Tech Insight: How the Bad Guys Get Your Password

Passwords are essential to your cyber security. You know it, but if you’re like much of the digital society, you probably have dozens of passwords to remember. It’s a lot to keep in order, so many of us take shortcuts. Taking advantage of that laissez-faire attitude is one way the bad guys get your passwords.

Incredibly, there are still people who use ‘password’ or ‘123456’ as their password. Many people also never change the default passwords on the devices they purchase. In these cases, anyone can pick up a router, read the default password off the sticker, and access that network.

TIP: Avoid obvious passwords. When you need to create a new password, make an effort to make it complex, and take the same care when it’s time to update one. Stay away from simple, easily guessed passwords and from patterns in your passwords.

Cybercriminals can also guess your password. With a relatively small amount of research into your online life, they can make some uncannily informed guesses. Common passwords often include pet names, birthdays, and anniversaries, all of which are easy to find via your social media accounts.

TIP: Be careful about what you share on social media. I’m not going to go into my personal opinions on the sharing habits that take place on different social media platforms (that is for another article), but be wary. Don’t automatically befriend strangers, as you are handing them a gold mine of info for personalizing an attack on you.

If social engineering your password doesn’t work, cybercriminals may attempt to brute force your credentials. They might write a script to automatically attempt thousands of password choices against your account(s) until they get a hit. This software will typically attempt a long list of common passwords, as well as run through variations of such passwords.

TIP: Use a complex password with letters, numbers, and symbols, or a passphrase. A passphrase is typically at least 19 characters long, but it is more memorable and (hopefully) unique to you.
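As an added illustration (not part of the original article), here is the kind of check a sign-up or password-change form can run to enforce the two tips above: reject the well-known passwords and their common variations (trailing digits, "leet" substitutions, keyboard runs) that brute-force wordlists try first, and accept a long passphrase. The blocklist, the leet table and the 12-character minimum are constructed assumptions for the example; the 19-character passphrase length is the article's own figure.

```python
import re

# Constructed sample blocklist. A real deployment would use a large list of
# leaked/common passwords (hundreds of thousands of entries), not seven words.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}

# Substitutions that attacker wordlists routinely apply; we undo them so
# "P@ssw0rd123!" is compared to the blocklist as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t", "!": "i"})

MIN_PASSWORD_LEN = 12     # assumed policy value for a "complex" password
MIN_PASSPHRASE_LEN = 19   # the article's "at least 19 characters"


def candidates(password: str) -> set[str]:
    """Forms of the password to look up in the blocklist: lower-cased,
    with leading/trailing digits and symbols stripped, with leet undone."""
    p = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return {p, p.translate(LEET), stripped, stripped.translate(LEET)}


def is_sequential(password: str) -> bool:
    """True for runs such as 123456, abcdef, 654321 or aaaaaaa."""
    s = password.lower()
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1}, {0})  # strictly ascending, descending or repeated


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason)."""
    if candidates(password) & COMMON_PASSWORDS:
        return False, "on common-password list (after undoing substitutions)"
    if is_sequential(password):
        return False, "sequential or repeated characters"
    if len(password) >= MIN_PASSPHRASE_LEN:
        return True, "passphrase length"
    if len(password) < MIN_PASSWORD_LEN:
        return False, f"shorter than {MIN_PASSWORD_LEN} characters"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return False, "needs at least three of: lower, upper, digit, symbol"
    return True, "complex password"


if __name__ == "__main__":
    for pw in ["P@ssw0rd123!", "123456", "Tr0ub4dor&3",
               "correct horse battery staple", "Tr0ub4dor&3xZ"]:
        print(f"{pw!r}: {check_password(pw)}")
```

The blocklist comparison is deliberately done on normalized forms: a policy that only counts character classes happily accepts "P@ssw0rd123!", which every guessing tool tries within its first few thousand attempts.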

Alternatively, the attacker may be working with information they purchased from a data breach. The Dark Web is a very real place. In 2019, a security researcher found more than 2.7 billion email + password combinations available on the Dark Web. Criminals accessing that database could use the data as a starting point, as there is a significant percentage of users who use a single password across multiple accounts.
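Both attacks just described leave a recognisable trace in login logs, and that trace is how a service protects accounts whose owners did pick a weak or reused password. Brute forcing (the scripted attack two paragraphs up) shows up as many failures against one account; replaying a breach list shows up as one source trying many different accounts, a few times each. The detector below is an added example, not code from the article or any product; its log format, thresholds and sample lines are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp>Z user=<name> src=<ip> result=fail|success"
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(fail|success)$")
WINDOW = timedelta(minutes=5)
BRUTE_FORCE_FAILS = 8    # assumed: failures on ONE account within WINDOW
STUFFING_ACCOUNTS = 5    # assumed: distinct accounts failing from ONE source within WINDOW


def parse(log_text: str):
    """Parse lines into (timestamp, user, src, result), oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def max_in_window(times):
    """Largest number of events that fall inside any WINDOW-long span."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_in_window(items):
    """Largest number of distinct users seen inside any WINDOW-long span.
    items are (timestamp, user) pairs."""
    items, best, start = sorted(items), 0, 0
    counts = defaultdict(int)
    for end, (t, user) in enumerate(items):
        counts[user] += 1
        while t - items[start][0] > WINDOW:
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect(log_text: str):
    """Return alerts as (kind, subject) tuples."""
    fails_by_user = defaultdict(list)
    users_by_src = defaultdict(list)
    for ts, user, src, result in parse(log_text):
        if result == "fail":
            fails_by_user[user].append(ts)
            users_by_src[src].append((ts, user))
    alerts = []
    for user, times in fails_by_user.items():
        if max_in_window(times) >= BRUTE_FORCE_FAILS:
            alerts.append(("brute_force", user))
    for src, items in users_by_src.items():
        if max_distinct_in_window(items) >= STUFFING_ACCOUNTS:
            alerts.append(("credential_stuffing", src))
    return alerts


def _sample_log() -> str:
    """Constructed sample: one brute-force burst, one stuffing run, one benign user."""
    lines = [f"2024-05-01T10:00:{i * 3:02d}Z user=alice src=203.0.113.7 result=fail"
             for i in range(10)]
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        lines.append(f"2024-05-01T10:05:{i:02d}Z user={user} src=198.51.100.9 result=fail")
    lines += ["2024-05-01T10:30:00Z user=heidi src=192.0.2.5 result=fail",
              "2024-05-01T10:30:20Z user=heidi src=192.0.2.5 result=fail",
              "2024-05-01T10:30:40Z user=heidi src=192.0.2.5 result=success"]
    return "\n".join(lines)


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {subject}")
```

The two patterns need two different keys: per account for brute force, per source for stuffing. A single "failures per IP" counter misses the stuffing case when the attacker spreads a breach list across many sources, and misses the brute-force case when it is spread across many IPs, so production detectors usually also keep a per-account counter that ignores the source entirely, as this one does.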

TIP: Use a unique password for each account or site. Yes, this can be overwhelming and at times an inconvenience, but that is why I recommend you leverage a password vault. It is a piece of software specifically designed to help you securely manage your credentials (see recommendations below).

Cybercriminals can also access your account if you’ve used a hacked public computer. They may have installed a key logger on the computer, which records every key pressed on the keyboard. Or they may have compromised a router or server so they can intercept your information (which is why you should use a VPN when accessing a public network).

TIP: I feel this one is obvious, but I’m going to say it anyway. Be cautious about your online activity when using computers or networks that you (or someone you trust) don’t control. Using a VPN client on your laptop and phone is a good practice to secure your communications if you need to use an untrusted network.

Then there’s the tried-and-tested phishing attack. When successful, it gets you to hand your password to the attacker yourself. For instance, you get an email that appears to have been sent by your bank. It plays on fear to get you to visit the link provided and enter your credentials. These are amazingly successful when you look at the percentages, and given how many are sent out, it is easy to see why they continue to compromise people.

TIP: Always pay close attention to who is sending the message you are reading, and hover over the link provided before clicking on it. If you are concerned about the authenticity of the message, visit the site directly through your web browser. Just like when your credit card company calls you, you shouldn’t be providing them with information. Tell them you’ll call them back at the number on the card.
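"Hover over the link" works because the visible text of a link and its real destination are two different things. The following added example (mine, not the article's) automates that hover for an HTML message: it pulls every link out of the mail, compares the real destination host with the claimed sender's domain and with any domain shown in the link text, and flags plain-http links. The sample email, the sender domain and the crude two-label domain comparison are constructed assumptions for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'registered domain': last two labels. A real implementation
    should use the public-suffix list (e.g. for co.uk-style suffixes)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_links(html: str, sender_domain: str):
    """Return [(href, [reasons])] for links that do not go where they claim."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if not host:
            continue  # mailto:, relative links: nothing to compare against
        reasons = []
        if registrable(host) != registrable(sender_domain):
            reasons.append(f"destination {host} is not under sender domain {sender_domain}")
        # If the link TEXT looks like a URL or domain, it must match the real host.
        m = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if m and registrable(m.group(1)) != registrable(host):
            reasons.append(f"link text shows {m.group(1).lower()} but goes to {host}")
        if parsed.scheme == "http":
            reasons.append("plain http, not https")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: one deceptive link, one genuine link, one mailto.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify now:</p>
<a href="http://examplebank.com.login-verify.example/secure">https://www.examplebank.com/login</a>
<p>Or visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
<a href="mailto:support@examplebank.com">Contact support</a>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(href)
        for r in reasons:
            print("  -", r)
```

The first link in the sample is the classic trick: the text reads like the bank's address and the destination even begins with the bank's name, but the host that actually answers is the last two labels, login-verify.example. Looking only at the start of a URL is exactly the mistake hovering is meant to catch.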

I hope these tips will be useful to some, and that they help you protect your valuable passwords. A Password Vault (aka Password Manager) can also help you with your password security, and I recommend you have a look at some of the ones below.

  • 1Password
  • Bitwarden
  • Dashlane
  • KeePassXC
  • Keeper
  • LastPass
  • RoboForm

If you need support to get ahead of cybercriminals, or want to chat about your password management practices, let me know. Feel free to reach out to me.
