How are passwords commonly compromised?
Social Engineering
Social Engineering is a tactic frequently used to exploit human vulnerabilities. It typically involves impersonating a user to a company in order to have that user's password reset, as seen in this example case. Phishing and spear-phishing are common examples of social engineering.
Resetting a password by correctly answering the “privacy questions” for an account, using personal information available online, is another example. This is how a number of celebrities and other high-profile accounts have been “hacked” in recent years, but celebrities are not the only people whose personal “answers” can be found online.
False Account Alerts
Sometimes users receive notifications, from social media sites or other online services, alerting them that “You’ve had your account hacked” or “Someone may be attempting to access your account”. These can mean a number of things:
- Sometimes it’s completely out of the user’s control: a service or company has been compromised, and your username, password, and (sometimes) other information has fallen into the wrong hands (this has happened with LinkedIn and Twitter, most notably).
- Another possibility is that the email is not actually from the site or service it claims to be, but rather is a phishing or spear-phishing attempt, where a third party creates an email that looks exactly like one the website might send, asking users to “reset” their passwords. In reality, the current password entered will be captured and then used to access your accounts.
- It can also mean that you’ve been specifically targeted, and someone with enough incentive and resources wants access to your account enough to try to break into it, or to hire someone to do so.
Since the activity includes several discussions, the trainer finally concludes the activity with a discussion on:
- How would it feel to lose all this information?
- Has anything similar happened before? Are there any personal examples we can learn from?
- If we were doing the exercise again, what would they do differently? What would they back up?