Passwords are the virtual “keys” for the digital world, and respectively hackers try in imaginative ways to gain access to sensitive data on a personal computer and large organizations.
With compromised passwords a hacker can:
Steal personal user information and then sell it to other criminals. To sell passwords directly, as websites of the “dark web” trade handsomely this information. Use passwords to unlock other accounts with the same password.
Cybersecurity firm ESET unveiled the five key ways hackers steal passwords:
Phishing and social engineering
In phishing, hackers disguise themselves as friends, relatives, companies you have worked with, etc. The email or text you receive will look authentic, but it will include a malicious link or attached file, which if you click, will download malware or take you to a website to fill in your personal information.
Phishing emails are a primary vector for this type of attack, although you can also be a victim by clicking on a malicious advertisement on the internet (malvertising) or by visiting a hacked website (drive-by-download). Malware can even be hidden in a mobile app that looks legitimate, which is often found in third-party app stores. There are various kinds of malware that steal information, but some of the most common ones are designed to record typing or take snapshots of the device screen and send it to the attackers.
Brute Forcing Attacks Many use passwords that are easy to remember (and also guess someone else) and use them on many different websites. However, this can open the door to so-called brute-force techniques. One of the most common are those of the credential stuffing type, in which attackers feed into automated software large volumes of username/password combinations that have been compromised in the past. The tool then tests these combinations on a large number of web pages, hoping to find a match.
That way, hackers can unlock multiple accounts with a single password. According to an estimate, last year there were about 193 billion such efforts worldwide. Another brute-force technique is the password spraying attack, in which hackers use automated software to test on the user’s account a list of frequently used passwords.
Guessing
Although hackers have automated tools at their disposal for violating passwords, sometimes these are not even necessary: even simple guesswork—as opposed to the more systematic approach used in Brute Force attacks—can do the job. The most common password of 2020 was “123456”, followed by “123456789”. In fourth place was the word “password”. Most people use the same password or a derivative of it across multiple accounts, so they make it easier for scammers.
Shoulder surfing – Peeking over the victim’s shoulder
Some tried and tested long-time interception techniques continue to pose a risk. These presuppose the physical presence of the attacker near the victim-user, so that the first one has eye contact and can see the keyboard and the screen of the second. A more high-tech version, known as a “man-in-the-middle” attack involving WIFI wireless signal interception, can allow hackers connected to public WIFI networks to monitor the password as the unsuspecting user enters it while connected to the same node.
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
