I have lost count of the number of times I have walked into a company and seen somebody’s password on a post-it. In today’s digital world, a password is mostly what protects us. Believe it or not, 40% of internet users suffer a “security breach” each year.
However, because password security is intangible, most of us choose ease over security. The same research showed that 47% of people haven’t changed their password in 5 years, while 21% of people are using a password that’s up to 10 years old. If all of that isn’t bad enough, the world’s top 5 passwords are 123456, password, 12345678, qwerty and 12345. Hardly rocket science to crack!
Most people like to take the easy road, and who can blame them? As our digital lives grow, so does the number of usernames and passwords we have to remember, so why not make it easy and use the same one across the board? The trouble is that this makes you an ideal target for hackers.
Education is the key. If you can understand how hackers might break or obtain your password, then you can take steps to avoid getting compromised.
Most people simply don’t understand the risks. Take a real-world example.
In February 2016, we had a new customer call us. All of their important data (including the directors’ files) had gone off the server. How had this happened?
A disgruntled employee had come in at the weekend, and knowing that the owner’s password was on (you guessed it!) a post-it, logged onto her computer and deleted all of the data from the server, including information that was restricted to the directors. In this incident we managed to recover all of the data and put a password policy in place.
How can hackers attempt to compromise my passwords?
The attacker in the example above got around many security stages because they had physical access and knew how the systems worked. The following types of attack, however, can be carried out from anywhere in the world, at any time:
Brute force attacks – This is where you try every possible combination, starting at 1 and working your way through. The aim is to guess the password by inputting all possible combinations. These attacks are usually carried out by programs that can try millions of combinations a minute. This type of attack works well for simple, short passwords such as 123456 or abcde.
Dictionary attacks – A dictionary attack is similar to brute force, but makes use of a “dictionary of passwords”. These lists normally contain singular and plural dictionary words, as well as common passwords which have been obtained from previous hacks.
Hybrid attacks – This is a combination of the above two methods. A lot of people will try to make a password more difficult by adding numbers to the end, like a pet’s name plus the year they were born, e.g. skippy86.
Mask attacks – These work like a brute force attack, but with restrictions on the password format to cut down the number of passwords generated. The hacker might know that the site they are trying to get into requires people to have a maximum of 8 characters with one capital letter in it. This can significantly reduce the time it takes to crack the password.
Phishing – This refers to a technique where you get sent a fraudulent email or are directed to a copy site which looks identical to, say, your bank, and when you enter the password it gets sent directly to the hackers. This is very effective as it makes the user do all of the work and requires much less time.
So what makes a good password?
Now that you know how people try to break a password, here’s what you can do to help protect yourself:
· Avoid common passwords, e.g. 123456
· Avoid common words, such as those found in a dictionary
· Make it long - For each character over 8, a password becomes 75 times more difficult to break
· Add numbers, symbols and capital letters
· Don’t use personal information – somebody who knows you could easily guess this
· Don’t reuse passwords – try to keep a different password for each important site
What does it look like?
Well, a complex password looks like zsDER:O^W£$%EYTGD>F
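The checklist above, written out as an added Python example (not code from the original article): it flags passwords that the brute force, dictionary and hybrid attacks described earlier would find quickly. The word lists are small constructed samples, and the 12-character minimum and the "three of four character classes" rule are assumptions, not figures from the article.

```python
import re

# Top 5 passwords named in the article; a real check would load a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345"}
# Constructed sample dictionary (assumption); a real check would use a full word list.
DICTIONARY_WORDS = {"skippy", "summer", "dragon", "monkey", "london"}
MIN_LENGTH = 12          # assumption: the article only says longer is better
MIN_CHAR_CLASSES = 3     # assumption: lower, upper, digit, symbol; require any three
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(password, personal_info=()):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    lowered = password.lower()

    # Brute force and dictionary attacks try these first.
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    if len(password) < MIN_LENGTH:
        problems.append("too short")

    # Hybrid attacks: strip digits/symbols from both ends and look up what is left.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in DICTIONARY_WORDS:
        if core == lowered:
            problems.append("dictionary word")
        else:
            problems.append("dictionary word plus digits/symbols")

    # Count how many character classes appear at least once.
    used = sum(1 for pattern in CHAR_CLASSES if re.search(pattern, password))
    if used < MIN_CHAR_CLASSES:
        problems.append("too few character classes")

    # Personal information (pet names, birth years) is easy to guess.
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "skippy86", "zsDER:O^W£$%EYTGD>F"):
        print(candidate, "->", check_password(candidate) or "ok")
```
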
Have I already been hacked?
The dictionary lists we talked about earlier come from big website hacks, like LinkedIn or Adobe, where millions of users’ passwords get released to the world. If (like most people) you use the same password for a lot of different sites, it’s time to change it ASAP!
Check whether your email address has been compromised by visiting https://haveibeenpwned.com/
If you are worried about password and general security for your company, why not opt for a totally free security audit from Carden IT Services? Contact us today to find out more.