Passwords are the virtual “keys” to the digital world, and accordingly hackers try imaginative ways to gain access to sensitive data on personal computers and in large organizations.
With compromised passwords a hacker can:
- Steal personal user information and then sell it to other criminals.
- Sell the passwords themselves directly, since marketplaces on the “dark web” trade handsomely in this information.
- Use the passwords to unlock other accounts protected by the same password.
Cybersecurity firm ESET unveiled the five key ways hackers steal passwords:
Phishing and social engineering
In phishing, hackers disguise themselves as friends, relatives, companies you have dealt with, and so on. The email or text you receive will look authentic, but it will include a malicious link or attached file which, if you click it, will download malware or take you to a website that asks you to fill in your personal information.
Phishing emails are a primary vector for delivering password-stealing malware, although you can also be a victim by clicking a malicious advertisement on the internet (malvertising) or by visiting a compromised website (drive-by download). Malware can even be hidden in a mobile app that looks legitimate, which is often found in third-party app stores. There are various kinds of malware that steal information, but some of the most common ones are designed to record keystrokes or take snapshots of the device screen and send them to the attackers.
Brute-force attacks
Many people use passwords that are easy to remember (and therefore easy for someone else to guess) and reuse them on many different websites. This opens the door to so-called brute-force techniques. One of the most common is credential stuffing, in which attackers feed automated software large volumes of username/password combinations that were compromised in past breaches. The tool then tries these combinations on a large number of websites, hoping to find a match.
That way, hackers can unlock multiple accounts with a single password. According to one estimate, last year there were about 193 billion such attempts worldwide. Another brute-force technique is the password spraying attack, in which hackers use automated software to try a short list of frequently used passwords against many user accounts.
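From the defender's side, both techniques leave a recognizable footprint in authentication logs: one source address touching many distinct accounts with only one or two failures each (spraying), or a burst of attempts against usernames that do not exist on your site at all, because the list came from someone else's breach (stuffing). The following is an added example, not code from the ESET article; the log format, thresholds and sample lines are constructed for illustration and would need adapting to a real identity provider's logs.

```python
"""Flag password-spraying and credential-stuffing patterns in auth logs.

Added example, not part of the original article. The log format
("<timestamp> <source_ip> <username> <result>"), the thresholds and the
sample lines are all constructed assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log. Results: OK, BAD_PASSWORD (account exists,
# wrong password) or NO_SUCH_USER (username unknown to this site).
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice BAD_PASSWORD
2024-03-01T10:00:02 203.0.113.7 bob BAD_PASSWORD
2024-03-01T10:00:03 203.0.113.7 carol BAD_PASSWORD
2024-03-01T10:00:04 203.0.113.7 dave BAD_PASSWORD
2024-03-01T10:00:05 203.0.113.7 erin BAD_PASSWORD
2024-03-01T10:00:06 203.0.113.7 frank OK
2024-03-01T10:01:00 198.51.100.9 j.smith@example.org NO_SUCH_USER
2024-03-01T10:01:01 198.51.100.9 k.lee@example.org NO_SUCH_USER
2024-03-01T10:01:02 198.51.100.9 alice OK
2024-03-01T10:01:03 198.51.100.9 m.chen@example.org NO_SUCH_USER
2024-03-01T10:01:04 198.51.100.9 pat NO_SUCH_USER
2024-03-01T10:01:05 198.51.100.9 bob BAD_PASSWORD
2024-03-01T10:05:00 192.0.2.44 alice BAD_PASSWORD
2024-03-01T10:05:10 192.0.2.44 alice BAD_PASSWORD
2024-03-01T10:05:20 192.0.2.44 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|BAD_PASSWORD|NO_SUCH_USER)$")


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "result": result})
    return events


def spray_sources(events, min_accounts=5, max_per_account=2):
    """Password spraying: one source fails against many existing accounts,
    but only a few times per account (so per-account lockout never fires)."""
    failures = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "BAD_PASSWORD":
            failures[e["ip"]][e["user"]] += 1
    flagged = [
        ip for ip, per_user in failures.items()
        if len(per_user) >= min_accounts
        and max(per_user.values()) <= max_per_account
    ]
    return sorted(flagged)


def stuffing_sources(events, min_attempts=5, unknown_ratio=0.5):
    """Credential stuffing: a breach list from another site produces a high
    share of NO_SUCH_USER results. Returns {ip: [accounts that logged in OK
    from that ip]} so those accounts can be triaged for forced reset."""
    attempts = defaultdict(list)
    for e in events:
        attempts[e["ip"]].append(e)
    flagged = {}
    for ip, evs in attempts.items():
        if len(evs) < min_attempts:
            continue
        unknown = sum(1 for e in evs if e["result"] == "NO_SUCH_USER")
        if unknown / len(evs) >= unknown_ratio:
            flagged[ip] = sorted({e["user"] for e in evs if e["result"] == "OK"})
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", spray_sources(evs))
    print("stuffing sources and accounts to review:", stuffing_sources(evs))
```

In the constructed sample, 203.0.113.7 is flagged for spraying (five accounts, one failure each), 198.51.100.9 is flagged for stuffing (four of six usernames do not exist) with alice's successful login from it marked for review, and 192.0.2.44, a single user who mistyped twice and then succeeded, is not flagged by either rule. The thresholds are a starting point; tune them against your own baseline before alerting on them.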
Although hackers have automated tools at their disposal for cracking passwords, sometimes these are not even necessary: simple guesswork, as opposed to the more systematic approach of a brute-force attack, can do the job. The most common password of 2020 was “123456”, followed by “123456789”. In fourth place was the word “password”. Most people use the same password or a derivative of it across multiple accounts, which makes the scammers' job easier.
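The practical defence against guessable passwords is to reject them at the point where they are set, and to catch the obvious derivatives (“Password123!”, “P@ssw0rd”) as well as the exact strings. The following is an added example, not code from the article or from ESET; the tiny blocklist, the leetspeak map and the eight-character minimum are constructed assumptions, and a real deployment would load a full breached-password list instead.

```python
"""Reject common passwords and their simple derivatives.

Added example, not part of the original article. The blocklist, the
character substitution map and the minimum length are assumptions for
illustration; production code would use a full breached-password list.
"""
import re

# Constructed mini blocklist; the first three entries are the ones the
# article names as the most common passwords of 2020.
BLOCKLIST = {"123456", "123456789", "password", "qwerty", "letmein"}

# Common keyboard-style substitutions, reversed: p@ssw0rd -> password.
LEET = str.maketrans("@$013457!", "asoleasti")

# Leading/trailing digits and punctuation that people bolt on to a word.
AFFIX_RE = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def normalize_variants(pw):
    """Return the set of normalized forms a password should be checked as."""
    base = pw.lower()
    variants = {base}
    stripped = AFFIX_RE.sub("", base)
    if stripped:                      # "123456789" strips to "", keep base only
        variants.add(stripped)
    for v in list(variants):          # also undo leetspeak on each form
        variants.add(v.translate(LEET))
    return variants


def check_password(pw, blocklist=BLOCKLIST, min_len=8):
    """Return (accepted, reason). Rejects short passwords and anything that
    reduces to a blocklisted string after stripping affixes and leetspeak."""
    if len(pw) < min_len:
        return (False, "too short")
    for v in sorted(normalize_variants(pw)):
        if v in blocklist:
            return (False, f"common password or derivative ('{v}')")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ["123456", "123456789", "Password123!", "P@ssw0rd", "Tr0ub4dor&3"]:
        print(repr(candidate), "->", check_password(candidate))
```

The normalization is deliberately simple: it catches the suffix-and-substitution habits the article describes, not every transformation a cracker's rule set would apply. Its value is that the check happens before the password is ever stored, which is the one moment the defender controls.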
Shoulder surfing – Peeking over the victim’s shoulder
Some tried and tested interception techniques from long ago continue to pose a risk. These presuppose the physical presence of the attacker near the victim, so that the attacker has a direct line of sight to the victim's keyboard and screen. A more high-tech version, known as a “man-in-the-middle” attack and involving interception of the Wi-Fi wireless signal, can allow hackers connected to a public Wi-Fi network to capture a password as the unsuspecting user enters it while connected to the same access point.