How do cyber criminals get access to passwords? And how to ensure password security? With these tips you slip through the hackers’ nets.

The status quo: “hello,” “honey,” and “password.”

Let’s be honest, we all know certain basic rules for a secure password: For example, a password should be as complex as possible and changed frequently. In addition, it probably should be clear to everyone that the length of a password should increase the password’s security. Using a separate password for each account is even safer.

And yet: According to a study by the web portal Web.de, 61 percent of users use the same password for online services. Words like “hello,” “quertz” and “honey” are still the favourite passwords of the Germans. Common words used in the general language, such as “honey”, are sometimes cracked in less than 21 seconds. In the study, 36 percent also stated that they had not changed their e-mail password for more than a year.

What applies to the private sector often does not look better in business. If no company regulations exist, the same insecure private passwords are often used as passwords. Often times post-its are stuck to computer screens detailing username and password for access to the company’s intranet or administrative structure. Considering that a hacker often only needs one access path to place malware or tap data, this is a frightening security breach.

The attack routes – How do hackers crack my passwords?

Offline Cracking: Hackers steal user data and passwords directly from the provider (e.g. Facebook). The passwords are usually stored there as hash encryptions in the database. The hacker now tries to decrypt the hashs on his own PC, this is called offline cracking.

Brute force attacks: With a brute force attack, a hacker tries out all possibilities for decrypting passwords or Hash´s using computer calculations. If the password is e.g. 8 characters long, it takes about 12 years to try out all combinations with a home computer. However, the hacker is often helped by chance and the hash is cracked earlier.

Dictionary Attack: In a Dictionary Attack, a hacker uses common lexical terms or uses the victim’s vocabulary. If the victim lives e.g. in London, the hacker will include the words “London”, or sentences like “London Tower” in his combination search or include them in a preferential search, because those location-related passwords are often used. Brands, advertising slogans, club slogans or well-known lyrics (e.g. “London calling”) are also popular.

Acquisition & Shoulder Surfing: The victim presents or loses his own passwords, so that a hacker can acquire them (e.g. a piece of paper with noted passworts in a stolen wallet). For the so-called Shoulder Surfing, someone looks over the victim’s shoulder when entering the password or, for example, sees a Post-IT with passwords stuck to the PC screen and uses them against the victim’s will.

Social Engineering Attack: The hacker tries to get user data and passwords through the means of social engineering attacks – e.g. he pretends to be the company’s system administrator on the phone and tells the victim that he urgently needs the password in order to quickly install new updates against a virus rampant in the company.

Malware: Malware is installed on the victim’s PC while surfing the Internet or through a social engineering or phishing attack. This spies out passwords and sends them hidden to the hacker.

And it’s not that hard – 5 basics for password security

Neutrality: Avoid all word connections in one password, which can be traced back to you as a person. Passwords which contain terms from topics like family, occupation, hobby, interests and life data are expressly not to be used. These could, for example, allow the password to be cracked in a dictionary attack. For example, a password with the name of your dog and your date of birth (e.g. SantasLittleHelper1980 or Rollo85) would be fatal.

Length: In recent years it has been shown that the length of a password correlates with its security. The Federal Office for Information Security (BSI) recommends, for example, a minimum length of 8 characters for alphanumeric passwords. For particularly relevant passwords and security multipliers, such as the password to a main email account, we recommend using twice the length. If mind supports are indispensable, it is also safer to use sentences than single words. Even more security is achieved by twisting the words in the sentence (e.g. Jonofthequietlake -> ofquietlaketheJon -> Even better, use numbers and special characters: 3of6quietlake1the7Jon$%)

Complexity: The further away a password is from a recognizable word form, the more difficult it becomes for a hacker to crack it with automated scripts (Londoncalling -> also not very secure, because it would be location-bound, but already better: L0nd0nca!!inG).

Variance: If possible, use a different password for each login account. It makes sense to consider a password system if necessary and to vary password sets (e.g. one set each for profession, private and for hobbies such as games accounts).

Change: Although in today’s security discussion the length of a password in the context of security is emphasized above all, the change of passwords remains an indispensable preventive instrument. As a customer, you usually notice a breach or hack in a provider’s database with passwords at a very late stage. Changing a password can increase security in this respect. It is therefore advisable to exchange passwords at least once a year.

3 more useful tools for more password security

Two-factor authentication (2FA): For this technique a second device is integrated into the log in process, usually the mobile phone via SMS or APP. An absolute must, especially for fiscal accounts such as PayPal. Also, important e-mail accounts should be protected by 2FA login.

Password generators: Password generators help to optimally implement the criteria of neutrality, length and complexity for a good password. The only disadvantage is that these passwords are usually very difficult to memorize.

Password organizer: If a reputable provider is chosen, it is generally safer to manage passwords with a password organizer. It significantly facilitates the use of complex and varying passwords, which in turn increases the variance and also facilitates the password change.

About SoSafe

The SoSafe awareness platform sensitizes and trains employees in dealing with the topic of IT security. Phishing simulations and interactive e-learnings teach employees in an effective and sustainable way about what to pay particular attention to when using e.g. e-mails, passwords or social media. The employer receives differentiated reporting and can finally make awareness building measurable – of course completely GDPR-compliant.