
How passwords get hacked and what you can do about it

Lily Howell Dec 16, 2020 12:00:00 AM

How many passwords do you use in a given day? Almost everything on the internet requires one. It can be tricky to keep track of them all while thinking up new strong passwords, and before you know it they have expired and you have to create a new one all over again. Frustrating!

The disdain for passwords leads to a lot of bad password practices, such as reusing passwords or keeping them basic. But the steps that make a password easier to remember also make it easier for hackers to guess.

The password is often the last line of defence between criminals and your work and personal data. So, with your password safety in mind, we have broken down the ways passwords get hacked and how to avoid it.

Ways you can get hacked

Before we delve into how to avoid your password getting hacked, let’s first learn about the different techniques cybercriminals use to steal your passwords and break into your accounts.

Social Engineering

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

What makes social engineering especially dangerous is that it relies on human error rather than on vulnerabilities in software and operating systems: the classic example is a phishing email that leads to a look-alike login page, where the victim types in their password themselves. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.

Dictionary attacks

A dictionary attack feeds a list of likely passwords into an automated tool that tries each one in turn: common words, slang, names, keyboard sequences such as qwerty, asdfg or 12345, and simple variations of them (capitalised, reversed, with digits or symbols added). Against a login form the tool is slowed down by rate limiting and account lockouts, but against a stolen database of password hashes a cracker such as John the Ripper tests millions of candidates per second, and it applies those "clever" variations itself. So avoid repeated keyboard combinations, dictionary words, slang terms and words spelt backwards: they are all in the list, and cracking them is almost effortless.


Brute force attack

Where a dictionary attack only tries entries from a list, a brute force attack works through every possible combination of letters, numbers and symbols up to a chosen length, so it eventually finds a password that appears in no list at all. Its cost grows exponentially with length: every extra character multiplies the search space by the size of the character set, which is why a long password defeats brute force where a short but "complex" one does not.

Spidering

Savvy hackers have realised that many corporate passwords are made up of words linked to the business itself: product names, the office location, major customers. Studying corporate literature, website sales material and even the websites of competitors and listed customers provides the ammunition to build a custom word list for a dictionary attack on that organisation.

Hackers have automated the process and let a spidering application, like those search engines use to identify keywords, crawl the pages and collate the list for them.
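The three techniques above (a word list spidered from company text, a dictionary attack with the usual mangling rules, and exhaustive brute force) run end to end in the added example below. It is not code from the article; it assumes the attacker already holds a stolen table of unsalted SHA-256 password hashes, and the "corporate literature", the hashes, the mangling rules and the cracking rate are all constructed for the demo.

```python
"""Attacker-side demo: spidered word list + dictionary attack with mangling rules + brute force.

Added example, not code from the article. Assumptions: the attacker holds a stolen table of
unsalted SHA-256 hashes (constructed below), and the scraped marketing copy is fictional.
"""
import hashlib
import itertools
import re
import string

# Constructed stand-in for marketing copy scraped from a fictional company's website.
CORPORATE_TEXT = """
Acme Widgets builds the Falcon range of industrial widgets in Sheffield.
Our flagship product, Falcon Pro, ships to customers such as Globex and Initech.
"""


def spider_wordlist(text, min_len=4):
    """Pull distinct words of min_len+ letters out of scraped text, in first-seen order."""
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z]{%d,}" % min_len, text):
        low = word.lower()
        if low not in seen:
            seen.add(low)
            words.append(low)
    return words


# A few of the substitutions every cracking rule set tries automatically (constructed subset).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ("", "1", "123", "!", "2020", "1!")


def mangle(word):
    """Yield the 'clever' variations people make of a base word (a tiny subset of John/Hashcat rules)."""
    bases = (word, word.capitalize(), word.upper(), word.translate(LEET),
             word.capitalize().translate(LEET))
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hashes, wordlist):
    """Hash every mangled candidate and look it up in the stolen hash set. Returns {hash: plaintext}."""
    targets, cracked = set(target_hashes), {}
    for base in wordlist:
        for cand in mangle(base):
            digest = sha256_hex(cand)
            if digest in targets and digest not in cracked:
                cracked[digest] = cand
                if len(cracked) == len(targets):
                    return cracked
    return cracked


def brute_force(target_hash, alphabet=string.ascii_lowercase + string.digits, max_len=4):
    """Try every string over `alphabet` up to max_len. Returns (plaintext or None, attempts made)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            cand = "".join(combo)
            if sha256_hex(cand) == target_hash:
                return cand, attempts
    return None, attempts


def keyspace(alphabet_size, length):
    """Candidates a brute force must cover for one fixed length: exponential in the length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, hashes_per_second):
    """Worst-case time for an exhaustive search at an assumed cracking rate (not a measurement)."""
    return keyspace(alphabet_size, length) / hashes_per_second


if __name__ == "__main__":
    # Constructed 'breach dump': three company-themed passwords and one unrelated one.
    leaked = [sha256_hex(p) for p in ("Falcon123", "f4lc0n!", "sheffield2020", "Tr0ub4dor&3")]
    wordlist = spider_wordlist(CORPORATE_TEXT)
    found = dictionary_attack(leaked, wordlist)
    print(f"{len(found)} of {len(leaked)} hashes cracked from a {len(wordlist)}-word spidered list:")
    for digest, plain in found.items():
        print(f"  {digest[:16]}...  {plain}")

    plain, tries = brute_force(sha256_hex("ab12"))
    print(f"brute force recovered {plain!r} after {tries} attempts")
    for length in (4, 8, 12):
        print(f"{length} chars over 36 symbols: {keyspace(36, length):.3g} candidates, "
              f"{seconds_to_exhaust(36, length, 1e10) / 86400:.3g} days at 10^10 hashes/s")
```

The company-themed passwords fall to a word list of a dozen scraped words plus a handful of rules, while the unrelated one survives; the brute force table shows why length, not substitution, is what raises the cost. Real dumps are attacked with John the Ripper or Hashcat rather than a Python loop, and a site that stores salted, slow hashes (bcrypt, scrypt, Argon2) cuts the attacker's rate by orders of magnitude, but neither changes the lesson for the person choosing the password.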

Cracking security questions

Many people use first names as passwords, usually the name of a loved one or a pet, all of which can be deduced with a little research. Clicking the "forgot password" link within a webmail service or other site sometimes asks you to answer a security question or two, such as a mother's maiden name or a first pet. More often than not, the answers can be found on your social media profile.

Simple passwords

Don't use personal information such as your name, age, birth date, a loved one's or pet's name, or your favourite anything. When 32 million passwords were exposed in the 2009 RockYou breach, almost 1% of users had chosen "123456". The next most popular was "12345", and other common choices were "111111", "princess", "qwerty" and "abc123". Lists like these are the first thing a dictionary attack tries.

Reuse of passwords

Reusing the same password for email, banking and social media means that one breach exposes all of them: attackers take the username and password pairs leaked from one site and automatically replay them against hundreds of others (credential stuffing), and a compromised email account can then be used to reset the passwords on everything else, which is how identity theft starts.

Password protection only works if you are sensible when creating and using your passwords. The easiest way to make yourself a target for criminals or opportunists is an obvious password such as Password1 or 123456. These are so common that they are next to useless as a barrier. So here are some tips for checking that your password protection is effective.

How you can avoid getting hacked

Practice good password hygiene

Although it is annoying and hard to keep track of, always use a different password for each account, so that one breach cannot be replayed against the others. To keep track of them, use a password manager: it also generates long random passwords for you, and the only one you then need to remember is the master password that unlocks it, so make that one long.

If you don't want to use a password manager, check out our advice on how to create a strong password. The blog includes advice like:

  • Use a mixture of upper- and lower-case letters, numbers and symbols.
  • Pick two or more unrelated words to create your password, e.g. yellow turkey. So we could make our password [y3lL0w?7urK3y!], which follows the two rules above as well as this one. Bear in mind that cracking tools apply these letter-for-number substitutions automatically, so the real strength comes from the length and the unpredictability of the words, not from the swaps: three or four random, unrelated words beat one cleverly spelt one.
  • Don't use your first name, or the names of others in your family, to create a password.
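The rules above, turned into something you can run: an added example (not code from the article or from the blog it links to) with a checker that rejects the patterns this post warns about, common passwords, keyboard walks, dictionary words even when reversed or leet-encoded, and personal details, alongside a random passphrase generator with an entropy estimate. The rule set, the tiny built-in word lists and the sample personal profile are constructed for the demo; a real deployment would load a full dictionary and a breached-password list.

```python
"""Defender-side helpers: a weak-pattern checker and a random passphrase generator.

Added example, not code from the article. Word lists, rules and the sample profile are
constructed for the demo and far smaller than anything used in production.
"""
import math
import secrets

COMMON_PASSWORDS = {"123456", "12345", "111111", "princess", "qwerty", "abc123",
                    "password", "password1", "iloveyou"}
KEYBOARD_WALKS = ("qwerty", "asdfg", "zxcvb", "12345", "67890")
# Stand-in for a real dictionary; includes the article's 'yellow turkey' example words.
DICTIONARY = {"yellow", "turkey", "falcon", "summer", "dragon", "monkey", "welcome"}
# Reverse the substitutions crackers apply automatically, so 'y3lL0w' is judged as 'yellow'.
UNLEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "7": "t",
                        "@": "a", "$": "s"})
DECORATION = "0123456789!?.,#$%^&*@"   # digits/symbols people bolt onto the ends of a word
MIN_LENGTH = 12


def check_password(password, personal=()):
    """Return the reasons a password is weak; an empty list means no rule fired.

    `personal` is an iterable of details an attacker could learn from social media
    (names, birth year, pet, town); each is matched case-insensitively, leet or not.
    """
    reasons = []
    low = password.lower()
    deleet = low.translate(UNLEET)
    core = low.strip(DECORATION).translate(UNLEET)   # the word once its decoration is removed
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if any(walk in low for walk in KEYBOARD_WALKS):
        reasons.append("contains a keyboard walk")
    for word in sorted(DICTIONARY):
        if word in core or word[::-1] in core:
            reasons.append(f"contains dictionary word '{word}' (plain, reversed or leet-encoded)")
    for item in personal:
        item = item.lower()
        if item and (item in low or item in deleet):
            reasons.append(f"contains personal detail '{item}'")
    return reasons


# Stand-in for a diceware-style list; the real EFF long list has 7,776 words.
WORDLIST = ["amber", "basil", "cobalt", "delta", "ember", "garnet", "harbor", "indigo",
            "juniper", "kestrel", "lumen", "marble", "nickel", "orchid", "pepper", "quartz",
            "raven", "saffron", "tundra", "umber", "velvet", "walnut", "yarrow", "zephyr"]


def generate_passphrase(n_words=5, sep="-", wordlist=WORDLIST):
    """Pick words uniformly with the CSPRNG; strength comes from the random choice, not a secret list."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size=len(WORDLIST)):
    """Bits an attacker who knows the list and the method still has to search."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    # Constructed profile of a fictional user, as an attacker might assemble it from social media.
    profile = ("Lily", "Sheffield", "1985", "Rover")
    for pw in ("123456", "Password1", "y3lL0w?7urK3y!", "Rover1985!", generate_passphrase(5)):
        verdict = check_password(pw, profile) or ["no weak pattern found"]
        print(f"{pw!r:28} -> {'; '.join(verdict)}")
    print(f"5 words from a {len(WORDLIST)}-word list: {passphrase_entropy_bits(5):.1f} bits; "
          f"from the 7,776-word EFF list: {passphrase_entropy_bits(5, 7776):.1f} bits")
```

The checker deliberately judges the article's [y3lL0w?7urK3y!] example by its de-leeted core, which is how a cracking rule set sees it. A generated passphrase is made of dictionary words too; its strength is the entropy of the random selection (five words from the EFF list is about 64 bits), so a production checker should measure that rather than reject long random passphrases for containing words.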

Check out our guide on password safety, "12 Good Password Habits to Make".

Lock your screen

Always lock or log off devices if you are walking away from them – even if no one’s around, it’s good to build up a routine.

Avoid public WiFi and computers

Where possible, avoid using public WiFi (such as in a coffee shop): on an unsecured or attacker-controlled network, traffic that is not encrypted can be read and redirected, and a fake hotspot can present a look-alike login page to capture your password. If you must use one, only sign in to sites over HTTPS, and prefer a VPN.

You should also avoid logging into accounts on computers you don’t directly control, like library computers – they could be infected with password-stealing malware.

Keep passwords a secret

Never tell anyone your password, whether they’re your friend or trusted colleague – keep them to yourself, it’s better to be safe than sorry.

Never write your passwords down on a sticky note, on your computer, in your notebook or anywhere – you never know who could go snooping.

And never send your password by email or text!

Social media

It's all too easy to share your birthday, wedding anniversary, your child's name, favourite sports team and so on on social media. A Facebook account with lax privacy settings makes it easy for hackers to learn about you, and those details are exactly what security questions and targeted password guesses rely on. So avoid putting personal details on social media and always make sure your accounts are as secure as they can be.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, previously said: "When you post your photos to Instagram, or you make posts to Facebook, or you tweet something about your location, people can take that stuff, put it into another context, and suddenly you have been doxed. What people can really give away about you is the stuff that you've already given away about yourself."

Use multi-factor authentication

As well as a password manager, multi-factor authentication (MFA) should be turned on for as many sites and services as possible. It is one of the most effective ways to keep hackers out of your accounts, because a stolen or guessed password is no longer enough on its own. The most common form is two-factor authentication (2FA), where a second piece of information is required on top of your password to log in: most commonly a code sent by SMS, a code from an authenticator app, or a physical security key. Not all second factors are equal: SMS codes can be intercepted or redirected by a SIM swap against your phone number, app-generated codes can still be phished by a fake login page that relays them in real time, and a physical security key resists both, so use the strongest option a service offers. Public directories of which websites and apps support 2FA are available online.
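How the authenticator-app factor actually works, as an added example rather than code from the article: the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms every such app implements, plus the server-side check with a small clock-drift window. The shared secret is the RFC 6238 test key (the ASCII string "12345678901234567890"), given in the base32 form an enrolment QR code carries; the timestamps are the RFC's published test values and the "login" is simulated, not a real service.

```python
"""Authenticator-app second factor: RFC 4226 HOTP, RFC 6238 TOTP, and server-side verification.

Added example, not code from the article. Uses the RFC 6238 test secret; the login
exchange at the bottom is simulated with fixed timestamps.
"""
import base64
import hashlib
import hmac
import struct
import time

# Base32 form of the RFC test secret '12345678901234567890', as an app would scan it from a QR code.
ENROLMENT_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32_secret):
    """Authenticator apps exchange secrets as base32 (case-insensitive, padding often omitted)."""
    s = b32_secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password: HMAC(secret, counter) -> dynamic truncation -> mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based variant: the counter is the number of `step`-second intervals since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server-side check: accept the current interval and `window` neighbours to tolerate clock drift.

    A real server must also remember the last accepted counter so a code is never replayed.
    """
    at = time.time() if at is None else at
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    secret = decode_secret(ENROLMENT_SECRET_B32)
    for t in (59, 1111111109, 1234567890):            # RFC 6238 Appendix B timestamps
        print(f"T={t:<12} 8-digit TOTP {totp(secret, at=t, digits=8)}   6-digit {totp(secret, at=t)}")

    # Simulated login: the phone shows a code, the user types it, the server checks it.
    now = 1_699_999_980                                # start of a 30-second interval (constructed)
    user_code = totp(secret, at=now)
    print("accepted immediately:        ", verify_totp(secret, user_code, at=now))
    print("accepted 45 s later (drift): ", verify_totp(secret, user_code, at=now + 45))
    print("accepted 5 minutes later:    ", verify_totp(secret, user_code, at=now + 300))
```

The server never learns the user's password from this exchange and the code expires within a minute, which is what defeats a password that was guessed or leaked. It does not defeat a phishing page that relays the code to the real site within that window; only a security key, which signs a challenge bound to the site's origin, closes that gap.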

With all these tips and tricks, you should be fully equipped to create strong passwords for every one of your accounts! But if you find yourself wanting tighter security, please get in touch with one of our experts!
