Cracking the Code: How Cybercriminals Steal Your Passwords and How to Protect Yourself


How are my Passwords Being Stolen?

Despite the proliferation of biometric technologies such as facial recognition, fingerprint scanning and iris scanning, passwords remain an integral part of IT security and online service logins.

The consequences of a password falling into the wrong hands can be catastrophic, so it is essential to understand how attackers obtain passwords, what happens when they do, and how we can protect ourselves. Attackers use several techniques to obtain or crack passwords; here are some of the most prevalent:

  1. Brute Force Attack: A trial-and-error method for recovering a password or personal identification number (PIN). Automated software generates and tests a very large number of candidate values in sequence until one matches. Against a live login page the attempts are throttled by lockouts and rate limiting; against a stolen database of password hashes they are limited only by the attacker's hardware, which is why long passwords and slow hashing algorithms matter.

  2. Dictionary Attack: A targeted variant that tries only the entries of a pre-arranged list, called a dictionary, which typically contains real words, previously leaked passwords and common variations of them (capitalisation, appended digits or symbols). Where a brute force attack walks the whole keyspace systematically, a dictionary attack tries only the candidates most likely to succeed, which makes it dramatically faster against human-chosen passwords.

  3. Phishing: A method of obtaining sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. It is typically carried out through spoofed emails or instant messages that direct the user to a fake website matching the look and feel of the legitimate one, where they enter their credentials.

  4. Keylogging: The use of a program, or a small hardware device plugged in between keyboard and computer, to record every keystroke a user makes, particularly to capture passwords and other confidential information as they are typed.

  5. Social Engineering: A non-technical kind of intrusion that relies heavily on human interaction and typically involves tricking people into breaking normal security procedures, for example by impersonating a colleague or IT support to have a password reset or read out.
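To make the difference between the first two techniques concrete, here is an added example (not code from the original article) that runs a dictionary attack with simple mangling rules and an exhaustive brute force against a small, constructed table of salted SHA-256 hashes. The accounts, salts and word list are made up for the example; a real word list has millions of entries and real attackers use GPUs, but the shape of the search is the same.

```python
"""Added example: dictionary attack versus exhaustive brute force against a
constructed table of salted password hashes. No real credentials are used."""
import hashlib
import itertools
import string
from typing import Optional, Tuple


def salted_hash(salt: str, password: str) -> str:
    """The target's (weak, fast) hashing scheme: sha256(salt + password)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "leaked" table: username -> (salt, hash). Made up for this example.
LEAKED_TABLE = {
    "alice": ("a1b2", salted_hash("a1b2", "Summer2023!")),    # word + common mangling
    "bob":   ("c3d4", salted_hash("c3d4", "zq7")),            # short random: brute force only
    "carol": ("e5f6", salted_hash("e5f6", "Xk9#vL2$pQ8w")),   # long random: neither finds it
}

# Constructed mini word list; a real one (e.g. rockyou.txt) has millions of entries.
WORDLIST = ["password", "letmein", "summer", "winter", "welcome", "qwerty"]


def mangle(word: str):
    """Yield common variants of a dictionary word (the 'rules' step of a dictionary attack)."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "!", "2023", "2023!"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_attack(salt: str, target: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Try every word list entry and its mangled variants. Returns (password, guesses made)."""
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            if salted_hash(salt, cand) == target:
                return cand, guesses
    return None, guesses


def brute_force(salt: str, target: str,
                alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 3) -> Tuple[Optional[str], int]:
    """Exhaustively try every string over `alphabet` up to max_len characters."""
    guesses = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            guesses += 1
            cand = "".join(tup)
            if salted_hash(salt, cand) == target:
                return cand, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for a password of this length."""
    return alphabet_size ** length


def crack_all(table=LEAKED_TABLE) -> dict:
    """Dictionary first (cheap), brute force as fallback. username -> (password, method, guesses)."""
    results = {}
    for user, (salt, digest) in table.items():
        pw, n = dictionary_attack(salt, digest)
        method = "dictionary"
        if pw is None:
            pw, n = brute_force(salt, digest)
            method = "brute"
        results[user] = (pw, method if pw else None, n)
    return results


if __name__ == "__main__":
    for user, (pw, method, n) in crack_all().items():
        print(f"{user:6} -> {pw!r} via {method} after {n} guesses")
    # Why length beats cleverness: a 12-character random password over the
    # 94 printable ASCII characters has this many candidates.
    print("12-char keyspace over 94 symbols:", keyspace(94, 12))
```

Alice's password falls on the 48th guess because it is a dictionary word with a predictable suffix; Bob's three-character password survives the word list but not a 46,656-candidate brute force; Carol's 12-character random password survives both, and the keyspace figure shows why no amount of patience helps against it when the hash is slow.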

 

What are the Implications?

Below are several significant corporate breaches in which passwords were compromised or exploited to gain unauthorised access to company systems.

Medibank Data Breach:

In October 2022, Medibank, one of Australia's largest health insurers, suffered a major cybersecurity incident. The breach began when an attacker accessed Medibank's systems using compromised credentials. The attacker then contacted the company claiming to hold around 200 gigabytes of stolen customer data and attempted to negotiate. The data included names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data. The exact number of affected customers was not disclosed in the initial announcement, but Medibank has about 4 million customers. Source

Latitude Data Breach:

In March 2023, Latitude Financial Services, a major Australian lender, disclosed a cyber incident in which a threat actor stole an employee's login and used it to breach two of the company's service providers that held Latitude customer data. The company initially estimated that the intruder had accessed about 328,000 customer records, mostly driver's licence details. After further investigation, Latitude revealed that the impact was far larger, affecting around 14 million customers and loan applicants in Australia and New Zealand. The compromised data included full names, addresses, telephone numbers, dates of birth and approximately 53,000 passport numbers. Source

Dropbox Data Breach:

A 2012 breach of Dropbox, disclosed in full only in 2016, exposed over 60 million user credentials, and it started with an employee reusing a password at work. The employee had reused a password that had been leaked in the LinkedIn breach of the same year; with it, attackers gained access to Dropbox's corporate network and the user data stored within it. Source

Research by GoodFirms:

According to a survey conducted by GoodFirms, 30% of respondents reported password leaks or security breaches caused by poor password practices and weak passwords. The research highlighted common insecure practices such as sharing passwords with colleagues, family members and friends; writing passwords on sticky notes, paper or planners; changing passwords only when prompted; and reusing the same password across multiple sites. Source

 

How to Improve your Digital Security?

Even cautious users who know how to spot scams and phishing attempts can be deceived, because attackers have grown more sophisticated. It is therefore crucial to adopt strong password practices to safeguard sensitive information. Here are our top recommendations for effective password management:

  1. Use a reputable password manager: A tool such as LastPass or Trend Micro's password vault keeps your passwords safe and organised, and lets you use a different strong password for every service without having to remember any of them.

  2. Implement two-factor authentication (2FA): Use an authenticator app such as Microsoft Authenticator. This second verification step means a login must be approved with a notification or a time-based code on your phone, so a stolen password alone is not enough to get in. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted, and only approve a prompt when you have actually just attempted to log in.

  3. Don't reuse passwords: Never use the same password on more than one platform. Let your password manager's built-in generator create a unique password for each service, rather than typing or pasting passwords into a website you do not control.

  4. Make them long and complex: Length matters most. A randomly generated password of 16 or more characters drawn from upper- and lower-case letters, numbers and symbols is out of reach of brute force guessing. Most password generators let you set both the length and the character sets to use; turn both up.

If you follow these steps and one of your passwords is compromised, some password managers will notify you that the login is no longer safe to use. Because each password is unique, only one service is at risk, so you need to change a single password rather than every login.
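The three mechanical parts of the advice above (generate a random password, judge its strength, and find out whether it has already appeared in a breach without handing the password to anyone) can be shown in a few dozen lines. The following is an added example, not code from the article or from any of the products it names. It uses Python's `secrets` module for generation and the k-anonymity "range" technique that breach-lookup services use: only the first five hex characters of the password's SHA-1 are sent, and the matching suffix is looked for locally. The range service and the `BREACHED` corpus here are constructed in-memory stand-ins, not a live API.

```python
"""Added example: CSPRNG password generation, entropy estimate, and a
k-anonymity breach check against a constructed in-memory corpus."""
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password. secrets.choice draws from the OS CSPRNG;
    random.choice is predictable and must not be used for secrets."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Only meaningful for generated passwords; human-chosen ones are far weaker."""
    return length * math.log2(alphabet_size)


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: password -> times seen in leaks (made-up numbers).
BREACHED = {"password": 9_000_000, "letmein": 500_000, "Summer2023!": 1_200}

# Index it the way a range service does: 5-char prefix -> [(35-char suffix, count)].
_RANGES: dict = {}
for _pw, _count in BREACHED.items():
    _digest = sha1_upper(_pw)
    _RANGES.setdefault(_digest[:5], []).append((_digest[5:], _count))


def range_lookup(prefix: str) -> list:
    """Stand-in for the remote range query. The caller discloses only a 5-char
    prefix shared by many unrelated hashes, so the password itself stays private."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return _RANGES.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus; 0 means not found."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for cand_suffix, count in range_lookup(prefix):
        if cand_suffix == suffix:
            return count
    return 0


def assess(password: str) -> dict:
    """Combine the checks the way a password manager's health report would."""
    seen = breach_count(password)
    if seen:
        verdict = "change it now"
    elif len(password) >= 12:
        verdict = "ok"
    else:
        verdict = "too short"
    return {"length": len(password), "breached": seen > 0,
            "breach_count": seen, "verdict": verdict}


if __name__ == "__main__":
    new_pw = generate_password(16)
    print("generated:", new_pw, f"(~{entropy_bits(16, len(ALPHABET)):.1f} bits)")
    for candidate in ("password", "Summer2023!", new_pw):
        print(f"{candidate!r}: {assess(candidate)}")
```

A 16-character password over 94 symbols carries about 105 bits of entropy, far beyond any brute force budget, which is why the generator setting that matters most is length. The breach check is what lets a password manager warn you about a login that has turned up in a leak without ever transmitting the password.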

 

Is everything too difficult, and you just need help?

As your local IT company, Zelrose can provide a range of services to help protect against password theft and enhance your overall cybersecurity. Here are some ways we can assist:

  1. Security Assessment: We can conduct a comprehensive security assessment of your systems to identify vulnerabilities that attackers could exploit. This includes checking for weak or reused passwords, accounts without multi-factor authentication, outdated software and other security risks.

  2. Password Management Solutions: We can implement a password management solution for your business. It generates strong, unique passwords for each account, stores them securely, lets you rotate a credential promptly when it may have been exposed, and can be paired with multi-factor authentication for added security.

  3. Employee Training: We can train your employees in best practices for password creation and management. This includes the importance of using a unique password for each account, avoiding common words and phrases, recognising phishing attempts, and changing a password promptly whenever it may have been exposed.

  4. Monitoring and Response: We can monitor your systems for signs of a security breach and respond quickly when one is detected. This includes spotting password-guessing attempts, such as bursts of failed logins against one or many accounts, and taking immediate action to block unauthorised access.

  5. Regular Updates and Patches: We can ensure that all your software is kept up to date and that security patches are applied promptly. This protects against known vulnerabilities that attackers could otherwise exploit.

  6. Data Encryption: We can implement data encryption to add an extra layer of security. Even if an attacker steals a password, they cannot read encrypted data without the decryption key, provided that key is protected separately from the stolen credential.

  7. Backup and Recovery: In the event of a security breach, we can help recover lost data and restore your systems to normal. We can also set up regular, tested backups so that your data is always protected.

By partnering with Zelrose, you can ensure that your business is well-protected against password theft and other cybersecurity threats. Contact us below to see how we can best help.

Zaidyn Melrose

Zaidyn Melrose, the founder and driving force behind Zelrose, is an innovative and passionate IT specialist with an unwavering commitment to empowering businesses through technology. With over a decade of experience in the IT industry, Zaidyn's proficiency spans various facets of IT, from system administration to cybersecurity and network management.

https://www.zelrose.com.au/about