Passwords are essential to online security. You know it, I know it, we all know it. But if you’re like the many people, you probably have dozens of passwords to remember. Almost every site or online account requires one and many have different requirements. It’s a lot. As a result, people tend to take shortcuts. Unfortunately, these shortcuts and taking advantage of this laissez-faire attitude is one way bad guys access your passwords.
Incredibly, there are still people out there using “password” or “123456” in their access credentials. In fact, these two have been the most commonly used passwords for the past seven years. One of the biggest reasons for this is people neglecting to change the default passwords on their devices. So, anyone can pick up a router, IP camera, or smarthome device look at the sticker identifying the password, and access that network/device.
So what can you do to prevent this from happening?
Step 1:
Avoid the obvious/default passwords! When you have to create a password, make an effort. When it’s time to update a password, do so. Steer clear of simple, easily guessed patterns.
It's also important not to use any personal information in a password. With a little bit of research about you online, cyber criminals can make some pretty informed guesses. Common passwords include pet names, birthdays, and anniversaries. These are all easy to find via social media accounts or public record so avoid using anything like this.
Step 2:
Be careful what you do and share on social media! Don’t befriend strangers, as you are potentially giving them access to a goldmine of info for personalizing an attack on you. This goes hand-in-hand with step 1 and not using personal info in your passwords.
Also be aware of fake accounts set up by attackers posing as friends. An increasingly common method for cyber criminals is to pose as someone you know who "forgot their account" and created a new one. This of course is nothing more than a ruse to get you to add them as a friend thereby giving them access to your profile.
Step 3:
Use a complex password with numbers, letters, and symbols or a passphrase. A passphrase is typically at least 19 characters long but is more memorable, as it unique to you. Be sure to keep these phrases complex however.
Something criminals may try is what's called a brute force attack. In this attack, a criminal will script an automation bot to run thousands of password guesses until they get a hit. The software will try a long list of common passwords and run through dictionary words to gain access. If you do use a passphrase, try to avoid having anything that "makes sense". A phrase like "Crumble bear bottle White Outdoors" is a bit more secure against these types of attacks than something like "nebraska is a great state".
Step 4:
Use a unique password for each site. Each website should have it's own password that is unique to that website/account and is not used by, or remotely similar to any other password you use. The reason for this is to combat password reuse. If an attacker manages to steal one of your passwords, it's much easier to change the password on just one account vs every account that uses the same password.
Now I know that can be overwhelming to remember, but that's why you should be using a password manager. Using a password manager to keep track of it all for you helps relieve them mental strain of remembering lots of complex passwords or phrases. While they do take a little bit of work to set up. A well set up and maintained password manager can make life much easier for you.
Step 5:
Change your passwords regularly. Despite all of the scary sounding things I've written up to this point, the likelihood of being individually targeted by a cyber criminal is actually fairly low (it's possible, but not majorly common).
More commonly criminals will be working with info from a data breach. In early 2019, security researchers found more than 2.7 billion email/password pairs available on the Dark Web. Criminals accessing those databases will use the data as a starting point, as many people duplicate their passwords across accounts. Compromised public computers are also common. Bad guys may have installed a key logger on the computer which then records every key you press on the keyboard. Or they might have compromised a router or server to be able to see your information.
As a result, it's important to regularly change your passwords. This way, even if one of your passwords are compromised by a breach or something similar out of your control, the information the cyber criminal is working with will be outdated and no longer useful. Common intervals for changing passwords are 90, 120 and 180 days. At the bare minimum they should be changed at least once a year.
Step 6:
Pay attention to who is sending you email. Of course, there’s one more method of getting your password that we haven’t addressed yet: the phishing attack. Say you get an email that looks like it was sent by your bank. It's an urgent message and a link that directs you to what looks like a credible page asking you to log in. You provide your username and password and hit "log in" but nothing seems to happen. You may try one or two more times before giving up.
What actually happened though is much more sinister. You see, the website you were at was not actually your banks website but a convincing mock-up created by an attacker. By entering your credentials and hitting "submit", you just sent the attacker the login information he or she needs to access your actual account. This is a phishing attack and one of the most common attacks in the world.
There are a couple of ways to keep from being victimized by them. The first is to pay attention to where the email is coming from. In most email clients you can hover over the senders name to reveal the email address the message was sent from. If the address looks suspicious or out of place you may very well be dealing with a phishing attempt. Another thing you can do is however your mouse cursor over any links present in the email. Again, if they look suspicious they most likely are not legitimate and you should avoid clicking on them. Lastly, if all else fails and you are still worried about whatever account the email claims to be about, open up an internet browser and manually go to the accounts website rather than clicking the link. This guarantees you are going to the right place and most websites will have a notification system within the site itself to inform you if something is actually wrong.
Following these tips should help you to protect your valuable passwords. Should you need assistance with setting up a password manager, coming up with good passwords or amping up other parts of your internet security, feel free to give us a call.