If I have this [marginally / mostly] right, in my own manner of trying to make the info simple . . .
Because some computer users choose weak passwords (and weak username and password combinations), and because some networks do not take the precautions that would block external attacks . . .
A malicious hacker can take advantage of those weaknesses and succeed at gathering, from a relatively exposed Windows computer, the credentials (username and password combination) of an account on an Internet server of interest, and thereby gain access to that server.
Then, the hacker proceeds to:
- collect other credentials (including digital certificates and cookies)
- collect the hash data for username and password combinations
- plant a (domain control media) script by which to assist with future access
Later, and off-site, the hacker uses software that works on the stolen hash data and other credentials . . . and is able to recover at least some additional username and password combinations.
The details:
Suggestions:
- Choose strong passwords. A bare minimum of 14 characters, but longer is much preferred.
- Use a unique password for each account.
- Use a unique username for each account.
- If the account requires an e-mail address as the username, then create a unique alias e-mail address (see the instructions at your e-mail host).
- Require a strong username and strong password for administrative access to any network router, modem, DNS server, and DHCP server, and likewise for administrative access to any network switch.
- Another good security practice is to DISABLE outside (i.e., Internet) access to the management interface of any critical Internet-facing device, such as a router. (You don't really need to reconfigure your home router from your car, do you?)