Whether it is the massive data breach at Marriott Hotels or the much smaller hack of your Facebook account, the question is the same: just how did those guys get into the accounts?
While there are probably 50 ways for the bad guys to hack your accounts, they probably aren’t using all of them. In fact, they are probably using just a handful. Knowing each strategy also makes it easier for you to defend yourself and the integrity of your various account login credentials and passwords. Here are 7 ways the bad guys can pick up your passwords and credentials – and 7 ways you can protect yourself.
1. Brute force
A brute-force attack is simply an attacker trying various password combinations and seeing – by simple trial and error – what works. It has gotten smarter over time for two reasons. First, attackers can generate huge lists of candidate passwords by computer. Second, thanks to the huge databases of stolen passwords from sources such as Yahoo and LinkedIn, attackers have good statistical data on how people really choose passwords.
Skip the bad passwords – using simplistic passwords such as 1234 or qwerty is the easiest way to fall victim. Use complex passwords of 12 characters including upper and lower case letters, numbers, and symbols.
2. Credential Stuffing
Credential stuffing has attackers trying to log in to accounts with a list of stolen credentials. They do it on a large scale with automated login requests, and they do it intelligently with real – albeit stolen – credentials such as user names and passwords.
Don’t recycle passwords – Stuffing works because there are huge databases of stolen credentials and passwords available on the black market and many people reuse the same credentials across their various accounts.
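One defensive way to tell the two patterns above apart in your own login logs, as an added example that is not from the original post: brute force shows many failures against one account from one source, while credential stuffing shows about one failure each against many different accounts from one source. The log format, the field names and the thresholds are assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log; assumed format "<ISO timestamp> <FAIL|OK> user=<name> ip=<addr>".
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:02 FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:03 FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:04 FAIL user=alice ip=203.0.113.5
2024-03-01T10:01:00 FAIL user=alice ip=198.51.100.7
2024-03-01T10:01:01 FAIL user=bob ip=198.51.100.7
2024-03-01T10:01:02 FAIL user=carol ip=198.51.100.7
2024-03-01T10:01:03 FAIL user=dave ip=198.51.100.7
2024-03-01T10:02:00 FAIL user=bob ip=192.0.2.9
2024-03-01T10:02:30 OK user=bob ip=192.0.2.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Yield (timestamp, result, user, ip) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            yield datetime.fromisoformat(ts), result, user, ip

def classify_sources(text, window=timedelta(minutes=5), min_failures=4):
    """Label each source IP as 'brute_force', 'credential_stuffing', 'mixed' or 'normal',
    counting only failures within `window` of that IP's first failure."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, result, user, ip in parse_log(text):
        if result == "FAIL":
            failures[ip].append((ts, user))
    verdicts = {}
    for ip, events in failures.items():
        events.sort()
        start = events[0][0]
        users = [u for ts, u in events if ts - start <= window]
        distinct = len(set(users))
        if len(users) < min_failures:
            verdicts[ip] = "normal"          # e.g. one user mistyping a password
        elif distinct == 1:
            verdicts[ip] = "brute_force"     # one account hammered with many guesses
        elif distinct * 2 >= len(users):     # most attempts hit different accounts
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "mixed"
    return verdicts
```

Running `classify_sources(SAMPLE_LOG)` labels 203.0.113.5 as brute force, 198.51.100.7 as credential stuffing and 192.0.2.9 as normal.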
3. Your favorite e-commerce site or ISP
It’s not just how you protect your private data. It’s also a question of how others secure the data they hold about you. Whether it is a hotel chain, a department store, or your local doctor, they all have data about you. Whether the cause is their poor patching discipline, storage of unencrypted data, or lack of two-factor authentication, the result is the same for you – your private credentials have been breached and leaked onto the black market.
Regularly change passwords. Watch the news. If a breach took place where you have an account – change that password. Thanks to new laws such as GDPR, there is also a greater likelihood that the breached company will contact you directly.
4. Phishing
Phishing involves fake emails and websites that have been constructed to look just like the real thing – with all the right text, colors, and logos. They want you to either just click on a link or enter your password data. Once done, you’ve just handed over your login credentials to the bad guys on a silver platter. Commonly distributed via email, PayPal-themed phishing attempts usually target individuals, while the fake invoices are often directed at company accounts.
Be skeptical – Whether at home or in the office, be careful about what you click on.
5. Public Wi-Fi
By definition, public Wi-Fi is not private. While it is obvious that what you browse there is not secure, a lesser-known risk is that your account credentials can be captured by the bad guys watching the network traffic.
Seal it up – Use a full-fledged VPN to keep all of your subsequent communication and login details in a secure encrypted envelope.
6. Data-stealing malware
The bad guys can use an assortment of malware to steal everything, from files on your device where passwords are stored all the way to keyloggers that track your keyboard activity.
Use an antivirus app – Have an up-to-date, tested antivirus app on your device.
7. Just pick it up
That piece of paper tucked away under your device with a list of account names and passwords could get lost or taken. It happened last year to a staff member at the American White House – he left his list at the bus stop.
Get a password manager. Really.