Passwords are the most practical way we have to protect our online identities. They guard personal devices, e-mail, banking applications and almost everything else we do over the internet. With so much sensitive data at stake, choosing good passwords matters a great deal in preventing identity theft. Passwords are also the most commonly used mechanism for authenticating users to an information system, and they are a major line of defence against attacks on your accounts or devices. The techniques cyber criminals use are much the same whether the target is a woman or anyone else. Let us look at a few of the techniques commonly used by cyber criminals to get hold of your passwords.
Various techniques used by hackers to retrieve passwords
Shoulder Surfing
One way of stealing a password is to stand behind someone and watch as they type it. The same can happen by listening in on a conversation, for example when you read your credit-card number out over the phone. Shoulder surfing is easy in crowded places. If a shoulder surfer observes your password, your confidential information is at risk: they can log in to your account and read, change or destroy what is there. A few tips to avoid shoulder surfing:
- Be aware of who is around you in public places while you are entering your passwords.
- Do not reveal your usernames and passwords to strangers.
- Shield the keyboard with your hand or body so that nobody else can see what you type.
Bruteforce attacks
Another way of getting a password is to guess it. Attackers start with what they know about the individual: the person's name, a pet's name or nickname, numbers such as date of birth or phone number, school name and so on, tried on their own and in combination. When the number of combinations is too large to try by hand, they turn to fast processors and cracking tools that try every possible combination; this is what is meant by a "brute force attack". A few tips to protect against guessing and brute force:
- You should not use a password that represents your personal information like nicknames, phone numbers, date of birth etc.
- Making passwords more complex increases the difficulty of attacks that rely on brute force or educated guessing.
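The following is an added example, not part of the original page, showing both halves of this section: how an attacker turns scraped personal details into a short list of guesses, and how the size of the search space decides whether exhaustive brute force is feasible. The profile, the passwords and the unsalted SHA-256 stand-in for a leaked hash are all constructed for illustration; the guess rate is an assumption.

```python
import hashlib

# Constructed profile of a fictional target, standing in for what an attacker
# could read off a public social-media page. Names and numbers are made up.
PROFILE = {
    "name": "Priya",
    "pet": "Rex",
    "school": "StMarys",
    "year_of_birth": "1990",
    "phone": "9876543210",
}


def targeted_candidates(profile):
    """Yield guesses built from personal details.

    Each word is tried in lower, Capitalised and UPPER form, alone and joined
    with the numbers from the profile and a few common suffixes ("123", "!").
    This is the educated guessing the text describes: a few hundred
    candidates instead of billions.
    """
    words = [profile["name"], profile["pet"], profile["school"]]
    numbers = [profile["year_of_birth"], profile["year_of_birth"][-2:],
               profile["phone"], profile["phone"][-4:]]
    suffixes = [""] + numbers + ["123", "!", "@123"]
    seen = set()
    for word in words:
        for form in (word.lower(), word.capitalize(), word.upper()):
            for suffix in suffixes:
                for candidate in (form + suffix, suffix + form):
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def leaked_hash(password):
    """Simulate the attacker's starting point: a stolen unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, candidates):
    """Offline guessing against a leaked hash.

    Unsalted SHA-256 is the stand-in hash so the example is self-contained.
    Returns (password, guesses_needed), or (None, guesses_tried) if the
    candidate list is exhausted.
    """
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
            return candidate, guesses
    return None, guesses


def brute_force_seconds(length, alphabet_size, guesses_per_second):
    """Worst-case time to try every string of `length` over an alphabet.

    The candidate count grows as alphabet_size ** length, which is why extra
    length and extra character classes matter far more than one symbol.
    """
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    found, n = crack(leaked_hash("Rex1990"), targeted_candidates(PROFILE))
    print(f"personal-info password: {found!r} after {n} guesses")

    found, n = crack(leaked_hash("t7#Qv!9mLp2x"), targeted_candidates(PROFILE))
    print(f"random password: {found!r} after {n} guesses")

    rate = 1e9  # assumed guesses per second for a GPU against a fast hash
    for desc, length, alphabet in (("8 lowercase letters", 8, 26),
                                   ("8 letters and digits", 8, 62),
                                   ("12 printable ASCII", 12, 95)):
        print(f"{desc}: {brute_force_seconds(length, alphabet, rate):.3g} s")
```

The pet name plus birth year falls in a few dozen guesses, the random twelve-character password is not in the list at all, and at a billion guesses per second eight lowercase letters take minutes while twelve mixed characters take longer than the age of the universe. Note that this only holds for an offline attack on a leaked hash; online guessing is limited by the server, which is the subject of the next section.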
Dictionary attacks
Hackers also try every word in a dictionary, and common variations of them, with the help of cracking tools. This is called a "dictionary attack". A few tips to protect against dictionary attacks:
- Do not use dictionary words (names of animals, plants, birds, places and the like) on their own when creating passwords for your accounts.
- On the service side, lock the account or increase the delay between login attempts after repeated failures.
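As an added example (not code from the original page), here is what the tip about locking or delaying the account looks like in practice: a per-account throttle with exponentially growing delays and a lockout, wired into a small login routine that stores salted PBKDF2 hashes. The usernames, passwords, delay values and wordlist are constructed, and the clock is injectable so the effect can be shown without waiting.

```python
import hashlib
import hmac
import os
import time


class LoginThrottle:
    """Per-account throttle: the wait after each failure doubles, then locks.

    After the n-th consecutive failure the account must wait
    base_delay * 2**(n-1) seconds (capped at max_delay); from lockout_after
    failures on it is locked for lockout_seconds. Attempts made before the
    wait has passed are refused before the password is even checked.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, lockout_after=10,
                 lockout_seconds=900, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._state = {}  # username -> (consecutive failures, next allowed time)

    def wait_time(self, username):
        """Seconds until the next attempt is allowed; 0.0 means allowed now."""
        _, next_allowed = self._state.get(username, (0, 0.0))
        return max(0.0, next_allowed - self.clock())

    def record_failure(self, username):
        failures = self._state.get(username, (0, 0.0))[0] + 1
        if failures >= self.lockout_after:
            delay = self.lockout_seconds
        else:
            delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[username] = (failures, self.clock() + delay)

    def record_success(self, username):
        self._state.pop(username, None)


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256, deliberately slow; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AccountStore:
    """Minimal user database wired to the throttle."""

    # Dummy record verified for unknown usernames so response time does not
    # reveal which accounts exist.
    _DUMMY = (b"\x00" * 16, b"\x00" * 32)

    def __init__(self, throttle):
        self.throttle = throttle
        self._users = {}

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'bad_password' or 'throttled'."""
        if self.throttle.wait_time(username) > 0:
            return "throttled"
        record = self._users.get(username)
        salt, digest = record if record is not None else self._DUMMY
        _, attempt = hash_password(password, salt)
        if record is not None and hmac.compare_digest(attempt, digest):
            self.throttle.record_success(username)
            return "ok"
        self.throttle.record_failure(username)
        return "bad_password"


class FakeClock:
    """Manually advanced clock for demonstrations and tests."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_dictionary_attack(wordlist, clock=None):
    """Fire a wordlist at one account as fast as possible; return the outcomes."""
    clock = FakeClock() if clock is None else clock
    throttle = LoginThrottle(base_delay=1.0, max_delay=60.0, lockout_after=5,
                             lockout_seconds=900, clock=clock)
    store = AccountStore(throttle)
    store.register("alice", "correct horse battery staple")  # constructed
    return [store.login("alice", guess) for guess in wordlist]


if __name__ == "__main__":
    # Constructed mini wordlist; a real one has millions of entries.
    words = ["password", "123456", "qwerty", "letmein", "alice1", "sunshine"]
    print(run_dictionary_attack(words))
    # -> ['bad_password', 'throttled', 'throttled', 'throttled', 'throttled', 'throttled']
```

Only the first guess is ever checked against the stored hash; every further attempt made without waiting is rejected outright, and after the fifth failure the account is locked for fifteen minutes. The throttle is keyed by username, so an attacker who spreads guesses across many accounts (password spraying) needs an additional limit per source address, which this example does not include.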
Password recovery/reset systems
An intruder may not need to get the password from the user if he can persuade the authentication system to either mail it to him or change it to something of his choice. Systems to allow the legitimate user to recover or change a password they have forgotten can also let other people do the same. Helpdesk operators need to be particularly careful to check the identity of anyone asking for a password reset. On-line systems that rely on “secret questions” such as “name of first school” or “birthday” are trivial to defeat if that information can be found on a social network. Systems that send reminders to a backup e-mail address or phone number can fail if the user changes address or number allowing the abandoned backup to be registered by someone else. Remember that any rule that applies to your password also applies to your password recovery question, which should be something no one should guess – and, like your password, something you should never reveal to others.
- For recovery questions, use answers that cannot be found on social media or public websites.
- Activate two-factor authentication.
Rainbow table attack
Rainbow tables aren't as colourful as their name may imply, but for a hacker your password could well be at the end of one. A rainbow table is a precomputed table that maps password hashes back to the passwords that produced them, for a given hashing algorithm, so that cracking a leaked hash becomes a matter of looking it up rather than guessing. That is what makes them attractive. They are still huge, unwieldy things, and they only work against unsalted hashes: when a system mixes a random per-user salt into each hash, a table built in advance no longer matches anything.
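An added example, not from the original page, of why precomputation works against unsalted hashes and stops working as soon as a per-user salt is added. The candidate list is a constructed stand-in for the wordlist a rainbow table is built from, and a plain dictionary stands in for the table itself (real rainbow tables store hash chains and trade space for lookup time, but the outcome for an unsalted digest is the same).

```python
import hashlib
import os

# Constructed stand-in for the candidate list a rainbow table is built from.
# Real tables cover billions of candidates; ten are enough to show the effect.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "sunshine", "iloveyou",
                    "princess", "football", "monkey", "dragon", "welcome1"]


def build_lookup_table(passwords, algorithm="sha1"):
    """Precompute digest -> password for every candidate.

    A real rainbow table stores hash chains and recomputes them on lookup to
    save space, but the outcome is the same as this dictionary: once built,
    any unsalted digest of a covered password is reversed in one lookup.
    """
    return {hashlib.new(algorithm, p.encode()).hexdigest(): p for p in passwords}


def unsalted_hash(password, algorithm="sha1"):
    """The weak scheme: the same password gives the same digest for every
    user on every site, so one precomputed table serves every breach."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def salted_hash(password, salt, algorithm="sha1"):
    """Digest of salt || password. The salt is random per user and stored in
    the clear beside the digest; it need not be secret, it only has to make
    each user's digest unique so a table built in advance does not apply."""
    return hashlib.new(algorithm, salt + password.encode()).hexdigest()


def reverse_digest(table, digest):
    """The attacker's move: one dictionary lookup, or None if not covered."""
    return table.get(digest)


def compare_storage_schemes(password):
    """Reverse the same leaked password under both schemes with one table.

    Returns (result against unsalted digest, result against salted digest).
    """
    table = build_lookup_table(COMMON_PASSWORDS)
    from_unsalted = reverse_digest(table, unsalted_hash(password))
    from_salted = reverse_digest(table, salted_hash(password, os.urandom(16)))
    return from_unsalted, from_salted


def same_password_distinct_digests(password):
    """Two users who choose the same password do not share a stored digest."""
    return salted_hash(password, os.urandom(16)) != salted_hash(password, os.urandom(16))


if __name__ == "__main__":
    print(compare_storage_schemes("sunshine"))          # -> ('sunshine', None)
    print(same_password_distinct_digests("sunshine"))   # -> True
```

A salt defeats the precomputed table but not a per-user brute-force run against a fast hash such as SHA-1; that is why password stores pair the salt with a deliberately slow function (PBKDF2, bcrypt, scrypt or Argon2) rather than a plain hash.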
Phishing
Phishing is the practice of sending fraudulent communications that appear to come from a reputable source. Cyber criminals use it to trick the recipient into believing the message is genuine so that they hand over information such as usernames, passwords, PINs, bank account and credit card details to someone masquerading as a trustworthy entity. Phishing is typically carried out by spoofed e-mail or instant messages and often directs users to enter their details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to mislead users.
- Be watchful of emails asking for login information, and reach a site by typing its address yourself rather than clicking a link in the message.
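The following is an added example, not part of the original page, of the checks a mail filter or a cautious reader applies to the links in a message like the one described: does the visible address match where the link actually goes, does the URL hide the real host behind an "@", does it point at a raw IP address or a punycode look-alike domain? The e-mail body and every domain in it are constructed from reserved example names.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing e-mail body. All hosts are reserved documentation
# names (example.com/net, TEST-NET-3); nothing here points at a real site.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been suspended. Verify within 24 hours:</p>
<a href="http://mybank-secure-login.example.net/verify">https://www.mybank.example.com/login</a>
<p>Or use our mobile site:</p>
<a href="https://www.mybank.example.com@203.0.113.10/login">www.mybank.example.com</a>
<p>Unsubscribe: <a href="https://www.xn--mybnk-8ra.example.com/u">mybank.example.com</a></p>
<p>Help: <a href="https://www.mybank.example.com/help">www.mybank.example.com/help</a></p>
"""

# Visible link text that a reader would take to be an address.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the reasons a link looks like a phishing lure (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    if parsed.scheme not in ("http", "https"):
        return reasons  # mailto:, tel: and friends are out of scope here
    target = (parsed.hostname or "").lower()
    if parsed.username is not None:
        reasons.append("user info before '@' hides the real host")
    if is_ip_literal(target):
        reasons.append("link goes to a raw IP address")
    if any(label.startswith("xn--") for label in target.split(".")):
        reasons.append("internationalised (punycode) host, possible look-alike")
    if URL_LIKE.match(text):
        shown = hostname(text)
        # A link whose target is a subdomain of the shown host is accepted.
        if shown != target and not target.endswith("." + shown):
            reasons.append(f"text shows {shown} but link goes to {target}")
    return reasons


def suspicious_links(html):
    """Return (href, text, reasons) for every link with at least one reason."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Three of the four links are flagged and the genuine help link is not. The displayed-versus-actual check is the one a reader can do by hand: hover over, or long-press, the link and compare the real destination with what the text claims before typing anything.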
Password embedded in code
Passwords are also sometimes disclosed by being included in scripts or programs. While this may appear an easy way to automate access to an interactive system it carries high risks of disclosure and alternatives should be used wherever possible. The worst possible outcome is for a script containing a plaintext password to end up on a public website.
- If there is no other alternative then the script or program must be very carefully protected against deliberate or accidental access.
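An added example, not from the original page, of the alternative to a password embedded in code: a loader that takes the secret from the environment or from a file and refuses to start if the file is readable by anyone else, plus a simple pre-commit style scanner for literal passwords in source. The variable names, file names and sample source lines are constructed; the permission check assumes a POSIX file system.

```python
import os
import re
import stat
import tempfile

# The pattern this section warns against, as a constructed example:
#
#     DB_PASSWORD = "Summer2019!"   # ends up in git history, backups, pastes
#
# Below is the alternative: the password lives in the environment or in a file
# that only the running user can read, and the program refuses to start without it.


class SecretError(RuntimeError):
    """A secret is missing or its storage is not adequately protected."""


def check_secret_file(path):
    """Return problems with a secret file; an empty list means acceptable.

    Requires a regular file, owned by the current user where the platform
    exposes ownership, with no group/other permission bits (mode 0600 or stricter).
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append(f"{path}: not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: accessible to group/others "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def load_secret(name, file_path=None, env=None):
    """Fetch secret `name` from the environment, else from `file_path`.

    Fails closed: no secret, or an unprotected file, raises SecretError
    rather than falling back to a default baked into the code.
    """
    env = os.environ if env is None else env
    if env.get(name):
        return env[name]
    if file_path is None:
        raise SecretError(f"{name} is not set and no secret file was given")
    problems = check_secret_file(file_path)
    if problems:
        raise SecretError("; ".join(problems))
    with open(file_path, encoding="utf-8") as fh:
        value = fh.read().strip()
    if not value:
        raise SecretError(f"{file_path} is empty")
    return value


# Cheap pre-commit check for the simple case: a literal assigned to a
# password-like name. It does not catch every way a secret can leak.
HARDCODED_SECRET = re.compile(
    r"""(?i)(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"'\s]{4,}["']""")


def find_hardcoded_secrets(lines):
    """Return (line number, line) for each line matching HARDCODED_SECRET."""
    return [(n, line.strip()) for n, line in enumerate(lines, 1)
            if HARDCODED_SECRET.search(line)]


def demo_file_protection():
    """Create a secret file, check it at mode 0600 and again at 0644.

    Returns (problems_at_0600, loaded_value, problems_at_0644).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "db_password")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("s3cret-from-file\n")  # constructed value
        os.chmod(path, 0o600)
        strict = check_secret_file(path)
        value = load_secret("DB_PASSWORD", path, env={})
        os.chmod(path, 0o644)
        loose = check_secret_file(path)
    return strict, value, loose


if __name__ == "__main__":
    print(demo_file_protection())
    sample = ['import os',
              'db_password = "Summer2019!"',                        # constructed
              'API_KEY = "sk-constructed-0000"',                   # constructed
              'password = os.environ["DB_PASSWORD"]',
              'token = load_secret("API_TOKEN", "/etc/app/token")']
    print(find_hardcoded_secrets(sample))
```

The loader reads the same file twice in the demo only to show the check flipping from clean to refused when the mode is relaxed; in a real deployment the file is written once by the operator with mode 0600 and the program simply fails to start if that ever changes. The scanner is deliberately crude and will have false positives; the point is that it runs before a commit, when the fix is still cheap.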
Social engineering
The simplest way to discover someone's password is to make them tell you. Sharing a password with a stranger can cost you your personal information: once they can log in as you, they can read, copy, modify or delete whatever is there. Attackers get people to hand over passwords by posing as someone trustworthy, such as a helpdesk or a bank, or by persuading them to type it into a website the attacker controls (phishing).
- You must not share passwords with unknown persons (strangers) through email or SMS or any other means.
Trojan, Virus & Malware
A keylogger or screen scraper installed by malware records everything you type, or takes screenshots during a login, and forwards the results to the attacker. Some malware also looks for the web browser's saved-password file and copies it; unless that store is properly encrypted, it contains readily accessible passwords for every site the user has saved.
- Install antivirus software, and keep it and your operating system up to date, to protect your device from malware, Trojans and viruses.
Using weak Passwords or blank passwords
Weak and blank passwords are among the easiest ways for attackers to break into your system. The same techniques cyber criminals use to guess the answers to secret questions can also be used to guess passwords. Anything based on something your friends know, or that is available on a website, is a very poor choice as a password.
- Always use strong passwords.
Writing your passwords on paper or storing them unprotected on a hard disk
Strangers search through papers and disks for passwords that have been written down.
- Do not write passwords on paper or keep them in a plain file on a disk drive.
- Do not select 'Yes' when applications ask whether to remember your passwords for you unless the store is protected: a dedicated password manager that encrypts its vault with a strong master password is a different matter from an unencrypted 'remember me' list.