passwords

Jason Ross • May 29, 2019

protecting your information online

Passwords are often the only security mechanism protecting our digital lives; for example, your password is the only protection applied to your email, banking or healthcare details. Good passwords are the foundation of your online security.

Unfortunately, people choose terrible passwords and hackers know this.

Why, you may ask? Probably because good passwords are hard to remember and hard to type for many of us. Hackers know we often choose lousy passwords, and as a result they use freely available automated tools to "hack" your accounts.

Often these attacks are opportunistic; sometimes they are targeted.

There are several well-publicised examples where people's social media accounts have been compromised. In some cases money has been stolen; often the attacker will try to embarrass you by posting inappropriate content to your pages, and sometimes they will delete accounts that you rely on for your business.

how they obtain your password
There are many ways your passwords can be compromised; here are three.
  1. A standard method is to send you an email that looks like it's from Facebook, to take just one example, saying you need to update your account details. If you fall victim to this attack you may supply the attacker with everything they need to access your accounts, not just your Facebook account. This is called a phishing attack, and it's a common tool in the hacker's toolbox because it works. As attackers evolve their campaigns they look more legitimate to most people, even experts like us.
  2. Sometimes the attacker may use a hacking tool to execute an automated dictionary attack of known or commonly used passwords. These tools, once set up, will run until they obtain a result the attacker can exploit.
  3. Sometimes all the attacker may need to do is perform a search on Have I Been Pwned, which may provide them with a valid password they can use. Why do they look for passwords from previously compromised sites? Because most people reuse their passwords elsewhere!

common passwords
Many sites on the Internet publish a list of the top 10 or 25 passwords in use each year. When you look at these (below), you see that many of them use common keystroke patterns such as "qwertyuiop". Some examples of common passwords are:
  - 123456, 1234567, 123321, 555555
  - 123456789, password, 666666, 3rjs1la7qe
  - qwerty, 123123, 18atcskd2w, google
  - 12345678, 987654321, 7777777, 1q2w3e4r5t
  - 111111, qwertyuiop, 1q2w3e4r, 123qwe
  - 1234567890, mynoob, 654321, zxcvbnm
  - 1q2w3e

If you are using any of these passwords you are at risk; we recommend changing them immediately to something less predictable.

what you can do
An excellent place to start is to understand more about passwords; a good video is this one by The Checkout (ABC network, Feb 2018). One thing to remember is never to use the same password on multiple sites. When a website is hacked, its data is lost to criminals. That data will be sold or published so other attackers can obtain the secrets it holds, and attackers often look for passwords because they make other attacks easier to perpetrate.

use a passphrase
We've created a page on passphrases to explain in more detail, but a passphrase is something like "The Quick Brown Fox Jumped over the Computer". These are long, hard to guess yet easy to remember ways of logging into websites and computers. Wherever you can use a passphrase, we recommend you do.
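As an added example (not code from the original post), here is a Python check that applies the advice of the last two sections: it rejects the common passwords listed above, keyboard walks such as "qwertyuiop" along a US keyboard row, and single repeated characters, while letting a multi-word passphrase through. The 12-character minimum is an assumed policy value, not one the post states.

```python
# Rejects the published common passwords and keyboard walks; accepts passphrases.
# The password list below is copied from the post; everything else is constructed.
from typing import Tuple

COMMON_PASSWORDS = {
    "123456", "1234567", "123321", "555555", "123456789", "password",
    "666666", "3rjs1la7qe", "qwerty", "123123", "18atcskd2w", "google",
    "12345678", "987654321", "7777777", "1q2w3e4r5t", "111111", "qwertyuiop",
    "1q2w3e4r", "123qwe", "1234567890", "mynoob", "654321", "zxcvbnm", "1q2w3e",
}

# Rows of a US keyboard, in both directions; adjacent characters in any of these
# strings are neighbouring keys, so "asdf" and "0987" both count as keyboard walks.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_SEQUENCES = _ROWS + [row[::-1] for row in _ROWS]

MIN_LENGTH = 12  # assumed policy value; the post only says passphrases are long


def longest_keyboard_walk(password: str) -> int:
    """Length of the longest run of characters that are consecutive keys on one row."""
    s = password.lower()
    best = 0
    for start in range(len(s)):
        for end in range(start + 1, len(s) + 1):
            if any(s[start:end] in seq for seq in KEYBOARD_SEQUENCES):
                best = max(best, end - start)
            else:
                break  # a longer substring cannot be a walk if this one is not
    return best


def check_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password or passphrase."""
    s = password.lower()
    if s in COMMON_PASSWORDS:
        return False, "appears in the published common-password list"
    if len(set(s)) == 1:
        return False, "one character repeated"
    walk = longest_keyboard_walk(s)
    if walk >= 4:
        return False, f"contains a keyboard walk of {walk} keys"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"
```

Note that "1q2w3e4r" walks down keyboard columns rather than along a row, so it is only caught because it is on the published list; a fuller checker would add column sequences to KEYBOARD_SEQUENCES.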

use Multi-Factor Authentication (MFA)
A password is a single-factor authentication mechanism. Using a token or app that generates a number every 30-60 seconds, in addition to your password, is multi-factor authentication (MFA); with two factors it is often called two-factor authentication (2FA).

We recommend you adopt MFA where it's available; we've provided more information on this page.

use a password manager
Password managers aren't perfect by any stretch of the imagination, but they do provide an easy-to-use tool that lets you store and manage a different password for every site you use.

If you're looking for more information on password managers, we've provided more information on this page.

call us to find out more
