Most people understand the need to have strong passwords, though a large number, seemingly with bloody-minded intent, insist on using passwords that are frighteningly easy to crack.
With this in mind, here are some common methods hackers use to steal passwords. For those of you who haven’t got around to using strong passwords, what follows might make you sit up straight and get cracking on creating strong passwords.
You’re no doubt familiar with the almost steady stream of news about how company XYZ had its database hacked or organisation ABC left a door open for hackers to walk right in and walk back out again with an armful of personal data.
Typically this type of information includes names, addresses, passwords and so on. Most organisations, when storing this data, will ‘hash’ or ‘salt’ their databases. This means the data is scrambled. Sounds good, right?
Well, actually, no. A plain hash is universal: the same password always produces the same hash value, wherever it is stored. For instance, the password ‘12345’ when hashed becomes ‘df6f58808ebfd3e609c234cf2283a989’. You might think this is robust, but unfortunately hackers have a range of tools that enable them to recover the original passwords from hashes.
Some hackers use computers that can try over 300 billion hash combinations every second, so that ‘robust’ hash suddenly looks seriously vulnerable.
A lot of stolen database information ends up for sale on the dark web. Fraudsters buy up this information, run their password-cracking software and recover the password details.
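To make the point about ‘universal’ hashes concrete, here is an added Python example (it is not part of the original post and is not BullGuard code). It uses a constructed wordlist and three made-up user records: stored as plain MD5, two users with the same password get the same digest and a precomputed table finds both at once; stored with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256), the same password gives different digests, so the table no longer applies. The iteration count is an assumption chosen for this demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for a list of common passwords (not real leaked data).
COMMON_PASSWORDS = ["123456", "12345", "password", "qwerty", "letmein"]

# Constructed "stolen" user records: two users happen to share a weak password.
USERS = {"alice": "12345", "bob": "12345", "carol": "correct horse battery"}


def unsalted_hash(password: str) -> str:
    """Plain MD5 of the password, as many leaked databases store it.
    The same input always yields the same digest, which is what makes
    precomputed lookup tables work."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute digest -> password for a wordlist. One pass over the list
    answers a lookup for every stolen hash, and every user sharing a password
    falls at once."""
    return {unsalted_hash(p): p for p in wordlist}


def crack_unsalted(stored, table):
    """Map username -> recovered password for every stored digest found in the table."""
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000):
    """Per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored and neither needs to be secret.
    200_000 iterations is an assumed figure for this demo."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    # Unsalted storage: identical passwords give identical digests and the table finds both.
    unsalted_db = {u: unsalted_hash(p) for u, p in USERS.items()}
    table = build_lookup_table(COMMON_PASSWORDS)
    recovered = crack_unsalted(unsalted_db, table)

    # Salted storage: the same password gives a different digest per user, so the
    # table does not apply and each guess costs a full PBKDF2 run per user.
    salted_db = {u: salted_hash(p) for u, p in USERS.items()}
    alice_salt, alice_digest = salted_db["alice"]
    _, bob_digest = salted_db["bob"]
    return {
        "unsalted_identical": unsalted_db["alice"] == unsalted_db["bob"],
        "recovered": recovered,
        "salted_identical": alice_digest == bob_digest,
        "alice_login_ok": verify_salted("12345", alice_salt, alice_digest),
        "alice_wrong_pw": verify_salted("123456", alice_salt, alice_digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not make a weak password strong; ‘12345’ is still guessed quickly once the attacker targets that one user. What it removes is the shortcut: no shared table, and every guess must be repeated per user at the full cost of the slow hash.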
Phishing attacks – fake websites
Cyber fraudsters are a deeply devious bunch. One of their favoured tricks is to set up a website that looks like the real deal, for instance your bank or a well-known retail site. For example, you receive an email purportedly from your bank asking you to follow a link.
If you follow the link through to a website and enter your password it’s immediately stolen. Cunningly, once you have entered your information and it has been captured by the fraudsters, you are then often redirected to the legitimate site.
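As an added example (not from the original post), here is a small Python check a mail filter or a curious reader can run over the HTML of a message like the one described above. It extracts every link, and flags links that are not HTTPS, whose host merely contains a trusted brand name but sits under a different registered domain, or whose visible text names the trusted site while the link goes elsewhere. The e-mail body, the brand ‘examplebank.com’ and the lure domains are all constructed for this example; the registrable-domain helper is a deliberate simplification, not a public-suffix-list lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body in the style described above (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details:</p>
<a href="https://examplebank.com/help">examplebank.com help centre</a>
<a href="http://examplebank.com.secure-login.invalid/verify">Log in to examplebank.com</a>
<a href="https://examplebank-update.example/account">Click here</a>
"""

# Domains the reader genuinely trusts; hypothetical brand used only for this example.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A crude stand-in for a public-suffix lookup:
    enough for this sample, wrong for suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href: str, text: str, trusted) -> list:
    """Return the reasons a link looks like a phishing lure (empty list = looks fine)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    target = registrable_domain(host)
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not https")
    if target in trusted:
        return reasons  # genuine destination, whatever the link text says
    for brand in trusted:
        name = brand.split(".")[0]
        if name in host:
            reasons.append(f"host {host!r} imitates {brand} but is registered under {target!r}")
        if brand in text.lower():
            reasons.append(f"text names {brand} but link goes to {target!r}")
    return reasons


def suspicious_links(html: str, trusted):
    """Return [(href, reasons)] for every link that raises at least one flag."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = classify_link(href, text, trusted)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The check is deliberately simple: it is the programmatic version of the advice to hover over a link and read the real destination before clicking, and it catches the two common tricks of putting the real brand in front of an unrelated domain and of using a lookalike domain.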
Phishing attacks – trojans
This is a variation on the above method. You receive an email promising untold riches or life after death, or at least something that compels you to open an attachment. If you click the ‘intriguing’ attachment, unknown to you a key-stroke logger is downloaded into your browser.
Every detail you then type into a webpage, including usernames and passwords, is recorded and sent to the hacker.
Brute force attacks
If a hacker gets your email address you might not think it’s a problem. After all, what’s an email address without a password? Well, to hackers it’s both a key and a door. All they need to do to find your password is apply brute force cracking tools. These can be downloaded freely and, given that ‘123456’ is still the most common password on the planet, most passwords can be cracked with alarming ease.
Public Wi-Fi monitoring
There’s a simple thing you need to know about public Wi-Fi – data is not encrypted, so in theory hackers can see everything you do. If you have logged into an account, your password could already have been stolen. Wi-Fi traffic monitoring is a simple attack: a hacker uses an application that can easily be downloaded from the internet for free to watch all traffic on a public Wi-Fi network. Once you enter your username and password, the software notifies them and the hacker intercepts the information. It’s as simple as that.
How to protect yourself
- Clearly the golden rule is to use strong passwords, ten or more characters and a combination of upper and lower case letters, symbols and numbers.
- These types of passwords will defeat ‘hash’ cracking methods and brute force techniques
- Don’t carry out sensitive transactions on public Wi-Fi such as banking or making online purchases
- Use security software like BullGuard Internet Security. This multi award-winning protection flags up phishing attempts, identifies malicious websites and stops malware downloads such as key-stroke logger downloads
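To show what the ‘ten or more characters, all four character classes’ rule buys you against the brute force and hash-cracking attacks described above, here is an added Python example (not from the original post, not BullGuard code). It checks a password against that rule and against a small constructed list of common passwords, then estimates how long exhausting the whole keyspace would take at the 300 billion guesses per second quoted earlier. The sample passwords are made up for this example.

```python
import string

# Character classes behind the "upper and lower case letters, symbols and numbers" rule.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed sample of very common passwords ('123456' is the one named above).
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "111111"}

# Guess rate quoted earlier in the article: 300 billion hashes per second.
GUESSES_PER_SECOND = 300_000_000_000


def character_classes(password: str) -> set:
    """Which of the four classes the password actually uses."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def policy_failures(password: str, min_length: int = 10) -> list:
    """Reasons the password fails the rule above; an empty list means it passes."""
    failures = []
    if password in COMMON_PASSWORDS:
        failures.append("on the common-password list")
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    missing = set(CLASSES) - character_classes(password)
    if missing:
        failures.append("missing " + ", ".join(sorted(missing)))
    return failures


def keyspace(password: str) -> int:
    """Number of strings of the same length drawn from the same character classes.
    This is the attacker's worst case: it assumes the password is random, not a word
    with a digit bolted on."""
    alphabet = sum(len(CLASSES[c]) for c in character_classes(password))
    return alphabet ** len(password)


def worst_case_crack_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the keyspace at the given rate. A common password falls on
    the first few guesses regardless of this figure, which is why the list is checked first."""
    return keyspace(password) / rate


def describe(password: str) -> str:
    failures = policy_failures(password)
    verdict = "passes" if not failures else "fails: " + "; ".join(failures)
    years = worst_case_crack_seconds(password) / (365 * 24 * 3600)
    return f"{password!r}: {verdict}; exhausting its keyspace at 300 billion/s takes {years:.2e} years"


if __name__ == "__main__":
    for sample in ("123456", "Gx7#pLq2!vR"):  # constructed samples
        print(describe(sample))
```

The estimate is an upper bound: it only holds for passwords that are genuinely random over those character classes. A dictionary word with a capital letter and a ‘1’ on the end satisfies the class rule yet is among the first things a cracking wordlist tries, so the common-password check matters as much as the length and class rules.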