Learn how the bad guys try to snatch them and how to keep them safe!
Have you ever stopped to think about how someone might actually steal your password? It sounds like something out of a spy movie, but unfortunately, it's a very real and common threat. In fact, according to reports from IBM, stolen passwords are the number one way attackers get into systems. The good news is, by understanding their methods, you can significantly boost your own defence.
This blog post, drawing on insights from a video by IBM Technology, will break down five common ways hackers try to get your passwords.
Don’t worry, we’re not giving away any secret hacker knowledge the bad guys already know this stuff! Our goal is to empower you, the "good guys," with the knowledge you need to stay safe.
The Sneaky Five
How Hackers Try to Crack Your Code
Let's dive into the five key methods discussed in the video:
Guessing Games: Sometimes It’s Just a Shot in the Dark
Imagine a burglar simply trying every key they have in the lock. That's essentially what password guessing is. The attacker tries to log in using common passwords or information they might know about you. This could be anything from your pet's name to obvious sequences like "123456".
1. Where do they get their guesses?
- Imagination or basic knowledge: They might just take a wild stab based on common sense or what they know about you.
- Sticky notes and visible clues: Believe it or not, hackers sometimes rely on people writing down their passwords on sticky notes near their computers the video refers to these collections as the "PC sunflower".
- Password databases from past breaches: When websites or services get hacked, their password lists sometimes end up online. Attackers can use these massive lists of real passwords to try on other systems.
Luckily, most systems have a built-in defence against simple guessing “the three-strikes-and-you’re-out rule”. After a few failed login attempts, your account usually gets locked, preventing endless guessing. This is why simply guessing isn’t usually a very effective method for attackers unless they get very lucky or have some good clues.
2. Password Harvesting: When They Already Know (or Think They Do)
This method is more sophisticated than just guessing because the attacker aims to obtain your actual password without having to guess. There are a couple of common ways this happens.
- Malware - The Silent Spy: Imagine a tiny program secretly recording everything you type on your computer, including your passwords. This type of malicious software is called a “keylogger” or an information stealer. The hacker then collects this information, giving them your passwords directly. This is why keeping your devices free from malware is crucial.
- Phishing - The Fake Website Trap: Have you ever received an email that looked like it was from your bank or a social media site, asking you to log in? This could be a phishing attack. The email directs you to a fake website that looks very similar to the real one. When you enter your username and password on this fake site, you’re actually handing your credentials directly to the attacker.
In both these harvesting scenarios, the attacker doesn't need to guess – they've effectively tricked you or your computer into giving them the keys to your accounts.
3. Password Cracking: Decoding the Digital Vault
Most websites and apps don’t store your password in plain text. Instead, they use a process called hashing, which turns your password into a scrambled code. This means that even if a hacker breaks into a system and steals the password database, they won’t see your actual password. However, resourceful attackers have ways to try and figure out the original password through a process called cracking.
- How does cracking work? Since hashing is a one-way process (it can’t be easily reversed), attackers try to “back their way” into discovering your password. They do this by:
I . Using lists of common passwords: They take publicly available lists of frequently used passwords or password dictionaries.
II. Applying the same hashing process: They take a password from their list, hash it using the same method as the hacked system, and then compare the resulting code to the stolen hashed passwords.
III. Checking for a match: If the codes match, they know the original password, even though they never "broke" the encryption.
IV. Brute force (the last resort): In a more time-consuming approach, they might try every possible combination of characters until they find a match.
So, while they can't directly reverse the hashing, they can try enough guesses and comparisons to potentially uncover the original passwords.
4. Password Spraying: One Key, Many Doors
Imagine a master key that an attacker tries on multiple doors within the same building. That’s the idea behind password spraying. Instead of trying many different passwords on one account (which would likely trigger the three-strikes rule), the attacker takes a “Single, Common Password” and tries it on many different user accounts within the same system.
- Why does this work? People often reuse the same passwords across multiple accounts. So, a password that was exposed in a previous data breach elsewhere might still work for someone on a different system.
- The advantage for the attacker: By only trying one password per account, they can avoid triggering account lockouts and stay under the radar. They don’t need to get into every account; they just need to find one that uses that common password.
5. Credential Stuffing: Spreading the Net Wider
Credential stuffing is very similar to password spraying, but instead of focusing on multiple accounts within a single system, the attacker takes a known username and password combination (often obtained from previous data breaches) and tries it across many different websites and services.
- The logic: Just like people reuse passwords, they often reuse usernames (like their email address) as well. If a hacker has a list of usernames and passwords from one hacked site, there’s a good chance some of those combinations will work on other sites too.
- Harder to detect: This type of attack can be even harder to spot because the login attempts are spread across different systems, and the security teams for each individual system might not see the bigger picture.
Fortifying Your Digital Castle: How to Stay Safe
Now for the most important part: what can you do to protect yourself from these attacks?
Let’s focus on what you can do for prevention.
- Build Strong Walls (Password Strength): When creating passwords, aim for a good level of complexity and, more importantly, “length”. Longer passwords are generally much harder to crack than shorter, complex ones.
- Avoid the Known Weaknesses: When choosing a password, make sure it doesn’t appear on lists of known vulnerable passwords (many systems will check this for you).
- Different Keys for Different Doors (Unique Passwords): Try your best to use a unique password for every website and service you use. This means that if one account is compromised, the attackers won’t automatically have access to all your other accounts.
- Your Digital Bodyguard (Password Managers): Password managers are tools that can generate strong, unique passwords for you and securely store them, so you don’t have to remember them all. They can significantly reduce your risk of reusing passwords.
- Double the Locks (Multi-Factor Authentication - MFA): Don’t rely on just a password. Enable multi-factor authentication whenever possible. This adds an extra layer of security, often requiring a code from your phone or a biometric scan (like your fingerprint or face ID) in addition to your password. This means even if an attacker steals your password, they likely won’t be able to log in without that second factor.
- Consider the Ultimate Key (Passkeys): Use “passkeys” as a more secure alternative to passwords. These are based on cryptography and offer a stronger form of authentication. If you have the option, consider using passkeys.
- Guard the Gate (Be Wary of Phishing): Always be suspicious of emails or messages asking you to log in to your accounts, especially if they seem urgent or unexpected. Double-check the website address to make sure it’s legitimate before entering your credentials.
- Keep Your System Clean (Avoid Malware): Install and regularly update antivirus and anti-malware software on your devices to protect against keyloggers and other malicious programs.
Stay Vigilant, Stay Secure
Understanding how hackers try to steal your passwords is the first step towards protecting yourself in the digital world. By implementing strong password practices, using password managers and multi-factor authentication, and staying vigilant against phishing and malware, you can significantly reduce your risk of becoming a victim. Remember, making life harder for the bad guys is the goal! Stay safe out there!
