• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Kudos5 Stats

How do Hackers Steal Passwords: #30SecTech Video

Passwords are to a hacker like keys to a thief. Although keys and passwords by themselves don’t have much value, the personal information and property that they can expose does. Think of your passwords as your digital keys. They allow access to your personal life, including your networks of friends and colleagues, contacts, photos, videos, emails, and maybe even banking and payment details, among other gems of information.

Weak passwords can be easily guessed, and taking poor security measures could provide information instrumental for password hackers. However, by creating secure passwords and implementing security measures, you can thwart an attackers attempt to break in and steal your stuff.

Hackers don’t use magic or exotic methods to discover passwords. They simply guess by unleashing dictionary attacks, by taking information from social media, and by employing password-cracking programs.

Dictionary attacks

Dictionary attacks are carried out using programs that cycle through a predetermined list of common words often used in passwords. Passwords with words or phrases are weak and thus the easiest for these programs to guess. To protect your accounts from dictionary attacks avoid using common words and phrases in your passwords.

How to protect your user passwords from dictionary attacks

  • Avoid using common words or phrases in your passwords.
  • Never reuse the same password across different websites.
  • Never write down your passwords, or share them with anyone.
  • Use two-factor authentication whenever possible to add an extra layer of protection to your accounts. If a hacker discovers your password they will still need the second factor to access your account.
  • Change your passwords regularly. Every three months if possible. TIP: If you need assistance remembering multiple passwords use Norton Identity Safe

Security questions and information lifted from social media

Our social media accounts are a gold mine of information: the status updates we send, the information we share, the likes we give, and the comments we post, all provide information about many aspects of our lives. Think about it, if you get a new job, move to a new place, or adopt a new pet, you want to share the experience, and share you do.

Introducing Buddy—your new Labradoodle puppy—to your friends or displaying the name of your high school sounds pretty harmless, right? But what if a hacker is on your tracks, and makes this discovery? Perhaps, they can use the information you personally provide to answer the security questions to access your accounts. See the idea? Readily sharing information suddenly doesn’t seem so harmless after all.

Passwords & social media tips:

  • Don’t broadcast personal details that could compromise your passwords.
  • Don’t use personal information of any type in your passwords.
  • If a spammer follows you or begins to send you links don’t just ignore them, block them.
  • Always report spam accounts. The social networking site will monitor the account and, if enough people report the same account, they will remove it.
  • Use Norton Safe Web for Facebook. This free app scans your newsfeed for like-jacking scams and malicious links and warns you of any potential threats.

Password crackers

A password cracker is a program used to crack passwords by brute force, repeatedly trying millions of combinations of characters, until your password is detected. Shorter and less complex passwords are quicker to guess for the program. Longer and complex passwords take much longer to guess. If this is the case, the attacker is more likely to use a dictionary attack because of the lengthy amount of time it will take for the program to figure out the password. To protect your user passwords from password crackers use complex passwords.

How to create a complex password

  • Never use phone numbers, addresses, birthdays, your SSN or your name, the name of a family member or pet in your password.
  • Use a combination of uppercase and lowercase letters, numbers and symbols in your passwords.
  • Never use commonly used passwords like “123456,” “password,” “qwerty,” or a word like “apple.”
  • Make sure your passwords are at least eight characters long. Passwords with more characters and symbols are more difficult to guess.
  • Do not use words or phrases, if you must, misspell words and abbreviate phrases. For example if you want to use the word “Eleven” you can convert it to e13v3N or if you want to use the phrase “I love to shop” you can change it to 1luv2shop, make it even more complex by adding symbols and punctuation: #1Luv2shop!
  • Use two-factor authentication whenever possible to add an extra layer of protection to your accounts. Many websites like Facebook, Twitter, LinkedIn, Yahoo! Mail, Gmail and PayPal offer two-factor authentication login.
  • TIP: If creating complex passwords is an issue, you can use Norton Identity Safe Password Generator to help you create complex passwords.

Mobile Passcode Security

  • Use a password on your smartphone to prevent unauthorized access. Always opt for extra security beyond a simple four-digit pin. If you’re an iOS user, change it to a longer alphanumeric code in your iPhone's Settings -> Password and turn off "Simple Passcode”.
  • Make sure your device auto-locks when not in use.
  • Install mobile security software on your phone as an extra layer of security.

What to do if you think your passwords have been stolen

If you suspect your account has been hacked, take immediate action.

  • First determine the kind of attack. Was it an online breach or a POS breach?
  • Monitor potentially compromised accounts, especially your online banking accounts.
  • Change your passwords to complex passwords on all of your accounts, especially if you tend to reuse the same passwords for different websites.
  • Implement two-factor authentication whenever it is possible or offered.

Comments

Kudos0

Please add 2-Factor authentication (Symantec VIP) to log into Norton Identify Safe.     If a hacker ever was able to figure out my Norton Identify Safe password they would then have access to everything which could be solved by requiring a VIP code to be also entered log into Norton Identity Safe.  

Kudos0

If you have a Local Vault you have your Windows user account password and your Vault password.
If you have an Online Vault you have your Norton Account creds and your Vault password
Do you want a third password....?

Kudos0

Dictionary attack is very 1990's - it is more a "full on brute force" with Ascii and Unicode, all character attack.

Problem highlighted by Cambridge University Prof. Anderson; "...think up a password You'll never remember ...and don't write it down". 

Personally, I think access control technology is 3rd rate, 20th century thinking that needs to be innovated away from current behaviour, especially in our "content anywhere mobile world". If the unwary have contracted a key-logger, no strength in passwords will sort that out. ...now lets look at that list...

How to protect your user passwords from dictionary attacks

  • Avoid using common words or phrases in your passwords. (doesn't matter - strong passwords are no stronger than if you were to use 123456 - the 3 attempts at a pass on the third and then "lockout", is the norm) 
  • Never reuse the same password across different websites.(The human mind cannot work like that - so don't ask them to. Too many PINs and passes raise their own security issues and helpdesk swamp because people cannot remeber those they don't practice very often)
  • Never write down your passwords, or share them with anyone. (strong passwords cannot be remembered by humans - so even companies are now saying "write them down"....and on sharing them, you may have no choice if you are infected with a keylogger)
  • Use two-factor authentication(link is external) whenever possible to add an extra layer of protection to your accounts. If a hacker discovers your password they will still need the second factor to access your account.(I agree with this one...but we need innovation to come forward to make that 2nd factor a "hardware encryption - NOT a software one...and certainly not another password access control) 
  • Change your passwords regularly. Every three months if possible. TIP: If you need assistance remembering multiple passwords useNorton Identity Safe (Good policy to have change control...but I still think access controls need a rigorous 21st century re-think)