From social engineering to looking over your shoulder, here are some of the most common tricks that bad guys use to steal passwords.
The concept of the password has been around for centuries and passwords were introduced into computing way sooner than most of us can remember. One reason for the enduring popularity of passwords is that people know instinctively how they work. But there’s also a problem. Passwords are the Achilles’ heel of the digital lives of many people, especially as we live in an age when the average person has 100 login credentials to remember, with the number only trending upwards in recent years. It’s little wonder many people cut corners and security suffers as a result.
Given that the password is often the only thing standing between a cybercriminal and your personal and financial data, crooks are more than eager to steal or crack these logins. We must put at least the same amount of effort into protecting our online accounts.
What can a hacker do with my password?
Passwords are the virtual keys to your digital world – providing access to your online banking, email and social media services, our Netflix and Uber accounts, and all the data hosted in our cloud storage. With working logins, a hacker could:
- Steal your personal identity information and sell it to fellow criminals.
- Sell access to the account itself. Dark web criminal sites do a brisk trade in these logins. Unscrupulous buyers could use access to get everything from free taxi rides and video streaming to discounted travel from hijacked Air Miles accounts.
- Use passwords to unlock other accounts where you use the same password.
How do hackers steal passwords?
Familiarize yourself with these typical cybercrime techniques and you’ll be far better placed to manage the threat:
- Phishing and social engineering
Human beings are fallible and suggestible creatures. We’re also prone to make the wrong decisions when rushed. Cyber-criminals exploit these weaknesses through social engineering, a psychological con trick designed to make us do something we shouldn’t. Phishing is perhaps the most famous example. Here, hackers masquerade as legitimate entities: like friends, family, and companies you’ve done business with etc. The email or text you get will look authentic, but includes a malicious link or attachment which, if clicked on, will download malware or take you to a page to fill in your personal details.
Fortunately, there are plenty of ways to spot the warning signs of a phishing attack, as we explain here. Scammers are even using phone calls to directly elicit log-ins and other personal information from their victims, often pretending to be tech support engineers. This is described as “vishing” (voice-based phishing).
Another popular way to get hold of your passwords is via malware. Phishing emails are a prime vector for this kind of attack, although you might fall victim by clicking on a malicious advert online (malvertising), or even by visiting a compromised website (drive-by-download). As demonstrated many times by ESET researcher Lukas Stefanko, malware could even be hidden in a legitimate-looking mobile app, often found on third-party app stores.
There are various varieties of information-stealing malware out there but some of the most common are designed to log your keystrokes or take screenshots of your device and send it back to the attackers.
- Brute forcing
The average number of passwords the average person has to manage increased by an estimated 25% year-on-year in 2020. Many of us use easy-to-remember (and guess) passwords as a consequence, and reuse them across multiple sites. However, this can open the door to so-called brute-force techniques.
One of the most common is credential stuffing. Here, attackers feed large volumes of previously breached username/password combinations into automated software. The tool then tries these across large numbers of sites, hoping to find a match. In this way, hackers can unlock several of your accounts with just one password. There were an estimated 193 billion such attempts globally last year, according to one estimate. One notable victim recently was the Canadian government.
Another brute force technique is password spraying. Here, hackers use automated software to try a list of commonly used passwords against your account.
Although hackers have automated tooling at their disposal for brute-forcing your password, sometimes these are not even needed: even simple guesswork – as opposed to the more systematic approach used in brute-force attacks – can do the job. The most common password of 2020 was “123456”, followed by “123456789”. Coming in at number four was the one and only “password”.
And if you’re like most people and recycle the same password, or use a close derivate of it, across multiple accounts, then you’re making things even easier for attackers and put yourself at additional risk of identity theft and fraud.
- Shoulder surfing
All of the paths to password compromise we’ve explored so far have been virtual. However, as lockdowns ease and many workers start heading back to the office, it’s worth remembering that some tried-and-tested eavesdropping techniques also pose a risk. This is not the only reason why shoulder surfing is still a risk, and ESET’s Jake Moore recently ran an experiment to find out how easy it is to hack someone’s Snapchat using this simple technique.
A more hi-tech version, known as a “man-in-the-middle” attack involving Wi-Fi eavesdropping, can enable hackers sitting on public Wi-Fi connections to snoop on your password as you enter it in while connected to the same hub. Both techniques have been around for years, but that doesn’t mean they’re not still a threat.
How to protect your login credentials
There’s plenty you can do to block these techniques – either by adding a second form of authentication to the mix, managing your passwords more effectively, or taking steps to stop the theft in the first place. Consider the following:
- Use only strong and unique passwords or passphrases on all your online accounts, especially your banking, email and social media accounts
- Avoid reusing your login credentials across multiple accounts and making other common password mistakes
- Switch on two-factor authentication (2FA) on all your accounts
- Use a password manager, which will store strong, unique passwords for every site and account, making log-ins simple and secure
- Change your password immediately if a provider tells you your data may have been breached
- Only use HTTPS sites for logging in
- Don’t click on links or open attachments in unsolicited emails
- Only download apps from official app stores
- Invest in security software from a reputable provider for all your devices
- Ensure all operating systems and applications are on the latest version
- Beware shoulder surfers in public spaces
- Never log-on to an account if you’re on public Wi-Fi; if you do have to use such a network, use a VPN
The demise of the password has been predicted for over a decade. But password alternatives still often struggle to replace the password itself, meaning users must take matters into their own hands. Stay alert and keep your login data safe.
written by Phil Muncaster, ESET