We use passwords to protect our online accounts, personal data, and digital identities. Unfortunately, passwords are also a target for hackers who want to access that information for malicious purposes. How do hackers steal passwords, and what can we do to stop them? In this article, we explain the most common methods hackers use to crack, guess, or steal passwords, along with tips to protect yourself from each of them.
Brute Force Attacks
Hackers use brute force attacks to discover the password for a specific account. They typically use software that generates candidate passwords from information supplied to it and then tries each candidate against the login form. To speed this up, they usually run the attack from networks of compromised devices (botnets of "zombie" devices). Depending on the number of zombie devices, hackers can try tens of millions of passwords every second.
What can I do to protect myself?
- Use strong passwords. By strong, we mean long and complex: a mix of uppercase and lowercase letters, numbers, and symbols.
- Avoid using predictable personal information in your password, such as your name, surname, or birthdate.
[Figure: use at least 12 characters and make sure the password includes both uppercase and lowercase letters.]

Dictionary Attacks
Dictionary attacks are very similar to brute force attacks, but instead of generating every possible combination, hackers use predefined lists of likely passwords. If the password is weak and guessable, this method finds it much faster than a full brute force search. The following are among the most common entries in such lists:
- 123456
- password
- qwerty
- qwe123
- iloveyou
Dictionary attacks can also include words from specific languages and words that are relevant to the target user.
What can I do to protect myself?
Avoid simple, guessable passwords. Replace some letters with numbers and add symbols to your password. Do not use your name or the dates of important historical events.
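The two sections above describe the same arithmetic from the attacker's side: a brute force search grows with length and character set, while a dictionary attack skips that search whenever the password is on a list. The following Python script is an added example (not code from the article) that applies the article's own checks, at least 12 characters, several character classes, and not a common password or a trivial variant of one, and estimates how long a brute force search would take at the article's rate of roughly ten million guesses per second. The common-password list, the leet substitution table and the guess rate are assumptions for illustration.

```python
import math
import re

# Constructed sample of common passwords (the article's list plus a few more);
# a real check would use a far larger list, such as a breached-password corpus.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "qwe123", "iloveyou",
    "letmein", "admin", "welcome", "monkey", "dragon",
}

# Undo the most common letter-for-symbol swaps so "p@ssw0rd" is still caught.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})

# Character classes and the number of characters each adds to the search space.
CLASSES = {
    "lowercase": (r"[a-z]", 26),
    "uppercase": (r"[A-Z]", 26),
    "digits": (r"\d", 10),
    "symbols": (r"[^A-Za-z0-9]", 33),  # printable ASCII punctuation
}


def normalise(password: str) -> str:
    """Lower-case, drop trailing digits/symbols ('iloveyou2024!'), undo leet swaps."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET)


def brute_force_bits(password: str) -> float:
    """Size of the search space, in bits, if the password were a uniformly
    random string over the character classes it actually uses."""
    size = sum(n for pattern, n in CLASSES.values() if re.search(pattern, password))
    return len(password) * math.log2(size) if size else 0.0


def seconds_to_crack(bits: float, guesses_per_second: float = 1e7) -> float:
    """Expected time to hit the password (half the space) at a given guess rate.
    The default of ten million guesses/second is the article's botnet figure."""
    return 2 ** bits / 2 / guesses_per_second


def evaluate(password: str) -> dict:
    """Apply the article's recommendations and attach a brute force estimate."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    used = [name for name, (pattern, _) in CLASSES.items() if re.search(pattern, password)]
    if len(used) < 3:
        problems.append("uses only " + ", ".join(used))
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("is a dictionary password (or a trivial variant of one)")
    bits = brute_force_bits(password)
    return {
        "bits": round(bits, 1),
        "seconds_to_crack": seconds_to_crack(bits),
        "classes": used,
        "problems": problems,
        "acceptable": not problems,
    }


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd", "iloveyou2024!", "Tr0ub4dor&3-horse-staple"):
        print(candidate, evaluate(candidate))
```

Note that the bit estimate is an upper bound: it assumes the password is random, which is exactly what a dictionary attack bets against. A password like "P@ssw0rd" scores over 50 bits by this arithmetic but is rejected by the dictionary check, which is why both checks are needed.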
Data Intercepts
Data interception, technically called a man-in-the-middle (MITM) attack, is a technique hackers use to obtain passwords by capturing data as it travels between two devices, such as your computer and a website. Hackers intercept data by exploiting weaknesses in the network or in the encryption protocols. One of the most common methods is to set up a rogue Wi-Fi network that mimics a legitimate public one.
What can I do to protect myself?
To avoid data interception, always use secure, encrypted (HTTPS) connections when accessing websites. Make sure the padlock icon appears in your browser and that the URL begins with https://, as shown below:

If possible, do not log into sensitive accounts or banking websites over public Wi-Fi. If you must use public Wi-Fi, use a trusted VPN.
Phishing
Phishing is one of the techniques hackers use most often. It involves sending fake emails, messages, phone calls, and similar communications that pretend to come from legitimate sources such as banks, email providers, or government agencies. The goal is to trick the user into clicking malicious links, downloading malicious attachments, or handing over sensitive personal information. Hackers usually try to scare and rush you, because people under pressure make more mistakes. A phishing email may claim that your account has been compromised and ask you to verify your password or update your payment information by clicking a link. In reality, the link leads to a fake website designed to steal your login credentials.
What can I do to protect myself?
Always be careful when opening and reading new emails and messages. Verify the sender's address or phone number to make sure it belongs to a trusted source. Do not open attachments you were not expecting from that specific sender. Never click an unknown URL sent to you through any communication channel. Use antivirus software and spam filters to catch potential phishing emails.
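The checks above (look at the real sender address, look at where a link really goes, be suspicious of pressure) can be automated. The Python script below is an added example, not code from the article, that scores an email against the domain the message claims to come from: it compares the sender's domain with the claimed one, looks for the urgency language the article describes, and extracts every link to check that it uses HTTPS and actually points at the claimed organisation. The urgency phrase list and the "last two DNS labels" domain comparison are simplifying assumptions; the sample messages are constructed and use the reserved .example top-level domain.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases of the kind the article describes ("scare you and rush you").
URGENCY_PHRASES = ("verify", "suspended", "immediately", "within 24 hours", "locked", "unusual activity")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two DNS labels. A deliberate simplification (assumption: no public
    suffix list) that still exposes the trick of putting the real brand in a
    subdomain: 'examplebank.example.login-check.example' -> 'login-check.example'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(from_header: str, claimed_domain: str, body_html: str) -> list:
    """Return human-readable reasons why a message claiming to come from
    `claimed_domain` looks like phishing. An empty list means nothing was found."""
    indicators = []
    _display_name, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2]
    if registrable_domain(sender_domain) != registrable_domain(claimed_domain):
        indicators.append(f"sender address {address} is not under {claimed_domain}")

    # Strip tags so phrase matching sees only the visible text.
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    found = [p for p in URGENCY_PHRASES if p in text]
    if found:
        indicators.append("urgency language: " + ", ".join(found))

    extractor = LinkExtractor()
    extractor.feed(body_html)
    for visible, href in extractor.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            indicators.append(f"link '{visible}' is not HTTPS: {href}")
        if registrable_domain(host) != registrable_domain(claimed_domain):
            indicators.append(f"link '{visible}' actually goes to {host}")
    return indicators


# Constructed sample messages (from header, claimed organisation domain, HTML body).
SUSPICIOUS_MAIL = (
    "Example Bank Security <alerts@examplebank-security.example>",
    "examplebank.example",
    '<p>Your account has been suspended. Please '
    '<a href="http://examplebank.example.login-check.example/verify">verify your password</a> '
    'within 24 hours.</p>',
)
LEGITIMATE_MAIL = (
    "Example Bank <alerts@examplebank.example>",
    "examplebank.example",
    '<p>Your monthly statement is ready. '
    '<a href="https://www.examplebank.example/statements">View statements</a></p>',
)

if __name__ == "__main__":
    for name, mail in (("suspicious", SUSPICIOUS_MAIL), ("legitimate", LEGITIMATE_MAIL)):
        print(name, phishing_indicators(*mail))
```

Run as written, the constructed suspicious message produces four indicators (sender domain, urgency language, a plain-HTTP link, and a link whose real host is not the bank's), and the legitimate one produces none. A spam filter does essentially this at scale, with far longer phrase lists and a proper public suffix list instead of the two-label shortcut.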
Credential Stuffing
Credential stuffing is a method that involves testing previously stolen username and password pairs against online accounts to see whether they are still valid. Hackers usually obtain these credentials from data breaches. Because it is common for people to reuse the same password across different accounts, hackers can use automated tools to try millions of stolen pairs in a short time and gain access to other online services.
What can I do to protect myself?
Use a unique password for each online service. For example, you might pick a generic password and prepend the consonants of the service's name to create a unique variant for each service, as shown below:
generic password: eRcashk123!!
twitter password: twtr-eRcashk123!!
gmail password: gml-eRcashk123!!
icloud password: cld-eRcashk123!!
Change your passwords on a regular basis, and regularly check whether your email address appears in a known data breach.
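From the service operator's side, credential stuffing has a recognisable shape in the login logs: one source address tries many different accounts in quick succession, nearly all of them fail, and the few that succeed are the reused passwords the article warns about. The Python script below is an added example (not code from the article) of that detection logic run over a constructed log sample. The log format, the five-minute window, the thresholds and the IP addresses (from the RFC 5737 documentation ranges) are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not from the article): one line per login attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag each source address that, within any `window`, tried at least
    `min_users` distinct accounts with mostly failed logins. Many accounts with
    roughly one attempt each is what separates stuffing from a brute force run
    against a single account, which this function deliberately does not flag."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):  # sliding window over this source's attempts
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(not e["ok"] for e in span)
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                candidate = {
                    "src": src,
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "failures": failures,
                    # accounts the attacker got into: these need a forced password reset
                    "compromised": sorted(e["user"] for e in span if e["ok"]),
                }
                if best is None or candidate["attempts"] > best["attempts"]:
                    best = candidate
        if best:
            alerts.append(best)
    return alerts


# Constructed sample log: one stuffing run, one ordinary user who mistyped
# twice, one single-account brute force attempt, and one malformed line.
SAMPLE_LOG = """
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=frank result=OK
2024-05-01T10:01:00Z src=198.51.100.9 user=grace result=FAIL
2024-05-01T10:01:20Z src=198.51.100.9 user=grace result=FAIL
2024-05-01T10:01:40Z src=198.51.100.9 user=grace result=OK
2024-05-01T10:02:00Z src=203.0.113.77 user=henry result=FAIL
2024-05-01T10:02:01Z src=203.0.113.77 user=henry result=FAIL
2024-05-01T10:02:02Z src=203.0.113.77 user=henry result=FAIL
this line is malformed and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

On the sample, only 203.0.113.5 is reported: six accounts in six seconds, five failures, and one success ("frank"), which is the account whose reused password should be reset first. The user who mistyped twice and the single-account brute force attempt do not meet the distinct-user threshold, so they are left to other rules.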
For more details on how to create a strong password, check out this article: https://alperensoyalp.com/how-to-create-a-strong-password/