Despite their limitations, passwords are still the most prevalent form of protection applied to secure data among enterprises across the globe.
It’s understood that if a malicious actor acquires a private password used by a business, the results can be disastrous. Data breaches are exceptionally expensive incidents, and when threat operators gain access to information vaults and email accounts, they can quickly delete, alter or steal company content and use any personally identifiable information (PII) contained within to harm data subjects.
While such issues are now common knowledge, many people are completely unaware of how passwords are obtained by cybercriminals. Read on to find out how these key credentials are being collected for insidious activities today.
Social engineering trickery
Among the most common ploys used to obtain passwords are social engineering tactics. Phishing emails manipulate recipients into acting in ways that disclose passwords. This may involve a spoof email pretending to be a trusted contact, or an urgent message that appears to be from a bank or established organisation containing a malicious link. If clicked on, the user will be taken to a fake log-in page that harvests their password once it is entered.
Using available information
Hackers also pick up passwords from leaked files following a data breach. If a user employs the same password for multiple accounts and it is compromised in a breach, threat actors in possession of a leaked password will try to use it on other protected areas.
Internal threats can also lead to cybercriminals obtaining passwords that are left unprotected. Users often retain passwords in log-in fields to speed up sign-in processes, and even leave sticky notes on their machines detailing credentials for ease of access.
Shoulder-surfing is another risk, both from internal cybercrime and when passwords are entered in public places. A threat operator walking by can take advantage of the situation to steal credentials.
Cybercriminals will also scour social media platforms and online profiles for information that helps them manually guess a password, seeking out pet names, football clubs and birthdays that may have been used for inspiration.
Cracking the code
If weak passwords are deployed, threat actors can often crack them with ease. Password spraying involves criminals trying several commonly adopted passwords against many different accounts, while theft of a password hash file enables them to break the hashes and recover the original passwords.
Brute-force attacks employ automated guessing of passwords, number crunching until the right password is found. Another known tactic is to maliciously install spyware or a dedicated keylogger on a user’s device. This malware records keystrokes and reports passwords back to the malicious operator behind the attack.
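Password spraying and brute-force guessing, as described above, leave different patterns in failed log-in records: one source failing against many accounts versus one source failing repeatedly against a single account. The following is an added example, not part of the original article, showing one way a defender could flag both; the log format, thresholds and window are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): timestamp source_ip username result
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:03 203.0.113.7 bob FAIL
2024-05-01T09:00:05 203.0.113.7 carol FAIL
2024-05-01T09:00:07 203.0.113.7 dave FAIL
2024-05-01T09:01:00 198.51.100.9 alice FAIL
2024-05-01T09:01:01 198.51.100.9 alice FAIL
2024-05-01T09:01:02 198.51.100.9 alice FAIL
2024-05-01T09:01:03 198.51.100.9 alice FAIL
2024-05-01T09:01:04 198.51.100.9 alice FAIL
2024-05-01T09:02:00 192.0.2.20 frank FAIL
2024-05-01T09:02:10 192.0.2.20 frank OK
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
SPRAY_ACCOUNTS = 4              # assumed: distinct accounts failed from one source
BRUTE_FAILURES = 5              # assumed: failures on one account from one source

def detect(log):
    """Return sorted (kind, source_ip, account) alerts from failed log-ins."""
    by_source = defaultdict(list)
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        if result == "FAIL":
            by_source[ip].append((datetime.fromisoformat(ts), user))
    alerts = set()
    for ip, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Shrink the window until it spans no more than WINDOW
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            if len(per_user) >= SPRAY_ACCOUNTS:
                alerts.add(("spray", ip, "*"))  # many accounts, few tries each
            for user, count in per_user.items():
                if count >= BRUTE_FAILURES:
                    alerts.add(("brute_force", ip, user))  # one account hammered
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds and window are assumed values to tune against an organisation's normal rate of failed log-ins.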
A secure workspace for your staff
At Galaxkey, we have created a secure system where enterprise employees can perform their duties in a safer environment. Equipped with innovative options like end-to-end encryption and electronic signatures, our user-friendly features make it easier than ever to operate safely. Additionally, our secure workspace has zero backdoors that hackers can exploit, and no user passwords are ever stored where they can be stolen.
For optimum security, book a free two-week trial of our secure solution for your staff today.