In a recent experiment conducted by Sophos Labs, the cybersecurity team was able to guess, by hand, 17 of the top 20 passwords in Have I Been Pwned Pwned Passwords in under two minutes.
So if you are relying on “qwerty” or “12345” to protect your personal security, you are setting yourself up to be hacked.
However, even if you deploy a long, strong password with a combination of letters, numbers, and special characters, your password is still not bulletproof. Cybercriminals can obtain passwords in a number of ways without having to guess your dog’s name.
For example, some Internet services still store passwords in the clear, whether due to bugs in their systems or sloppy practices. Google and Twitter have both reported this issue to users in recent years, and while plain-text password storage is now rare, it still happens occasionally. So when hackers compromise one of these servers, they can read each user’s password outright, with no decryption required.
Malware also plays an important role in how hackers steal passwords. If a server has been compromised, it can host memory-scraping malware that picks raw passwords out of memory while they are being verified, even though the password is never written to disk. Keylogging malware can also be installed directly on your device, capturing passwords and other sensitive data as you type them. This is why a capable antivirus solution is an integral part of protecting personal and business devices.
Once hackers have your password, no matter how complex or long, they can gain access to every other account that shares it. This process is known as credential stuffing. If a password works on one account, it costs a hacker almost no time or effort to try the same password on other accounts.
While using a single password for all accounts leaves you vulnerable, you should also avoid passwords that are obviously linked. If your Facebook password is ‘FBpassword123’, it is not much of a leap to guess that your Twitter password is ‘TWpassword123’, which makes this strategy no safer against credential stuffing than using the same password everywhere.
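The two failure modes above, exact reuse and a shared “template”, can both be caught by auditing a password set before an attacker does. The following is an added example, not code from the original article or from Sophos: it walks a small constructed vault (hypothetical account names and made-up passwords) and flags accounts that share a password exactly, then flags pairs whose passwords are merely similar, using Python’s standard `difflib.SequenceMatcher` ratio with an assumed threshold of 0.7.

```python
"""Audit a set of account passwords for exact reuse and templated near-duplicates.

Added example; the vault below is constructed for illustration only.
"""
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample vault: account -> password (hypothetical values).
SAMPLE_VAULT = {
    "facebook": "FBpassword123",
    "twitter": "TWpassword123",            # same template as facebook
    "bank": "kettle-orbit-violet-72",       # independent passphrase
    "email": "FBpassword123",              # exact reuse of facebook
    "shop": "g7#Qp2!vLx9@Zr4m",            # independent random password
}

# Assumed cut-off: pairs at or above this ratio are treated as templated.
SIMILARITY_THRESHOLD = 0.7


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]: 2 * matching characters / total length, case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def find_reuse(vault: dict) -> list:
    """Return groups of accounts (sorted names) that share an identical password."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


def find_templates(vault: dict, threshold: float = SIMILARITY_THRESHOLD) -> list:
    """Return (account_a, account_b, score) for passwords that differ but look templated."""
    accounts = sorted(vault)
    findings = []
    for i, a in enumerate(accounts):
        for b in accounts[i + 1:]:
            if vault[a] == vault[b]:
                continue  # exact reuse is reported by find_reuse()
            score = similarity(vault[a], vault[b])
            if score >= threshold:
                findings.append((a, b, round(score, 2)))
    return findings


if __name__ == "__main__":
    for group in find_reuse(SAMPLE_VAULT):
        print("exact reuse:", ", ".join(group))
    for a, b, score in find_templates(SAMPLE_VAULT):
        print(f"templated pair: {a} / {b} (similarity {score})")
```

On the sample vault this reports `email` and `facebook` as exact reuse, and both of them as templated against `twitter` (similarity 0.85, because “password123” is shared and only the two-letter site prefix changes); the random and passphrase entries score well below the threshold. A real vault export would be passed in place of `SAMPLE_VAULT`.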
So how can individuals and businesses effectively protect their account credentials?
• Do not reuse passwords. Likewise, don’t use a template that you change slightly for each account. Cyber criminals are on the lookout for this and will get around it.
• Use a password manager. Password managers generate random, independent passwords for each account, meaning that even if one password is compromised, the rest of your accounts remain safe. Remember that you don’t have to put all your passwords in a manager app if you don’t want to: you can have a special way of managing your most important accounts, especially if you don’t use them often.
• Activate 2FA if you can. While two-factor authentication does not guarantee the security of your account, it does prevent criminals from carrying out large-scale attacks because passwords alone do not grant access.
• Install virus protection on all your devices to protect yourself from malware. In addition to antivirus software on your computer, you should also consider installing an antivirus application on your mobile device, such as Sophos Intercept X for Mobile. Make sure these apps are updated and run regular scans to protect your devices.
• Report payment anomalies. Monitor your outgoing and incoming payments for irregularities and report any error as soon as you see it, regardless of the amount and even if you haven’t lost money. The sooner you report it, the sooner you can secure your account.
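Two of the points above, generating random independent passwords and not relying on one of the top guessable passwords, can be shown concretely. The following is an added example, not code from the original article or from Sophos or Have I Been Pwned: it generates a password from the operating system’s CSPRNG via Python’s `secrets` module, estimates its strength in bits, and checks a password against a local stand-in for a breached-password list using the same shape as a Pwned Passwords range lookup (uppercase SHA-1, split after the first five hex characters, suffix compared locally). The weak-password list and its counts are constructed here so the example runs offline; nothing is sent over the network.

```python
"""Generate a random password and check a password against a local breached-hash set.

Added example. The breached set and its counts are constructed for illustration.
"""
import hashlib
import math
import secrets
import string

# Assumed character set for generated passwords (76 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG (secrets.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Strength of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed weak-password set with made-up occurrence counts.
WEAK_SAMPLE = {"123456": 1000, "qwerty": 500, "password": 250}


def build_range_db(weak_counts: dict) -> dict:
    """Group hashes by 5-char prefix, each entry 'SUFFIX:COUNT' like a range response."""
    db = {}
    for password, count in weak_counts.items():
        digest = _sha1_upper(password)
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return db


RANGE_DB = build_range_db(WEAK_SAMPLE)


def breach_count(password: str, range_db: dict = RANGE_DB) -> int:
    """Return how often the password appears in the breached set, 0 if absent.

    Only the 5-char prefix selects the candidate range; the full hash never
    leaves this function, which is the point of the prefix-based lookup.
    """
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_db.get(prefix, []):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    new_password = generate_password()
    print(f"generated: {new_password} (~{entropy_bits(len(new_password)):.0f} bits)")
    for candidate in ("qwerty", new_password):
        print(f"{candidate!r}: seen {breach_count(candidate)} times in breached set")
```

A 20-character password over this 76-symbol alphabet carries roughly 125 bits of entropy, far beyond what the guess-by-hand experiment at the top of the article could reach, while “qwerty” is found immediately in the breached set. To use a real range service, `RANGE_DB` would be replaced by the lines returned for the prefix; the comparison logic stays the same.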