People talk about their online accounts being “hacked,” but how exactly does this hacking happen? The reality is that accounts are hacked in fairly simple ways — attackers don’t use black magic.
Knowledge is power. Understanding how accounts are actually compromised can help you secure your accounts and prevent your passwords from being “hacked” in the first place.
Reusing Passwords, Especially Leaked Ones
Many people — maybe even most people — reuse passwords for different accounts. Some people may even use the same password for every account they use. This is extremely insecure. Many websites — even big, well-known ones like LinkedIn and eHarmony — have had their password databases leaked over the past few years. Databases of leaked passwords along with usernames and email addresses are readily accessible online. Attackers can try these email address, username, and passwords combinations on other websites and gain access to many accounts.
Reusing a password for your email account puts you even more at risk, as your email account could be used to reset all your other passwords if an attacker gained access to it.
However good you are at securing your passwords, you can’t control how well the services you use secure your passwords. If you reuse passwords and one company slips up, all your accounts will be at risk. You should use different passwords everywhere — a password manager can help with this.
Keyloggers are malicious pieces of software that can run in the background, logging every key stroke you make. They’re often used to capture sensitive data like credit card numbers, online banking passwords, and other account credentials. They then send this data to an attacker over the Internet.
Such malware can arrive via exploits — for example, if you’re using an outdated version of Java, as most computers on the Internet are, you can be compromised through a Java applet on a web page. However, they can also arrive disguised in other software. For example, you may download a third-party tool for an online game. The tool may be malicious, capturing your game password and sending it to the attacker over the Internet.
Use a decent antivirus program, keep your software updated, and avoid downloading untrustworthy software.
Attackers also commonly use social engineering tricks to access your accounts. Phishing is a commonly known form of social engineering — essentially, the attacker impersonates someone and asks for your password. Some users hand their passwords over readily. Here are some examples of social engineering:
- You receive an email that claims to be from your bank, directing you to a fake bank website with a very similar-looking URL and asking you to fill in your password.
- You receive a message on Facebook or any other social website from a user that claims to be an official Facebook account, asking you to send your password to authenticate yourself.
- You visit a website that promises to give you something valuable, such as free games on Steam or free gold in World of Warcraft. To get this fake reward, the website requires your username and password for the service.
Be careful about who you give your password to — don’t click links in emails and go to your bank’s website, don’t give away your password to anyone who contacts you and requests it, and don’t give your account credentials to untrustworthy websites, especially ones that appear too good to be true.
Answering Security Questions
Passwords can often be reset by answering security questions. Security questions are generally incredibly weak — often things like “Where were you born?”, “What high school did you go to?”, and “What was your mother’s maiden name?”. It’s often very easy to find this information on publicly-accessible social networking sites, and most normal people would tell you what high school they went to if they were asked. With this easy-to-get information, attackers can often reset passwords and gain access to accounts.
Ideally, you should use security questions with answers that aren’t easily discovered or guessed. Websites should also prevent people from gaining access to an account just because they know the answers to a few security questions, and some do — but some still don’t.
Email Account and Password Resets
If an attacker uses any of the above methods to gain access to your email accounts, you’re in bigger trouble. Your email account generally functions as your main account online. All other accounts you use are linked to it, and anyone with access to the email account could use it to reset your passwords on any number of sites you registered at with the email address.
For this reason, you should secure your email account as much as possible. It’s especially important to use a unique password for it and guard it carefully.
What Password “Hacking” Isn’t
Most people likely imagine attackers trying every single possible password to log into their online account. This isn’t happening. If you tried to log into someone’s online account and continued guessing passwords, you would be slowed down and prevented from trying more than a handful of passwords.
If an attacker was capable of getting into an online account just by guessing passwords, it’s likely that the password was something obvious that could be guessed on the first few tries, such as “password” or the name of the person’s pet.
Attackers could only use such brute-force methods if they had local access to your data — for example, let’s say you were storing an encrypted file in your Dropbox account and attackers gained access to it and downloaded the encrypted file. They could then try to brute-force the encryption, essentially trying every single password combination until one works.
People who say their accounts have been “hacked” are likely guilty of re-using passwords, installing a key logger, or giving their credentials to an attacker after social engineering tricks. They may also have been compromised as a result of easily guessed security questions.
If you take proper security precautions, it won’t be easy to “hack” your accounts. Using two-factor authentication can help, too — an attacker will need more than just your password to get in.