If you’re like many of us, you probably have a huge list of passwords for every program, app, and website you visit. You’re also probably fed up with trying to remember each one, especially since it seems like there’s a new data breach every day. It may even seem like your efforts to maintain password security are all for nothing. However, here at ADKtechs, we believe that knowledge is power. Learning how passwords are hacked, how far they’ve come, and how you can make them stronger can help you feel like a password hero instead of a password zero.
The history of passwords
The original concept of passwords dates all the way back to ancient times (e.g. “Open Sesame”), but the precursor of the modern password is thought to have been created in the 1960s at the Massachusetts Institute of Technology. MIT built a huge time-sharing computer called the Compatible Time-Sharing System (CTSS). CTSS laid the computing groundwork for things such as email, file sharing, instant messaging, and virtual machines. Once MIT started adding multiple CTSS terminals accessed by multiple users, the idea of passwords seemed like a straightforward method of privacy and security to CTSS pioneer Fernando Corbató. These first passwords were stored in plain text, right out in the open.
It may then come as no surprise that CTSS was also probably the first system to be breached. Some MIT researchers were allowed four hours per week on the system. In 1962, one of these researchers, Allan Scherr, wanted to engineer a way to increase his allotted time. Scherr did this by printing out all the stored passwords, then sharing them with other users to hide his involvement. Because it was assumed to be just a system bug, this first data breach wasn’t discovered until 50 years later, when Scherr admitted to it.
How passwords get hacked
Today’s hacking attempts are much more sophisticated and malicious. Thanks to the dot-com boom of the 1990s and the rise of social media in the 2000s, the number of internet users has skyrocketed to a point where over half the global population is online. This vastly increases the number of targets for cybercriminals. According to our partners at Fortinet, these are some of the top techniques hackers are currently using to hack your passwords:
- Social engineering: Social engineering is when someone maliciously tries to deceive a person into divulging confidential or personal information. Phishing via email, phone, or text and seemingly harmless social media trends are all social engineering attempts.
- Dictionary attacks: A lot of people use easy-to-remember words as their passwords. Knowing this, attackers use a list of common dictionary words to try to guess a password. Think adding numbers before or after a basic word makes it a better password? Think again. Hackers account for this, too.
- Brute force: A brute force attack is when a cybercriminal tries to barge his or her way in by systematically trying many password or passphrase combinations until one is correct.
- Password spraying: Password spraying is a type of brute force attack that targets more than one account. Unlike a basic brute force attack, which can often lead to account lockouts, password spraying involves guessing only a few common passwords against multiple user accounts in the hope of breaking into at least one of them.
- Key logging: One of the oldest forms of malware, key logging software can be surreptitiously installed on a victim’s device to track keystrokes, successfully capturing usernames and passwords for various accounts.
- Traffic interception: Hackers use software to monitor network traffic and capture password information. If the network traffic isn’t strongly encrypted, they can decipher passwords.
- Man-in-the-middle: Cybercriminals create replicated websites or apps to trick a user into entering their username and password into the fake site. These fake sites are commonly the links in phishing emails.
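To show how the difference between a basic brute force attack and password spraying looks from the defender's side, here is an added example (not from the post or from Fortinet) that classifies failed logins per source IP over a constructed authentication log; the log format, the ten-minute window and the thresholds are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not from the post): "<timestamp> <OK|FAIL> user=<u> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:05 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:07 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:09 OK user=erin src=203.0.113.7
2024-03-01T09:05:00 FAIL user=alice src=198.51.100.9
2024-03-01T09:05:01 FAIL user=alice src=198.51.100.9
2024-03-01T09:05:02 FAIL user=alice src=198.51.100.9
2024-03-01T09:05:03 FAIL user=alice src=198.51.100.9
2024-03-01T10:30:00 FAIL user=bob src=192.0.2.44
"""

def parse(log_text):
    """Turn each line of the constructed format into a dict."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ok": result == "OK",
                       "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]})
    return events

def source_verdict(fails, window, min_users, min_fails):
    """'spraying' if failures from one source hit >= min_users accounts inside one window
    (a few guesses each, so no lockout); 'brute_force' if >= min_fails hit one account."""
    fails = sorted(fails, key=lambda e: e["ts"])
    for i, start in enumerate(fails):
        in_window = [f for f in fails[i:] if f["ts"] - start["ts"] < window]
        users = {f["user"] for f in in_window}
        if len(users) >= min_users:
            return "spraying"
        if max(sum(f["user"] == u for f in in_window) for u in users) >= min_fails:
            return "brute_force"
    return "normal"

def classify_sources(events, window=timedelta(minutes=10), min_users=4, min_fails=4):
    """Map every source IP with at least one failed login to its verdict (thresholds assumed)."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    return {src: source_verdict(f, window, min_users, min_fails) for src, f in fails_by_src.items()}

def accounts_to_review(events, verdicts):
    """Accounts that logged in OK from a spraying source: a sprayed guess worked there."""
    return sorted({e["user"] for e in events if e["ok"] and verdicts.get(e["src"]) == "spraying"})
```

Per-account lockout counters alone never trip on the first source here, which is exactly why spraying needs a per-source view like this one.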
Ways to protect your password
Although passwords are still perfectly imperfect, we’ve come a long way since CTSS. Here are two simple ways to protect your passwords:
Make it strong
- Make your passwords random with a combination of uppercase and lowercase letters plus numbers and symbols.
- Your password should be at least 10 characters. The longer your password is, the harder it is to crack.
- Never ever reuse passwords. If a hacker guesses one, they suddenly have access to multiple accounts.
- Change your password frequently.
- Use a password manager to generate and store your complex passwords. Password managers encourage you to follow best practices since you don’t need to worry about remembering all these long, complex passwords on your own.
- Passphrases are also a great alternative to a standard password. A passphrase is a collection of multiple, sometimes random or abbreviated, words and is often easier to remember. Examples include things like ponyRoadtrickPantscouch or abbreviating a sentence like “My 6 year old dog, Fiona, loves to eat peanut butter on the weekends” into “M6yodFltepbotw”.
Avoid including birthdays, phone numbers, company information, names (like movies or sports teams), and jazzing up common words (e.g. P@$$w0rd).
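An added example, not from the post, that turns the rules above into a check a sign-up form could run, including undoing the P@$$w0rd-style dressing-up that dictionary attacks already account for; the small word list, the substitution table and the choice to let a 20+ character passphrase skip the character-mix rule are this example's own assumptions.

```python
import re

# Constructed stand-in for a dictionary-attack word list (a real one is far larger).
COMMON_WORDS = {"password", "welcome", "summer", "football", "dragon"}
# Substitutions attackers already account for, undone so "P@$$w0rd" maps back to "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

def base_word(password):
    """Strip digits/symbols from both ends, then undo leet: 'Summer2024!' -> 'summer'."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)

def check_password(password, min_len=10, passphrase_len=20):
    """Apply the post's rules and return the list of problems (empty means it passes).
    Letting a 20+ character passphrase skip the character-mix rule is this example's choice."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    mixed = sum(bool(re.search(c, password)) for c in classes) >= 3
    if not mixed and len(password) < passphrase_len:
        problems.append("mixes fewer than three of upper, lower, digits, symbols")
    if base_word(password) in COMMON_WORDS:
        problems.append("is a common word dressed up with numbers or symbols")
    return problems
```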
Use multi-factor authentication
For even more protection, combine a password/passphrase with multi-factor authentication (MFA). MFA adds an extra layer of security to a standard password. You may already be using MFA and not even realize it. For example, if you log into Facebook from a computer for the first time, a code may be sent to your password-protected Facebook mobile app to confirm that you’re you. Essentially, MFA is a combination of two or more of the following:
- Something you have (such as a randomly-generated code sent to your mobile phone)
- Something you are (such as a fingerprint)
- Something you know (such as a password)
In order to defend yourself, it’s important to know your enemy. Identifying the techniques that hackers use to steal your passwords and using best practices can help shield your privacy and stave off data breaches.