Tricky Passwords
The three most common ways to break an account
based on analyses of account misuse in the university network:
1. Submission to phishing alias “I gave it away myself”
Phishing is fraudulent email that manipulate the recipient to enter their email password on a fraudulent www page that mimics, for example, their work webmail. More about phishing you find in article dangerous emails.
2. Escape from another service alias “I have one password all over the place”
The attacker may rob a database of the login details of a service not in the university network (e.g. e-commerce), but to which a university employee registered with a work e-mail address and (unfortunately) the same password. So the attacker has an email, according to the domain, he finds webmail the university, try a password – and succeed. Registering with external services with work email password is a big mistake!
On ’;–have i been pwned? you can test if the email address in a leaked password database, finds out which database service it came from and when the passwords were leaked.
Whoever uses the same password everywhere and has found “have i been pwned?” has a really big problem.
3. Guess or Trivial Password
Attackers also try to guess passwords simply. They succeed exceptionally because they only try a few the most well-established passwords (e.g. “12345678” or “11111111”), but it happens. Beware, first names are also on the index.