
Do’s and Don’ts of Password Security


It goes without saying that weak passwords are a fundamental cause of digital security breaches, and they are not going away any time soon. As phishing attacks become more sophisticated, victims’ passwords are compromised more often because, when baited, they unintentionally reveal their supposedly secret combinations of letters and numbers, or enough clues to reconstruct them.

Modern algorithms used by cyber criminals are also incredibly efficient at guessing passwords: a single modern computer can crack a simple 8-character password in just 2 days. Botnets can crack the same password, ‘creation’ for example, in under 2 seconds, and need at most 4 hours for a far more complex 8-character password such as ‘CR3aT10N’. A complex 10-character password such as ‘(R3a[10N&I’ would take botnets about 3 years to crack – but even this timeframe is shrinking as computing power continues to advance. “No password rule system or algorithm – especially one stored inside a human head – can beat software that’s churning through tens of thousands of password combinations every second”, comments F-Secure’s cyber security expert Janne Kauhanen. “If you can remember your passwords, then they’re weak”, he adds.

One also shouldn’t use the same password for different logins, because once one account has been hacked every other account sharing that password is vulnerable too. Ideally, work and home passwords shouldn’t be the same either, so that a compromise in one place cannot spread to the other. If a hacker has taken the time to go after your password, you can assume they are also likely to know which banking institutions you use. Remembering long and complex passwords is a challenge in its own right, though. The solution is to use a password manager: you then only need to remember one master password, which you can change often.

Cyber criminals also see value in ignorance. It doesn’t matter what position a person holds in an organisation or how much they earn – the criminals can potentially use a breach of one person’s account to gain access to another’s. What matters to them is how one person’s lack of security awareness can be used to execute a breach. Family, friends, colleagues, associates and clients can all be at risk, depending on which accounts get breached.

Two-factor authentication of passwords has gained a lot of press recently, and although it certainly improves the security of transactions, even this process can be breached. SMS text messages and emails are typically used for this type of authentication, and while they are not 100% secure (the hacker may have access to your stolen phone or computer), they do add an extra layer of protection against password breaches. A text message code entered on the same login page as your credentials can also be captured by a criminal faking that page: while a fake error message cons you into believing that the service is temporarily unavailable, the attackers can log into the genuine site with your details and continue the real session. Then there is multi-factor authentication, which, while not perfect, adds further layers of complexity to a login and so improves its security.

Given the option, one could use a third-party authentication application such as Google Authenticator or Microsoft Authenticator on a mobile device. These authenticators generate 6-digit codes that change every 30 seconds and are synchronized with the login of the compatible service. Each time you log in, you enter the current code to confirm your identity. Because the code comes from a separate application on a separate device, hackers have a much harder time breaching such logins.

Social media companies such as Facebook have recently been in the limelight for data breaches and the exposure of their customers’ information and passwords. And while internal investigations by these organisations have led them to state categorically that the information was neither accessed nor misused, you need to check this for yourself. This can be done using investigative websites like HaveIBeenPwned, which help you determine whether any of your accounts have been breached and whether your credentials are floating around in cyberspace. Depending on what such sites reveal, one then needs to take the necessary actions to rectify any compromise before it has detrimental consequences.