Patricia de Hemricourt

How to Keep Your Password and Credentials Safe in 2023

As we head into 2023, it’s more important than ever to make sure that we’re taking the necessary steps to protect our online accounts from cybercriminals. One of the most effective ways to do this is by using strong passwords and regularly updating them.

You might be thinking, “I already know that I should use strong passwords, so why should I read this article?” Well, the truth is that even though we all know that we should be using strong passwords, many of us still aren’t. According to studies old and recent alike, the most commonly used passwords stubbornly remain “password” and “123456”, which is obviously not very secure.


The problem with using simple passwords like these is that they can be easily guessed or cracked by cybercriminals using automated tools. This means that if someone gains access to your account, they could use it to steal your personal information, make fraudulent purchases, or even hold your data for ransom or use it for extortion.

Simple passwords leave you open to brute-force attacks, a tactic cybercriminals often use to gain access to your accounts. In a brute-force attack, automated software repeatedly guesses your password until it gets it right. These attacks can be incredibly effective, especially if you’re using a simple or easily guessable password.


To protect yourself against brute-force attacks, it’s important to use a strong password that’s difficult to guess: a combination of upper and lowercase letters, numbers, and special characters, at least 12 characters long. You should also enable two-factor authentication (2FA) on your accounts. 2FA requires a second form of verification, such as a fingerprint or a code sent to your phone, in addition to your password. This makes it much more difficult for cybercriminals to gain access to your accounts, even if they are able to guess your password.




Yet, even with 2FA, it’s crucial to use strong passwords that are difficult to guess or crack. A strong password is typically a combination of upper and lowercase letters, numbers, and special characters, and is at least 12 characters long. You should also avoid using common words or phrases, and never use the same password for multiple accounts.
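To make the criteria above concrete, here is an added example in Python (not part of the original article) that checks a password against the policy just described, rejects trivial decorations of common passwords such as a common word followed by digits, and estimates how large a search space a brute-force attacker would have to cover. The short common-password list, the MIN_LENGTH constant and the guess rate of 1e10 per second are constructed assumptions for illustration; a real deployment would check against a large breach corpus.

```python
import math
import re
import string

# Constructed sample of commonly used passwords (illustration only; a real
# policy check would consult a large breach corpus instead of this list).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
}

MIN_LENGTH = 12  # the minimum length the article recommends


def check_password_policy(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # Catch the common word itself and trivial decorations like "Password123!"
    # by stripping leading/trailing digits and punctuation before the lookup.
    stripped = lowered.strip(string.punctuation + string.digits)
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("based on a commonly used password")
    return problems


def guess_space_bits(password: str) -> float:
    """Estimate, in bits, the search space a brute-force attacker must cover:
    (character-set size) ** length, assuming the attacker knows which
    character classes were used. This is an upper bound; a password built
    from dictionary words is far weaker than this number suggests."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)  # 32 printable ASCII symbols
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Years needed to exhaust the whole search space at the given guess rate.
    1e10 guesses/second is a constructed assumption standing in for an
    offline attack against a fast, unsalted hash."""
    seconds = 2 ** guess_space_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("password", "Password123!", "Tr0ub4dor&3Horse"):
        print(candidate, check_password_policy(candidate) or "OK",
              f"{guess_space_bits(candidate):.1f} bits",
              f"{brute_force_years(candidate):.2e} years")
```

The two numbers printed for each candidate show why the article insists on length and character variety: a six-letter lowercase password falls in a fraction of a second at the assumed rate, while a 16-character password drawn from all four classes needs on the order of a hundred bits of guessing. The policy check, not the bit estimate, is what catches "Password123!", which scores well on character classes but is a decorated dictionary word.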

Of course, creating and remembering a strong password for each of your accounts can be a hassle. One solution to this is to use a password manager, which is a tool that securely stores your passwords and automatically enters them for you when you need them.


Another important step is to regularly update your passwords. This is because even if you start out with a strong password, it can become compromised over time. For example, if you reuse a password for multiple accounts and one of those accounts is hacked, your password is no longer secure. Additionally, a website you have an account with may itself have suffered a data breach that exposed your password.


So, even if you’re using a strong password, it’s still a good idea to update it every few months to further protect your accounts from cybercriminals.

To better understand how cybercriminals might attempt to access and abuse your credentials, let's have a look at the types of attacks they use.


Credential Access Attacks Typology


Credential stuffing, credential dumping, and credential access attacks are all types of cyber attacks that involve the use of stolen or compromised login credentials, but they differ in how they are executed and what they aim to achieve.


Credential access attacks, also known as credential harvesting, are a type of attack where attackers use a variety of methods to obtain a user’s login credentials, such as phishing, keylogging, brute force, or malware. The attacker’s goal is to obtain a specific set of login credentials for a targeted individual or organization. Once the attacker has the login credentials, they can use them to gain unauthorized access to the targeted account or use them for further attacks.


Maintaining healthy password hygiene by using unique strong passwords, regularly updating them, and being cautious before clicking on potentially malicious links is the best line of defense against that type of attack.


Credential dumping is a type of attack in which an attacker exfiltrates or steals a large number of login credentials from a specific website or application. The attacker can achieve this by exploiting a vulnerability in the website or application, or by using malware to infiltrate the system and extract the login credentials. The goal of a credential dumping attack is to obtain a large number of login credentials, which can then be used in future attacks, such as credential stuffing attacks or account takeover attacks.


External websites requiring you to enter a password are tasked with keeping your credentials safe in their systems, but they might be breached. Enabling 2FA when possible is your best line of defense against that type of attack.


Credential stuffing is a type of attack in which an attacker automates the process of trying a large number of stolen login credentials on a specific website or application. The attacker uses a list of email addresses and passwords obtained from previous data breaches to try to gain access to accounts. The goal of a credential stuffing attack is to gain unauthorized access to a large number of accounts at once.

Following password hygiene and activating 2FA whenever available are the best techniques to prevent your credentials from landing in cybercriminals' hands and being used for nefarious goals.
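The brute-force attacks described earlier and the credential stuffing attacks described in this section leave different fingerprints in a website's authentication logs, which is how the site's defenders spot them and lock out the source. The following Python example is added here and is not from the original article; it runs over a small constructed log sample (the log format, IP addresses and account names are made up for illustration) and separates one source hammering a single account from one source trying a few guesses against many different accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). Format:
# "<ISO timestamp> <source IP> <account> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2023-01-05T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2023-01-05T10:00:02Z 203.0.113.7 alice LOGIN_FAIL
2023-01-05T10:00:03Z 203.0.113.7 alice LOGIN_FAIL
2023-01-05T10:00:04Z 203.0.113.7 alice LOGIN_FAIL
2023-01-05T10:00:05Z 203.0.113.7 alice LOGIN_FAIL
2023-01-05T10:00:06Z 203.0.113.7 alice LOGIN_FAIL
2023-01-05T10:01:00Z 198.51.100.9 bob LOGIN_FAIL
2023-01-05T10:01:01Z 198.51.100.9 carol LOGIN_FAIL
2023-01-05T10:01:02Z 198.51.100.9 dave LOGIN_FAIL
2023-01-05T10:01:03Z 198.51.100.9 erin LOGIN_OK
2023-01-05T10:01:04Z 198.51.100.9 frank LOGIN_FAIL
2023-01-05T10:01:05Z 198.51.100.9 grace LOGIN_FAIL
2023-01-05T10:05:00Z 192.0.2.44 heidi LOGIN_FAIL
2023-01-05T10:05:30Z 192.0.2.44 heidi LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

# Detection thresholds; constructed for this example, tune to your traffic.
WINDOW = timedelta(minutes=5)
BRUTE_FORCE_THRESHOLD = 5   # failures against one account from one source
STUFFING_ACCOUNTS = 5       # distinct accounts tried from one source


def parse_log(text):
    """Parse log lines into (timestamp, source, account, success) tuples,
    silently skipping lines that do not match the expected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "LOGIN_OK"))
    return events


def detect(events):
    """Sliding-window analysis per source IP.

    brute_force:         (source, account) pairs with >= BRUTE_FORCE_THRESHOLD
                         failures inside one WINDOW (one account, many guesses).
    credential_stuffing: sources that tried >= STUFFING_ACCOUNTS distinct
                         accounts inside one WINDOW (many accounts, few guesses
                         each), with the accounts they actually got into."""
    by_src = defaultdict(list)
    for ts, src, acct, ok in sorted(events):
        by_src[src].append((ts, acct, ok))

    brute_force = set()
    stuffing = {}
    for src, evs in by_src.items():
        start = 0
        for end, (ts, _, _) in enumerate(evs):
            # Advance the window start so it only holds events within WINDOW of ts.
            while evs[start][0] < ts - WINDOW:
                start += 1
            window = evs[start:end + 1]

            failures = defaultdict(int)
            for _, acct, ok in window:
                if not ok:
                    failures[acct] += 1
            for acct, n in failures.items():
                if n >= BRUTE_FORCE_THRESHOLD:
                    brute_force.add((src, acct))

            tried = {acct for _, acct, _ in window}
            if len(tried) >= STUFFING_ACCOUNTS:
                compromised = sorted(acct for _, acct, ok in window if ok)
                stuffing[src] = {"accounts_tried": len(tried),
                                 "logins_succeeded": compromised}
    return {"brute_force": sorted(brute_force), "credential_stuffing": stuffing}


if __name__ == "__main__":
    result = detect(parse_log(SAMPLE_LOG))
    for src, acct in result["brute_force"]:
        print(f"brute force: {src} against account {acct}")
    for src, info in result["credential_stuffing"].items():
        print(f"credential stuffing: {src} tried {info['accounts_tried']} accounts,"
              f" succeeded on {info['logins_succeeded'] or 'none'}")
```

The stuffing branch reports successful logins from the flagged source rather than only the failures: those are the accounts whose reused, breached passwords worked, and they are the ones to force a password reset on. The third source in the sample, one failure followed by a success on the same account, is a user mistyping a password and is correctly left alone.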

