If you've seen this when you log in, chances are your account has been compromised.
So how did your account password get stolen? Where did these leaked passwords go?
The era of big data is an era without privacy. It is said that in just a few minutes, you can buy hundreds of bank card information online, including bank card number, card owner's name, ID card number, reserved mobile phone number, and bank password. The scary thing is that 100 card numbers are randomly selected for information verification, and 91 bank card passwords are correct!
In the era of big data, who hasn't had a number stolen?
Many people have the experience of having their numbers stolen, and even some people have property losses because of stolen numbers. Some of these people don't even know how their account numbers and passwords were stolen!
One: exhaustive law
The easiest way to know your password is to "try". The simplest and most brutal "try" method is the exhaustive method, that is, arrange and combine numbers and letters, and then try them one by one.
The easiest and crudest way to crack a password
The disadvantage of the exhaustive method is that the efficiency is relatively low, in order to improve the success rate, hackers will also use "dictionary cracking", because many people will use English words, initials, birthdays, mobile phone numbers, etc. as their own passwords, so if you build a "password dictionary" containing a large number of English words, phrases and number combinations in advance, the chance of brute force cracking using this password dictionary will be greatly improved.
Exhaustive method uses password dictionaries, dictionary cracking
Simple passwords are useless in front of exhaustive methods and password dictionaries, and may be cracked in seconds.
Simple password cracking time
So don't bother when setting a password, try to set a medium to high difficulty password.
It takes about 1 hour to crack a 7-digit password
It takes about 1 hour to crack an irregular seven-digit password
Passwords should be as complex as possible, numbers, letters, and case combinations
If it is a combination of numbers, uppercase and lowercase letters, and special symbols, it will take more than a month.
A password that is complex enough can be a recipe for cracking software, which is why so many websites require passwords to contain multiple characters. Moreover, the website can also limit the number of times you can enter an incorrect password, and immediately freeze the account after that, and directly abolish the exhaustive method.
Passwords that are complex enough are not enough to be exhaustive
Two: the monitoring law
The so-called monitoring is to monitor your computer or mobile phone. This is not actually to implant a Trojan horse in your computer to achieve monitoring, in fact, just monitor your keyboard input!
The hacker backstage receives the keylogger's password
Some software appears to be harmless to humans and animals, and is not harmful to the operating system. But it doesn't appear to attack the operating system, but to secretly remember your account and password without you knowing! It is then sent to hackers in the background.
In the era of Internet cafes, Internet café administrators and even bosses would install such tools in their computers, steal your account password, loot your game equipment, or use your account to chat passionately with strangers.
Intrusion into microsite servers
Three: SQL injection for website database cracking
If the first two cases, the user still has the initiative, the third situation is completely passive, you give the account password to the website, if the website is not properly kept, it will be hacked, and your password will be leaked. The industry often refers to the theft of a website's password database as "dragging".
The two methods mentioned earlier are that stealing only one password at a time is still too inefficient. Therefore, technically skilled hackers often choose to "drag the library", that is, directly hack into the website server, steal the database that stores user data, and steal the information of millions or even tens of millions of people at a time.
SQL injection is generally used for web website intrusion
Once the password database is compromised, if the password database of the website is not encrypted, then your password is equivalent to being exposed in front of hackers, and the "CSDN password leakage door" that was previously exposed is the password stored in plaintext, even if the website is encrypted, there is also a risk of being cracked.
What's more, "dragging" can also affect your other accounts on the Internet. After passing the "dragging library", hackers will first "wash the warehouse", that is, monetize valuable personal information through the black industry chain, such as stealing online game equipment, Q coins, or selling personal information such as your ID number and mobile phone number to spam advertising companies.
Being washed is a serious matter
After several rounds of "washing", the value of your account itself has been squeezed clean.
So hackers will continue to "stuff the dock", that is, take your account password and try to log in to other websites or platforms to obtain more personal information. If you are used to using the same combination of account passwords, the loss will be immeasurable.
Credential Stuff logs in to other platforms with a known account password
Finally, the information that has been dragged into the library will also be packaged and made into a "social worker library", which will be sold on the black industry chain to squeeze the last wave of value.
Dragging, washing, stuffing, social work storage
The "house opening record inquiry", which once caused an uproar, is a typical case of social work pool.
A typical social worker bank case
In order to prevent being "dragged into the database", most websites will encrypt and save user information on the server through hashing algorithms or "salting".
The hashing algorithm encrypts user information to prevent dragging the library
In this way, even if the library is dragged, hackers need to spend a lot of time decrypting, giving websites and users more time to react, change passwords in time, and minimize losses.
Digital signatures, security tools
As individuals, what we can do is to use security tools such as secret cards, dynamic tokens, or mobile phone verification codes to provide a second layer of protection for our accounts, so that hackers cannot log in to your account even if they are dragged.
Dynamic token, U shield, secret card, verification code
Four: Social Engineering
The definition of "social engineering" is: social engineering refers to the way of manipulating others by taking advantage of human weaknesses, making them psychologically affected, making certain actions or revealing some confidential information through legitimate communication with others. This is generally considered an act of deceiving others to gather information, commit fraud, and hack into computer systems.
Social Engineering
In fact, in the current field of information security, the weakest link is not the technology, but the people behind it. If you are really targeted, hackers will often "trick" the password directly.
SMS scams, phone scams, phishing
Ordinary people may encounter similar methods. For example, you may have received a strange security reminder email asking you to click on the URL and change your password.
Strange secure messages
This is actually someone taking advantage of fear to trick you into voluntarily handing over your account password through phishing emails and phishing websites.
Security of citizens' personal information
And hackers steal passwords in a variety of ways, so friends, to prevent password theft, we need to keep our eyes open, carefully screen, and always be vigilant! Develop the following good habits!
First, try to set up complex passwords containing numbers, letters and symbols, do not try to save trouble and create opportunities for hackers;
Second, use mobile phone verification when logging in to QQ on the PC side, and try not to log in to QQ in Internet cafes;
Third, different websites should set different login passwords, and modify them regularly, a 10,000-year-old login password will open the door to hackers to stuff the garage;
4. When downloading software, try to download it on the official website or regular website, and regularly disinfect mobile phones and computers to prevent the invasion of Trojan viruses;
5. Do not open files, links or mini programs of unknown origin, these are likely to be phishing traps set by hackers, do not pay attention to notices such as password changes received through unofficial channels, and be cautious about entering your own password Assess the possible risk of number theft.
By doing the above points, we can effectively protect our information security and prevent hackers from taking advantage of it