Ever wonder how hackers get your password and gain access to your account?
Recent research has identified several major ways:
- Password theft
- Password guessing
- Unauthorized password resetting or bypass
“The biggest reason why people hate passwords is they’re all being told that they all need to be longer and longer and more complex,” started Roger Grimes, a Data-Driven Defense Evangelist at security awareness training company KnowBe4.
He says phishing emails are a top way hackers get our passwords. You’ve seen them before – they say your Netflix account is about to be deactivated, your Facebook account has a copyright issue or something needs to be fixed with your Instagram.
They trick us into handing over our information by making us log into a page that looks like the real thing but instantly sends our username and password to hackers, who immediately take over our accounts.
Another top way your password gets out into the wild: when a website is hacked. This is a treasure trove for hackers, since they often get access to millions of usernames and password combinations they can then try on other websites.
“If you’re a normal everyday internet user, twice a year your password is stolen from a website you belong to,” explained Grimes.
This is why you should never reuse the same password over and over, or even a variation of that password.
“People think they’re being really crafty but probably 80-90 percent of passwords are fairly predictable even if I don’t know you,” explained Grimes.
The passwords you create are easy for hackers to guess using simple software.
“I know of hackers today routinely guessing 16- to 18-character human-created passwords all the time, just as what they do every single day,” said Grimes.
So, how do you protect yourself and your accounts?
First, don’t get tricked.
Learn the signs of phishing emails and social engineering and slow down, especially if a message urges you to act immediately.
Also, keep the software on your devices up to date, enable two-factor authentication on your accounts and most importantly, use a password manager.
“As far as we know, an 11 or 12-character perfectly random password is unguessable, uncrackable,” said Grimes.
Good choices for password managers include Bitwarden (free!), Dashlane and 1Password. Google and Apple also have built-in password managers, but I typically only recommend those if you’re sticking to just their products.
If you must create a password yourself on the fly, try a passphrase instead. This is a long, random sentence that you can remember, but that would be tough for someone else to guess. Just don’t use common phrases.
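The arithmetic behind the advice above, as an added example that is not from the article or from KnowBe4: a password drawn uniformly from a 94-symbol alphabet by the operating system's secure random source, a passphrase drawn from a word list, the entropy (in bits) each choice carries, and a check that rejects a passphrase built from a well-known phrase. The word list and the common-phrase set are constructed stand-ins; a real passphrase list has thousands of words, and the 12-character figure is Grimes's recommendation rather than anything this code proves.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list (illustration only;
# a real list has thousands of words, which is what gives a passphrase its strength).
WORDLIST = [
    "anchor", "basil", "canyon", "delta", "ember", "falcon", "garnet", "harbor",
    "island", "jasper", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ridge", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bramble", "cobalt", "dune", "elm", "fjord",
]

# Constructed set of phrases too famous to serve as a passphrase
# (stored normalized: lowercase, letters and digits only).
COMMON_PHRASES = {
    "tobeornottobe",
    "maythe4thbewithyou",
    "letmein",
    "iloveyou",
    "correcthorsebatterystaple",
}

# Upper + lower + digits + punctuation: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=12, alphabet=ALPHABET):
    """Password of `length` symbols, each chosen uniformly with the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=6, wordlist=WORDLIST, sep="-"):
    """Passphrase of `words` words chosen uniformly (with replacement) from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every possibility at a given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def normalize(phrase):
    """Strip case, spaces and punctuation so spelling tricks do not hide a common phrase."""
    return "".join(ch.lower() for ch in phrase if ch.isalnum())


def is_common_phrase(phrase):
    """True if the passphrase is a well-known phrase and therefore easy to guess."""
    return normalize(phrase) in COMMON_PHRASES


if __name__ == "__main__":
    pw = random_password(12)
    pw_bits = entropy_bits(len(ALPHABET), 12)
    print(f"random password: {pw!r}  ({pw_bits:.1f} bits)")
    # Assumed guess rate of 10^12 per second, purely to put the number in scale.
    print(f"  exhaustive search at 1e12 guesses/s: {years_to_exhaust(pw_bits, 1e12):,.0f} years")

    pp = random_passphrase(6)
    print(f"random passphrase: {pp!r}  ({entropy_bits(len(WORDLIST), 6):.1f} bits)")

    for candidate in ("May the 4th be with you!", pp):
        print(f"  {candidate!r}: common phrase? {is_common_phrase(candidate)}")
```

Note that the passphrase's entropy comes from the number of words in the list and how many are drawn, not from how the words are spelled or which ones happen to be picked; with this 32-word stand-in six words give only 30 bits, which is why real passphrase lists are thousands of words long.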