Passwords have become a daily part of everyone's lives as much as mobile devices and technology have. People use passwords to gain access to company resources, manage their personal or financial accounts, and for entertainment and recreational purposes. Unfortunately, many take password protection for granted and end up being the victim of a cyberattack.
Stealing passwords is easier than most people think, and cybercriminals can employ various methods to do it — and hackers are so unscrupulous that they’d take advantage of the COVID-19 pandemic, too.
From employing trial and error to monitoring your keyboard activity, here the ways that hackers can steal your passwords.
#1 Credential stuffing
In credential stuffing, cybercriminals use programs to bombard systems with multiple combinations of exposed usernames and passwords until they find a match. Once inside a system, cybercriminals are free to steal any information they want, including more passwords. And since many people use the same set of credentials for multiple accounts, hackers are free to infiltrate these accounts.
#2 Monitoring public Wi-Fi
Wi-Fi traffic monitoring is another method hackers use to steal passwords. With the help of a simple application, cybercriminals can monitor the traffic on public Wi-Fi networks. The app will send hackers a notification once a user inputs their credentials to access a specific site. The hackers can then intercept and steal this information, allowing them to commit fraud or selling the information on the dark web.
Keylogging is one of the oldest methods cybercriminals use to steal passwords and other valuable information. They use monitoring software called keyloggers, which are one of the many types of malicious programs internet users/web surfers can get from infected sites and phishing emails. Once a keylogger is installed, it covertly tracks and logs a person's keyboard activity and sends it back to the cybercriminal who planted it.
#4 Phishing emails
Phishing is one of the most common types of cyberattack hackers use to steal passwords and other valuable information. It involves an email planted with a malicious link that takes users to a spoofed site and tricks them into giving out their private information. Phishing emails can also contain attachments that will infect computers with malware once clicked.
#5 Brute force attacks
A brute force attack is a tactic hackers use to gain unauthorized access to a network by guessing usernames and passwords. They can either do this manually or with the help of applications or automated programs called bots. This method is almost similar to credential stuffing, but the only difference is that credential stuffing relies on stolen credentials rather than guessing.
#6 Unsecured sites
People using unsecured sites open themselves up to a man-in-the-middle (MitM) attack. In a MitM attack, a hacker inserts themselves in a conversation between two parties, usually a user and an application. The hacker impersonates one of the parties to eavesdrop and steal the user's personal information.
#7 Extortion or blackmail
Some hackers use straightforward blackmail and extortion techniques to steal passwords. They will use sensitive and often private information (e.g., videos and photos) to either embarrass or harm their victims if their demands are not met.
#8 Local discovery
Sometimes a user's carelessness is enough for a hacker to steal that user’s password. Listing down passwords and leaving them in plain sight is an open invitation for hackers. Some cybercriminals will even go as far as to dumpster-dive to acquire usernames and passwords.
How to prevent hackers from stealing passwords
Businesses and individuals can keep their passwords from being stolen by:
- Being wary of suspicious email – Phishing emails are the preferred method of most hackers to steal information. A suspicious email should be deleted or reported immediately.
- Using antivirus software – Reliable antivirus software can filter websites and emails for malware such as keyloggers.
- Staying away from public Wi-Fi – Public Wi-Fi is a treasure trove of information for cybercriminals and a big security risk. A better alternative is to use mobile data or a virtual private network.
- Avoiding unsecured sites – When visiting any site that asks for personal information, make sure it's secure. Check the URL of the site. It should start with an https (Hypertext Transfer Protocol Secure) prefix instead of just http. An https prefix means the site is using a secure socket layer connection to encrypt data before sending it over to a server. Another sign to look out for is a lock or shield icon on the address bar of the browser. The presence of either icon is a sign that a site is secure.
- Using multifactor authentication (MFA) – MFA adds an extra layer of security to passwords by requiring the user to provide additional credentials such as a fingerprint, voice recognition, or retinal scan. So even if hackers use a stolen password, they would still need to provide the other credentials.
To prevent hackers from stealing important information like passwords via phishing and other illicit email-based means, businesses should partner with a cloud-based email security solutions provider like Graphus. Here at Graphus, we use a simple and but powerful cloud email security system designed to protect organizations from various cyberthreats like phishing, identity spoofing, and credential theft. Sign up for a free trial today.