Password security: no laughing matter

Clive Taylor, lead on Cyber-security, Quiss Technology

Password security – don’t fall victim to hacking attacks
With so much publicity given to serious data breaches and the devastating effect a hacked password can have for individuals and businesses, the most recent report from the National Cyber Security Centre (NCSC) makes for worrying reading.

The report highlights that 70% of those asked believe they’ll fall victim to a cyber-crime within the next two years. The NCSC breach analysis found that 23.2m hacked accounts of victims worldwide used 123456 as the password, which is unlikely to take a sophisticated hacking app long to ‘guess’.

As businesses continue to ignore the most basic security available to them in the strength of their passwords, it seems there is still a lack of understanding about the nature of modern hacking attacks.

NCSC report findings
Taking the lead on cyber security-related issues within the UK, the NCSC uses its own research and findings to deliver practical guidance to businesses of all sizes.

Responding quickly to security incidents and protecting companies from serious harm, the organisation draws on industry and academic expertise to improve security measures and safeguard public and private sector networks.

The report delivered by the NCSC is based on data compiled from telephone interviews and shows that 37% of respondents agreed that losing money or personal details over the internet has become unavoidable.

Ironically, the same report reveals a serious disregard for password security, with many individuals setting weak or predictable combinations that make it easy for hackers.

With freely available programs designed to run automatically and try millions of combinations, simply setting your password to ‘Pa55word’ will no longer suffice.

Creating a strong password
When it comes to protecting your data, information or money, the only way to make a long-term difference is by changing your attitude towards password security.

Although it may sound straightforward, the first step is to stay away from obvious passwords that you’ve trusted in the past. This includes sequential numbers or letters, birthdays and especially the word ‘password’.

Not only will these be cracked in seconds, but hackers will recognise that you probably use them for other accounts and target all your other password-protected assets.

Instead, it’s important to make passwords longer, aiming for at least 15 characters where possible, using a combination of upper-case and lower-case letters, while throwing in numbers and symbols for good measure.

Alternatively, a word combo can be extremely effective, using a combination of random but memorable words that make it almost impossible for hackers to guess. An example of a word combo could be ‘FootballDogYellowRibbon’ – the more ridiculous the better.
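
The advice in this section expressed as a checker, as an added example that is not part of the original article. The deny-list is a small constructed sample, and the four-character sequence run, the date pattern and the three-word minimum are assumptions made here.

```python
import re

# Constructed sample deny-list (assumption); a real check would load a
# large breached-password list instead of four entries.
DENY = {"123456", "password", "qwerty", "letmein"}
# Undo common character swaps so 'Pa55word' is recognised as 'password'.
LEET = str.maketrans("013457@$", "oieastas")
# Assumed birthday shape: day, month, four-digit year, optional separators.
DATE = re.compile(r"\d{1,2}[/.-]?\d{1,2}[/.-]?(19|20)\d{2}")
MIN_WORDS = 3  # assumption: the article gives no minimum for a word combo


def has_sequence(pw, run=4):
    """True if pw holds `run` consecutive ascending or descending characters."""
    codes = [ord(c) for c in pw.lower()]
    for step in (1, -1):
        streak = 1
        for prev, cur in zip(codes, codes[1:]):
            streak = streak + 1 if cur - prev == step else 1
            if streak >= run:
                return True
    return False


def words_in(pw):
    """Split a CamelCase word combo into its words (3+ letters each)."""
    return [w for w in re.findall(r"[A-Z][a-z]+|[a-z]+", pw) if len(w) >= 3]


def check_password(pw):
    """Return a list of problems; an empty list means the advice is met."""
    problems = []
    plain = pw.lower().translate(LEET)
    if pw.lower() in DENY or plain in DENY or "password" in plain:
        problems.append("common or predictable password")
    if has_sequence(pw):
        problems.append("sequential letters or numbers")
    if DATE.search(pw):
        problems.append("looks like a date or birthday")
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    classes = sum(bool(re.search(p, pw)) for p in
                  (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(words_in(pw)) < MIN_WORDS and classes < 4:
        problems.append("neither a word combo nor a full character mix")
    return problems
```

The checker cannot tell whether the words in a combo were chosen at random, so it complements a breached-password lookup rather than replacing one.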

Sophisticated methods
Although changing your attitude towards password security is an important first step, that won’t necessarily help you spot an incoming threat or identify the points of attack.

The most common method used by hackers remains brute-force, which, despite its name, can be technically effective for those looking to breach an already weak security system.

Brute-force attacks will often use a password dictionary, containing millions of words and numbers that can be tried in combinations to discover the correct password. This can take minutes, hours, days or even years – the program has enough patience.

Once a hacker has set the program running, passwords will be tried systematically, delivering a successful hack if the dictionary contains the correct password.

Internal threats
While outside hacking attacks can be difficult to prevent, there are other routes into secure networks and accounts, which typically involve the actions of individuals granting access.

Some cyber-criminals will try to trick, intimidate or pressure an individual into giving them what they want, an approach known as phishing, in which attacks may be personalised to target a specific organisation.

Typically, the phishing email explains that a receiving bank account’s details have changed or there is something wrong with an account, prompting the recipient to click a fake link to resolve the issue.

This same approach is used regularly by cyber criminals, targeting businesses, law firms, banks and anyone with valuable data or money moving through their accounts.

Securing the future of your business…
While password protection isn’t new within the world of online security, research shows that individuals and businesses are not treating it seriously enough.

It may be tempting to create a relatively straightforward password that is memorable and quick to type, but hackers now have the power to test millions of combinations and breach your account within minutes.

Although opting to use a selection of upper-case and lower-case characters isn’t always efficient, doing so can help secure your account from would-be hackers.

Remember, cyber-attacks are becoming more sophisticated over time, so it is important to regularly update your password and other security measures, ensuring you stay one step ahead of criminals.

If you’re unsure about the next steps, contact an experienced managed service provider and begin securing the future of your business.