Understanding Data Breaches
One of the most common misconceptions about data breaches is how they work. Most people think "nobody has any reason to hack me." While this may be true, rarely is a cybercriminal going to target a total stranger who might not even have anything worthwhile. The "I'm not a valuable enough target" mentality betrays a fundamental misunderstanding of how today's digital hacking landscape works. Here's how data breaches and modern hacking really work most of the time:
If you're reading this, you likely have an account with a major service that has millions of users like Gmail, Amazon, eBay, or Facebook. Smart cybercriminals target these major companies. These companies endure anywhere millions of attacks every day. The defender needs to succeed every single time, but the attacker only needs to be successful once. Once the attacker is in, they steal everything they can before they get noticed and kicked out of the system: usernames, passwords, card numbers, IP addresses, anything the service logs and they can access.
Typically, responsible companies encrypt the most sensitive information like passwords and card numbers but not things like username and IP address (which can reveal your exact physical location). This matters because step two is to sort through and decrypt whatever information the hacker has stolen. Various programs exist - totally legal and for free - to help crack your password. A given password can be cracked in less than one second depending on the complexity of it and the criminal's computer. This doesn't require a government-grade supercomputer, either. A decently-powerful computer capable of cracking dozens or hundreds of passwords in an hour can cost somewhere around $1000 and can be purchased off the shelf at your local electronics store.
How Password Cracking Works
There's two main methods of guessing a password. The first is called a "dictionary attack." This when the criminal loads a dictionary into the software and it checks your password against the dictionary, including common variations. For example, "P4ssw0rd" is a common variation of "password," so the program will check for that. Various dictionaries are available for free, including song lyrics, famous names, quotes, and more. A hacker can even easily make their own dictionary tailored to you with information like names of family members, important dates, pets, sports teams, and more.
The second method is called a "brute force attack." This is where the hacker specifies parameters (such as "upper and lower case letters" and length) and the software guesses every possibility, starting with "aaaaaa,"then moving on to "aaaaab," and so on. Passwords less than six characters, regardless of complexity, can be brute forced in less than a second.