How can hackers steal your and your employees’ passwords? How can password managers help secure your passwords and mitigate hackers’ most common tactics?
Passwords can’t protect your business or your employees. Unfortunately, there is no sugarcoating for this fact. Hackers can, with the right tactics and tools, eventually get your employees’ passwords. If your enterprise only uses single-factor authentication, then you lay out the welcome mat for external threat actors.
Of course, your enterprise can (and should) embrace multifactor authentication as a way to make hackers’ jobs that much harder. Every additional obstacle and factor between the access request and the granted access deters or deflects hackers en masse. However, passwords will probably remain a critical component of your identity and access management for years to come.
You need to secure those passwords. Therefore, you need to understand all of the ways hackers can steal your passwords.
How Hackers Can Steal Your Passwords
1. Just Guessing Them
Yes, it appears that hackers can straight-up guess your credentials. Partially, this stems from employees and other users creating weak passwords. Research indicates that users frequently call upon passwords that would be jokes in other contexts; these include “123456” and “password.” Thus, hackers don’t even need to exert effort in cracking these passwords.
Even in cases where users don’t use such pathetically weak passwords, that doesn’t necessarily stop hackers. They could glean a lot of information about their targets through social media posts and other publicly available information. Then, hackers could try passwords based on the information gathered, with a few common variations (using “3” to replace “E”).
Alternatively, the information publicly available online could help external threat actors bypass passwords altogether. After all, aren’t the security questions to password resets things like “What was your high school mascot?” and “What is your mother’s maiden name?” For a more direct approach, hackers could also create a social media “quiz” and simply ask users to supply the information they need.
Of course, this assumes that users employ distinct, one-account-only passwords. Yet this rarely proves true.
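The guessing tactics above (top-of-the-list passwords, the “3” for “E” substitution, and details harvested from public profiles) can all be caught at enrollment time. The following is an added example, not code from the original article: a policy check that folds a candidate password back to the dictionary word it is built from and compares it against a small constructed common-password list and a constructed set of profile facts. The list contents, the profile fields and the function names are assumptions for illustration.

```python
import re
import unicodedata

# Constructed sample of a "common passwords" list. A real policy check would load a
# published list of the most-leaked passwords (tens of thousands of entries).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "football", "monkey", "dragon", "sunshine", "princess",
}

# Substitutions people use to "disguise" a dictionary word (the "3" for "E" trick).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalize(text: str) -> str:
    """Collapse a password to the dictionary word it is built from: lower-case it,
    drop a trailing year/number/symbol suffix, then undo leet substitutions.
    'P@ssw0rd2021!' -> 'password', 'Fluffy-1999' -> 'fluffy'."""
    folded = unicodedata.normalize("NFKC", text).lower()
    folded = re.sub(r"[0-9\W_]+$", "", folded)  # strip "2021", "!", "_1", "-1999"
    return folded.translate(LEET_MAP)


def guessable_reasons(password: str, profile: dict[str, str]) -> list[str]:
    """Return the reasons a password would be cheap to guess (empty list = none found).
    `profile` holds the kind of facts anyone can read off public posts: pet name,
    school, team, birthday. The values passed in below are constructed examples."""
    reasons = []
    core = normalize(password)
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common password, or a leet/suffix variant of one")
    for field, value in profile.items():
        # Any word of 4+ letters from the profile that survives inside the password
        # means the password is derivable from public information.
        for word in re.findall(r"[a-z]{4,}", normalize(value)):
            if word in core:
                reasons.append(f"contains personal detail '{field}'")
                break
    return reasons


if __name__ == "__main__":
    profile = {"pet": "Fluffy", "high_school": "Lincoln High"}  # constructed
    for candidate in ["123456", "P@ssw0rd2021!", "Fluffy-Lincoln-1999",
                      "correct-horse-battery-staple"]:
        print(candidate, "->", guessable_reasons(candidate, profile) or "ok")
```

The suffix is stripped before the leet translation so that a trailing “2021!” does not get turned into letters; checking both the raw lower-cased password and its normalized core means “123456” is still caught even though it normalizes to an empty string.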
2. Gathering Passwords From Previous Breaches
Users reuse their passwords for any number of reasons. First, many users worry about forgetting their passwords and having to go through the arduous process of password resetting. Second, users face an unprecedented number of accounts to remember—possibly numbering in the hundreds. Third, users want to just log in and do their jobs, so they gravitate to easy passwords that they can plug in on the fly. If they reuse a password, then that’s just one faster login.
So hackers often don’t need to seek out target passwords. All they need to do is wait for another data breach that leaks passwords and try the leaked list against the target. Every data breach feeds into the next one, and every reused password widens that attack vector.
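The defensive counterpart to this tactic is to check new and existing passwords against the leaked lists before an attacker does. The block below is an added example, not part of the original article or of any vendor’s product: it models a k-anonymity breached-password lookup (the client hashes locally and sends only a 5-hex-digit prefix, the server returns every suffix in that bucket) over a constructed five-entry “leak corpus”, and then audits a constructed user roster for breached and shared passwords. The corpus, the roster and the function names are assumptions; a real deployment would query a breached-password service or an offline copy of its hash list.

```python
import hashlib

# Constructed stand-in for a leaked-credential corpus. A real check would query a
# breached-password service (for example Have I Been Pwned's Pwned Passwords) or
# an offline copy of its hash list; the protocol shape below mirrors that design.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2021!"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: list[str]) -> dict[str, set[str]]:
    """Server side: bucket leaked hashes by their first five hex digits."""
    index: dict[str, set[str]] = {}
    for pw in leaked:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def lookup_range(prefix: str) -> set[str]:
    """Server side: answer a range query. Only this 5-character prefix leaves the
    client, so the service learns neither the password nor its full hash."""
    if len(prefix) != 5:
        raise ValueError("range queries take a 5-hex-digit prefix")
    return RANGE_INDEX.get(prefix, set())


def is_breached(password: str) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in lookup_range(digest[:5])


def audit(roster: dict[str, str]) -> dict:
    """Report which users of a user->password roster (constructed sample) have a
    password that appears in the leak corpus, and which users share a password."""
    breached = [user for user, pw in roster.items() if is_breached(pw)]
    by_password: dict[str, list[str]] = {}
    for user, pw in roster.items():
        by_password.setdefault(sha1_hex(pw), []).append(user)
    shared = [users for users in by_password.values() if len(users) > 1]
    return {"breached": breached, "shared": shared}


if __name__ == "__main__":
    roster = {"alice": "Summer2021!", "bob": "Tr0ub4dor&3",   # constructed
              "carol": "Summer2021!", "dave": "Tr0ub4dor&3"}
    print(audit(roster))
```

The audit groups users by hash rather than by plaintext so the report never carries the passwords themselves; in a real environment the same grouping is done over the directory’s stored hashes rather than over plaintext.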
3. Stealing Passwords Directly Via Phishing
Of course, hackers could always just steal users’ passwords directly. They could do this through phishing attacks, disguising their attacks as urgent communications from banks or other critical institutions. Conversely, they could use a spear-phishing attack, using public information to make the attack feel more real than other messages.
Employees need to understand the importance of their passwords and how to recognize what messages might be fraudulent. If hackers keep trying to steal your passwords, what can your business do to prevent them?
How Password Managers Can Help
A password manager acts as a secure vault for all of your employees’ passwords and credentials. Instead of having to manually type in a password, a password manager can autofill the login; all the employee needs to do is click the button to log in and away they go.
Further, because it stores all of the passwords, a password manager encourages employees to create new, strong passwords that hackers can’t easily crack. This alleviates two problems at once: weak passwords and reused passwords.
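To make the two properties concrete (strong because generated, unique because stored), here is an added example that is not code from the original article or from any of the products listed below. It is a minimal in-memory vault: passwords are drawn from the OS CSPRNG, the vault is opened with a master password stretched through PBKDF2, and a `reused()` check confirms no two sites share a password. The class, method names and iteration count are assumptions; as a simplification the PBKDF2 output is kept only as a login verifier, whereas a real manager derives an encryption key from it and encrypts the entries at rest.

```python
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG (secrets) and redraw until the result
    contains a lower-case letter, an upper-case letter, a digit and a symbol."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing cost of a uniformly random password: length * log2(alphabet size).
    20 characters over 94 symbols is about 131 bits; 8 lower-case letters is under 40."""
    return length * math.log2(alphabet_size)


class Vault:
    """In-memory vault: one generated password per site, opened by a master password.
    Simplification (assumption for this example): the PBKDF2 output is kept as a
    login verifier only; a real manager also encrypts the entries under a derived key."""

    def __init__(self, master_password: str, iterations: int = 200_000) -> None:
        self._salt = secrets.token_bytes(16)
        self._iterations = iterations
        self._verifier = self._derive(master_password)
        self._entries: dict[str, str] = {}
        self._unlocked = False

    def _derive(self, master_password: str) -> bytes:
        # Slow, salted stretching so an offline guess at the master password is costly.
        return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   self._salt, self._iterations)

    def unlock(self, master_password: str) -> bool:
        # Constant-time comparison so timing does not leak how many bytes matched.
        self._unlocked = hmac.compare_digest(self._derive(master_password), self._verifier)
        return self._unlocked

    def lock(self) -> None:
        self._unlocked = False

    def add_site(self, site: str) -> str:
        """Generate and store a fresh password for `site`; never hand out an existing one."""
        if not self._unlocked:
            raise PermissionError("vault is locked")
        if site in self._entries:
            raise KeyError(f"{site} already has a password")
        self._entries[site] = generate_password()
        return self._entries[site]

    def get(self, site: str) -> str:
        if not self._unlocked:
            raise PermissionError("vault is locked")
        return self._entries[site]

    def reused(self) -> list[list[str]]:
        """Groups of sites sharing a password; empty whenever entries were generated."""
        by_pw: dict[str, list[str]] = {}
        for site, pw in self._entries.items():
            by_pw.setdefault(pw, []).append(site)
        return [sites for sites in by_pw.values() if len(sites) > 1]


if __name__ == "__main__":
    vault = Vault("correct-horse-battery-staple")  # constructed master password
    vault.unlock("correct-horse-battery-staple")
    for site in ("mail.example", "hr.example", "crm.example"):  # constructed sites
        vault.add_site(site)
    print("entropy per generated password:", round(entropy_bits(20), 1), "bits")
    print("sites sharing a password:", vault.reused())
```

The rejection loop in `generate_password` keeps the character-class guarantee without weakening the source of randomness, and every entry is minted inside the vault rather than typed by the user, which is what removes both the weak-password and the reuse problem the paragraph describes.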
Of course, dozens of providers offer password managers with unique features. To help you find a password manager that can prove the most effective for your business processes and identity management, we provide this brief Directory of Password Managers.
- Dashlane securely stores and auto-fills all your passwords, payments, and personal info while you browse the web.
- ESET Software offers a password manager as a part of its Ultimate Protection package.
- Iolo Technologies / ByePass is a platform-agnostic, secure password manager that also helps protect your online purchases.
- Keeper Security generates strong passwords, autofills passwords across your apps and sites and organizes passwords on all platforms and devices.
- LastPass simplifies your online life and remembers all your passwords across devices.
- NordPass remembers all your complex logins, autofills online forms, and generates strong passwords.
- RoboForm can import passwords from your browser or from other password managers.
- Enpass works as a secure vault to store everything in one place using a single master password and to secure online shopping carts.
You can learn more about password managers and identity management in our Identity Management Buyer’s Guide.