Password Protection
Cyber-attacks happen all the time, and we see it either on the news or in fiction. Some of us are very careful, and some think that will never happen to us, but we are all susceptible to cyber threats, and we all should take some precautions.
To steal passwords, cybercriminals, or hackers, use combined techniques and powerful tools, which are sometimes available online for free. Some of those techniques are:
1 - Traffic Interception and Man in the Middle Attacks
As passwords are transmitted over a network, cybercriminals can use software to monitor network traffic and capture passwords or other sensitive information, even when protected by weak encryption level. To be able to track or intercept traffic, attackers need to be inserted between the source and the destination through an attack such as man in the middle (MITM). After a successful MITM attack, the attacker can then use software to monitor the network traffic and capture units of data that carry passwords or other sensitive information.
MITM attacks are generally facilitated by another attack that lures the user to introduce their credentials on a fake website or app. The program monitors the information and actively inserts itself in the interaction to capture sensitive information.
2- Brute Force
These attacks use tools to automate guessing passwords, initially starting with weaker combinations to more random character sets, including variations on upper and lowercase until it hits the correct password.
3- Dictionary attack
It is a type of brute force attack. Cybercriminals often use a list of common words, the dictionary, combined with numbers to try access to employee accounts, and usernames, which are often based on the names of the employees. The knowledge of most common passwords, user profiles, employment lists, or any other data hackers could have access, such as usernames, birthdays, and family members, are used to feed the dictionary.
4- Manual Guessing
Some personal information, such as a dog’s name, and birthdays, are easy to guess as common passwords.
5- Searching
Information saved in devices can be searched and stolen. Hackers can get access to the data saved in plain text format through different ways, for example, accessing your screen remotely or using your computer while you are away.
6- Offline Detection - Looking Outside the Box
Stealing password
It is not only the information insecurely saved on devices that can be stolen but also the passwords written in notebooks or post-its. Cybercriminals can eavesdrop as users share the passwords with a trusted person and get information from waste such as computer package and office trash bins.
Shoulder surfing
Another common practice is to observe while someone is typing their password.
7- Social engineering
Cybercriminals use social engineering techniques to trick people into revealing sensitive information. It can be a phone call, phishing emails, and others.
Phishing - is a technique using emails, texts, and others, to trick users into providing sensitive information, by clicking on a link that installs malicious software, or leads to a fake website.
Spear phishing - is a better-tailored version of phishing, using targets’ information.
Baiting - is an attempting to infect employees’ devices by leaving infected USBs or other devices where employees have access, hoping they will use them.
Quid quo pro - is a technique which cyber criminals pretend to be a professional such as a help desk employee, to get sensitive information from the user during their interaction.
8- Keylogging
Cybercriminals can use malware to infect users’ devices with a malicious code that will intercept passwords as they are typed. This technique can target a whole department or even organization, sending sensitive information, keyboard and mouse tracks, and screenshots to hackers’ servers. That allows cybercriminals to know where and what information was entered.
Some ways to protect your cyber identity and passwords are:
Use strong passwords with at least seven characters, a mix of upper and lowercase, letters, numbers, and symbols. Avoid easy to guess passwords, and site-specific words, such as the name of the site or app you are logging into. Check the passwords against the dictionary and create a blacklist of passwords. Remember, even strong passwords have limitations. And only use them where they are critical.
Use technical defense solutions also for places where simple passwords can be used. Account lockout, throttling, and monitoring failed login attempts help prevent brute force attacks. Companies should use single sign-on (SSO) to allow people to log in to apps or sites with one credential being necessary to memorize only one strong password and eliminating the use of many passwords. Multi-factor authentication (MFA) is another option, making it more difficult for cybercriminals to steal credentials, as it requires an extra piece of information to log in.
Password generators and managers should come from well-known companies and should be downloaded from official websites. They allow users to store passwords securely. Passwords should not be stored in plain text format, and encryption should be used to secure transactions and storage.
Passwords should be different for each account and never the same for work and personal accounts, and they should also be changed regularly. Default passwords should as well be updated before using the device or software.
There are many techniques for cybercriminals to steal a password, and one of the best practices to prevent it is to give your team the necessary knowledge. It is critical to train users and incentivize them to report suspicious activity, prioritizing administrator, and remote user accounts.
Post inspired on UK National Cyber Security Center’s infographic.
Password Security - National Cyber Cyber Security Center UK
Follow us on Linkedin, Twitter, or Facebook to get our updates.
This article was written by Juliane Verissímo - Marketing Department of VisionSpace