How to Steal a Password in Three Easy Steps

For most people, the only thing protecting all of their personal data, their email, access to all of their online accounts, their bank, and more, is just a handful of characters. It’s estimated that there is about a 20% chance that any given account doesn’t have any sort of multi-factor security, so if you can figure out a person’s password, you might be able to gain access to whatever you want.

How to Hack Your Way Into Almost Any Account

Whether you are looking to steal a few grand from someone’s bank account, order yourself some furniture through someone else’s Amazon account, or just cause some trouble for a former employer, it’s probably easier than you think.

In fact, with a little bit of effort, you can likely accomplish it even if you aren’t very tech-savvy.

Let’s be serious; we’re not going to show you how to do it. Theft is immoral, unethical, and well, it’s also a crime.

But since we have your attention, it’s a good idea to understand just how easy it is for hackers and cybercriminals to break into your accounts, infiltrate your business network, and have their way with things. It’s all about finding the smallest little crack in your armor, and understanding a thing or two about human nature.

First, Try the Obvious Stuff

Most human beings are really bad at being random, and struggle to memorize complex strings of random characters. Most people also incorrectly assume that they aren’t worth targeting, so they think they can get a free pass from the password rules that everyone always preaches.

You can use this to your advantage. 

After analyzing over 18 million passwords, cybersecurity experts came up with a list of the most common passwords in the world. Here are the top 30:

If you are using a password like this, you should update all of your passwords immediately. Most cybercriminals have easy access to tools that are designed to brute force their way through logins. These tools work like this; they just start guessing your password. 

They make dozens or hundreds of attempts every minute, and they start with the obvious stuff first. If you have a longer, more complicated password that is using capital and lowercase letters, numbers, and symbols, then it would take the best of these tools weeks, months, or maybe even years to break into an account.

If those passwords don’t work, you can always just move on to the next step:

Second, Get to Know Your Victim

Some people wear their passions on their sleeves, or in some cases, on their social media. If you know a little about the person you are targeting, it’s easier to guess a password they might use. 

More than a third of American pet owners have used their pet’s name as part of a password. A whopping 59 percent of US adults use either their birthday or name in their password. Does your target have a vested interest in a particular sports team? What about a hobby? Look them up on social media and find out what their maiden name is, or the name of their kids—there’s a decent chance they use that information in their password.

When in doubt, if their dog’s name is Pooch, replace the O’s with zeroes and give it a try in a few permutations, or stick an exclamation point at the end of a password knowing your victim needed to meet the requirement to use a special character.

Does any of this feel a little too close to home for you? If we just started to debunk your password generation abilities, it’s definitely a good time to update to stronger passwords. All passwords should be at least 16 characters, and have a random mix of uppercase letters, lowercase letters, numbers, and special characters. 

Your special character usage shouldn’t just be an exclamation point at the end of the password too, that’s being lazy and one of the first things password-guessing software is going to try.

Third, Spend a Few Dollars on the Dark Web

The Dark Web is essentially the black market of the Internet. It can’t be reached by regular web browsers like Google Chrome, Microsoft Edge, and Firefox. Instead, you need to install specific software to get there. In some ways, the Dark Web is more secure than the regular Internet, because your access and usage is, more or less, anonymous. You aren’t jumping around public-facing servers, but instead connecting directly to a singular “Tor” network (which stands for The Onion Router, in case you were curious). That being said, the Dark Web is filled with both harmless content and dangerous illegal content. 

The Dark Web is used to peddle illicit goods, ranging from drugs to dangerous chemicals to illicit weapons to grotesque content. It’s also a marketplace of stolen information.

Whenever a big website or company suffers from a data breach, there’s a chance that the stolen information will be put up for sale on the Dark Web. That includes credit cards, Social Security numbers, bank accounts, username and passwords, medical information, and so much more.

The vast majority of American adults have stolen information on the Dark Web. In fact, it’s estimated that 9 out of 10 people have some form of information available for sale or download from the Dark Web. The Dark Web isn’t some fringe bar on the outskirts of town either; there are more than 8 million users registered on the top 10 most active forums on the Dark Web. It’s an active place.

When a major business gets breached, it can lead to millions of stolen records made available to purchase. Often, a “record” can include a person’s name, address, and other personal information. More expensive ones include financial information, and the most expensive ones typically contain healthcare information.

If you spend a little time looking, you can usually find a record of a person that includes a stolen password, like a Netflix or Facebook account that was hacked. These records can go for as little as a dollar or two. 

If you purchase a few records of a person with passwords, you might find one of two things:

1. They use the same password across multiple accounts.
2. They have a cute little pattern and use similar passwords across multiple accounts.

This is a common shortcut that most people make if they actually use a complex, secure password. Since it’s so hard to memorize a single password, they only make a few, or they make a little system around a complex password to help memorize them. For example, maybe the entire password is the same between multiple accounts, but the first letter is a capital that represents the site or service they are logging into (N for Netflix, G for Gmail, etc.).

Again, this is why you should always use complex passwords that are completely unique. Don’t ever use the same password on two different accounts, because if one of those accounts gets compromised, the other can too.

Take Your Passwords Seriously

It’s easy to fall victim to a data breach, because cybercriminals are getting more and more clever, and they have a wealth of tools at their disposal. We didn’t even get into how easy it is to simply ask a person for their credentials and get them that way.

We’ll cover this more in a future blog post, but it only takes a little effort and a few dollars to buy a domain name that’s similar to, say, a local bank, and send emails from that domain that look like legit emails from the bank. People tend to trust their bank, so they won’t think twice if their bank asks them to log into their account and check a problem. This doesn’t require any “hacking,” just a little time and effort.

That’s why we help businesses gain control over their sensitive data with strong cybersecurity best practices and staff training. Your staff are going to be the weakest part of your defense against cybercriminals, and the bad guys know it. Arming them with knowledge could help prevent future issues.

To get started and talk to one of our professional IT security experts, give us a call at (512) 343-8891 today.