PASSWORD SECURITY IS VITAL, BUT HARDER THAN YOU THINK.

 

Written by:   Matthew Hahn, Head of Sax Technology Advisors

 

Did you know that 73% of small businesses have been victims of a cyber-attack?  Passwords protect against unauthorized access, like your house keys, and is an important key to your overall protection.  However, password security is harder than most think. Unfortunately, most technology cannot differentiate you from anyone else. So, someone getting your password allows them access to your data and information as if they were you.

This applies to your password credentials that you use online to protect access to your applications, data or other resources. You need to ensure you are using the strongest passwords to protect yourself where it makes the most sense.

Let’s work to address this important barrier between you and the bad guys so you can protect your personal information, and the sensitive information of your company and clients.

 

It’s worthwhile to briefly explain how basic passwords work:

Instead of storing a user’s actual password, web sites, applications and devices store what’s called a “hash” of your password or in other words, encryption. The hash is a computed representation of your password.

When you choose a new password, the system takes your input and runs complex mathematical computations to get an equally complex string of characters that no longer resembles your password and may not even have the same number of characters. When you go back to that system or application later and give it the password you created, it runs the computation again and compares that to the hash.  The reason for this complex process is to prevent hackers from getting your password from the system you log in to.

 

Why is password security so difficult?

Hackers have evolved beyond someone at a computer typing in different password combinations. The bad guys have computers too, and they use complex computer programs to guess password combinations extremely fast. How fast? How about three hundred billion guesses per second using a high-powered computer. Get a few computers to work together and a 10-character password can be guessed in roughly 37 seconds.

Because password values are stored and computed using commonly acceptable mathematical practices, password values can be pre-computed by just about anyone. When hackers get unauthorized access to a website or a company’s network, they can then get everyone’s password very easily. They collect files or database records that contain hashed password values and match them up to a pre-computed list.

 

76% of business breaches were carried out by compromised user accounts.

Unfortunately, choosing a complex password is not enough when it comes to password security.  With hashing and encrypting becoming stronger, and users creating passwords that are impossible to crack, hackers also update their tactics to get through.

One way that hackers have stepped up their game is by using what is now called phishing emails. These emails are designed to entice you to click a link that brings you to a website that looks and feels like the real thing but is really a fake site that a hacker created to get you to type in your username and password. Once you type in your information, the fake site may redirect you to the real site so you never know anything bad ever happened. These emails are beautifully crafted and trick some of the best security minded people in the business.

Hackers have also developed ways of tracking keystrokes to obtain passwords as you type them. To do this, they design malware and viruses to infect computers with software looking for passwords (called Keyloggers). The malware could potentially search specifically for passwords to bank accounts, hotel and reward accounts, retirement funds, securities and trading accounts or any other accounts that have access to money that they can steal, use to purchase equipment or steal information to sell.

 

You don’t know where that password has been!

It’s unfortunate, but we can never be too careful with passwords. Users can’t always trust the system, website, or application they are using to keep passwords and information safe. Therefore, we must be very careful with how we use and reuse passwords. Once a hacker gets a user name and password combination they will try to use it everywhere. If you use the same user name and password combination for your email, banking, social media, and work computer then it only takes one of those resources to fall victim to an attack to be subsequently broken into all of your accounts.  With that, it is important to create a unique password for each account, so if one password is stolen, the rest will remain safe.

Only when using a secure computer connection is it acceptable to use password keepers or trustworthy applications to store your passwords. These resources can be installed on your smartphone, computer or even be a web-based application. Also, some services allow synchronization between all your devices.

 

WHAT CAN WE DO TO BEST SECURE OUR PASSWORDS?

 

Make it hard to crack.  A basic password that consists of only a combination of entries from a 26-character repertoire (a-z) is much easier to crack than if the range of characters of 52 (a-z and A-Z) or 62 (including digits too) is used. The higher range of characters make passwords more complex and much harder for high powered computers to figure out. Having complex passwords will significantly decrease a hacker’s chance of getting your password.

We encourage you to create a long (10+) character password using a combination of each of the following:

  • Uppercase characters (A through Z)
  • Lowercase characters (a through z)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters: [email protected]#$%^&*_–+=`|\(){}[]:;”‘<>,.?/

Create a new method for generating secure passwords that only you know.  It’s not difficult to come up with your own system of creating complex and secure passwords that combines a variety of characters. One possibility is to start by thinking of a phrase such as: I Love 3 scoops of ice-cream. Then condense the phrase keeping capitals to: IL3SofIC. This gives you a nice complex password that is 10 characters, uses upper and lower-case letters as well as numbers and symbols. Want to make it even more complex?  Add a hyphen between the increment and use the phrase twice, for a complex 22-character password: IL3SofIC-1! Il3SofIC.  Now that’s a solid password.

Be aware of threats to your password security so you can combat them.  Remember, usernames and passwords are not just for accessing data, they’re also authentication mechanisms that identify you as an authorized user. You must maintain control over your data and information. To do this: 1.) Never click a link in an email that you did not expect or from someone you do not know.  2.) Never share your password with anyone. Not only does sharing your password violate the integrity of the authentication process, but also violates the terms and conditions of the services, company or application you are using. 3.) DO NOT send your password via e-mail or give it out over the phone to anyone, ever (even if they say they are from technical support)!

 

HOW CAN SAX TECHNOLOGY ADVISORS HELP?

A missing security patch presents a core reason for network security breaches by giving hackers access to password databases.  Sax Technology Advisors is your cyber security alarm system that expertly monitors your network, alerting you to intrusions or credible cyber security threats by providing fully automated network monitoring, threat detection, downloading and deployment of missing patches while keeping installed anti-virus software up-to-date.

We also emphasize the importance of educating ourselves and our business staff on security awareness – how to identify a phishing email, how to combat threats on a daily basis, and what to do if you are compromised.  We fix vulnerabilities before they are exploited and are the security experts at your side if incident response is needed.

 

For more information on password security, or anything related to cybersecurity overall, feel free to reach out to a Sax Technology Advisor at (973) 554-6050 or visit www.saxtechnology.com to schedule an initial network assessment.

 

Matthew Hahn is the Chief Technology Officer at Sax LLP and Head of the firm’s newest arm, Sax Technology Advisors – a Cybersecurity and Managed IT practice.  Matt has over 25 years of experience in the technology industry, and his proficiencies cover all areas of technology business solutions.  He can be reached at [email protected].