PASSWORD HACKING IS NOT MAGIC (Original article by Laura Moynihan of DHM)

By Laura Moynihan, Director, Digital Helpmates

Published 3/7/2022

Two-question survey:

Question 1: 

Have you ever wondered how a magician pulls a dove out of a pocket that seemed empty just a moment ago?

Question 2: 

Have you ever wondered how your password gets hacked?

These Two Questions are Related.

My guess is that if you are like most people, you may answer “sure!” to question #1, and “not really” to question #2. When it comes to hacking passwords, you just know that it can happen. 

When a magician pulls a dove out of a pocket, people in the audience stare in wonder and then applaud. But no one applauds when their money is stolen, passwords hacked, data pilfered…all due to a password that has been guessed and mysteriously pulled out of that virtual pocket that belongs to YOU.

The mechanics of hacking seem too complicated for most home and business users to spend their time wondering about. So, when it comes to choosing a new password for a website or other account, people sometimes freeze up or panic. They often feel short on time and ideas, and choose the same variation of a password already used dozens of times.

Can you relate? About 10 years ago, I used to approach passwords this way, choosing the same password over and over, never really understanding how, or how often, they are stolen. Since then, I’ve learned that If you want to create unhackable passwords, it’s crucial to avoid passwords that are short, similar, or simple. 

The adage is true — information is power.

When I feel anxiety about any topic (which is often), my most common weapon is to gather as much information on that topic as I can get my hands on. Understanding how we are hacked or, more specifically, how our passwords are guessed, is key to keeping our information safe. Once you know the “magician’s secrets,” that sleight-of-hand is no longer invisible. You know how to spot when you are vulnerable; you are no longer distracted.

This is bad news for password hackers. These cybercriminals rely on the overwhelming feeling most people have when choosing a password and on the seemingly complicated nature of hacking to dissuade people from wondering “how.” 

I hear far more clients asking “Why?” — as in, why are people wasting their time trying to get my password? The answer is quite simple. There is more money being made in hacking today than in the global illegal drug trade (Morgan, 2020). The drug lords of the 80s and 90s now play second fiddle to the information hackers. I highly recommend watching the episode of Trafficked by Mariana Von Seller called “Scams,” available on streaming platforms and NatGeo’s website (Ohlmann, 2020).

While some of the scams on this episode take place through simple “confidence-man” techniques and trickery, the easiest way to steal money online is through weak passwords hacked by a simple script. From here, the criminal takes your data and opens credit cards or loans in your name, purchases expensive items from Amazon that they then steal off your front porch, transfer money to themselves from your PayPal account, and more. They can grab your credit card number stored on any number of websites, and use it to make purchases of their own (which they then resell for cash). They can gain access to your system and hold all of its data hostage in what’s known as a Ransomware attack. These cybercriminals are creative, and they come up with new ways to make money off your passwords that you haven’t thought of (Poppy, 2019).

Although the ways criminals can use your data are seemingly endless, the tricks they use to hack your password are not magic. They’re not even numerous. They tend to rely on the same tricks that work to hack most passwords. Understanding how these techniques work is the key to keeping the locks on your vault strong and secure by simply choosing passwords that cannot be hacked.

Hat Trick: The Three Main Techniques.

The three most common methods of hacking passwords and safeguarding passwords are:

1. The Brute-Force Attack

This is a common attack where a simple script or “bot” continually tries a different combination of letters, numbers, and symbols in an attempt to guess your password. These brute-force attacks are the reason your password system locks you out when you get it wrong after a certain number of tries. 

A computer with a super-fast processor can guess between 10,000 and 1 billion tries per second (Scott, 2020). This means that if you have a password that is short (9 or fewer characters) and simple (just words or numbers), it can take seconds for this script to guess your password. This is scary.

The antidote to this attack: Use long, complex passwords. The longer and the more types of characters it uses (letters, numbers, symbols), the more combinations there are for the computer to guess. Each additional character could double the number of hours or days it takes to guess your password.

2. The Dictionary Attack

Similar to the brute-force attack, this script uses words in the dictionary to guess your password. It can be combined with the traditional brute-force attack. This means that once they determine a word in your password, the remaining characters can be quickly guessed by the brute-force method.

The antidote to this attack: Use a non-English word or one that is not considered the common language of the country you live in.

3. The Keystroke-Logger Attack

This attack relies on a bit of malware installed on your computer without your knowledge. This program makes a record, or a log, of every keystroke you make on your computer. It then sends the criminals these reports, where they analyze them (using computers) for patterns. These patterns are your passwords — or parts of them. Knowing part of your passwords helps them to rapidly crack the rest.

The antidote to this attack: Make every password unique.

Again, to Sum Up:

The key to foiling all three of these methods of password hacking is to make your passwords:

1. Long

2. Complex

3. Unique (for each website or account)

Password Managers

There are very helpful apps called password managers that can suggest these long, complex, and unique passwords for you. You may already use one — most major web browsers come with one built-in, but there are also stand-alone password managers that can be even more robust than the browser versions. The one I suggest and train on exclusively is called LastPass. If you are interested in trying it out for free, here’s an affiliate link: https://lastpass.wo8g.net/mPbkX.

The problem, however, with using these 25+ character passwords is that they are too unwieldy for use in real life. Although a password manager can generate, remember, and fill in your passwords for you automatically, there will be instances (perhaps 10 percent of the time) when you will need to fill in a password by typing it in manually, character-by-character. Or yelling it across a room (like with your WiFi password, for a guest). Imagine those two scenarios when your password looks like this:

aY4*06xdt2gbU89r  

(1 trillion years to hack)

And when your password looks like this:

Latrofrice3894! 

