Password Configuration – A Key Component to Cyber Security
For a moment, think about all the different online accounts you have. The accounts probably cover social media, shopping, banking, and your home security cameras, just to name a few. Each one requires a password for access. Now think about the horrific damage one could do if they had your passwords and sinister motives. That is why I've devoted a post entirely to helping you configure solid passwords, and check if hackers have compromised your current passwords.
If you missed my last post about cyber security titled Cyber Security Basics You Should be Using Right Now, consider checking it out. In it, I explain the principles of managing your personally identifiable information (PII).
Password Configuration —
Password configuration is always a fun topic because, no matter how many teachers and industry experts lecture and write about it, horrible passwords remain an issue. Bad actors have several methods of getting a password and compromising an account. Here are some methods used to steal your password:
Dictionary attacks —
A dictionary attack tries candidate passwords one after another until one works. As the name implies, the candidates come from a wordlist, or "dictionary." It is important to note that these dictionaries are usually not monolingual. Instead, they contain words from many languages and usually include slang terms and alpha-numeric substitutions (ex: 1=I, 2=Z, 3=E, and so on), so swapping a few letters for look-alike digits does not put a word out of reach.
Keylogger —
A type of spyware called a keylogger allows an attacker to keep track of each key pressed and makes password theft easy.
Shoulder surfing —
This is the low-tech technique of looking over a user's shoulder as they enter a PIN or password. Shoulder surfing is simple but effective.
Phishing —
Phishing emails are another common technique bad actors use to steal passwords and PII. Phishing emails may appear legitimate, but most of them are easy to spot. They often contain grammatical and spelling errors and other telltale signs of fraud. If you receive an email with the subject line “review your amazon purchase now,” but you've not made a recent purchase there, you can be sure it's a phishing scam. The attacker is hoping you'll click the link, attempt to log in and, in doing so, give away your username and password. If you don't recognize the sender or just think something seems “off,” don't even open the email. Mark it as spam, flag it, or report it, and move on.
Never respond to an email asking for your password. Legitimate organizations will never ask you to give them your password in an email. Another way to check whether an email is legit is to hover your mouse over the link before clicking it. Somewhere in your browser window (usually at the bottom) the URL the link actually points to will become visible. If that URL doesn't look like it belongs to the real business, don't click it. If you're ever in doubt, don't click any links.
Don't feed phish.
This article from CBS News explains a bit about how people used phishing to get emails from Hillary Clinton.
Choosing a password or passphrase —
Anyone who's experienced a compromised account will tell you it can be a nightmare. But imagine if a hacker gets into many of your accounts. This can happen easily if you use the same password for multiple accounts.
Using the same password for your online banking as you do for your email could lead to more than someone locking you out of your own email account and spamming and/or phishing your contact list. A hacker with the right credentials and a relatively minimal amount of knowledge could destroy your finances. This example alone should be enough to stress the importance of using different passwords for different accounts and devices.
However, it's not enough to just use a different password. You must choose a strong password.
And while we're at it, let's abandon the concept of password and aim for the stronger passphrase. A passphrase will be longer than a password and require more time and resources to crack. If you're not on board with the passphrase plan, then at least observe some of the following rules for creating a solid password.
- Never use common or easily found personal information: your dog's name, anniversary date, birthdays, your kid's name, your address, etc. All of those are terrible passwords you should avoid at all costs.
- Use at least one upper-case letter
- Make the password or passphrase as long and complex as you can
- Include special characters (#@!Q$^&*,/?/)
- Don't use the same password or passphrase more than once
- Strength test your password or passphrase (Use this website to test your passwords)
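As an added example that is not part of the original post, the small Python checker below applies the rules above and also undoes the 1=I, 3=E style substitutions described under dictionary attacks, which shows why "P@ssw0rd" scores well on a naive strength meter yet is still just the word "password." The word list, the substitution table and the 12-character minimum are assumptions for illustration, not values from the post.

```python
import math
import re

# Constructed stand-in for the multilingual wordlists the post describes;
# a real checker would load a large list (assumption, not from the post).
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "summer",
                "schatz", "amour", "qwerty", "monkey"}

# Undo the substitutions the post mentions (1=I, 2=Z, 3=E) plus a few other
# common ones, so "p@ssw0rd" normalises back to "password".
LEET_TO_LETTER = str.maketrans({"1": "i", "2": "z", "3": "e", "4": "a",
                                "0": "o", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12  # assumed threshold; the post only says "as long as you can"

def normalise(candidate: str) -> str:
    """Lower-case, drop trailing digits/symbols ('Summer2023!' -> 'summer'),
    then reverse leet substitutions ('p@ssw0rd' -> 'password')."""
    base = re.sub(r"[^a-z]+$", "", candidate.lower())
    return base.translate(LEET_TO_LETTER)

def dictionary_hit(candidate: str) -> bool:
    """True when the password is just a wordlist entry in disguise."""
    return normalise(candidate) in COMMON_WORDS

def estimate_bits(candidate: str) -> float:
    """Naive brute-force estimate: length * log2(character pool). It ignores
    dictionary structure, which is exactly why it overrates 'P@ssw0rd'."""
    pool = sum(size for pattern, size in
               ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
               if re.search(pattern, candidate))
    return round(len(candidate) * math.log2(pool), 1) if pool else 0.0

def check(candidate: str) -> list[str]:
    """Return the rules from the post that the candidate fails (empty = passes)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        failures.append("no upper-case letter")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("no special character")
    if dictionary_hit(candidate):
        failures.append(f"dictionary word '{normalise(candidate)}' with substitutions")
    return failures

if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Summer2023!", "Correct horse battery staple!"):
        print(f"{pw!r}: ~{estimate_bits(pw)} bits, fails: {check(pw) or 'none'}")
```

The naive estimate gives "P@ssw0rd" about 52.6 bits, but the dictionary check flags it anyway; the passphrase passes every rule, which is the post's point about preferring passphrases.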
Bad passwords have been a source of comedy (and tragedy) for decades. Here's proof:
Finally —
If any of your passwords or phrases don't align with the best practices mentioned above, change them ASAP.
Do you find these posts about cyber security helpful? We think being safe online is important as part of an overall strategy to mitigate risk and stay out of trouble. As we move through the different aspects of cyber security, feel free to ask questions or request that we cover a specific topic.
Stay safe.