1. Phishing
We’ve talked about phishing recently when scammers began
taking advantage of the COVID-19 pandemic to target their victims. Criminals
would send emails impersonating legitimate government organizations, attempting
to trick users into clicking embedded links or downloading attachments that
would take over the user’s system or act as a hidden backdoor to steal
credentials. These types of phishing scams are one of the most common ways
hackers steal your passwords. Phishing can occur through email or SMS –
really any electronic communication where the sender can’t be readily
identified.
2. Malware
Malware is another common tool criminals use to steal
credentials. There is a broad range of malware families out there that do
everything from secretly capturing your movements to outright locking up
systems or destroying files. Keylogging malware records the keystrokes typed
directly on a keyboard or PIN pad. Spying malware might hack into webcams to
watch and record you. Ransomware is a malware attack that blocks access to a
business’s data or systems until that business pays up – typically costing a company
millions of dollars. Then, of course, there’s the malware that sits quietly in
the background collecting data, like passwords, from browser caches.
3. Brute Force
Bad actors use many tactics to make brute force attacks less
time-consuming and expensive. Dictionary attacks utilize lists of unique words,
common passwords, and compromised credentials called cracking dictionaries to
quickly guess passwords users are most likely to choose. Password spraying is
similar, but the hacker typically already knows the victims’ usernames and is
attempting to break into their accounts by more slowly running down a list of
commonly used passwords. Credential stuffing takes this one step further: the
attacker has already obtained lists of stolen credentials (username and
password combinations) and tests them against accounts on other sites to see
where they still work. This tactic succeeds even when sites have suitable
security measures, because employees reuse passwords that were compromised in
data breaches of other sites. Mask attacks occur when hackers know something
about a password’s structure, like a required special character, and tailor
their brute force guesses to that criterion. All of these approaches are brute
force guessing campaigns aimed at breaking into your systems.
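The difference between spraying (a few passwords against many accounts) and classic brute force (many guesses against one account) is exactly what a defender can look for in authentication logs. The example below is added here and is not from the original post; the log format, the documentation-range addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Added example (not part of the original post). Constructed sample log
# lines in an assumed format; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T08:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T08:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T08:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T08:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T08:00:06Z src=203.0.113.5 user=frank result=OK
2024-05-01T08:01:00Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T08:01:01Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T08:01:02Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T08:01:03Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T08:01:04Z src=203.0.113.9 user=alice result=FAIL
2024-05-01T08:02:00Z src=203.0.113.20 user=grace result=FAIL
2024-05-01T08:02:30Z src=203.0.113.20 user=grace result=OK
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def classify_sources(log_text, min_users=4, max_fails_per_user=2, brute_min_fails=5):
    """Map each suspicious source to 'spray', 'spray_then_success' or
    'brute_force'; sources that fit neither shape are left out.
    Thresholds are illustrative assumptions, not tuned values."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> FAIL count
    success_after = defaultdict(set)               # src -> users with an OK after fails
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user, result = m.groups()
        if result == "FAIL":
            fails[src][user] += 1
        elif result == "OK" and src in fails:
            success_after[src].add(user)
    verdicts = {}
    for src, per_user in fails.items():
        widest = len(per_user)                    # how many accounts were tried
        deepest = max(per_user.values())          # most guesses against one account
        if widest >= min_users and deepest <= max_fails_per_user:
            # Low-and-slow across many accounts: spraying. A success right
            # after it is the alert to act on first.
            verdicts[src] = "spray_then_success" if success_after[src] else "spray"
        elif widest == 1 and deepest >= brute_min_fails:
            verdicts[src] = "brute_force"
    return verdicts
```

Per-account lockouts alone miss the first pattern, which is why the check keys on the source and counts distinct accounts rather than failures per account.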
4. Data Breaches
Data breaches are slightly different because hackers can
take advantage of password vulnerabilities, a configuration flaw or other
vulnerability to gain network access to your system. Once they do, they can
obtain the user table from your identity and access management system (like
Windows Active Directory) that holds all your user names and passwords. Good
cybersecurity hygiene means that your business isn’t storing these passwords
in clear text but hashing them with a per-user salt. (You’re doing that,
right?) However, as we’ve talked about before, hashing and salting aren’t
foolproof. The dark web makes this kind of password attack viable by sharing
tools like rainbow tables that can quickly recover passwords from weakly
hashed credentials.
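To make the salting point concrete, here is an added example (not code from the original post) contrasting a bare, unsalted fast hash with a per-user salt plus a slow key derivation function. It uses only the Python standard library; the password list and iteration count are assumptions chosen for illustration.

```python
# Added example (not part of the original post). Standard library only;
# the iteration count and the short password list are assumptions.
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]  # constructed

def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# A table precomputed once over common passwords. A rainbow table is the
# same idea scaled up; it works only because every user who chose
# "password" ends up with the identical unsalted digest.
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}

def table_lookup(stored_hex: str):
    """Return the password behind a stored hash if the table has it, else None."""
    return PRECOMPUTED.get(stored_hex)

def store_salted(password: str, iterations: int = 600_000) -> dict:
    """The sound scheme: random per-user salt plus a slow KDF
    (PBKDF2-HMAC-SHA256). The salt is stored next to the hash; it is
    not secret, it just makes every user's hash unique."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": iterations}

def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])
```

Two users with the same weak password get the same unsalted digest, so one table entry answers for both; with a random salt and a slow KDF, each stored hash is unique and any table has to be rebuilt per user.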
5. Technical Hacks
Outside of malware, other technologies make it easier for
bad actors to get their hands on your passwords. Network analyzers, for
example, allow interlopers to monitor and intercept data from your network,
including plain text passwords. All a hacker needs is access to a network
switch or your wireless network, either by way of malware or being there in
person, and they can use an analyzer to search for and capture password
traffic. A VPN can help close off this kind of vulnerability, but with more
employees working from home than ever before, many systems remain unguarded
from this threat.
6. Targeted Personal Attacks
There are quite a few password-stealing methods at a
criminal’s disposal when they can be somewhere in person. Targeted personal
attacks are advantageous if a hacker is going after a specific, high-value
individual. Spidering is a process where a hacker studies their target,
gleaning intimate details about their work and home environments to socially
engineer their way to the right username and password combo. Shoulder surfing
is exactly how it sounds. Someone is simply looking over your shoulder to
ascertain your company login information or MFA security code sent via text. Of
course, there’s always snooping around an employee’s desk for a password
scribbled on a sticky note!
We’ve done our best to group the main methods hackers use to steal your passwords. Now, the question is, what can you do about it? Businesses need to take proactive steps to mitigate their exposure to these tactics. Multi-layered cybersecurity strategies are the best defense for your organization. From implementing training for all of your employees to embracing admin tools that prevent users from creating compromised passwords, there are so many methodologies you can use to defend against these password-stealing attacks.