Passwords are notorious for being the weakest link between a network and a successful attack.
Using the same password for multiple accounts, sharing passwords, keeping sticky notes on your monitor with login information, or just having a weak password in general are big no-no’s when it comes to cyber security.
Password attacks can result in substantial data leakage. In its 2016 Data Breach Investigations Report, Verizon found that 63% of data breaches involved weak or stolen passwords.
With stats such as this, it’s important to know how hackers are targeting your passwords and what steps you can take to prevent a successful attack.
Hackers have many tools to harvest your passwords. Here are a few types.
One of the most popular ways to steal a password is with social engineering.
Social engineering occurs when a hacker creates a fake social situation that tricks the user into giving the hacker login credentials or other information.
An example of such an occurrence would be an attack in which the hacker pretends to be an IT specialist within a company in an email sent to an employee.
This could also be done with a phone call. In the message, the hacker could ask for login information from said employee, and given the hacker’s IT disguise, the employee may be fooled into providing the information to the hacker.
Phishing is a particularly prominent subset of social engineering that is becoming a mainstream method of attack.
A phishing attack usually consists of a hacker emailing or otherwise pushing a malicious link or attachment to a victim, disguising it as something benign.
A common example of this type of attack would be an email that appears to be from an individual looking for employment opportunities within a company.
However, the attached “resume” in this email is actually malware designed to snag passwords and other information from the victim’s computer.
Another way attackers can target your login credentials is through a brute-force attack, which happens when a hacker uses a program to guess your password by generating and trying as many potential passwords as possible.
Dictionary attacks are similar, but instead of generating character combinations, this type of attack tries words taken directly from a dictionary to break into your account.
Hackers can always go the old-school route of simply guessing your password.
Lists of common passwords – such as default router passwords and worst password lists – can make this process easier.
Some attackers have started looking up industry jargon in an attempt to guess passwords that may be related to a particular field.
Many malware packages provide tools that can help attackers to steal your passwords.
Keystroke logger programs are one of the most common examples. They secretly track the user’s keystrokes and save them for review by an attacker.
Given all of these avenues a hacker could potentially take to crack your passwords, it’s important to create strong passwords and to diligently practice good password hygiene.
The best way to avoid a successful password attack is to start off with a stronger password. Here are some tips for creating one.
As a base guide, a strong password usually has more than 8 characters and includes upper and lower case letters, numbers and symbols.
The longer and more complex your password is, the better.
Since brute-force attacks generate combinations of characters to guess passwords, a longer password increases the time it takes to guess.
Another way to make it harder for a brute-force or dictionary attack to succeed is to avoid using full words or names in your passwords.
So instead of using the word ‘Look’, you might consider using ‘L00k’ or ‘l/0/0/k’ to make a strong password.
However, even with these safeguards, using personal information in your password is still not recommended. This includes people’s names, birthdates, street addresses, and even the name of your pet.
Keep in mind that a password made only of characters that appear in sequence on your keyboard, such as asdfghjkl; or 123456789, will be easy pickings for hackers.
Passwords such as these regularly circulate Worst Password lists year to year, and should be avoided at all costs.
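The rules above (length, character classes, no keyboard runs, no worst-list entries, no personal information) and the brute-force reasoning behind them can be checked mechanically. The following is an added example written for this article, not code from the original page; the sample worst-passwords set, the keyboard rows and the 1e10 guesses-per-second cracking rate are assumptions chosen for illustration.

```python
import string

# Constructed sample of entries of the kind found on "worst passwords" lists
# (illustrative only, not the real list).
WORST_PASSWORDS = {"123456", "123456789", "password", "qwerty", "letmein", "asdfghjkl"}

# Keyboard rows and the digit row, used to spot passwords made of adjacent keys.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl;", "zxcvbnm,./", "1234567890")

# (name, per-character test, alphabet size contributed) for each character class.
CLASS_TESTS = (
    ("lower-case letters", str.islower, 26),
    ("upper-case letters", str.isupper, 26),
    ("digits", str.isdigit, 10),
    ("symbols", lambda c: c in string.punctuation, len(string.punctuation)),
)


def charset_size(password: str) -> int:
    """Alphabet an attacker has to cover, given the classes the password uses."""
    return sum(size for _, test, size in CLASS_TESTS if any(test(c) for c in password))


def brute_force_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust every string of this length over this alphabet.
    1e10 guesses/s is an assumed offline cracking rate, not a figure from the article."""
    return charset_size(password) ** len(password) / guesses_per_second


def contains_keyboard_sequence(password: str, min_len: int = 4) -> bool:
    """True if the password contains min_len adjacent keys from one row, in either direction."""
    lower = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            run = row[i:i + min_len]
            if run in lower or run[::-1] in lower:
                return True
    return False


def check_password(password: str, personal_info=()) -> list[str]:
    """Return the article's rules that the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) <= 8:
        problems.append("8 characters or fewer")
    missing = [name for name, test, _ in CLASS_TESTS if not any(test(c) for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if password.lower() in WORST_PASSWORDS:
        problems.append("appears on a worst-passwords list")
    if contains_keyboard_sequence(password):
        problems.append("contains a keyboard sequence")
    for item in personal_info:
        if item and item.lower() in password.lower():
            problems.append(f"contains personal information: {item}")
    return problems


if __name__ == "__main__":
    for pw in ("123456789", "L00k", "K!w4a*0x8b"):
        years = brute_force_seconds(pw) / (365 * 24 * 3600)
        print(f"{pw!r}: {charset_size(pw)}-character alphabet, "
              f"worst-case search {years:.2e} years; problems: {check_password(pw) or 'none'}")
```

The time estimate is the exhaustive-search figure the article's reasoning refers to; it assumes the attacker knows nothing about the password's structure, which is exactly why the checks on dictionary words, keyboard runs and personal details matter: those give an attacker a much smaller space to search than the raw alphabet suggests.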
Making easy-to-remember passwords can be as simple as using the first initial of each word in your favorite lyric instead of the lyric itself.
For example, instead of using NeverGonnaGiveYouUp, use NGGYU as part of your password.
Add numbers or symbols to further complicate your password like so: /NgGyU/7891/, -n1g9g8y7u-.
For even more security, ‘salt’ your password with more characters: ---//n-1-g-9-8-y-7-u//--
By adding more complex characters to your password, you’ll be making it even harder for hackers to crack.
Feel free to apply this methodology to other songs, books, movies, or whatever else you can easily memorize.
In the event one of your passwords is cracked, the last thing you want is for the hacker to have access to your other accounts, so be sure to use a unique password for every account you have.
One way to make this easier is to use a contextual password.
A contextual password works by requiring you to remember only one password and then varying that password based on where it is used.
For a simple example, you can start with the password: K!w4a*0x8b
To use this password for your bank, you can alter it by adding the characters “ba” and “nk”: K!baw4a*0xnk8b
To use the password for your wifi router, you can add “wi” and “fi”: K!wiw4a*0xfi8b
You can also make the password more complex by altering how you select and alter the password’s characters for each context.
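The bank and wifi examples above follow one rule: split the context tag in half and splice the halves into the base password at fixed positions. Below is an added example (not the article's own code) that implements that rule; the offsets 2 and 8 are read off the two examples and are an assumption, as is the optional transform used to vary how the inserted characters are altered per context.

```python
def contextual_password(base: str, context: str, insert_after=(2, 8),
                        transform=lambda s: s) -> str:
    """Derive a per-site password from one memorised base password.

    The context tag is split in half and each half is spliced into the base at
    the given offsets; `transform` lets you alter the spliced characters (for
    example upper-casing them) to change the scheme per account.
    Offsets (2, 8) reproduce the article's bank/wifi examples (assumption).
    """
    if len(context) < 2:
        raise ValueError("context tag needs at least two characters")
    half = len(context) // 2
    pieces = (transform(context[:half]), transform(context[half:]))
    for pos in insert_after:
        if pos > len(base):
            raise ValueError("insert offset lies beyond the end of the base password")
    result = base
    # Splice from the right so the earlier offset is still correct after the first insert.
    for pos, piece in sorted(zip(insert_after, pieces), reverse=True):
        result = result[:pos] + piece + result[pos:]
    return result


def contextual_passwords(base: str, contexts) -> dict:
    """One derived password per context; every account ends up with a different string."""
    return {ctx: contextual_password(base, ctx) for ctx in contexts}


if __name__ == "__main__":
    base = "K!w4a*0x8b"  # the article's sample base password
    for ctx, pw in contextual_passwords(base, ["bank", "wifi", "mail"]).items():
        print(f"{ctx:>4}: {pw}")
    print("bank (upper-cased tag):", contextual_password(base, "bank", transform=str.upper))
```

One thing to keep in mind when choosing this scheme: every derived password contains the full base password, so if one account's password is exposed, the base is exposed with it. A password manager, which the article recommends below for storing a master list, avoids that by giving each account an unrelated password.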
Consider enabling two-factor authentication for your accounts in the future.
Two-factor authentication is a way sites can further ensure that the person trying to access your account is really you.
They do this by requiring more information than just your login and password.
Many sites offer to send you a code to your phone, which you then have to enter along with your username and password in order to log into your account.
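On the site's side, the texted code only adds security if it is checked properly: it must be tied to the user, expire quickly, work once, and tolerate only a few wrong guesses. The following is an added example of that server-side logic, written for this article and not taken from any real site; the user record, salt, five-minute lifetime and five-attempt cap are constructed values, and the stored password is the article's own bank example reused as demo data.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a texted code
MAX_ATTEMPTS = 5         # assumed cap on wrong guesses per issued code
PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record: per-user salt and PBKDF2 hash of the password.
_ALICE_SALT = b"constructed-salt-for-alice"
USERS = {"alice": (_ALICE_SALT, _hash_password("K!baw4a*0xnk8b", _ALICE_SALT))}


def password_ok(username: str, password: str) -> bool:
    """First factor: compare hashes in constant time; unknown users simply fail."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


class OneTimeCodeStore:
    """Second factor: codes sent to users' phones, kept hashed, time-limited, single use."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(username: str, code: str) -> bytes:
        # Binding the username in means a code issued to one user cannot be used by another.
        return hashlib.sha256(f"{username}:{code}".encode()).digest()

    def issue(self, username: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # 6 random digits from a CSPRNG
        self._pending[username] = [self._digest(username, code),
                                   self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # in practice sent to the user's phone, never echoed back to the browser

    def verify(self, username: str, code: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[username]  # expired: the user must request a new code
            return False
        if hmac.compare_digest(code_hash, self._digest(username, code)):
            del self._pending[username]  # single use: a replayed code is rejected
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[username]  # too many wrong guesses; a new code is required
        return False


def login(store: OneTimeCodeStore, username: str, password: str, code: str) -> bool:
    """Both factors must pass; the code is only consumed once the password is right."""
    return password_ok(username, password) and store.verify(username, code)


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")  # would be texted to Alice
    print("wrong password:", login(store, "alice", "password", code))
    print("right password + code:", login(store, "alice", "K!baw4a*0xnk8b", code))
    print("replayed code:", login(store, "alice", "K!baw4a*0xnk8b", code))
```

The `clock` parameter exists so the expiry logic can be exercised without waiting five minutes; a real deployment would also rate-limit code requests per user so an attacker cannot keep asking for fresh codes.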
Creating a strong password is only part of the solution. You must also protect it with sound password security.
For example, if you have to share a password with someone, change it once they no longer need it.
In fact, it is recommended to change your password every 6 months or so regardless of whether or not the password has been shared.
With all of these new passwords, it’s important not to leave an easily accessible file or paper record containing all of your password information lying around.
If someone has access to your computer and such a list, they could easily compromise ALL of your accounts, making all of the hard work you’ve put in to maintaining strong passwords a moot point.
If you’ve got to have a backup copy of all of your passwords, keeping a written list in a locked drawer or cabinet that you and only you have access to is an option.
If you’d rather go digital, consider using an encrypted USB or password managing program to safeguard your master password list.
Don’t email this list around though, and if you want to back it up, only do so with an encrypted hard drive.
Even with these precautions in place, password breaches can still occur.
In the event that your account is breached, the most important thing is to change your password immediately.
If you lose access to the hacked account, many vendors offer account recovery options that can help you reclaim it.
Once you’ve changed your password, check the changelog if one is available.
You’ll also want to comb through all of the settings of your account since the hacker could have altered the changelog.
Look for any changes that would make it easy for them to compromise your account again.
For example, the hacker may have changed the account’s backup email to one under their control.
This would mean that changing the password of the account would do nothing to re-secure your account post-breach.
Check all online profiles and logins related to the compromised account, especially if it is an email account.
How many sites ask you for an email address to log into their site or to place an order?
You’ll also want to check the settings of these linked accounts, since they may have also been accessed and tampered with by the hacker.
Some of the final steps to take when recovering from a breach are scanning your computer for malware, notifying your contacts that you’ve been breached, and checking all correspondence for further signs of other breaches as well as any new accounts that could have been opened in your name.
Whether you’re a network security guru looking to explain the importance of secure passwords to your clients or just a beginner wanting to shape up your approach to securing your online information, using strong passwords habitually is an important building block to a successful network security plan.