(15 billion years to hack)

Both passwords satisfy all requirements of complexity for every website (uppercase, lowercase, letter, number, symbol). Both passwords are super secure and for all intents and purposes, cannot be hacked. I predict we will move beyond using passwords as a primary security measure within the decade, so anything that takes longer than that to hack is secure in my estimation.

But one of them is going to make you far less stressed out when you need to type it in by hand. One of them is going to make you want to throw your against the wall on the third try when you miss that zero, thinking it’s an uppercase O. And one of them is just as easy to come up with — password manager or not. 

(Side Note: I have a simple Password Recipe “cheat sheet” that I use to craft these unique passwords quickly. If you would like a copy, click this link: https://ddp.digitalhelpmates.com/ddp-password-recipe-bonus/)

Bad Passwords

Enough about good passwords; I want to address bad passwords — specifically, how terrible we humans are at creating good passwords. The most common password used in all countries in 2021 was 123456. (I kid you not.) The second most common (in the USA) was “Password.” This list goes depressingly on (Hooven, 2021).

Why do we do this? 

Most of us can understand and see the huge, damaging effects of password hacking. Most of us have been hacked ourselves, or known of someone who has been hacked. Some of us have even lost money that was unrecoverable (such as when a hacker convinces you to purchase gift cards and hand over the codes). 

In my personal and professional experience, there are three main reasons people do not choose secure passwords: 

1. They do not believe hackers are targeting them, or their passwords. They believe hacking happens to “other people.”

2. They believe their system of making up passwords with the same words, phrases, or numbers in different combinations is keeping them safe, but somewhat easy to remember without writing them down. (This was me.)

3. They are stressed and in a rush, and choose a poor password “for now” that never gets changed.

All of these boil down to one main culprit:

People often do not have a quick and easy way to create, store and update the long, complex, and unique passwords they know they should have.

Remember that password manager I noted earlier, LastPass? For me, this was the answer. Learning LastPass — and more recently, coming up with a solid “recipe” for creating secure passwords — changed my life. Password resets were a thing of the past. Using personal information in passwords? Passé. Writing down passwords were way more work than just using the password manager.

But most importantly, I have not yet been hacked (in that, my password has never been stolen, to my knowledge) in the years since I have been using LastPass. And, I have managed to teach dozens of other clients how to become “unhackable” by adopting this password manager. Many were resistant to learning something new, but none (to date) has regretted getting their passwords migrated to the platform. Most say it is the most valuable app they use for keeping them secure and making password problems a thing of the past.

Digital Disaster Planning

Helping with passwords and teaching online safety best practices has become such a crucial service in tutoring practice that I created a six-week course around it called, “Digital Disaster Planning.” (For more information on this course, click here: https://ddp.digitalhelpmates.com/course.)

In it, I teach my clients not only how to get passwords changed and stored into an app, but also how to store documents, credit cards, and more in this “digital lockbox.” And then — best of all — you can designate one or more people who act as Emergency Access contacts and can get into your digital lockbox when needed. (No magic act needed.)

Cybercrime centers focus on guessing passwords that are “low hanging fruit.” Criminals need very little computer knowledge or resources to get them. And I believe the reason more of us do not change our weak passwords (once we are made aware that they are unsafe) is the feeling of overwhelm that we need “perfect passwords,” an easy way to remember them, and be able to easily input those passwords by hand (when needed) on a tiny screen with an even smaller keyboard. This need for “perfect” passwords (mostly pushed by IT professionals) drives me batty.

To significantly curb cybercrime, we do not need a handful of people doing passwords perfectly. We need millions of people doing passwords just a little bit better than they were before. 

(And, we all need to use a good password manager.)

A Tech Tutor can help you painlessly get your passwords and more safely stored in a “digital lockbox.” Visit https://digitalhelpmates.com/ to find out more. 

References:

Cain, E. (2018, October). Why dont we follow password security best practices? Increment. Retrieved 21 February 2022 from https://increment.com/security/password-security-best-practices/

Hooven, D. (2021, Nov. 29). What are the most common passwords of 2021? Schneider Downs. Retrieved 21 February 2022 from https://www.schneiderdowns.com/our-thoughts-on/most-common-passwords-of-2021

Morgan, S. (2020, Nov. 13). Cybercrime to cost the world $10.5 trillion annually by 2025. Cybercrime Magazine. Retrieved 28 February 2022 from https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

Ohlmann, A. (Director). (2020, Dec. 2). Scams (Season 1, Episode 1) [Tv series episode]. Trafficked with Mariana Von Seller. National Geographic. Viewable at https://www.nationalgeographic.com/tv/shows/trafficked-with-mariana-van-zeller/episode-guide/season-01/episode-01-scams/vdka21300917

Poppy, J. (2019, Jan. 1). The hackers economy. Bulletproof. Retrieved 21 February 2022 from https://www.bulletproof.co.uk/blog/the-hackers-economy

Scott, B. (2020, Aug. 17) Learning password security jargon: brute force attack. Nordpass. Retrieved 21 February 2022 from https://nordpass.com/blog/brute-force-attack

Laura Moynihan is a former graphic designer, copy editor, journalist, and high school English teacher. In 2020, she founded Digital Helpmates, her fourth business venture, after tutoring technology full-time since 2015. Today, she manages several other Tech Tutors and teaches them how to provide the best one-on-one tech help available today. She holds degrees from Pepperdine and Dominican Universities. Her burning desire is to help elevate humanity through teaching and technology.  

Laura Moynihan

Digital Helpmates

Phone and Text: 360-712-0445 

laura@digitalhelpmates.com