Passwords, a perennial problem
People still don’t take passwords seriously even though they are the first line of defence against cybercriminals.
Even in the 18th-century folk tale of Ali Baba, the forty thieves used a simple password, “open sesame”, to guard their treasure vault. However, even then Ali Baba managed to “hack” his way in!
Such a password would be of little help today. A check on the password strength analyser Have I Been Pwned (HIBP) revealed that the password “opensesame” has been exposed 25,334 times in data breaches.
Australian cybersecurity consultant Troy Hunt said he created HIBP as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach.
“One of the biggest things that has resonated with me in running HIBP is how much impact it’s had on changing user behaviour.
“Seeing either an email address or password compromised has a way of making people reconsider some of their security decisions,” he said.
The database now holds 613 million compromised passwords, up from only 320 million when it launched in August 2017.
Using passwords exposed in past data breaches puts an account at an even greater risk.
Cybersecurity company LE Global Services Sdn Bhd (LGMS) CEO Fong Choong-fook warned that hackers tend to use a list of previously compromised passwords when they attack an account.
They employ programs that allow them to log in to accounts millions of times a second to try out different passwords, including commonly used ones.
One too many
The LastPass Third Annual Global Password Security report found that the number of passwords people are expected to remember is increasing at an alarming rate.
It attributed this to the adoption of cloud and mobile apps, and to handling different technologies at work.
The report found that employees of small businesses had to manage more passwords than those working in large companies.
This is because big businesses use single sign-on solutions enabling employees to access multiple apps with one password.
“Some industries may be more likely to readily adopt more technology and apps. Some sectors may naturally manage more accounts, especially media and advertising firms that may be working with many clients and managing multiple accounts for those clients at any given time,” it said.
The report warned that having more accounts and passwords to manage led employees to reuse passwords more often – on average it found a password was used 13 times.
This trend was most prevalent with smaller organisations: companies with fewer than 25 employees reused passwords on an average of 14 times, while companies with more than 1,000 employees reused passwords on an average of four times only.
A survey by independent research agency Toluna – based on a pool of 15,002 people across 23 countries – found that 83% of respondents did not rely on password management tools.
To keep track of their passwords, respondents used various methods including memorisation (55%), writing them down in a notebook (31%), saving them in a document on their computer (19%), storing them in the browser (18%) and jotting them on a sticky note left near the computer (15%)! (As respondents were allowed to select more than one answer, the percentages add up to more than 100%.)
Cybersecurity Malaysia CEO Datuk Dr Amirudin Abdul Wahab said a password manager is one of the safest ways to keep track of passwords, as it enables users to use strong passwords without having to memorise anything.
A password manager is a program that helps users store all their online credentials and passwords in an app that’s locked with a master password or biometrics like fingerprints.
“Cybersecurity experts generally recommend using password managers to keep your data safe and private,” he said, adding that users should choose highly recommended software that had been vetted on markets like Google Play or Apple App store.
They can also help generate strong passwords using a random combination of letters, digits and symbols instead of using words from a dictionary.
Most of the apps are not only available for multiple devices but can autofill the username and password, saving users time.
This also means that a user will only have to remember the master password to access services on almost any device.
Many browsers and operating systems also have a native password management system.
Google has a Password Manager for its Chrome browser which works across PCs, Android and iOS devices, and Apple’s Keychain works on Macs and iOS devices.
However, Fong recommended against such software, saying it’s akin to putting all of one’s eggs into one basket.
He said he prefers to memorise his passwords, adding, “That way I don’t have to worry when moving between devices or having to install password managers everywhere.”
Password managers can be hacked too, he cautioned, suggesting that users only resort to them for non-critical accounts.
The passwords for important accounts such as for banking are still best committed to memory, he added.
“People should learn password best practices. Once they do, there’s no need to struggle with complicated passwords or rely on software,” he said.
Using the basic idea that a password should always be “easy to remember but hard to crack”, he advised against using common dictionary words.
Fong said it’s best to think of an easy to remember phrase and then convert it to digits and symbols.
Say, for Gmail, he would start with “I love G-mail” and then convert the vowels to numbers and spaces to the underscore key so that it becomes: “i_l0v3_g-m@1l”.
However, Kaspersky South-east Asia general manager Yeo Siang Tiong, who recommended passwords should be a minimum of 10-12 characters, said substituting “o” with a “0” may no longer be good enough.
He said hackers now code common substitutes into their software, suggesting users come up with their own logic such as replacing the first two letters of each word with numbers and symbols.
Passphrases are also more secure when used with unexpected words, he added.
“Even if you are using common words, you can arrange them in an odd order and make sure they are unrelated.
“Will you remember it? Use something that makes sense to you but will be hard for computers to guess. Even random passwords can be remembered by muscle memory if they are understandable.
“Remember that if your password is convenient for you, it’s probably convenient for hackers too. Complex passwords are the best way for you to protect yourself,” said Yeo.
CSM’s Amirudin cautioned users against using words or terms related to themselves like birthdays or names.
It’s also best to change passwords every three to six months, and have a unique one for each account, he added.
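The two pieces of advice above pull against each other: Fong’s “i_l0v3_g-m@1l” style substitution versus Yeo’s warning that cracking tools already encode those substitutions, and HIBP’s point that a password seen in a breach is a liability whatever its shape. The following Python is an added example (not code from HIBP, LGMS, Kaspersky or the article) of what a defender-side password check looks like: it reverses the common digit and symbol substitutions and looks for dictionary words in what is left, applies Yeo’s 12-character floor, and performs an HIBP-style k-anonymity lookup. The breached-password table, the dictionary and the `fake_range_response` function are constructed stand-ins for HIBP’s `range` endpoint so the script runs offline; the 25,334 count for “opensesame” is the figure the article cites, the other counts are made up.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus with exposure counts.
# Not HIBP's data: "opensesame" carries the count the article cites; the rest are made up.
BREACHED = {
    "opensesame": 25334,
    "password": 1000,
    "iloveyou": 500,
    "letmein": 250,
}

# Small constructed dictionary of words any cracking wordlist would contain.
DICTIONARY = {"love", "mail", "gmail", "open", "sesame", "password", "welcome", "admin", "hello"}

# The substitutions Yeo warns are already built into cracking software, mapped back.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
            "@": "a", "$": "s", "!": "i"}


def unleet(password: str) -> str:
    """Reverse the common substitutions and keep only the letters that remain."""
    mapped = "".join(LEET_MAP.get(ch, ch) for ch in password.lower())
    return re.sub(r"[^a-z]", "", mapped)


def dictionary_hits(password: str) -> list:
    """Dictionary words (4+ letters) hiding inside the un-substituted password."""
    letters = unleet(password)
    return sorted(w for w in DICTIONARY if len(w) >= 4 and w in letters)


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_response(prefix: str) -> str:
    """Constructed stand-in for HIBP's /range/{prefix} endpoint: returns one
    'SUFFIX:COUNT' line per breached hash whose first five hex digits match."""
    lines = []
    for pw, count in BREACHED.items():
        digest = sha1_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def pwned_count(password: str, range_lookup=fake_range_response) -> int:
    """k-anonymity check: only the 5-character hash prefix is sent to the service,
    and the client matches the returned suffixes locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip() == suffix:
            return int(count)
    return 0


def assess(password: str, min_length: int = 12) -> list:
    """Return the list of reasons a password should be rejected; empty means it passed."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    hits = dictionary_hits(password)
    if hits:
        findings.append("substitutions reverse to dictionary words: " + ", ".join(hits))
    count = pwned_count(password)
    if count:
        findings.append(f"seen {count} times in breach data")
    return findings


if __name__ == "__main__":
    for candidate in ("opensesame", "i_l0v3_g-m@1l", "violet-kettle-marches-7-sideways"):
        print(candidate, "->", assess(candidate) or ["ok"])
```

Against a real deployment the `range_lookup` argument would be a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS; the parsing and matching logic stays the same, and the full password hash never leaves the machine.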
Extra effort
However, even strong passwords won’t work if a user falls for other forms of cyberattacks.
In a post, Microsoft identity security director Alex Weinert listed the most common ones: phishing, where a user is tricked into revealing the password; keystroke logging, where a hacker monitors the password being typed; and local discovery, where the hacker finds the password written down, say, on a piece of paper.
Microsoft, which faces over 10 million username-password pair attacks every day, encouraged the use of multi-factor authentication (MFA).
Based on its studies, an account is more than 99.9% less likely to be compromised if MFA is used.
The US National Institute of Standards and Technology defines MFA, also known as two-factor authentication, as a security enhancement that requires two types of credentials when logging in.
It elaborated that credentials fall into three categories: something you know (password or PIN), something you have (smart card), or something you are (biometrics like fingerprints). Credentials used in MFA must come from two different categories to enhance security.
“Activate two-factor authentication for all your most valuable accounts. It keeps crooks and prying eyes out of your account even if your password has been stolen,” Yeo said.