Understanding Data Breaches
One of the top responses I get whenever I talk about cyber security with somebody is something along the lines of "eh, I don't think anybody has any reason to hack me." And let's be honest: 99% of the time, this is true. Rarely is a hacker going to sit down and go "let me use my skills that I spent years mastering and perfecting just to mess with John Doe that I've never met who might not even have anything worthwhile." But this train of though betrays a fundamental misunderstanding of how today's digital hacking landscape works. Here's how data breaches and modern hacking really work most of the time:
If you're reading this, I'm willing to bet that you have a Gmail account, or an Amazon account, or an eBay account, or a Facebook account, or some sort of account on a website with hundreds of thousands, if not millions, of users. Smart hackers - and skilled ones - target these major companies. These companies endure anywhere from thousands to millions of attacks every day. The defender needs to get it right every single time, the attacker only needs to be successful once. Once the attacker is successful, they steal everything they can: usernames, passwords, card numbers, IP addresses, etc. Anything the service logs, they take.
It's important to note that usually (but not always) the most sensitive information like passwords and card numbers is encrypted while things like username and IP address (which betrays your exact location) are not. This matters because step two is to decrypt whatever information the hacker has stolen. So if they stole usernames and passwords, they now need to decrypt the passwords only. Various programs exist - totally legal and for free - to help hackers crack your password.
Password cracking deserves its own explanation. There's two main methods of guessing a password. The first is called a "dictionary attack." The way these work is that the hacker loads a dictionary into the software and it checks your password against the dictionary, including common variations. For example, "P4ssw0rd" is a common variation of "password," so the program will check for that. Various dictionaries are available for free, including song lyrics, famous names, quotes, and more. A hacker can even make their own dictionary tailored to you with information like names of family members, important dates, pets, sports teams, and more. It's as easy as making a text file.
The second method is called a "brute force attack." This is where the hacker specifies a length, parameters (such as "upper and lower case letters") and the software guesses every possibility. For example, it may guess "aaaaaa" and if that doesn't work, it tries "aaaaab" and if that doesn't work, it tries "aaaaac" and so on. Passwords less than six characters, regardless of complexity, can be guessed in less than a second.