Passwords are what separate you from someone else’s private information, their money, their subscriptions, their personal data, their business, and even their livelihood. If you were able to easily crack a password, you’d have access to the wealth and identity of another person. In this blog, we’re going to show you just how to do that.
Need a few extra grand to get yourself through the weekend? How about access to your neighbor’s Netflix account so you don’t have to pay for yours? Maybe you just want to hack into your former employer and cause a little chaos.
It’s incredibly easy to do.
Unfortunately, we’re not going to show you exactly how to do that. That would be, well, immoral.
But we got your attention, so there’s that.
It’s worth understanding just how easy it is for hackers and bad guys to infiltrate your work, your network, your online accounts, and just about everything else you do.
And hey, if you got this far in here because of the title of the blog, we don’t necessarily think you are one of the bad guys. It’s actually really interesting how this stuff works, and understanding it can help you become a whole lot safer online.
We’re going to use Homer J. Simpson as our example. No, not that Homer J. Simpson. As it turns out, the 1940 American census has one single Homer J. Simpson on it, and he was born in 1914. We’re pretty sure there haven’t been a lot of babies born with the name Homer J. Simpson ever since the 90s, so this is a pretty safe bet for our fictional victim. Everything from here on out, we’re just going to make up.
So let’s say we really don’t like Homer, and want to make his life miserable. Actually, scratch that. Let’s say we don’t know a gosh darn thing about him.
You see, Homer had a MyFitnessPal account back in 2018. Homer was using it to track his calorie intake and his daily steps. In February of 2018 (this is true), MyFitnessPal suffered a data breach that exposed 144 million unique accounts, including their emails and passwords. 144 million accounts getting stolen is small potatoes in the world of data breaches, but these types of data breaches happen all the time, and it means that the data you entrust to a business or online service could get you more exposure than you were counting on. Literally thousands of online entities have been breached over the last few years, from Sony to Wendy’s to Yahoo to Facebook to Experian to Doordash, and the list goes on.
Well, Homer’s MyFitnessPal account and his old password are floating around the dark web, and it’s available for me to scoop up. You might ask, how much value could I get from a MyFitnessPal account, especially years later, and long after the service forced Homer to reset his password?
Well, I know Homer’s name, his email, and a password he likes to use.
I can make my way over to Google.com and start looking up Homer on social media. I can find his date of birth, the town he grew up in, and his mother’s maiden name. I can pull up his LinkedIn and find out where he works, who he networks with, and what his job title is.
In 10 or 15 minutes, I can get a pretty decent snapshot of who Homer J. Simpson is, especially if he uses social media. I can learn the name of his kids, his dog, his wife, and the type of car he drives. I can easily find his address.
So how does all of this help me determine his password?
Most people use information about themselves in their passwords. It’s a really dumb idea, but it’s true. So many people put in birthdates, or birth years into their passwords, and then use their pet’s name. It might take you a little time, but if you are clever, you might be able to extrapolate a password based on their personal information. When in doubt, if their dog’s name is Woofy, replace the O’s with zeroes.
Don’t have a lot of time and just want to ruin someone’s day? There is software available on the dark web that makes it easy to crack sophisticated passwords. As long as the user’s password isn’t too complex (if it’s 9 or 10 characters, or a few more but without special characters) most cracking tools can usually get right in within a few minutes to maybe a day or two. Of course, if the user has a longer password that is truly random, and doesn’t contain any obvious terms like their favorite sports teams, their car make and model, or the word “password,” then it might start to take longer.
Complex passwords are harder for the software to crack, but fortunately, most of these tools will try the most common permutations first, so if your victim is lazy about their password generation, you should be able to get in.
This is probably the step you should have started with because it’s the most effective way to steal a password. In fact, this is the number one way cybercriminals get access to things they shouldn’t.
It’s true. Around 95% of modern cyber breaches these days start with a phishing attack. It has such a high success rate that it’s a no-brainer to use if you want to get into someone’s account.
Here’s how it works.
You send them an email saying you are, let’s say, their bank.
You tell them that something is wrong with their account. If you are pretending to be a bank, you have lots of options, because people get a strong emotional reaction when something happens to their money. Tell them that a payment has been authorized for $2500 for something. Be specific, be creative! The goal is to throw them off guard!
Now here’s the trick… Instead of sending them to their actual bank, send them to a webpage that you built, that looks an awful lot like their bank. The catch is when they try to log in, they give you their username and password.
It’s that easy!
This happens all the time. It’s very illegal, and you shouldn’t do it, but it’s also very difficult to catch cybercriminals who are doing this sort of thing.
It’s more important than ever to keep yourself and your business secure. Always use strong, complex passwords, and never use the same password twice. Set up Multi-factor authentication (MFA) everywhere you can, and be extremely skeptical of random unsolicited emails. If something doesn’t seem right, scrutinize it!
We can help your business become more secure. To get started today, give us a call at 855-GET-FUSE (438-3873).
Comments