Password Security – Managing Your Credentials
April 27, 2015

Would you lock your house and leave the keys hanging in the keyhole?  Would you leave the keys lying around where they could easily be stolen?  No, you wouldn’t.  Yet there are those who leave their passwords exposed for anyone to see, share their passwords, or, even worse, use weak passwords and reuse the same password for different logins.

It has been reported that the days of passwords are numbered; that we will see the ‘death’ of passwords as technology will afford us other methods for logging on to a website.  Until that day comes (if it comes at all) let’s keep our feet grounded in the present.  Passwords are still the order of the day.

Security experts have been reminding people that they may not be managing their passwords properly, but their words are sometimes not heeded.  I guess it’s like parents’ advice: how often do we take it even though we know that they are right?

Old habits die hard!  You would rather stay in your comfort zone and keep the same password for various logins than have a separate, strong password for each login.

It is highly risky to use weak passwords or to reuse the same password for various logins.  Here are some facts to consider:

  • 55% of internet users use the same password for most, if not all, websites – Naked Security by Sophos
  • In 2013, 13% of breaches were the result of weak passwords – 2014 Trustwave Global Report
  • The use of brute-force login attempts tripled in 2013, and attackers collected almost 9 billion credentials (username and password) as a result of these attacks – Cisco
  • Top 5 passwords used are: 123456, 123456789, 1234, password and 12345678 – 2014 Trustwave Global Report

Is it any wonder that cybercriminals are able to capture login credentials, which in turn leads to loss of money, photos and personal information, data breaches, etc.?  The implication of this for organizations is critical, to say the least.

How do cybercriminals attempt to break passwords?

Here are some methods that they use:

1.  Phishing – the crooks try to gain your trust by posing as a trustworthy entity in emails or through other means of communication such as the phone.  One common tactic is to send emails purporting to be from a bank that ask you to update your banking credentials.

2.  Brute-force attacks (see Definition) – cybercriminals systematically check all possible keys or passwords until they find the right one.  They use tools that try many combinations at very high speed (one brute-force password-cracking tool is reported to make 8 million guesses per second).

3.  Database hacking – your organization’s database, which stores hundreds or thousands of customers’ credentials, is hacked.  Such attacks are ongoing.

4.  Keylogging (see Definition) – a method where cybercriminals record your keystrokes in order to capture your login credentials.  If a keylogger is installed on your system without your knowledge, your credentials can be captured easily.  Imagine if you are logging in to your online banking account.

5.  Social Engineering (see Definition) – one of the most common methods that cybercriminals use to manipulate people into divulging personal or confidential information that includes passwords.

In conclusion, passwords are still relied on and will be around for a while.  Until new innovative ways to replace passwords are accepted as the norm and they become a thing of the past, we will continue to be dependent on them.  So guard your passwords well and keep them safe.

 

Recommendation

  1. DO NOT keep your passwords in a text file, spreadsheet, plain-text note or any unprotected document.
  2. DO NOT use the default password sent to you by a service provider.
  3. DO NOT use weak passwords such as 123456, birth dates, name of someone you know, pet name or even words that can be found in a dictionary.
  4. DO NOT use the same password for a long time.  Change it after a period of time.
  5. DO NOT use the same password twice.  This is critical.
  6. You may use a password generator, such as Random Password Generator or Norton Password Generator, which can be found online.
  7. Store passwords using a password manager application.  You will only have to remember one password that allows you to access all the other passwords stored in the password manager.  Here are a few to consider: LastPass, RoboForm, KeePass or Dashlane.
  8. Use a combination of upper & lower case letters, numbers, symbols and words.
  9. Password length should be a minimum of 8 – 11 characters.
  10. If two-factor authentication is available, use it.  This is important when it comes to critical accounts, such as your bank account.
  11. Here is a site to check your password strength: https://howsecureismypassword.net/
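To put the brute-force method in point 2 above and recommendations 3, 5, 8 and 9 into concrete terms, here is an added example (not code from the original post or from Heimdal Security). It estimates the worst-case time to exhaust a password's keyspace at the post's quoted rate of 8 million guesses per second, reports which of the post's recommendations a password violates, and flags reuse across a constructed sample vault. The vault contents, the top-5 list and the 8 million/s rate are taken or constructed as labelled in the comments.

```python
import string
from collections import defaultdict

# The five most-used passwords listed in the post (2014 Trustwave Global Report).
COMMON_PASSWORDS = {"123456", "123456789", "1234", "password", "12345678"}
# Guess rate the post quotes for one brute-force cracking tool.
GUESSES_PER_SECOND = 8_000_000
SYMBOLS = set(string.punctuation)  # the 32 printable ASCII symbols

def class_flags(pw: str) -> tuple:
    """Which of the four classes (lower, upper, digit, symbol) the password uses."""
    return (any(c.islower() for c in pw), any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw))

def charset_size(pw: str) -> int:
    """Size of the pool a brute-force attacker must search, given the classes present."""
    return sum(n for n, used in zip((26, 26, 10, len(SYMBOLS)), class_flags(pw)) if used)

def crack_seconds(pw: str) -> float:
    """Worst-case seconds to exhaust the keyspace at the quoted rate (common list: guessed at once)."""
    if not pw or pw.lower() in COMMON_PASSWORDS:
        return 0.0
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND

def check_password(pw: str) -> list:
    """Return the post's recommendations this password violates (empty list = passes)."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the top-5 common password list")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if sum(class_flags(pw)) < 3:
        problems.append("uses fewer than three character classes")
    if pw.isdigit():
        problems.append("digits only (dates and number sequences are easy to guess)")
    return problems

def find_reused(credentials: dict) -> dict:
    """Map each password used for more than one site to the sites that share it."""
    sites_by_pw = defaultdict(list)
    for site, pw in credentials.items():
        sites_by_pw[pw].append(site)
    return {pw: sites for pw, sites in sites_by_pw.items() if len(sites) > 1}

if __name__ == "__main__":
    # Constructed sample vault for demonstration; not real credentials.
    vault = {"bank": "Tr0ub4dor&3", "email": "123456", "forum": "123456", "shop": "abcdefgh"}
    for site, pw in vault.items():
        print(f"{site:6} ~{crack_seconds(pw):.2e} s to brute-force; issues: {check_password(pw)}")
    print("reused across sites:", find_reused(vault))
```

The estimate is an upper bound: real cracking tools try dictionary words and common patterns long before exhausting the keyspace, which is why the dictionary-word and date rules matter as much as length.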

 

Definition

  1. Brute-force login – a trial-and-error method in which a program tries every possible key or password until it finds the right one; it is used against passwords and against encryption such as the Data Encryption Standard (DES).
  2. Social engineering – to manipulate people to divulge confidential information. The criminals impersonate somebody that they are not in order to get their victims to reveal the confidential information.
  3. Keylogger – a type of surveillance software that has the capability to record every keystroke you make.  A keylogger can record instant messages, email, and any information you type while using your keyboard.

 

Source

Heimdal Security.

 

The Week That Was

  1. Evasive malware – it hides its true malicious nature from traditional sandboxes (a separate environment in a computer where testing is carried out, so if errors or security issues occur, it will not spread to other areas in a computer).  The number of evasive malware samples doubled from Jan 2014 to Dec 2014.
  2. Sony Documents – WikiLeaks publishes an archive of leaked Sony documents, which were exposed after the breach of Sony Pictures Entertainment last year.
  3. Blind Hashing – TapLink has introduced a new technology that prevents offline password attacks by making databases impossible to steal.
  4. New Dark Web marketplace opens – For years hackers have sold secrets of zero-day exploits in the underground Dark Web marketplace.  Now, there is a new marketplace that offers anonymity protection to its sellers, called TheRealDeal, which focuses on selling Zero-Day exploits.
  5. Banking Botnets – Banking botnets continue to persist despite takedowns.  Attackers targeted more than 1,400 financial institutions in more than 80 countries.