LetMeIn101: How the Bad Guys Get Your Password

Content provided by our partner Tom Bull, Two River Computer ~

Passwords are essential to our cybersafety. We all know it, but if you’re like the rest of the digital society, you probably have dozens of passwords to remember. It’s a lot. So, you might take shortcuts.  We understand. But taking advantage of our laissez-faire attitude is one way bad guys access your passwords.

Incredibly, there are still people out there using “password” or “123456” in their access credentials. Some people don’t change the default passwords on their devices when they first set them up. So, anyone can pick up a router, look at the sticker identifying the password, and access that network.  Even if the bad guys are not around to physically look at your device, they can hack into your network from the outside and wreak some real havoc.

Tip: Avoid the obvious passwords! When you have to create a password, make an effort. When it’s time to update a password, don’t put it off; change it now. Steer clear of simple, easily guessed patterns.

Cybercriminals can also guess your password. With a little bit of research about you online, they can make some informed guesses. Common passwords include pet names, birthdays, and anniversaries. These are all easy to find via your social media accounts.

Tip: Be careful what you share on social media! Don’t befriend strangers, as you are giving them access to a goldmine of info for personalizing an attack on you.

If that doesn’t work, criminals may try brute force. They might get really sophisticated and script an automation bot to run thousands of password permutations until they get a hit. The software will try a long list of common passwords and run through dictionary words to gain access to your stuff.  Not cool.

Tip: Use a complex password with numbers, letters, and symbols or a passphrase. A passphrase is typically at least 19 characters long but is more memorable, as it is unique to you. Try some song lyrics and some meaningful numbers.
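For anyone who runs a sign-up or password-change form, the tips so far can be enforced in code. The sketch below is an added example, not part of the original article; the function names, the five-entry common-password list and the sample personal details are all constructed for illustration.

```python
import re

# Constructed sample; a real deployment would load a large list of common
# and breached passwords instead of these five.
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "iloveyou"}
MIN_PASSPHRASE_LENGTH = 19  # the passphrase length the article suggests
# Undo common letter-for-symbol swaps so "P@ssw0rd" is compared as "password".
SWAPS = str.maketrans("@4310$5", "aaeioss")


def normalize(text):
    """Lowercase and reverse common character substitutions."""
    return text.lower().translate(SWAPS)


COMMON_NORMALIZED = {normalize(p) for p in COMMON_PASSWORDS}


def screen_password(password, personal_facts=()):
    """Return reasons to reject `password`; an empty list means it passed.

    personal_facts: details findable on social media (pet names, birthdays,
    anniversaries), supplied by the caller.
    """
    problems = []
    folded = normalize(password)
    # "letmein101" and "P@ssw0rd1!" are still common passwords with a suffix.
    stem = re.sub(r"[\d\W_]+$", "", password.lower())
    if {folded, normalize(stem)} & COMMON_NORMALIZED:
        problems.append("common password")
    for fact in personal_facts:
        tokens = re.findall(r"[a-z]+|\d+", fact.lower())
        if any(len(t) >= 4 and normalize(t) in folded for t in tokens):
            problems.append("contains personal detail")
            break
    has_mix = all(re.search(p, password) for p in (r"[A-Za-z]", r"\d", r"[\W_]"))
    if len(password) < MIN_PASSPHRASE_LENGTH and not has_mix:
        problems.append("neither a long passphrase nor a letter/number/symbol mix")
    return problems
```

A password that only dresses up a common word or a pet name is rejected even when it contains numbers and symbols, while a long passphrase with no personal details passes.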

The criminal may also be working with info from a data breach. In early 2019, a security researcher found more than 2.7 billion email/password pairs available on the Dark Web. Criminals accessing that database could use the data as a starting point, as many people duplicate their passwords across accounts.  So once a bad guy gets into one account, they can keep going and try other accounts.

Tip: Use a unique password for each site. Yes, that’s overwhelming to remember, and that’s also why you should use a password manager to keep track of it all for you.  A password manager is a piece of software that runs on your computer and smartphone and records and manages your website logins, making your life easier. You can create a Master password that opens the vault to all your other passwords.  You can also simply use a notepad or password book. Less sophisticated and convenient, but gets the job done.

Criminals can also access your account if you’ve used a hacked public computer.  The bad guys may have installed a key logger on the computer. The logger records every key you press on the keyboard. Or they might have compromised a router or server to be able to see your information if you’ve connected to free wifi (we say that’s always a No-No!).

Tip: Be cautious about your online activity on computers or networks you don’t trust.

Of course, there’s one more method of getting your password that we haven’t addressed yet. It’s the familiar phishing attack. For instance, you get an email that looks like it was sent by your bank or another familiar place. Phishing typically has an urgent message and a link that directs you to what looks like a credible page. You click the link and it asks for your email address and email password. Once you’ve done that, you’ve given the bad guys your credentials.

Tip: Pay attention to who is sending the email and hover the mouse over the link to see where it goes. If you are concerned about your bank account, for example, open up a browser and type the URL manually rather than clicking the link.  Or if you’re really nervous, call the number on the back of your credit card or ATM card and ask the bank if they sent you the email. Another trick is to simply hit the REPLY button and see where the email is going…if it looks sketchy and unusual it’s probably bad.

One of our favorite exercises is to have everyone change their email and banking passwords when you change the clocks for daylight savings. That way your oldest password is just 6 months old and you will be familiar with the process in case you’re away from your computer and need to get into one of your accounts.

Finally, turning on 2FA (2-factor Authentication) or MFA (Multi-Factor Authentication) is a great way to secure your accounts. Basically, when you log in to your email or bank, it will send a one-time code to your cell phone, and you need that code to get into the account. So, if a bad guy tries to hack into your account, he won’t be able to because he needs the code sent to your phone. It’s a good thing.

These tips can help you to protect your valuable passwords. Still, setting up a password manager and amping up your internet security can help too. Need support getting ahead of the cybercriminals?  Contact our experts today! Call us at (732) 747-0020 or visit us at www.TwoRiverComputer.com