February 9, 2023
We’ve all seen movies or TV shows where criminals sit down at someone’s password-protected computer and within seconds announce, “I’m in.”
The hackers then proceed to access secret files and sensitive information.
You may have wondered – how likely is this scenario?
The answer may surprise you.
A recent survey published by NordPass – a proprietary password manager – reported what were found to be the most common passwords used worldwide.
This list of 200 passwords also included the approximate time it would take a hacker to crack the various passwords.
Researchers found that 168 of the 200 passwords could be defeated in under one second. Weak passwords are among the principal vulnerabilities that lead to data breaches.
Hint: if your password contains the word “password,” it’s not secure.
Cybercriminal tactics
Criminals use a variety of techniques to bypass weak passwords.
The first, and arguably the easiest, is social engineering, a form of manipulation in which criminals trick people into sharing sensitive information, including passwords.
To save time, these criminals will use previously leaked data to target a large number of people, sometimes sending thousands of emails and text messages a day.
They may pose as your IT department, a corporate officer or a customer service representative, typically urging you to click a malicious link or enter your credentials on a look-alike login page.
Or they may try to fool you into granting them access to internal resources that contain private data.
Either way, they are after your account credentials.
Another tactic of cybercriminals is to take advantage of already leaked passwords.
Since many people use the same passwords across different websites, criminals are able to exploit these data leaks by trying to use stolen credentials across multiple sites.
Often executed through large-scale, automated attacks, this tactic, known as credential stuffing, can be effective for criminals.
A more time-consuming, yet still popular, way for criminals to get your password is a dictionary attack, in which the attacker systematically tries common words and phrases, along with lists of previously leaked passwords, against an account or network.
This tactic can also be used to defeat file encryption, since an encrypted file can be attacked offline with nothing to slow the guessing down.
Rather than trying every possible combination of letters, numbers and symbols, which is called a brute-force attack, cybercriminals focus on a much smaller collection of candidates that have a high probability of being right.
One drawback of this tactic, when it is aimed at a live login page, is that many websites will lock an account after too many unsuccessful login attempts.
To overcome this, criminals take the guessing offline and work against password hashes stolen in a breach, a technique sometimes described as reverse hashing.
When you create an account online, a well-run site does not store your password itself; it stores a hash of it.
This means the password is run through a one-way algorithm that turns a simple password like “password123” into a fixed-length hash value, similar to “d852a07c1a3065d42be9b119fd92091e.”
A hash cannot be run backwards, but a criminal who obtains a site’s hash database can run a dictionary of probable passwords through the same hashing algorithm and match the results against the stolen hashes, recovering every account whose password appears in the list, with no login attempts and therefore no lockouts.
Sites that add a unique random salt to each stored password and use a deliberately slow hash such as bcrypt or Argon2 make this far more expensive, but you cannot tell from the outside which sites do, which is why the password itself must not be guessable.
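The offline attack described above, as an added example in Python that is not part of the column and not from NordPass or any vendor. The wordlist, the three sample accounts and their passwords are constructed for the demo; the salt and PBKDF2 iteration count are assumptions (20,000 so it runs in a moment, where OWASP recommends at least 600,000 for PBKDF2-HMAC-SHA256). It shows why a stolen database of unsalted MD5 hashes falls to one precomputed table with no login attempts at all, and how per-user salts force the attacker to redo every guess for every account.

```python
import hashlib
import os

# Constructed wordlist standing in for a leaked-password list such as
# NordPass's top 200 (assumption: real lists are far larger).
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein",
            "iloveyou", "admin", "welcome1"]

# Constructed "stolen database": two accounts using wordlist passwords and one
# using a long random password. Hashed below only to build the sample dump.
USER_PASSWORDS = {"alice": "password123", "bob": "qwerty", "carol": "J7#vq2L!mXp9zR"}

DEMO_ITERATIONS = 20_000  # assumption: lowered from OWASP's >= 600,000 for speed


def md5_hex(password: str) -> str:
    """Fast, unsalted hash: what a poorly run site might store."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Hash every candidate once. The table is reusable against every unsalted
    dump the attacker ever obtains (the 'reverse hash' idea in the column)."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(dump, table):
    """dump maps username -> md5 hex. One dictionary lookup per account; no
    login attempts are made, so account lockout never triggers."""
    return {user: table[h] for user, h in dump.items() if h in table}


def pbkdf2_hex(password: str, salt: bytes, iterations: int) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from hashlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_record(password: str, iterations: int):
    """What a careful site stores: a fresh random salt plus the slow hash."""
    salt = os.urandom(16)
    return salt, pbkdf2_hex(password, salt, iterations)


def crack_salted(dump, words, iterations):
    """dump maps username -> (salt, hash). The precomputed table is useless:
    every candidate must be rehashed for every account at the KDF's full cost.
    Returns (recovered passwords, number of hash computations performed)."""
    found, work = {}, 0
    for user, (salt, digest) in dump.items():
        for w in words:
            work += 1
            if pbkdf2_hex(w, salt, iterations) == digest:
                found[user] = w
                break
    return found, work


UNSALTED_DUMP = {u: md5_hex(p) for u, p in USER_PASSWORDS.items()}
SALTED_DUMP = {u: make_salted_record(p, DEMO_ITERATIONS) for u, p in USER_PASSWORDS.items()}


def run_demo():
    """Crack both dumps with the same wordlist and report the work required."""
    table = build_lookup_table(WORDLIST)
    unsalted_hits = crack_unsalted(UNSALTED_DUMP, table)
    salted_hits, work = crack_salted(SALTED_DUMP, WORDLIST, DEMO_ITERATIONS)
    return unsalted_hits, len(table), salted_hits, work


if __name__ == "__main__":
    unsalted, table_size, salted, work = run_demo()
    print(f"unsalted MD5: recovered {unsalted} with {table_size} hashes total, reusable forever")
    print(f"salted PBKDF2: recovered {salted} only after {work} hashes, "
          f"each {DEMO_ITERATIONS} times slower than MD5, and none reusable")
```

Both dumps give up alice and bob because their passwords are on the list, and neither gives up carol; the difference is cost. The unsalted table costs eight hashes once and answers every future breach instantly, while the salted run needs 15 slow hashes for three accounts and would need to start over for the next site. Notice that the site's choice of hashing is invisible to the user, so the only defence in the user's hands is a password that is not on anyone's list.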
There are other less technical ways a criminal could steal your passwords, such as shoulder surfing or extortion.
Simple protection steps
Whatever the method, there are a few common-sense steps you can take to mitigate the risk.
First and foremost, create strong and unique passwords.
Strive for at least 12 characters – include upper- and lower-case letters, numbers and symbols, and avoid common words or phrases.
Don’t reuse passwords across different accounts or websites, update them regularly, and change any password immediately if the site that holds it reports a breach.
The more complex and unpredictable your passwords are, the better.
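An added example, not from the column, of how a password manager (or a careful user) builds the kind of password described above, and of what "unpredictable" buys you in numbers. The character classes, the symbol set and the assumed guessing speed of 100 billion guesses per second (a figure for a GPU rig against a fast hash like MD5) are assumptions made for this demo.

```python
import math
import secrets
import string

# Character classes the column asks for (symbol set is an assumption).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           "!@#$%^&*()-_=+[]{};:,.?/"]
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 16) -> str:
    """Draw every character from the OS CSPRNG via `secrets` (never `random`),
    guarantee at least one character from each class, then shuffle so the
    class positions are not predictable either."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    chars = [secrets.choice(c) for c in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # Fisher-Yates on the CSPRNG
    return "".join(chars)


def covers_all_classes(password: str) -> bool:
    """True when the password contains at least one character of every class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password: log2(alphabet ** length).
    A password picked from a 200-entry list has only log2(200) bits, whatever
    its length, because the attacker tries the list, not the alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e11) -> float:
    """Time to try every candidate at the assumed rate; on average the
    attacker succeeds at about half of this."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "covers all classes:", covers_all_classes(pw))
    for label, bits in [("top-200 list entry", entropy_bits(1, 200)),
                        ("12 random chars, 86-symbol alphabet", entropy_bits(12, len(ALPHABET))),
                        ("16 random chars, 86-symbol alphabet", entropy_bits(16, len(ALPHABET)))]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years at 1e11 guesses/s")
```

A list entry is 7.6 bits and falls in a fraction of a second, matching the "under one second" finding in the NordPass survey; 12 random characters from an 86-symbol alphabet are about 77 bits, which at the assumed rate would take tens of thousands of years to exhaust. Length and randomness, not clever substitutions, are what move that number.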
Second, creating and remembering unique passwords can be difficult, so consider using a password manager.
These widely available tools help to generate complex passwords and store them in a single location.
Many vendors offer business versions for larger companies or organizations that offer additional security features.
Wherever passwords are kept, make sure they are not stored in plain text, whether in a spreadsheet, a text file on the desktop or a note stuck to the monitor.
Third, consider utilizing two-factor (2FA) or multi-factor authentication (MFA).
The benefit of 2FA and MFA is that account security is not reliant on just a username and password.
The three categories of authentication factor are often described as:
Something you know, e.g. a password.
Something you have, e.g. a token or security key.
Something you are, e.g. biometrics.
MFA isn’t immune from compromise, for instance a one-time code can be phished just like a password, but combining strong passwords with multi-factor authentication significantly reduces your chances of falling victim to password hacking.
Finally, employee education is key.
As with almost any cybersecurity issue, human behavior is often the weakest link. Cybercriminals thrive by exploiting complacency and fear.
A recent study by LastPass – a password manager – found that while 89% of respondents acknowledged using the same password or variation was risky, only 12% use different passwords for different accounts, and 62% always or mostly use the same password or a variation.
It’s important to educate employees about how to recognize phishing attempts, and stress the importance of good password security habits.
Consider establishing strict, company-wide password policies.
To check NordPass’s list of the most commonly used passwords, visit: nordpass.com/most-common-passwords-list.
To check the strength of your current passwords, consider this tool: roboform.com/how-secure-is-my-password. Test a password built the same way as yours rather than the real one; a password you actually use should never be typed into a third-party website.
Detective Eric Edson is a 29-year veteran of the Sheboygan Police Department. In his role, Edson is responsible for investigating major crimes, which include financial crimes and fraud.