The waves of change have brought humanity to the current digital age. We are living in the 4th Industrial Revolution marked by impactful technologies and platforms glued together by the Internet and enabled by hyper-scale cloud.
Digital acceleration has created many benefits for humankind but has also opened avenues for criminals to exploit our vulnerabilities. One such glaring vulnerability is the password. An antiquated form of security, passwords bring the least protection to their users as they are easily copied, guessed, and hacked.
Since the early days of computing, the password has been around to keep our private data private. But the idea of password security has always been somewhat iffy. Even with our 12-character passwords containing random symbols, letters and numbers, if cybercriminals want to find a way into your private data, they will. According to the Microsoft Digital Defence Report 2021, Azure Active Directory observed 50 million password attacks daily. Most of the users targeted by these attacks had not adopted strong authentication such as Multifactor Authentication (MFA).
To combat this threat, we at Microsoft envision a secure password-less future for the world. Be that as it may, the time has yet to come for this to be a reality outside the Microsoft ecosystem, but it may soon very well be, as conversations surrounding the topic have increased. In the meantime, we must learn to protect ourselves by understanding the tactics that these password hackers utilise.
In the spirit of understanding such tactics, I have detailed five typical ways your passwords can be hacked:
Phishing
One of the most common cybercrimes of our time is phishing. It is a social engineering technique where cybercriminals will trick you into submitting your credentials to what you think is a legitimate site or vendor. Phishing usually occurs through emails where links and attachments can bring you to duplicated websites or infect your systems with a malicious file.
Password Spraying
Humans tend to forget that ‘history repeats itself’. We choose passwords like ‘12345’, ‘qwerty123’ or the ever redundant ‘password’ because (1) we’re lazy and it’s easy to remember or (2) we think we’re playing with some form of laughable reverse psychology. Password spraying is a tactic that cybercriminals use to take advantage of our gullibility, and it does precisely what the name says. They try their luck with a short list of common passwords across many accounts and succeed a fraction of the time.
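The pattern described above is what a defender looks for in sign-in failures: one source trying one or two guesses against many different accounts, as opposed to one account being hammered with many guesses. The following is an added example, not code from the original post; the log line format, thresholds and IP addresses are assumptions made for the illustration, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed sign-in events (not real log data).
# One failure per line: ISO timestamp, username, source IP.
SAMPLE_LOG = """\
2021-10-01T09:00:01 alice 203.0.113.5
2021-10-01T09:00:03 bob 203.0.113.5
2021-10-01T09:00:05 carol 203.0.113.5
2021-10-01T09:00:07 dave 203.0.113.5
2021-10-01T09:00:09 erin 203.0.113.5
2021-10-01T09:05:00 alice 198.51.100.9
2021-10-01T09:05:01 alice 198.51.100.9
2021-10-01T09:05:02 alice 198.51.100.9
2021-10-01T09:05:03 alice 198.51.100.9
2021-10-01T09:05:04 alice 198.51.100.9
2021-10-01T09:05:05 alice 198.51.100.9
2021-10-01T10:00:00 bob 192.0.2.44
2021-10-01T10:30:00 bob 192.0.2.44
"""

def parse_failures(text):
    """Turn raw lines into (timestamp, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    return events

def classify_sources(events, window=timedelta(minutes=10),
                     min_users=5, max_per_user=2, min_single=6):
    """Label each source IP as 'spray', 'guessing' or 'normal'."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, attempts in sorted(by_ip.items()):
        attempts.sort()
        verdict = "normal"  # the odd mistyped password
        for i, (start, _) in enumerate(attempts):
            # every failure from this IP within `window` of attempt i
            in_win = [u for ts, u in attempts[i:] if ts - start <= window]
            users = set(in_win)
            # spraying: many accounts, each tried only once or twice
            if len(users) >= min_users and len(in_win) <= max_per_user * len(users):
                verdict = "spray"
                break
            # online guessing: a single account hit over and over
            if len(users) == 1 and len(in_win) >= min_single:
                verdict = "guessing"
                break
        verdicts[ip] = verdict
    return verdicts
```

The thresholds are deliberately low so the constructed sample trips them; in a real tenant they would be tuned to the normal failure rate, and a flagged source would feed an alert or a lockout policy rather than an automatic block.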
Credential Stuffing
When cybercriminals successfully obtain breached usernames and passwords from a site with lousy protection, they typically test them out on other sites. They even have automated tools to do all the testing for them. As humans, we tend to use the same password for multiple accounts because it is easier to remember, but this is a significant security risk.
Keystroke Logging
Using spyware, this method takes a little more planning on the part of the criminal. First, they must infect your system with malware that records and transmits everything typed on your computer or another device, and then sift through the information captured from your system.
Brute Force
A hacker will run an algorithm against your encrypted password, which systematically tries every possible combination of numbers, letters and symbols until the right combination is discovered. This isn’t the tactic most cybercriminals use, as it takes a significant amount of time and effort, but if your password is too short, weak or common (in other words, guessable), you are highly at risk. A great way to know how safe your password will be against a brute force attack is to refer to this updated table from HiveSystems on how long it takes attackers to crack a password. If you don’t want to be a victim of a brute force attack, you should ensure your passwords fulfil the criteria of the “green zone”.
Did these attack methods scare you?
There is no need to panic and swear off technology. Nowadays, we have multi-factor authentication to protect us if our passwords fall into the wrong hands. However, people still need to be proactive in practising good cybersecurity hygiene by regularly changing passwords, ensuring passwords are longer than 16 characters and employing good security solutions. As in life, no single solution is perfect; hence, we must take all the necessary precautionary measures so as not to fall victim to these cybercriminals.
If you want to learn more, this article, in which I explain secure authentication, may interest you, as I have detailed the different types of authentication better suited to keeping your data safe.
Dr Dzaharudin Mansor
Dr Dzaharudin is the National Technology Officer (“NTO”) for Microsoft Malaysia. With more than 33 years of professional experience in ICT, he engages with key national technology stakeholders, including academics and policymakers, to contribute to national development. Passionate about technology, he works closely with academia, holding advisory positions at several universities.