
You have probably wondered how your passwords end up in the hands of hackers. The hard truth is that no matter where your password is stored, even in a password manager, it can still end up in the hands of hackers, and most often it does. In many cases, hackers (cybercriminals) get your password not because of how or where you store it, but because of how and where you use it.

Hackers get your password not necessarily because of how or where you store it, but mostly due to how and where you use it.

In this post I will shed light on the techniques hackers use most often to compromise your password.

5 Major Ways Hackers Get Your Password

There are numerous ways a password could be compromised. Here are the most used techniques:

Phishing

Phishing is a type of cyberattack that tricks people into handing over their password to a cybercriminal. The cybercriminal then uses the obtained password to access the victim’s account. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), 43% of breaches involved phishing and/or pretexting. Email is the main attack vector for phishing: more than 96% of phishing attacks are delivered via email.

This is how phishing works:

  • The cybercriminal sends an email to a victim with a link to a fake website
  • The victim clicks on the link in the email
  • The fake website (disguised as the real website) asks the victim to enter their password
  • The entered password is sent to the cybercriminal 
  • The cybercriminal can then use the password to access the victim’s account.

Phishing works because most people cannot tell a fake website from the real one. Also, most people simply click on links in emails, even when they don’t know the sender.

The most effective way to safeguard yourself against phishing is to be cautious about links and about where you enter your credentials. If you don’t know the sender or are not expecting the message, don’t click on any links in the email. Also, when visiting a website, type the website address yourself. You can bookmark it for subsequent access. This way, you are sure of the website you are on. If a website looks suspicious, don’t enter any of your credentials; it may be a phishing site.

If a website looks suspicious, don’t enter any credentials.

Multi-factor authentication (MFA) makes it more difficult for a cybercriminal to access your online account, but not impossible. For example, MFA that uses a one-time password (OTP) as a second factor can still be phished: the cybercriminal captures the OTP and uses it immediately to access the account. This is called on-the-fly phishing. The surest phishing prevention is passwordless authentication. With passwordless authentication there is no manual entry of a password, because there is no password. As a result, there is nothing to phish.

Credential Stuffing

This is the type of attack where a cybercriminal uses passwords leaked from data breaches to attack other systems where users have used the same password. More than 65% of people reuse the same password for multiple or all accounts. Cybercriminals automate login attempts against systems using known email and password pairs. This means that if, for example, a password is reused on 10 systems and one of those systems is breached, the other 9 systems can be accessed with the password stolen from the breached system. This is why credential stuffing is so devastating.

The most effective way of preventing credential stuffing attacks is to ensure that you never reuse a password anywhere.

Password Spraying

This is where cybercriminals try commonly used passwords against many accounts at once. For example, a cybercriminal goes to the website “example.com” and tries the password “123456780” on one million accounts. There is a high likelihood that some of those accounts use “123456780”.

The only thing you can do to protect yourself against password spraying is to enable MFA if the service supports it. Even if your account password is discovered, the cybercriminal still needs another factor to access your account.

Brute-Forcing

This is where cybercriminals automate guessing large numbers of passwords until the correct one is discovered. All passwords can be brute-forced; it just takes time. Choosing a strong password doesn’t mean it cannot be brute-forced, it only makes it much harder. Considering the time and resources (the work factor) it takes to brute-force a strong password, cybercriminals won’t waste their resources brute-forcing one password. That is why a strong password is always advised.

All passwords can be brute-forced; it just takes time.
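The two patterns described above, one password against many accounts (spraying) and many passwords against one account (brute-forcing), look different in an authentication log. The following is an added defender-side example, not code from the original post: it groups failed logins by source address over a constructed sample log and labels each source. The log format, thresholds and addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the original post). Source
# addresses come from the RFC 5737 documentation ranges. 203.0.113.5 tries one
# guess against 40 different accounts (spray); 198.51.100.9 hammers a single
# account 25 times (brute force); 192.0.2.7 is a user who mistyped once.
SAMPLE_LOG = [
    f"2024-01-01T10:00:{i:02d} src=203.0.113.5 user=user{i:03d} result=FAIL"
    for i in range(40)
] + [
    f"2024-01-01T10:01:{i:02d} src=198.51.100.9 user=alice result=FAIL"
    for i in range(25)
] + [
    "2024-01-01T10:02:00 src=192.0.2.7 user=carol result=FAIL",
    "2024-01-01T10:02:05 src=192.0.2.7 user=carol result=OK",
]

# Assumed line layout: "<timestamp> src=<ip> user=<account> result=<FAIL|OK>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_sources(lines, spray_accounts=20, spray_per_account=3, brute_attempts=10):
    """Label each source address by the shape of its failed logins.

    'brute'  : at least brute_attempts failures against one account from one source
    'spray'  : failures spread over at least spray_accounts distinct accounts, with no
               single account hit more than spray_per_account times
    'normal' : anything else (e.g. an ordinary typo)
    The thresholds are illustrative; tune them to the service's normal traffic.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> account -> failure count
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "FAIL":
            fails[rec["src"]][rec["user"]] += 1
    verdicts = {}
    for src, per_user in fails.items():
        worst = max(per_user.values())  # most failures on any one account
        if worst >= brute_attempts:
            verdicts[src] = "brute"
        elif len(per_user) >= spray_accounts and worst <= spray_per_account:
            verdicts[src] = "spray"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

A real spray is often spread across many source addresses to stay under per-source thresholds, so this per-source view should be paired with a count of distinct accounts failing across all sources in the same window.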

Malware

Cybercriminals install malware on people’s computing devices to harvest passwords. Passwords can be harvested from where they are stored on the device, or captured as the victim types them in (keylogging).

The best way to prevent this type of attack is to make sure that you have up-to-date anti-malware on all your devices.

There are many other techniques, but these five are the most prevalent means by which hackers get your password.

Top 5 Prevention Tips

The following tips will help you safeguard your accounts.

  1. Ensure all your devices have up-to-date anti-malware
  2. Never click on suspicious links or enter sensitive information
  3. Never re-use a password. Use strong random passwords.
  4. Enable MFA on all your accounts
  5. Go Passwordless

See Simple Steps to Stay Secure Online on how to better protect yourself.
