1. Beware Social Engineering and Phishing Scams

Phishing scams are a significant source of compromised credentials.  These scams are a form of social engineering attacks used to trick the unsuspecting user into revealing account information. These scams can occur by phone, email, or text. 


Most commonly, a phishing scams are initiated by an email that has the appearance of official business and request that you perform an urgent action, like logging into your account.


Sometimes emails contain links to spoofed login pages, where your credentials are captured, or they take you to a web page where malicious code is silently installed on your system.


2. Set Strong Passphrases

Dictionary attacks are a technique of breaking into an account by guessing a passphrase from the dictionary or a list of commonly used passwords.  Also know as a "brute-force attack", passphrases that are poorly generated are the most susceptible (e.g., passphrases containing common words, pet's name, etc.).


3. Check for Secure Sites

When logging into websites, email, or other services, check that the site is secure and your credentials are encrypted. A secure URL for a website starts with "https://" and your browser will display a lock icon in the address bar.


Also, be sure that the site is authentic. Be wary when the browser displays a red slash through the lock icon or gives certificate warnings and know that your passphrase could be intercepted if the website does not offer a secure login.


4. Avoid Public Kiosks or Untrusted Devices

Your credentials are especially at high risk when you enter them on untrusted devices like:

  • Public kiosks or terminals (e.g. hotels, libraries, airports, coffee shops)
  • Borrowing a friend or colleague's computer or mobile device

These untrusted devices may have already been compromised by malware installed to capture your credentials.  And if you forget to properly logout and close the web browser, someone can hijack your account afterward.

5. Know How Attackers Work

Your credentials may be compromised via many methods. Shoulder surfing is a technique where an attacker watches someone while they type in their passphrase.  Shoulder Surfing is especially prevalent in libraries, computer labs, airports, and other public areas. Attackers will also try to use successfully stolen credentials on multiple sites, exploiting the fact that many victims reuse passphrases across multiple accounts.


Additionally, credentials may be intercepted through unencrypted network traffic (also known as "sniffing"). This happens most often on open wireless networks and when credentials are sent in cleartext through email or unsecured web connections (e.g., URL links beginning with http:// instead of https://).