Passwords are strings of characters used to verify the identity of users during the authentication process. They are the security measure at the point of entry to personally identifiable information (PII). Password security is no joke, as passwords maintain the confidentiality of our sensitive information. According to the 2017 Data Breach Investigations Report from Verizon, around 81% of the password-related attacks in the world have been carried out either by stealing passwords or by exploiting weak passwords. One of the biggest mistakes we make while creating passwords is choosing easy-to-guess passwords. Common passwords based on keyboard patterns or phonebook entries make it easier for hackers to break into systems.
To make clear how hackers can get access to your passwords, here is a list of the top 10 most common password threats:
- User disclosure: One mistake we often make is sharing passwords with other people. This seems obvious, but you should never share or reveal your passwords to others. Avoid messaging or emailing your passwords to other people. You never know who is trustworthy and who is not, and even if the person is trustworthy, you never know whether they are the only one seeing that password. You should also avoid writing your important passwords in obvious places like mobile phones, sticky notes, and laptops. If you have to, write them in such a way that only you can understand.
- Social Engineering: It is a way of psychologically manipulating targets into revealing their passwords. Attackers may create social situations that encourage you to reveal your passwords. It is better to confirm the authenticity of calls, messages, and emails that ask you to share passwords.
- Phishing: It is also a kind of social engineering. In phishing scams, cybercriminals send you fancy emails or messages designed to encourage you to click on the fake links attached to them. As said earlier, it is always wise to check the authenticity of emails and messages.
- Key logging: It uses computer hardware or software to record every keystroke of the user in order to capture your passwords. In the case of hardware, it is always better to check your keyboard plug for any keylogger device inserted between the keyboard and the computer. Keylogging software is invisible to the user but may be recording your keystrokes on your computer. The best protection from keyloggers is informed use of your own computers and caution when using computers that are controlled by others.
- Wireless sniffing: It is always wise to avoid public Wi-Fi and to understand how wireless networks work. In wireless sniffing, attackers may intercept your passwords and information by setting up their own wireless hotspots and running packet sniffers at their end.
- Brute Force Guessing: Cybercriminals use software to try every possible password for your account until they find the right one. It is always better to use a long password that mixes lowercase and uppercase letters, numbers, and symbols, which makes it difficult for attackers to guess. Instead of using a password like ‘Command123’ you can create one like ‘c0mM@nD#9’. Also avoid using the same password for many accounts; you can use a trustworthy password manager (application) if you find it difficult to remember many passwords for different accounts.
- Dictionary attacks: A dictionary attack is a method of breaking into a password-protected computer or server by systematically trying every word in a dictionary as the password. Cybercriminals use dictionaries of popular password patterns.
- Spidering: Sophisticated attackers have recognized that professionals in a business often use passwords associated with the company itself. These cybercriminals have systematized this practice by crawling the company's websites to find words and phrases that could be used as passwords. This process is called spidering.
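The brute-force, dictionary and spidering threats above are all things a password policy can check for before a password is accepted. The following checker is an added example written for this article, not code from the article's author: it estimates the brute-force search space of a password from its length and character classes, undoes the common substitutions a dictionary attack already tries (lowercasing, stripping trailing digits and symbols, reversing "leetspeak"), and rejects passwords built from words harvested from the organisation's own website. The common-password list, the site word list and the 60-bit threshold are constructed assumptions for the example; a real deployment would load a breach-derived wordlist and crawl its own public pages.

```python
import math
import string

# Constructed sample of common passwords; a real deployment would load a
# breach-derived "top N" wordlist into this set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome", "iloveyou"}

# Constructed stand-in for words an attacker could harvest from an organisation's
# own website (the "spidering" threat); build this from your own public pages.
SITE_WORDS = {"acme", "acmecorp", "widgets", "rocket"}

# Character substitutions that dictionary attacks already account for.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                          "@": "a", "$": "s", "!": "i"})

MIN_BITS = 60  # policy threshold; an assumption chosen for this example


def candidates(password):
    """Forms of the password a dictionary attack would try: lowercased, with
    trailing digits/symbols removed, and with leetspeak substitutions undone."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return {lowered, stripped, lowered.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def charset_size(password):
    """Size of the smallest standard alphabet a brute-force attacker must search."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def brute_force_bits(password):
    """log2 of the number of strings with this length and alphabet. This is an
    upper bound on strength: it assumes the attacker knows nothing about structure."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to enumerate the whole search space at a given guess rate."""
    space = charset_size(password) ** len(password)
    return space / guesses_per_second / (365 * 24 * 3600)


def check_password(password, site_words=SITE_WORDS):
    """Return the list of threats from the article that this password is exposed to."""
    problems = []
    forms = candidates(password)
    if forms & COMMON_PASSWORDS:
        problems.append("dictionary attack: matches a common password")
    if any(word in form for form in forms for word in site_words):
        problems.append("spidering: contains a word from the organisation's own website")
    if brute_force_bits(password) < MIN_BITS:
        problems.append("brute force: search space below %d bits" % MIN_BITS)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords covering each check.
    for pw in ["123456", "P@ssw0rd1!", "AcmeRocket2024", "xq7!Lm2$Pv9&Zr4"]:
        print(pw, round(brute_force_bits(pw), 1), check_password(pw))
```

Note that `P@ssw0rd1!` looks strong by the brute-force estimate (ten characters from a 94-symbol alphabet, about 65 bits) yet is rejected, because the normaliser reduces it to `password`: substituting symbols for letters does not help against a dictionary attack that already tries those substitutions. The same normalisation catches company words with digits appended, which is exactly what spidering relies on. Length is the cheapest way to enlarge the brute-force search space, since every extra character multiplies it by the alphabet size.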
- Shoulder surfing: It is always wise to look around before entering your password into an account. Always check whether someone is trying to steal your password by looking over your shoulder.
- Security Questions: It is better to lie or to add random strings when answering the security questions set while creating usernames and accounts. Make sure you can still answer these security questions when you forget your password. Attackers who fail to guess the password during an attack will be asked to answer the security questions when resetting the password, and they cannot answer such questions.