In 2023, over 1.7 billion passwords were compromised. This number is over five times the population of the United States or an average of over 46,000 passwords per minute. Compromised records refer to personal data, such as passwords, that have been stolen or leaked, often through data breaches or hacking attacks. Chances are good that some of your credentials are out there. These compromised records often end up on the dark web. The dark web, a hidden part of the internet accessible only through specialized software, is known for its anonymity and is often used for illegal activities. Hackers use the dark web to buy, sell, trade, or steal data, as seen in the recent Rockyou2024 data leak. This makes it a popular marketplace for hackers to acquire compromised passwords and other sensitive information. Once hackers have the data, they engage in a process of guessing, information gathering, and tricking to commit identity theft. Each phase is designed to exploit the data that the attackers already possess.
The hackers try to guess your password
Hackers can launch a brute-force attack with just an email address. A brute-force attack is an automated, trial-and-error method; the variant known as “password spraying” tries a few common passwords across many accounts, which avoids account lockouts and helps the attacker remain undetected. For hackers, a list of passwords is merely a starting point. Bad actors employ a variety of tactics to decipher your credentials.
They try sequential number combinations – Hackers often try sequential number combinations. As the table below shows, most passwords share a common feature: sequential numbers, such as 12345. Avoid using these in your passwords, as they make them predictable and easy to guess.
| Rank | 2019 | 2020 | 2021 | 2022 | 2023 |
|---|---|---|---|---|---|
| 01 | 12345 | 123456 | 123456 | password | 123456 |
| 02 | 123456 | 123456789 | 123456789 | 123456 | admin |
| 03 | 123456789 | picture1 | 12345 | 123456789 | 12345678 |
| 04 | test1 | password | qwerty | guest | 123456789 |
| 05 | password | 12345678 | password | qwerty | 1234 |

Source: NordPass
Using sequential numbers is also a bad idea for the four-digit PIN of your debit card.
They guess common phrases – Hackers often guess common phrases. Therefore, avoid using common words or phrases. Common words or phrases in passwords are predictable and can be easily cracked. While they may be easy for you to remember, they are also among the first passwords that hackers will guess.
In lists of the most common passwords, the word “password” has consistently been in the top 10 for the past five years. Phrases such as “Admin,” “iloveyou,” “qwerty,” and “guest” frequently appear in the top 25.
They look for substitutions – Hackers often look for substitutions. Using common words with case and numerical substitutions in a password is risky. Attackers frequently use dictionary attacks, in which they try common words, phrases, and predictable substitutions. Attackers expect common words with case and numerical substitutions, such as ‘4’ for ‘A,’ ‘3’ for ‘E,’ ‘1’ for ‘I,’ and ‘0’ for ‘O.’ Therefore, even with these substitutions, your password could still be relatively easy to crack. For example, they will try “password,” “Password,” “Pa$$word,” and “Passw0rd” too.
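The three guessing tactics above (sequential digits, common words, and letter-for-number substitutions) can be turned into a defensive check that a sign-up form or password-change flow runs before accepting a password. The following is an added example written for this post, not code from the original article or from NordPass; the common-password set is a small constructed subset of the entries quoted in the table and the phrases named above, and the 12-character minimum is an assumed local policy.

```python
import string

# Constructed subset of the NordPass entries and phrases quoted in the post.
# A real deployment would load a full breach-derived wordlist instead.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "12345678", "1234", "password",
    "qwerty", "admin", "guest", "iloveyou", "picture1", "test1",
}

# Substitutions the post lists (4/A, 3/E, 1/I, 0/O) plus the "$" for "s"
# implied by "Pa$$word". Undoing them lets "Passw0rd" collapse to "password".
SUBSTITUTIONS = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "$": "s"})

# Assumed local policy; not stated in the post.
MIN_LENGTH = 12


def normalize(password):
    """Lower-case the password and undo the common substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def find_common_word(candidate):
    """Return the common password that `candidate` equals or (for words of
    5+ characters, to limit false positives) contains; None if no match."""
    if candidate in COMMON_PASSWORDS:
        return candidate
    for word in sorted(COMMON_PASSWORDS, key=len, reverse=True):
        if len(word) >= 5 and word in candidate:
            return word
    return None


def has_sequential_digits(password, run=4):
    """True if the password contains `run` or more consecutive ascending or
    descending digits, e.g. 1234 or 9876 (1111 does not count)."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        if not window.isdigit():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def assess(password):
    """Return a list of weaknesses matching the tactics described in the post.
    An empty list means none of those patterns were found."""
    findings = []
    raw = password.lower()
    hit = find_common_word(raw)
    if hit:
        findings.append(f"common password '{hit}'")
    else:
        # Only report a substitution variant when undoing substitutions
        # produces a common word; random digits on their own are fine.
        hit = find_common_word(normalize(password))
        if hit:
            findings.append(f"substitution variant of common password '{hit}'")
    if has_sequential_digits(password):
        findings.append("sequential digits")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


if __name__ == "__main__":
    for candidate in ("123456", "Passw0rd", "Pa$$word", "correct horse battery staple"):
        print(f"{candidate!r}: {assess(candidate) or 'no weaknesses found'}")
```

Running the block prints the findings for each of the four constructed candidates; the two substitution variants both resolve to “password”, which is the point the post makes about “Pa$$word” and “Passw0rd”.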
Next they gather information
They try pet and family names – Hackers often try pet and family names. In your passwords, do not use easily guessable information such as your pet’s, child’s, or spouse’s name. Bing warns that this kind of personal information can often be found on social media or through other means. This makes it easier for someone to guess your password. An attacker who has obtained some of your personal information may also check your family’s accounts to try to access your records.
They use significant dates – Hackers often use significant dates. Just like family names, it’s not good to use significant dates such as a birthday, anniversary, or a loved one’s birthday as passwords. These dates are easy to guess because they are memorable. Hackers can easily guess or discover special dates through social media. Hackers can also figure them out quite easily if they have access to your personal information.
Hackers try to trick you into giving them your passwords
They go phishing – Hackers often go phishing. Phishing is one of the easiest ways for attackers to obtain your credentials. They send out bogus emails disguised as legitimate ones. Malicious actors send phishing emails to trick you into revealing personal information (such as passwords and credit card numbers) through fake emails or websites.
Clicking a link in a phishing email redirects you to a fake website. Once there, the site captures your user ID and password. Therefore, don’t open emails from unknown sources.
Job phishing – Job phishing is a scam that takes advantage of the unemployed or those looking to change jobs. Job scammers may send emails or create fake job listings that require applicants to provide personal information or pay fees upfront. Be wary of job offers that seem too good or ask for sensitive information before an interview.
Hackers often use password reset questions – Have you ever registered your username and password with a company for tech support or some swag? And then later, did you receive an email asking if you requested a password change, even though you didn’t? It was probably a hacker.
Cybercriminals can use your password reset questions to change your password and lock you out of your account. For instance, if you suddenly find yourself unable to access your Facebook account, you may have been hacked.
One way to prevent this is by providing nonsensical answers to security questions. Instead of providing accurate information, provide quirky responses that only you would know. The next time your account asks where you were born, you could say Butterfly.
They create bots – If they have exhausted their other resources, hackers have one final tool to crack your password. They can create a bot. A phishing bot is a program that automatically sends fake emails or messages to trick people into revealing personal information; a password-guessing bot instead tries every possible combination of user ID and password. Modern computers can be very fast at guessing passwords. Here’s a breakdown:
- Faster guesses for simpler passwords: Hackers can very quickly try millions of simple passwords (like “password123”).
- Slower guesses for stronger passwords: More complex passwords with a mix of uppercase and lowercase letters, numbers, and symbols take much longer to crack.
The key is to make it as difficult as possible for hackers by using strong passwords. Even with powerful computers, a strong password can take years to crack.
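To put numbers on “millions of simple passwords” versus “years to crack”, here is an added example (not from the original post) that estimates how long exhausting a password’s full character space would take at an assumed guess rate. The rate of ten billion guesses per second is a constructed figure standing in for a fast offline attack on a weak hash; the estimate is a worst-case upper bound, since anything on a common-password list falls in a handful of guesses regardless of its length.

```python
import string

# Assumed guess rate for illustration only (constructed figure).
GUESSES_PER_SECOND = 10_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def alphabet_size(password):
    """Size of the smallest character set covering every character used.
    Characters outside the four ASCII classes (space, non-ASCII) each add one."""
    size = sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    extras = {c for c in password if not any(c in cls for cls in CHARACTER_CLASSES)}
    return size + len(extras)


def keyspace(password):
    """Number of passwords of the same length over the same character set."""
    return alphabet_size(password) ** len(password)


def seconds_to_crack(password, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every password in the keyspace at `rate`."""
    return keyspace(password) / rate


def years_to_crack(password, rate=GUESSES_PER_SECOND):
    return seconds_to_crack(password, rate) / SECONDS_PER_YEAR


def describe(password, rate=GUESSES_PER_SECOND):
    """Human-readable worst-case estimate, e.g. '21834 seconds' or '1.2e+14 years'."""
    secs = seconds_to_crack(password, rate)
    if secs < 60:
        return f"{secs:.3g} seconds"
    if secs < SECONDS_PER_YEAR:
        return f"{secs / 3600:.3g} hours"
    return f"{secs / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    # Constructed samples: a PIN, a substituted common word, and a long mixed passphrase.
    for sample in ("1234", "Passw0rd", "Tr0ub4dor&3", "9q!Lm#2vXp@7Kd$Z"):
        print(f"{sample!r}: alphabet {alphabet_size(sample)}, "
              f"keyspace {keyspace(sample):.3g}, worst case {describe(sample)}")
```

The output illustrates the post’s two bullet points: a four-digit PIN has a keyspace of ten thousand and is exhausted in a fraction of a second, an eight-character mixed-case word with one digit is exhausted in hours at this rate, and a sixteen-character password drawing on all four classes runs to a number of years far beyond any useful attack window. Note that “Passw0rd” is still a poor choice: the estimate assumes the attacker must enumerate everything, whereas a dictionary attack with substitutions reaches it almost immediately.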
Ralph Bach has been in IT for a while and has blogged from the Bach Seat about IT, careers, and anything else that has caught my attention since 2005. You can follow me on Facebook or Mastodon. Email the Bach Seat here.