5 ways hackers steal passwords.

Passwords are the virtual keys to your digital world, providing access to your online banking, email and social media services, your Netflix and Uber accounts, and all the data hosted in your cloud storage. With working logins, a hacker could:

  • Steal your personal identity information and sell it to fellow criminals.
  • Sell access to the account itself. Dark web criminal sites do a brisk trade in these logins. Unscrupulous buyers could use access to get everything from free taxi rides and video streaming to discounted travel from hijacked Air Miles accounts.
  • Use passwords to unlock other accounts where you use the same password.

How do hackers steal passwords?

Familiarize yourself with these typical cybercrime techniques and you’ll be far better placed to manage the threat:

1. Phishing and social engineering

Human beings are fallible and suggestible creatures. We’re also prone to make the wrong decisions when rushed. Cybercriminals exploit these weaknesses through social engineering, a psychological con trick designed to make us do something we shouldn’t. Phishing is perhaps the most famous example. Here, hackers masquerade as legitimate entities: friends, family, companies you’ve done business with, and so on. The email or text you receive will look authentic, but it includes a malicious link or attachment which, if clicked, downloads malware or takes you to a page asking you to fill in your personal details.

Fortunately, there are plenty of ways to spot the warning signs of a phishing attack, as we explain here. Scammers are even using phone calls to elicit logins and other personal information directly from their victims, often pretending to be tech support engineers. This is known as “vishing” (voice-based phishing).

2. Malware

Another popular way to get hold of your passwords is via malware. Phishing emails are a prime vector for this kind of attack, although you might fall victim by clicking on a malicious advert online (malvertising), or even by visiting a compromised website (drive-by-download). As demonstrated many times by ESET researcher Lukas Stefanko, malware could even be hidden in a legitimate-looking mobile app, often found on third-party app stores.

There are many varieties of information-stealing malware, but some of the most common are designed to log your keystrokes or take screenshots of your device and send them back to the attackers.

3. Brute forcing

The number of passwords the average person has to manage increased by an estimated 25% year-on-year in 2020. As a consequence, many of us use easy-to-remember (and easy-to-guess) passwords and reuse them across multiple sites. This opens the door to so-called brute-force techniques, in which automated tooling systematically tries large numbers of candidate passwords.

4. Guesswork

Although hackers have automated tooling at their disposal for brute-forcing your password, sometimes it isn’t even needed: simple guesswork, as opposed to the more systematic approach used in brute-force attacks, can do the job. The most common password of 2020 was “123456”, followed by “123456789”. Coming in at number four was the one and only “password”.

And if you’re like most people and recycle the same password, or a close derivative of it, across multiple accounts, then you’re making things even easier for attackers and putting yourself at additional risk of identity theft and fraud.
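To show why a “close derivative” of a common password buys nothing, here is an added example (not part of the original article) of the kind of check a login or password-change form can run on the defender’s side: it reduces a password to the root a guesser would start from and rejects it if that root is on a denylist, or if a “new” password is only a cosmetic tweak of the old one. The denylist is a constructed sample seeded with the three passwords cited above; a real deployment would load a large breach-derived list.

```python
import re

# Constructed denylist for illustration: the three most common passwords of
# 2020 cited in the text plus a few other perennial favourites (assumption).
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "iloveyou"}

# Single-character substitutions people use to "strengthen" a password.
# Cracking wordlist rules undo these automatically, so the check undoes them too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the root a guesser would start from:
    lowercase it, drop digits/symbols tacked on either end, undo leet."""
    root = password.strip().lower()
    root = re.sub(r"[\d\W_]+$", "", root)   # trailing "2021", "123!", "!!"
    root = re.sub(r"^[\W_]+", "", root)     # leading "!" or "#"
    return root.translate(LEET)


def is_weak(password: str) -> bool:
    """True if the password itself, or the root it derives from, is common."""
    if password.lower() in COMMON_PASSWORDS:
        return True
    root = normalize(password)
    # An empty root means the password was nothing but digits and symbols.
    return root == "" or root in COMMON_PASSWORDS


def same_root(old: str, new: str) -> bool:
    """At password-change time, flag a new password that is only a cosmetic
    tweak of the old one (e.g. Summer2020 -> Summer2021!)."""
    return normalize(old) == normalize(new)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["123456789", "P@ssw0rd2021!", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        print(f"{candidate!r:32} root={normalize(candidate)!r:28} "
              f"weak={is_weak(candidate)}")
    print("Summer2020 -> Summer2021! same root:",
          same_root("Summer2020", "Summer2021!"))
```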

5. Shoulder surfing

All of the paths to password compromise we’ve explored so far have been virtual. However, as lockdowns ease and many workers start heading back to the office, it’s worth remembering that some tried-and-tested eavesdropping techniques also pose a risk. Nor is the office the only place where shoulder surfing is a risk: ESET’s Jake Moore recently ran an experiment to find out how easy it is to hack someone’s Snapchat using this simple technique.

A more hi-tech version, known as a “man-in-the-middle” attack involving Wi-Fi eavesdropping, can enable hackers on the same public Wi-Fi network to snoop on your password as you enter it. Both techniques have been around for years, but that doesn’t mean they’re no longer a threat.

How to protect your login credentials

There’s plenty you can do to block these techniques: adding a second form of authentication to the mix, managing your passwords more effectively, or taking steps to stop the theft in the first place. Consider the following:

  • Use only strong and unique passwords or passphrases on all your online accounts, especially your banking, email and social media accounts
  • Avoid reusing your login credentials across multiple accounts and making other common password mistakes
  • Switch on two-factor authentication (2FA) on all your accounts
  • Use a password manager, which will store strong, unique passwords for every site and account, making logins simple and secure
  • Change your password immediately if a provider tells you your data may have been breached
  • Only use HTTPS sites for logging in
  • Don’t click on links or open attachments in unsolicited emails
  • Only download apps from official app stores
  • Invest in security software from a reputable provider for all your devices
  • Ensure all operating systems and applications are on the latest version
  • Beware shoulder surfers in public spaces
  • Never log on to an account if you’re on public Wi-Fi; if you do have to use such a network, use a VPN

The demise of the password has been predicted for over a decade. But password alternatives still often struggle to replace the password itself, meaning users must take matters into their own hands. Stay alert and keep your login data safe.
