There are many aspects of cybersecurity that we have no control over, but our own password security is not one of them.
Your passwords are the gatekeepers to your personal information, your finances, and your private records. Today, they also offer inroads into your company data. The weaker your passwords are, the more vulnerable you are as an individual, and the higher the risk to your company.
With so many teams working remotely it stands to reason that our personal and business security are intrinsically linked. What steps should we take to ensure that we are not the chink in the armour?
The Truth Behind Password Hacking
If you are of the opinion that a data breach or stolen personal records happen to someone else, consider this: In 2018, over 2.5 billion accounts were hacked, which equates to 158 accounts every second of every day.
The biggest vulnerability was cited as “human naivety.”
Before we look into how to protect ourselves, we’d like to explore the most common methods that criminals use to hack our passwords.
For most of us, this is simply a slightly scary word, but we have no idea where or how this dark web exists. Among other things, it’s the perfect place to buy and sell stolen data - notably usernames and passwords.
If you have had the same password on one of your accounts for some time, then there’s a good chance it has passed through a few hands. This doesn’t only apply to your email or banking accounts: it applies equally to apps you’ve downloaded, software you use on your phone or computer, and even data storage accounts.
A good idea is to check on the integrity of your accounts and establish if they have been leaked or compromised.
Brute Force Attack
Sadly, the advancement of technology has also allowed for the development of some powerful hacking software. For example, back in 2012 one hacker developed a system that could crack any 8-character password in under six hours, even one made up of the required upper and lowercase letters, numbers and symbols. Basically, it achieved this by beating down the door, running through 350 billion password guesses per second.
These numbers are almost incomprehensible to most of us, and yet, these systems exist and get better every day.
The Dictionary Attack
As you would imagine, the dictionary attack method works on the assumption that you’ve selected a word or combination of real words for your password. The software then runs through all the words and word combinations until it cracks yours.
Single-word passwords are far more vulnerable than a random combination of several words.
Given that we’re likely to use passwords that we can remember, many of us choose the names of our children, spouse, or pet. Therefore, if an unscrupulous hacker has targeted you, they may stalk your social channels to find the names of the people and pets closest to you and use those as the basis for guessing your passwords.
In fact, there have been rumblings of social media pages that run “fun polls” to get you to divulge this information. Posts such as “What was the name of your first pet?” or “What does your child’s name mean?” encourage people to share what feels like innocent information with total strangers.
What is a Weak Password?
With pretty much everything going online, from banking to personal communication, we have to remember dozens of passwords. Cybercriminals know this and understand enough about human nature to draw some alarmingly accurate conclusions.
Passwords that lay out the welcome mat for hackers include:
- Simple, sequential numbers such as 123456
- Default passwords such as you’d find on routers
- The word “password”
- Short passwords under six characters
- Names of family members or pets
- Your date of birth
Best Practice for Enhanced Password Security
Outside of smishing, phishing scams or automated spammy phone calls asking for our personal details, we can remain a difficult target if we practice smart password security.
Stay Away from Personal Information
Many cyberattacks are blunt (albeit effective) instruments that run through the web looking for easy prey. However, there may come a time when you are specifically targeted for whatever reason, which means your entire life will come under scrutiny.
Avoid using your name, names of your family members, pets, schools or colleges, or home towns in your password. Your date of birth is another commonly used password, but also easily crackable.
Mix it Up and Make it Longer
Remember the brute force attack? While the system mentioned above isn’t freely available, there is still a frightening amount of software that uses brute force to cycle through every possible password.
For the mathematicians, Scientific American offers more insight into the value of longer passwords.
The crux of the matter is that a 6-character password using only lowercase letters has 26^6 possible combinations, or around 308,915,776 choices.
In contrast, a 12-character password of mixed upper and lowercase letters, numbers and symbols results in a mind-boggling 72^12, or 19,408,409,961,765,342,806,016 combinations. That number starts with nineteen sextillion… and goes from there.
Essentially, this changes the chances of your password being hacked from seconds into years.
Avoid the Obvious
We may think that we’re being pretty smart replacing letters with numbers and symbols to make up words, but hackers are already onto this. T#[email protected]_3*amp13 (This is an example)
It’s called Leet Speak, and there are already dozens, if not hundreds, of online translators that can quickly run through these ciphers and unpack them. A good idea is to mix letters, numbers and symbols as randomly as possible.
Keyboard paths are another common failing when it comes to securing passwords. Qwerty, for example, may look like a random string but is an easily cracked password.
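To put the brute-force arithmetic, the weak-password list and the leet-speak and keyboard-path pitfalls above into one defender-side check, here is an added example (not code from the original article). It assumes the 350 billion guesses per second quoted earlier as the attacker's rate, a 10-symbol punctuation set so that lower + upper + digits + symbols gives the 72-character alphabet the article uses, and a small constructed wordlist and keyboard-path list standing in for the multi-million-entry lists real cracking tools carry. The 26^6 and 72^12 keyspaces match the article's figures exactly.

```python
import re

# Guess rate the article quotes for the 2012 brute-force rig: 350 billion guesses per second.
GUESSES_PER_SECOND = 350_000_000_000

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
# Assumption: a 10-symbol punctuation set, so lower + upper + digits + symbols = 72,
# the alphabet the article uses for its 12-character example.
SYMBOL_COUNT = 10

# Constructed stand-ins for a cracking wordlist and a keyboard-path list
# (real lists hold millions of entries; these are illustrative only).
WORDLIST = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine", "coffee", "chicken"}
KEYBOARD_PATHS = ("qwerty", "asdfgh", "zxcvbn", "1qaz2wsx")

# Common leet substitutions, undone before the dictionary lookup. "1" is ambiguous
# (i or l); a real cracker tries every variant, this example simply picks "i".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def alphabet_size(password: str) -> int:
    """Smallest alphabet an attacker must assume to cover every character of this password."""
    size = 0
    if any(c in LOWER for c in password):
        size += len(LOWER)
    if any(c in UPPER for c in password):
        size += len(UPPER)
    if any(c in DIGITS for c in password):
        size += len(DIGITS)
    if any(c not in LOWER + UPPER + DIGITS for c in password):
        size += SYMBOL_COUNT
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords of exactly this length over this alphabet."""
    return alphabet ** length


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate of this length and alphabet is tried."""
    return keyspace(alphabet_size(password), len(password)) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit ('seconds into years')."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:.3g} seconds"


def unleet(password: str) -> str:
    """Reverse the usual letter-to-symbol swaps so 'p@ssw0rd' is compared as 'password'."""
    return password.translate(LEET).lower()


def is_sequential_digits(s: str) -> bool:
    """True for runs such as 123456 or 654321."""
    if not s.isdigit() or len(s) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def weaknesses(password: str, personal_info=()) -> list:
    """Flags from the article's weak-password list plus the leet and keyboard-path pitfalls."""
    found = []
    norm = unleet(password)
    if len(password) < 6:
        found.append("shorter than six characters")
    if is_sequential_digits(password):
        found.append("sequential digits")
    if norm in WORDLIST:
        found.append("single dictionary word (after undoing leet substitutions)")
    if any(path in norm for path in KEYBOARD_PATHS):
        found.append("keyboard path")
    for item in personal_info:  # names, pets, birth year the user supplied about themselves
        if unleet(item) in norm:
            found.append(f"contains personal information: {item}")
    return found


def strength_report(password: str, personal_info=()) -> dict:
    """Keyspace, worst-case brute-force time at the article's rate, and any weak patterns."""
    return {
        "alphabet": alphabet_size(password),
        "keyspace": keyspace(alphabet_size(password), len(password)),
        "brute_force_time": human_time(seconds_to_exhaust(password)),
        "weaknesses": weaknesses(password, personal_info),
    }


if __name__ == "__main__":
    # Constructed sample passwords; "Fluffy" and "2010" play the role of a pet name and birth year.
    for pw in ("abcdef", "Kp7!mQ2#zL9$", "p@ssw0rd", "qwerty123", "Fluffy2010", "VerdantChallengeLifeChicken"):
        print(pw, strength_report(pw, personal_info=("Fluffy", "2010")))
```

Run as a script it prints a report per sample: the six-letter password falls in under a millisecond at the quoted rate, the 12-character mixed one takes on the order of 1,757 years, and the four-word passphrase passes every pattern check while the leet-disguised "p@ssw0rd" does not. The time figure is an upper bound for a blind search of the full keyspace; a dictionary or pattern hit, which is what the weakness flags detect, ends the search far sooner.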
Use Your Words
As we have seen, the longer the password the better. If you still want to use words to make it easy to remember one of your passwords, then again - keep it random to avoid the Dictionary Attack.
For example, a series of unrelated words such as VerdantChallengeLifeChicken is a better option than BlackCoffee. To add further to a hacker’s headache, add some symbols into the mix, for instance, [email protected]@llengeL1feCh1cken.
Avast recommends a method known as the Bruce Schneier Method or sentence method. They say, “The idea is to think of a random sentence and transform it into a password using a rule. For example, taking the first two letters of every word in “The Old Duke is my favourite pub in South London” would give you: ThOlDuismyfapuinSoLo”
Use a Password Manager
Password managers are a great way to keep track of multiple passwords and mean you only have to remember one password - even though it’s going to be a crazy, long, complex one. Make use of one of the password generators available online too, which spit out long, complicated password options.
Multi-Factor Authentication (MFA)
Not only is MFA brilliant to protect your passwords, but it also serves to notify you when one of your accounts is being accessed by, say, a prying ex.
MFA requires something more than a password before the user is granted access. This can take the form of a biometric scan, an OTP, or a token from an authenticator app on your phone. The Google Authenticator App is a great option that loads a new token every few seconds and offers a great added layer of security.
Securing Your Business
Your IT department will certainly do its best to keep your data secure, but it’s up to the individuals in your organisation to ensure that they are aware of the role their password security plays.
Yes, constantly changing passwords and updating security information can be a bit of a bore, but it’s good to remember that three short years ago, the world was experiencing 158 breaches per second.
We invite you to chat with our team of professionals to discuss your digital security and how we can add value to your business.