Covid compliance forced physical shops to close and accelerated the use of technology to make purchases and communicate. Increased tech use can mean users get lax with their password security and either re-use their passwords or create insecure passwords.
Organisations such as Evil Corp (see resources below) exploit thousands of individuals and companies with poor security worldwide every year, and they’re getting away with it. Once perimeter defences have been breached, many hackers move laterally through companies’ systems thanks to inferior network segmentation, gaining access to sensitive data.
Having seen relatives become victims of cybercrime, and senior staff in previous roles get duped into handing their work passwords to fraudsters, it’s essential to educate everyone on the simple steps that keep virtual (and operational) security at the top of their list.
It’s Okay. I’ve Got Site Lockdown and CAPTCHA.
Many users assume that a mixed security approach of minimum password requirements, password failure lockdowns, and CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) diminishes the threat of having their account hacked.
These techniques will help against brute force attacks (where a hacker will sequentially try thousands of password combinations starting at ‘a’ then moving onto ‘aa’, for instance), but more sophisticated attacks are now happening.
While site lockdown and CAPTCHA will help slow down attacks (site lockdowns limit the number of attempts to log into a system), criminals are now targeting the passwords themselves.
The NCSC has published a separate analysis of the 100,000 most commonly re-occurring passwords that third parties have accessed in global cyber breaches, and an independent study amongst businesses found:
- 75% of the participants’ organisations had accounts with passwords that featured in the top 1,000 passwords.
- 87% had accounts with passwords that featured in the top 10,000 passwords.
Below are five simple steps to help combat being a victim of cybercrime. They’re simple, quick and worth sharing with your business network and family:
1. Passwords and Passpack
To help combat the issue of having to remember many secure passwords across numerous platforms in a commercial setting, we rolled out Passpack when I worked at Rippleffect.
Passpack, which is a password manager, described itself as providing:
“…the tools that teams and individuals need to securely organise, collaborate and store your passwords with strong encryption and administrative controls”.
In a business, it’s helpful to have the ability to allow or remove access to stored passwords when people come and go – but from an individual point of view, having a password manager allows for much more secure passwords without having to remember them.
Using a password manager means you need a very secure password for the admin access. Passpack will also not allow you to recover your secondary passphrase: forget it, and it’s gone.
Another password manager I’ve also used is 1Password, though I found the user interface a little more confusing than Passpack.
Most browsers now also come with a built-in password management system to save passwords for specific sites.
These systems do work well, though the more advanced tools of third-party password managers may appeal more to those who have more in-depth needs (such as additional fields). The third-party applications can also be easily accessed if you don’t have the browser you’ve saved all the passwords on, though be wary of accessing password managers on public computers (which may have a keylogger installed) and over unknown Wi-Fi.
2. Increase Your Password Security
Technically speaking, the longer and more complex passwords are, the harder they are to guess. For instance, a random 20-character password including letters, numbers, and special characters will be hard to crack. But realistically, as a human, you’re probably not going to remember it, and if you do, you’ll use it to log into more than one platform.
Having the same password across multiple platforms is a sure-fire way to let hackers move laterally from a low-security forum to hacking something more critical.
To try and find a happy medium between the two, the NCSC suggests using a password made up of three words that you can easily remember for a given platform. You’ll still need to comply with the minimum password requirements for the site you’re logging into (e.g. one capital letter and a unique character), but the three words should increase the security of your data and allow you to remember it. Failing that, if you’ve got your password storage set up as above, it won’t matter too much if you forget.
3. Use At Least Two-Factor Authentication (2FA) / MFA
This is one of my favourite ways to help protect your logins. As it suggests, two-factor authentication requires a user to put in their primary details (e.g. username and password) and a second factor.
The second factor can come in several forms. The most common is an SMS message to your phone which most banks now use.
Interestingly, Amazon Web Services (AWS) have changed the name from two-factor to multi-factor, and they’ve dropped the use of SMS to secure their servers, presumably because SMS isn’t as secure as the alternatives (it is exposed to spoofing, for instance).
AWS Identity and Access Management (IAM) has stepped up its security on this; you’ll get a warning to add MFA to the Root account (the primary account you started with, which has access to all areas).
The options other than SMS come in the form of authenticator apps such as Twilio’s. Here you associate your account with the app, which generates a code to enter as your second authentication method.
Having these as apps is excellent, as it makes the second factor just as accessible as the SMS method.
Some systems also need the user to have a separate piece of hardware – similar to those banks used to use, e.g. a tamper-evident hardware key fob device. These are generally used by higher security institutions such as enterprise-scale businesses and the government and have a more significant cost attached to their use.
The NCSC’s advice on MFA? “we strongly recommend that everyone switches it on for their email (if possible) and any other online service they care about.”
4. Have I Been Pwned (HIBP)
Head over to the HIBP website. Here Troy Hunt, who works for Microsoft (see the plug for Azure), has built a site that lets you check whether your data has been exposed in any breaches.
It’s an excellent first step to start securing your details, though there are plenty of caveats about how to use the information you get from it and its accuracy.
Take a look at the FAQs and, if you feel it’s valuable, sign up. It’s free, and the link is in the resources below.
The first three points on this list are about securing your passwords and data. The fourth is a stepping stone to start checking where your data may have been released into the wild.
This last step is an absolute must to bolster your security profile.
As mentioned above, the NCSC has published a list of the 100,000 most common passwords.
Use this link to see the passwords: https://bit.ly/3eNbtQo.
After searching for your passwords (then looking up naughty words), you’ll notice that many of these passwords are pretty ‘secure’ in conventional terms, including the number of characters used and adding a “salt” to the password.
Because these passwords have been used so much, hackers can bypass the usual need for brute force and concentrate on them. It’s especially worrying because users who have a secure-looking password may not have turned on multi-factor authentication, believing that their password passes all the minimum security checks and is therefore secure.
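Steps 4 and 5 both amount to the same check: is this password already in a leaked-password corpus? The following added example (not from the original article) shows how such a lookup can be done without ever sending the password or its full hash anywhere, using the k-anonymity scheme HIBP’s Pwned Passwords range API uses (the client sends only the first five hex characters of the SHA-1 hash). The corpus, counts and the simulated server here are constructed for the demo; the `audit` helper also flags the cross-site reuse the article warns about.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-password corpus (NCSC top-100,000, HIBP Pwned
# Passwords); the entries and counts below are made up for this demo.
CONSTRUCTED_CORPUS = {
    "password": 3730471,
    "123456": 23547453,
    "qwerty": 3912816,
    "Summer2020!": 1024,  # passes typical complexity rules yet is on the list
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Shard the corpus by the first 5 hex chars of SHA-1, as the range API does:
    {prefix: [(remaining 35 hex chars, count), ...]}."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append((digest[5:], count))
    return index

RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)

def range_lookup(prefix: str):
    """Simulated server side of the k-anonymity protocol: the client sends only a
    5-char prefix (real HIBP: GET https://api.pwnedpasswords.com/range/<prefix>)
    and gets back every suffix in that bucket; the server never sees the full hash."""
    return RANGE_INDEX.get(prefix, [])

def pwned_count(password: str, lookup=range_lookup) -> int:
    """How many times the password appears in the corpus; 0 if it is not there."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate, count in lookup(prefix):
        if candidate == suffix:
            return count
    return 0

def audit(accounts: dict) -> dict:
    """accounts maps site -> password. Flags leaked passwords and cross-site reuse."""
    sites_by_password = defaultdict(list)
    for site, pw in accounts.items():
        sites_by_password[pw].append(site)
    return {site: {"leaked_count": pwned_count(pw),
                   "reused_on": [s for s in sites_by_password[pw] if s != site]}
            for site, pw in accounts.items()}
```

Swapping `range_lookup` for a function that fetches the real range endpoint turns this into a live check, while the password itself still never leaves your machine.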
No way of working or system will be 100% foolproof against hackers; indeed, many aspects of site security are entirely out of your hands, which is why having secure passwords and limiting cross-platform password use is essential.
Following the steps below, though, should help reduce the probability of a direct compromise of your account, or of being caught up in a sitewide security incident.
- Make sure your passwords aren’t on the list – if they are, change them.
- Check the Have I Been Pwned link and act on the feedback.
- Ensure multi-factor authentication is turned on for all apps and websites that offer it.
- Check through your synced passwords on Chrome or Safari to see how strong they are, and there are no duplicates.
- Use a system like Passpack or 1Password to store hard-to-remember passwords (but make sure access to these systems is protected by a strong password)!
Next steps? Share this article and shout about security with friends and family. If you’re interested in the details, check out the resources below for more information.
Security Article Resources