In last week's blog, we covered some of the ways hackers access personal data that they then sell on the Dark Web. This week, we wanted to further explore some of the most common, and most effective, methods for stealing passwords that lead to data breaches, and how you can combat them.
Passwords are often easy to crack and frequently reused, and in today's era of biometrics and cryptography they are an outdated way of protecting an account.
Unfortunately, it's this ease of use that means passwords are still the main method of authentication. We think it's valuable to know just how you can be hacked in order to keep yourself protected. After all, no matter how clever you think your password is, hackers will find a way to crack it.
Here are our top 5 ways (in no particular order) that hackers can crack your credentials to gain access to valuable data:
Phishing
Phishing is the practice of stealing user information by imitating a trusted party's look and feel, then using the captured data for malicious ends. The term is generally associated with email attacks, but there are other mediums, such as ‘smishing’ (SMS phishing), to be aware of as well.
The most common method is to trick a user into clicking on a link or downloading an attachment. Once this is done, a malicious file is downloaded and executed on the user’s machine. The actions of the malware vary: some may encrypt files and prevent the user from accessing the machine, while others may attempt to stay hidden in order to act as a backdoor for other malware to attack at a later date.
Today’s phishing usually involves some form of social engineering, where the message will appear to have been sent from a legitimate, often well-known company, informing their customers that they need to take action of some kind. Netflix, Telstra, and Facebook are often used for this purpose, as it’s highly likely that the victim will have an account associated with these brands.
Emails from supposed princes in Nigeria looking for an heir really aren't that common any more, although you can still find the odd wildly extravagant claim here and there, or even extortion attempts.
Social engineering
Social engineering typically refers to the process of tricking users into believing the hacker is a real and legitimate person. Hackers often call their victim and pose as technical support, asking for things like passwords in order to provide assistance and fix problems you didn't know about. This can also be done in person, using a fake uniform, although that’s far less common these days.
Successful social engineering attacks can be incredibly convincing and highly lucrative, as was the case when the CEO of a UK-based energy company lost ~AUD400,000 to hackers after they tricked him with a tool that mimicked his assistant’s voice.
Brute force attack
Brute force attacks refer to a number of different methods of hacking that all involve guessing passwords in order to access a system.
A simple example of a brute force attack would be a hacker simply guessing a person's password based on relevant clues, but they can be far more sophisticated than that.
Lists of previously used passwords and usernames are also available, so recycling your passwords, especially ones exposed in other breaches, is fraught with danger. Reverse brute force attacks involve hackers taking some of the most commonly used passwords and attempting to guess the associated usernames. The majority of brute force attacks employ some sort of automated processing.
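As an added example (not part of the original post), here is a small Python detector run over a constructed auth log in an assumed format. It separates the two patterns described above: a classic brute force, where one source hammers one account, and a reverse brute force (password spray), where one source tries a single guess against many accounts and so never trips a per-account lockout.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from any real system); the line format is assumed.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 src=192.0.2.5 user=alice result=OK",
    "2024-05-01T09:00:03 src=192.0.2.6 user=bob result=FAIL",   # a single typo, benign
    "2024-05-01T09:00:04 src=192.0.2.6 user=bob result=OK",
] + [
    # classic brute force: one source, one account, many failures
    f"2024-05-01T09:01:{i:02d} src=203.0.113.7 user=alice result=FAIL" for i in range(6)
] + [
    # reverse brute force / password spray: one source, one failure per account
    f"2024-05-01T09:02:{i:02d} src=198.51.100.9 user={u} result=FAIL"
    for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])
]

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_events(lines):
    """Yield a dict with src/user/result for every line that matches the format."""
    for line in lines:
        match = LINE_RE.search(line)
        if match:
            yield match.groupdict()


def detect(lines, fail_threshold=5, spray_threshold=5):
    """Return brute-force and spray findings as sorted lists of tuples.

    brute_force:    (src, user, failures) where one source failed against one
                    account at least fail_threshold times.
    password_spray: (src, distinct_users) where one source failed against at
                    least spray_threshold different accounts.
    """
    fails = defaultdict(int)        # (src, user) -> failed attempts
    targets = defaultdict(set)      # src -> distinct accounts that failed
    for event in parse_events(lines):
        if event["result"] == "FAIL":
            fails[(event["src"], event["user"])] += 1
            targets[event["src"]].add(event["user"])
    brute = sorted((src, user, n) for (src, user), n in fails.items() if n >= fail_threshold)
    spray = sorted((src, len(users)) for src, users in targets.items() if len(users) >= spray_threshold)
    return {"brute_force": brute, "password_spray": spray}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(kind, hits)
```

Counting distinct accounts per source, not just failures per account, is what surfaces the spray; a per-account lockout rule alone sees only one failure on each user.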
Guessing
If all else fails, a hacker can always try to guess your password. Even with password managers able to create random, complex passwords, people still often use memorable ones. These are often based on pets, hobbies or family, much of which is splashed across the very social media pages the password is trying to protect. Brutus may be the cutest fur baby in your eyes, but raving about him on social media could also be the key to your profile for a hacker.
Password management tools that generate randomized passwords for each new login you create, together with multifactor authentication, will remove a lot of the risk associated with these attacks.
Malware
Keyloggers and a host of other malicious tools all fall under the term malware: malicious software designed to steal data. Keyloggers, and similar tools, record a user’s activity, whether that’s through keystrokes or screenshots, all of which is then sent to the hacker. Some malware will even proactively hunt through a user’s system for password dictionaries or data associated with web browsers, so all of those passwords that Chrome offers to save for you are open to exposure.
Key Takeouts
Never fear: although there are a myriad of ways hackers attempt to compromise your password, there are also many ways to combat the threat. Here are FortiTech's top tips:
- Use a unique password for every login you have; if one password is breached, you can contain the damage much faster than if you have used the same password everywhere
- Use Multifactor Authentication (MFA) where available, but try to avoid MFA that relies on text messages, as they can be intercepted; still, even text is better than nothing
- Use a Password Manager to keep passwords as long and complex as possible; plus, it means you don't have to remember them - we aren't all Rain Man. LastPass, Dashlane and Roboform are popular and have free options for personal users
- Business class Password Managers enable one person to control the password to an account, and then provide access to other users without sharing the actual password. This is great for businesses with additional security needs or those wanting an easier on-boarding and off-boarding process
- Visit https://haveibeenpwned.com to check whether your accounts have already turned up in a known data breach
- https://howsecureismypassword.net/ lets you find out how secure your passwords are.
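The same site also runs a Pwned Passwords range lookup (its k-anonymity API at api.pwnedpasswords.com) that lets a password manager or sign-up form check a password against the breach lists mentioned in the brute force section without ever sending the password itself. This added example, not the page's or the service's own code, shows how that check works; the HTTP response is constructed locally so it runs offline, and only `fetch_range` touches the network.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-character prefix
    that is sent to the API and the 35-character suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, body):
    """How many times the password appears in the breach corpus covered by `body`.

    The match is done locally on the suffix, so the server only ever learns the
    prefix, which is shared by hundreds of unrelated passwords."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (not used by the offline sample below): transmits only the prefix."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of "password123", built here so the
# example runs offline. The filler suffixes and the count are made-up values; the
# real service returns several hundred lines per prefix.
_prefix, _suffix = sha1_prefix_suffix("password123")
SAMPLE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed filler suffix
    f"{_suffix}:126927",                        # constructed count for the sample password
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",   # constructed filler suffix
])

if __name__ == "__main__":
    print("password123 seen", pwned_count("password123", SAMPLE_RESPONSE), "times")
```

To run it against the live service, replace `SAMPLE_RESPONSE` with `fetch_range(_prefix)`; a non-zero count means the password is already in circulation and should not be reused anywhere.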