unfamiliar people in your work area.
By following some of the suggestions listed above, you will decrease your chances of getting your data stolen or your accounts compromised. If you are concerned that you may have been the victim of identity theft, you can have a dark web scan performed on your behalf.
Allegiance Technology Solutions provides 24-7 Cybersecurity Monitoring services for our Managed IT Service clients. Our service will proactively monitor the Dark Web for you and notify you immediately when your data is found to be compromised. Contact us if you are interested in using our cybersecurity protection services for your business.