Malta Independent

Jonathan Mizzi

32 Million, 100 Million, 360 Million… No, we're not talking about money, but usernames and passwords.


It has become much more common of late to see a headline dominating the news about cybercrime and, more precisely, about stolen passwords.

Large companies such as Twitter (the social media platform), VTech (the toy manufacturing company) and even banks, like Bangladesh’s Central Bank, have had their systems compromised. Most of the time, the hack involves the theft of user information databases which contain email addresses and passwords. But, in the case of Bangladesh’s Central Bank, thieves made off with $81 million. Once the investigation has been finalised, it is usually concluded that the failure is attributable to a simple stolen password.

Much of our effort in cyber security has gone towards building high, strong walls. In response, hackers have become extremely good at sneaking through the gates. Despite all our progress in building secure software to keep out malicious attacks, hackers repeatedly break into companies’ networks with stolen keys. The keys are compromised credentials or stolen passwords that end up in the hands of cybercriminals. Stolen passwords pose extensive security risks because attacks using stolen passwords often do not set off any alarms. The risk is by no means limited to high-value targets like federal bank employees. A study shows that one in 10 employees have a stolen corporate password in hackers’ hands, representing 92 percent of large companies. The same research confirmed that the majority of data breaches involved weak passwords.

So, what are “weak” passwords and why is their use not recommended?

A “weak” password is a password containing information about the user, or a common and often-used word. Such passwords can be easily cracked, or simply guessed by malicious users without any special software.

A password is any valid sequence of characters, and it is often the only means a system or service has to identify a user. It is therefore of utmost importance for it to be as secure as possible, because any other person who knows the password can use it to log in and enjoy all the permissions the user has. A password can be figured out by various methods. They include recognition (social engineering, key-loggers, spyware and various tracing methods); selection (according to a frequency dictionary or by syllables); and the brute-force method, or exhaustive search.

Many users use their own names or the names of friends, parents or children, the nicknames of pets, or the names of memorials to create passwords. Often, one can collect such information and figure out the required password simply by trying different combinations. In addition, many internet services allow the user to change a password by answering a special question whose answer was specified during sign-in. In this case, one can learn the correct answer, for example, from a private conversation, and then change the password for the account without the permission and consent of its owner.

So, which are the best password practices and recommendations?

With “strong” passwords, which are created according to certain rules and are lengthy enough, the risk of an account becoming compromised is decreased. These are sufficiently crack-resistant and cannot be figured out using only a frequency dictionary. If the password contains digits and/or special characters in the middle of the word, a dictionary search will produce no results for the hacker. Only searching through all possible variants of the password will help. This method is known as the brute-force method. It guarantees the successful cracking of the password given enough time, but a strong password may take years of continuous searching. During this time, the user will change the password again and again, and even if the hacker eventually gets it, the password may turn out to be outdated by then.

Creating and remembering a complex password can sometimes be a struggle. An equally good option which may require less effort to remember is to use a passphrase instead. Passphrases are simple sentences that rely on length rather than complexity to make them secure. Security-conscious companies implement policies that require end users to use a passphrase as their password, with a length of at least nineteen characters.

In order to safeguard one’s credentials, a user should try to follow a few basic guidelines which will make a hacker’s task that much more difficult:
• Do not use dictionary words or names in any form when creating passwords.
• Do not share passwords with anyone. If there is an issue that requires you to do so, remember to change the password immediately after the issue has been resolved.
• Never use the same password for work accounts as the one you have for personal use (banking, social networks, etc.).
• Do not write down passwords or include them in an email.
• Never use the “Remember Password” feature on any system; this option should be disabled in systems where possible.
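As an added illustration (this is not code from the article or from Deloitte), the Python script below turns the article’s definition of a weak password and its nineteen-character passphrase policy into a checker, and estimates how long an exhaustive brute-force search of the keyspace would take. The word list, the user profile and the guess rate are constructed assumptions, not measured figures.

```python
import math
import re

# Constructed sample data: a tiny "frequency dictionary" of common words and a
# user profile of the kind the article says attackers gather to guess passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "qwerty", "dragon"}
USER_INFO = {"name": "jonathan", "pet": "rex", "child": "maria", "birth_year": "1985"}

MIN_PASSPHRASE_LENGTH = 19  # policy length cited in the article
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(secret: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this secret."""
    size = 0
    if re.search(r"[a-z]", secret):
        size += 26
    if re.search(r"[A-Z]", secret):
        size += 26
    if re.search(r"[0-9]", secret):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", secret):
        size += 33  # printable ASCII symbols and space (assumed alphabet)
    return size


def brute_force_years(secret: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to exhaust the keyspace at an assumed guess rate."""
    keyspace = charset_size(secret) ** len(secret)
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def weakness_reasons(secret: str, user_info: dict = USER_INFO) -> list:
    """Why a password is 'weak' in the article's sense; empty list means it passes."""
    reasons = []
    lowered = secret.lower()
    for word in sorted(COMMON_WORDS):       # dictionary-word check
        if word in lowered:
            reasons.append(f"contains dictionary word '{word}'")
    for field, value in user_info.items():  # personal-information check
        if len(value) >= 3 and value.lower() in lowered:
            reasons.append(f"contains user's {field}")
    if len(secret) < MIN_PASSPHRASE_LENGTH:  # passphrase length policy
        reasons.append(f"shorter than {MIN_PASSPHRASE_LENGTH} characters")
    return reasons


def is_strong(secret: str) -> bool:
    return not weakness_reasons(secret)
```

Running `weakness_reasons("rex1985")` flags the pet name, the birth year and the short length, while a 28-character passphrase such as "correct horse battery staple" passes and its brute-force estimate runs to astronomically many years at the assumed rate.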

Jonathan Mizzi is Manager of the Alert Digital by Deloitte Data Center. For more information, please visit www.alert.com.mt
