We get asked all the time about passwords. With the huge shift to working from home, security incidents have also spiked significantly. IT support teams are struggling to keep up with the sudden demand to work from home.
Home IT security is often overlooked in favour of simplicity and fast setup.
Fun Password Facts
The most popular passwords are extremely easy to guess. A GitHub page for OWASP’s SecLists project shows the top five most popular passwords across the globe are:
If you use one of these passwords, it's probably a good idea to change it! A couple more facts:
- 59% of people use their name or birthday in their password. There are only so many combinations this creates, and a machine can compute and try all of them in less than a second.
- Employees reuse the same password 13 times on average.
- 81% of hacking-related breaches are linked to passwords.
Ok, enough fun. Down to business.
One step you can take is to set up a password manager.
There are plenty of password managers on the market. Rather than diving into brands and prices, let's look at what features you need to remain secure.
- Ensure the software fully encrypts the passwords and supports two-factor authentication (or multi-factor authentication, MFA, as it's known). MFA systems are not all created equal, but anything that is not your email is a good start. SMS, Google Authenticator, Duo, Authy, YubiKey: these are all good options.
- Use strong, unique passwords for each account. You should rarely have to type them in (the manager should copy and paste the password for you), so make them strong and unique.
- Make sure there is an extension for your favourite browser. This will allow you to auto-fill when browsing to your favourite websites. This is a great protection mechanism, because the extension checks the website address against the one saved with the password. If it doesn't match, it might be a dodgy website trying to get your password!
- Make sure it has a mobile version so you have access to your passwords on the go!
- Only change passwords when you have been compromised. This may be contentious, but it's about taking small steps. Some password managers have a built-in feature to notify you of a breach; otherwise, if you want to check manually, go to https://haveibeenpwned.com/ and put in your email address.
Sounds like a lot of effort…
Sure is! But less effort than dealing with a breach, and the uncertainty of what has been done to your computer, email and bank accounts. A couple more fun facts:
- Only 45% of people change their password after a breach. This is understandable if you use the same email address/password combination everywhere. Using a unique password for each website or service makes changing it a breeze.
- 53% of people rely on their memory to manage passwords. Haven't we got enough to think about these days? Password fatigue is real. Setting up a password manager and creating a single, strong password for that application will reduce password fatigue greatly.
Still not convinced? Here are some of the ways a poor password can be easily used for nefarious means:
- Phishing – usually social engineering via email. A carefully crafted email that captures your login details on a dodgy website made to look like a legitimate one.
- Brute Force – using a program to try thousands of combinations a second to see if it can guess the right one.
- Dictionary Attack – cycles through different passwords built from a dictionary of words and variations (including the standard substitutions like "4" for "a").
- Keylogger – an infected computer can have a keylogger installed that takes a copy of everything you type.
- Password Spraying – trying different username and password combinations across thousands or millions of accounts at once for maximum effect.
- Credential Stuffing – taking a copy of account details from a previous breach of a legitimate website (e.g. LinkedIn or Dropbox) and trying those credentials on many other services where you may have re-used them.
- Rainbow Tables – the last (and most techy) relates to the hashing of passwords: kind of like a cipher or a code, mathematically converting a password into "random" characters to be decoded at the other end. Rainbow tables hold a whole lot of pre-computed hashes with the answers for a lot of password combinations for common ciphers/algorithms. Yikes.
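To show why pre-computed hashes work against weak, unsalted password storage and why a random salt plus a slow key-derivation function defeats them, here is an added example (not code from the original post). The short list of weak passwords is constructed for the demo, not the SecLists data the post refers to, and the table is a plain dictionary standing in for a real rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords for the demo (not the SecLists data the post refers to).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]
KDF_ITERATIONS = 100_000  # slow-down factor for the defensible scheme below


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: fast, deterministic, and therefore precomputable."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute the unsalted hash of every candidate, keyed by hex digest.
    A rainbow table is a space-optimised version of this same idea."""
    return {unsalted_hash(p): p for p in candidates}


def lookup_unsalted(stored_hash: str, table: dict):
    """Recover the password behind an unsalted hash by table lookup (None if not present)."""
    return table.get(stored_hash)


def hash_with_salt(password: str, salt=None):
    """The defensible way to store a password: a random per-user salt plus a slow
    key-derivation function (PBKDF2-HMAC-SHA256). Returns (salt_hex, hash_hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt.hex(), digest.hex()


def verify_salted(password: str, salt_hex: str, hash_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_with_salt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, hash_hex)


def table_finds_salted(stored_hash_hex: str, table: dict) -> bool:
    """A table of unsalted digests never matches a salted PBKDF2 output: the salt
    changes the hashed input and was unknown when the table was built."""
    return stored_hash_hex in table


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print(lookup_unsalted(unsalted_hash("password"), table))  # password
    salt, digest = hash_with_salt("password")
    print(table_finds_salted(digest, table))  # False
```

The same weak password is recovered instantly from the unsalted table, yet two salted hashes of it differ from each other and never appear in the table.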
There are two types of people in the world: those who have been hacked, and those who haven't been hacked YET. It will happen in some fashion. It may already have happened, and you have been lucky. Either way, things change.
$116,575,264 is the amount lost to all scams in Australia in 2020 to date.
People. Businesses. That could be your money. The best cure is prevention. Check out the latest stats here: https://www.scamwatch.gov.au/scam-statistics
IT Security is a continuous improvement process, much like exercising.