More blog items

Make Password Security Your New Years Resolution

The massive growth in people working remotely from home, alongside cloud computing services, have made poor password management a significant risk for businesses and individuals. In this post we encourage readers to make password security a high priority in 2023.

Passwords aren’t a new phenomenon. The Romans referred to them as ‘watchwords’ and they are referenced in the biblical book of Judges where they were used in military applications.

The first computer passwords are thought to have originated in the mid-1960s at the Massachusetts Institute of Technology. Their Compatible Time-Sharing System (CTSS) was a very early pioneer of many of the IT systems we are familiar with today including e-mail, instant messaging and file-sharing. Password protected accounts were used to enable individual users to use various terminals to log in and make use of the system.

But there has never been a time when ordinary people were ever required to establish and manage as many passwords as we are today. The average person today has around 191 services for which they need to manage login credentials. 

Common Password Attacks

Cybersecurity threats are a significant and growing concern for both organisations and individuals. Our daily lives involve multiple accounts, from banking to online shopping and streaming services. And cyber criminals know that many organisations don’t adequately prioritise password security. Here are some of the most common methods they use to steal passwords and personal credentials.

Phishing or Social Engineering Attacks

Phishing is a fraudulent practice in which targeted victims have their personal details stolen. This is typically achieved by sending messages, possibly via email or social media, that appear to be from legitimate sources but in fact contain malicious links which, when clicked, enable criminals to elicit personal information such as credit card numbers.

Brute Force Attacks

A brute force attack is a well known hacking technique that uses trial-and-error to effectively guess login credentials. Cybercriminals are able to purchase extensive lists of compromised account passwords from the Dark Web, which is effectively a hidden aspect of the internet. Automated software hacking tools quickly work through these lists and often include clever password guessing algorithms that can enable passwords to be determined.

Targeted, Surgical Attacks

In targeted attacks cybercriminals identify specific people whose login credentials they want to acquire. They then investigate their social media accounts and all other aspects of their online activity and presence to determine their birth dates, addresses, information about other family members and any other personal details. They know that people tend to use memorable information such as their children’s names, previous addresses or birthdays to create their passwords.

SIM Swapping

SIM swapping is also known as SIM hijacking, SIM jacking, SIM splitting or a port-out scam. It’s a form of identify theft in which criminals exploit the mobile phone service provider`s ability to seamlessly port a phone number to a device containing a different subscriber identity module (SIM). This mobile number portability feature is normally used when a phone is lost or stolen, or a customer is switching service to a new phone. But fraudsters can exploit this service by convincing the service provider to port the victim’s phone number to the fraudster’s SIM. This is achieved by collecting enough personal information on the target to enable the criminal to appear to be legitimate to the mobile phone service provider.

Password Security is Essential

A recent Verizon Data Breach Investigations Report shows how personal credentials are the main method used by cyber criminals to hack into business and organisational IT systems. Around 61% of business security breaches have been attributed to stolen credentials and insecure password practices are recognised for being responsible for 81% of worldwide cyber attacks.

By following some basic password security best practices the risk of having login credentials stolen by cybercriminals is massively reduced.

Password Security Best Practices

It`s vitally important to overcome the: ‘It won’t happen to me’ mindset when it comes to cybersecurity, because it will. Cyber security complacency is what cyber criminals exploit so it`s important to overcome any reluctance you might have regarding your password use and security.

One of the most common password security failings is using the same password for multiple accounts. As noted, we all have numerous accounts and login credentials to remember so it`s inevitable that many use the same passwords, often for both personal and business accounts. But this practice is obviously fraught with risk.

Another common password security failing is making passwords overly simple with very few characters. While this can help make them memorable it also makes them far easier to guess and hack.

Follow these actionable best practice now to make certain you are prepared for 2023.

• Use unique passwords for each account.
  • This is possibly the most important password security recommendation. While it can be very difficult to remember all of the passwords used, especially when they are complex, there are password management tools that can help (discussed below). Using unique, complex passwords for each and every account is essential.
• Never use personal information in a password.
  • As noted, cyber criminals will often research personal information to determine what someone might have used for their passwords. Birth dates, children’s names, anniversary dates, previous addresses and pet names are all examples of what people often choose to use for their passwords as they are easily remembered. But cyber criminals know this and their software tools will churn out password possibilities based on data they`ve collected.
• Always assess your password strength.
  • When creating accounts or changing passwords the proposed password is generally assessed and the strength is reported. It`s important to pay attention to this assessment as it indicates whether the proposed password is likely to be hacked. If a password is indicated to be weak, strengthen it.
• Make passwords long and complex.
  • Assessments show how longer, complex passwords are far more secure. Generally passwords should be over 12 characters in length and include both upper and lower case characters as well as numbers and special characters. Make certain the account password strength assessment indicates your chosen password is strong.
• Enable two factor authentication (2fa).
  • Multi factor authentication requires people to verify themselves both via their normal login credentials (user name and password) along with a second verification factor. Almost every online service from banking to online shopping offers the option of adding a second stage in the verification process. This should always be enabled and used. Even if a cybercriminal has somehow determined your login credentials 2fa will protect your account.
• Routinely change your passwords.
  • It`s important not be complacent about password security which is why passwords should be regularly changed and updated. Some recommend that passwords are changed every quarter and in some organisations fresh passwords are required every month.
• Use a password manager.
  • While many are talking about passwordless cyber security, these systems are not likely to become common for some time. Until then we all face the challenge of managing dozens of unique, complex passwords. Keeping these in a filed list may be convenient but it presents a very significant security risk. Password manager applications such as LastPass, RoboForm or NordPass provide optimum password management solutions.
• Keep devices and software up to date
  • We all use multiple devices to access online accounts including smartphones, laptops, tablets and even gaming platforms. These devices host and run a huge variety of both operating systems and software applications for which updates are routinely released. To prevent vulnerabilities in these platforms and applications from being exploited, all of this software must always be kept up to date.
• Beware of phishing communications
  • Phishing is a scourge we all need to be aware of. Scammers use email, text messages, social media and telephone calls to elicit personal information that can enable them to criminally access accounts. Phishing emails and messages are often designed to prompt the recipient to urgently click a link or open an attachment. For example, fake emails from a recognised organisation telling the recipient they need to update their payment details or account information.

Risk awareness is an important factor in establishing reliable cyber security for both organisations and businesses. Cyber criminals and scammers are continuously developing and refining their techniques which is why we all need to take steps to bolster our online security wherever we can.

If you have any questions about your home or business security, or if you have any special requirements, remember that we are here to help. Give us a call on 01273 475500 and we’ll provide you with free, expert advice.

This message was added on Thursday 29th December 2022