How to Protect Passwords from Hackers: 13 Best Cybersecurity Practices
03/12/2018
With the rise of cyber fraud, users face the problem of protecting their personal information. The methods hackers use keep improving, which pushes technology vendors like Symantec and Avast to create new cybersecurity countermeasures. Ordinary computer owners, however, may not know how to protect their passwords effectively.
According to a Verizon report, weak or stolen passwords were the main cause of 81% of all data breaches in 2017. This dramatic statistic shows how poor cybersecurity education among Internet users is. So CyberPulse has prepared the common ways to protect passwords. To keep your accounts safe, you should first know the methods hackers typically use to compromise sensitive data.
How hackers can steal your password
To compromise your personal data, scammers may use either automated or manual methods. Some attacks rely on victims handing their credentials to the attacker themselves. In other cases, you may not even notice that your login details have been compromised.
The most common ways scammers can access your accounts are:
- Keylogger attacks
- Brute force
- Dictionary attacks
- Rainbow attacks
- Credentials theft via public Wi-Fi
- Cookies theft
- SMS fraud
To protect your confidential information from disclosure, you should know how each type of attack works.
Keylogger attacks
A keylogger is a digital tool that tracks and records your keystrokes. Once your computer is infected, it sends the attacker everything you type on your keyboard. Therefore, your login details and credit card information, such as the PIN, primary account number (PAN), CVV2, or expiry date, can be compromised.
Brute force attacks
Brute force attacks use automated password guessing. They exploit simple, common, and weak passwords like “qwerty” or “123456”. Hacking tools work through lists of commonly used passwords and try these credentials one by one until one of them opens the account. In 2013, The Verge reported a massive brute force attack that affected tens of millions of WordPress-based websites across the globe. The attack targeted sites that still used the default “admin” username.
These attacks can target accounts in any online service, including email, social networks, Internet banking, and content management systems.
As of 2017, the 20 most common passwords are:
It’s worth mentioning that popular online platforms like Gmail, Facebook, and WordPress now have countermeasures against password guessing. After 3-5 incorrect password attempts, these systems lock the account to keep it from being hacked.
Social engineering
Social engineering does not require scammers to be skilled hackers. It uses psychological manipulation techniques that make victims disclose their credentials, including various phishing tricks that let attackers obtain your sensitive personal data.
In 2018, a British teenager managed to gain access to intelligence operations in Iran and Afghanistan using social engineering. During conversations with call handlers, he pretended to be the head of the Central Intelligence Agency (CIA) to access the computers of specific CIA agents. He then manipulated CIA help desk staff by pretending to be the CIA Deputy Director to gain access to the agency’s database. The 15-year-old obtained their personal information, took control of their iPads and TV screens, and uploaded pornography to their computers.
Social engineering is also a term used in reputation management. Within search engine reputation management (SERM), social engineering means removing negative feedback about a certain person or company from the Internet using manual or automated techniques. In this way, businesses strive to build a positive image and attract new clients.
Phishing
Using phishing techniques, a scammer tries to make victims share their sensitive data through psychological manipulation via email, websites, SMS, or notifications. A typical email-based phishing attack involves sending a fake email styled to look like a real message from a service provider the victim uses. Such emails usually contain a fake cover story. For example, you may receive a “Gmail” email saying your email address has been added to a blacklist and that, to keep all your future email out of the spam folder, you should confirm your credentials. Clicking the attached link redirects you to a malicious website that records the login details you enter on it. This is how scammers get your sensitive data.
Unlike typical phishing, spear-phishing targets specific people or a specific company. This is exactly the technique the above-mentioned British teenager applied. Scammers may use spear-phishing to gain access to a specific company’s confidential information in order to gain an unfair competitive advantage.
Phishing attacks can also be divided by channel. Scammers can conduct these attacks via SMS, phone, or interactive voice response (IVR). Once, I faced a phone phishing attack when a scammer called me and pretended to be a customer support representative from my bank. My bank has a service that allows clients to withdraw cash from ATMs without a debit card. To confirm the operation, you need to enter a one-time password (OTP) sent by the bank via SMS to your mobile phone.
This is exactly what the attacker tried to do using my phone number. He simply selected one of my credit cards on the ATM display, called me, and asked me to dictate the OTP sent to my mobile device. Otherwise, “the bank” could block my account. Fortunately, I am aware of such phishing attacks, and now you are too.
Dictionary attacks
Dictionary attacks exploit simple passwords consisting of commonly used words. Malicious tools connect to the server with a list of such words, like password, admin, and master, and try them one by one until the scammer gains access to your account. Combining several of these words is unlikely to secure your data either.
Rainbow attacks
Rainbow attacks rely on tables of pre-computed hashes, the hashed form in which many modern systems store passwords. These tables include hashes for all possible password combinations for a given hashing algorithm. Looking a hash up in a rainbow table takes less time than hashing each candidate password in a list and comparing the results.
However, rainbow tables are huge and require a lot of computing capacity to search. The attack is worthless when the system added random characters (a salt) to the password before applying the hashing algorithm, because the pre-computed hashes no longer match. Rainbow tables mostly target passwords shorter than 12 characters, since longer passwords make the tables too large to maintain.
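The point above, shown in code: a table of pre-computed hashes recovers an unsalted password with one lookup, while a per-account random salt makes the same table useless. This is an added example, not code from the article; the password list is a constructed sample, and a plain lookup dictionary stands in for the chained rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample: a few weak candidate passwords, standing in for the much
# larger lists that pre-computed hash tables are built from.
COMMON_PASSWORDS = ["123456", "qwerty", "password", "admin", "master"]


def build_lookup_table(candidates):
    """Pre-compute the unsalted SHA-256 hash of every candidate once.

    A real rainbow table compresses this with hash chains, but the effect on
    an unsalted password store is the same: one dictionary lookup per hash.
    """
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def store_unsalted(password):
    """The weak scheme: the stored hash depends only on the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """The corrected scheme: random salt plus a slow, iterated hash (PBKDF2).

    The salt is stored next to the hash and need not be secret; because it
    differs per account, no table computed in advance can be reused.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = store_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def lookup(table, stored_hash):
    """Return the password behind a stored hash if the table knows it, else None."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", lookup(table, store_unsalted("qwerty")))          # qwerty
    salted = store_salted("qwerty")
    print("salted:", lookup(table, salted.split("$", 1)[1]))             # None
    print("salted login still verifies:", verify_salted("qwerty", salted))  # True
```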
Malware and trojans
To compromise sensitive data, hackers may use malicious software (malware) or trojans such as Carberp and SpyEye. These hacking tools gain access to personal computers, collect credentials like usernames and passwords, regularly take screenshots, and can even hide all traces of their presence. Trojans can be embedded in other software: once you double-click the shortcut of the infected tool or file, the malicious code runs automatically. Once deployed, the malware can start stealing your cookies, installing keyloggers or other trojans, and so on. Such malware can also inject its code into other programs, which makes it difficult to remove.
Password theft via Wi-Fi
Have you ever used free Wi-Fi in public places to access your bank account, email, or social networks? Well, you shouldn’t have done it.
How attacks via public Wi-Fi happen:
- An attacker sets up his own password-protected Wi-Fi access point and shares the Internet from his laptop, which has sniffing software installed.
- When you access one of your accounts using a web browser, the browser offers to remember your credentials so that you won’t need to enter your login details the next time you visit the online service.
- Once you click “Agree”, the web server creates a cookie file with your username and password and sends it to the browser.
- The sniffer intercepts the cookies sent by user devices.
- Once the hacker has collected enough packet data, he starts decoding and analyzing it.
These data packets contain sensitive information like usernames and passwords for any account you use via the public Wi-Fi access point.
Hacking via SMS
SMS-based attacks target the account itself rather than the login details:
- Hackers initiate the account recovery procedure, which requires the victim to confirm that the new credentials the attackers have entered are correct.
- To make sure the person initiating account recovery and the account holder are the same, services like Facebook or Gmail send an OTP to the phone number associated with the account.
- The hackers send another SMS to the user with a “cover story” about suspicious activity detected in his account. To protect the account, the user “has” to reply to this SMS with the OTP he has just received.
- Thus, the attackers obtain the OTP and can then change the original credentials.
- As a result, the user can no longer access his account, since the username and password he enters are now incorrect.
How to protect your passwords
With this knowledge of how cybercriminals can hack your passwords, you will better understand the personal data protection measures that follow. You are probably already aware of some of them, but now you know why they are so important.
Practice #1: Use complicated passwords
Weak passwords can be easily guessed with either manual or automated techniques. To protect your credentials from brute force attacks, use complicated passwords containing digits, letters, and special symbols like @ or %.
Practice #2: Avoid using your personal information
One of the best things you can do to help an attacker guess your password is to use your personal information as the password. Your birthdate, address, phone number, or the name of your girlfriend/boyfriend is probably the worst password you can create. In that case, the attacker doesn’t even need software to compromise your accounts.
Practice #3: Avoid using words
Passwords containing real words are vulnerable to dictionary attacks, so avoid using them in your password. Instead, use a mix of uppercase and lowercase letters. This increases the complexity of your password and makes your sensitive data more secure.
Practice #4: Use long passwords
The complexity of a password can be measured by its entropy. This term refers to the binary logarithm of the total number of guesses needed to try every possible password. For example, an 8-character password containing only the digits 0-9 and lowercase letters has an entropy of 16 bits. It means that hackers need to make 2^16 = 65,536 attempts to guess the password.
However, attackers use special tools with algorithms that “forecast” how people create passwords, which significantly reduces the number of attempts needed. Still, the longer the password, the higher its entropy and the harder it is to compromise. Use complicated passwords of at least 12 characters to protect your accounts from rainbow attacks.
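Applying the definition above (entropy = log2 of the number of guesses an exhaustive search needs) to different lengths and character sets, as an added example that is not part of the article. It goes beyond the single case in the text by deriving the alphabet size from the character classes a password actually uses; the guess rate in seconds_to_exhaust is a constructed assumption, and the model counts only exhaustive search, so it overstates the strength of any password an attacker can predict, as the previous paragraph warns.

```python
import math
import string

# Character classes a guessing tool has to cover; the alphabet size is the sum
# of the classes that actually occur in the password.
CHARACTER_CLASSES = {
    "digits": string.digits,               # 10 symbols
    "lowercase": string.ascii_lowercase,   # 26 symbols
    "uppercase": string.ascii_uppercase,   # 26 symbols
    "symbols": string.punctuation,         # 32 symbols
}


def alphabet_size(password):
    """Size of the smallest union of classes that contains every character."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def entropy_bits(length, alphabet):
    """Entropy as defined in the text: log2(alphabet ** length), i.e. the
    binary logarithm of the number of guesses an exhaustive search needs."""
    return length * math.log2(alphabet)


def password_entropy(password):
    """Entropy estimate of a concrete password from its length and classes."""
    return entropy_bits(len(password), alphabet_size(password))


def guesses_needed(bits):
    """Invert the definition: 2 ** entropy attempts cover the whole space."""
    return 2 ** bits


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case search time at an assumed (constructed) guess rate."""
    return guesses_needed(bits) / guesses_per_second


if __name__ == "__main__":
    # Each extra character multiplies the search space by the alphabet size,
    # so going from 8 to 12 characters adds 4 * log2(alphabet) bits.
    for pw in ["123456", "qwerty12", "P@ssw0rd9", "1jCtS1lY&1jCtShM1c"]:
        bits = password_entropy(pw)
        print(f"{pw:20s} {len(pw):2d} chars, alphabet {alphabet_size(pw):2d}, "
              f"{bits:5.1f} bits, {seconds_to_exhaust(bits) / 86400:.3g} days")
```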
Practice #5: Don’t share your password
When you share your password with someone, anyone else can get hold of it in various ways. Therefore, you have only yourself to blame if your account gets hacked. According to the Norton Cybersecurity Insights Report, 31% of millennials are likely to share their passwords, compared to only 15% of baby boomers.
Practice #6: Update your passwords once per two months
Sometimes you may not even know that an attacker has already gained access to your account and is tracking all your activity. To cut off access to your personal data, change your passwords now, and then do so at least once every two months. This measure won’t protect your passwords from attacks, but it will help protect your personal information in case your account has already been compromised.
Practice #7: Use different passwords for different accounts
Although a single password for all your accounts seems convenient, since you avoid forgetting your credentials, it significantly increases the vulnerability of your personal information: one leak puts all your accounts at risk at once. Create a unique password for each account. This improves your chances of protecting most of your accounts in the case of brute force, rainbow, and dictionary attacks.
Practice #8: Update your software
Besides online services, the software you use may also contain vulnerabilities that put your sensitive data at risk, and cybercriminals can exploit them to compromise your personal data. Most software providers continuously work on improving the security of their tools and regularly release updates.
When you see a notification offering to install an update for a certain tool, don’t ignore it. In 2017, users of the old 32-bit CCleaner version were hit by a massive malware attack that sent IP addresses and other confidential information about infected computers to a third-party server. To avoid a data breach, update your software regularly.
Practice #9: Don’t enter your credentials on computers or networks you can’t control
Web browsers or mobile apps may save the login details you enter. Thus, you may accidentally hand over your sensitive data yourself and give third parties access to your accounts. Furthermore, avoid public Wi-Fi access points, especially ones without password protection; otherwise you expose your personal information to Wi-Fi data interception. If you must connect to public Wi-Fi, at least visit only websites that don’t require logging in.
Practice #10: Use two-factor authentication
Two-factor authentication (2FA) is the best way to protect passwords from hackers. It’s the last line of defense that can protect your accounts when your credentials have been compromised. This technology adds a security layer to the standard authentication procedure: with 2FA, besides entering your username and password, you have to enter an OTP or scan your face or fingerprint with your smartphone to access your account.
If your service offers different types of two-factor authentication, pick the biometrics-based one, since OTPs sent via SMS are vulnerable to man-in-the-middle (MITM) attacks. These techniques enable cybercriminals to intercept your text messages and so obtain your one-time passwords. Biometrics-based 2FA can secure accounts from threats such as keylogger, rainbow, dictionary, and brute force attacks, and from attacks via public Wi-Fi connections. In addition, you can use the Google Authenticator app to protect passwords for your WordPress accounts.
Practice #11: Consider using a password manager
If you have accounts with many online services and struggle to remember a complicated password for each, consider using a password manager. These tools store all your passwords in encrypted form, so you only need to remember a single master password instead of dozens.
This may sound like putting all your eggs in one basket, but with 2FA and encryption, your passwords may be in a safer place than in your spreadsheet. Even if cybercriminals somehow hack your password manager account, they are most unlikely to decrypt your credentials. Furthermore, with password managers like Norton or LastPass, you don’t need to copy and paste your password to access an account; these tools fill in the login form fields automatically.
Practice #12: Don’t write them down
Remember the “Friends” episode where Joey asked Phoebe to dictate the PIN he had written down at the ATM? Don’t be like Joey. Never write your passwords down on paper or type them into a Google spreadsheet, even if you’ve restricted access to that file. Otherwise, if hackers gain access to your Gmail account, you can lose the personal data from all your other accounts.
Practice #13: Doubt all unusual information you receive via email, SMS, or phone
To avoid becoming a victim of a phishing attack, be suspicious of any unusual request from people you don’t know asking you to do something via SMS, phone call, or email. The requested action may be following a link, launching a file, or typing in your password. Never do this, recommends the National Institute of Standards and Technology (NIST).
Furthermore, always pay attention to the address of the website you are about to log in to, since cybercriminals often copy the web design of popular sites to manipulate users into entering their credentials on the malicious copy. Check whether the connection is secure: the website address should start with https:// rather than http://, for example, https://cyberpulse.info. This ensures that any data you enter on the site reaches the server in encrypted form.
How to create a secure and easy-to-remember password
Creating and remembering long, complicated passwords with lowercase and uppercase letters, digits, and special symbols is difficult. So here’s a lifehack. Pick a song and take the first letter of each word in two of its lyric lines. Then make every second letter uppercase, replace the letter “o” with “0” and “i” with “1”, and add the “&” symbol to separate the two lines.
- I just called to say I love you
- I just called to say how much I care
The password may be: 1jCtS1lY&1jCtShM1c
To create different passwords for different accounts with this method, replace the first letter of the password with the first letter of the name of the service. For example, a password for Facebook could be: FjCtS1lY&1jCtShM1c. You can go even further and create your own unique scheme. Feel free to share your ideas in the comments section below.
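The lifehack above, written out as an added example that reproduces the article's password exactly; it is not code from the article. One detail the text leaves implicit is assumed here: the letters turned into digits (i and o) are not counted when alternating case, which is the only reading that yields 1jCtS1lY&1jCtShM1c from the two lyric lines.

```python
# Lyric lines from the article's worked example.
LYRIC_LINES = [
    "I just called to say I love you",
    "I just called to say how much I care",
]

# Letter-to-digit substitutions prescribed by the text (case-insensitive).
SUBSTITUTIONS = {"o": "0", "i": "1"}


def encode_line(line):
    """Turn one lyric line into its password fragment.

    Rules: take the first letter of each word; replace o -> 0 and i -> 1;
    among the characters that stay letters, make every second one uppercase.
    Substituted digits are skipped when counting (assumption, see lead-in),
    and words that do not start with a letter are ignored.
    """
    out = []
    letters_seen = 0
    for word in line.split():
        first = word[0].lower()
        if not first.isalpha():
            continue
        if first in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[first])
            continue
        letters_seen += 1
        out.append(first.upper() if letters_seen % 2 == 0 else first)
    return "".join(out)


def make_password(lines, separator="&"):
    """Join the encoded lines with the separator ('&' in the text)."""
    return separator.join(encode_line(line) for line in lines)


def for_service(base_password, service_name):
    """Per-service variant: the first character becomes the service's initial."""
    return service_name[0].upper() + base_password[1:]


if __name__ == "__main__":
    base = make_password(LYRIC_LINES)
    print(base)                            # 1jCtS1lY&1jCtShM1c
    print(for_service(base, "Facebook"))   # FjCtS1lY&1jCtShM1c
```

Note that the per-service variants differ from each other in a single character, so a leak of one of them effectively exposes the rest; a password manager (Practice #11) avoids that trade-off.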