Most people do not know that a handful of very common techniques are used to crack passwords, or how many ways we make our own accounts more vulnerable by choosing simple, widely used passwords.
How people get hacked
Simple Passwords:
Don’t use personal information like your name, age, birth date, child’s name or pet’s name. Statistics from a breach in the last few years that exposed over 32 million passwords showed almost 1% of victims using “123456”, with “12345”, “password”, “qwerty” and “abc123” not far behind.
Dictionary attacks:
Don’t use consecutive keyboard combinations such as asdfg or qwerty. Don’t use dictionary words, slang, commonly misspelled words, or words spelled backward. Dictionary attacks rely on software that automatically enters common words into password fields. Cracking passwords becomes almost effortless when a tool like John the Ripper is used.
Social Engineering:
An alternative to traditional hacking techniques, social engineering is the act of manipulating people into giving up confidential information or performing a set of tasks that lead to a compromise of access or systems.
Cracking security questions:
Many people use names as passwords, usually those of partners, kids, relatives or pets, which, given the prevalence of social media these days, take only a little research to find. When you click on the “forgot password” link on a website, you may be asked a question or series of questions, with the answers freely available through your social media profile.
Reuse of passwords across multiple sites:
The reuse of passwords across multiple sites like email, banking and social media can lead to identity theft. Studies carried out by computer scientists at Cambridge University as a result of 2 large security breaches suggest that 31% of users across both services had reused their passwords.
17 Tips to Strengthen Password Security
- Change passwords at least every three months for non-administrative users and 45-60 days for admin accounts.
- Use different passwords for each login credential.
- Avoid reusing an old password for at least a year.
- Be sure no one watches you enter your password.
- Don’t tell anyone your password.
- Always log off or lock your computer when you walk away from your desk.
- Avoid generic accounts and shared passwords.
- Conduct audits periodically to identify weak/duplicate passwords and change as necessary.
- Pick challenging passwords that include a combination of letters (upper and lower case), numbers and special characters (e.g. <$>, <%> and <&>).
- Avoid personal information such as birth dates, pet names and sports.
- Use passwords or passphrases of 12+ characters.
- Use a password manager such as LastPass, where users need just one master password (though obviously this master password needs to be highly complex as well).
- Don’t use a browser’s auto-fill function for passwords.
- Use comprehensive and up-to-date security software to avoid malware and keyloggers.
- Don’t write your passwords down on sticky notes and leave them on your desk or computer screen.
- Avoid entering passwords when using unsecured Wi-Fi connections at the airport or coffee shops.
- Avoid entering passwords on computers you don’t control, i.e. computers at an Internet café or library, which may not have security in place or may contain malware that can steal your passwords.
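
The audit tip above can be automated. The following Python sketch is an added example, not part of the original article: it checks a candidate password against the rules listed here (12+ characters, mixed character classes, no widely used passwords, no keyboard sequences, no dictionary words forward or backward, no personal information) and flags reuse across accounts. The function names and the small WORDS list are assumptions made for illustration.

```python
import string

COMMON = {"123456", "12345", "password", "qwerty", "abc123"}  # named in the article
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Constructed stand-in dictionary (assumption); a real audit loads a full wordlist.
WORDS = {"dragon", "monkey", "sunshine", "football"}
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def check_password(pw, personal=()):
    """Return the list of rules pw violates; an empty list means it passes."""
    low = pw.lower()
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not all(any(c in cls for c in pw) for cls in CLASSES):
        problems.append("missing upper/lower/digit/special mix")
    if low in COMMON:
        problems.append("widely used password")
    if has_keyboard_run(pw):
        problems.append("keyboard sequence")
    if any(w in low or w[::-1] in low for w in WORDS):
        problems.append("dictionary word (forward or backward)")
    if any(p.lower() in low for p in personal if p):
        problems.append("contains personal information")
    return problems


def find_reuse(accounts):
    """Map each password used by more than one account to those account names."""
    seen = {}
    for name, pw in accounts.items():
        seen.setdefault(pw, []).append(name)
    return {pw: names for pw, names in seen.items() if len(names) > 1}
```

Run it locally at the point where a password is chosen, passing the user's own names and dates as `personal`, so that nothing is stored or sent anywhere.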