
Archive for the ‘Technology’ Category

Understanding the threats and popular password cracking methods

Sunday, January 4th, 2009

You don’t need someone’s password to access their personal information, steal their identity or just ruin their day. Attacking someone’s password, however, is very common and it may be the first step that an unethical person takes to mess with your life. I would just like to discuss some of the ways that a criminal might try to access your documents or online accounts.

Through Trickery (Phishing)

With the ‘anonymity’ of the internet, everyone can pretend to be anybody. Anyone can easily contact you with some type of story designed to trick you into sharing your personal information. These communications will usually come in the form of emails, instant messages, links on social networks, and maybe even some phone calls. Regular people are able to send you an email that looks just like the emails that you have been receiving from your bank, eBay, PayPal, and so on. Probably the most popular storyline in any of these communications is that there is some type of fraudulent activity or other problem with your online account. An official-looking email is usually sent out in a spam-like fashion, and its purpose is to ‘alert’ you to this (fake) problem with your account. Now that you’re worried about the account that’s in (fake) jeopardy, you will be encouraged to click on a link so that you can be taken to the website where you can resolve this issue. This is what’s known as phishing (and with good reason) – basically the criminal is casting a line and waiting for a sucker to take the bait.

When you click on the link that’s supplied in the email (or other communication) – you are usually taken to a counterfeit website that looks exactly like your online bank, stock broker, email provider, or whatever company the crooks are pretending to be. This website is fake and has only one purpose: to capture your login or other sensitive information. Everything relies on you being flustered by the original alert in the first communication. The criminals want you to concentrate on trying to fix this ‘problem’ or ‘fraud’ that is associated with your account, so that you aren’t paying attention to anything else. Once you’re good and frantic, the link directs you to the website that looks exactly like what you’re used to and you just start entering whatever information it prompts you for. This information goes directly to the hooligans behind these fake emails and websites. They use your information to log in to the real website and access your identity and/or financial data.

Read my other article to learn how to protect your information.

Venturing a guess

The closer you are to a person, the easier it is to guess their password. I know that you think you’re pretty smart and you have an original password, but as Tyler Durden would tell you – you are not a beautiful and unique snowflake. Most people use the same crap when it comes to creating passwords.

When guessing a password, you might as well start with names. People like to use the name of their pets, lovers, children, friends, relatives, and so on. Names would also include your favorite celebrity, sporting team, athletes, school, city, etc. Once you’ve failed with the name game, numbers are your next best bet. People might use important dates, digits of their social security number, license plates, or even the ridiculously stupid ‘123’ and such. When you come up short with numbers alone, you should try a combination of important names and numbers. After that, you can try passwords made up of one word or something short and very simple like qwerty, password, passcode, admin, love, letmein, money, secret, or even a swear word. If your password isn’t one of the guesses mentioned above, I applaud you.

Like I said, the more you know about a person – the easier it is to guess their password. Criminals don’t necessarily need to know you on a personal basis in order to obtain this type of information though. A lot of background information can be found on the web for free, and almost anything else that can’t be found is available for under $50. To a criminal, it might be worth the $50, depending on what they can get after they have your online accounts.

Keep in mind that most websites require the use of at least one number in your password. This means that most people will simply add a 0 or 1 to the beginning or end of their password. Obviously, any guesses would need to conform to your account’s specific password requirements. What I mean is that if the website requires that your password be at least 6 characters long and include at least 1 number – all of the guesses would be adjusted to meet those criteria.

Read my tips for choosing better passwords.

Brute Force Attacks


Imagine that your password consisted of only 1 lower-case letter in the English alphabet. A piece of brute force software would systematically attempt all of the 26 possibilities until it found your password. For the sake of argument, we’ll say that this program can attempt 1 password a second. This means that in a maximum of 26 seconds, your password would be cracked. It might take only 1 second if your password were the letter ‘a’ – assuming that the brute force started guessing from A and finished with Z.

When calculating how long it might take a brute force program to solve your password, the important things to consider are:
(a) The range of characters available for use in your password (such as lower-case characters, upper-case characters, numbers, symbols, punctuation, etc.)
(b) How many characters in length your password is
(c) How many passwords the brute force software can attempt in a second, and
(d) How many computers are carrying out the brute force attack on your password

Now, let’s pretend that you upgraded your password of 1 lower-case letter to a 10 character password consisting of upper and lower-case letters. There are 26 lower-case letters and 26 upper-case letters, so each of the 10 characters in your password would contain 1 of these 52 available characters with the possibility of having duplicate characters. To see how long this would take to crack we’ll start with what we know so far. (a) = 52 and (b) = 10. We’ll say that this evil person is able to attempt 1,000,000 passwords per second, which isn’t uncommon (against a password hash) – and he’s working with only one computer. These assumptions give us (c) = 1,000,000 and (d) = 1. Now that we have everything we need, let’s figure out the maximum amount of time that it will take for our criminal friend to crack our 10 letter password with the brute force method. The formula goes like this, (a) to the power of (b) divided by (c) which is divided again by (d).

For our specific example we end up with this formula: (52^10) / 1,000,000 / 1.

Our calculation shows that the brute-force attack could take a maximum of 144,555,105,949 seconds. This is the equivalent of 2,409,251,766 minutes, 40,154,196 hours, 1,673,092 days or 4,584 years. For comparison, a password containing 6 lower-case letters would only take 5 minutes to brute force with the same attempts per second. Keep in mind that your password is likely to be solved before the very last attempt, and the bad guy could always use multiple computers to cut down on the time that it would take to run the brute force.
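To make the formula concrete, here is an added worked example (not code from the original post) that evaluates (a)^(b) / (c) / (d) for the two cases above and also shows what adding digits to the character set or adding machines does, which the post mentions but does not calculate. The 32-symbol count and the 365-day year are assumptions.

```python
"""Brute-force time estimate using the post's formula (a)^(b) / (c) / (d).

Added worked example, not code from the original post. It also shows the
effect of widening the character set and of adding machines (d), which the
post mentions but does not calculate.
"""

# Seconds in each unit the post reports; 365-day years reproduce its 4,584.
SECONDS_PER = {"minutes": 60, "hours": 3600, "days": 86_400, "years": 365 * 86_400}


def charset_size(lower=True, upper=False, digits=False, symbols=False) -> int:
    """(a): how many different characters the password could contain.
    32 symbols is the count of printable ASCII punctuation (an assumption)."""
    return 26 * lower + 26 * upper + 10 * digits + 32 * symbols


def keyspace(size: int, length: int) -> int:
    """(a) ** (b): every distinct password of exactly this length."""
    return size ** length


def max_seconds(size: int, length: int, rate: int, machines: int = 1) -> int:
    """Worst case in whole seconds: the correct password is the last guess.
    rate = guesses per second per machine (c); machines = (d)."""
    return keyspace(size, length) // (rate * machines)


def expected_seconds(size: int, length: int, rate: int, machines: int = 1) -> int:
    """Average case: the password turns up about half-way through, as the post notes."""
    return max_seconds(size, length, rate, machines) // 2


def humanize(seconds: int) -> dict:
    """Express a duration in each unit the post uses, rounded the same way."""
    return {unit: round(seconds / n) for unit, n in SECONDS_PER.items()}


def report(label: str, size: int, length: int, rate: int, machines: int = 1) -> None:
    worst = max_seconds(size, length, rate, machines)
    h = humanize(worst)
    print(f"{label}: keyspace {keyspace(size, length):,}")
    print(f"  worst case {worst:,} s = {h['minutes']:,} min = {h['hours']:,} h "
          f"= {h['days']:,} d = {h['years']:,} y; average about half of that")


if __name__ == "__main__":
    RATE = 1_000_000  # guesses per second per machine, as in the post
    report("10 mixed-case letters, 1 machine", charset_size(upper=True), 10, RATE)
    report("6 lower-case letters, 1 machine", charset_size(), 6, RATE)
    report("10 mixed-case letters, 1,000 machines", charset_size(upper=True), 10, RATE, 1000)
    report("10 letters + digits, 1 machine", charset_size(upper=True, digits=True), 10, RATE)
```

Running it reproduces the post's 144,555,105,949 seconds and 4,584 years for the first case and the roughly 5 minutes for the second.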

Read my other article to learn how to create stronger passwords.

Dictionary Attacks

Somewhat similar to brute force attacks, dictionary attacks will attempt to guess your password by submitting word after word from a huge list. Dictionary attacks will usually finish faster than the brute force method because they only guess passwords that are more likely to exist rather than every single possible combination of letters, numbers and symbols. Since most people choose simple passwords that are fewer than 8 characters – these passwords are usually very easy to predict. All a crook needs to do is create and maintain a custom list of common passwords (with a few variations of each) and then unleash it on some unsuspecting target.

Don’t let the word ‘Dictionary’ fool you – it’s more of a custom list that is downloaded off of the internet or created by the criminal performing the attack. The password ‘iloveben’ wouldn’t be found in your common dictionary, but it might be included on a list used for dictionary attacks. The beauty of a dictionary attack is that the criminals can tailor their list to a particular person or website that they want to attack. If the bad guy is trying to gain access to an administrator account on some website about butterflies, the bad guy can simply import butterfly-related words and phrases to the password list being used for the attack.
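The guessing patterns from the Venturing a guess section (names, common words, a 0 or 1 tacked on) and the tailored word lists described here call for the same defensive check: a password-setting routine that rejects anything those lists would cover. The following is an added example, not code from the post; the word lists are constructed, and it goes slightly beyond the text by stripping any run of leading or trailing digits rather than only a 0 or 1.

```python
"""Defender-side check for the guessable passwords the post describes.

Added example, not code from the original post. The word lists are
constructed; a real deployment would load far larger ones. It also goes
slightly beyond the post by stripping any run of leading or trailing
digits, not only the 0 or 1 most people add.
"""
import re

# Short, simple passwords the post lists (constructed set).
COMMON_PASSWORDS = {"qwerty", "password", "passcode", "admin", "love",
                    "letmein", "money", "secret", "123", "123456"}
# Words an attacker could tailor to one person or one site (constructed).
PERSONAL_WORDS = {"ben", "fluffy", "yankees"}
SITE_WORDS = {"butterfly", "monarch", "swallowtail"}

_PADDED = re.compile(r"^\d*(.*?)\d*$")


def strip_digit_padding(password: str) -> str:
    """'0password', 'password1' and 'Ben1984' all reduce to their core word."""
    return _PADDED.match(password).group(1)


def guessability(password: str, personal_words=PERSONAL_WORDS,
                 site_words=SITE_WORDS) -> list:
    """Return the reasons one of the post's guessing strategies would find
    this password; an empty list means none of them applies."""
    reasons = []
    if len(password) < 8:
        reasons.append("fewer than 8 characters")
    core = strip_digit_padding(password).lower()
    if core == "":
        reasons.append("digits only")
        return reasons
    if core in COMMON_PASSWORDS:
        reasons.append(f"common password: {core}")
    # Names are usually embedded ('iloveben'), so look for them inside the core.
    for word in sorted(personal_words):
        if word in core:
            reasons.append(f"contains personal word: {word}")
    for word in sorted(site_words):
        if word in core:
            reasons.append(f"contains site-related word: {word}")
    return reasons


if __name__ == "__main__":
    for candidate in ["password1", "123", "iloveben", "Butterfly2008", "xK9#tq2!Lw"]:
        verdict = guessability(candidate) or ["no match against these lists"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```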

Read my other article to learn how to create stronger passwords.

Password Reset

It appears that this method may be the easiest one that someone can use to gain access to your online accounts. We have all used the “Forgot your password?” option at one point or another. This is where the website that you’re trying to access will ‘do you a solid’ and email your old password to you or hook you up with a new password after you answer some security questions. The trouble with this reset function is that the security questions are usually pretty dumb. Anyone would be able to reset your password if he/she can find out the name of your dog, where you attended school, where you were born, what streets you’ve lived on in the past or some other trivial crap.

This is where your extravagant blog posts or information on myspace, Facebook or Twitter come into play. You have probably already posted something about every answer to each of your security questions without even thinking twice about it. People have even started stockpiling this information by sifting through webpages and social networks to build databases of common pet names and related content that they can then sell to information-hungry criminals.

Read my other article to learn how to be safer online.

Recording your keystrokes

As the name suggests, a ‘keylogger’ will maintain a log of the keystrokes made on a given computer. This means that whenever you type your login information, it is recorded and stored on your computer for later review or secretly transmitted to the person who wants to steal this information. Keyloggers are very common on public computers (such as those in an internet cafe) and work computers.

Keyloggers exist in a variety of forms.

It could be a piece of software that pretty much runs invisibly on your computer. Most of the time, you will not see a keylogger program running on your taskbar or system tray. Sometimes keyloggers are hidden inside of other programs or renamed to look like other software, which makes it hard for a human to detect. These keyloggers could accidentally be installed by you, your family members or perhaps a friend. Another possibility is that someone intentionally installed the keylogger on your computer.

Another type of keylogger is a little piece of hardware that is physically connected to your computer. It could be as simple as a USB stick that is plugged into the back of your computer or it could be located inside of the computer case. Just imagine an unscrupulous computer technician working at your local repair shop, attaching a keylogger to every computer that comes his/her way. Whenever you take your computer in to get fixed, he/she downloads your keystrokes and then accesses your accounts or sells the information.

I suggest you download the free trial version of AVG Internet Security and scan your computer.

Final Ramblings

Once you have read how these criminals attack your password, it’s pretty easy to figure out how to prevent them from doing so.

Don’t get tricked

Find a strong internet security suite to protect you from spam emails, fake websites and keyloggers. Don’t download any programs attached to communications from suspicious sources. Don’t click any links in any private messages that are notifying you of a problem with your account. If you think that there might be a real problem with your account, manually type the website’s address into your browser and log in to fix it. Don’t tell anyone your login information, even if they say that they are some official person working at some official company. Companies will never ask you for that kind of information; they already have access to it and they can even reset it if they need to.

Create strong passwords

Create long passwords that use as many different characters as possible. Use a different password for every account that you have. If you need help remembering these passwords, you should definitely get your free copy of RoboForm and / or the portable version, RoboForm2Go.

Create strong security answers

I would recommend that you use strong passwords for your security questions, but that’s because I keep them saved in my SafeNotes with RoboForm. If you don’t want to use random characters for your answers, I might suggest that you lie to them. Tell them anything else that’s easy to remember, as long as it isn’t the real name of your dog. =)

If you have the time – read this next article on creating and maintaining good passwords.

Please take a moment to spread the word if this post was enjoyable.

AVG – Antivirus and Security Protection

Saturday, November 29th, 2008

In the past I have tried out a lot of anti-virus, anti-spyware, firewalls and other applications. I purchased a two-year subscription for all three of my computers back in October of 2007. This set me back $86.95, which was relatively inexpensive, considering that I was protecting all of my computers for less than $4 a month. I do spend a lot of time on the internet and I download a large quantity of files from questionable sources. =] This is why I chose to give myself a little bit of protection.

Most of the other brands that I’ve tried were either (a) too annoying to setup/implement, or (b) weren’t catching malicious content that AVG was finding. I started off using AVG’s free anti-virus and anti-spyware software, which only has 33% of the functionality included in their Internet Security suite. I used to download one file onto my laptop while it was “protected” by some other anti-virus software and I would eventually transfer that file to my desktop which was running the free version of AVG. I soon found out that AVG was much better than most others at catching malicious files that the other applications were letting slip by. AVG’s Internet Security 8 has received the VB100 award by detecting a wide variety of viruses in its default state during on-demand and on-access scanning without any false positives. AVG has since earned my trust and I haven’t experienced any problems finding those naughty files since using their software. The following paragraphs contain my review of AVG Internet Security as well as some basic information about viruses and what not.

Getting Started

You will most likely be interested in trying AVG’s Internet Security free of charge. This trial doesn’t pull any punches; it is fully functional for 30 days. You will have access to technical support as well as all of the suite’s features, just as if you had paid for it. The download is 56.3 megabytes and you won’t need to give up any personal information. Once downloaded, just run the simple install and it will help you through each step. Once installed, the interface is also very easy to operate.
Keep in mind that some specifics may have changed since I wrote this article.

How It All Works

AVG’s Internet Security brings together every type of security product that you’ll need to protect your computer. This software suite protects its users from viruses, worms, trojans, spyware, adware, identity theft, phishing, fraud, spam, hackers, threatening websites, dangerous instant messages, as well as other hidden threats and malicious content. Malicious software is able to copy, corrupt and even erase the data on your computer.
One of the newest features is the ability to scan a website’s address prior to you actually going to the website. This way, if the website you were going to visit is a known threat – AVG will warn you before you go any further and possibly get infected.

Why do I need all this?

Anti-Virus

One of the foundations of your computer’s protection is the Anti-Virus feature. The number of Viruses out there in the world is expected to reach one million by sometime in 2009. A Virus is an application that can duplicate itself and infect your computer without you even knowing about it.

Worms differ from Viruses because they are able to spread themselves without a user’s actions. The Code Red Worm infected more than 359,000 servers in less than 14 hours. The Sapphire/Slammer SQL Worm took approximately 10 minutes to spread worldwide and infected at least 75,000 victims.

Trojans basically hide inside a file that you would think is harmless. Most of the time it is very hard to detect a Trojan before it is actually executed. If you accidentally run a Trojan, it can cause practically any kind of damage that it wants to your computer.

Around 40% of computer users have been infected by a computer virus.

Anti-Spyware

Spyware can do a variety of nasty tasks. There are programs that can steal your personal information, email address and address books. Some Spyware likes to keep a log of everything that you type (like your passwords) and then it sends those logs to the Spyware creator so they can steal your identity. There are a lot of Anti-Spyware programs that pretend to be security solutions but actually consist of Spyware themselves.

Other malicious software can consistently deliver advertising emails to your inbox, use your computer to broadcast pornography to others, slow down your internet connection and/or crash your computer.

Adware usually keeps track of what you’re browsing on the internet, redirects you to certain websites, and opens pop-up windows all of the time. A program using Adware (like some of the toolbars out there) will display advertisements that are related to what the Adware notices you’re viewing while it is spying on you.

Around 91% of high-speed internet users have some form of Spyware on their computers.

Anti-Rootkit

A Rootkit is another type of malicious software that takes control of your computer system. This allows someone else to access your computer while avoiding detection. It manages to do this by hiding files, looking like it is part of the system and concealing the processes that it runs.

Anti-Spam

Approximately 14.5 billion Spam messages are sent out across the globe each day. Spam consists of unwanted messages that are related to advertising, adult-related topics, financial matters, fraud, phishing and other scams. Not only a constant annoyance, Spam also contains links to the above mentioned Viruses and Spyware.

Firewall

Another threat that is lurking around out there is the individual that tries to access your computer and the data contained within. This person could steal your personal information or perform illegal acts from your machine without your knowledge. Imagine getting in some legal trouble because your computer was responsible for launching a Spam attack or hosting child pornography. A firewall will help to prevent any unauthorized application or person from having access to your computer and it also stops applications from spreading to the internet from your computer.

Other Safe Services

AVG Internet Security is always screening for threats, even while you download files or communicate with others on the internet. There are also security exploits and drive-by downloads that are executed by malicious websites; meaning that you can get infected just by visiting a web page. AVG Internet Security makes sure that your search results, websites, and favorites are safe before you open them.

Tech Support

There are Frequently Asked Questions, video tutorials and a lengthy PDF User Manual for you to look at if you have any problems. You can also contact AVG’s Technical Support via e-mail, but you have to pay to talk to someone on the phone.

Not Just For Home Users

Businesses are not immune to the threats of malicious software. The costs can be horrendous and are usually associated with loss of data and productivity. When you operate a business – it isn’t just your operations and financial data that is at stake, but your customers’ information as well. Usually large companies pay IT professionals to protect them from such vulnerabilities, so it is actually the Small and Medium Businesses that need to worry about protecting themselves. Since all of those big enterprises are so secure, criminals will often spend their time attacking easy targets like your entrepreneurial quest.

The Cons

AVG Internet Security doesn’t give you much info about infections. All I’ve ever gotten from them is the name of the threat that it caught. On the other hand, it is quite easy to research the infection once you have the name and I’ve never really needed to look too far into it – because AVG has always removed the threat.

Some say the AVG Internet Security 8.0 slows down their computers. Some have claimed that a full system scan uses up to 70% of their system resources. I personally have not experienced any problems with AVG and the speed of my computer. I prefer not to have anything else running when I’m scanning for viruses anyway, so I do my full system scans when I’m asleep or away from the keyboard.

AVG doesn’t search for Rootkits by default; you have to manually search for them. This doesn’t really make any sense to me, but it isn’t hard to perform either. This would probably be the one feature that I would change if given the choice.

I don’t like programs that have partnerships with other services and then try to dupe the user into installing that service along with their program. I always recommend that you perform a custom install whenever possible and do not install any additional toolbars or services that aren’t related to the program being installed. AVG does ask if you want them to set Yahoo as your default search engine (in Internet Explorer) and Yahoo Search will be on their toolbar as well. I didn’t default to Yahoo and I didn’t install the toolbar – you actually don’t need the toolbar to be fully protected.

While we’re on the subject...

For security and usability reasons, I suggest that you never use Internet Explorer. Instead, you can download Firefox or Google Chrome which are both free. I also recommend that you make Google your default search engine because they are extremely accurate with search results.

Final Ramblings

AVG offers a 100% free Anti-Virus & Anti-Spyware (doesn’t expire) program. This is good if your 30 day trial of AVG’s Internet Security expires and you choose not to pay to be fully protected. When I wrote this article, AVG’s free software was the most downloaded file over at CNET’s Download.com with 1,649,472 downloads.

AVG is trusted by over 80 million users. You need to be protecting your computer(s) from all of the threats out there. It is also important to realize that installing a good security program is a good first step, but you also need to back up your data. Do not let Internet Security or Data Backup sit on your to-do list; take care of them now!

Please take a moment to spread the word if this post was enjoyable.