Password Security: How Hackers Steal Data and Savvy Users Keep It Safe
Posted: Feb 15th 2015
Digital security has never been more important than it has been in 2014. Cyber crimes are becoming both more prolific and more devastating.
Most recently, the world learned that Russian hackers had stolen 1.2 billion unique password and user name combinations. Shortly afterward, two US supermarkets announced they too had been hacked. Customers' credit card information was stolen from 180 stores across seven states.
Hackers have also targeted the healthcare industry. Over 200 hospitals across the US suffered from a major security breach. The criminals took 4.5 million patient records by exploiting a flaw in a system made vulnerable by the Heartbleed bug.
Heartbleed shocked the world after news of its existence broke in April 2014. It left millions of websites open to attack. Reuters estimated that the bug cost businesses tens of millions of dollars.
These examples illustrate the increasing scale of cyber criminal attacks. Recent studies confirm that these attacks affect an exponential number of people, with a related surge in the revenue acquired by criminals.
How Hackers Are Doing It
There's no limit to the time and creativity being invested by the latest generation of cyber thieves. This has led to an ever-expanding number of tactics and exploits through which attacks may be executed. As a result, cyber thieves now have more tools at their disposal to help them steal protected information or money online.
Currently, the most newsworthy method is breaching the security of a major corporation or organization, as was the case in the examples discussed earlier. Unfortunately, there's nothing that the average person can do to protect his or her information from this type of attack.
Hackers also steal their victims' information by strong-arming their way into otherwise secure systems. These brute-force efforts crack passwords by systematically running through every password possibility. Criminals using this attack can narrow down the search using known details about the password or user. They can also speed up the process using dictionaries of common password combinations, like "abc123" or "password."
Another popular hacker trick is phishing. Phishing occurs when hackers pose as trustworthy companies to trick people into giving up their sensitive account information. Typically, the recipient receives an email or instant message urging them to enter their account information on a fake website that looks identical to the real one.
Criminals also use social engineering techniques to trick people into giving up their passwords. They know that people will sometimes accidentally reveal important information to friendly strangers. Similarly, hackers can convince people to give up their passwords by pretending to be legitimate IT specialists hired by the company.
While many of these methods seem crude, they can be very effective.
How Users Are Staying Safe
While it seems little can be done to defend against these attacks, the first and most important step is to revisit password strategies.
In order to properly use passwords, one must understand the concept of password strength. IT professionals evaluate the durability of a password by classifying it in terms of bits. In short, the more bits a password has, the stronger it is.
Passwords with 12 case-sensitive letters have 64-bits which could take a hacker quite some time to crack. However, the use of symbols, numbers, and case-sensitive letters can substantially improve password strength. According to information security expert George Shaffer, an eight-character password of this complexity is unlikely to be cracked for two years.
A single strong password isn't enough protection, though, as it may be leaked to an attacker through social engineering or some other attack. Given the risk, the best strategy is to use a unique strong password for every account.
Password Managers
Password managers offer a convenient solution for the handling of complex passwords. These applications typically provide features for the generation and storage of passwords.
Many password managers also provide automatic password auditing to identify weak or shared passwords. Some even issue alerts in the event that a password is compromised, providing a chance to salvage a compromised account before any damage is done.
There are few downsides to using a password manager. The most notable is the chance of the password database being stolen or compromised. However, many of these databases are stored online in encrypted form, so the benefits tend to outweigh the risks.
Multi-Factor Authentication
Standard authentication, or logging in, relies on a username and password. If an attacker obtains the password associated with a username, they can easily compromise the related account. As its name suggests, multi-factor authentication (MFA) instead relies on multiple pieces of information, providing an added degree of protection.
Typically, MFA requires two pieces of information: something you know and something you have. An example of MFA in everyday life would be authentication for ATM access. In order to access your bank account through an ATM, you need something you know (your PIN) and something you have (your card). Similarly, accessing an MFA-enabled account requires not only a password, but also interaction with something you have, such as a mobile phone or digital fob.
When available, MFA is one of the best available options for protecting an account. Banks and larger IT service providers, like Google and Microsoft, usually offer MFA, but most services do not.