How do hackers steal passwords and how to deal with it
The concept of password has been around for centuries and passwords were applied to computer science much earlier than most of us can remember.
One reason for the popularity of passwords is that people instinctively know how they work. But there is a problem. Passwords are the Achilles’ heel of many people’s digital lives, especially as we live in an age where the average person remembers 100 passwords, and that number has grown in recent years. “It’s not surprising that many people choose easy solutions, which reduces security,” said Phil Muncaster of the global cybersecurity company ESET.
Since a password is often the only barrier between a cybercriminal and your personal and financial data, fraudsters are more than willing to steal or break those passwords. It’s up to us to protect our online accounts.
What can a hacker do if he gets my password?
Passwords are the virtual keys to your digital world – they give you access to your online banking, email, social networking services, Netflix and Uber accounts and all the data hosted in the cloud.
With your passwords in hand, a hacker could:
Steal your personal information and sell it to other criminals.
Sell your login details. Dark web marketplaces trade in this information in bulk. Unscrupulous buyers could use the credentials to obtain everything from free taxi rides and streaming services to discounted travel from hijacked Air Miles accounts.
Use passwords to unlock other accounts in which you use the same password.
How do hackers steal passwords?
Phil Muncaster of the global cybersecurity company ESET suggests that we familiarise ourselves with these classic cybercrime techniques so that we can manage the threat:
Phishing and social engineering
Human beings are prone to mistakes when making hasty decisions. Cybercriminals exploit this weakness through social engineering, a psychological trick designed to push us to do something we should not do. Phishing is perhaps the most representative example. Here, hackers disguise themselves as friends, relatives, companies you have worked with, etc. The email or text you receive will look authentic but will include a malicious link or attachment which, if clicked, will download malware or take you to a web page to fill in your personal information.
Fortunately, there are many ways to spot the warning signs of a phishing attack, as we explain here. Scammers even use phone calls to extract passwords and other personal information directly from their victims, often pretending to be technical support agents. This method is called “vishing”.
Another popular way to get your passwords is through malware. Phishing emails are a major driver of this type of attack, although you may also fall victim to malicious advertising or a drive-by-download website. As ESET researcher Lukas Stefanko has repeatedly shown, malware can even hide in a mobile app that looks legitimate, often one found in third-party app stores.
There are several types of malware that steal information, but some of the most common are designed to capture keystrokes or snapshots of your device’s screen and send them to attackers.
Brute Forcing Attacks
The number of passwords that the average person has to manage has increased by about 25% year on year in 2020. Many use passwords that are easy to remember (and guess) and use on many different websites. However, this can open the door to so-called brute-force techniques.
One of the most common is credential stuffing. Here, attackers feed large volumes of previously compromised username / password combinations into automated software. The tool then tests these combinations on a large number of websites, hoping to find a match. This way, hackers can unlock several of your accounts with a single password. An estimated 193 billion such attempts were made last year worldwide. The Government of Canada has been one of the victims of this technique.
Another brute-force technique is password spraying. In this case, hackers use automated software to test a list of frequently used passwords on your account.
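As an added illustration (not part of the original article), the following detector shows how a defender can pick these patterns out of authentication logs: spraying and stuffing both look like a few failed attempts spread across many accounts from one source, whereas classic brute force hammers a single account. The log format, addresses, usernames and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from the original article).
SAMPLE_LOG = """\
2020-11-02T10:00:01Z result=fail src=203.0.113.5 user=alice
2020-11-02T10:00:02Z result=fail src=203.0.113.5 user=bob
2020-11-02T10:00:03Z result=fail src=203.0.113.5 user=carol
2020-11-02T10:00:04Z result=fail src=203.0.113.5 user=dave
2020-11-02T10:00:05Z result=success src=203.0.113.5 user=erin
2020-11-02T10:00:06Z result=fail src=198.51.100.7 user=frank
2020-11-02T10:00:07Z result=fail src=198.51.100.7 user=frank
2020-11-02T10:00:08Z result=fail src=198.51.100.7 user=frank
2020-11-02T10:00:09Z result=fail src=192.0.2.9 user=grace
2020-11-02T10:00:10Z result=success src=192.0.2.9 user=grace
"""

LINE_RE = re.compile(r"result=(?P<result>\w+) src=(?P<src>[\d.]+) user=(?P<user>\S+)")

def analyse(log_text, many_users=4, per_user_brute=3):
    """Group login attempts by source address and classify the pattern.
    Returns {src: {"pattern", "users", "failures", "hits"}} for suspicious sources only."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    successes = defaultdict(list)                    # src -> users that logged in
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip unparsable lines instead of crashing the detector
        if m["result"] == "fail":
            fails[m["src"]][m["user"]] += 1
        else:
            successes[m["src"]].append(m["user"])
    findings = {}
    for src, per_user in fails.items():
        total = sum(per_user.values())
        if len(per_user) >= many_users:
            # Few attempts spread over many accounts: password spraying or
            # credential stuffing (both are built to evade per-account lockout).
            pattern = "spray_or_stuffing"
        elif max(per_user.values()) >= per_user_brute:
            # Many attempts against one account: classic brute force.
            pattern = "single_account_brute_force"
        else:
            continue  # a lone typo (one failure, one user) is normal traffic
        # A success from a source already spraying/stuffing is a likely
        # compromised credential: a reused password that "matched".
        findings[src] = {"pattern": pattern, "users": len(per_user),
                         "failures": total, "hits": successes.get(src, [])}
    return findings
```

In the sample, 203.0.113.5 is flagged with a successful login for erin, which is exactly the account a defender should force a password reset on.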
Although hackers have automated tools for cracking your password, sometimes they are not even necessary: even a simple guess – as opposed to the more systematic approach used in brute-force attacks – can do the trick. The most common password for 2020 was “123456”, followed by “123456789”. In fourth place was the word “password”.
And if you are like most people and use the same password, or a derivative of it on multiple accounts, then you make it even easier for scammers and put yourself at additional risk of identity theft and fraud.
Shoulder surfing – Peeking over the victim’s shoulder
All the password breach paths we have explored so far have been virtual. However, as quarantine loosens and many employees begin to return to the office, it is worth remembering that some tried and tested spying techniques are also a risk. That’s not the only reason shoulder surfing is still a threat, and ESET’s Jake Moore recently conducted an experiment to find out how easy it is to break into someone’s Snapchat using this simple technique, which requires the attacker to be physically close to the victim, within line of sight of the victim’s keyboard and screen.
A higher-tech version, known as a “man-in-the-middle” attack that involves Wi-Fi eavesdropping, could allow hackers connected to a public Wi-Fi network to capture your password as you enter it while you are connected to the same hotspot. Both techniques have been around for years, but that does not mean they are not a threat.
How to protect the login credentials of your accounts
There is a lot you can do to block these techniques – by adding a second form of authentication, managing your passwords more effectively, or taking steps to prevent theft in the first place.
Consider the following:
Use only strong and unique passwords or passphrases on all your online accounts, especially your bank accounts, email accounts and social media accounts.
Do not use the same password on different accounts.
Enable 2-factor authentication (2FA) on all your accounts.
Use a password manager that stores strong, unique passwords for each website and each account, making connections simple and secure.
Change your password immediately if a Provider notifies you that your data may have been compromised.
Only visit websites served over HTTPS (addresses beginning with https://)
Do not click links and do not open attachments in spam emails
Only download apps from official app stores
Invest in security software from a trusted provider for all your devices
Make sure all operating systems and applications are upgraded to the latest version
Beware of shoulder surfers in public places
Never sign in to an account if you are on a public Wi-Fi network. If you must use such a network, use a VPN.