Atharv Karandikar

How to stay safe from hackers?



"Social media are fast becoming a vital part of our lives, seriously when was the last time you went a day without checking your Instagram or Facebook...?"


Ranging from the number of followers you have on Instagram and Twitter to the number of likes you get per post on Instagram and Facebook, everything matters. A sudden dip in the number of likes you are receiving makes us restless, and as this social media fad grows, so does people's thirst for more followers and likes. There is nothing wrong with that; as the world progresses, this is fast becoming part of our lives.


WHAT'S THE POINT OF THIS BLOG

Through this article, let's try to understand why it is important to limit the amount of information you post online, and how hackers can specifically target you and your social accounts and ruin your social and professional life. We will also see how easy it is to create a wordlist to launch a password-cracking attack, and how to protect ourselves from falling prey to a wordlist brute-force attack.


UNDERSTANDING IMPORTANCE OF PERSONAL DATA


It may look like a normal thing to share personal information such as your birthdate and pet names with other people, but when you boil it down to its core, it is nothing but raw information that can be used against you. The information I am talking about is:


  • Sharing your birthdate.

Many of us share our birthdate on Instagram in the bio section.

If we go by the stats, 59% of people still use their birthdate, or a combination of their birthdate and name, to generate a password, simply because it is easy to remember. That is the first piece of information a hacker looks for when building a wordlist to attack you. So if you are among those people who use such passwords, I'd suggest you change it asap.

"Generating a password from the information that you are making publically available and assuming that no one can guess it, good luck with that because you are doomed..."

  • Sharing favorites and pet names.

People unknowingly share vital information such as their favorites: favorite color, favorite movie, or favorite place to visit. Sharing this openly can act as a pivot point for gaining access to your Gmail and social accounts. 'Security questions' are often based on our daily lives, such as "What was your first pet's name?" or "What is your favorite color?" If you have that information posted, you are handing hackers a potential way into your accounts.

  • Sharing live locations.

Social media has put us all literally in the public domain. Every time you post a location tag, you could be sharing your location with a huge audience. It is an audience you may or may not know, so sharing geolocation can give stalkers a substantial amount of information about your travel habits and the people you hang out with.

Secondly, it makes it easy for a thief to watch your live location updates; as soon as you leave your home, robbing you becomes easy.


WHAT ARE WORDLISTS?

Alright, amigos, let's try to understand this:

What are wordlists, and why are they so powerful?

A wordlist is basically a dictionary containing words or potential password combinations. Several wordlists are available, but let's focus on one of the most popular and widely used ones, i.e., rockyou.txt.

A brief history of 'RockYou':~

The San Francisco-based company 'RockYou' was hacked back in 2009, and the breach exposed 32 million users and their passwords. The key reason was weak data protection and privacy practices: passwords were stored in plaintext and shared via email, and RockYou account creation only enforced a minimum password length of 5 characters, with no requirement for mixed case, numbers, or punctuation. The platform actually encouraged simple passwords by not allowing any punctuation at all.

RockYou also prompted users to enter their third-party site credentials directly into the RockYou site when sharing data or an application.

All of this led to the disclosure of emails and their associated passwords in the public domain.

The chances of success with rockyou.txt are pretty high because this list contains passwords that were actually used by real people.

rockyou.txt is available in Kali Linux under /usr/share/wordlists/


HOW TO CREATE CUSTOM WORDLISTS?

Spoiler alert!!!

Creating a wordlist is a super easy task, but as a hacker, you have to be really picky and intelligent in choosing the words your target might have used while creating his/her password.

Let's focus on a simple tool called Crunch, which is available in Kali Linux by default.

It is super easy and has one of the simplest syntaxes. When it comes to creating more complex wordlists, tools like CeWL, Mentalist, and Combinator come into play.


Let's say there is a guy named John, his birthday is on 14th Feb, and let's assume he uses a name@birthdate format to generate his passwords.

So the basic information we have is: Name - John, Birthdate - 14-Feb.

~$ crunch 5 5 john14@# -o johnpasslist.txt

crunch - invokes the crunch tool.

<min> <max> {5 5} - the minimum and maximum number of characters in each generated password.

john14@# - the character set: crunch combines these letters, digits and symbols to produce every possible string of the requested length.

-o johnpasslist.txt - writes the output to the file johnpasslist.txt.

In this case, crunch generated 32768 password combinations (8 characters in the set, 5 positions, so 8^5 = 32768).


And just like that, your basic wordlist is created to attack your character named John. It's super easy, right?


You can use more characters, including the full alphabet, to generate a much larger and more complex wordlist.


Now that you have a good wordlist, you can invoke tools like Medusa and Hydra to start brute-forcing the account of user John.

Wordlists are getting better and are updated frequently in the hacker community, so rather than creating a custom wordlist, it is often better to use the lists already available on the internet.

One such resource is SecLists on GitHub. It has many password lists, as well as directory-fuzzing payloads, usernames and passwords for SSH, and several other collections of sensitive data.


PROTECTING OURSELVES FROM GETTING HACKED


There are plenty of other ways by which people get hacked. 'Phishing' is one of them, but since this blog focuses mainly on password strengthening, let's talk about that. Creating a strong password is essential for staying safe even if password hashes are leaked online in a major data breach. "The stronger the password, the stronger the hash": a strong password is unlikely to appear in any rainbow table or wordlist, so its hash cannot easily be turned back into the plaintext password.


When creating a password, use at least 8 characters combined with a punctuation mark, or go ahead and use a complete sentence as your password, because sentences are long and not easy to crack.


One must realize the consequences of using weak passwords. It not only puts you at risk but opens the door for an attacker to pivot from your personal or work email account and exploit the company you work for, because employees usually share their company's VPN access credentials via email in plaintext. Now imagine your email being hacked: it puts your company at major risk and can cause serious financial damage. So we must realize the importance of creating strong and complex passwords, and even if you have a strong password, make sure you are not leaking any of the secondary information you've specified in a security question.
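As an added example (not code from the original post), a small Python check that makes the article's two points concrete: it counts the candidates a crunch run like `crunch 5 5 john14@#` produces (charset size raised to the password length) against the space an 8-character password with punctuation lives in, and it rejects passwords built from the profile facts the article warns against sharing or that appear in a breached list. John's birth year, pet name and favourite colour, and the tiny stand-in for rockyou.txt, are constructed for the demo.

```python
import re
import string

# Constructed stand-ins: the public facts from the article's "John" example
# (birth year, pet and colour are invented for the demo) and a tiny sample
# in place of rockyou.txt.
PROFILE = {"name": "John", "birthdate": "14-Feb-1990",
           "pet": "Buddy", "favourite_colour": "Blue"}
BREACHED = {"123456", "password", "iloveyou", "john1990"}

def crunch_keyspace(min_len: int, max_len: int, charset: str) -> int:
    """Candidates `crunch <min> <max> <charset>` writes: every string of each
    length over the charset, with repetition (charset assumed free of repeats)."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))

def profile_tokens(profile: dict) -> set:
    """Lower-cased fragments a wordlist built from a public profile would
    contain: each value whole, plus day/month/year pieces of the birthdate."""
    tokens = set()
    for key, value in profile.items():
        value = str(value).lower()
        tokens.add(value)
        if key == "birthdate":  # expected as DD-Mon-YYYY, e.g. 14-feb-1990
            day, mon, year = value.split("-")
            tokens.update({day + mon, mon + day, day, mon, year, year[-2:]})
    return {t for t in tokens if len(t) >= 3}  # drop 2-char bits: too noisy

def check_password(password: str, profile: dict, breached: set) -> list:
    """Policy problems found (an empty list means the password passes)."""
    problems = []
    low = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no punctuation or symbol")
    if low in breached:
        problems.append("appears in a breached-password list")
    hits = sorted(t for t in profile_tokens(profile) if t in low)
    if hits:
        problems.append("contains profile data: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    full = string.ascii_letters + string.digits + string.punctuation  # 94 chars
    print("crunch 5 5 john14@#  ->", crunch_keyspace(5, 5, "john14@#"), "candidates")
    print("8 chars, 94-char set ->", crunch_keyspace(8, 8, full), "candidates")
    for pw in ["john14feb", "iloveyou", "C@ts-and-Dogs-Living-together"]:
        print(f"{pw!r}: {check_password(pw, PROFILE, BREACHED) or 'ok'}")
```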


If you are an active user of Facebook, Instagram, and Google services, make sure you have two-factor authentication turned on, along with the app-based authentication that Instagram offers. These features add a lot of security to your accounts.

And if you are among those people/employees who still have to share passwords and login credentials via email, make sure you at least do it through a secure email service like Protonmail.


Also, if you have a hard time remembering passwords, use a popular password manager; each of these is a reliable option:

  • DashLane

  • LastPass

  • KeePass

Another key point to note is don't reuse the same passwords for multiple accounts. If one of the accounts is compromised the attacker can easily gain access to the rest of your social accounts in no time.


What does a strong password look like?

  • AMZn+humTdumt$@t0nAwa11

  • C@ts-and-Dogs-Living-together

  • Sa782 aesf7 2ur8yhujjhfe#@uh8

Keep this in mind and make sure your password looks as funky as the ones above.


This brings us to the conclusion of how important passwords are. You may think no one can guess your simple password, but in reality, password cracking is done by computers, and for them it is an easy task to carry out with great efficiency.

If you don't act now, you may be the next victim of identity theft.


Signing off!

Stay safe!




