I recently went around the Texas and Oklahoma area performing Small Credit Union Workshops. During the first session, I was asked about passwords. I then immediately built password training back into my workshop because, even though passwords have been around a long time, many people are still unclear about what to do.
It reminded me of an article I read in Wired a couple of years back. Here are a few points you should know from that article.
How Your Passwords Get Hacked:
- The simplest hack is guessing. Although people are told not to, they still pick predictable and common passwords. Yes, variations of the word P@$$w0rd as well as the actual word itself are still being used. Free software tools exist so that even the most non-technical person can hack a password.
- Password reuse. Once a password is compromised, it is dumped online for other criminals to use. So if you read about a hack with your LinkedIn account, and that password is used somewhere else, change the password on the other accounts as well.
- Phishing. E-mails containing links to spoofed sites are a common technique. For example, by sending an e-mail with a link to a bogus e-mail login site, the perpetrator can capture the actual password, then log into the account to learn the victim's behaviors and mannerisms, how they access accounts, and which financial institutions they use.
- Malware. Hidden programs on your computer send data to the perpetrator. This is common in cyber espionage. “Hackers are increasingly going after small business,” says Jeremy Grant of the Department of Commerce’s National Strategy for Trusted Identities in Cyberspace. “They have more money than individuals and less protection than large corporations”.
Although a password hack may seem inevitable, there are some do’s and don’ts you can follow.
Don’t:
- Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all.
- Use a dictionary word as your password. If you must, then string several together into a pass phrase. Cracking programs can go through a dictionary listing in seconds.
- Use standard number substitutions. Think P455wOrd is a good password? N0p3! Cracking tools now have those built in.
- Use a short password, no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.
Do:
- Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
- Give bogus answers to security questions. Think of them as a secondary password. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
- Scrub your online presence. One of the easiest ways to hack into an account is through your e-mail and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
- Use a unique, secure e-mail address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name so it can’t be easily guessed.
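One way to turn the password don’ts above into an automated policy check, as an added example that is not part of the original post or the Wired article: it undoes the standard number substitutions the way cracking rules do, flags dictionary words and short passwords, and gives a rough crack-time estimate that shows why length (and a multi-word pass phrase) wins. The wordlist, dictionary size and guess rate are constructed or assumed values, not figures from the post.

```python
import re
import string

# Constructed mini-wordlist for the demo; a real checker loads a full dictionary.
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein", "credit", "union"}
ASSUMED_DICT_SIZE = 100_000      # assumed size of a cracker's real wordlist
ASSUMED_GUESSES_PER_SEC = 1e10   # assumed offline guess rate; not from the post
LEET_CHARS = "@4$501!37"

# The "standard number substitutions" the post warns about, undone here.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def normalize(pw: str) -> str:
    """Undo substitutions and casing the way cracking rules do: P455wOrd -> password."""
    return pw.translate(LEET).lower()


def charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    return sum(len(c) for c in classes if any(ch in c for ch in pw))


def check_password(pw: str) -> dict:
    """Flag the post's don'ts and return a rough crack-time estimate in seconds."""
    problems = []
    # Split the normalized form into letter runs: "credit union" -> ["credit", "union"]
    pieces = [p for p in re.split(r"[^a-z]+", normalize(pw)) if p]
    if len(pw) < 12:
        problems.append("too short")
    if pieces and all(p in WORDLIST for p in pieces):
        problems.append("dictionary word(s)")
        if any(ch in LEET_CHARS for ch in pw):
            problems.append("standard substitutions")
        # A cracker tries dictionary^N word combinations, times a small factor
        # for casing/substitution rules (16 is an assumed round number).
        guesses = ASSUMED_DICT_SIZE ** len(pieces) * 16
    else:
        # Otherwise assume brute force over the observed alphabet: length dominates.
        guesses = charset_size(pw) ** len(pw)
    return {"problems": problems, "crack_seconds": guesses / ASSUMED_GUESSES_PER_SEC}


if __name__ == "__main__":
    for candidate in ("P455wOrd", "h6!r$q", "credit union summer dragon"):
        print(candidate, check_password(candidate))
```

Running it shows the post’s three cases: the substituted dictionary word and the short random string both fall in seconds, while four dictionary words strung together survive for years even against a dictionary-based attack.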
It is not only important to protect your own password, but also critical to train staff members at the credit unions on the risks of weak passwords. Keep in mind, your network is only as secure as your weakest password.
Source: Mat Honan, Wired