The theft of passwords and accounts relies almost entirely on the naivety of the victims, who, often through carelessness or limited technical skill, can be tricked into opening an easy gap for an attacker. Once someone finds the password for an online account, they can use it to spy on that account (think of email or Facebook) or, worse, to change information or exploit the account for advertising or commercial purposes. To understand how to defend ourselves and avoid the most common traps, we first need to know the methods and techniques most used to steal passwords on the internet.
In this guide we have collected the most common techniques a hacker can use, with advice on what to do to avoid falling into these traps.
- Simple passwords
- Hacking sites
- False emails
- Unprotected Web pages
- Keyloggers
- Other useful tips
Simple passwords
If we use a very simple password, a hacker who keeps a database of common passwords will guess it within minutes. The hacker simply tries all the most common passwords from that database and, once the right one is found, can access the targeted account with no effort at all.
This is a brute-force technique with a dictionary attack, one of the most widely used for finding the simplest and most common passwords that users choose. The weakness becomes even more serious if we have used the same password on several different sites: once a password is discovered on one site, it can also be tried on other sites suspected of being linked to us or to our accounts.
For this reason, we always recommend choosing a strong password, and a different one for each account we create, so that a single leak does not compromise all our sites. On the subject, we recommend reading our guides on how to test the security of a password and How to choose a secure password for any account.
Another option is to use a password manager, a program that keeps all the different access keys behind a single master password, which becomes the only one we need to remember.
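To make the three points above concrete (dictionary passwords, reuse across sites, manager-generated passwords), here is an added example in Python; it is not code from the article. The common-password list is a tiny constructed stand-in for the much larger wordlists an attacker's database would hold, the 12-character minimum and the three-character-class rule are assumptions chosen for the demo, and the random generator mimics what a password manager does for you.

```python
import secrets
import string

# Constructed sample of a "common passwords" list (assumption: a real
# deployment would load a full published wordlist instead).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou", "welcome",
    "admin", "football", "monkey", "dragon",
}


def password_problems(password: str, known_passwords=COMMON_PASSWORDS) -> list:
    """Return the reasons a password is weak; an empty list means it passed.

    The checks mirror what a dictionary attack exploits: short length,
    presence in a common-password list, and trivial variations of an entry
    (case changes, digits or symbols appended at the end).
    """
    problems = []
    if len(password) < 12:                      # assumed minimum length
        problems.append("shorter than 12 characters")
    lowered = password.lower()
    if lowered in known_passwords:
        problems.append("appears in the common-password list")
    else:
        # "Password123!" is still "password" once the suffix is stripped.
        stem = lowered.rstrip(string.digits + string.punctuation)
        if stem in known_passwords:
            problems.append("is a common password with digits/symbols appended")
    classes = sum(bool(set(password) & set(cs))
                  for cs in (string.ascii_lowercase, string.ascii_uppercase,
                             string.digits, string.punctuation))
    if classes < 3:                             # assumed policy: 3 of 4 classes
        problems.append("uses fewer than 3 character classes")
    return problems


def reused_passwords(accounts: dict) -> dict:
    """Map every password used for more than one site to the sites sharing it.

    accounts: {site_name: password}. One breached site exposes all of them.
    """
    by_password = {}
    for site, pw in accounts.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def generate_password(length: int = 20) -> str:
    """Random password of the kind a password manager stores for you."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Password123!", "qwerty", "correct-horse-battery-staple-42!"):
        print(repr(pw), "->", password_problems(pw) or "ok")
    # Constructed account list: the same password reused on three sites.
    print(reused_passwords({"mail": "Summer2019!", "shop": "Summer2019!",
                            "bank": "x9#Kq2pL!vR4", "forum": "Summer2019!"}))
    generated = generate_password()
    print(generated, "->", password_problems(generated) or "ok")
```

Running it shows that appending digits and a symbol to a dictionary word does not rescue it, while a long passphrase or a manager-generated string passes every check; the reuse map is the same view an attacker gets after one site leaks.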
Hacking sites
Another technique hackers use to obtain our passwords does not target our PC or our network at all: a hacker or a group of hackers can decide to attack a site and break into its database, which holds the passwords, email addresses and data of all registered users. The site is compromised and our password for it ends up in the hands of the attackers, who can use it to access our account or resell it on the black market to make money.
The reasoning is the same as in the first chapter: if we have used the same password on different sites and one of them is breached, all the other sites are compromised too. To limit this, we recommend changing the passwords of the most used and most sensitive sites (home banking, e-commerce, etc.) at least once a year, so as to nullify the effect of a breach at a site we probably still know nothing about.
If, on the other hand, the owners of the breached site notice the damage, they will often email all registered users to notify them of the incident and ask them to change their password immediately: when we receive this type of email, we first make sure it is authentic and then change the password right away (the faster we are, the less risk we run).
To find out whether our passwords have been compromised, we can run a check on the HaveIBeenPwned site: it is enough to enter the email address we use most often on the sites to see whether it has already appeared in a past breach.
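HaveIBeenPwned also publishes a Pwned Passwords range endpoint that lets you check a password itself without sending it: you hash it with SHA-1, send only the first five hex characters, and compare the returned suffixes locally. The following Python example is added here and is not code from the article or from HaveIBeenPwned; the range response is a constructed stand-in (the counts are invented), so the demo runs offline, and `fetch_range` is the only part that would touch the network.

```python
import hashlib
import urllib.request


def hash_prefix_suffix(password: str):
    """Uppercase hex SHA-1 of the password, split into the 5-character prefix
    that is sent to the service and the 35-character suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for our suffix, or 0 if the suffix is absent (password not known)."""
    for line in response_text.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup against the Pwned Passwords range endpoint (needs network;
    the offline demo below never calls it)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "range-check-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_seen_in_breaches(password: str, response_text: str) -> int:
    """Offline form of the check: the caller supplies the range response
    (for a live check, pass fetch_range(prefix) instead)."""
    _, suffix = hash_prefix_suffix(password)
    return count_in_range_response(suffix, response_text)


# Constructed stand-in for a range response: two made-up suffixes plus the
# real SHA-1 suffix of the password "password" (5BAA6 1E4C9...68FD8).
# The counts are invented for the demo.
SAMPLE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2\n"
)

if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-42!"):
        n = times_seen_in_breaches(pw, SAMPLE_RESPONSE)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in this range response")
```

The point of the prefix/suffix split is that the service never learns which password you asked about: every password whose hash starts with the same five characters produces the same request, and the comparison happens on your side.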
False emails
One of the most used techniques relies on counterfeit emails, with logos and symbols resembling those of legitimate sites. Returning to the point made in the previous chapter, the hacker could send us an email disguised as coming from a well-known and trusted site (PayPal, Amazon, our bank, etc.), describing an alleged hacker attack that put our personal data or our money at risk, often in overly sensational tones.
The goal is to create fear: in a panic, we click the link in the email, which takes us to a page asking us to enter the old password. After we enter the requested data the page "disappears" and is no longer reachable: we have just become the victim of a textbook phishing attack. Recognizing fake emails can take experience or good computer knowledge, but sometimes a bit of healthy suspicion is enough: if we receive the email from a bank where we have no account of any kind, how can that account be compromised and put our supposed money at risk?
If instead the email comes from a site or a bank where we really are customers, it is better to avoid any link in the email and change the password by going to the official website directly: this way, whether the email was fake or genuine, we will have changed the password and put ourselves beyond any possible problem. To increase the security of our email we can also use a spam filter, as recommended in our guide to the best anti-spam services to protect business and web email.
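The warning signs described above (a sender that only claims to be the brand, an alarming subject, a link whose visible text does not match where it really points, a plain-HTTP link) can be checked mechanically. The Python example below is added here and is not from the article; the sample message, the sender domains and the brand allow-list are all constructed for the demo, and the heuristics are assumptions that a real mail filter would extend.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure, modelled on the "your account was attacked" email
# the article describes. All domains here are made up.
SAMPLE_EMAIL = """\
From: "PayPal Security" <alerts@paypal-secure-login.example>
To: victim@example.org
Subject: URGENT: your account has been compromised, act within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected a hacker attack on your account. Confirm your password now:</p>
<p><a href="http://paypal-secure-login.example/verify">https://www.paypal.com/myaccount</a></p>
</body></html>
"""

# Brands we expect mail from and the domains they really send from
# (constructed allow-list for the demo; maintain your own in practice).
KNOWN_SENDERS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "compromised")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' domain (assumption: no public-suffix list here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw: str) -> list:
    """Return the warning signs found in a raw RFC 5322 message (empty = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    name, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(addr.split("@")[-1])
    # The sender names a known brand but does not send from that brand's domain.
    claimed = f"{name} {addr}".lower()
    for brand, domains in KNOWN_SENDERS.items():
        if brand in claimed and sender_domain not in domains:
            warnings.append(f"claims to be {brand} but sent from {sender_domain}")
    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        warnings.append("subject uses pressure/urgency language")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme == "http":
            warnings.append(f"link {href} is plain HTTP")
        if text.startswith("http"):
            shown_host = urlparse(text).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(target.hostname or ""):
                warnings.append(f"link text shows {shown_host} but points to {target.hostname}")
    return warnings


if __name__ == "__main__":
    for w in phishing_indicators(SAMPLE_EMAIL):
        print("-", w)
```

The "link text versus real target" check is the one worth remembering as a human too: hovering over a link shows the real destination, and the article's advice to type the official address yourself sidesteps the whole problem.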
Unprotected Web pages
Fortunately, this type of attack is falling out of use, but until a few years ago it was among the most popular and easiest to carry out. Web pages without encryption (addresses starting with HTTP) send their content across the network in clear text, so when we connect to them all the data can be intercepted with a network sniffer or by someone placing themselves between us and the site (a Man-in-the-Middle attack).
If we enter a password on an unencrypted page, a hacker can intercept it without difficulty and without being an expert in the field: packet sniffing programs are readily available and often offer simple interfaces, so that even someone who knows nothing about computer science can use them.
To avoid this type of attack, make sure we only use sites with encrypted, secure access (web pages whose address starts with HTTPS): this way all the data exchanged between the browser and the website is encrypted and hard to intercept. All the best-known sites have already switched to HTTPS, but to force secure pages on every site we recommend reading our guide on browsing in HTTPS on all bank sites, stores, Facebook and others with a secure connection.
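A password travels in clear text not only when the page address starts with HTTP but also when an HTTPS page submits its login form to an HTTP address. The Python example below, added here and not taken from the article, audits a page's forms for exactly that and shows the http-to-https rewrite that "browse in HTTPS" browser rules perform; the two HTML pages and the host names are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAuditor(HTMLParser):
    """Record every <form>: where it submits to and whether it asks for a password."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Relative actions resolve against the page they were loaded from.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_login_forms(page_url: str, html: str) -> list:
    """Return the submit URLs of password forms whose credentials would travel
    in clear text: the page itself came over HTTP (so its contents could be
    rewritten in transit) or the form action posts over HTTP."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    return [f["action"] for f in auditor.forms
            if f["has_password"]
            and not (page_secure and urlparse(f["action"]).scheme == "https")]


def upgrade_to_https(url: str) -> str:
    """What an 'HTTPS everywhere' style rule does: rewrite http:// to https://."""
    parts = urlparse(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url


# Constructed pages: a login form with a relative action, and a page whose
# login form posts to a legacy HTTP host while a harmless search form does not.
LOGIN_PAGE = """
<form action="/search"><input type="text" name="q"></form>
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>
"""
MIXED_PAGE = """
<form action="http://legacy.shop.example/login" method="post">
  <input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    print(insecure_login_forms("http://shop.example/account", LOGIN_PAGE))
    print(insecure_login_forms("https://shop.example/account", LOGIN_PAGE))
    print(insecure_login_forms("https://shop.example/account", MIXED_PAGE))
    print(upgrade_to_https("http://shop.example/account"))
```

The same page is flagged or cleared depending only on the scheme it was loaded with, which is why the browser rule that upgrades every request to HTTPS is the simplest fix on the user's side.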
Keyloggers
In this case, the hacker uses a special program hidden on the victim's computer to steal passwords and data: the keylogger records every key typed on the keyboard and sends the captured data out to the hacker's site. Through deception (fake emails) or with direct access to the PC to compromise it, the hacker can intercept all the victim's data without the victim being aware of it.
Some advanced keyloggers come as small devices inserted in line with the USB or PS/2 port, so as to intercept data at the hardware level: they are very hard to detect and practically impossible to stop, but they require physical access to the computer in order to recover the data.
To protect ourselves from software keyloggers we need to install a good anti-keylogger, like those in our guide to the best free anti-keyloggers against malware that spies on your computer. If we prefer not to install other programs, it can help to use the on-screen keyboard when typing passwords, so as to prevent capture by keyloggers: see our article on how to use the virtual on-screen keyboard to type protected from keyloggers and password theft.
Other useful tips
Other general tips to protect our passwords are:
- Use an updated antivirus on the computer, like those recommended in our guide to the best free antivirus for PC.
- Use a VPN when connecting to public networks and hotspots; the best VPNs to try are in our article on the best free VPN services and programs for safe browsing.
- Create a secure Wi-Fi network at home, as described in our guide on securing your home WiFi connection and protecting yourself from network intrusions.
All the advice in this guide can make it very hard for hackers to reach our data and passwords, but remember that a truly skilled hacker gets in anywhere: the only thing we can do is slow them down enough to make the "game" not worth the effort (the classic "the game is not worth the candle").
READ ALSO -> Online safety guide against hackers, phishing and cybercriminals