5 Reasons to Assume Your Odds of Getting Hacked Are 100%
Everybody worries about their computer getting hacked or their phone being tapped. While it’s pretty unlikely that you have a spy movie-style villain after you who’s intent on closing in on your deepest and darkest secrets, that’s not a reason to assume that you won’t be the target of a hacker. In fact, just the opposite may be true. It’s safest to assume that your chances of getting hacked are 100%. Read on to check out some of the reasons why you should assume your email, devices, and accounts are going to get hacked.
1. Your email is likely to get hacked or leaked
Timothy B. Lee reports for Vox that it’s safe to assume that your email will get hacked or leaked eventually “as more and more of our communications move to electronic media.” The kinds of leaks we saw in the 2016 presidential campaigns should make us all more cautious about the kinds of conversations we hold via email. As Lee notes, “Private venting over email or other online communication platforms won’t necessarily stay private. It’s better to save your most vitriolic wisecracks for face-to-face meetings behind closed doors.”
Most people can’t totally “sanitize” the emails they send. But they can become more technologically savvy, and more readily able to catch the phishing emails that are traps set by hackers. As Lee advises, “The lesson here is that you should never click on a link in an email and then enter your password.” He continues, “And if they do click a link, users should check the address bar to make sure that it’s the address they expected.”
It’s also worth noting that even if you’re careful about your security, your messages could still be leaked if someone with whom you communicate isn’t careful. Another danger is that your email provider could be hacked. Lee posits that while “people should be doing more to lock down their private communications,” there’s still “probably nothing we can do to fully prevent these kinds of attacks. Everyone is potentially vulnerable to having their emails stolen.” You should lock down your email account with two-factor authentication, but you should also be careful about what you write in an email.
2. Vulnerable devices will definitely be hacked
The Atlantic’s Andrew McGill reports, “It is now within the capability of hackers to literally scan the entire internet, looking for vulnerable servers with open ports. And every hacked computer adds another recruit to the search effort, shortening the time required geometrically.” According to Cloudflare co-founder and chief executive Matthew Prince, the upshot is that anyone who’s hooking up a poorly-secured IP device to the internet “can expect to see that gizmo hacked within a week, if not much sooner.”
Prince tells The Atlantic, “Assuming it’s publicly accessible, the chance [of being hacked] is probably 100 percent.” He explains, “The IPv4 address space just isn’t that big. You can now run a scan across that entire space in hours, especially if you have a big botnet. The scans for vulnerability are continuous, and if anything, have accelerated over the last couple of years.”
McGill notes that this doesn’t mean that every Internet of Things device is vulnerable. Most of the devices that you connect to the web via your home Wi-Fi “are probably okay,” since your router will be able to quash most hacking attempts. (This is assuming your router isn’t compromised.) But devices that are hooked up to the modem directly, which is common in industrial settings, are more vulnerable. McGill warns that “the vastness of the internet can no longer protect us.” Sloppy security mistakes can leave you vulnerable to being found by a hacker.
3. Your passwords probably aren’t strong enough
It’s no mystery that people routinely choose insecure passwords. The specifics of the most popular insecure passwords may vary year to year. But Lisa Pollack reports for the Financial Times that “our crummy password construction is predictable. And with large breaches of popular websites, hackers are getting to know us better than ever.” Passwords are vulnerable to hackers in what Pollack characterizes as “a couple of indirect ways.” She explains that most people — as many as 60% by some estimates — reuse passwords. So the login details from one site can be tried out with other sites. And the data sets can be added to “dictionaries” which can be used to crack passwords.
Pollack also notes that if you use a password strength meter when you’re creating a new login, it may not be quite as helpful as you think. That’s because these tools underestimate hackers’ understanding of users’ habits, and therefore overestimate how difficult it would be for a hacker to figure out your password. “In an ideal world, website owners would strengthen their own security to protect users. But if their customers use weak passwords — or reuse strong ones on other, less secure sites — there’s only so much they can do.”
Researchers have found that consumers’ misunderstanding of what constitutes a strong password, and their tendency to make poor password choices, often stems from “an underestimation of the risk of potential attacks and a lack of knowledge about how dangerously common certain construction techniques are.” The upshot is that even if you think you’re being creative in thinking up a password, chances are good that it’s not as original (or as secure) as you assume that it is.
4. Your passwords probably aren’t original enough
Just as Pollack notes that password construction has become extremely predictable, Michael Kassner reports for TechRepublic that most hackers are concerned about turning a profit. So according to security researchers, hackers look for attacks that will be successful “on average, not just when circumstances are favorable.” A hacker pays for every attempt to access an account, but will only get a return when the attack succeeds.
In the interest of making sure that an attack doesn’t succeed — especially when it comes to critical logins like the one for your bank account — you don’t want your passwords to be predictable. You don’t want to follow popular password constructions, and therefore create logins that are easy to predict and exploit. Random passwords are a much better choice than passwords that follow a popular formula.
While hackers still find it difficult to create profitable attacks to exploit weak passwords, you still don’t want to make it any easier for someone to gain unauthorized access to your account. It’s important to understand not only how strong a security strategy is, but also how common it is. If a strategy (or a password construction) is common and predictable, it’s a dangerous choice because it’s easy for a hacker to exploit.
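To make the point from sections 3 and 4 concrete, the following added example (not from the article or the researchers it cites) compares a simple strength meter's score with the cost to an attacker who knows the popular "word + swaps + suffix" formula. The word list, the dictionary size and the guess model are assumptions chosen for illustration.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a breach-derived cracking dictionary (assumption).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine", "football"}
DICT_SIZE = 100_000  # assumed size of a realistic attacker word list
LEET = str.maketrans("@4310$5!7", "aaeiossit")  # undo common character swaps


def naive_meter_bits(pw: str) -> float:
    """Score like a simple strength meter: length * log2(character pool)."""
    pool = sum(size for pattern, size in
               ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
               if re.search(pattern, pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def pattern_aware_bits(pw: str) -> float:
    """Cost for an attacker who tries word + case + leet swaps + short suffix."""
    match = re.fullmatch(r"(.+?)([\d\W_]*)", pw)
    if not match:
        return 0.0
    core, suffix = match.groups()
    word = core.lower().translate(LEET)
    if word not in COMMON_WORDS:
        return naive_meter_bits(pw)  # no known formula: brute force is needed
    guesses = DICT_SIZE                               # which word
    guesses *= 3                                      # lower, Capitalised, UPPER
    guesses *= 2 ** sum(c in "aeiost" for c in word)  # each swappable letter on/off
    guesses *= 43 ** len(suffix)                      # digit or symbol per suffix char
    return math.log2(guesses)


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG, with no human-chosen structure."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Sunshine2016", generate_password()):
        print(f"{pw!r}: meter {naive_meter_bits(pw):.0f} bits, "
              f"pattern-aware {pattern_aware_bits(pw):.0f} bits")
```

A password that follows the formula scores well on the meter but costs the attacker far fewer guesses, while the randomly generated one gives the attacker no shortcut.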
5. Sites don’t do enough to protect your accounts and data
Everyone knows that it’s important to create strong, unique passwords to protect online accounts and data from hackers. But even if you use a password manager and choose a complex password for each of your accounts, that’s still not a guarantee that you won’t be hacked. Robert McMillan reported a couple of years ago for Wired that “a complex password isn’t necessarily a secure password.” That’s because while there are some situations in which a complex password can help you, there are other situations in which the strength of your password is irrelevant.
For instance, if the company that holds your password stores it in plain text, without encryption, it’ll be easy for a hacker to access. And some passwords that seem complex can actually be pretty easy for hackers to guess. So if an app or website simply requires you to create a long password without any password rules that actually ensure you’ll create a strong password, you may not be as secure as you think you are.
It’s been proven time and time again that humans are very bad at creating random passwords — which is exactly what you need to do to create a strong password. “So,” McMillan posits, “maybe we should just expect our passwords to suck, and concentrate on protecting accounts in other ways — like with two-factor authentication, where you have to use a password in tandem with something like a fingerprint, a text message, or a random number generated on a device you lug around.”