In today’s day and age, choosing a secure password has never been more important. Using different passwords for all your accounts is crucial, too. If you don’t take security seriously, you will eventually get hacked – and if you are running a business, this could be devastating. There are plenty of things you can do to prevent a hack, however, all the security tools and precautions aren’t going to help if you use a weak password. Someone with very little technical skill, and a whole lot of ingenuity can get the keys to the castle if you’re not careful.
I have a fairly decent knowledge of security, and have spent a good amount of time researching hacker methodologies. In this article, I will outline what a hacker out to steal your password might do. This may seem over the top, but I’ve seen it happen – never underestimate them.
Most of the time, all the information found below is on the internet. Should it not be, they might use something such as Google’s Newspaper Archives to dig up relevant information.
So, what might a hacker do to get your password?
- Lookup your wife, kids, brothers, uncles and cousins and get their nicknames, birthdays, anniversaries, and any other dates associated.
- See where you went to school, and get all your teachers names. (Popular recovery question)
- Look for trends in numbers you like. Your FB URL is 161, it’s in your email address, and it’s in the username of that gardening forum you frequent he found by reverse image searching profile pictures you use a lot, it’s probably in your password.
- Find all those FB surveys you did way back when – that ask silly questions like what your favorite color is, or the name of your first pet. Those are also popular recovery questions.
- See what sports teams and players you like, favorite animals, cars – things of that nature.
- Find street names that might be relevant, such as the street you grew up on.
- What kind of car you drive is always popular. “Mustang67” (your car + birth year) might sound secure.. but you need something better.
And, with all that information, they really really good probability of guessing the security questions or password to your email address.
If that doesn’t work, they might put all those birthdays, names, and dates into a file and feed it to an automated system that tries out every combination. This is known as ‘brute forcing.’ If it’s really stubborn, a hacker will throw a dictionary into the mix with words to try.
Should none of that work, they could combine that info with a pre-made word list. Good wordlists are thorough. A friend of mine who happens to be a security researcher has compiled a 15 GB wordlist specifically for this purpose, combining every single wikipedia article, some public domain books, and other large sources of text that would have unique words, and even misspellings. If you’re interested, you can find that here. A real good bruteforcer will also try letter substitutions, so il0v3cats isn’t safe anymore, either.
Your email password should be very strong.
You might be wondering why a hacker would go for that first, it’s mostly junk mail right? Wrong. All those confirmation emails you get from sites when you sign up, let them know what accounts you have. From there, it’s simple enough to go hit the “Forgot my password” button on any of them, and then a link to reset the password is sent to the email.
And the failed attempt lockouts?
Not usually a problem. If I was a hacker, I would go for the email – although, any good email account will have a limit to failed passwords. Unfortunately, most people use the same password for everything. So, a hacker will target the weak link. An old website you signed up to and forgot about with that very same password as the email address, might not afford the same security of your email provider.
The bottom line is, there is no limit to the ingenuity of hackers. Everything I have outlined here might sound like it is overboard, but I’m sure at some point you must have scratched your head and said ‘Wow, that actually might work..’ I know I certainly have.