How passwords are hacked (and how to protect yourself)
Many websites you visit use accounts that are secured using passwords. These websites allow you to shop, bank, trade stocks, manage loans and credit cards and more. Control over your money and personal information is secured by your password. So it’s important to choose good ones and use them properly. Failure to do so is one way to quickly join the ranks of those whose identities have been stolen.
One of the best ways to understand how to protect your password is to understand how passwords are stolen.
- Phishing sites: one of the most effective ways to steal a password is to build a fake site that looks just like the real one and trick someone into entering their user ID and password there. This is usually done with links in Email, in the hope that the user won’t notice they have landed on the wrong site. Defense: don’t click on links in Email that ask you to log in. Type the web address yourself (or use a bookmark) and check both the “lock” and the actual domain name in the address bar; the lock only shows that the connection is encrypted, not that the site is the one you meant to visit.
- Brute force attacks: Many sites use what is called 128 bit encryption, meaning there are about 10^38 possible keys (2^128). A brute force attack (trying every possible key) would take an impossibly long time. But if you use an 8 character password made from upper and lower case letters and digits, there are only 62^8, about 2×10^14, possibilities. That is quite doable once an attacker has obtained the site’s stored password hashes (see site break-ins below) and can guess offline: today’s high speed graphics cards, some of which contain hundreds of processors, can be programmed to compute billions of password hashes per second, so 10^14 candidates are exhausted in hours to days when the site used a fast hash. Note that this guesses the password, it does not break the 128 bit encryption itself. Since many people use even shorter passwords, these attacks can be very effective. Defense: to give a password as much strength as a 128 bit key, a randomly chosen one would have to be roughly 20 to 22 characters long, using letters, digits and punctuation.
- Dictionary attacks: Many people use words or pairs of words. Assuming a vocabulary of 50,000 words or so, pairs of words give only about 2.5×10^9 (roughly 10^10) candidates, which is easy to exhaust even on an ordinary PC. Add birth dates, years and place names to the list and you have a good chance of finding the password. Defense: don’t use words, dates, names or places, even in combination.
- Site break-ins: People tend to use the same password on multiple sites, so an attacker who breaks into one bank or online store may gain access to several other sites for each password retrieved, especially if the compromised site stored the actual passwords instead of a hashed version. Even hashed passwords can be guessed offline as described above, and a site that hashes without a per-user salt, or with a fast hash, makes that much easier. Defense: use a different password on every site, so that one break-in does not compromise the others.
- Listening in on wireless networks: Unsecured public wireless networks transmit data in a way that is easy to eavesdrop on. Watch long enough and you can snag user names and passwords sent to sites that don’t encrypt the login, and if a computer has no firewall enabled and exposes services to the network, an attacker on the same network can attack it directly. Defense: always keep a firewall enabled on public wireless networks, make sure sensitive sites use the encrypted (https) version, and avoid banking or shopping on them altogether.
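The brute force, dictionary and site break-in items above are really one attack seen from three angles: an attacker with a stolen password table guesses candidates offline and compares hashes. The following is an added example, not code from the original article, that puts numbers to the keyspace arithmetic and then runs a small dictionary attack against two constructed “leaked” tables: one storing unsalted SHA-256 (one hash per guess checks every user at once) and one storing per-user salted PBKDF2 (every guess must be recomputed per user, and each computation is deliberately slow). The users, passwords, salts and word list are made up, and the PBKDF2 iteration count is lowered so the demo finishes quickly.

```python
import hashlib
import itertools
import math

# Constructed sample data for the demo: a tiny "vocabulary" and a leaked
# password table. Users, salts and passwords are invented for illustration.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "summer", "london", "tiger"]
DEMO_ITERATIONS = 1000  # lowered for demo speed; real deployments use far more


def sha256_hex(password: str) -> str:
    """Fast, unsalted hash: what a careless site might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Three hypothetical users: a word+year, a word pair, and a random 8-char password.
PASSWORDS = {"alice": "summer2019", "bob": "tigerlondon", "carol": "Xk9#pQ2v"}
LEAKED_UNSALTED = {user: sha256_hex(pw) for user, pw in PASSWORDS.items()}
SALTS = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}
LEAKED_SALTED = {user: (SALTS[user], pbkdf2_hex(pw, SALTS[user]))
                 for user, pw in PASSWORDS.items()}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password of this length/alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest random password over this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def crack_time_seconds(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given guess rate."""
    return keyspace / guesses_per_second


def dictionary_candidates(words, years=range(1990, 2025)):
    """Candidates of the kinds the article describes: words, word pairs, word+year."""
    for w in words:
        yield w
    for a, b in itertools.product(words, repeat=2):
        yield a + b
    for w in words:
        for y in years:
            yield f"{w}{y}"


def crack_unsalted(leaked: dict, candidates) -> dict:
    """Reverse-lookup attack: hash each candidate once and check it against
    every leaked hash at the same time (no salt means one hash serves all users)."""
    by_hash = {h: user for user, h in leaked.items()}
    found = {}
    for cand in candidates:
        user = by_hash.get(sha256_hex(cand))
        if user is not None:
            found[user] = cand
    return found


def crack_salted(leaked: dict, candidates) -> tuple:
    """Per-user attack: each user has a distinct salt, so every candidate must be
    hashed once per user. Returns (found, number_of_hash_evaluations)."""
    cand_list = list(candidates)
    found, evaluations = {}, 0
    for user, (salt, h) in leaked.items():
        for cand in cand_list:
            evaluations += 1
            if pbkdf2_hex(cand, salt) == h:
                found[user] = cand
                break
    return found, evaluations


if __name__ == "__main__":
    print(f"8-char [A-Za-z0-9] password: {keyspace_bits(62, 8):.1f} bits, "
          f"{62 ** 8:.2e} candidates, "
          f"{crack_time_seconds(62 ** 8, 1e10) / 3600:.1f} h at 1e10 guesses/s")
    print(f"chars for 128 bits: {length_for_bits(62, 128)} (62-char set), "
          f"{length_for_bits(95, 128)} (95-char set)")
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, dictionary_candidates(SAMPLE_WORDS)))
    print("salted:  ", crack_salted(LEAKED_SALTED, dictionary_candidates(SAMPLE_WORDS)))
```

Against the unsalted table the whole 301-candidate list costs 301 hashes and recovers alice’s and bob’s passwords in one pass; against the salted table the same list costs 582 slow hashes for three users, and it scales with the number of users. Carol’s random 8-character password is never in the list, and falls only to a full 62^8 brute force, which a slow hash stretches from hours to years.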
Some of those defensive measures are easy to follow. But some are tough: long complex passwords are easily forgotten, more so if you use different ones on different sites. Sure, you can write them down somewhere, but then if someone gets their hands on that list they won’t have to steal your identity; you’ve given it to them.
But there are answers to this dilemma – watch for the next article in this series.