Passwords are your first line of defense for protecting your digital identity. As important as they are, however, about 52% of people still use the same passwords across multiple accounts and 24% use a variation of common passwords that are easy to hack.
Hackers employ different strategies to steal your passwords. It helps to understand how they do it, so you can prevent account takeover and other forms of identity theft. In this guide, we discuss some of the biggest password security risks you face and some things you can do to better help protect your identity.
- Credential Stuffing
- Password Spraying
- Brute Force
- Local Discovery
- Tips for Creating Better Passwords
Credential Stuffing: Highly Risky
Credential stuffing uses compromised credentials to access online accounts. According to Microsoft’s Tech Community, hackers try credential stuffing on tens of millions of accounts on a daily basis.
How Does Credential Stuffing Work?
Credential stuffing relies on two things:
- login credentials obtained from data breaches or the dark web
- bots that automate login attempts using these stolen lists.
This is one of the biggest threats consumers face today given the billions of records exposed in data breaches and the current state of digital security habits.
How to Avoid Credential Stuffing?
The best way to help protect yourself against credential stuffing is to use strong passwords for every account. That way, if one password is compromised, your other accounts can remain secure. To make this easier on yourself, consider using a password manager. This tool creates complex and unique passwords for you, helps you update them every few months and removes the need to have to remember them.
Phishing: Highly Risky
Phishing is a type of social engineering attack where hackers impersonate a trustworthy entity to trick victims into revealing their passwords, payment details or other sensitive information.
How Does Phishing Work?
Phishing commonly happens via emails or text messages that contain fraudulent links to malicious attachments or cloned websites. When you try to open these links or attachments using your username and password, the hackers can get your credentials.
How to Avoid Phishing?
There are a few things you can do to help protect yourself against phishing.
- On the one hand, it helps to be able to identify a phishing scam, so you can avoid them whenever you run into one. Phishing emails and texts usually contain grammatical errors and come from email addresses or phone numbers that don’t match the entity they’re impersonating.
- Another way to protect yourself against phishing is to enable two-factor or multiple-factor authentication on all your accounts. This way, if you accidentally happen to compromise your password, the hacker needs to also have access to your phone or email to receive a code that allows them to complete the login process.
- You can also look for anti-malware software with features that help you identify and avoid malicious links and websites altogether.
Password Spraying: Highly Risky
Password spraying is one of the most obvious and commonly used techniques to steal passwords. In this method, hackers use a list of commonly used passwords for automated login attempts.
How Does Password Spraying Work?
Hackers first obtain a list of usernames. Then, they try to login into each user account using commonly used passwords such as 12345678, qwerty@123, qazwsx123, abcdefgh, mickymouse, etc. Breaking the passwords with this technique depends on the processing power of the hacker and on the platform they’re trying to hack, as most platforms block the account after several incorrect attempts. To get around this security feature, hackers use multiple IP addresses, which allows them to increase the number of attempts they can have before getting detected.
How to Avoid Password Spraying?
You only need to make sure that you follow the tips of creating strong and unique passwords that we have discussed in the last section of this guide.
Keylogging: Medium Level Risk
Keyloggers are a type of monitoring software designed to record the keystrokes made by users on their devices. Keyloggers capture information that is typed into a website or application and then transmit it to a third party. This hacking technique is used in targeted attacks. Usually, the hacker either knows the victim personally (spouse, relative, colleague) or is particularly interested in the target such as in the case of corporate or nation espionage.
How Does Keylogging Work?
Hackers can install keylogging malware on devices physically or remotely through the web. Once your device gets infected with keylogging software, it records your keystrokes and sends feedback to the hacker. The hacker can then look for times when you logged in and capture information you typed while you were using your device.
How to Avoid Keylogging?
This hacking technique depends on malware, so the best way to defend against it is to have anti-malware software installed capable of detecting and removing any threats to your sensitive information.
Brute Force: Low-Level Risk
To most people’s surprise, brute force hacking is one of the least used techniques because of how difficult, time-consuming and expensive it is for criminals. It’s the type of hacking you usually see in movies or television shows when a hacker runs an algorithm against an encrypted password. The algorithm tests different combinations at lightning speeds until it cracks the password
How Does Brute Force Work?
