Sunday Independent (Ireland)
DENY HACKERS A FREE PASS
Password security’s not as simple as ‘1-2-3’. By Adrian Weckler.
IF ever you’re worried about your IT security habits, know that you’ll almost certainly never get caught in the spot an intern in the IT firm Solarwinds found themselves in. The company, which has a European headquarters in Cork, infected hundreds, if not thousands, of large corporate clients when the intern posted the password ‘solarwinds123’ on a public messaging board.
Microsoft president Brad Smith described what followed as “the largest and most sophisticated attack the world has ever seen”.
An estimated 1,000 hackers got to work, with malware sneaked into Solarwinds’s system, which was then passed on to 18,000 big clients, including US state agencies such as the Department of Homeland Security, Treasury Department and Department of Energy.
Even though Solarwinds has a substantial Munster presence, it hasn’t yet listed any Irish-based clients as victims.
But CEO Kevin Thompson publicly tried to shift at least some of the blame onto a single intern, saying the person had wrongly set a key password to ‘solarwinds123’ and then shared that on GitHub.
It would be understandable for anyone reading this to think: “There but for the grace of God.”
Who hasn’t set a temporary password at ‘password’ or ‘123456’ or ‘company-name’ at some point? Who hasn’t left at least one significant account with the same password for more than a year?
There is ample evidence many of us still do this. In December, the online security firm NordPass analysed a list of 275m passwords that were obtained from a database of data breaches. It then ranked the 200 most common passwords. Top spot was ‘123456’, used by 2,543,285 of the 275 million accounts. ‘Password’ was the fourth most popular entry (360,467 incidences) with ‘111111’, ‘qwerty’ and ‘abc123’ all high up, too.
Helpfully, NordPass also showed how long it takes to hack such passwords. In almost all cases of the 200 lazy passwords highlighted, hacking time was under one second.
Stupid passwords aren’t the only risk. Keeping the same one for too long — even if it’s a nice long one with plenty of different letters and numbers — is also a significant threat to your IT security.
Similarly, using the same one for multiple online services or platforms is also a shortcut to attracting online problems.
One quick way to give yourself a wake-up call on this is by checking haveibeenpwned.com, the longstanding online resource that tells you whether your email address has been part of any major data breach. If you still use the same password for a breached email account, or you use that password for other services, at least you know you’re skating on thin ice.
For example, last week I inputted one of my email addresses on haveibeenpwned.com.
“Oh no — pwned!” it informed me. It then helpfully told me about two specific breaches.
“In July 2018, the sales engagement startup Apollo left a database containing billions of data points publicly exposed without a password,” it said of one of the breaches.
“Compromised data included email addresses, employers, geographic locations, job titles, names, phone numbers, salutations, social media profiles.”
While it repeated Apollo’s claim that “the exposed data did not include sensitive information such as passwords”, I was left wondering about various bits of spam and phishing attempts I have received over the last two years.
I also embarked on a fresh round of password changes for about a dozen accounts I use.
There are a few recommended techniques for choosing relatively secure passwords.
One is to pick a phrase you think you’ll remember. Then use the first letter of each word and at least one number, observing capitals for proper names, too. For example, you might pick the phrase ‘my first cat’s name was Basil’, which becomes m1cnwB. If you want to vary this, it could change by service, like m1cnwBNetflix or m1cnwBGmail.
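The NordPass ranking and the passphrase technique above describe a check a defender can automate: before accepting a password, screen it against a list of known-breached entries and against the ‘company-name123’ pattern the SolarWinds episode illustrates. The script below is an added example, not code from the article or from any of the companies it names. The blocklist is constructed from the passwords the article itself mentions, the lookup table standing in for a breach-list service is built locally so the example runs offline, and the minimum length of 8 and the organisation names are assumptions chosen for the demonstration.

```python
import hashlib
import re

# Constructed blocklist: only the entries named in the article. A real
# deployment would load a full breached-password list instead.
COMMON_PASSWORDS = {
    "123456", "password", "111111", "qwerty", "abc123",
    "solarwinds123", "company123",
}


def _sha1_hex(pw: str) -> str:
    """Uppercase hex SHA-1 of the password, the form breach lists are usually keyed by."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Hypothetical local stand-in for a prefix ("range") lookup service: keyed by
# the first five hex characters of the SHA-1, valued by the remaining 35.
# Built from COMMON_PASSWORDS so the example runs without network access.
RANGE_TABLE: dict = {}
for _pw in COMMON_PASSWORDS:
    _h = _sha1_hex(_pw)
    RANGE_TABLE.setdefault(_h[:5], set()).add(_h[5:])


def in_breach_list(password: str) -> bool:
    """Prefix lookup: only the 5-character hash prefix would ever be sent to a
    remote service, and the suffix comparison happens on the client side."""
    h = _sha1_hex(password)
    return h[5:] in RANGE_TABLE.get(h[:5], set())


def looks_like_name_plus_digits(password: str, org_names) -> bool:
    """Flag 'solarwinds123'-style passwords: an organisation name followed by
    a short run of digits (assumed pattern, case-insensitive)."""
    m = re.fullmatch(r"([a-z]+)\d{1,4}", password.lower())
    return bool(m) and m.group(1) in org_names


def screen_password(password: str,
                    org_names=frozenset({"solarwinds", "company"}),
                    min_length: int = 8) -> list:
    """Return the reasons a password should be rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if in_breach_list(password):
        reasons.append("appears in breach list")
    if looks_like_name_plus_digits(password, org_names):
        reasons.append("organisation name followed by digits")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "solarwinds123", "m1cnwBNetflix"):
        verdict = screen_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The per-service passphrase variant from the article (‘m1cnwBNetflix’) passes all three checks, while ‘123456’ fails on length and on the breach list, and ‘solarwinds123’ fails both the breach list and the organisation-name pattern. The prefix lookup is the part worth keeping when wiring this to a real breach-list service: the user’s full password never leaves the machine.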
An arguably more secure way is to use a password manager, like 1Password or LastPass. These essentially work with your web browser or your smartphone, using long, secure strings as passwords. All you need to do is to remember your own master password for the password manager itself.
Unfortunately, few of them are free any more. LastPass is just about to close its free option (unless you implausibly only ever use one device to access your services) and joins 1Password in offering only a premium version from €2.70 per month.
One free alternative is Bitwarden. Others, of a sort, include Google and Apple, both of which offer password manager or ‘keychain’ services.
“Many password managers are free, so start using them,” says Joseph Carson, chief security scientist at Thycotic.
“Use unique long passwords such as passphrases. Do not ever reuse old or similar variations of passwords.
“If you continue to reuse old passwords it is like leaving your front door open and inviting cybercriminals into your home.”
For businesses, he adds, it is also important to move even beyond password managers and “start a journey to protecting privileged access with a privileged access management solution”.
The IT industry has wrestled for years with the notion of doing away with passwords as we know them, replacing them instead with biometric logins such as fingerprints or retina scans.
Unfortunately, there are still quite a few qualms about this — only smartphone makers have really managed to convince us to replace passwords with biometrics as an accepted part of everyday life.
Otherwise, the near future looks set to remain vulnerable to bosses blaming interns for setting ‘company123’ as a gateway into the inner chambers of your corporate data.