A password to an internet service account, social media profile, computer, or mobile phone is perceived nowadays as something undividable from information technology in general. As narrow checkpoints to whatever lies beyond them, passwords inevitably attract the attention of hackers.
In this article, we recall the biggest password danger and give tips on how to think up a strong password, protect yourself from password stealers, and not become a victim of a password-related scam. Spoiler: you can’t overestimate a strong password!
Tips that Help to Create Strong Passwords
Passwords are the first data protection measure against hackers and malware, so users should not take them as a formality. The stronger the password guarding your Internet accounts is, the safer your valuable information will be. Users often think that a password is an outdated defense, and if hackers want to break it, they will always find a way to do it. But that is such an ignorant thing to think!
- Have a unique password for each of your accounts. The email account password should not be your banking account password. If evildoers manage to grab one of your passwords anyhow, they will try to apply it everywhere. However, the rest of your accounts should be impenetrable.
- A strong password consists of digits, upper-case and lower-case letters, and special symbols. It should also be at least eight characters long. The time difference between brute-force attacks on a weak and strong password is astonishing. An instant against eons.
- Use anything but your data. No names, dates, favorite colors, or literary characters. Password breakers research their victims, and if they approach your password, they will most likely be already armed with information about you. Don’t ease their work!
- Make sure you don’t use consecutive keyboard combinations like “qwerty.” These can be cracked very quickly. Also, mind that people tend to make very predictable keyboard strokes when trying to type something “random.”
- Don’t be too lazy to log out whenever you leave your computer or portable device, especially if it is about your workplace device. Besides, don’t forget about the possibility of signing out from accounts on all devices remotely.
Avoid this in Creating a Strong Password
Of course, cybercriminals might try to hack your password, but there is no guarantee they will succeed. It will take a password cracking program less than a second to break a password like “qwerty”, needless to say about “123”. But the same software will be busy over an 18-character code with letters of both cases, numbers, and special symbols for more than a quadrillion years. The point of maintaining strong passwords is to make a brute-force attack impractical.
- Avoid inputting your passwords on questionable machines that you don’t control. The threat is the possible presence of password-stealing or keylogging malware described above. If you had to do it anyway, change that password as soon as possible.
- The same goes for unsecured wireless networks. The hacking attack via a compromised Wi-Fi is called “man-in-the-middle,” It is fraught with stolen passwords and other credentials.
- Don’t tell your password to anyone, even friends. Never share what you wouldn’t like your enemy to know with a friend. And that is not because your friends are wrong.
- Change your passwords from time to time. People hate doing that, but all safety precautions seem excessive until found saving. Disagree when a browser offers you to store your passwords. Always select “never.”
- Try not to write your password on paper at your workplace. Someone might find it, and chances are high – somebody will. Remember, people think they are safe because they consider themselves uninteresting to crooks. But that is not always so.
Cyber Criminals Hack Passwords
Use a two-factor-authentication! Google has made it obligatory for its accounts, and that is good! It is reasonable to activate it on all accounts where it is possible. You will need to confirm your identity by clicking one button on your mobile phone as you or someone else is trying to access your account.
Phishing is one of the most dangerous attacks in terms of password protection for one simple reason – they don’t imply breaking passwords. Phishing doesn’t even need malware! A successful phishing campaign is sheer deception and social engineering.
Victims themselves deliver their credentials to the frauds, mistaking them for someone legitimate. However, since you are reading this, you will hopefully know that unexpected letters, even more so – attachments to them or links inside, are something to be careful with. The topics of such letters are:
- Often a delivery that is waiting for you.
- A money transfer.
- Something tempting like a sudden lottery win.
Often criminals offer their victims to confirm their passwords on a seemingly trustworthy website (like Facebook) that turns out to be a spoofed web page. The login and password entered into the form on that site go straight to the crooks.
While phishing usually uses fake websites, hackers can intercept the data of any actual sign-in form. That is possible with the help of a form-grabber, a Trojan-delivered malware that runs on the victim’s machine. It does not mess up the user’s communication with the website, but the form data is copied and delivered to the crooks.
