Someone once said passwords are like apples in a fictional garden. They are perfect, ripe and there for the taking! Twitter today (n.b. this article was written on May 4, 2018) announced that they had discovered a glitch in their systems that stored passwords in plain text (rather than being hashed), however, that no misuse or breach has been detected. But what would have happened if there had been an actual breach? If you use the same password for Twitter and a number of other apps and accounts, a cybercriminal only needs to get their hands on this once to potentially gain access to private and even financial information. Let’s look at this in more detail as well as other common ways hackers get hold of passwords!

1. Hacking one password and getting access to the rest

Once any one site is hacked and that password is stolen, it can be leveraged to access other accounts. If the hackers can get into their user’s email account, they will use that to reset the user’s password everywhere else. Numerous high profile people have been taken down by password reset attacks. Hackers also try to brute-force passwords by using lists of common passwords, dictionary lookup tables, and password cracking tools like John the Ripper, Hashcat, or Mimikatz.

No matter how complex you think your password is (just because you’ve used symbols, capital letters and numbers), the truth is that human generated passwords are simply easy to crack by hackers, especially as password cracking tools that criminals use have become quite sophisticated. If you’re curious to find out how strong your password is and how long it would take a hacker to crack it check out https://howsecureismypassword.net/ . A rule of thumb is, if you can remember it, it isn’t a good password. Sorry.

2. Rainbow Table

A rainbow table is typically an offline password attack. Hackers get hold of lists containing usernames and passwords, but they’re encrypted. The encrypted password is hashed. What this means is that it looks completely different from the original password. For instance, your password is ‘logmein’ (we hope not!). The known MD5 hash for this password is “8f4047e3233b39e4444e1aef240e80aa.” The attacker will run a list of plaintext passwords through a hashing algorithm, comparing the results against an encrypted password file. Instead of processing hundreds of thousands of potential passwords and matching their resulting hash, a rainbow table is a set of precomputed algorithm specific hash values which then decreases the time it takes to crack a hashed password.

3. Botnets

In order to attack large public sites, attackers use botnets to try out different combinations of logins and passwords. They use lists of login credentials stolen from other sites and lists of passwords that people commonly use. These lists are available for free, or at low cost, and include login information on about 40% of all internet users. Pretty scary, right? Unfortunately, those passwords stay valid for a long time. Even post-breach, many users will not change their already breached password. That’s why we always advise you to change your passwords immediately after you’ve been made aware of a breach.

A common mistake users do is having the same password across multiple sites. Having a pretty complex password does not mean it is okay to use that same password for your email AND for your bank login AND for your Social Media profiles. Hacks are reported after it is too late, at which point your one very complicated password is already compromised, and so is all of your information.

By the way, “123456” is still the most common password on the planet!

4. Phishing Attacks 

One of the most common credentials theft techniques is through phishing. You know those dodgy looking emails that you get from your bank saying that you must update your account details now or else…? When users receive these emails and they click on the links, usually two things happen:

1.  A malicious payload is downloaded onto your computer which will use a variety of techniques in order to steal your email credentials and login information.
2. Nothing is downloaded, but you are encouraged to enter your login credentials into a form which you could swear is from your bank! As soon as this happens, you have freely given your sensitive information to hackers.

5. Wi-Fi Monitoring Attacks

Have you ever connected to a public Wi-Fi and then logged into any accounts? Then your password could’ve already been stolen. Through WiFi traffic monitoring, hackers can easily intercept your information (usernames and passwords you are using on various sites while being connected). They use simple applications that can be downloaded for free and it takes them minutes to steal your credentials.

What are the key takeaways from this article? Here’s some quick tips.

Firstly, really pay attention to the complexity you set for your passwords and never use the same password for multiple accounts.

Secondly, do turn on MFA (Multi-Factor Authentication) wherever possible.

Thirdly, keep your passwords secure. Writing them on a post-it and sticking it on your laptop screen is as far from being secure as you can image. There are numerous password manager programs out there that securely store passwords, like Keeper Security.

Fourthly, avoid connecting to public WiFi. There may come a time when your only option is an unsecured, free, public WiFi hotspot, and your work simply cannot wait. If you find yourself in a situation where you absolutely must connect to WiFi (first ask if you REALLY need to connect) try to use a VPN or use your mobile data as a hotspot.

Lastly, and this goes without saying, really pay attention to the emails you’re getting. If it looks even remotely suspicious, it probably is. Always check the email address it comes from, the header, the salutation, the urgency, the sender etc.