How does a password get hacked?
Cybercriminals have several password-hacking tactics at their disposal, but the easiest one is simply to buy your passwords off the dark web. If you’ve been using the same password for many years, chances are it’s been compromised.
However, if your passwords have not been leaked, cybercriminals have to crack them.
There are multiple types of password attacks commonly used:
A brute force attack involves the attacker trying every possible combination of characters; this is automated using software. Passwords under 12 characters in length are the most vulnerable to this type of attack.
A dictionary attack targets one of the most common password formulation techniques. As its name suggests, a dictionary attack tries words, and combinations of words, from a prepared list.
The final most common attack vector is phishing. This involves cybercriminals attempting to trick you, through social engineering, into giving away your own sensitive information such as passwords or credit card details.
To check whether your passwords or email accounts have been compromised you can use haveibeenpwned. This is not a conclusive resource, however: if your password is not flagged by this tool, it is still best to follow the steps below and assess whether it is a strong password.
Importance of using a password manager and a random password generator
A password manager keeps track of all of your passwords and does all the remembering for you, except for one thing — the master password which grants you access to your password manager.
To generate a secure master password you can use a random password generator. LastPass has a great tool available for free online here. Whatever password generation tool you use, we recommend you set the password length to at least 12 characters and include symbols, numbers, and upper and lower case characters.
If you are struggling to remember the master password, you can try the method the National Cyber Security Centre recommends for home users: "three random words".
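The following is an added example (not code from the original article or from any password manager vendor) that ties together the brute force point above and the generation advice: it builds a password from a cryptographically secure random source, checks it against the stated policy (at least 12 characters, with symbols, numbers, upper and lower case), and estimates how long an exhaustive search of the keyspace would take. The guess rate of ten billion guesses per second is an assumed figure for illustration, not a value from the article.

```python
import math
import secrets
import string

# Character classes used by the generator; the symbol set is an assumption.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS

MIN_LENGTH = 12  # the article's recommended minimum


def meets_policy(password: str) -> bool:
    """Return True if the password satisfies the length and character-class policy."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SYMBOLS for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Generate a password with the secrets module (CSPRNG), re-drawing until
    every required character class is present so the policy always holds."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def brute_force_years(length: int, alphabet_size: int,
                      guesses_per_second: float = 1e10) -> float:
    """Worst-case time, in years, to try every password of the given length.
    guesses_per_second is an assumed rate chosen for illustration only."""
    keyspace = alphabet_size ** length
    seconds = keyspace / guesses_per_second
    return seconds / (365 * 24 * 3600)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password drawn from the alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print("generated:", pw, "policy ok:", meets_policy(pw))
    for length in (8, 10, 12, 16):
        print(f"{length:2d} chars, full alphabet ({len(ALPHABET)} symbols): "
              f"{entropy_bits(length, len(ALPHABET)):5.1f} bits, "
              f"{brute_force_years(length, len(ALPHABET)):.3g} years to exhaust")
```

Run it to see how the exhaustive-search time jumps between 8 and 12 characters: the growth is exponential in length, which is why the article's minimum of 12 matters more than any single extra symbol. Note that this estimate covers brute force only; a dictionary attack succeeds far faster against a short list of guessable words, which is exactly what a random generator avoids.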
Passwords can only do so much
Passwords can only do so much to protect your accounts and data. Even when implemented correctly, passwords are limited in how far they can prevent unauthorised access. If an attacker discovers or guesses the password, they are able to impersonate you and gain access to your accounts.
To combat this effectively, it is important to enable multi-factor authentication (MFA) wherever possible. The best MFA method is to use a specialised authenticator app on your smartphone. This ensures that even if an attacker manages to discover or guess your password, they will be unable to do anything without access to your phone.