As the famous English proverb says, “Forewarned is forearmed”.
How passwords are stolen
There are three main ways to capture passwords:
- get passwords from the user himself;
- intercept passwords on the way from the client to the server;
- intercept passwords on the server side by exploiting its vulnerabilities.
We will consider in detail only the first two, since these are the ones the user can influence, provided, of course, that he is informed. Accordingly, the protection against password theft varies from case to case.
Client-side password cracking
Passwords are guessed from identification information the hacker already knows about the user: first name, last name, year of birth, nicknames, hobbies, slogans posted in status updates, and so on.
Hackers can also guess passwords with a "dictionary attack", which runs through frequently used words and catchphrases. After breaking into one account, they may also try the same password on your other accounts.
Hacker password protection
- Do not use short and simple passwords like 12345, qwerty, abvgd, etc.
- Do not build your password from personal data that can easily be found in the public domain: your name, year of birth, phone number or slogan.
- Do not use the same password in different accounts.
- Hide your personal phone numbers and e-mail addresses on social networks, so that attackers cannot know your login for certain (it is often an e-mail address or phone number). Do not use public information to create passwords.
- Do not use your company email credentials (passwords) to sign up for other services.
- Use additional account protection, such as physical security keys.
Brute Force attacks
This method is also called "brute force" or exhaustive search. Passwords are guessed with the help of utilities that carry built-in dictionaries and common combinations. The best-known crackers are Brutus, RainbowCrack, Wfuzz and Medusa.
Short passwords of up to 7 characters are guessed by machines in a matter of seconds. Longer, more complex passwords may take weeks, months or even years, although hackers speed this up by distributing the work across several machines: in a local network, up to 2000 passwords can be checked per second.
Protect passwords from brute force
- It is recommended to change passwords in all accounts from time to time, namely once every 30, 60 or 90 days.
- Create complex passwords using different characters and letter cases.
- Do not use the same password for all accounts.
- Protect your data on social networks. Provide phone numbers and addresses unrelated to account login.
- Enable two-factor authentication.
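An added example (not code from the original article) that turns the advice of this and the previous section into a check: it screens a candidate password against the rules given above (too short, in a common-password list, built from public personal data, reused elsewhere) and estimates how long exhaustive search would take at a given guess rate. The tiny common-password list, the thresholds and the guess rates are assumptions.

```javascript
// Tiny stand-in for the multi-million-entry lists real cracking tools ship with.
const COMMON_PASSWORDS = new Set(["12345", "123456", "qwerty", "abvgd", "password"]);

// Character classes counted the way a brute-force tool sizes its keyspace.
const CLASSES = [
  { name: "lower", re: /[a-z]/, size: 26 },
  { name: "upper", re: /[A-Z]/, size: 26 },
  { name: "digit", re: /[0-9]/, size: 10 },
  { name: "symbol", re: /[^a-zA-Z0-9]/, size: 33 },
];

// Alphabet an attacker must cover to reach every password with this character mix.
function alphabetSize(password) {
  return CLASSES.filter(c => c.re.test(password)).reduce((n, c) => n + c.size, 0);
}

// Seconds to try the whole keyspace at guessesPerSecond (expected hit is about half).
// The article's 2000/s is a LAN-distributed online rate; offline cracking of a leaked
// hash on a GPU runs at billions per second, which is why short passwords fall fast.
function secondsToExhaust(password, guessesPerSecond) {
  return Math.pow(alphabetSize(password), password.length) / guessesPerSecond;
}

// Applies the article's rules and returns the violations found (empty = passes).
// `personal` holds the user's public data (name, birth year, nickname ...),
// `usedElsewhere` the passwords already used on other accounts.
function screenPassword(password, personal = [], usedElsewhere = new Set()) {
  const problems = [];
  const lower = password.toLowerCase();
  if (password.length < 8) problems.push("shorter than 8 characters");
  if (COMMON_PASSWORDS.has(lower)) problems.push("in the common-password list");
  if (CLASSES.filter(c => c.re.test(password)).length < 3) {
    problems.push("uses fewer than 3 character classes");
  }
  for (const item of personal) {
    const fragment = String(item).toLowerCase();
    if (fragment.length >= 3 && lower.includes(fragment)) {
      problems.push(`contains personal data "${item}"`);
    }
  }
  if (usedElsewhere.has(password)) problems.push("reused on another account");
  return problems;
}
```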
Keylogger and other surveillance methods
An intruder can watch you type your password in a public place, such as at work or in a co-working space, find the sticker with your password, install a keylogger, or plant a flash drive with malware.
A keylogger is software that records which keys you press on your keyboard.
Password protection from keyloggers
- Do not leave devices unattended.
- Protect entry to computers, tablets, and phones.
- Use password managers in your workplace so that your keystrokes cannot be tracked and recorded.
- Do not pick up “lost” flash drives and do not put them into your computer.
- Do not click on suspicious links and install only licensed software.
- Enable two-step or two-factor authentication to protect your password from hackers.
Social engineering
Stealing passwords with social engineering methods is quite common. The attacker contacts the victim by phone, mail or on social networks and, playing on his emotions, extracts the desired information. He does this either through threats ("your accounts have been blocked", "you have been fined", "your daughter is in danger", etc.) or by announcing a big lottery win, an unexpected inheritance, and so on.
This method requires the cheater to understand psychology and to have empathy skills. In addition, information about the victim is often collected beforehand (name, phone number, position, interests, children, services used), so it is sometimes difficult for an ordinary person to recognize the trick, especially if he expects to win or is genuinely afraid of fines, blocked accounts, etc.
Password theft protection using social engineering
- Never give out personal data: passwords, code words, SMS-codes. Real employees of banking, government and other institutions never ask for them.
- Don't write publicly about your goals, plans, accomplishments or worries, or at least limit the circle of people on social networks who can see your personal posts.
- Check your sources of information. Make sure it comes from real people in the appropriate position. You have the right to ask for the name of the institution, the full name and position of the employee.
- If, after communication, you feel that you were “tricked”, immediately change the passwords and block the cards.
- Update your software regularly and install a reliable antivirus.
- Remember: two-factor authentication is a more secure way to protect your information than passwords, which can become known to third parties.
Phishing
This method also belongs to social engineering, as it is based on surveillance of the victim. The scammer, already knowing which services you use, impersonates them: he sends, for example, an allegedly special offer from the company to your mail and invites you to a password-stealing site instead of the real one.
Protection against phishing
- Carefully study the site on which you enter data.
- Do not make purchases on unknown sites.
- Pay attention to the site protocol in the browser: https means the connection is encrypted and the certificate proves control of the domain shown in the address bar. It does not prove that this domain is the one you meant to visit, since phishing sites obtain https certificates too, so check the spelling of the address carefully.
- Enable two-step authentication. At the very least, protection with one more password will create an additional barrier against data theft.
- Use hardware security keys that work on the principle of asymmetric cryptography. They will not hand your data to a phishing site for the simple reason that they only answer a challenge that comes from the real server and is bound to that server's domain.
Trojan programs
This method of stealing passwords is also indirectly related to social engineering if the attacker picks a victim in order to obtain data for the specific services she uses. The rest is technical: he offers the victim something to download for free and plants a password-stealing Trojan in it, and once the program runs he gains access to the computer.
Trojan programs also accompany pirated products that users try to download online for free. In this case the victim himself opens access to the attackers.
Ways to protect passwords from Trojan programs
- Use licensed software.
- Regularly update programs to eliminate vulnerabilities.
- Install a reliable antivirus.
- Use security keys or other methods of two-factor authentication. In this case, if an attacker steals a file with passwords, it will be difficult for him to enter the service under your name.
- Update your passwords regularly as they can be compromised.
Interception of passwords on the way from the client to the server
There are cases where traffic interception is carried out lawfully by state services; in all other cases it is illegal. Briefly, the attacker proceeds as follows:
- The client connects to the server and logs in.
- The attacker connects to the local network and runs a password-stealing script.
- In response, the server sends your browser cookies (where, incidentally, you sometimes store passwords) to the attacker's e-mail address.
- The attacker then reads and decrypts the required data from the cookie, impersonates the end user and gains access to all the information he needs.
Wi-Fi access points
The most vulnerable place for data interception is a public Wi-Fi network in a cafe, airport, railway station and the like. There the hacker works a little differently: after joining the network, he uses utilities to read the IP addresses of connected clients, then changes his own address and enters the network under the identity of another user. As a result, you may lose data after connecting to a public network, and password protection alone will not help here.
You can also accidentally open access to hackers by setting up your home network incorrectly.
Methods of protection against theft of passwords in Wi-Fi access points
- Do not store passwords in browsers.
- Turn off Wi-Fi and Bluetooth when you are not using the Internet.
- When setting up a home Wi-Fi network, use the WPA2 protocol.
- Protect your Wi-Fi network with a secure password.
- Log out of your accounts after the session is over.
- Change passwords as often as possible if you periodically use a public Wi-Fi network, and enable two-factor authentication.
- Make two-factor authentication mandatory at every login, not only when logging in from a new device.
- To enter accounts easily and without entering passwords, use physical security keys.
- Always try to be aware of how to protect digital information.
The most reliable password protection against theft today
We have briefly reviewed the best-known methods of hacker attacks and seen that protecting accounts with passwords alone is no longer sufficient. Physical security keys, which are simple and easy to use, protect accounts best of all. Among them, the keys produced in Sweden and the USA stand out: YubiKey.
- High reliability: protection against mechanical damage, moisture and dust (IP68 rated).
- They work on the principle of asymmetric cryptography.
- A wide product range suitable for a variety of purposes, from personal home use to enhanced protection at the level of state security.
- Thousands of services are supported, including IT giants such as Google, Microsoft and Binance.
- Security keys can be used instead of passwords, logging in to accounts with one touch.