From social engineering to shoulder surfing or simple guessing, ESET researchers explain the dangers and how to stay safe
Passwords are the Achilles' heel of digital life: they are often the only line of defense between cybercriminals and our personal and professional information. And as the number of passwords needed simply to get through the day keeps rising, many people cut corners by recycling passwords or choosing weak ones, often unaware of the potential consequences. Researchers at the internet security company ESET elaborate.
What can a hacker do with my password?
Passwords are the virtual keys to the digital world. They enable access to online banking services, email, social media, streaming and all of the data stored in the cloud. If a hacker gets hold of our password, they can:
Steal our personal identity information and sell it to other cybercriminals.
Sell access to the account itself on the dark web, where buyers can use it for a wide range of activities.
Use the breached password to break into additional accounts that are protected by the same password.
How do hackers steal passwords?
1. Phishing and social engineering
It’s not that difficult to trap people. In many cases we make the wrong decision when we are in a hurry. Cybercriminals exploit this weakness through social engineering, a psychological trick designed to make us do something we are not supposed to do, and phishing is probably its most well-known form.
In phishing attacks, hackers impersonate legitimate entities such as friends, family or business contacts. Targets receive text messages or emails that appear legitimate but in fact contain a malicious link or attachment; clicking on it either infects the device with malware or leads to a fake webpage that asks for personal information, including passwords.
2. Malware
Cybercriminals also use malware to obtain passwords. While the main vector for this is phishing, such an attack is also possible by clicking on an advert that carries malware (malvertising) or by visiting a compromised website. Unofficial app stores also host a myriad of legitimate-looking apps that actually contain malware.
There are many types of data-stealing malware, but the most common are programmed to log keystrokes or take screenshots, which are then sent back to the attacker.
3. Brute force attacks
The number of passwords held by the average person increased by 25% in 2020 alone. As a result, many people use passwords that are easy to remember (and therefore easy to guess) and set the same password for multiple sites and services. This opens the door to brute force attacks.
One of the most common methods is credential stuffing, in which attackers take large lists of username and password pairs leaked in previous data breaches and replay them against other sites using automated software, betting that some users reused the same credentials. It is estimated that there were over 139 billion credential stuffing attempts this past year.
Another brute force technique is password spraying. Here the attackers take a short list of very common passwords and try each one against a large number of usernames, making only a few attempts per account so as to stay below the lockout thresholds that would stop a conventional brute force attack on a single account.
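From the defender's side, a conventional brute force attack and a spraying or stuffing campaign leave different footprints in authentication logs: the first hammers one account from one source, the second touches many accounts with only one or two failures each. The script below is an added example (not ESET's code) that sorts constructed sshd-style log lines into those two profiles; the log format, IP addresses, usernames and thresholds are all assumptions chosen for illustration, not tuned values from any product.

```python
import re
from collections import defaultdict

# Illustrative thresholds (assumptions, not vendor defaults): tune them to the
# real baseline of the system being monitored.
BRUTE_FORCE_PER_USER = 10   # failures against a single account from one source
SPRAY_DISTINCT_USERS = 8    # distinct accounts hit from one source ...
SPRAY_MAX_PER_USER = 2      # ... with at most this many failures per account

# Matches the failure line sshd writes; "invalid user" appears when the
# account does not exist at all, which spraying lists often produce.
LINE_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def make_line(user, ip):
    """Build one constructed sshd-style failure line (sample data, not real logs)."""
    return f"sshd[4242]: Failed password for {user} from {ip} port 51234 ssh2"


# Constructed sample: one source hammering "admin", one source touching nine
# different accounts once each, and one user who simply mistyped twice.
SAMPLE_LOG = (
    [make_line("admin", "203.0.113.5") for _ in range(12)]
    + [make_line(u, "198.51.100.7") for u in
       ("alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan")]
    + [make_line("alice", "192.0.2.9")] * 2
    + ["sshd[4242]: Accepted password for alice from 192.0.2.9 port 51235 ssh2"]
)


def parse_failures(lines):
    """Return {source_ip: {username: failure_count}} from sshd-style lines."""
    per_source = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            per_source[ip][user] += 1
    return per_source


def classify(user_counts):
    """Label one source's failure profile.

    brute-force        : one account receives many failures
    spray-or-stuffing  : many accounts receive one or two failures each
    benign             : anything below both thresholds (typos, forgotten passwords)
    """
    if not user_counts:
        return "benign"
    max_per_user = max(user_counts.values())
    if max_per_user >= BRUTE_FORCE_PER_USER:
        return "brute-force"
    if len(user_counts) >= SPRAY_DISTINCT_USERS and max_per_user <= SPRAY_MAX_PER_USER:
        return "spray-or-stuffing"
    return "benign"


def classify_log(lines):
    """Map every source IP seen in the log to its profile label."""
    return {ip: classify(counts) for ip, counts in parse_failures(lines).items()}


if __name__ == "__main__":
    for ip, label in classify_log(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
```

Credential stuffing and password spraying look alike in a single server's logs (many accounts, few attempts each), so the script deliberately gives them one label; telling them apart usually needs context from outside the log, such as whether the attempted usernames match a known breach dump. A real detection would also window the counts by time, since spraying campaigns are often spread over hours or days precisely to evade per-minute thresholds.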
4. Guessing
Sometimes hackers don’t even need sophisticated tools: often a simple guess will do. The most common password in 2020 was 12345, followed by “123456789”, with “password” in 4th place. Password recycling makes the job even easier for them, since one lucky guess unlocks every account that shares the password.
5. Shoulder surfing
Now that more and more people are returning to the office, the old-fashioned method of peeking over someone’s shoulder to catch a glimpse of a password is becoming more common again. ESET researcher Jake Moore conducted an experiment to determine how easy it would be to hack a person’s Snapchat account using nothing more than this simple method.
How to protect your passwords
Use only strong and unique passwords or passphrases for all online accounts, especially bank, email and social media accounts.
Do not recycle passwords.
Use a password manager.
Change your password immediately if you are made aware of any possible breach.
Only use HTTPS websites.
Do not click on links or open attachments from unknown addresses.
Only download apps from official app stores.
Use strong and reliable security software for each device.
Watch out for anyone over your shoulder.
Do not log into your accounts from a public network. If you must, use a VPN.
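The first three items above (strong, unique, not recycled) are exactly the checks a password manager's audit feature performs. The script below is an added example, not ESET's code, showing the core of such an audit in Python: it flags passwords that match a common-password blocklist even after leet-speak and digit-suffix disguises are removed, finds accounts that share a password, and generates a diceware-style replacement with an entropy estimate. The wordlist and blocklist are short constructed samples for illustration; a real tool would use a large breached-password corpus and a published wordlist such as the EFF list of 7776 words.

```python
import math
import secrets
from collections import defaultdict

# Constructed blocklist for illustration; the three passwords named in the
# article are included. Real audits check against many millions of entries.
COMMON_PASSWORDS = {
    "12345", "123456", "123456789", "password", "qwerty",
    "111111", "iloveyou", "admin", "letmein", "welcome",
}

# Undo the most common "strengthening" tricks so that P@ssw0rd1! is still
# recognised as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})
SUFFIX_CHARS = "0123456789!"

# Constructed 32-word list (assumption); 32 words give only 5 bits per word,
# which the entropy figure below makes visible.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saffron", "timber", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "bramble", "cinder", "drift", "fennel", "granite", "heron", "ingot",
]


def is_common(password):
    """True if the password, or a de-obfuscated form of it, is on the blocklist."""
    pw = password.lower()
    stripped = pw.rstrip(SUFFIX_CHARS)
    candidates = {pw, pw.translate(LEET), stripped, stripped.translate(LEET)}
    return any(c in COMMON_PASSWORDS for c in candidates)


def reused_passwords(vault):
    """Given {account: password}, return sorted groups of accounts sharing one password."""
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    return sorted(sorted(accs) for accs in by_password.values() if len(accs) > 1)


def audit(vault):
    """Return {account: [issues]} for every account that has at least one issue."""
    issues = defaultdict(list)
    for account, pw in vault.items():
        if is_common(pw):
            issues[account].append("common")
    for group in reused_passwords(vault):
        for account in group:
            issues[account].append("reused")
    return dict(issues)


def passphrase_entropy_bits(words, wordlist_size):
    """Entropy of a passphrase of `words` words drawn uniformly from `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def generate_passphrase(words=6, wordlist=WORDLIST):
    """Diceware-style passphrase using the OS CSPRNG (secrets), never random.random."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # Constructed vault contents (sample data, not real credentials).
    sample_vault = {
        "bank": "P@ssw0rd1!",
        "mail": "Tr0ub4dor&3",
        "shop": "Tr0ub4dor&3",
        "forum": "123456789",
    }
    for account, problems in audit(sample_vault).items():
        print(f"{account:6} {', '.join(problems)}")
    print("replacement:", generate_passphrase())
    print("bits (32-word list, 6 words):", passphrase_entropy_bits(6, len(WORDLIST)))
    print("bits (7776-word list, 6 words):", round(passphrase_entropy_bits(6, 7776), 1))
```

The entropy lines make the design point: six words from the 32-word sample list give only 30 bits, while the same six words from a 7776-word list give about 77.5 bits, so the size of the list matters as much as the number of words. The blocklist check is intentionally run on the password itself, not on a hash, because the normalisation step needs the plaintext; in a real manager this happens locally, inside the vault, and never on a server.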