Importance of strong passwords and practices
We all know that passwords is the base for all cybersecurity, but do we really understand their importance? Your password is the keys to your digital kingdom, whether it is for a personal account or a work account. Your accounts are a repository of your sensitive personal and business information so in essence, passwords should be given as much care, if not more, as the keys to your home.
How are passwords breached?
Some of the ways people gain unauthorised access to passwords are very simple, while others are very complex. Some are very easily preventable, and others are more difficult to detect.
A person looking at someone’s screen or at their keyboard to see what the person is typing when entering a password is known as “Shoulder Surfing”.
Keylogging is performed by malicious software that records what a person is typing and sends the information back to an attacker. This software can be installed remotely through malware or a backdoor network connection or can be installed on a computer through a physically connected device, such as a USB Flash Drive or specialised device.
Password guessing is possible where common passwords are in use. Some of the most commonly used passwords for 2020 were:
· 123456, 123456789, 12345678, 1234567890
· picture1
· password, password1
· 111111
· senha
· qwerty
· abc123
· iloveyou
Information obtained from https://nordpass.com/most-common-passwords-list/
Another common way passwords are breached are the result of people writing down their passwords on papers, sticky notes, in notebooks or by storing them in in plaintext (unencrypted) files on their computer. Occasionally, some applications or cloud services also store passwords in plain text which is more difficult to detect for general users.
Accidental disclosure of passwords or answers to security questions by way of social engineering is also common. Social engineering includes Phishing attacks but can also occur in person or on social media. An attacker manipulates the narrative or conversation that encourages a user to either disclose their password verbally or enter their credentials into a spoofed or malicious web page.
Brute force attacks can be conducted in various ways, but the basic premise is that an attacker attempts to discover a password by trying commonly used passwords and combinations of dictionary words, symbols, and numbers to compromise and account. These attacks can be automated which allows them to be performed “low and slow” to circumvent detection mechanisms by using a bot who tries passwords at a specified interval, rather than in rapid succession to avoid triggering suspicious behaviour alerts.
Hash cracking is a form of interception or data exfiltration attack. In an interception attack an attacker steals a password has while in transit or during and authenticated session through a session cookie or similar. A data exfiltration attack is carried out as a part of a larger attack where an attacker has compromised a system and managed to locate password hashes within that system which are stolen and sent back to the attacker’ to begin cracking. Cracking is performed by a specialist software tool – some of which are freely available on the internet which attempts to decode the hash that has been stolen. Cracked passwords can be sold on the DarkWeb, allowing attackers to purchase passwords that someone else has done the legwork in discovering.
How can I protect my password?
To prevent Shoulder Surfing attacks, there are a number of things you can do. Cover your hands when entering a PIN number or using a pattern unlock. Ensure there are no cameras with visibility of your screen or your keyboard. Where possible, enable password hiding on your screen and only view the entered password in plain text if you need to confirm what you have entered or check for mistakes.
Preventing keyloggers from recording your keystrokes can be as simple as checking your computer for suspicious connected devices and removing them or running endpoint protection on your device. Endpoint Protection or Next Generation Anti-Virus (NGAV) on your device will detect suspicious programs or processes running and quarantine them, preventing them from operating and stealing your keystroke and typing behavioural information You can also use on-screen virtual keyboards to prevent keystrokes being recorded.
For 15 years the NIST standard dictated that passwords should consist of 8 characters and should include numbers, special characters, and capital letters. This is no longer necessarily the case and NIST have now expressed that a longer password is better. Using a passphrase – something that is long but easy to remember for you like a short sentence, provides greater assurance as it will increase the time it takes for an attacker to crack the password and makes them more difficult to guess. It can take as little as 8 hours to crack a password that consists of 8 characters and contains capital letters, numbers, and symbols whereas it may take 23million years to crack a password that only contains lowercase letters but is 18 characters long.
Making passwords unique and hard to guess for each account is of paramount importance. Never use common dictionary words on their own or personal information in your passwords like birthdays, family or pet names etc. This makes passwords too easy to guess. Having unique passwords prevents an attacker from accessing multiple accounts if they manage to get hold of a password, as they are likely to try re-using your password to access any other known accounts.
This presents another problem in itself – having to remember all those unique passwords. You can use a password manager to store all your passwords and there are a range of options available - some are even free for personal use. This means you only have to remember your master password for your password vault and some allow access through a PIN or biometric fingerprint or face recognition access. It is a good idea to find one that offers an encrypted backup so that if you lose access to the application (your device breaks or is wiped) you can restore your password cache from you backup. It also eliminates the problem of having to write your passwords down to remember them, as they are stored on your device in an encrypted (not readable to a human or a computer without a key) format and can only be viewed if the user is authenticated. We recommend getting rid of any password that are written down anywhere immediately.
Enabling 2FA or MFA (Multi-Factor Authentication) on your accounts adds another layer of protection alongside your password. Using MFA means that even if an attacker manages to get hold of your password, they are still required to enter a One Time Password (OTP) or a token/application generated code to access the account, making a password on its own useless.
You may be faced with a scenario that seems suspicious or like an attempt at social engineering. The easy answer to this is to never disclose your password to another person. Your password should be kept confidential at all times. Never let someone else use your account or web session for any activity – no exceptions. Log out of your account when you finish using the website, application or device before closing them and don’t use the feature on the web browser that allows you to save your password - often these can very easily be breached.
A less obvious way to protect your password is to be careful when you are browsing the internet. Only visit known sites and never access sites that have highly sensitive personal information on them, like internet banking or similar, by clicking on a link in an email. Instead, it is best practice to enter the correct URL into your browser search bar to ensure you are accessing the legitimate site. Any time you are asked to enter your access credentials when attempting to access a website from an email link should also be treated as highly suspicious as well. Check for the padlock at the beginning of the address bar of your web browser and that the site begins with https to ensure the site you are visiting is encrypted. This means any information intercepted while you are interacting with the site will be unreadable. It is also a good idea to check URLs for small differences such as spelling mistake, letter replacements or grammatical differences which indicates it may be a spoofed website. An example could be that a W has been replaced with two V’s (VV).
Takeaways:
This is a lot of information to digest so here’s a brief summary:
Be aware of onlookers when entering passwords or PINs to prevent shoulder surfing
Use NGAV on your devices to detect keyloggers and prevent malware
Use long passphrases to make your passwords strong
Use unique passwords for every account – use a password manager to help remembering all of them and store them safely
Turn MFA on all accounts you can
Never share your password with anyone and always log out when you’re finished
Only visit trusted websites and check for the padlock or https in the browser address bar to make sure the site you are using is encrypted. Verify the URL before interacting with the website.
This article is also published on Cyber Tribe’s website - Another Capacitate Group Company - you can view it on their site here.