Chapter 1:
How People Get Hacked

Locke Presents:

How to Not Get Hacked on the Internet

It might seem to you that not getting hacked is mostly luck. We all know someone who has been hacked while seemingly doing everything right. There isn’t a clear definition of what it takes to stay safe on the Internet.

The good news is that 95% of hacks stem from 2 simple and preventable attack vectors: passwords and social engineering ⬇️


How People Get Hacked

A Story of Passwords and Phishing

The problem with passwords is that even seemingly great passwords are easy to steal. Any castle is vulnerable if you have a key to the front gate. Instead of typing rapidly on glowing computer terminals with green text in order to “hack the mainframe”, these days hackers simply send out massive amounts of email and text messages to try and get you to give them your credentials.

Phishing is the most common form of social engineering since it’s ridiculously easy for hackers to do. They can send out massive amounts of emails every day for little cost. Even though the vast majority of them don’t get opened, it only takes a few unwitting people to click on them to make money.

The bad news is that even by simply clicking on a malicious link the hacker can steal your current login session for a particular account, and use that session to masquerade as you for a limited period of time. Even though the time period of a given session is limited, it’s typically enough time for them to change the password to the account, thereby locking you out and taking complete ownership. So, to be safe on the Internet do not click on malicious links. In fact, don’t even open suspicious messages. For examples of phishing emails and messages see our forum.

There are other avenues of social engineering as well. With the rise of AI hackers can even perfectly impersonate a person’s voice over the phone, assuming they can get the voice data. This is a new and extremely pernicious form of attack that is very very difficult to protect against and can be devastating for families. Imagine you get a call from an unknown number, on the other end is a voice that sounds exactly like your child and they’re asking you to wire them $10,000 for bail. The sense of urgency in the call makes you act, and few people would blame you for losing that $10k.

But it’s not all doom and gloom! Keep reading to learn more about what can happen when you get hacked and how to avoid it completely.


The Consequences

What’s the Damage Doc?

There are different levels of consequences depending on the type of hack that has occurred. There are a lot of different type of hacks, but for simplicity let’s classify three. In order of severity:

  1. Master password hacks
  2. Device hacks
  3. One-off hacks (session stealing & scams)

(1) Re-used or master password hacks are the worst hack by a large margin because it allows a hacker to fully impersonate you.

Let’s imagine that someone phishes your Gmail account. Well, now they have complete access to your email. You know, the account you use to reset all your other passwords! That’s what we refer to as a “master” account. A master account enables hackers to wholesale impersonate you with little or no recourse. This can result in bank fund withdrawals, new lines of credit in your name, and a complete stolen identity.

If you re-use the same password or a variant of that password everywhere, then you’re in bad shape since a (3) can instantly become a (1). Don’t think you’re fooling the hackers by adding a extra exclamation to your bank password.

(2) Device hacks are trickier because sometimes there isn’t much you can do to stop it. Anti-viruses and VPNs do nothing to help you these days, the only reliable method of stopping them is to keep all your devices up to date and keep your ear to the ground regarding new attacks (which you can do on our community page).

The consequences of a device hack can be drastic, though is usually more limited than a master account hack. In the worst case scenarios, a device being hacked may result in a master account being hacked meaning. You may even have to factory reset the device and lose unbacked up data in the process.

(3) One-off hacks are the least consequential but unfortunately the most common type of hack. A hacker can steal a password for a particular account, and as long as that password isn’t reused elsewhere, the damage is limited to that singular account. However the moment you’ve reused that password you’ve upgraded what should have been an isolated incident into a code red.


How To Not Get Hacked

It’s Not Luck!

In short:

  1. Use strong, unique passwords
  2. Don’t click on malicious links
  3. Be wary of the data you put out online

Accomplishing (3) is easy, simply make sure your social media profiles are private. If you have a lot of content of yourself out there just know the risk that entails and plan accordingly. With AI getting better everyday, deep fakes and AI voices are no longer science fiction.

Accomplishing (1) and (2) is far harder and are the very reasons why Locke exists today. Firstly, a truly strong password these days is far different from days past. 8 characters is simply not enough, even with symbols and uppercase and all the other esoteric password requirements in place. 12 characters is much better while 16 is the threshold to be truly secure and future-proof. The good news is that with a password manager you should only need to remember one 16 character password! We have a whole writeup on how to choose and remember a good password and it’s probably very different from what you’re expecting (all lowercase passwords are fine!).

Secondly, knowing what a malicious link looks is very difficult. Hackers are smart and they develop new ways to trick people everyday. The simplest way to avoid this is to stay educated on what malicious links look like and the patterns hackers use to make their websites look legitimate. Here is a link to some phishing examples. If you’ve seen or fell victim to a phishing attack recently, do your part to let other people know by adding it to our community list of phishing attempts.

Locke is currently working on developing a phishing filter machine learning model that can automatically protect you from malicious links. Stay tuned!

Shameless Plug

Locke Keeps You Safe on the Internet

Locke provides an easy interface to use strong unique passwords on every website. We also provide a secure way to share passwords with family members and a social recovery option that is far more secure than email password resets.

Any password you store on Locke is encrypted using the most secure encryption algorithm currently available: XChaCha20. On top of that, all sensitive operations such as social recovery and password resets are done with a post quantum secure handshake using Crystals Kyber. This advanced cryptography results in 3 layers of encryption, providing a future proof fortress for your passwords.

Get your entire family on Locke now for $18.99/month.

End-to-End Encrypted Password Resets

Locke uses Shamir’s Secret Sharing and Crystals Kyber to create a a complete end-to-end  secure environment to reset your password. This is in stark contrast to other password managers that either (a) don’t have a recovery mechanism or (b) keep a copy of your keys in order to provide recovery services. Locke’s social recovery feature is the holy grail of security, end-to-end encrypted and 100% recoverable.

Additionally, your recoverers receive absolutely no information about your password due to the information-theoretic secure properties of Shamir’s Secret Sharing.