By Anton Scott.

The issue with universal passwords

We have all been there: midway through creating a new account for a streaming site, subscription service, or online store, we are met with the daunting “Choose a Password” screen and its endless list of criteria for a strong password. But you haven’t got time for this, so like 65% of all other people, you choose to reuse the universal password that has served you well for the last few years. Piece of cake, you think. This password is ingrained in your mind because you use it all the time; you won’t forget it. You know it’s slightly risky to indulge in these lazy password practices, but you disregard your inner critic; after all, who would care enough to hack you anyway? You’re just being paranoid, right? So you log in with ease and go about your day.

The next week you wake to find that you cannot log in to your email. That’s odd, you think. You retry your universal password numerous times to no avail. You send a reset link to your backup email; after all, you never bothered to set up Two Factor Authentication (2FA), who needs that anyway? Attempting to log in to this other email, you are met with the same message: “Incorrect Password”.

Now here is where you begin to get worried. You put the pieces together and arrive at the conclusion that you may have suffered a security breach. Hopefully it is just your email accounts. Unfortunately, this is only the tip of the iceberg: your online banking, online shopping, insurance and every other essential site on which you used this favoured universal password have been swiftly compromised. Your payment info has been swiped; your personal details have been stolen and are now in the hands of a cybercriminal who intends to use these credentials for personal gain. But I suppose you were just being paranoid.

As unlikely as it seems, this is a very real threat that many of us face in the digital age, and not enough of us are doing enough to ensure that our passwords are truly impenetrable. According to the NSA, there are 300 million hacking attempts per day; at this rate, it is sheer luck if you have not yet been targeted. With the threat on the rise, it is essential that we begin to implement more robust password practices.

Vulnerabilities & How to protect against them

A weak password is vulnerable to brute-force crackers, which test combination after combination of characters until the password is found. The shorter and less complex the password, the faster the software recovers the credentials. A longer password can and will deter an attacker from using this type of attack, as it will take an immense amount of time to crack. Lengthen your password.

A dictionary attack involves the program sifting through a preset list of words commonly used in passwords. The more standard the word, e.g. “ballistic”, the more likely it is to appear in the wordlist and be cracked. Therefore, diversify your use of characters: “Ba11i$tiC” would be a much more secure choice due to its blend of capitals, numbers and symbols.
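As an added illustration (not part of the original article), the following Python estimates how the two attacks above scale with a candidate password: the brute-force search space in bits, the average time at an assumed offline rate of 10^10 guesses per second, and whether the password is a simple character-substituted form of a word in a small constructed wordlist, since cracking tools apply such substitution rules. It is run over the article’s own examples, including the “IWNL2BH” abbreviation from the list below.

```python
import math

# Constructed stand-in for a dictionary-attack wordlist (real lists hold millions of entries).
WORDLIST = {"password", "ballistic", "welcome", "dragon", "sunshine", "letmein"}

# Common character substitutions that cracking tools undo with "mangling" rules.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})


def charset_size(password: str) -> int:
    """Alphabet size a brute-force tool must cover to include every character class used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation (95 printable minus 62 alphanumerics)
    return size


def brute_force_bits(password: str) -> float:
    """Search-space size in bits for a naive brute-force attack: length matters more than charset."""
    return len(password) * math.log2(charset_size(password))


def years_to_crack(password: str, guesses_per_second: float = 1e10) -> float:
    """Average time to reach the password (half the keyspace) at an assumed offline guessing rate."""
    expected_guesses = 2 ** brute_force_bits(password) / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def dictionary_base(password: str):
    """Return the wordlist entry this password is a simple mangling of, or None."""
    normalised = password.lower().translate(LEET)
    return normalised if normalised in WORDLIST else None


def assess(password: str) -> dict:
    return {"bits": round(brute_force_bits(password), 1),
            "years_at_1e10_per_s": years_to_crack(password),
            "dictionary_base": dictionary_base(password)}


if __name__ == "__main__":
    for pw in ("ballistic", "Ba11i$tiC", "IWNL2BH", "correct horse battery staple"):
        print(pw, assess(pw))
```

Note that “Ba11i$tiC” has a far larger brute-force space than “ballistic” yet still normalises to the same wordlist entry, which is why the length advice and the diversity advice are best combined.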

Phishing attacks are common but easy to spot if you know what to look for. They often attempt to set a narrative such as “You are eligible for [Insert offer here]”, “There is an issue with your personal info that needs updating” or “You have won a [Insert valuable object]”, all with the intention of luring you into entering your personal information. Steer clear of emails, texts or even letters like these; the only thing you will be eligible for is identity theft. Verify that the communications you receive come from a trusted and legitimate source, and sever any correspondence with suspicious ones.

Here are some general principles that you can follow to ensure the security of your credentials:

  • Use a lengthy password with a diversity of characters, capitalization, symbols and numbers.
  • Do not include your names, birthdays, addresses or phone numbers in your passwords.
  • Use abbreviations for phrases, e.g. “I Would Not Like To Be Hacked” = “IWNL2BH”.
  • Change your passwords regularly, every 30-90 days is good practice.
  • Do not share your passwords. Sharing creates more liabilities.
  • Educate yourself on what phishing looks like, and know how to avoid/deal with it.
  • Always use Two Factor Authentication; this provides an additional layer of security in the event of a breach.
  • Use trusted password manager programs that store your passwords securely and auto-generate random, complex ones every time you create a new account. Examples include LastPass, Dashlane and 1Password. Make sure your master password is the Fort Knox of passwords and follows all the above criteria, or there is no point in using this type of software.

I hope that you have been able to draw some valuable knowledge from this article and can work towards securing your online identity. Remember, if you ever doubt your credentials, that feeling alone is reason enough to fortify them. A little paranoia is good in the long run; your digital profile will thank you for it.

by Kate Dinnison

The Office for National Statistics estimates that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the UK in 2015. There are simple ways to improve the security of your personal data and that of your business, straight from the mouths of industry and government experts.

Ben Buchanan, author of The Cybersecurity Dilemma and Fellow at Harvard University’s Belfer Center Cybersecurity Project, told the War on the Rocks podcast his tips for improving personal cybersecurity.

  1. Two Factor Authentication – a notification you receive when you log into your account from an unfamiliar device. He says, “John Podesta will spend the rest of his life wishing he had it.” Google already offers it on Gmail, and there are also apps such as Duo and Entrust Identity Guard.
  2. Password managers like KeePass, Dashlane and 1Password help you create unique, secure passwords for every website you visit on an easy, encrypted platform.
  3. Don’t open unfamiliar attachments, he lastly suggests. He says that even the most sophisticated, high-end attacks often begin with a dangerous email attachment. In our ever-connected world, “It’s an irony of international politics that one of the most powerful tools of statecraft is being able to write a message someone else opens,” he said.

Ciaran Martin, GCHQ’s Director General of Cyber Security, told WIRED his top tips.

  1. Accept the inevitable. “You need a playbook ready for how you will react when an incident occurs,” says Martin. “You may not be able to hold off a breach but, by having procedures in place, you can quarantine them, isolate the damage and keep the organisation running.”
  2. Guard your interior. “Perimeter defence is just about raising the barrier for entry into your system so that you’re not an easy target,” Martin asserts. “You need both perimeter defence and active internal monitoring to look for spikes, or unusual patterns of activity.”
  3. Collaborate. “There needs to be information sharing between companies who are normally competitors,” Martin contends. “The financial sector has made great strides because they face a measurable financial threat every day, so they’ve set aside commercial rivalries to pool their data.”
  4. Keep things human. “System administrators are your key vulnerability,” Martin says. “If they’re compromised then systems like encryption offer no further protection.” Yet malicious insider activity is less of a threat than accidental breaches. Make the procedures for everyone simple and accessible to minimize this risk.

The National Cyber Security Centre has put together a comprehensive white paper outlining how to respond to and reduce the impact of common cyber attacks. By providing a simple lexicon for the types of actors and attacks involved, its 10 Steps to Cyber Security makes vulnerabilities easy to understand. The document states, “doing nothing is no longer an option; protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims.”

Secret questions are often used for authentication purposes; but is there really any such thing as a secret?