Many people underestimate the security value of passwords, seeing them only as a means of authenticating to various online services.
For cybercriminals, however, passwords are worth far more. With a stolen password, a cybercriminal can obtain not only accounts, data, money and even personal identities, but can also use it to attack the victim's online friends, relatives or even employers.
Various sources of password leaks
Phishing
This is one credential-harvesting method that relies mostly on human error. Hundreds of phishing sites, backed by thousands of emails leading to them, appear every day.
The method is almost as old as the internet we use today, so cybercriminals have had plenty of time to develop various social engineering tricks and camouflage tactics. Even professionals sometimes can't tell a phishing email from a genuine one at a glance.
Malware
Another common way to steal your credentials is with malware. According to Kaspersky statistics, most active malware consists of Trojan stealers, whose main job is to wait for the user to log in to a site or service, copy the password and send it back to the malware's creator.
Trojan stealers aren't the only password-hunting malware. Sometimes cybercriminals inject web skimmers into websites and steal anything users enter, including credentials, names, payment card details and so on.
Third party leaks
Simply being a user of an insecure internet service, or a customer of a company that leaks its customer database, is enough to put you at risk. Companies that take cybersecurity seriously don't store user passwords at all, or at least store them only in encrypted form.
Early access brokers
Modern cybercriminals prefer to specialize in a particular area. They may steal user passwords but not necessarily use them: it is more profitable to sell them wholesale.
Buying such password databases is highly attractive to cybercriminals because it gives them everything at once: users tend to reuse the same password across a number of platforms and accounts, often tied to the same email address.
Brute force attack
In some cases, cybercriminals don't even need a stolen database to figure out your password and break into your account. They can use brute-force attacks, in other words, trying thousands of common password variants until one of them works.
This may sound hopeless, but they don't need to go through every possible combination: special tools called wordlist generators produce lists of likely passwords (so-called brute-force dictionaries) ranked by probability, based on the victim's personal information.
Such a program looks like a mini-questionnaire about the targeted user. It asks for first names, last names, dates of birth, details about spouses, children and even pets. Attackers can also add any additional keywords they know about the target to the mix. From this combination of words, names, dates and other data, the wordlist generator produces thousands of password variants, which attackers then try at login.
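As an added example (not from Kaspersky or the original article), here is the defender's counterpart to such a questionnaire: a Python check that takes the same kind of profile data a wordlist generator would be fed and reports which personal tokens a candidate password contains, so a sign-up form can reject passwords built from them. The profile fields, the leet-speak table and the sample person are assumptions constructed for this demonstration.

```python
import re
from datetime import date

# Common leet-speak substitutions, so "p@55w0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(text: str, decode_leet: bool = False) -> str:
    """Lowercase, optionally undo leet substitutions, keep only [a-z0-9]."""
    text = text.lower()
    if decode_leet:
        text = text.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", text)


def personal_tokens(profile: dict) -> set:
    """Strings a wordlist generator would seed from this (assumed) profile."""
    tokens = set()
    for key in ("first_name", "last_name", "spouse", "child", "pet"):
        if profile.get(key):
            name = normalize(profile[key])
            tokens.update({name, name[::-1]})          # plain and reversed
    dob = profile.get("birthdate")
    if dob:
        tokens.update({str(dob.year),
                       f"{dob.day:02d}{dob.month:02d}",  # ddmm
                       f"{dob.month:02d}{dob.day:02d}",  # mmdd
                       f"{dob.day:02d}{dob.month:02d}{dob.year}"})
    tokens.update(normalize(k) for k in profile.get("keywords", []))
    # Tokens shorter than 3 characters would match almost any password.
    return {t for t in tokens if len(t) >= 3}


def personal_info_in_password(password: str, profile: dict) -> list:
    """Return the profile-derived tokens that appear in the password."""
    # Digits are checked as typed; names are also checked after leet decoding.
    views = (normalize(password), normalize(password, decode_leet=True))
    return sorted(t for t in personal_tokens(profile)
                  if any(t in v for v in views))


# Constructed sample profile (not a real person) for a local demonstration.
SAMPLE_PROFILE = {"first_name": "Anna", "last_name": "Kowalski", "pet": "Rex",
                  "birthdate": date(1987, 3, 14), "keywords": ["Arsenal"]}

if __name__ == "__main__":
    for pw in ("Ann@K0w4lski87!", "Rex14031987", "4rsen4l!", "correct horse battery staple"):
        hits = personal_info_in_password(pw, SAMPLE_PROFILE)
        print(f"{pw!r}: {'reject ' + str(hits) if hits else 'ok'}")
```

A non-empty result means the password could be produced by a generator fed this profile and should be rejected; the check is a complement to, not a substitute for, length and reuse rules.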
So how do you protect your passwords from being leaked? Here are some tips from Kaspersky:
Don't reuse the same password for multiple accounts.
Make your passwords long and strong, and store them securely.
Change your password as soon as you hear the first news of a data breach at a service or website you use.
Password management software can help you store all the different (or the same) passwords for the various services you use.
The Kaspersky application also includes a feature that monitors the security of all stored passwords in real time, including checking whether a leak has actually occurred.