Tuesday, 25 February 2014
63. Why You Should Take Your Passwords Seriously
I have touched on this subject in previous articles but make no apologies about repeating it. YOUR PASSWORDS ARE OFTEN YOUR ONLY SECURITY ON SENSITIVE SITES SUCH AS BANKS AND INVESTMENTS. Read the article and take note. Even after banging on about this aspect of security for a long time, my own “very secure” password was compromised on my email account a couple of months ago:
Unfamiliar messages. Passwords that no longer work. These are just two of the many clues that cybercriminals have got hold of your password and broken into your account.
With the password compromised, the first step is to regain control over the account: change the password, then check the account's settings for anything the intruder may have altered, such as mail-forwarding rules, recovery email addresses and phone numbers, and linked applications. However, if the root problem (how the password was stolen in the first place) is not fixed, the account will simply be compromised again and again. That is why it is important to take your passwords seriously and to make sure they are strong.
Passwords are immensely valuable, whether they are for email, e-commerce sites, or even “just” a social media platform. Criminals aren’t after your Spotify password because they want to see who your favorite artists are. They are banking on the high likelihood that the same password will unlock your email, a retail website, or even your work network. Given how many people re-use passwords across multiple sites, there is a good chance that someone’s Twitter password is also that person’s online banking password.
This is why it’s important to have a unique password for every account and service. If attackers do manage to steal one password, at least the damage is limited to just that site, instead of impacting multiple services. It’s also important to recognize how cybercriminals steal the passwords in the first place and avoid those scams from the start.
How Cybercriminals Steal Passwords
Cybercriminals employ several methods to steal passwords. They can use stealthy malware, tricky social engineering techniques, or just plain brute-force to guess the password. Whichever method they use, the goal is the same: gain access to as many user accounts as possible.
Malware:
All it takes to infect a computer with malware is one person opening a specially crafted attachment or clicking a booby-trapped link in a spam message. Cybercriminals send out spam promising special deals on luxury goods, exclusive details on current events, or the latest celebrity gossip to trick people into clicking. Or they craft emails using basic social engineering tricks to make them look legitimate: posing as a job applicant, sending fake delivery notifications, or mining social media sites for details and pretending to be an acquaintance.
The malware typically installs a keylogger component, which captures every keystroke typed, whether it is an email message or the login credentials for every site the user visits. Once the keylogger is installed, the criminals can harvest every password ever entered, and no amount of password length or complexity helps, because the password is captured in the clear as it is typed. For the same reason, changing passwords from a machine that is still infected achieves nothing; the new password is captured too. This is why it is important to keep security software up to date and to scan the computer regularly for malware.
Phishing:
Phishing is a very effective form of social engineering. Attackers craft a message that appears to come from a legitimate brand, such as your bank, a well-known site such as eBay or PayPal, or even your own company. When the user clicks the link, they land on a website that copies the real site's logo and layout. The user takes it for the real site and enters their login credentials. Everything typed on the bogus site goes directly to the criminals, and the user often has no idea that the password, and with it the account, has been compromised.
This is why it is important to be wary of messages in the inbox, to avoid clicking links in email messages, and to scrutinize any site that asks for a login. Checking the URL carefully is a good way to screen out bad sites, such as www.fcebook.com. The part to check is the domain itself, not whether the brand name appears somewhere in the address: www.paypal.com.example.net belongs to example.net, not to PayPal. A padlock or https:// in the address bar only means the connection is encrypted; a lookalike domain can have a perfectly valid certificate. Safer still is to type the address yourself or use a bookmark rather than following the link in the message.
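To make that check concrete, here is an added example (not part of the Zone Alarm post) of how a link can be screened automatically. It extracts the registrable domain from the URL, compares it against an allowlist of domains the user actually holds accounts with, and flags both typosquats (a small edit distance from a known brand, as in fcebook.com or paypa1.com) and the brand-as-subdomain trick (paypal.com.secure-login.example). The allowlist, the two-label simplification of "registrable domain" (real code needs the Public Suffix List for domains such as example.co.uk) and the distance threshold are assumptions made for this demo, not anything the article specifies.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the registrable domains of sites the
# user really holds accounts with. A real deployment would maintain its own.
KNOWN_DOMAINS = {"facebook.com", "paypal.com", "ebay.com"}


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's hostname, e.g. 'facebook.com'.

    Simplification for the demo: correct registrable-domain logic needs the
    Public Suffix List (example.co.uk has three labels).
    """
    host = (urlsplit(url).hostname or "").lower().strip(".")
    labels = host.split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: substitutions, insertions and deletions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the site a URL points at.

    The decision is made on the registrable domain, not on whether a brand
    name appears somewhere in the URL: 'paypal.com.evil.example' belongs to
    evil.example, whatever the leading labels say.
    """
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(url)
    if domain in KNOWN_DOMAINS:
        return "known"
    brand = domain.split(".")[0]
    for known in KNOWN_DOMAINS:
        known_brand = known.split(".")[0]
        # 1) A known brand used as a subdomain of an unrelated domain.
        if known_brand in host.split("."):
            return "lookalike"
        # 2) Typosquat: within a small edit distance of a known brand. The
        #    threshold scales with brand length so 'ebay' does not match
        #    every four-letter name.
        if edit_distance(brand, known_brand) <= max(1, len(known_brand) // 4):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; only the first is the real site.
    for link in ("https://www.facebook.com/login",
                 "https://www.fcebook.com/login",
                 "https://paypa1.com/signin",
                 "https://www.paypal.com.secure-login.example/",
                 "https://example.org/"):
        print(f"{classify_url(link):9s} {link}")
```

The check deliberately never looks at the path or query string, where phishing pages routinely embed the brand name to reassure the victim; everything after the hostname is under the attacker's control on an attacker-owned domain.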
Password Cracking:
Cybercriminals may simply try to guess the password, operating on the assumption that it is not very complicated. Many users still make the mistake of choosing simple passwords such as ‘123456’ or ‘password’. If the password is a dictionary word, a common word with a digit tacked on, or a simple sequence of numbers and letters, cracking tools will recover it quickly: they try wordlists and the usual variations first and only then fall back to exhaustive brute force. This is usually done offline against a stolen database of password hashes, so the site’s login rate limits do not slow the attacker down at all. This is why it is important to choose passwords that are complex, mixing lower case and upper case letters, symbols and numbers, and above all long: every extra character multiplies the number of guesses an exhaustive search must make, so length does more for you than complexity does.
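As an added illustration of what those cracking tools do (this is example code, not from the Zone Alarm post), the following script runs a wordlist-with-mangling attack and a small exhaustive search against password hashes, then compares the size of the search space for different lengths and character sets. Assumptions: the stolen hashes are unsalted SHA-256, the wordlist is a constructed seven-entry stand-in for a real one, and the guess rate used for the time estimate is a round assumed figure, not a benchmark.

```python
import hashlib
import itertools
import string

# Constructed stand-in for a real cracking wordlist (real lists run to millions
# of entries); ordered most-common-first, as real lists are.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey", "football"]

# Alphabet for the exhaustive-search demo: lowercase letters plus digits.
ALPHANUM = string.ascii_lowercase + string.digits

# Assumed guess rate for the time estimate: ten billion unsalted SHA-256
# hashes per second, a round number standing in for a GPU rig, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of the password; assumed to be how the site stored it."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str):
    """Yield the cheap variants cracking tools try first: capitalisation and
    the usual appended digits or punctuation (10 candidates per word)."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2014"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(target_hash: str, wordlist=WORDLIST):
    """Return (password, guesses) if a wordlist variant matches, else (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to max_len characters, shortest first."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at the assumed rate."""
    return keyspace(length, alphabet_size) / rate


if __name__ == "__main__":
    # A dictionary word with a capital and a digit still falls in 14 guesses.
    print(dictionary_attack(sha256_hex("Password1")))
    # A three-character password falls to exhaustive search in under 50k guesses.
    print(brute_force(sha256_hex("k9z"), ALPHANUM, 3))
    # A long random password is not in the wordlist at all.
    print(dictionary_attack(sha256_hex("T7#qLm2$vXp9!bRw")))
    # Length beats complexity: 16 lowercase letters outnumber 8 printable ASCII.
    for length, size, label in ((8, 26, "8 lowercase"), (8, 95, "8 any printable"),
                                (16, 26, "16 lowercase"), (16, 95, "16 any printable")):
        years = seconds_to_exhaust(length, size) / (86400 * 365)
        print(f"{label:17s} {keyspace(length, size):.2e} candidates, "
              f"{years:.2e} years at the assumed rate")
```

The search-space comparison is the point of the exercise: eight characters drawn from all 95 printable ASCII characters give fewer candidates than sixteen lowercase letters, which is why the article's advice to make passwords long matters more than any single symbol requirement. Salting and a slow password hash on the site's side would multiply the attacker's cost further, but that is outside the user's control; unique length is what the user controls.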
Attackers will continue to employ various techniques to get their hands on user passwords. With better password hygiene, users can protect themselves from attack and minimize the damage even if a password does get compromised. Passwords aren’t perfect, but unless something better comes along, make sure your passwords are all unique, complex, and long.
Reproduced from the Zone Alarm Blog