It is really important to understand why you need secure passwords. There are a variety of reasons why someone may want to gain access to your online accounts but ultimately hackers want to gain access to your system and block your access until a sum of money is paid (ransomware) or sell your passwords on. Those that want to buy them only do so for illegitimate reasons.
How are passwords compromised?
Your password could be obtained via a brute-force attack. For example, the automated attack might try all the words in a dictionary, or most commonly used passwords, or a combination of letters and numbers. A vast number of people still choose to utilise their partner/child/pet name as their password, the word ‘password’ or even ‘123456789’. It is estimated that 20% of people use these easy to crack passwords and often duplicate the same password for ALL their accounts including their business accounts. To put this into perspective, it would take less than 5 minutes to brute force a password of 5 letters in lowercase, not featured in the dictionary. Imagine how much quicker that would be if your password is in the dictionary.
Your password is released by hackers via a data breach. 4 years ago, popular professional site LinkedIn was compromised and a huge 117 million logins and passwords were released. At that time, only 6.5 million passwords were posted online. However, on 18 May 2016 more than a 100 million were posted online. The news site Motherboard who first reported on this issue were able to confirm that the data released in the breach contained still actively used passwords confirming this posed a considerable security risk.
You are the victim of a spam/phishing/malware scam. This is one of the biggest threats to enterprises now and can take the form of Cryptolocker which is propagated by infected email attachments encrypting files which are considered unfeasible to unbreak without backups or by paying a large ransom usually in bitcoins. SAMSAM is a fairly new type of ransomware variant known to encrypt files including backup data via compromising servers and then moving vertically across the network to compromise machines as well.
You think you should be safe when using public Wi-Fi right? Wrong. Sniffers or MITM can intercept any information including usernames and passwords sent from your device to the router without you having any idea. They might not even be in the same room as you. How are you sure you are connecting to a valid and trustworthy source? You could be connecting to a rogue hotspot setup to look like it’s genuine. Common places for being hacked in this way include hotels, coffee shops and even hospitals.
- Encrypt your connection with a Virtual Private Network (VPN)
- Ensure your antivirus is up to date, we recommend BitDefender, contact us for a quote
- Use a firewall.
Do you ever use pubic workstations? Then think again. There have been instances of keystroke logging software being installed on public internet terminals. This type of software is invincible stealth type that enables the hacker to see Every. Single. Keystroke. entered into that device thus gathering user account details and passwords from unsuspecting users.
Our best advice is to not use public workstations at all but if you must:
- Do not access any critical accounts.
- If possible, scan for spyware
- Delete your files and cookies and remove your browsing history
- Delete any documents
- Empty the recycle bin
- Consider changing any passwords used once you are back on a secure private connection
How can I create a good password?
There are many password generators available online such as this one but it can be tricky to remember them in which case you may wish to consider using a Password Manager to store all of your passwords for you. We suggest Dashlane.
Another method often used is to use a memorable phrase for example – “Roberto di Matteo appointed Aston Villa manager from May 2016!” could be changed to “RdM@AVmfM2016!”. If you can go a step further and change letters to symbols such as an ‘a’ to ‘@’, then all the better. This is particularly useful when setting a master password (for example to access a password manager).
What constitutes a strong password?
A strong password should consist of minimum of 8 characters but ideally 12 including a mixture of upper and lower case, numbers and symbols/non alphanumeric characters. It should not contain a dictionary word, name or company name.
Hello2u! is not strong because it contains a complete word. H3ll02u! would be a better alternative because it contains upper and lower case, symbols but it not a complete word.
Golden Rules when creating passwords
- You MUST have a unique password for every service of site you use. If you use a single password for all accounts and a hacker discovers it, they then have access to the rest of your accounts. Don’t make it easy for them!
- Enable two-step verification where possible
- Create and remember a STRONG master password, do not write it down or record it
- Consider using a password manager secured with a master password as point 3 above
- Don’t share your password and don’t store them on your devices, especially those they are designed to protect
- Change your password regularly
Finally….
Be aware of spam and phishing scams which can also compromise your sensitive data including usernames and passwords. See our guide on Avoiding email viruses and protecting against spam emails here
As always, if we can help you further please contact us on 01344 989 131 or email us on sales@ventrus.co.uk