How to Create a Secure Password

Mark Fairlie

One of the easiest ways for hackers to get into your network and online accounts is by password. What's the best way to defend yourself against cyberattacks?

Over the past 20 years, cybercriminals have devised various ways to get people's passwords. For hackers, it's worth the effort. To them, your password is the key to potential untold riches. If your personal password is stolen, a hacker could take out a loan in your name, make dozens of unauthorized online purchases, or install malware on your computer. If your business is compromised, the rewards may be even greater. Hackers could access sensitive information and steal your customers' data. Considering what's at risk, you need to know how to create secure passwords that will keep cybercriminals at bay.

FYI: The average cost of a cyberattack to U.S. businesses is $133,000. The risks are so great that many companies now take out cyber insurance policies.

Importance of secure passwords

You should never underestimate the creativity of cybercriminals to hack your password. That's why you should also be at your most creative when coming up with passwords. The more unusual your password is, the harder it is for a human or machine to guess it.

So many password hacks are successful because:

  • We share so much information about ourselves online. 
  • We use the same password again and again across accounts.
  • We're not creative at coming up with passwords.

Was your son James born on Feb. 1, 2015? Did you mention it on Facebook? If your password is "James20150201," you shouldn't be too surprised if a hacker guesses it correctly.

But successful password hacking is much more than guesswork, as you can see below.

Types of cybersecurity attacks on passwords

Dictionary attack

Dictionary attacks don't actually go through every word in the dictionary to guess people's passwords. They work by attempting common words, phrases and easy-to-guess passwords in quick succession.

What are easy-to-guess passwords? According to NordPass, at least 12 million Americans use one or more of these top 20 guessable passwords.

Password | Number of U.S. users

Brute-force attack

Brute-force attacks are less sophisticated versions of dictionary attacks. They work by systematically going through endless combinations of characters, numbers and letters in very quick succession until one succeeds.

Did you know? It's been possible since 2012 to break into an eight-character Windows password in under six hours with brute-force software.

Password spraying

Hackers attempt to access hundreds or thousands of accounts at any one time with dictionary attacks and brute-force attacks. Password-spraying attacks are different: They focus on hacking just a small number of victims.

The software hackers use detects how many wrong logins can be attempted at the start of an attack before an account is locked and referred to the internal IT team. It then returns to each user's login page at set intervals to try to get into the system without causing the user's account to be frozen.
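A defender's view of the behaviour described above, as an added example that is not part of the original article: it flags accounts whose failed logins never trip the lockout in a short window but keep accumulating over a longer one. The log format, account names and all thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy (not from the article): lock after 5 failures in 15 minutes.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
# Detection reviews a much longer period than the lockout policy does.
REVIEW_WINDOW = timedelta(hours=24)
REVIEW_THRESHOLD = 8

def build_sample_log():
    """Constructed log lines in the form '<ISO time> <account> <FAIL|OK>'."""
    start = datetime(2024, 1, 10, 9, 0)
    # alice: two failures every 30 minutes, never enough to trip the lockout.
    offsets = [(30 * i + j, "alice", "FAIL") for i in range(5) for j in range(2)]
    # bob: an ordinary user mistyping three times, then logging in.
    offsets += [(5, "bob", "FAIL"), (6, "bob", "FAIL"), (7, "bob", "FAIL"), (8, "bob", "OK")]
    return [f"{(start + timedelta(minutes=m)).isoformat()} {a} {r}" for m, a, r in sorted(offsets)]

def failures_by_account(lines):
    failures = defaultdict(list)
    for line in lines:
        ts, account, result = line.split()
        if result == "FAIL":
            failures[account].append(datetime.fromisoformat(ts))
    return failures

def max_burst(times, window):
    """Largest number of failures inside any sliding window of the given length."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best

def low_and_slow(lines):
    """Accounts with many failures over the review window but no burst that locks them."""
    flagged = {}
    for account, times in failures_by_account(lines).items():
        recent = [t for t in times if max(times) - t <= REVIEW_WINDOW]
        burst = max_burst(recent, LOCKOUT_WINDOW)
        if len(recent) >= REVIEW_THRESHOLD and burst < LOCKOUT_THRESHOLD:
            flagged[account] = (len(recent), burst)
    return flagged

if __name__ == "__main__":
    print(low_and_slow(build_sample_log()))
```

Each flagged entry is (failures in the review window, largest burst inside one lockout window), so the second number shows how far under the lockout limit the attempts stayed.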

Rainbow attack

On your home or office network, your passwords are encrypted into a cryptographic alias called a "hash." If cybercriminals don't guess your hash, you're safe. If they do, then the passwords of everyone on your network become available.

To get into these networks, hackers have begun to work together to create "rainbow tables," allowing them to share information on hashes they've already created. This is because hashes take a long time to generate, and, by pooling their information together, they can attempt to break in using more hashes in a shorter time frame.
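Why a table of hashes built in advance stops working once every password is hashed with its own random salt, as an added example that is not part of the original article. A plain lookup dictionary stands in for a real rainbow table here, and the three-word list, SHA-256 and the PBKDF2 parameters are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the inputs of a precomputed table.
COMMON = ["123456", "password", "qwerty"]

def unsalted(password):
    """Weak storage: the same password always produces the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

# Built once, then reusable against every database that stores unsalted hashes.
PRECOMPUTED = {unsalted(p): p for p in COMMON}

def store_salted(password, iterations=200_000):
    """Stronger storage: a random per-user salt plus a deliberately slow hash."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)

def table_lookup(stored_hex):
    return PRECOMPUTED.get(stored_hex)

def demo():
    first_user = store_salted("qwerty")
    second_user = store_salted("qwerty")
    return {
        # Same input, same hash: the precomputed entry matches.
        "unsalted_recovered": table_lookup(unsalted("qwerty")),
        # The salt changes the output, so the table has no matching entry.
        "salted_recovered": table_lookup(first_user[2].hex()),
        # Two users with the same password still get different stored values.
        "identical_records": first_user[2] == second_user[2],
        "login_still_works": verify("qwerty", first_user),
        "wrong_password_rejected": not verify("qwerty1", first_user),
    }

if __name__ == "__main__":
    print(demo())
```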

Social engineering

Have you ever received a call, email or letter from someone pretending to be from the IRS? You're not alone. Their latest trick is to send victims fake CP2000 forms to convince taxpayers to transfer money for alleged unpaid and overdue taxes. Sometimes these CP2000 forms also contain malware.

Our lives are so hectic these days that we've learned to take shortcuts to cope – and hackers take advantage of these shortcuts. This is called "social engineering."

To pull off these scams, cybercriminals pretend to be authority figures. They then rely on their victims' trust in an institution or business to get the information they want, including their passwords. This is called "vishing" when done over the phone and "smishing" when done by text message.


Phishing

The most common form of social engineering is by email – often called "phishing." A common phishing attempt is sending people emails that invite them to log in to a website because their account was frozen in response to "suspected fraudulent activity." Sometimes it's an email from a courier, asking them to pay to receive a package.

More sophisticated "spear phishing" attacks involve getting information about the senior people in your company from social networks like LinkedIn. The attackers then pretend to be the CEO or another higher-up and send spoof emails to employees, asking for sensitive information like network passwords and shared drives.

Tip: Train your staff to recognize these attack attempts. Most breaches in cybersecurity are due to human error. The clearer the guidelines are, the less likely your staff is to be manipulated by a criminal over the phone or email.


Keyloggers

Keyloggers are malicious software programs that record the strokes you make on your keyboard. Every time you press a key, it's recorded and sent back to the hacker. So, whenever you visit a website, the hacker can see where you've gone even though they can't see your screen. They can then match the username and password you use to log in to a particular network or account.

Keyloggers are often inadvertently installed onto computers when they are hidden in free software bundles.

Man-in-the-middle attacks

Man-in-the-middle attacks involve a cybercriminal intercepting company email communications. They pretend to be one of your employees and email requests to your customers to log in to your website. Of course, it's not your website the hacker will send your customer to; it's theirs. When your customer inputs their details, it reveals their username and password.

Traffic interception

This is like a man-in-the-middle attack, but instead of intercepting communications from customers, hackers monitor and capture valuable data sent over your network. Wi-Fi networks and unencrypted data are particularly vulnerable.

Even on secure networks, sensitive information such as passwords can be intercepted.

Best practices for maintaining and keeping your password safe

Hackers use other techniques to steal passwords in addition to the nine we've listed. Ultimately, though, your password security begins and ends with you. So, how should you defend yourself?

1. Make your passwords long.

The longer your password is, the harder it is for hackers to guess. Long passwords also make dictionary, brute-force, password-spraying and rainbow attacks much harder for cybercriminals.

One way to make your passwords longer is to make them sentences. To complicate them further, you could capitalize the first (or last) letter of every word and separate the words with symbols like dollar signs or exclamation marks.

Tip: Try not to use letters or numbers in sequence, like "123456" or "qwerty."

2. Vary your passwords.

If a hacker gets into one of your accounts, that's bad. But if they can get into a lot more of them because you always use the same password, this could cost you a lot of money. If a hacker gains access to multiple systems because you use the same password, this is the type of data breach that could be catastrophic financially and reputationally. Clients won't stay with a company they don't trust with their personal and business details.

Use a different password for each online, cloud and network account you have. That way, if one is compromised, the rest are still safe.

3. Use single sign-on.

If you have dozens or hundreds of different logins, it may not be feasible to remember that many passwords. Safe password tools such as single-sign-on (SSO) solutions act as a central database of your usernames and passwords for every account you have. All you have to remember is the username and password for the SSO.

4. Use a password manager.

Password managers take the concept of safe password tools one step further – they're essentially online access control systems. Your password manager recognizes when you're on a particular website and auto-fills your username and password into the relevant boxes.

5. Make sure your password hasn't already been compromised.

When cybercriminals steal usernames, passwords, and other personal information (particularly debit and credit card information), they often sell them on the dark web to other hackers.

Free services like Have I Been Pwned? allow you to see if your phone number or email address has been involved in a breach. Paid alternatives are also available.

6. Use a random password generator.

Perhaps best used with either a safe password tool or a password manager, a random password generator allows you to generate your own secure passwords.
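What such a generator does, and how length drives strength, as an added example that is not part of the original article: it draws from the operating system's cryptographic random source and measures each result in bits of entropy. The 32-word list and the symbol set are constructed assumptions, and the passphrase format follows the capitalised, symbol-separated style from step 1.

```python
import math
import secrets
import string

# Constructed 32-word list for the demo; a real generator needs thousands of words.
WORDS = ("amber anchor basil candle cedar copper dune ember falcon garnet harbor "
         "indigo juniper kettle lantern maple nickel orchid pebble quartz raven "
         "saddle thistle umber velvet walnut xenon yarrow zephyr birch cobalt dahlia").split()
SYMBOLS = "$!#%"
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def random_password(length=16):
    """Uniformly random characters from a CSPRNG (secrets, not the random module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def passphrase(n_words=6):
    """Random capitalised words joined by random symbols."""
    parts = [secrets.choice(WORDS).capitalize()]
    for _ in range(n_words - 1):
        parts.append(secrets.choice(SYMBOLS))
        parts.append(secrets.choice(WORDS).capitalize())
    return "".join(parts)

def password_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a random password: every character is an independent choice."""
    return length * math.log2(alphabet_size)

def passphrase_bits(n_words, list_size=len(WORDS)):
    """Only the random choices count; fixed capitalisation adds nothing."""
    return n_words * math.log2(list_size) + (n_words - 1) * math.log2(len(SYMBOLS))

if __name__ == "__main__":
    print(random_password(), f"{password_bits(16):.1f} bits")
    print(passphrase(), f"{passphrase_bits(6):.1f} bits with the demo list")
    print(f"{passphrase_bits(6, 7776):.1f} bits with a 7,776-word list")
    print(f"{password_bits(8, 26):.1f} bits for 8 random lowercase letters")
```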

7. Use a VPN or the cell network to connect.

Consumers and businesses use virtual private networks (VPNs) to protect their online anonymity. VPN encryption is particularly powerful. Plus, your VPN provider scrambles your username and password whenever you log in to a company network or an e-commerce store.

If you don't have a VPN and you want to log on to a network or site, choose the cellular network over any local Wi-Fi network. Wi-Fi networks are insecure and particularly prone to man-in-the-middle attacks.

FYI: The best VPN services provide strong security and anonymity online. Learn more about some top options in our review of IPVanish and our NordVPN review.

8. Check for the padlock.

Whenever you visit a website that prompts you for any information, make sure it's secure by checking whether there is a padlock icon next to the web address in your browser.

If you visit a website by clicking on a URL in an email or text message you receive, you should also see if the URL looks authentic. If it doesn't, log in to the website using the URL you normally would, just to be sure.

9. Use authenticator smartphone apps.

Authenticator apps offer an additional layer of security. On certain apps, you can request an authentication code when you try to log in to your account. You then receive a code by text, which you'll input to access the website.

This means that, even if someone guesses your username and password, they can't access your account because they don't have the authentication code.

10. Use multifactor authentication.

Multifactor authentication works similarly to authenticator apps. It requires you to log in two or more times, first with your username and password. The second authentication method could be, for example, scanning your fingerprint or iris on your phone.

11. Keep your password to yourself.

Don't share your passwords with anyone, even friends and family. In vishing attacks, someone pretending to be from your bank, the IRS, or another online service you use may request your password as part of their "security clearance protocols." Under no circumstances should you do so. In this situation, it's better to end the call immediately. 

12. Don't share so much online.

Targeted phishing attacks rely on publicly available information, particularly on social media. Many of us use the names, birthdates, and birthplaces of relatives (particularly children) in our passwords, because this is information we're not likely to forget. However, if a hacker can find out this information via your social media, they're likely to use it when trying to log in to your account.

Mark Fairlie Contributing Writer
Mark Fairlie has written extensively on business finance, business development, M&A, accounting, tax, cybersecurity, sales and marketing, SEO, investments, and more for clients across the world for the past five years. Prior to that, Mark owned one of the largest independent managed B2B email and telephone outsourcing companies in the UK before selling up in 2015.