ST. GEORGE — Every day in the U.S. and around the globe, malicious cyber criminals compromise websites and online accounts, posting lists of usernames, email addresses and passwords on the darknet. The average person has anywhere between 25-30 online profiles or accounts, according to CNET, but uses only five passwords for all of them. This leaves an enormous amount of personal information vulnerable to hackers.
And cyber criminals capitalize on those weaknesses.
In 2018, there were data breaches at 16 major retailers, including Macy’s, Sears, Kmart, Saks Fifth Avenue, Adidas, Gamestop, Best Buy and others. Many were caused by flaws in company payment systems that were taken advantage of by computer schemers.
Data breaches overall are on the rise for both retailers and other businesses, but retailers seem to be the preferred venue for hackers. According to one cyber security firm, Shape Security, of all of the login attempts made on retailer websites, nearly 90 percent of those attempts are hackers using stolen data, the highest percentage of any sector.
Data breaches in other sectors can be devastating as well, as was seen when the information of 143 million Americans was put at risk in the notorious Equifax breach, or the Exactis breach that affected 340 million people. Exactis is a data accumulator with the sole function of collecting as much data on as many people as possible, which is then sold to legitimate businesses.
One research firm, Cambridge Analytica, was able to obtain personal data from as many as 50 million Facebook users and used that data as part of its work on Donald Trump’s 2016 presidential campaign. More than 270,000 of those users “willingly” gave the information over by signing up for a personality quiz app. As a result, Facebook was fined $660,000 for lack of transparency and failing to protect users’ information, as reported by Forbes in July 2018. But the fine was merely a slap on the wrist, as it is roughly the amount of revenue the social media giant generates every 5 ½ minutes, according to The Guardian.
Additionally, Facebook recently reported a major security breach in which 50 million user accounts were accessed by unknown attackers.
Read more: Facebook says 50M user accounts affected by security breach
Any breach can place an individual’s personal information at risk of ending up in the hands of fraudsters, but there are several online security measures that can be taken to create unbreakable barriers. One of the best ways to do that is to set up strong, unique passwords for each online account, and the best way to choose a strong password is to know how they can be broken.
Password hacking 101
Passwords are the first line of defense against a cyber-thief stealing the keys to the kingdom. TrendMicro says “password security has always been a trade-off between what people can remember and what’s difficult for attackers to guess.”
Almost everything done online is protected with a password, making them tempting targets for attackers. As computers have become faster, hackers can test more passwords per second, millions of them, in fact. Password-cracking programs can run for days on several devices simultaneously.
Knowing how cyber attacks work can help in creating passwords that can stand up to any assault. The two most common methods of password extraction are the “brute force attack” and the “dictionary attack.”
Brute force attack
Cyber thieves are armed with several password-hacking tactics. One technique, the “brute force attack,” uses automated software to try as many combinations as possible as quickly as possible. Some hacking software is so advanced it can try 350 billion guesses per second, according to Ars Technica, leaving any password under 9-12 characters vulnerable to being cracked.
Dictionary attack
Whereas a brute force attack tries every combination of symbols, numbers and letters, a “dictionary attack” cycles through a prearranged list of words similar to what is found in a dictionary. This type of attack can be very effective because many people have a tendency to choose passwords which are short – seven characters or fewer – such as single words that can be found in a dictionary.
Other attacks obtain the password using other means, which can include the “keystroke attack,” the “phishing attack” and the “cookie theft.”
Keystroke attack
A hacker uses a program to track all of a user’s keystrokes, and at the end of the day, everything the user has typed is recorded, including their login IDs and passwords. The key logging program used is malware or can be a full-blown virus that makes it onto the user’s devices often by clicking a link in an email.
This attack differs from other attacks in several ways, but one important difference is that stronger passwords don’t provide much protection against them, which is one reason that multi-factor authentication is becoming a must-have for all businesses and organizations.
Phishing attack
Phishing is a cyber attack that uses disguised email as the main weapon, with the goal of tricking the email recipient into believing that the message is something they want or need, such as a request from their bank. Users are instructed to click a link that asks for their login credentials or other sensitive information, or the recipient is instructed to download an attachment.
The cookie theft
The cookies of a browser keep our personal data, such as browsing history, username and passwords for different sites that we access. Once the hacker gets access to your cookies, they can fool a browser into authenticating themselves as you.
The darknet
The easiest method of procuring passwords and personal information is to buy them off of the darknet, which has become a lucrative market where passwords and login credentials are bought and sold on the black market.
Ironclad passwords
For those who have used the same passwords for many years, chances are they’ve been compromised. To check if an email has been compromised in a data breach, go to “Have I been Pwned.” To verify if a password has been compromised, go to “Pwned Passwords.”
Cybersecurity experts list the use of strong, unique passwords as one of their top recommendations, which is also one of the least commonly followed recommendations because of the difficulty inherent in remembering long, complex passwords. A password made up of an extremely uncommon word or one made up of multiple words used together, such as “towelbluedolphinelion,” can generally outsmart a dictionary attack.
Using a random password generator is useful because people tend to use words or symbols that have meaning to them, making them easier to guess. Having unique passwords for each account is also recommended; otherwise, a hacker that learns the password to one account then has the password for others as well.
Four tips for password safety
- Make it long — This is the most critical factor. Choose nothing shorter than 15 characters, more if possible.
- Use a mix of characters — The more the letters, both upper and lowercase, are mixed up with numbers and symbols, the more potent the password is, and the harder it is for a brute force attack to crack it.
- Avoid common substitutions — Password crackers know what to look for and what individuals use as typical substitutions. Whether “DOORBELL” or “D00R8377” is used, the brute force attacker will crack it with ease. Random character placement is much more effective.
- Don’t use memorable keyboard paths — Much like the advice not to use sequential letters and numbers, do not use sequential keyboard paths either – like “qwerty.” These are among the first to be guessed.
According to Isight, a software and corporate security company, “poor password protection is like handing over your house keys to a thief.”
Email: [email protected]
Twitter: @STGnews
Copyright St. George News, SaintGeorgeUtah.com LLC, 2018, all rights reserved.