Breaking Down Common Password Mistakes: Understanding the Vulnerabilities



It is said that the first digital form of a password was invented by MIT professor Fernando Corbato in the year 1961. However, using passwords in other forms had existed long before that. 

Ever since humans first felt the need to keep their belongings and possessions safe and secure, they have devised means of doing so. 

Earlier, these took the form of vaults, strongholds, locks, and keys; today we find them mostly in the form of digital passwords and other computerized authentication technologies. 

This is because, over time, what we consider resources or assets has shifted from tangible objects such as gold, silver, and rubies to intangible things such as data and information. 

Hence, at present, I believe there is nothing more important than strong passwords, and there is nothing more scary than having your data or information compromised as a result of exploitation of such passwords.


Complete Security is a myth


Now, you have to understand that complete security, both in the physical and digital realms, is a myth. There is nothing impossible, and there is nothing impenetrable in this world. If there is a lock, there is always a way to unlock the lock. If there is a vault, there is always a way to break the combination into the vault. And, if there is a locked account or device, then there is always a way to gain access to such an account or device. Nothing is completely safe or secure. Every key can be broken, and every secured system can be accessed, one way or the other. “Complete Security is just a myth.”

Hence, the best you can do or try to achieve is to try to secure your accounts and devices as much as possible. There is no 100% success rate, but you can aim for 99%. 

In this article, we will discuss everything there is to know and learn about passwords, as well as the various ways and means with the help of which you should be able to reach that 99% pretty easily and efficiently.


Know your Enemy


A good hacker is always very persistent. Where skills play a major role in the game of hacking and penetrating into systems, persistence and patience play an even greater role. Hence, in order to beat a hacker trying to find vulnerabilities in your system and exploit them, you must try to break this persistence and patience by pulling the game as long as you can. 

Hence, the main ‘key’ here is to choose a password that takes a very, very long time to crack. By the time you reach the end of this article, I am pretty certain that you will be able to do just that quite effectively.


Types of Password Attacks


In order to prevent something from happening, you must know how that something is happening. 

This knowledge will not only help you use the various tricks to make your password stronger, but will also allow you to devise your own ways of keeping your system protected and uncompromised. 

So, what are the different types of Attacks that a Hacker might carry out?

They may be as follows: 

  • Phishing Attacks
  • Brute-Force Password Attacks
  • Dictionary Password Attacks
  • Password Spraying Attack
  • Keylogging
  • SQL Injection

The above are some of the very common and widely used password attacks out there that a hacker might employ to find vulnerabilities and crack passwords to gain access to your accounts and systems. 

Obviously, there may be other attacks as well, since new vulnerabilities and new approaches to cracking passwords keep appearing every other day. Hence, it is very important that you keep yourself up to date by keeping track of what new attacks have developed and how to deal with them. This way, you can always keep your data safe and uncompromised in the long run. 

So, to understand how these attacks work and how they might help hackers gain access to your accounts and devices, let us have a look at each one in detail and discuss the remedies for dealing with them as well. 

1. Phishing Attacks

Strictly speaking, this would not count as a phishing attack by itself, but you can call it more or less the beginning of such attacks. In this kind of attack, a hacker will basically impersonate you in order to find out details of your login credentials, using other data and information linked to you, such as your D.O.B., permanent home address, or other ID credentials from websites and organizations where you might be enlisted or subscribed. 

There may also be times when an attacker impersonates an executive of an organization or service you are subscribed to, in order to trick you into giving away your credentials on your own. Hence, when such callers ask you for your personal information in the name of service or to verify your identity, you must always reply with caution and only proceed if you are confident that the other party is genuine and actually is who they claim to be.

Now, coming back to how hackers use such data as your credentials: in most cases, they sell your personal data to big ad companies or on the dark web, where anybody can auction such data and use it for malicious purposes, landing you in trouble or exposing your account to multiple malicious attacks. 

2. Brute-Force Password Attacks

The next type of attack, known as ‘Brute-Force’ is more or less a general attack covering a wider range of small attacks, so to speak. 

This basically comprises all such attacks out there involving the ‘trial & error’ approach. 

In this type of attack, a hacker tries multiple passwords against multiple accounts, in every combination, using various tools that run the process at computational speed, making the task of finding which combination works by trial and error a piece of cake. 

The attacks, which we will be further discussing below, may be linked to brute force attacks either directly or indirectly.

One may, however, think such an attack to be tedious, since every credential has to be combined with every other one. But let me assure you that is not true. An individual with the right tools and the right resources can easily crack open an account and gain access to it in no time. 

3. Dictionary Password Attacks

One of the most common and widely used attacks out there would undoubtedly be a dictionary password attack. I would call this the go-to attack for hackers, both beginners and experts. There is just no hacker in this world who would not know how to execute such an attack or would not love it. 

Given that you have the proper tools to execute such an attack, all you need to do is get your hands on a good password dictionary consisting of passwords that users have actually used to date, or of all possible passwords that a user might be using on his or her profile. And voila! A simple attack with the tool trying out all such passwords against a single user ID should do the trick. 

All a hacker needs here is the Username or User ID, and accessing an account is very much possible. 

4. Password Spraying Attack

It’s pretty similar in concept to a Dictionary Attack. Here, in order to crack a password, a hacker, instead of trying different passwords in combination with a single User ID or username, tries multiple different accounts or usernames with a single password.

There is always a chance that a commonly used password will give access to an account, or to multiple accounts using the same password. Hence, it is always important that you create a password as “unique” as it can be, and not something that is easy and may be commonly used. 
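The three trial-and-error attacks above leave different fingerprints in an authentication log: a brute-force or dictionary run hammers one account with many guesses, while a spraying run touches many accounts with one or two guesses each. The detector below, an added example that is not code from the article, runs over a constructed log sample (the line format, source addresses, and thresholds are all assumptions) and flags each pattern from the failed logins alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log sample (not from any real system). Source
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=203.0.113.7 user=alice result=FAIL
2024-03-01T09:00:03 src=203.0.113.7 user=bob result=FAIL
2024-03-01T09:00:05 src=203.0.113.7 user=carol result=FAIL
2024-03-01T09:00:07 src=203.0.113.7 user=dave result=FAIL
2024-03-01T09:00:09 src=203.0.113.7 user=erin result=FAIL
2024-03-01T09:00:11 src=203.0.113.7 user=frank result=FAIL
2024-03-01T09:01:00 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:01:05 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:01:10 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:01:15 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:01:20 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:01:25 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:01:30 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:01:35 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:01:40 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:01:45 src=198.51.100.9 user=bob result=FAIL
2024-03-01T09:05:00 src=192.0.2.4 user=alice result=FAIL
2024-03-01T09:05:20 src=192.0.2.4 user=alice result=OK
"""

# Assumed line layout: ISO timestamp, then key=value fields separated by spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        fields = match.groupdict()
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        yield fields


def detect(log_text, window=timedelta(minutes=10),
           spray_min_users=5, spray_max_per_user=2, brute_min_attempts=10):
    """Return a set of (source, finding) pairs derived from failed logins.

    Thresholds are assumptions for the demonstration; tune them to your own
    traffic. A legitimate user mistyping once (192.0.2.4) triggers nothing.
    """
    failures = defaultdict(list)  # source address -> [(timestamp, user), ...]
    for event in parse_log(log_text):
        if event["result"] == "FAIL":
            failures[event["src"]].append((event["ts"], event["user"]))

    findings = set()
    for src, events in failures.items():
        events.sort()
        # Slide a time window over this source's failures, counting per user.
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            busiest = max(per_user.values())
            # Spraying: many distinct accounts, only a guess or two against each.
            if len(per_user) >= spray_min_users and busiest <= spray_max_per_user:
                findings.add((src, "password_spraying"))
            # Brute force / dictionary: many guesses piled onto one account.
            if busiest >= brute_min_attempts:
                findings.add((src, "brute_force"))
    return findings


if __name__ == "__main__":
    for src, kind in sorted(detect(SAMPLE_LOG)):
        print(f"{src}: {kind}")
```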

5. Keylogging

Where brute-force attacks are usually carried out by trial and error, which may be time-consuming as well as resource-consuming, there are other attacks where the only thing needed is the installation of a simple tool such as a keylogger or a RAT, after which an attacker can see whatever a user types or does on their PC.

Keyloggers are apps or tools that record the keystrokes a user types on the keyboard and store them in a readable format. This record, consisting of all the keystrokes a user might have entered while logging in to their accounts, is then retrieved by the hacker later on, and that data is used to gain access. 

6. RAT attack

Just like a keylogger attack, as discussed above, a RAT attack also involves installing a malicious RAT program on the victim’s system, which then enables the attacker to monitor and keep track of everything the victim does on screen. 

Once such a tool or program has been installed on your system, with or without your knowledge, it lets a hacker see everything you do on your PC, remotely from anywhere in the world, as long as you are connected to the internet or to any other form of wireless connection. 

Thus, with the help of tools such as keyloggers and RAT programs, one can easily watch whatever you do on your PC and use it to gain access to the accounts you logged in to while such malicious apps were doing their job in the background. 

7. SQL Injection Attack 

Where the above attacks usually dealt with approaches carried out from outside or from inside a user’s (victim’s) system, there may also be attacks where an attacker does not even have to deal with the victim directly. 

This is called a database attack. If a website’s database holds your personal details, breaking into that server is often easier than hacking into an account separately. In such cases, gaining access to a server database and obtaining login information or other useful information is a much better and more profitable option for a hacker. SQL injection, where untrusted input supplied to the website ends up being run as part of a database query, is one of the most common ways such a database gets breached. 
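To make the database-attack point concrete, here is an added example (not code from the article) of a login check written two ways against a constructed in-memory SQLite table: one that pastes user input into the SQL text, and one that passes the input as a query parameter so the database never treats it as code. The table contents, names, and the plaintext password column are assumptions made to keep the demonstration short.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a website's login database.
    Passwords are stored in plaintext only to keep the example short; a real site
    stores a salted hash instead (assumption for the demonstration)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The query text is assembled by concatenating user input, so a quote inside
    the input ends the string literal and the rest is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text and are
    compared as data, so the same input simply fails to match."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both login checks with the real password and with a quote-bearing value.

    The value below is the textbook illustration found in every injection
    write-up: it closes the string and appends an always-true condition."""
    conn = make_db()
    real = "correct horse battery staple"
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_with_real_password": login_vulnerable(conn, "alice", real),
        "vulnerable_with_tautology": login_vulnerable(conn, "alice", tautology),
        "hardened_with_real_password": login_hardened(conn, "alice", real),
        "hardened_with_tautology": login_hardened(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

Only the last line of the output differs between the two versions, which is exactly the difference between a server that leaks every account and one that does not.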


Common Password Mistakes


Now that you have seen and understood what the various kinds of password attacks there are and how they can be used to decode and crack passwords, let us next have a look at some of the most common and easily made mistakes by people out there, leading to accounts and devices getting easily compromised. 

1. Using weak and predictable passwords

By now, you must have already figured out, or were already aware, that using weak or predictable passwords for your accounts is one of the worst mistakes you can make, as it compromises the security of your systems and accounts. 

Hence, it is very important that you always try to come up with strong passwords and, at the same time, follow good password practices to avoid any vulnerabilities that may compromise your security. 

Also, to help you understand which kinds of passwords work best and how to develop more effective ones, ExpressVPN’s research on passwords is one resource you should find really useful for understanding the more ‘technical aspect’ of password protection, and for using that knowledge later on to frame strong and effective passwords. The research provides a more detailed and elaborate explanation of most of these topics and common mistakes, as well as what to do and what not to do when it comes to passwords and password framing.

2. Reusing the same passwords for multiple accounts

Another very common mistake people often make is keeping the same password for multiple accounts. Obviously, it makes things easy for the user since keeping track and remembering multiple passwords is never easy. However, this also makes things easy for a hacker, as getting access to one account automatically allows a hacker to gain access to the other accounts of that particular user using the same password. 

Thus, to avoid such situations, it is always a good idea to use separate and different passwords for different accounts.

3. Not changing passwords regularly

If you have a strong password, changing passwords regularly may not be needed. However, that does not mean that you completely ignore changing your passwords every once in a while. 

There are a number of reasons why you should change your passwords every once in a while, if not regularly. This is because whenever you set a password for a device or an account, there may be times or instances when you might need to share your password with someone else.

4. Keeping Multi-factor authentication services disabled

The development of two-step or multi-factor authentication happened for a reason. A few years back, accounts were getting hacked into and compromised in such large numbers that developers and security experts had to come up with a system to make systems and accounts more secure. Hence the adoption of two-step authentication. 

5. Installing Malicious Apps (Consisting of apps like Keyloggers and RAT)

Malicious apps include everything from different kinds of viruses to trojans and programs such as keyloggers and RAT files, all of which can compromise the security of your system.

Sometimes, you unknowingly or knowingly download such apps when you are trying to download cracked files off the internet or something that is not very legal. In this process, hackers usually attach or hide such malicious files with or inside the downloaded content, which then work in the background to steal all your data and send it back to the attacker who is trying to gain access to your accounts. 

6. Changing Passwords with a Single Character

If you are creating a new password or replacing your old password with a new one, it is very important that you avoid changing just a single character of the old password to create the new one. 

Although changing just a single character seems like an easy option for you, it makes your account more vulnerable to attacks where a hacker already knows or has figured out your old password. 

For instance, if your old password was something like ‘passw0rd’ and you changed just one character to turn it into ‘p@ssw0rd’, then all a hacker needs to do is try swapping characters in your old password for new ones, and they can easily gain access to your account thereafter. 

7. Keeping Passwords based on Personal Information

There is nothing as easy as remembering one’s personal information. That is also the very reason why many users often opt to keep passwords related to or involving their personal information. 

Suppose a hacker comes to know about such information, either directly from you or indirectly from any other sources such as your workplace, school, or college. In that case, he can easily gain access to your accounts by simply trying out such information. 

Thus, as a rule of thumb, one must always avoid basing passwords on such personal information and instead keep passwords completely different and unrelated to oneself, something that can never be easily figured out. 

8. Using Short Passwords

I guess by now, our readers have realized that whatever makes things easy and simple for you also makes things easy for a hacker as well. 

Hence, anything you think might be easy and uncomplicated to figure out should always be avoided. This includes short passwords as well. 

The shorter your password, the easier it is for hackers to crack it. A dictionary attack is all it takes to crack such passwords. Thus, it is always good practice to keep passwords as long as possible.
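Mistakes 1, 6, 7 and 8 above (weak or common passwords, one-character changes, personal information, and short passwords) can all be checked mechanically before a new password is accepted. The checker below is an added example, not code from the article; the tiny common-password list, the 12-character minimum, the edit-distance threshold of 2, and the guess rate used to size the brute-force search are all assumptions.

```python
import math
import string

# Constructed stand-in for a cracking wordlist; a real check would load a large
# list of leaked passwords (assumption for the demonstration).
COMMON_PASSWORDS = {
    "123456", "password", "passw0rd", "p@ssw0rd", "qwerty", "letmein", "welcome",
}


def charset_size(password):
    """Size of the smallest standard character set that covers the password.
    Characters outside these four classes add nothing (a simplification)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def brute_force_seconds(password, guesses_per_second=1e10):
    """Worst-case seconds to exhaust the search space, assuming the attacker already
    knows the length and character set. The guess rate is an assumed figure."""
    return charset_size(password) ** len(password) / guesses_per_second


def levenshtein(a, b):
    """Minimum number of single-character edits (insert, delete, replace) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new_password, old_password="", personal_info=(), min_length=12):
    """Return the list of mistakes from the article that the new password makes."""
    problems = []
    if len(new_password) < min_length:
        problems.append("too_short")
    if new_password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    # A one- or two-character tweak of the old password is what mistake 6 warns about.
    if old_password and levenshtein(new_password.lower(), old_password.lower()) <= 2:
        problems.append("similar_to_old")
    lowered = new_password.lower()
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        problems.append("contains_personal_info")
    return problems


if __name__ == "__main__":
    for pw in ("p@ssw0rd", "correct-horse-battery-staple-42"):
        print(pw, check_password(pw, old_password="passw0rd"),
              f"{brute_force_seconds(pw):.3g} s to exhaust")
```

Note that `brute_force_seconds` is an upper bound: a dictionary attack finds `p@ssw0rd` far sooner than exhausting its 68^8 search space, which is why the wordlist check comes first.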

9. Storing Passwords randomly or insecurely

If you are using a password manager or keeping track of your passwords on a physical medium such as a notebook, diary, or paper, it is very important to do so with caution and care.

Storing passwords in places where they are easily accessible, or using a manager app without any security of any kind, can compromise your passwords easily. Hence, you must always be careful when storing your passwords and do it responsibly to prevent them from landing in the wrong hands. 

Moreover, if you are using a password manager app or service to store your passwords, always go for trusted brands offering uncompromised security and safety.


Some other Miscellaneous Mistakes


Apart from the mistakes discussed above, there are some other mistakes. Although common sense says they should be avoided, many users still commit them, whether or not they know about it. 

Hence, such miscellaneous mistakes may be as follows:

1. Sharing credentials with others

Be it your friend or family, you should always avoid sharing your passwords or login information with them. There may be times when someone is trying to access your system or account and misuse them. Therefore, always try to avoid sharing such information no matter what (unless it is very important or crucial that you do so). Even if you do it for a good reason, do remember to always change your credentials later on.

2. Exposing passwords to others while entering

Suppose you are someone who forgets to cover the keyboard or to make sure that nobody is watching while entering their password. In that case, it is high time you changed such a habit and became more careful while entering your credentials, especially when you are doing it in public places. 

There have been instances where hackers hacked into accounts by looking at the keys pressed by users over CCTV footage. You must be aware of your surroundings and feed in your credentials very carefully.

3. Visiting unsecured or shady websites

The best way not to fall into traps is to avoid them. Similarly, the best way not to compromise yourself is to stay away from places or websites on the internet where your details may be compromised. In this digital era, no one is completely anonymous. Suppose you think you are merely visiting an illegal website such as a trojan site, a site that promotes piracy, or any other shady website. In that case, you should know that doing so also puts your system, data, and privacy at risk. 

Thus, it is always a good idea to avoid such websites and to only visit, or download files from, websites that are secured with SSL protocols and other such safety measures. 

4. Installing untrusted plugins

Just as visiting shady and untrusted websites and downloading untrusted files might compromise your security, downloading and installing untrusted plugins in your browser might also put your system and accounts at risk of getting hacked. 

This is similar to how malicious programs like Keylogger applications and RAT files may compromise your system and accounts. Even in the case of plugins and extensions, similar ones might be doing the same job. Thus, you must install such plugins and extensions from a trusted source and avoid such situations from arising. 

5. Staying logged in 

Staying logged in or enabling the option of remembering your account credentials on the browser can also contribute to getting hacked by hackers out there. 

When you stay logged in like that or have enabled such settings in your browser, that information is automatically saved in your browser’s cache. A skilled hacker can easily compromise such a cache.

Hence, it is usually a good idea not to opt to stay logged in or to save your passwords in your browser.


Vulnerability 


Now you have an idea of the various types of password attacks a hacker can carry out and the mistakes a user can make. Next, let us look at the various vulnerabilities that contribute to such attacks being successful.

1. Faulty Session Time-out

If your browser ever shuts down or closes abruptly without you being able to log out of your account properly, then in the next login session made by another user, your account may be already logged in. If so, then depending on what kind of person has launched the browser or is trying to log in after you, your account might be compromised or breached. 

Hence, if you ever face a situation where a browser on a public system or device closes abruptly without giving you a chance to log out, it is a good idea to start a new session on the same device and log out properly (or log out of all devices, if such an option is available for that particular account).
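On the server side, the two defenses against the abandoned-session problem described above are an idle timeout, so a session left open on a public PC dies on its own, and a "log out of all devices" action that invalidates every session a user holds. The session store below is an added example, not code from the article; the 15-minute timeout, the user names, and the fake clock used in the demonstration are assumptions.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions with an idle timeout and a 'log out everywhere' action."""

    def __init__(self, idle_timeout_seconds=900, clock=time.time):
        self.idle_timeout = idle_timeout_seconds   # assumed 15-minute idle limit
        self.clock = clock                         # injectable so a demo can fake time
        self._sessions = {}                        # session id -> {"user", "last_seen"}

    def login(self, user):
        # 256-bit random id: a cookie value an attacker cannot guess.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def user_for(self, sid):
        """Return the user behind a session id, or None if it is unknown or idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[sid]                # abandoned browser: treat as logged out
            return None
        session["last_seen"] = now                 # activity extends the session
        return session["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def logout_everywhere(self, user):
        """Invalidate every session of a user, e.g. one forgotten on a public PC."""
        stale = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


class ManualClock:
    """Fake clock for the demonstration, so no real waiting is needed."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through the public-PC scenario and return what the server observed."""
    clock = ManualClock()
    store = SessionStore(idle_timeout_seconds=900, clock=clock)
    public_pc = store.login("alice")   # browser on a shared PC later closes abruptly
    store.login("alice")               # alice's own phone, still logged in
    results = {}
    clock.advance(600)
    results["public_pc_after_10min"] = store.user_for(public_pc)   # still valid
    # Alice notices, and from her phone uses "log out of all devices".
    results["revoked_sessions"] = store.logout_everywhere("alice")
    results["public_pc_after_revoke"] = store.user_for(public_pc)  # gone
    # Without that action, the idle timeout is the backstop.
    laptop = store.login("bob")
    clock.advance(901)
    results["laptop_after_idle"] = store.user_for(laptop)          # expired
    return results


if __name__ == "__main__":
    print(demo())
```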

2. Weak recovery setup 

Certain websites offer security questions for recovering your credentials if you forget your password. Just like setting up passwords based on personal information, answering those questions might backfire on you. 

Even in the case of recovery questions, keeping questions such as your NickName, your address, or your pet name, which others might know as well, might not be a good idea. 

3. Flawed Two-Factor Authentication 

Suppose you use a compromised SIM or handset device to receive OTPs for an account using two-factor authentication and the same device to access that account. Then, there is a high chance that you have more or less spoon-fed your details to an attacker on your own. 

The only way to avoid such a vulnerability would be to regularly run scans on your device and, every once in a while, reset it to factory settings or format it completely, to remove any malicious programs that might compromise your device and your data and hijack the two-factor authentication process.


Prevention of such mistakes and vulnerabilities


Prevention has always been the best cure. Hence, preventing an attack right at the source is the best way to deal with the problem. 

Let us, at last, have a look at some of the very common prevention practices you can employ to prevent such a situation from occurring, either due to mistakes made or vulnerabilities being taken advantage of.

1. Using Multi-factor authentication

Nowadays, making use of a multi-factor authentication service has become extremely important. It puts two extra layers of security around what would otherwise be a single wall, the login page. 

With a multi- or two-factor authentication process, you use multiple platforms to grant access to a single account or device, making such logins extra secure.

2. Linking a Recovery Account

This can be seen as less of a preventive measure and more of a backup measure. By linking a recovery account, you can use it to regain access to the linked account if and whenever it is hacked into and you are prevented from accessing it directly. 

Moreover, this approach is also helpful in cases where users forget their own credentials and are locked out of their own accounts. 

Thus, one way or the other, it is very important that you always link an account to a recovery account to regain access to your account whenever such a situation arises. 

3. Using a good VPN app or service

A VPN app or service may have a number of uses. But, most importantly, it can be used to secure connections whenever browsing the internet. 

A good VPN also provides anonymity, making it difficult for hackers to carry out attacks on a connection or device that is unknown or kept hidden under a different alias. 

It would be a good idea to find out more about the security mechanisms on your own and find a VPN that suits your needs. 

4. Always using a strong Antivirus or Firewall Service

One major and most common reason accounts or devices get compromised is not having a good Antivirus or Firewall service enabled on a system. 

An antivirus or firewall service can act as a great wall of defense when it comes to detecting and removing malicious elements from your systems that may be responsible for compromising the safety and security of your devices. 

Most malicious programs, such as keyloggers, trojans, RAT files, and the like, can be easily detected by good and strong antivirus (firewall) apps and services, keeping your devices safe and sound.

5. Updating software and systems regularly

The older a system or app gets, the more vulnerable it becomes. This, as a result, may give hackers and attackers opportunities to breach a system or account and gain control over it. 

Thus, regularly updating software and systems to fix bugs and defects in software or apps that may compromise the security or safety of your device and accounts involved or accessed on the device is always a good idea.


Conclusion


The evolution of passwords has mirrored humanity’s quest for security, shifting from physical fortresses to digital codes safeguarding our most valuable asset: information. While passwords are the cornerstone of our digital defense, the landscape is fraught with vulnerabilities and threats, requiring a vigilant approach to maintain security.

Understanding that absolute security is an elusive concept is the first step in fortifying our defenses. No system is impervious, and the myriad of attacks, from phishing to brute force attempts, underscores this reality. Every weakness in our security chain is an entry point for a potential breach.

Recognizing common password mistakes illuminates pathways for attackers. From predictable, easily cracked passwords to sharing credentials, each oversight can be exploited. Yet, empowerment comes from awareness. We must acknowledge these pitfalls to mitigate their impact on our digital lives.

Moreover, hackers exploit vulnerabilities beyond password missteps. Flaws in session timeouts, weak recovery setups, or compromised two-factor authentication can compromise our defenses. Prevention, therefore, becomes our strongest ally.

Employing multi-factor authentication, linking recovery accounts, utilizing VPNs, robust antivirus software, and regular updates are proactive steps to shield against attacks. By understanding the enemy’s tactics, bolstering our defenses, and staying vigilant, we inch closer to achieving the elusive 99% security.

As we navigate this dynamic digital realm, safeguarding our information demands perpetual vigilance, adaptability, and a commitment to evolving security practices. Striving for robust digital fortresses is an ongoing endeavor, and by continuously learning, adapting, and implementing best practices, we fortify our defenses against the evolving landscape of cyber threats.


Rahul Choudhary is a technology and troubleshooting expert. He gives his expert opinion on different technology trends and provides troubleshooting guides for different apps, websites, & consumer hardware products. He graduated in BA English Honours from the University Of Delhi, and later he learned HTML and WordPress. He also did a certificate course in Hardware and Network Troubleshooting , and a certificate course in Computer Architecture.