AdobeStock_290011860.jpeg

PASSWORD SECURITY

A good password will protect our devices or our online accounts from the malicious actions of a cybercriminal.  They are literally, the keys to the kingdom.

WHAT YOU SHOULD DO:

 

3 RANDOM WORDS: You could try to use 3 random words, separated by a symbol or a digit. The science says this acts as a passphrase so it's easier to remember e.g. monkey*Girdle*biscuit.  Use 3 random words on any account you deem critical​, such as your email account or your laptop. This solution works well providing you can remember multiple passwords.

USE YOUR BROWSER: Alternatively, you can use your browser to store your passwords. The best thing about this is that you don't have to remember them and your browser will autocomplete login pages. Awesome!  Since the browser is doing all the hard work, you can also create huge, unique passwords for every single account. They can be a combination of symbols and digits as well as upper and lower case letters.  

USE A CREDENTIAL MANAGER: Of course, the problem with the solution above is that you are dependent on the security of your browser and in particular, how it stores the passwords.  A better solution, therefore, is to buy a password manager (or credential manager as it is commonly called) from your app store. This will

  • Automatically generate complex passwords for you

  • Auto-complete login forms for you

  • Store passwords in an encrypted vault for additional protection

  • Be available on multiple devices such as your phone, laptop, desktop or digital pad.

AND FINALLY - USE 2 FACTOR AUTHENTICATION (2FA): Most websites allow you to set up 2 factor authentication. For example, as well as requiring a password to log in, you will need a pin sent to your phone. We strongly urge you to use this security feature for all your critical accounts. That way, even if your password is compromised by a cybercriminal, your account is still safe. To read more about how to set up 2FA see NCSC guidance here.

WHY YOU NEED A STRONG PASSWORD

Ok, so the picture here might overstate our case - but not by much. For example:

WHY YOU NEED A STRONG PASSWORD ON YOUR DEVICES & YOUR HOME WI-FI

if someone can crack your home Wi-Fi or device password, they might be able to:

  • Install software that forces your computer to attack other machines.

  • Turn your computer into a web server for hosting illicit content that will get traced back to you.

AdobeStock_106363880.jpeg
  • Plant cryptomining software on your machine and syphon off any earnings.

  • Steal the product keys or serial numbers of your software and sell them online.

  • Extort money from you by raiding your webcam, audio, saved photos or documents​.

WHY YOU NEED A STRONG PASSWORD ON YOUR EMAIL

If someone can crack you email password, they might be able to: 

  • Commit identity theft such as setting up a credit card or apply for a personal loan in your name.

  • Harvest your contacts and phish your family, friends or business associates - after all, the emails will appear to be coming from you.

  • Access your other online accounts. This is possible because, people tend to use the same password for everything.  Alternatively, I could use your email address to reset your account password - effectively locking you out.

WHY YOU NEED A STRONG PASSWORD AT WORK

If someone can crack you work password, they might:

  • Steal company data.

  • Attack company machines.

  • Plant false flags - since they are using your account.

HOW DID THEY GET MY PASSWORD?

The most likely causes are:

  • YOU HAVE BEEN TRICKED INTO REVEALING IT: Fraudulent emails will con you into clicking a link. This redirects you to a bogus website. When you enter your credentials into the website, they are harvested by the hacker. It's not just fraudulent emails either, fake text messages and even bogus phone calls can attempt to manipulate you into revealing such secrets.

  • YOU WROTE IT DOWN: That small yellow sticky note slapped onto the side of the computer is still one of the most common causes of a data breach in many organisations.

  • YOU PICKED A WEAK PASSWORD: Quite often people will choose a password which can be determined by looking at their social media profile.  Far more likely, however, is that they just opted for a bad password because it was easy to remember. Bad passwords tend to be short, use common words and limited character sets such as no digits, or symbols for example. 

  • THE ORGANISATION IS VULNERABLE TO ATTACK: Some companies will do a poor job of storing passwords or protecting those systems that are designed to hold them. Alternatively, the hacker is very skilled.

AN ILLUSTRATIVE EXAMPLE:

One common way that online accounts are breached is through password spraying. It works like this:

  • STEP 1 - Get a list of the top 1,000 passwords used (easily found on the web).

  • STEP 2 - Download a hacking tool that tries - perhaps 3 different password per account.

  • STEP 3 - Wait whilst the software does its thing.

These attacks work because there are always some people who will use a very common password.

The NCSC recently conducted a research study which showed:

  • 75% of company accounts use a password which features in the top 1,000 passwords.

  • 87% of company accounts use a password which features in the top 10,000 passwords.

Whilst account lockout policies limit attackers trying multiple passwords against a single account, the account lockout counters usually reset over time, allowing persistent attackers to try hundreds or even thousands of common passwords.​

See something not quite right? Email: EMSOUCyberProtect@leicestershire.pnn.police.uk