What Can You Do to Protect Your Passwords from Getting Stolen?
You've heard all those security specialists who continue banging on about how your password should be long, random, full of a variety of different symbols and characters, and how it should look like nothing you've ever seen before. You might be wondering why those people seem so unnecessarily paranoid. Well, they're not paranoid.
They say all those things because today's cybercriminals have more than a few ways of guessing your password. By "guessing," we don't mean trying out "password," and when that doesn't work, giving "password1" a go. Today's password cracking attacks involve powerful hardware that can try out thousands of different combinations per second. That is why something short and simple like the name of your dog, which might have worked years ago, won't do much to stop the attackers right now. Password cracking and brute-forcing are something every computer user should be aware of, but it should also be pointed out that they are not the only way of compromising a password. Sometimes, all the criminals need to do to break into your account is to steal the login credentials.
How do cybercriminals steal passwords?
Password theft could actually be much easier than password cracking. Sometimes, the users are too negligent. In other cases, the service providers are at fault. It must be said, however, that attackers are good nowadays, and they are not to be underestimated. Here are some of the techniques they can use to get their hands on your passwords.
- Data breaches. It is a shame that in the 21st century, some online service providers have yet to come to grips with the task of securely handling users' login credentials. If sensitive data is stored correctly, hackers shouldn't be able to see it, even if they do manage to get their hands on it. Unfortunately, we've seen leaked passwords that have been hashed with weak algorithms or left in plain form. We've also seen sensitive data that's been put in a database and left completely unsecured and exposed to the Internet. In such cases, the hackers don't actually need to hack into anything. They just need to hit the Download button.
- HTTP. When you press the Login button on a page, your password and your username are sent to the server hosting the website, which checks whether they're correct. Before they get to that server, they travel through a number of different hubs, and they can be intercepted. That's why the form in which the data travels is extremely important. If you see HTTPS, along with a green padlock in the address bar of the browser, your login credentials will be encrypted before they're sent on their way, and if hackers steal them in mid-flight, they won't be able to read them. If, on the other hand, you see HTTP at the beginning of the URL, every piece of information will be sent in plain form, which means that it can easily be abused.
- Poorly configured free Wi-Fi networks. Once again, encryption is involved, only this time, it's between your device and the router in a hotel or a café. Wi-Fi is ubiquitous nowadays, and it must be said that its security has evolved over the last decade. That said, there are vulnerabilities even in the most recent protocols that encrypt the data between your device and the router. Exploiting them is not easy, and a hacker probably wouldn't bother trying to compromise your home network. When it comes to public wireless routers that handle the data of tens and probably hundreds of users, however, it's a bit of a different story.
- Phishing. Last but not least, we've got what is perhaps the simplest and easiest-to-pull-off type of cyberattack. Criminals love it so much because it aims to exploit the user. And no matter how many security precautions have been taken, if the user isn't careful enough, a successful attack is not only possible but likely. Blaming the regular people is easy, but it must be said that the phishers' techniques are becoming more and more sophisticated, and it's sometimes extremely difficult to spot that you're actually giving your credentials away to the crooks.
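To make the data-breach item above concrete, here is an added example (not part of the original article or of any vendor's code) that stores the same accounts two ways and checks what a leaked table would reveal. The account names, passwords, the PBKDF2 work factor and the record format are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example


def store_weak(password):
    """Unsalted fast hash: the 'weak algorithm' case."""
    return hashlib.md5(password.encode()).hexdigest()


def store_strong(password):
    """Fresh random salt per account plus a deliberately slow derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password, record):
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def shared_records(table):
    """Groups of users whose stored value is identical (same password, visibly)."""
    groups = {}
    for user, record in table.items():
        groups.setdefault(record, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts, not real data.
USERS = {"alice": "rex2015", "bob": "rex2015", "carol": "T9#vq!Lm2@xZ"}


def build_tables():
    """Return the same accounts stored the weak way and the strong way."""
    weak = {user: store_weak(pw) for user, pw in USERS.items()}
    strong = {user: store_strong(pw) for user, pw in USERS.items()}
    return weak, strong
```

In the weak table, alice and bob share one stored value, so anyone holding the dump can see they use the same password; in the salted table every record is different, yet the legitimate login check still succeeds.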
How can you protect your passwords from thieves?
Now that you know what crooks can do to steal your password, it's time to find out what you can do to protect it.
- When it comes to data breaches, not everything is under your control. After all, it's up to the vendor to ensure that its systems are secure and that the information is correctly stored. What you can control, however, is who you give your data to. Try to use trusted providers only, and don't create any online accounts unless you really need to.
- We're in quite a hurry nowadays, and when we navigate through different websites, security isn't the first thing on our minds. We have to change this, and one of the first steps is to take a peek at the address bar every time we enter our usernames and passwords. Look for the green padlock and the HTTPS protocol. HTTPS alone can't guarantee that your password won't be stolen, but without it, you can be almost certain that sooner or later, the crooks will get their hands on it.
- Avoid public Wi-Fi networks. Yes, cafés and hotels set up wireless networks for the sake of their clients' convenience, but they did it back when the adversaries had fewer resources and less knowledge. There's a heap of threats associated with free Wi-Fi, and if you do need to use it, make sure that your browsing doesn't involve any sensitive or private information. If it does, a trusted VPN service is the way to go.
- This inbox of yours could be hiding some pretty nasty things. Don't open any files or links you don't trust. Look carefully at who is sending the message, but even if the address looks legitimate, regard it with suspicion. If the email is saying that you need to change a password or validate an account that already exists, don't click any links in the message. Open a browser, type in the URL manually, and, after checking again for the green padlock, do what you need to do.
All the measures we've listed so far are preventive. Applying them will certainly help you build a better security posture, but even that might not be enough under some extreme circumstances. There are two other things you can do, however, to make sure that if all else fails, the damage will be contained.
- Enable Two-Factor Authentication (or 2-step verification). Two-Factor Authentication is a relatively simple mechanism that can protect you in case the crooks have your username and password. See how it works, check if the providers you use offer it, and make sure that it's on.
- Start managing your passwords properly. It's not easy, not when you try to do it on your own. But, as we mentioned already, when your passwords are complex, the hackers won't be able to crack them, and when they're unique, a single stolen password won't jeopardize all your online accounts. To help people take control of their passwords, we created Cyclonis Password Manager. It's a free tool that encrypts and stores login credentials, profile and payment information, and other sensitive data.