Like any other malware1, form-grabbers end up on victims’ computers via common routes: dubious websites, questionable downloads, and unexpected emails and messages with attached files. Security programs like GridinSoft Anti-Malware are good at detecting and removing this class of malware.
Brute Force Attack
Exhaustive search (or brute-force search) systematically checks all possible keys to the problem until the solution is found. Its effectiveness is undeniable. If the key consists of four digits, a person will have spent a lot of time checking all the variants between 0000 and 9999. A modern computer will do the job in less than a second, giving an obvious advantage over the human.
But what if the password is a 24-character word that includes letters, capital letters, digits, and special symbols? Brute force is useless here as it will take years to break such a password. Brute-force search effectiveness can be heightened considerably by lists of candidate solutions. Dictionary attacks are a form of such assistance.
A brute force attack is an ideal procedure that will potentially break any defense. Dictionary attacks combine brute force features, namely the automatic picking process, with algorithms that operate with the supposed vocabulary of a person who is believed to be the one who thought up the password. If you set a goal to create a strong, randomly formed password, you will succeed, of course. But people rarely do that.
NOTE: Password counter services put Internet users at risk. Change your password to a more secure one immediately!
Password choice is usually determined. The basis of the password is often a word, a name, or a date that means something to the victim. People tend to add some digits to that word for show. Adding special symbols is too much for the average practice.
Understandably, if the malefactors possess the names of the victim’s family members, their dates of birth, and other information, they can use only the variations of these words and numbers. If that works – the password will succumb much earlier.
Keylogger Malware Attack
Keyloggers2 are a type of malware. Such programs can be injected into the victim system as Trojans. As a keylogger runs, it records every key pressed by the user and sends these records to the hackers who introduced the keylogger into the victim’s device. It is easy to harvest passwords from such logs after that.
What can limit the effectiveness of a keylogger is the usage of a virtual keyboard (who would do that, though,) password manager, and of course, anti-malware software.
Password stealer is Trojan-related malware capable of extracting saved passwords from programs that store them for users’ convenience, like web browsers, for example. Google Chrome keeps passwords on the users’ cloud accounts, but some browsers still store passwords on the machine serving as local password managers. Stealers are pretty detectable, and GridinSoft Anti-Malware, for example, has no problem quarantining them instantly. You should learn and understand the need to change the default password of any network device to a strong one.
Data Breach Attack
Eventually, hackers can steal passwords to Internet services otherwise. If the servers belonging to the service in question are breached, the malefactors might get access to their user’s passwords. It is hardly possible to oppose anything to such a threat; however, large companies have efficient data protection systems, so it is reasonable to trust them.
Malware Takes my Passwords?
Strong passwords are a must-have basis for data security. However, some harmful programs and malicious hacker techniques are designed not to break your password but to steal or detour it. Here are examples of well-known password-stealing malware.
IMPORTANT INFORMATION: Spam emails are still the most popular way for viruses to spread. Smoke Loader – password stealing malware just added a new way to infect your PC.
RedLine stealer is a malware-as-a-service product sold on hacker black markets. After it is purchased, it is distributed as a Trojan. For example, there were cases of Redline being disguised as a Windows 11 update. When it is infiltrated into the victim’s machine, the malware behaves like a versatile stealer of passwords and other credentials.
The notorious email spread virus “I love you,” which led to the shutdown of email servers worldwide back in 2000, also contained a password-stealing Trojan that grabbed passwords from the compromised systems and sent them to the server in the Philippines.
A Few More Words on Malware
As for the most recent events, in March 2022, more than 100,000 Android users have suffered from a Facestealer – a password-stealing malware that masks itself under the Craftsart Cartoon Photo Tools application.
Understandably, a stolen password is no fun. It may lead to information theft, digital vandalism, fraud, and identity theft as an apogee of the event’s vile impact. Protection against password-stealing malware is no less important than having strong passwords.