By Anton Scott.

The issue with universal passwords

We have all been there: midway through creating a new account for a streaming site, subscription service, or online store, we are met with the daunting “Choose a Password” screen, with an endless list of criteria to follow to ensure a strong password. But you haven’t got time for this, so, like 65% of all other people, you choose to reuse the universal password that has served you well for the last few years. Piece of cake, you think. You know this password is ingrained in your mind because you use it all the time; you won’t forget it. You know it’s slightly risky to indulge in these lazy password practices, but you disregard your inner critic. After all, who would care enough to hack you anyway? You’re just being paranoid, right? So you log in with ease and go about your day.

The next week you wake to find that you cannot log in to your email. That’s odd, you think. You retry your universal password numerous times to no avail. You send a reset link to your backup email; after all, you never bothered to set up 2 Factor Authentication (2FA), who needs that anyway? Attempting to log in to this other email, you are met with the same message: “Incorrect Password”.

Now here is where you begin to get worried: you put the pieces together and arrive at the conclusion that you may have suffered a security breach. Hopefully, it is just your email accounts. But unfortunately, this is only the tip of the iceberg, for your online banking, online shopping, insurance and all the other essential sites for which you have used this favoured universal password have been swiftly compromised. Your payment info has been swiped; your personal details have been stolen and are now in the hands of a cybercriminal who wishes to use these credentials for personal gain. But I suppose you were just being paranoid.

As unlikely as it seems, this is a very real threat that many of us face in the digital age, and not enough of us are doing enough to ensure that our passwords are truly impenetrable. According to the NSA, there are 300 million hacking attempts per day; at this rate, it is sheer luck if you have not yet been targeted. With the threat on the rise, it is essential that we begin to implement more robust password practices.

Vulnerabilities & How to protect against them

A weak password is vulnerable to brute-force cracking, where combinations of characters are tested repeatedly until the password is found. The shorter and less complex the password, the faster the software cracks the credentials. A longer password can and will deter a hacker from using this type of attack, as it will take an immense amount of time to crack. Lengthen your password.

A dictionary attack involves the program sifting through a preset list of common words frequently used in passwords. The more standard the word, e.g. “ballistic”, the more likely it is to appear in the wordlist and result in a crack. Therefore, diversify your use of characters: “Ba11i$tiC” would be a much more secure choice due to its blend of capitals, numbers and symbols.
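To make the two attacks above concrete, here is an added example (not part of the original article) that estimates how large a keyspace a brute-force run must cover for a given password, and checks whether the password is a dictionary word once common character substitutions are undone. The wordlist, the leet substitution table and the guess rate of 10 billion guesses per second are constructed assumptions; the example also goes slightly beyond the text in showing that “Ba11i$tiC” gains keyspace against brute force but is still recognised by a rule-based dictionary check.

```python
import math
import string

# Constructed mini wordlist standing in for the multi-million-entry
# dictionaries that cracking tools ship with.
COMMON_WORDS = {"password", "ballistic", "welcome", "dragon", "letmein", "sunshine"}

# Reverse "leet" substitutions (assumed table). Dictionary attacks apply rules
# like these, so a mangled dictionary word is still found by such a run.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "$": "s", "@": "a", "!": "i"})

def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must try, based on the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size

def brute_force_bits(password: str) -> float:
    """Entropy in bits if each character were chosen uniformly from the charset."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole keyspace at an assumed guess rate
    (1e10/s is a constructed figure for a GPU rig against a fast hash)."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)

def normalise(password: str) -> str:
    """Undo common substitutions and case so dictionary words are recognised."""
    return password.translate(LEET_MAP).lower()

def in_dictionary(password: str, words=COMMON_WORDS) -> bool:
    """True if the password is a dictionary word, even after leet/case mangling."""
    return normalise(password) in words

def assess(password: str) -> dict:
    """Summarise both attack surfaces for a candidate password."""
    return {
        "length": len(password),
        "bits": round(brute_force_bits(password), 1),
        "years_to_exhaust": years_to_exhaust(password),
        "dictionary_hit": in_dictionary(password),
    }

if __name__ == "__main__":
    for pw in ["ballistic", "Ba11i$tiC", "Ba11i$tiC-kettle-9-orbit"]:
        print(pw, assess(pw))
```

Running the block shows “ballistic” exhausted in minutes, “Ba11i$tiC” in a couple of years at the assumed rate but flagged as a dictionary hit, and the long mixed string neither exhausted nor matched; length is what moves the brute-force figure, and avoiding dictionary words (even mangled ones) is what defeats the wordlist.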

Phishing attacks are common but easy to spot if you know what to look for. They often attempt to set a narrative such as “You are eligible for [Insert offer here]” or “There is an issue with your personal info that needs updating” or “You have won a [Insert valuable object]”. All with the intention of luring you in to enter your personal information. Steer clear of emails, texts or even letters like these; the only thing you will be eligible for is identity theft. Ensure you verify that your received communications are from a trusted & legitimate source and sever any correspondence with suspicious ones.

Here are some general principles that you can follow to ensure the security of your credentials:

  • Use a lengthy password with a diversity of characters, capitalization, symbols and numbers.
  • Do not include your names, birthdays, addresses or phone numbers in your passwords.
  • Use abbreviations for phrases, e.g. “I Would Not Like To Be Hacked” = “IWNL2BH”.
  • Change your passwords regularly, every 30-90 days is good practice.
  • Do not share your passwords. Sharing creates more liabilities.
  • Educate yourself on what phishing looks like, and know how to avoid/deal with it.
  • Always use 2 Factor Authentication, this provides an additional layer of security in the event of a breach.
  • Use trusted password manager programs that store your passwords securely and auto-generate random and complex ones every time you create a new account. Examples include LastPass, Dashlane and 1Password. Make sure your master password is the Fort Knox of passwords and follows all the above criteria, or there is no point in using this type of software.
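The following added example (not from the article or from any of the password managers it names) shows what the checklist looks like in code: a generator that draws every character from the operating system’s cryptographic random source and resamples until all four character classes are present, a check that rejects passwords embedding personal details, and the phrase-abbreviation trick from the list. The personal-details list and the word substitutions other than the article’s own “To” → “2” are assumptions.

```python
import secrets
import string

# Character classes the checklist asks for.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())

# Word substitutions used when abbreviating a phrase; "to" -> "2" follows the
# article's example, the other entries are assumptions.
WORD_SUBS = {"to": "2", "for": "4", "and": "&"}

def has_all_classes(password: str) -> bool:
    """True when at least one character from every class is present."""
    return all(any(c in chars for c in password) for chars in CLASSES.values())

def contains_personal_info(password: str, personal) -> bool:
    """Reject passwords embedding names, birthdays, etc. (case-insensitive)."""
    lowered = password.lower()
    return any(item.lower() in lowered for item in personal if item)

def generate_password(length: int = 20) -> str:
    """Draw each character from the OS CSPRNG via the secrets module (never the
    random module, which is predictable) and resample until every class appears."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character of every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate

def abbreviate_phrase(phrase: str) -> str:
    """First-letter abbreviation of a phrase, e.g. "I Would Not Like To Be Hacked"
    -> "IWNL2BH". Easier to remember than a random string, but only as strong
    as the phrase is unpredictable."""
    return "".join(WORD_SUBS.get(word.lower(), word[0]) for word in phrase.split())

if __name__ == "__main__":
    pw = generate_password(20)
    # Constructed personal details for the demonstration.
    print(pw, has_all_classes(pw), contains_personal_info(pw, ["Anton", "1990"]))
    print(abbreviate_phrase("I Would Not Like To Be Hacked"))
```

The resampling loop is cheap at 20 characters and guarantees the result would pass a checker built on the same four classes; the abbreviation helper is included to show the memorable-phrase technique, not as a replacement for the generator when a password manager can remember the password for you.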

I hope that you have been able to draw some valuable knowledge out of this article and can work towards securing your online identity. Remember, if you ever doubt your credentials, that feeling alone is enough to constitute a reason for fortification. A little paranoia is good in the long run, your digital profile will thank you for it.

By Shameer Sabar.

As technology advances, and organisations incorporate more and more IT systems into their business in order to aid and facilitate their functions and processes, it becomes necessary for them to test the safety and security of these IT systems. Small and medium-sized enterprises, also known as SMEs, are especially vulnerable to cyber attacks. According to the Cyber Security Breaches Survey of 2020, 68% of all medium-sized businesses in the United Kingdom identified at least one cyber security breach or attack in the past 12 months. This is partly because many SMEs do not consider themselves targets and so do not do enough to protect themselves, but even those aware of the risks usually do not have sufficient resources to defend themselves. This is not to say that large businesses remain unaffected: the survey also highlighted that 75% of large businesses had been affected.

Ethical hacking, or penetration testing, allows organisations to seek out and correct vulnerabilities and flaws in the security of their computer systems, networks and databases. While malicious hackers, or black hat hackers, penetrate the databases and IT systems of organisations with ill intent and for personal gain, ethical hackers, or white hat hackers, are hired by the owner of the company and given permission to penetrate its network and computer systems using the same tools and knowledge as a criminal hacker, but with the intention of determining vulnerabilities and weaknesses in the security of those systems and networks. Their work is conducted in a lawful manner. By doing so, they can then recommend preventive and corrective countermeasures to the organisation to prevent cyber attacks.

Ethical hackers use many methods of sourcing vulnerabilities. They use scanning and analysis tools such as Nmap, Wireshark or Nessus to scan a company’s systems, identify open ports, study the vulnerabilities of each exposed service and take corrective measures. They also test patch installation processes to make sure software updates do not introduce new vulnerabilities that an attacker could exploit. Using the right tools, they also perform network traffic analysis and sniffing. Ethical hackers also rely on social engineering techniques to manipulate end users and find information about an organisation’s computing environment.
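The "identify open ports and take corrective measures" step above is usually done by comparing scan results against what each host is supposed to expose. The added example below (not from the article or from the Nmap project) parses a constructed sample in Nmap's grepable output format (the `-oG` option, whose `Host:` / `Ports:` line layout is real) and reports any open port that is not in an assumed authorised baseline, which is the list a tester or an administrator would hand to the owning team for remediation. The hosts, ports and baseline are constructed.

```python
import re

# Constructed sample in Nmap's grepable (-oG) output format; not a real scan.
# Each port entry is port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -oG - -p 1-1024 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (1021)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///, 23/filtered/tcp//telnet///\tIgnored State: closed (1021)
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (1023)
# Nmap done (constructed sample) -- 8 IP addresses (3 hosts up) scanned
"""

# Constructed baseline: the ports each host is supposed to expose.
# 192.0.2.12 is deliberately absent, standing in for an unknown host.
AUTHORISED = {
    "192.0.2.10": {22, 80, 443},
    "192.0.2.11": {22},
}

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

def parse_grepable(text: str) -> dict:
    """Map host -> {port: (state, protocol, service)} from -oG 'Ports:' lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and Status-only lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            hosts.setdefault(host, {})[int(port)] = (state, proto, service)
    return hosts

def unexpected_open_ports(scan: dict, baseline: dict) -> dict:
    """Open ports absent from the baseline, keyed by host. A host missing from
    the baseline has no authorised ports, so all of its open ports are reported.
    Filtered/closed ports are ignored: only 'open' is an exposure."""
    findings = {}
    for host, ports in scan.items():
        allowed = baseline.get(host, set())
        extra = {p for p, (state, _, _) in ports.items()
                 if state == "open" and p not in allowed}
        if extra:
            findings[host] = sorted(extra)
    return findings

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    for host, extra in unexpected_open_ports(scan, AUTHORISED).items():
        services = ", ".join(f"{p}/{scan[host][p][2]}" for p in extra)
        print(f"{host}: unexpected open ports {services}")
```

On the sample this reports the MySQL port on 192.0.2.11 and the proxy on the unknown host 192.0.2.12, while the filtered telnet port is left out because it is not reachable; the same comparison rerun after each patch cycle is what turns a one-off scan into the ongoing check the paragraph describes.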

Like black hat hackers, ethical hackers look through activity on social media or GitHub, engage employees in phishing attacks through email or roam through premises with a clipboard to exploit vulnerabilities in physical security. However, ethical hackers are given limits on their social engineering techniques, such as a ban on making physical threats to employees or on other attempts to extort access or information, in order to keep their hacking ethical and lawful.