October is Cybersecurity Awareness Month. To do our part, we have decided to publish a series of posts that deep-dive into specific cybersecurity topics. With this first article, we’ll start with the Royalty of cybersecurity: password security. To do that, we’ll do it from a different perspective—the hackers.
The art of cracking passwords
As ethical hackers at Negative PID, we are familiar with various techniques to crack passwords and gain unauthorized access to accounts. Here are three common methods hackers employ.
Social engineering
Social engineering involves psychological manipulation or deceit to trick individuals into divulging confidential information, such as passwords. Hackers may impersonate trusted entities or exploit human emotions to trick users into revealing passwords.
For example, someone might impersonate your boss or someone with authority and ask you for sensitive information with urgency. Another common example is someone impersonating a friend or a social media connection asking for help to retrieve their credentials through your phone. Providing them with a security code sent to your device will allow them instant access to your account.
In doubt, choose to keep safe.
DO’S
- Use email aliases when you sign up for a service, social media, or other free accounts. Email providers or browser plugins provide these.
- If a friend or a connection asks for confidential or unusual information, propose continuing the conversation by phone or on a different account.
- If you doubt that the person reaching out to you is not who they say they are, ask them questions they would only know how to answer.
- If you are asked for confidential or unusual information by a person you don’t know (such as a banking institution, Government body, etc.), ask them to send you an email from their work email address or phone number so that you can validate their identity.
DON’T’S
- Don’t share your actual DOB, physical address, Social Insurance Number, or phone number on your profiles, not even in your friends/private circles.
- Don’t store information or pictures you don’t want to be public on social media accounts or the cloud. Don’t send them to yourself or anybody else by email, chat or phone. If your account is hacked, it can be used for extortion.
- Never share access to an account with someone else, and never approve unrequested access requests or links.
- Never help “a friend” recover their account by using your phone number to receive their verification code. Most of the time, the person behind the request tries to access your account, but it is not theirs.
Guessing based on interests or common words
Hackers often leverage information from social media profiles, public records, or personal interactions to guess passwords based on users’ interests, hobbies, or commonly used words. These attacks exploit predictable patterns and weak password choices. The dark web hosts lists of the most common passwords used in different countries, and these can fed to scripts that try to guess your password based on various combinations.
DO’S
- Value your privacy over likes, followers, and post shares. Keep your details private and protect the information of people you’re close to.
- If you post frequently or are a public figure, make sure that your actual location is not shared in real-time on your posts and that your pictures don’t reveal personal details or those of your family.
DON’T’S
- Don’t use names of people you’re close to, pet names, easily guessable words that your public profile or DOBs for your passwords can deduct.
- Avoid answering chains with quizzes or tests on your life or experiences: they are designed to gather user information to be exploited for password guessing.
Brute forcing
Brute-force attacks involve systematically trying every possible combination of characters until the correct password is discovered. The length and complexity of the password significantly impact the time and resources required to brute-force it. Longer passwords with a mix of characters are more resilient against brute-force attacks.
DO’S
- Use a different password for different accounts. This way, if a hacker gets access to one account, they won’t be able to access everything else.
- Prefer long passwords to complex ones. However, if you choose a short password, make it complex using lower- and uppercase letters, numbers, and special characters.
DON’T’S
- Never use the same password for different accounts, especially for personal and work stuff. Hackers will try to access as many as possible with their cracked passwords.
- Never use the password you use for your email address for another account. Your email contains valuable information and can be used to redirect emails to a different recipient without your knowledge.
How to choose a secure password
Now that you know the methods hackers use to crack passwords, here’s how you can choose a secure password you’ll remember to protect your accounts:
- Use a Passphrase: Consider using a passphrase instead of a traditional password. A passphrase is a sequence of words or sentences that is easy to remember but difficult to guess. For example, a line from a book is a strong passphrase that’s easy to remember but challenging for hackers to crack.
- Mix Characters and Symbols: To increase your password’s complexity, use a mix of uppercase and lowercase letters, numbers, and special symbols. Avoid using easily guessable substitutions or patterns, such as replacing “e” with “3” or “o” with “0.”
- Length Matters: Opt for longer passwords whenever possible, as they offer greater security against brute force attacks. Aim for at least 12 characters, but consider using even longer passwords for added protection.
Go the extra mile with a password algorithm
If you’re afraid you’ll never remember a long, complex password, here’s a trick from cybersecurity professionals. You can easily create your password algorithm. It’s easier than you think:
- Use the passphrase as a fixed part of your password.
- To identify the account, use a special symbol to separate the passphrase from the code.
- Append a code that you will use to identify the account you’re using that password for, the user and the date or number of the password change.
Embrace password managers and biometrics
Finally, you can use a reputable password manager to securely generate, store, and manage complex passwords. Password managers offer the convenience of storing all your passwords in one encrypted vault, accessible only with a master password or biometric authentication.
Many devices also support biometric authentication. It’s a safe option that will eliminate your password-remembering troubles.
So go ahead and keep your accounts safe with an uncrackable password!