There are several tools available, such as DaveGrohl, John the Ripper, etcetera, that hackers use to brute force your password. These tools offer a couple of different types of cracking. The first one is simple: the algorithm tries all the words in the dictionary. Depending on the computing power of a system, the entire dictionary can be tested within a matter of seconds. The other technique is used when a hacker acquires a hash (usually from a data breach) of your password’s plain text. Hashed passwords are those black dots that hide the text of your password. A password in the form of a hash is not usable as it’s encrypted and doesn’t reveal anything except for the number of characters the password contains. So, the hacker attempts as many words and combinations to generate the hash that matches the acquired one. To speed up the process, hackers use tools like Rainbow tables which is a precomputed table of common phrases.
How to Avoid Brute Force?
The best way to minimize the chances of falling victim to brute force attacks is to make sure that you set passwords with sufficient length (at least 16 to 20 characters). We recommend you go with the maximum length that any certain service allows. Moreover, it’s advisable not to use online platforms that don’t allow you to create passwords of more than eight to ten characters or that don’t set a limit on the number of login attempts.
Local Discovery: Low-Level Risk
Local discovery is another type of targeted hacking. It happens when someone finds your password in plain text and uses it to gain unauthorized access to your accounts or devices. Local discovery of your password can be made by law enforcement, a colleague, relative, or acquaintance.
How Does Local Discovery Work?
You are particularly prone to local discovery if you write your passwords down in plain text on a journal, sticky note or digital file. It can also happen if you leave your accounts open in a public space or via shoulder surfing, when someone sees you typing in your password without your knowledge.
How to Avoid Local Discovery?
To avoid compromising your passwords, don’t leave your personal accounts open in public places or leave your passwords in a place someone can find them. When you’re entering your password, make sure you use your body or your surroundings to hide any sensitive information you may be typing.
Extortion: Low-Level Risk
Extortion is probably the least common form of stealing passwords, but it’s not unheard of. It’s a type of blackmailing in which hackers force you to reveal your passwords to avoid an outcome that could hurt you.
How Does Extortion Work?
Extortion is outright blackmailing. It mainly depends upon the relationship that you and the attacker have. Someone may demand your login credentials if they have the means of harming your reputation. The hacker can blackmail you in many ways, such as revealing your images, browsing history, videos, sensitive information, or even threats to harm you, your family or friends.
How to Avoid Extortion?
There is no straightforward way of dealing with extortion.
Why Do Passwords Matter?
Passwords are a key aspect of your digital security, and the main goal of digital security is to ensure the safety of your personal and sensitive data. In this section, we cover some of the best tips to help you improve your password security
Tips for Creating Better Passwords
Here are some tips for creating strong passwords:
At Least 8 Characters in Length
Aim to create passwords that are between eight and 16 characters long – the more characters, the better. To put it into perspective, an inexpensive computer takes less than a second to break a password that is three characters. On the other hand, an industrial-scale computer powered with a strong GPU takes five days to crack a password that is eight characters long.
Include Lowercase, Uppercase, Symbols, and Numbers
The strongest passwords are the ones that contain lowercase letters, uppercase letters, symbols and numbers. A perfect example for such a password would be as following:
Never Use Personal Information
If you have a public social media accounts, then it’s possible a lot of your personal information is easy to find. Maybe your birthday, hometown, email, name of your dog, username, etc. Because of this, it’s never a good idea to include any personal information in your passwords that people may be able to guess.
Avoid Reusing Old Passwords
If you reuse the same passwords across multiple accounts, it’s easier to fall victim to credential stuffing. Once a hacker gets a hold of one password, they could potentially have access to multiple online accounts. To avoid this, make sure to have unique passwords for each account.
Use Password Managers
You can easily elevate your password security habits by using a password manager. Password managers help you create strong and unique passwords, they remove the need to memorize them, and they help you update them regularly.
Use Two-Factor Authentication
Two-factor authentication, also known as dual-factor verification or multifactor authentication, is a practice of using more than one way of authentication. It adds an additional security layer to your account where you’ll need to enter a security code (generated in real-time) that you receive via email or text to log in. In this way, hackers need your password, in addition to something you own, for them to access your accounts successfully.
Update Your Passwords Regularly
Data breaches happen all the time. There are billions of compromised passwords on the dark web that hackers and identity thieves can buy to access online accounts. Statistically speaking, almost everyone’s sensitive information has been leaked in at least one data breach. So make sure you update your passwords regularly to reduce the likelihood that someone gets their hands on a valid password you still use. We recommend updating your passwords every 72 days.
There you have it. We hope this guide helped you get a better understanding of cybersecurity risks and how you can improve your digital security to better protect your digital identity.