The most common attacks to steal your bank password

Oliver Thansan
04 May 2023 Thursday 08:39

We live in a time in which most daily tasks are carried out over the Internet: from managing the bank account to scheduling medical appointments or going through the income statement, among other procedures, for which the different platforms ask users to set a password. Knowing the strategies cybercriminals use most to obtain our passwords, and setting a password that meets minimum complexity requirements, is essential to protect the money in the checking account and personal data.

One of the strategies that violate users' privacy online consists of guessing their passwords by trial and error, as reported by the National Institute of Cybersecurity (Incibe). To do this, "cybercriminals try different random combinations, combining names, letters and numbers until they find the correct pattern." These are called "brute force attacks". Depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to years.

Another technique consists of trying to find out a password by trying all the words in the dictionary. Software does this automatically, starting with simple strings like "a", "AA" or "AAA" and moving progressively to more complex words. This type of attack is usually more efficient, since many users choose an existing word in their language as a password to make it easy to remember, which is not a recommended practice.

Another common technique is phishing, in which the victim is tricked into entering their login credentials into a fraudulent form that impersonates a legitimate service. To deceive the user, cybercriminals resort to social engineering techniques.

Another threat is keylogger attacks. Keyloggers reach the victim's computer when the victim clicks on a link or downloads a file from the Internet. Once installed, the keylogger tracks and records all keystrokes, including passwords, and sends the data to the cybercriminals.

Many users ignore advice to create a strong password, leaving them more vulnerable and susceptible to being targeted by cybercriminals. "Currently, being victims of attacks, theft or scams on the Internet depends, to a large extent, on the password we choose," says Sonia Fernández, a professor at the U-tad University Center and an expert in cybersecurity.

Using the same password for different accounts, changing only a few characters, is a widely used practice that carries a high risk for the user. For this reason, Fernández points out the most common errors that put personal data at risk online:

- Recycling a password or using the same one for everything. "If we do this, and a hacker finds out our password, they will have access to all our information, and almost all of our lives! It is advisable to use several passwords, that is, one service, one password," explains the expert.

- Using passwords based on specific dates, vacation spots and the classic names of children or pets, which is very common. In these cases, attackers will have it "very easy" to get hold of a password "because of their ability to find information about us on the internet." They then build a personalized dictionary from all the collected information and use it to find the correct word after multiple combinations.

- Publishing personal information on social networks and creating passwords that are related to the user's life. "For example, we want to tell our friends that our cat Maxi is 10 years old today, December 10. This information, seen through the eyes of an attacker, becomes Maxi101213," says the expert.

- Using services that do not have double authentication systems. With double authentication, in addition to entering the password, the user must enter a number sent by SMS, a fingerprint or an email confirmation to complete the activity. "This double authentication will be necessary with the entry into the market of quantum computers, since, due to their ability to perform massive and parallel calculations, they will be able to break passwords much faster and more efficiently than with classical systems," details Fernández.

- Not regularly checking whether passwords have been compromised through data leaks on websites or through social engineering attacks. If this happens, it is recommended to change them immediately. Portals such as https://haveibeenpwned.com make it possible to verify whether an email has ever been compromised.
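
A defensive check for the pattern described in the list above, as an added example that is not part of the article: at password-set time, measure how much of a candidate password is built from names and dates the user has made public. The function names, the 0.8 threshold and the sample profile (constructed from the cat example quoted above) are assumptions for illustration.

```python
from datetime import date

def profile_tokens(names, dates):
    """Lower-cased fragments that public posts reveal: names and date parts.

    Only fragments of two or more characters are kept, so a lone digit in a
    random password is not mistaken for personal information.
    """
    tokens = {n.lower() for n in names if len(n) >= 3}
    for d in dates:
        tokens |= {f"{d.day:02d}", f"{d.month:02d}",
                   f"{d.year % 100:02d}", str(d.year)}
    return tokens

def personal_coverage(password, tokens):
    """Largest fraction of the password that profile tokens can explain.

    Dynamic programming over positions: best[i] is the maximum number of
    characters of password[:i] covered by non-overlapping tokens.
    """
    pw = password.lower()
    if not pw:
        return 0.0
    best = [0] * (len(pw) + 1)
    for i in range(1, len(pw) + 1):
        best[i] = best[i - 1]                      # leave character i uncovered
        for t in tokens:
            if i >= len(t) and pw[i - len(t):i] == t:
                best[i] = max(best[i], best[i - len(t)] + len(t))
    return best[-1] / len(pw)

def is_personal(password, tokens, threshold=0.8):
    """Reject when most of the password is assembled from public facts."""
    return personal_coverage(password, tokens) >= threshold

# Constructed sample profile: pet name and the birthday implied by the quote.
SAMPLE_TOKENS = profile_tokens(["Maxi"], [date(2013, 12, 10)])

if __name__ == "__main__":
    # Constructed candidate passwords, not taken from any real account.
    for candidate in ["Maxi101213", "maxi2013!", "Maxi-tQ7vLp2w9Xe", "tQ7#vLp2w9Xe"]:
        score = personal_coverage(candidate, SAMPLE_TOKENS)
        verdict = "reject" if is_personal(candidate, SAMPLE_TOKENS) else "accept"
        print(f"{candidate:18} coverage={score:.2f} -> {verdict}")
```

A low score only means the password is not assembled from the listed facts; length, reuse and breach checks still apply separately.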