You already heard the story of James, the shopaholic. Today, we'll take a look at Emma's story. On a Monday morning, Emma wakes up to a message from her bank, informing her of a transaction she did not initiate. Shocked, she contacts the officials only to find out her account has been hacked. After an extensive investigation, Emma learns her credentials were leaked from a different site where she used the same username and password as her bank account. Who do you think is responsible for the compromised security in Emma's case?
While it's easy to point fingers at one entity or the other in cases like these, the reality is much more complicated because, in a two-way transaction where both the service provider and the user have access to an account, its security becomes a collective responsibility.
How does your password reach the wrong hands?
There are lots of different ways a hacker can extract your password. From brute-force attacks (where one guesses common combinations of weak passwords) to SMTP crackers, hackers have several methods up their sleeves to exploit even a minor user mistake. Let's take a look at some of the common user mistakes that lead to an account getting compromised.
There is no denying that the debug mode in Laravel is a highly beneficial tool that helps developers find errors in their applications. The problem however arises when a Laravel developer forgets to disable the debug mode before pushing their application live. With the debug mode enabled on live applications, hackers can easily cause an exception to extract sensitive data like keys, passwords, and other information that can compromise the security of your accounts.
In cases like this, the only way you can secure your account is by switching off the debug mode. If you only change the passwords of your accounts, the automatic file requests and transfers will keep exposing your account credentials in a vicious cycle.
Hackers get the SMTP details of a user in multiple ways. It could be via a web application, Laravel, or even directories. One of the uncommon but not impossible ways hackers get their hand on a user's SMTP details is through online tools that help you check SMTP status.
These hackers scrape such sites for server details and then use a brute-force attack to compromise its security. It shouldn't come as a surprise that accounts with common, easily guessable passwords are much more susceptible to being victims of this attack.
Prevention is the best cure
Using strong passwords
One of the major reasons brute-force attacks are so often successful is the lack of strong passwords. Using a strong, unique password increases the number of combinations a hacker has to iterate. So make sure to always include capitals, numerals, and special characters in that password you are creating.
Even if a hacker manages to find your password, they can't move forward if you have two-factor authentication (2FA) enabled. There have been many cases where 2FA has prevented account breaches for users who had it enabled. So, why settle for one security gate when you can have two?
A unique password for every account
According to a poll by LogMeIn, 59% of people use the same password everywhere. The problem with using the same password for all your accounts is that when one account's password gets exposed, all other accounts can be compromised as well. Many people tend to use the same password for multiple or all accounts because it's easier for them to remember, but convenience is never worth the risk. Luckily, you can overcome this difficulty by using secure password managers like Zoho Vault.
Never interact with phishing emails
Hackers often use socially engineered phishing emails to manipulate users and extract sensitive data. When you suspect an email to be of unusual nature, take a closer look and cross-verify before taking further action.
We at Zoho Mail are constantly updating our security features and blocklists to keep our user accounts safe and secure. However, if you haven't secured your Mail account with strong, unique passwords with 2FA, then please don't hesitate even a second to update your password and adhere to password best-practices. The safer your password, the more secure your account stays.
If you haven't changed it yet, update your password conforming to the security standards we just discussed. Let us know with a #myPasswordIsSecure hashtag in the comments below.