Learn to recognize the methods used to steal passwords, and how to protect yourself.
Passwords remain the first and strongest means of protecting and securing your data. We use passwords almost everywhere, from our debit cards to our Gmail accounts.
But there are methods by which hackers can steal your passwords and break into your accounts.
This article covers a total of nine password-cracking methods, grouped by how the attack works. You will hear about techniques such as brute force, phishing, social engineering and other strange-sounding terms.
Let's explain each of them and give you instructions on how to defend against them.
Lists of common passwords
With the growth of the internet, the use of passwords by billions of people and the huge lists of stolen passwords that have leaked, fraudsters have realized that users like to use easy-to-remember passwords. A good example is 123456.
So they compiled various lists of the most frequently used passwords, and with these lists they try to gain access to your accounts by trying the entries one by one. These lists are really huge: they contain thousands of passwords.
Of course they don't do it by hand; it is automated with a computer that "knocks on" random accounts and tries to log in using every entry in a given list.
In these lists you will find passwords that you have certainly used at some point, such as 123456, qwerty, password, iloveyou, qwertyuiop, 123123, 111111, abc123, admin, 1q2w3e4r, 654321, qweasd and other "imaginative" ones.
Of course, if you want to avoid falling victim, don't use easy-to-remember passwords. What is easy for you to remember is easy for the hacker to guess.
Use a long password with letters, numbers and symbols, set a different password for each account, and combine this with a password manager app. A password manager lets you keep all your other passwords in one place.
Brute Force
A brute force attack is the process in which an attacker tries every possible combination of characters in an attempt to guess your password.
The passwords they try will satisfy the usual complexity rules, for example containing an uppercase letter, a lowercase letter, numbers and symbols.
A brute force attack will also try the most commonly used combinations of alphanumeric characters first. These include the passwords listed above, as well as every possible variation of them.
For example, if your name is Dimitris, they will start by trying dimitris, 1dimitris, d1imitris, di1mitris, dim1tris and so on.
It can take a long time to find your password with this method; how long depends entirely on the complexity of the password.
If you want to be safe from brute force attacks, put some symbols in random places in your password, such as $, &, {, ], * etc., and extend your password to 16 characters (at least!).
This way you multiply the number of combinations, and finding the password becomes extremely difficult.
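To make the advice above concrete, here is an added example (not code from the original article) that checks a candidate password against the common-password list given above and the article's complexity rules (all four character classes, at least 16 characters), and reports how large the brute-force search space becomes as the alphabet and length grow. The list of common passwords and the sample passwords are constructed for the example.

```python
import math
import string

# Constructed sample of the common-password list the article mentions.
COMMON_PASSWORDS = {
    "123456", "qwerty", "password", "iloveyou", "qwertyuiop", "123123",
    "111111", "abc123", "admin", "1q2w3e4r", "654321", "qweasd",
}
SYMBOLS = set(string.punctuation)  # 32 printable ASCII symbols


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-forcer must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_keyspace(password: str) -> int:
    """Number of candidates in an exhaustive search over this alphabet and length."""
    return charset_size(password) ** len(password)


def check_password(password: str) -> list:
    """Return the article's rules that the password breaks (empty list means OK)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password lists")
    if len(password) < 16:
        problems.append("shorter than 16 characters")
    for name, test in (("lowercase", str.islower), ("uppercase", str.isupper),
                       ("digit", str.isdigit)):
        if not any(test(c) for c in password):
            problems.append(f"no {name} character")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "dimitris", "Dim1tris$2024", "x7&Qm]2pL*9vR{4wN"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}; "
              f"brute-force keyspace ~10^{math.log10(brute_force_keyspace(pw)):.0f}")
```

Going from 8 lowercase letters (26^8, about 10^11 candidates) to 17 mixed characters (94^17, about 10^33) shows why the article's advice on length and symbols matters far more than any single trick.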
Mask Attack
What if the person trying to steal your password already knows part of it? They might know some of the letters, and that makes cracking the rest of the password easier.
That is exactly what a mask attack is. Since it still involves testing many password combinations, a mask attack is similar to a brute-force attack.
However, in a mask attack the thief already knows some valuable characters of your password, which makes finding the rest easier.
To protect yourself, always use a long, unique password with a wide variety of characters, and be sure to keep it hidden from prying eyes. Replace it with a new one from time to time.
Phishing
Phishing (from "fishing") is not exactly hacking, but falling victim to a phishing attempt usually ends badly.
The usual tactic is phishing emails, sent by the billions to internet users around the world, with the aim of getting a few of them to "bite" and hand their password to the attacker.
A phishing email will look like it comes from an important organization or business and will prompt you to take an action that gives away your password.
The stolen credentials are then either sold, used maliciously, or both. Keep in mind that the daily volume of spam sent worldwide remains high, accounting for over half of all email sent.
If you want to avoid becoming a victim of phishing, always be suspicious of email, set your spam filter to its highest level, or better yet, use a proactive whitelist.
Use a link checker to make sure an email link is legitimate before clicking.
Social Engineering
Social engineering is essentially phishing in the real world.
A key part of any security audit is assessing what the workforce understands. For example, a security company will call the business it is auditing, doing exactly what a malicious fraudster would do.
The "attacker" tells the person on the phone that they are from the new office support team and need the current password for something specific. An unsuspecting person might hand over the keys without a second thought.
The scary thing is how often this works. Social engineering has been around for centuries. Being duplicitous to gain entry to a secure area is a common method of attack, and one that can only be guarded against with training.
This is because the attack will not always ask for a password directly. It could be a fake plumber or electrician asking to enter a secure building because there is a leak, and so on. When someone says they were tricked into revealing their password, it's often the result of social engineering.
Skilled social engineering fraudsters can extract high-value information from a range of targets. It can be deployed against almost anyone, anywhere.
A successful social engineering attack will be complete before you realize anything is wrong. Education and security awareness are the key avoidance tactics. Avoid posting personal information that could later be used against you.
Rainbow Table
A rainbow table is usually used in an offline password attack. For example, an attacker has obtained a list of usernames and passwords, but the passwords are not stored in plaintext: they have been hashed, so they look completely different from the original passwords.
For example, your password is (hopefully not!) 123456. The MD5 hash of this password is "e10adc3949ba59abbe56e057f20f883e".
In that case the attacker first runs a huge list of plaintext passwords through the same hashing algorithm on their own infrastructure, and compares the results with your already hashed password.
So a rainbow table is a huge set of pre-computed hash values for specific algorithms and specific passwords. Using a rainbow table drastically reduces the time it takes to crack a hashed password, but it is not perfect.
Additionally, hackers can purchase pre-populated rainbow tables with millions of possible combinations.
If you want to stay safe, avoid any site that uses SHA1 or MD5 as its password hashing algorithm. Avoid any site that limits you to short passwords or restricts the characters you can use. Always use a complex password.
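The following added example (not code from the original article) reproduces the MD5 value quoted above and shows why a precomputed table works against unsalted MD5 but not against a per-user salted, slow hash. The wordlist standing in for the rainbow table is constructed; the salted scheme uses PBKDF2-HMAC-SHA256 from Python's standard library as the defender's alternative, which the article does not name.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for a rainbow table (plaintext -> MD5 hex).
WORDLIST = ["123456", "qwerty", "password", "iloveyou", "admin", "654321"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as a site from the article's warning would store it."""
    return hashlib.md5(password.encode()).hexdigest()


# Computed once, then reused against every leaked hash: the rainbow-table idea.
PRECOMPUTED = {md5_hex(pw): pw for pw in WORDLIST}


def lookup_unsalted(hash_hex: str) -> Optional[str]:
    """Recover a password from an unsalted MD5 hash by plain table lookup."""
    return PRECOMPUTED.get(hash_hex)


def hash_salted(password: str, salt: Optional[bytes] = None, rounds: int = 600_000) -> str:
    """Store as salt$hash. A fresh random salt per user defeats precomputation,
    and the round count makes every guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str, rounds: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = md5_hex("123456")  # e10adc3949ba59abbe56e057f20f883e, as in the article
    print("unsalted MD5 table lookup:", lookup_unsalted(leaked))
    a, b = hash_salted("123456"), hash_salted("123456")
    print("same password, two different salted hashes:", a != b)
    print("verification still works:", verify_salted("123456", a))
```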
Malware / Keylogger
Another surefire way to lose your login credentials is to fall for malware. Malware is everywhere, with the potential to cause massive damage. If the malware that enters your computer has a keylogger, you will quickly find that all your accounts have been compromised.
Alternatively, the malware could target specific personal data or inject a remote access Trojan to steal your credentials.
Another option for fraudsters is to sniff the network and steal any passwords that are sent in plaintext instead of encrypted (a man-in-the-middle attack).
The use of malware extends to stealing your password from your smartphone as well. If you download malware or a keylogger to your smartphone or tablet, it's the same problem as your desktop or laptop computer.
Your smartphone likely hosts countless apps, and you usually need a password for each one, and smartphone malware will happily steal your banking, social media, and other credentials.
The solution, of course, is not to get infected in the first place. Install anti-virus and anti-malware software and update it regularly. Consider download sources carefully. Do not run installers that bundle unwanted software. Stay away from dangerous or malicious websites. Use script-blocking tools to stop malicious scripts.
Spidering
When a hacker targets a specific institution or business, they may try a series of passwords related to the business itself. The hacker will read and gather relevant words and terms related to the company, or use a spider to do the work for them.
You may have heard this process called "web crawling"; it is a technique similar to the bots that index content on the internet for search engines. The custom wordlist is then used against user accounts in the hope of finding a match.
This combination, together with a user's carelessness, can potentially unlock accounts in an organization. If you want to stay safe, only use strong, unique passwords made up of random strings, with nothing related to you, your business, your organization and so on.
Snooping
Americans call it shoulder surfing. It means having someone next to you peek over your shoulder while you type your password.
It seems old-fashioned, but it happens. If you work in a busy downtown coffee shop and aren't paying attention to your surroundings, someone could get close enough to note your password as you type.
In the past, it was more common in internet cafes. Today they could very well watch and film you typing on your cell phone from the next table in the coffee shop or fast food joint.
So when you're in a public place, be aware of those around you when entering your password. Cover the keyboard while typing. If you do it at the ATM, why not at the coffee shop?
General instructions and countermeasures
To prevent a hacker from stealing your password you should keep the following in mind:
Unique password: Using a strong, unique password for each service is important. If one of your passwords is compromised, it only gives access to that one service.
Complexity: Make sure your passwords are complex, containing all kinds of characters: lowercase and uppercase letters, numbers and symbols. And make them at least 16 characters long.
Antivirus/antimalware: Make sure you're using a decent security tool that you keep up to date.
Software updates: Keeping your software and operating system up to date is essential. Outdated software leaves known security holes and vulnerabilities open, which can lead to unpleasant situations.
Attachments: Do not open attachments if you do not know the sender. Use an antivirus tool to scan any attachments before opening them, and if you can't verify or aren't sure, don't open them.
Manage passwords: Consider installing a password manager to keep track of your passwords. They can help protect your online accounts.
Attention to your surroundings: If you need to make a bank transaction while abroad, do it at an ATM and be careful not to let prying eyes see your PIN.