Security is and will continue to be a big issue in the sphere of IT, the growth of phishing attacks, and specifically those that distribute ransomware continues to affect schools right across our region and beyond.
In our previous articles Ransomware – don’t fall victim and Phishing – make sure you’re protected, we explored some key facts and actions that users can take to help keep themselves safe from attack.
We will continue to explore key user actions in more detail in this article series, and in this article we are focussing on password security.
If you just want to know the hows rather than the whys, go to the summary.
Hasn’t computer security got better?
IT and specifically the Internet, is still a very young technology, and this is the reason why it seems to be moving forward so fast, its huge potential is nowhere near being met, the revolution will continue.
But it is now mainstream with whole industries developing it, and this is why we are now seeing much broader scrutiny of the technologies powering it, some of which is used to improve security, and some of which is used to exploit it.
The race is on between the developers and the hackers to protect or hack into your data, and to a certain extent at the moment – the hackers are winning, this is evidenced by the success of Phishing attacks and people being held to ransom but encrypting their data and charging them to get it back.
So to answer the question, yes, computer security has got much much better, and whist no piece of software or system can ever be 100% secure or free of bugs, there is now much more awareness surrounding security of applications and data, which is baked into systems right from inception.
You are the weakest link
Awareness and available research and tools surround computer security has really got the stage where the weakest part of the security model is the user, we are all guilty of using passwords that are too weak, using the same password on multiple sites and not keeping them secure.
This is why one of the greatest tools in the hackers arsenal is the social hack. How do the hackers install malware on your computer? They trick you into doing it, either through a craftily crafted email, or a booby trapped web page, they are using their knowledge of human nature to coerce you into opening the door for them.
That covers the wider subject when it comes to phishing, malware and ransomware, but where do passwords fit into all this?
Again, it’s down to human nature, we remember things by association, so it is natural for us when we are thinking of a password to use the name of our pet, or set our pin numbers to our child’s date of birth. If someone can do some research on you, they have a much smaller selection of things you might use as your password, and therefore it is easier to hack into an account that belongs to you, and knowing us, once they have cracked one account, it is likely they will then be able to crack a range of other accounts, because you probably will have used the same or similar password in multiple places.
How secure is my current password
Depending on what information the person trying to attack your password has, will affect how secure your password is, but in a general brute force attack, you may be surprised at how quickly it could be hacked, just try this tool to see a rough estimate of how long this could take.
How do I make my passwords more secure?
It all comes down to how long it would take perform a brute force attack of your password, so any info that can reduce the range of characters or words you use in your password will reduce this time, this is why websites always say “use at least one uppercase character and one number”, because if we used only lowercase characters, then each digit of your password can only have 26 combinations, whereas with uppercase characters in the mix, it is now 52, plus 10 combinations for numbers, suddenly the number of combinations is much higher.
The number of combinations can be worked out now as N to the power of C, where N is the number of characters, and C is the number or characters that could be used. So the number of combinations goes up exponentially for each extra character in your password, which leads to only one conclusion:
Password length is the only thing that matters
Even if you password contained only lowercase character, as long as it is long enough, the number of combinations will be more than a shorter password using a greater range of characters.
Websites that tell you you must use at least one character and one uppercase letter for example is actually lowering security, because now the hackers know that every password will contain that pattern, and that lowers the number of possible combinations they have to search to crack a password for that site.
It still needs to be memorable
We also need to play to our own strengths when choosing a password, there is no point in choosing a huge long complicated password if it makes it an unbearable experience every time you want to access your account because you cannot remember it or you have to write it down somewhere (That reduces password security).
Correct Horse Battery Staple
I personally quite like xkcd’s “correct horse battery staple” which not only illustrates very clearly why your current password is easy to crack, but gives you a great method of creating a secure password.
The idea is that you take four unrelated words and put them together to form your password, but similarly you could use a famous quote, or a song lyric or any other sentence of your choosing, just make sure it is long, and remember where you used uppercase letters, spaces and other punctuation.
Remembering multiple passwords
We still haven’t solved the problem of not using the same password on multiple sites, and in reality there is not an easy solution to this without using some tech to do the donkey work for us!
Simple answer? Use a password manager such as keepass, or the password store built into your web browser, and then just generate random passwords for each site, try this great password generator, just make sure again that the passwords you generate are long and make sure to password protect the password store, with your easy to remember but long password, so you can access all your passwords.
One problem with password managers is if you need to access something when you haven’t got your password manager to hand, the solution to this is to use the password reset function of the website you are trying to access, which means that as long as you have access to your email, with a bit of effort you can access any of the accounts that you don’t know the password for.
Again just be sure that you have set a secure password that you can remember to access your email, as usually that holds the keys to the farm!
Summary and Other Tips
Make your password hard to guess
Avoid birthdays, quotations, your kids, pets, nicknames, common words and phrases
Avoid anything people associate with you
Remember easy passwords don’t get harder just because you’ve added a couple of digits to the end and a capital letter at the beginning!
Size is the only thing that matters
Make your passwords as long as you can (14 characters+)
Adding complexity will make your password more secure, but if you don’t think you can remember where you put the uppers, digits and symbols, make up for it with length
Make sure you can remember it
One password, one account
Don’t reuse passwords
Use a password manager and generate your passwords
Use a different password for each account so that if one account does get hacked, the others won’t be compromised
Keep your passwords locked away
Use a password manager to enable you to use more complex passwords and remember multiple passwords for different sites
Use a long secure password to access the password manager, do not use the password for anything else, and do not write it down unless it can be kept in a safe place (i.e. not on your computer or your dropbox)
Use random passwords with your password manager, and reset it each time for rarely used accounts when you don't have access, use a secure password for your email account
Take a look at song lyric to strong password in 6 steps
from BBC newsbeat, and for a more in-depth look at what ransomware is and the steps you can take now to protect your school network, take a look at the Whitepaper from Sophos how to stay protected against ransomware
Solutions to help keep you protected
We offer a range of high quality endpoint protection solutions https://www.phoenixs.co.uk/swgfl-sophos/.
If your email service is provided by SWGfL then please forward any instances of phishing emails to firstname.lastname@example.org and to talk to the tech team call 0845 307 7870