
Understanding the threats and popular password cracking methods

You don’t need someone’s password to access their personal information, steal their identity or just ruin their day. Attacking someone’s password, however, is very common and it may be the first step that an unethical person takes to mess with your life. I would just like to discuss some of the ways that a criminal might try to access your documents or online accounts.

Through Trickery (Phishing)

With the ‘anonymity’ of the internet, everyone can pretend to be anybody. Anyone can easily contact you with some type of story designed to trick you into sharing your personal information. These communications will usually come in the form of emails, instant messages, links on social networks, and maybe even some phone calls. Regular people are able to send you an email that looks just like the emails that you have been receiving from your bank, eBay, PayPal, and so on. Probably the most popular storyline in any of these communications is that there is some type of fraudulent activity or other problem with your online account. An official-looking email is usually sent out in a spam-like fashion, and its purpose is to ‘alert’ you to this (fake) problem with your account. Now that you’re worried about the account that’s in (fake) jeopardy, you will be encouraged to click on a link so that you can be taken to the website where you can resolve this issue. This is what’s known as phishing (and with good reason) – basically the criminal is casting a line and waiting for a sucker to take the bait.

When you click on the link that’s supplied in the email (or other communication) – you are usually taken to a counterfeit website that looks exactly like your online bank, stock broker, email provider, or whatever company the crooks are pretending to be. This website is fake and has only one purpose: to capture your login or other sensitive information. Everything relies on you being flustered by the original alert in the first communication. The criminals want you to concentrate on trying to fix this ‘problem’ or ‘fraud’ that is associated with your account, so that you aren’t paying attention to anything else. Once you’re good and frantic, the link directs you to the website that looks exactly like what you’re used to and you just start entering whatever information it prompts you for. This information goes directly to the hooligans behind these fake emails and website. They use your information to log in to the real website and access your identity and/or financial data.

Read my other article to learn how to protect your information.

Venturing a guess

The closer you are to a person, the easier it is to guess their password. I know that you think you’re pretty smart and you have an original password, but as Tyler Durden would tell you – you are not a beautiful and unique snowflake. Most people use the same crap when it comes to creating passwords.

When guessing a password, you might as well start with names. People like to use the name of their pets, lovers, children, friends, relatives, and so on. Names would also include your favorite celebrity, sporting team, athletes, school, city, etc. Once you’ve failed with the name game, numbers are your next best bet. People might use important dates, digits of their social security number, license plates, or even the ridiculously stupid ‘123’ and such. When you come up short with numbers alone, you should try a combination of important names and numbers. After that, you can try passwords comprised of one word or something short and very simple like qwerty, password, passcode, admin, love, letmein, money, secret, or even a swear word. If your password isn’t one of the guesses mentioned above, I applaud you.

Like I said, the more you know about a person – the easier it is to guess their password. Criminals don’t necessarily need to know you on a personal basis in order to obtain this type of information though. A lot of background information can be found on the web for free and almost anything else that can’t be found is available for under $50. To a criminal, it might be worth the $50, depending on what they can get after they have your online accounts.

Keep in mind that most websites require the use of at least one number in your password. This means that most people will simply add a 0 or 1 to the beginning or end of their password. Obviously, any guesses would need to conform to your account’s specific password requirements. What I mean is that if the website requires that your password be at least 6 characters long and include at least 1 number – all of the guesses would be adjusted to meet those criteria.

Read my tips for choosing better passwords.

Brute Force Attacks

Imagine that your password consisted of only 1 lower-case letter in the English alphabet. A piece of brute force software would systematically attempt all of the 26 possibilities until it found your password. For the sake of argument, we’ll say that this program can attempt 1 password a second. This means that in a maximum of 26 seconds, your password would be cracked. It might take only 1 second if your password was the letter ‘a’, assuming that the brute force started guessing from A and finished with Z.

When calculating how long it might take a brute force program to solve your password, the important things to consider are:
(a) The range of characters available for use in your password (such as lower-case characters, upper-case characters, numbers, symbols, punctuation, etc.)
(b) How many characters in length your password is
(c) How many passwords the brute force software can attempt in a second, and
(d) How many computers are carrying out the brute force attack on your password

Now, let’s pretend that you upgraded your password of 1 lower-case letter to a 10 character password consisting of upper and lower-case letters. There are 26 lower-case letters and 26 upper-case letters, so each of the 10 characters in your password would contain 1 of these 52 available characters with the possibility of having duplicate characters. To see how long this would take to crack we’ll start with what we know so far. (a) = 52 and (b) = 10. We’ll say that this evil person is able to attempt 1,000,000 passwords per second, which isn’t uncommon (against a password hash) – and he’s working with only one computer. These assumptions give us (c) = 1,000,000 and (d) = 1. Now that we have everything we need, let’s figure out the maximum amount of time that it will take for our criminal friend to crack our 10 letter password with the brute force method. The formula goes like this, (a) to the power of (b) divided by (c) which is divided again by (d).

For our specific example we end up with this formula: (52^10) / 1,000,000 / 1.

Our calculation shows that the brute force could take a maximum of 144,555,105,949 seconds. This is the equivalent of 2,409,251,766 minutes, 40,154,196 hours, 1,673,092 days or 4,584 years. For comparison, a password containing 6 lower-case letters would only take 5 minutes to brute force with the same attempts per second. Keep in mind that your password is likely to be solved before the very last attempt, and the bad guy could always use multiple computers to cut down on the time that it would take to run the brute force.
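The formula above, (a) to the power of (b) divided by (c) and by (d), as an added example that is not part of the original article. It reproduces the article's two figures and goes a step further by finding the shortest password of a given character range that holds out for a target time; the function names and the 365-day year are assumptions of this example.

```python
# Added example: the article's brute-force estimate as a reusable calculator.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 365-day year, which the article's figures imply


def worst_case_seconds(charset: int, length: int, rate: int, machines: int = 1) -> int:
    """(a)^(b) / (c) / (d): time to try every candidate, in whole seconds."""
    keyspace = charset ** length
    per_second = rate * machines
    return (keyspace + per_second // 2) // per_second  # exact integer rounding


def min_length(charset: int, rate: int, machines: int, target_seconds: int) -> int:
    """Shortest password length whose worst case is at least target_seconds."""
    length = 1
    while charset ** length < target_seconds * rate * machines:
        length += 1
    return length


def humanize(seconds: int) -> str:
    """Render seconds in the largest unit that keeps the number >= 1."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds} seconds"


if __name__ == "__main__":
    rate = 1_000_000  # (c) from the article: attempts per second against a hash
    article = worst_case_seconds(52, 10, rate)
    for label, charset, length, machines in [
        ("6 lower-case", 26, 6, 1),
        ("10 mixed-case (article)", 52, 10, 1),
        ("10 mixed-case, 1,000 machines", 52, 10, 1000),
        ("10 mixed-case + digits", 62, 10, 1),
    ]:
        worst = worst_case_seconds(charset, length, rate, machines)
        # On average the password falls after about half the keyspace is tried.
        print(f"{label:32} worst {humanize(worst):>18}  average {humanize(worst // 2)}")
    print("lower-case-only length needed to match the article's 10 mixed-case:",
          min_length(26, rate, 1, article))
```

Length does more work than character range: a lower-case-only password needs 13 characters to outlast the article's 10-character mixed-case one at the same guess rate.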

Read my other article to learn how to create stronger passwords.

Dictionary Attacks

Somewhat similar to brute force attacks, dictionary attacks will attempt to guess your password by submitting word after word from a huge list. Dictionary attacks will usually finish faster than the brute force method because they only guess passwords that are more likely to exist rather than every single possible combination of letters, numbers and symbols. Since most people choose simple passwords that are fewer than 8 characters – these passwords are usually very easy to predict. All a crook needs to do is create and maintain a custom list of common passwords (with a few variations of each) and then unleash it on some unsuspecting target.

Don’t let the word ‘Dictionary’ fool you – it’s more of a custom list that is downloaded off of the internet or created by the criminal performing the attack. The password ‘iloveben’ wouldn’t be found in your common dictionary, but it might be included on a list used for dictionary attacks. The beauty of a dictionary attack is that the criminals can tailor their list to a particular person or websites that they want to attack. If the bad guy is trying to gain access to an administrator account on some website about butterflies, the bad guy can simply import butterfly related words and phrases to the password list being used for the attack.
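Seen from the website's side, the same observations (a short list of common passwords, a 0 or 1 tacked on to satisfy a number rule, words tied to the person or site) become a check to run when a user chooses a password. The sketch below is an added example, not code from the original article; the function names, the substitution map and the 8-character minimum are assumptions, and the blocklist reuses the simple passwords the article names.

```python
import re
from typing import Iterable, Optional, Set

# Simple passwords the article lists, plus the one it mentions for custom lists.
COMMON = {"qwerty", "password", "passcode", "admin", "love", "letmein",
          "money", "secret", "iloveben"}

# Constructed substitution map (an assumption of this example).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password: str) -> Set[str]:
    """Forms the password reduces to once trivial decoration is undone."""
    lowered = password.lower()
    # Drop digits and symbols added at the start or end to satisfy a policy.
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}


def weakness(password: str, context: Iterable[str] = (), min_len: int = 8) -> Optional[str]:
    """Return why a password is predictable, or None if no rule fires."""
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    if password.isdigit():
        return "digits only"
    forms = candidates(password)
    if forms & COMMON:
        return "common password with digits or symbols added"
    for word in context:  # names, pets, site topic: whatever is known about the user
        w = word.lower()
        if len(w) >= 3 and any(w in form for form in forms):
            return f"built on context word '{w}'"
    return None


if __name__ == "__main__":
    # Constructed sample inputs for a site about butterflies.
    for pw in ["password1", "1letmein0", "P@ssw0rd1", "Monarch2009", "tVq8#Lzm2!rYp"]:
        print(f"{pw:16} -> {weakness(pw, context={'butterfly', 'monarch'})}")
```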

Read my other article to learn how to create stronger passwords.

Password Reset

It appears that this method may be the easiest one that someone can use to gain access to your online accounts. We have all used the “Forgot your password?” option at one point or another. This is where the website that you’re trying to access will ‘do you a solid’ and email your old password to you or hook you up with a new password after you answer some security questions. The trouble with this reset function is that the security questions are usually pretty dumb. Anyone would be able to reset your password if he/she can find out the name of your dog, where you attended school, where you were born, what streets you’ve lived on in the past or some other trivial crap.

This is where your extravagant blog posts or information on myspace, Facebook or Twitter come into play. You have probably already posted something about the answer to each of your security questions without even thinking twice about it. People have even started stockpiling this information by sifting through webpages and social networks to build databases of common pet names and related content that they can then sell to information-hungry criminals.

Read my other article to learn how to be safer online.

Recording your keystrokes

As the name suggests, a ‘keylogger’ will maintain a log of the keystrokes made on a given computer. This means that whenever you type your login information, it is recorded and stored on your computer for later review or secretly transmitted to the person who wants to steal this information. Keyloggers are very common on public computers (such as those in an internet cafe) and work computers.

Keyloggers exist in a variety of forms.

It could be a piece of software that pretty much runs invisibly on your computer. Most of the time, you will not see a keylogger program running on your taskbar or system tray. Sometimes keyloggers are hidden inside of other programs or renamed to look like other software, which makes it hard for a human to detect. These keyloggers could accidentally be installed by you, your family members or perhaps a friend. Another possibility is that someone intentionally installed the keylogger on your computer.

Another type of keylogger is a little piece of hardware that is physically connected to your computer. It could be as simple as a USB stick that is plugged into the back of your computer or it could be located inside of the computer case. Just imagine an unscrupulous computer technician working at your local repair shop, attaching a keylogger to every computer that comes his/her way. Whenever you take your computer in to get fixed, he/she downloads your keystrokes and then accesses your accounts or sells the information.

I suggest you download the free trial version of AVG Internet Security and scan your computer.

Final Ramblings

Once you have read how these criminals attack your password, it’s pretty easy to figure out how to prevent them from doing so.

Don’t get tricked

Find a strong internet security suite to protect you from spam emails, fake websites and keyloggers. Don’t download any programs attached to communications from suspicious sources. Don’t click any links in any private messages that are notifying you of a problem with your account. If you think that there might be a real problem with your account, manually type the website’s address into your browser and log in to fix it. Don’t tell anyone your login information, even if they say that they are some official person working at some official company. Companies will never ask you for that kind of information; they already have access to it and they can even reset it if they need to.

Create strong passwords

Create long passwords that use as many different characters as possible. Use a different password for every account that you have. If you need help remembering these passwords, you should definitely get your free copy of RoboForm and / or the portable version, RoboForm2Go.

Create strong security answers

I would recommend that you use strong passwords for your security questions, but that’s because I keep them saved in my SafeNotes with RoboForm. If you don’t want to use random characters for your answers, I might suggest that you lie to them. Tell them anything else that’s easy to remember, as long as it isn’t the real name of your dog. =)

If you have the time – read this next article on creating and maintaining good passwords.

Increase your product sales with TrialPay

Get free stuff with Trialpay

If you’re looking to get free software, you should probably read this other article about TrialPay.

TrialPay increases a customer’s willingness to pay by removing the cost associated with your product. Let’s say that you have a customer that won’t purchase your product outright but he or she might be a good lead for a different company’s product or services. TrialPay lets you leverage the brand recognition of the advertisers in the TrialPay network to convert such customers. TrialPay saves your abandoned shopping carts and turns them into successful conversions by matching your customers with other preferred brands.

When your potential customers complete an advertiser’s offer (for example, signing up with freecreditreport.com to monitor their credit), you will receive money from the advertiser (worth the full price of your product) which allows you to give your product away for “free” to the customer. With TrialPay everybody comes out a winner – the customers get their free products, advertisers acquire new leads / customers, while merchants earn significant revenue from customers that would otherwise be lost.

Cost Per Action or Acquisition

TrialPay advertisers operate through an online advertising pricing model known as CPA. Rather than paying for clicks, the advertisers only pay when a specified action (such as a purchase or form submission) is completed. This payment process allows every party involved to be compensated quickly and efficiently. Once the action is completed by the customer, you will get paid by the advertiser which allows you to send out the product license (or whatever you’re selling) to the customer.

Will TrialPay actually improve sales?

Many merchants have reported that TrialPay does indeed increase conversion rates. If you would like proof, I suggest that you read the case studies hosted on the TrialPay site. Basically all you’ll need to do is add the TrialPay payment option to wherever your customers are exiting without making a purchase. Some popular placements include: exit pops/overlays, trial uninstall messaging, reactivation campaigns, e-mail messages, rewards programs, standard payment options and many more. TrialPay is excellent at walking you through and explaining the various ways to capture more conversions. There is zero commitment between you and TrialPay – if you aren’t happy with the results, simply stop using them. The TrialPay payment platform is completely free to use – they don’t charge you for processing payments or customer service. You will also receive comprehensive merchant services like custom graphics, marketing tools and fully developed html pages from TrialPay, free of charge.

TrialPay guarantees that you will be paid (at least) the minimum that you require for each transaction and you will usually receive more than that. Let’s say you’re charging $35 for your product. With TrialPay you will definitely receive $35 for each transaction – but you could also earn $40 or $50. If you’re receiving a direct sale from the customer, you will only get $35.

Final Ramblings

When I wrote this article, there were over twelve million shoppers using TrialPay. Personally, I have used TrialPay to obtain products that I would never seriously consider spending my money on. Getting such products for free when I spent the same money on other services/products just seemed to make sense though. At the very least, merchants should use TrialPay to confront customers that are abandoning their shopping cart or uninstalling their software. When the customer sees that there is an alternative payment method available, they may reconsider walking out on your product. TrialPay is especially effective when a customer learns that they can get your product for free when they try out something else that they were already interested in. If I’ve been thinking about joining BLOCKBUSTER Total Access for a while and then one day, I found out that by joining Total Access, I could get AVG Anti-Virus 8.0 for free – I would definitely be more likely to go through with it. Getting 2 things for the price of 1 is always enjoyable for customers. So, don’t let these customers slip through the cracks – offer TrialPay as a payment method for your products today.
