Did you know the average internet user has 25 accounts to maintain? Despite this, people only use an average of 6.5 different passwords to protect them.
With identity theft and data breaches an ever-growing problem, it's important to not only have a different strong password for each account, but to make those passwords easy to remember and hard to guess.
Types of Password Threats
Implementing security measures starts with anticipating security threats. There are four main ways that attackers attempt to obtain passwords:
- Capturing passwords
- Guessing or cracking passwords
- Replacing passwords
- Using compromised passwords
An attacker can capture a password through password storage, password transmission or user knowledge and behaviour. Operating system (OS) and application passwords are stored on network hosts (a computer connected to a network) and used for identification. If the stored passwords aren't properly secured, attackers with physical access to a network host may be able to gain access to the passwords.
Never store passwords without additional controls to protect them. Security controls include:
- Encrypting files that contain passwords
- Restricting access to files that contain passwords using OS access control features
- Storing one-way cryptographic hashes for passwords instead of storing the passwords themselves
Hashes are the result of passing data, such as passwords, through an algorithm that transforms the original information into a different form. For example, the password ‘default’ could be mapped to an integer such as 15. Only the network host knows that 15 stands for the password ‘default’.
Using hashes allows computers to authenticate a user’s password without storing the actual password.
Even when passwords are protected with hashes, an attacker can still uncover them via transmission. When a user enters a password into a computer, the password or hash is often transmitted between hosts over the network to authenticate that user. This transmission action is vulnerable to attack. You can reduce this risk by encrypting your passwords or the transmissions containing the passwords.
You can also avoid transmission risks by storing passwords on paper. Such papers should be physically secured in a locked safe or file cabinet. Be sure to properly discard any password-containing papers by shredding them.
However, storing passwords on paper cannot protect against means of capturing passwords that rely on user behaviour, such as malware. For example, Trojan horses and keylogger malware observe user activity, such as which keys a user presses, to discover their usernames and passwords. Mitigate these threats by regularly scanning your computers with antimalware and antivirus software.
Users can also endanger password security by responding to phishing attempts, which redirect a user to a malicious website posing as a legitimate one that asks for sensitive information such as usernames and passwords. Caution against downloading files from unknown sources.
Password Guessing and Cracking
Attackers attempt to discover weak passwords through guessing, and recover passwords from password hashes through cracking.
Guessing is simple: An attacker attempts to uncover a password by repeatedly guessing default passwords, dictionary words and other possible passwords. Anyone who has access to the authentication interface can try to guess a password.
That's why strong passwords are necessary for cyber security. Never pick a password that someone could easily guess, and make sure to reasonably limit the number of authentication attempts to prevent unlimited guessing.
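The "reasonably limit the number of authentication attempts" advice above is easy to state but worth seeing concretely. The following is an added example, not code from the original article: a per-account throttle that locks an account after a number of failures within a window and doubles the lockout each time it recurs. The thresholds, the account name and the fake clock used for the demonstration are all constructed assumptions.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List


class LoginThrottle:
    """Track failed logins per account and refuse further attempts once a
    threshold is reached; repeated lockouts back off exponentially.

    Unlimited guessing lets an attacker work through an entire dictionary;
    a lockout with a growing delay bounds the guesses possible per hour.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 base_lockout_seconds: int = 60,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures          # assumed threshold
        self.window = window_seconds              # assumed counting window
        self.base_lockout = base_lockout_seconds  # assumed first lockout
        self.clock = clock
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}
        self._lockouts: Dict[str, int] = defaultdict(int)

    def _prune(self, account: str, now: float) -> None:
        # Forget failures older than the window so stale attempts do not count.
        self._failures[account] = [t for t in self._failures[account]
                                   if now - t < self.window]

    def is_allowed(self, account: str) -> bool:
        now = self.clock()
        if self._locked_until.get(account, 0.0) > now:
            return False
        self._prune(account, now)
        return len(self._failures[account]) < self.max_failures

    def record_failure(self, account: str) -> None:
        now = self.clock()
        self._failures[account].append(now)
        self._prune(account, now)
        if len(self._failures[account]) >= self.max_failures:
            # Exponential backoff: each successive lockout doubles the delay.
            self._lockouts[account] += 1
            delay = self.base_lockout * 2 ** (self._lockouts[account] - 1)
            self._locked_until[account] = now + delay
            self._failures[account].clear()

    def record_success(self, account: str) -> None:
        # A genuine login clears the account's history.
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)
        self._lockouts.pop(account, None)

    def seconds_until_unlocked(self, account: str) -> float:
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())


class FakeClock:
    """Controllable clock so the demonstration runs instantly and offline."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo():
    """Simulate a guessing run against one constructed account and return
    (guesses allowed before first lockout, first lockout, second lockout)."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    account = "alice@example.com"  # constructed account name
    allowed = 0
    while throttle.is_allowed(account):
        allowed += 1
        throttle.record_failure(account)
    first_lock = throttle.seconds_until_unlocked(account)
    clock.t += first_lock  # wait out the first lockout
    while throttle.is_allowed(account):
        throttle.record_failure(account)
    second_lock = throttle.seconds_until_unlocked(account)
    return allowed, first_lock, second_lock


if __name__ == "__main__":
    print(demo())  # (5, 60.0, 120.0)
```

Note that the throttle counts per account, so it limits attacks on one password; a separate per-source-address limit is the usual companion control for attackers who try one guess against many accounts.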
Cracking is a little more complicated. Attackers gain access to password hashes and attempt to discover a character string that will produce the same encrypted hash as the password. If the hash algorithm is weak, cracking is much easier.
Hash functions should be one-way, meaning passwords only go from original to encrypted, not vice versa. Hash functions make it nearly impossible to derive the original text from the character string. As with guessing, cracking can also be prevented by choosing strong passwords and periodically changing them.
When users forget their passwords, they have two options: reset the password (change it to a new one) or recover the password (get access to the current one). If your identity is not properly verified in a reset or recovery request, an attacker could easily pose as you, gain unauthorised access to the system, application or data and provide a password that only they know.
This replaces your original password with something unknown, barring you from the system.
All attempts to reset or recover a password should start with a rigorous verification process. Verification should not hinge on information that can be easily obtained, such as birth date, employee number or mother’s maiden name. Instead, consider personal or subjective information that only the user knows.
When an attacker compromises a password through any of the previously mentioned methods, that attacker will have unauthorized access until you change your password. For this reason, many organizations use automatic password expiration measures to ensure no password remains valid forever.
Yet password expiration is futile if the root cause of a compromised password is not fixed. For example, if an attacker uses cracking to obtain a password, automatic password expiration will not solve the security problem because the attacker can simply use the same process again. If you use automatic password expiration, make sure you have a plan in place to secure your system and reset passwords in the event of a security breach. When one password is compromised, reset all passwords just to be safe.
Scrivens has the following strong password rules you can set in place to help protect your identity and keep your data safe:
8 Strong Password Rules to Protect Yourself Online
- Don't use names of spouses, kids, pets, etc. All it takes for a hacker to crack passwords that include these things is a little research on social media sites like Facebook and Twitter.
- Don't use passwords that include bank account numbers, credit card numbers, or birthdays. Not only could hackers use these passwords to gain unauthorized access, they could use these to empty your bank accounts or charge thousands of dollars to your credit cards.
- Passwords should be easy to remember but hard to guess. Passphrases are more effective than passwords; think of an important event that has happened in your life and make a sentence out of it. Then, remove the spaces, turn a word or two into a shorthand or intentionally misspell a word, and add significant numbers if there are none in the sentence (e.g., if you adopted two golden retrievers in 2007, you might end up with "2goldenretreevers07").
- Change your passwords every 60-90 days. This may seem like a hassle at first, but hackers have a better chance at cracking your passwords if they never change. Also, don't reuse passwords.
- Passwords should be at least twelve characters long. Generally, the longer a password is, the harder it is to guess.
- Don't use the same password for each account. Hackers target lower security websites and then test cracked passwords on higher security sites. Make sure each account has a different password.
- Include uppercase letters and special characters. Special characters include symbols like "#", "*", "+", and "<". Be c.r!ea^ti%e!
- Make your security questions just as secure. When you click "Forgot password", most sites simply require the answer to a question like "Mother's maiden name". Typically, these answers are much easier to crack than passwords. Make sure your answers are as hard to guess as your password.
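The rules above (and the common-password check suggested later in the article) can be turned into a single policy check that tells a user which rules a candidate password breaks. This is an added example, not code from the original article; the common-password list, the personal-name list and the sample passwords are constructed, and a real deployment would use a much larger breached-password list and the user's own profile data.

```python
import re
from typing import Iterable, List, Sequence

# Constructed lists for the example only.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "password1", "iloveyou"}
PERSONAL_TERMS = ["Rex", "Lucy", "Tom"]   # pet and family names (constructed)
MIN_LENGTH = 12                           # rule from the article: 12+ characters


def check_password(password: str,
                   personal_terms: Sequence[str] = PERSONAL_TERMS,
                   used_elsewhere: Iterable[str] = ()) -> List[str]:
    """Return the list of rules the password breaks; an empty list passes."""
    problems: List[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isupper() for ch in password):
        problems.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    # Names of spouses, kids and pets are discoverable on social media.
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal name '{term}'")
    # Runs of eight or more digits look like account numbers or YYYYMMDD dates.
    if re.search(r"\d{8,}", password):
        problems.append("contains a long digit run (account number or date?)")
    # Reuse lets a breach at a weak site unlock stronger ones.
    if password in set(used_elsewhere):
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    for candidate in ["2goldenretreevers07", "2GoldenRetreevers07!", "password"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Run against the article's own passphrase example, the checker reports only the two rules it misses (no uppercase letter, no special character), which shows how the list of rules composes: a long, memorable passphrase plus a capital and a symbol satisfies all of them.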
Many apps and websites are beginning to take the security of their users seriously and provide added protection. Always take advantage of these added features, including multi-factor authentication, biometric security (e.g., fingerprint), code generators, etc.
To protect yourself even further, consider personal cyber insurance. In Ontario, it's often added to your home insurance or condo insurance as an endorsement.
Speak with your Ontario insurance broker today to see if personal cyber insurance is an option for you.
Is your password on this list of the most common passwords in 2021?
Despite the amount of awareness and data to back up the risk of using "easy" passwords, they are still being used in 2021. Check the list below to see if any of your passwords are one of the most common passwords:
On-going password management will help prevent unauthorized attackers from compromising your password-protected information. Effective password management protects the integrity, availability and confidentiality of your passwords.
Integrity and availability should be ensured by typical data security controls, such as using access control lists to prevent attackers from overwriting passwords and having secured backups of password files. Confidentiality, on the other hand, is much harder to ensure—it involves implementing diverse security measures and making decisions about the nature of passwords themselves.
For example, you should use long, complex passwords with a mixture of numbers and letters. However, complex passwords are harder to remember, which means you're more likely to write them down and subsequently endanger your system’s security. This presents a dilemma in which one security measure (choosing a long, complex password) conflicts with another (never writing down your password).
Protecting Your Passwords
You can help resolve conflicting security measures by implementing the following security recommendations:
- Create a password policy that specifies all of the organization’s password management-related requirements.
- Protect passwords from attacks that capture passwords.
- Configure password mechanisms to reduce the likelihood of successful password guessing and cracking.
- Determine requirements for password expiration based on balancing security needs and usability.
Managing your password security risk can be a difficult process—threats are unrelenting. Contact the insurance professionals at Scrivens for more information on mitigating your cyber risks and protecting your assets.
The Importance of Two-Factor Authentication
As cyber attacks become more and more common, protecting your data is increasingly difficult. In fact, a study from Juniper Research found that by 2023, cyber criminals are expected to steal an estimated 33 billion records.
In light of the growing number of cyber attacks, many people are turning to two-factor authentication (also commonly called 2FA or multifactor authentication) to enhance their cyber security.
While no cyber security method is foolproof, using two-factor authentication can add an extra layer of security to your online accounts. So how exactly does two-factor authentication work?
What Is Two-factor Authentication?
While complex passwords can help deter cyber criminals, they can still be cracked. To further prevent cyber criminals from gaining access to your accounts, two-factor authentication is key.
Two-factor authentication adds a layer of security that allows you to protect against compromised credentials. Through this method, you must confirm your identity by providing extra information (e.g., a phone number or unique security code) when attempting to access applications, networks and servers.
With two-factor authentication, it’s not enough to just have your username and password. In order to log in to an online account, you’ll need another “factor” to verify your identity. This additional login hurdle means that would-be cyber criminals won’t easily unlock an account, even if they have the password in hand.
A more secure way to complete two-factor authentication is to use a time-based one-time password (TOTP). A TOTP is a temporary passcode that is generated by an algorithm (meaning it’ll expire if you don’t use it after a certain period of time). With this method, users download an authenticator app, such as those available through Google or Microsoft, onto a trusted device. Those apps will then generate a TOTP, which users will manually enter to complete login.
Why Two-factor Authentication and Password Management Are Important
In its password guidance for secure digital services, the federal government recommends using two-factor or multi-factor authentication whenever possible to prevent cyber attacks. Ongoing password management can help prevent unauthorized attackers from compromising your password-protected information.
Effective password management protects the integrity, availability and confidentiality of your passwords.
Above all, you’ll want to create a password policy that specifies all of the requirements related to password management. This means you should change your password on a regular basis, avoid using the same password for multiple accounts and use special characters in your password.