By Aaron Holmes for Business Insider US
The most effective way to protect yourself against hackers is to build good password habits, experts say.
Cybersecurity experts shared straightforward tips with Business Insider that can make it exponentially harder for hackers to break into your account.
There’s no reason that your password should be a single word – a “passphrase” consisting of multiple words is much safer.
If your password is one word, you’re doing it wrong – it’s time to upgrade to a multi-word “passphrase.”
Password strength is one of the most important pieces of online security. The vast majority of hacks result from phishing – the act of guessing users’ login credentials based on information gleaned from messages and online profiles – which stems from human error and is easily preventable.
Hackers are also developing increasingly sophisticated methods to track and exchange people’s passwords, making preventative action all the more crucial.
Business Insider spoke to cybersecurity experts, who outlined simple steps users can take to make sure their online accounts are secure. Here’s what they recommend.
“‘Password’ is a bit of a misnomer. What you should actually be using is a passphrase,” says Kiersten Todt, managing director of the Cyber Readiness Institute and a former cybersecurity adviser to the Obama administration.
“Make that passphrase as long and difficult as possible,” Todt added. Four words long is safe, and five is even safer.
Contrary to popular belief, it’s perfectly fine to use spaces in your password. Many major sites, like Google and Facebook, accept “space” as a valid password character.
A “passphrase” is stronger than a single password because it increases entropy, or the amount of randomness in a password, making it harder to guess.
The creators of ProtonMail, a security-minded email service, say multi-word passphrases are a solution to the problem that “we humans are bad at creating randomness, and we’re bad at remembering things.”
“Unlike complex one-word passwords with lots of special characters, passphrases are easy to remember. If your ‘secure system’ isn’t easy to use, people won’t use it, negating the security benefit,” the ProtonMail team argues.
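To put numbers on the entropy argument above (four words versus five, and a passphrase versus a one-word password), here is an added example that is not from Business Insider or ProtonMail. It assumes words are picked uniformly at random from a wordlist; the 7776-entry size is that of the EFF long wordlist, and the short wordlist in the code is a constructed stand-in for the demo.

```python
import math
import secrets

# Constructed wordlist for the demo only; a real generator would draw from a
# large published list (the EFF long wordlist has 7776 entries).
SAMPLE_WORDS = ["horse", "mug", "table", "lantern", "river", "copper",
                "violin", "meadow", "anchor", "pixel", "saddle", "orbit"]
EFF_LONG_LIST_SIZE = 7776
PRINTABLE_ASCII = 95  # letters, digits, punctuation and space


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random.

    Each word adds log2(wordlist_size) bits. Words a person picks by hand
    are far from uniform, so this is an upper bound for hand-made phrases."""
    return word_count * math.log2(wordlist_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a character password chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: list[str], word_count: int) -> str:
    """Pick word_count words with a CSPRNG and join them with spaces
    (most major sites accept a space as a password character)."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def compare(wordlist_size: int = EFF_LONG_LIST_SIZE) -> dict[str, float]:
    """Entropy in bits for the options discussed above, rounded for display."""
    return {
        "3 random words": round(passphrase_entropy_bits(3, wordlist_size), 1),
        "4 random words": round(passphrase_entropy_bits(4, wordlist_size), 1),
        "5 random words": round(passphrase_entropy_bits(5, wordlist_size), 1),
        "8 random printable chars": round(password_entropy_bits(8, PRINTABLE_ASCII), 1),
        # 'Horse123'-style: one dictionary word plus three digits
        "1 dictionary word + 3 digits": round(math.log2(wordlist_size) + 3 * math.log2(10), 1),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:30s} {bits:6.1f} bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Four random words from a large list land near eight fully random printable characters, and a fifth word adds another ~13 bits; the familiar word-plus-digits pattern sits far below both.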
Even when using passphrases, it’s crucial to change your password: “The people who are getting hit by hacks are the low hanging fruit who reuse the same passwords,” according to Alex Heid, chief technology officer at SecurityScorecard.
By Cheryl Kahla for The South African
The National Cyber Security Centre (NCSC), a UK cyber security watchdog, recently released its list of the most-used passwords on the Internet.
A quick look at the most common passwords is enough to know that a lot of work still needs to be done to educate computer users about cybersecurity.
The most common password was ‘123456’, followed by ‘123456789’, ‘qwerty’, ‘password’ and ‘1111111’.
While these common passwords are incredibly problematic, the most pervasive problem for home internet users was a combination of these easily guessed passwords, and the fact they were being re-used across multiple sites.
Re-using passwords on multiple platforms
Password re-use is problematic, as a security breach on one site could compromise a user’s security on every other site where the same password is in use.
NCSC technical director Ian Levy explains:
“We understand that cybersecurity can feel daunting to a lot of people, but the National Cyber Security Centre has published lots of easily applicable advice to make you much less vulnerable.”
He added that re-using a password is a major risk which can be avoided because “nobody should protect sensitive data with something that can be guessed”.
Sports teams and first names are other common choices for passwords, with ‘Ashley’ the most common name used as a password and ‘Liverpool’ the most common Premier League football team name used as a password. ‘Blink182’ was the most common band.
“Using hard-to-guess passwords is a strong first step, and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password,” added Levy.
There are several password management tools available that can generate unique passwords and store them in a central place for users who want to take their online security to the next level.
By Alison DeNisco Rayome for TechRepublic
Microsoft is doubling down on its promise to rid the world of passwords and replace them with more convenient and secure options, the company announced in a Tuesday blog post.
“Nobody likes passwords. They are inconvenient, insecure, and expensive,” according to the post. The tech giant wants to deliver on two key promises: That end users “should never have to deal with passwords in their day-to-day lives,” and to replace passwords with “user credentials [that] cannot be cracked, breached, or phished.”
Microsoft first made a move to reduce password use with Windows Hello, introduced in Windows 10, which uses biometric sensors to verify a user’s identity based on a fingerprint or face scan. It has since introduced the Authenticator app, which allows users to log into their Microsoft account on their desktop using their phone. Finally, Microsoft is working with the Fast Identity Online (FIDO) working group to update Windows Hello with physical FIDO2 security keys that allow for more secure authentication.
The Windows Hello FIDO2 Security Key feature is now in limited preview, the post noted.
“At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker,” according to the post.
The Windows 10 April 2018 Update includes the ability to do just that, the post noted: Using Windows 10 in S mode, cloud users (with Managed Service Account or Azure Active Directory) can use their PC without ever entering a password. Users can take advantage of this feature by setting up the Microsoft Authenticator App, installing the Windows 10 April 2018 Update with S mode enabled, and setting up Windows Hello.
To achieve a password-less future for all devices, Microsoft laid out a four-step plan:
1. Develop password-replacement offerings. This would involve replacing passwords with a new set of alternatives that retain the positive elements of passwords while also improving their shortcomings.
2. Reduce user-visible password-surface area. Microsoft wants to upgrade all elements in the lifecycle of a user’s identity, including provisioning of an account, setting up a new device, and accessing apps and websites, to make sure they work with password replacements.
3. Simulate a password-less world. This means helping end users and IT administrators to transition into a password-less world easily.
4. Eliminate passwords from the identity directory. Deleting passwords from the identity directory represents “the final frontier,” according to the post.
It remains to be seen if other tech giants will follow Microsoft’s lead and eliminate passwords. With the rise of biometric security in a number of fields, the future for businesses could very well be password-less.
Small businesses and self-employed people are big targets for hackers, and the financial implications can be crippling. Gone are the days of thinking “It’ll never happen to us.” A total of 61% of all data breaches this year occurred in businesses with fewer than 1,000 employees, according to the Verizon Data Breach Investigations Report. So, if you would like to keep your workforce educated about potential cyber threats, schedule your employees for cyber security training for beginners.
Not only have hacks increased in frequency, but the impact on SMEs is getting much bigger.
But where do you begin? Many SMEs feel that being as secure as a big business is impossible. Corporations have large budgets, chief security officers and entire teams dedicated to cybersecurity. This perception stems from the impression that hacks are vastly complicated, and rely on a tireless horde of highly skilled attackers. Most hacks aren’t like that. The majority depend on poor passwords and a lack of awareness of what a hacker actually needs to compromise your systems — a simple phishing email or a leaked password and they’re in. It’s that simple.
Educating yourself and your staff is the only solution. Hackers always look for soft targets, so start with the basics. Here are some tips from Hightower Risk:
1. Get a strong password
A total of 80% of hacking-related breaches use either stolen passwords and/or weak or guessable passwords. Getting a strong password is the bare minimum. What’s more, it’s easier than you think. A lot of people don’t know that you can use spaces in your passwords; for example, “horse mug table” is a much better password than “Horse123.”
2. Then make your password unique
Having a single strong password doesn’t count for much if that password then gets leaked. We’ve seen massive, trusted companies like LinkedIn and Yahoo leak millions of passwords over the last few years, which opens the door to wide-ranging cyber attacks. Password managers like LastPass and 1Password help you generate and keep track of unique and strong passwords.
3. Know what to look out for with phishing
Hackers are constantly sending “phishing” emails, trying to get you to click through to their website so that they can install malware or convince you to give them your password. Understanding what a hacker is trying to do and what to look out for is key. Poor syntax, incorrect spelling, or email addresses and links that include a lot of full stops (for example, amazon.getcode.tickets.phishingattack.com) are all key warning signs to look out for.
4. Understand the information you’re already giving away
Phishing attacks rely on the amount of information we share about ourselves online. Famously, the hackers behind the celebrity iCloud leak in 2014 used information they’d gained from public posts to guess the answers to users’ secret questions. If your secret question is “The city I was born in” and you post that information on Facebook, then hackers have an easy way into your account.
5. Pay attention to Web page URLs
When you see “http” in a web page URL, that means your communication with that page is unencrypted. Any communication could be easily read by a hacker waiting on that page; “http” is a warning sign to look out for if you ever think you might have stumbled onto a phishing or generally suspect website. If you’re ever entering sensitive information like credit card numbers or personal details, make sure the website has “https” in the website URL. That way you’re more secure.
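The warning signs from tips 3 and 5 (many full stops in a hostname, a brand name that appears only as a subdomain, and a plain “http” link) can be checked mechanically. This is an added example, not code from Hightower Risk; the sample email is constructed, and it deliberately simplifies the “registered domain” to the last two host labels.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"'()]+")


def registered_domain(hostname: str) -> str:
    """Assumption/simplification: the last two labels are the registered
    domain. Production code should consult the Public Suffix List so that
    hosts such as example.co.uk are handled correctly."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def link_warning_signs(url: str, expected_brand: str, max_dots: int = 2) -> list[str]:
    """Warning signs from the tips above that apply to one link.
    expected_brand is the site the message claims to be from, e.g. "amazon"."""
    signs: list[str] = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["link has no hostname"]
    if parsed.scheme != "https":
        signs.append(f"not https (scheme is '{parsed.scheme}')")
    dots = host.count(".")
    if dots > max_dots:
        signs.append(f"hostname has {dots} dots")
    domain = registered_domain(host)
    brand = expected_brand.lower()
    if brand not in domain.split(".")[0]:
        if brand in host:
            signs.append(f"'{brand}' is only a subdomain; the real site is {domain}")
        else:
            signs.append(f"link does not go to {brand} at all (goes to {domain})")
    return signs


def scan_message(text: str, expected_brand: str) -> dict[str, list[str]]:
    """Find every http(s) link in a message and report its warning signs."""
    return {u: link_warning_signs(u, expected_brand) for u in URL_RE.findall(text)}


# Constructed sample message for the demo (not a real email).
SAMPLE_EMAIL = """Your Amazon order could not be processed.
Confirm your details at http://amazon.getcode.tickets.phishingattack.com/login
or view the order at https://www.amazon.com/orders"""

if __name__ == "__main__":
    for url, signs in scan_message(SAMPLE_EMAIL, "amazon").items():
        print(url, "->", signs or ["no warning signs"])
```

The checks flag the first link on all three counts and pass the second; they are heuristics for training and triage, not a substitute for a mail gateway’s reputation checks.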
6. Update your software
Software is updated for a reason. Usually companies like Microsoft or Apple will discover a vulnerability that might let hackers in, fix it, then offer an update. Always take them up on it. We saw with the WannaCry attack earlier this year what happens when organizations don’t install patches (updates bringing computer systems to the most up-to-date version) and security updates. Unpatched vulnerabilities offer gaps into your systems that hackers use to install malware and ransomware, or to just gain control of your systems.
7. Encrypt everything
Should a breach happen, you want to make sure whatever information hackers get their hands on is, at the very least, difficult for them to understand. Encrypting your hard drives and databases with a modern algorithm like AES256 is a key defensive tool to protect your data in the event of a breach. It’s quick and easy to do. For more info you can check out this post by FreeCodeCamp to do it in under an hour.
Knowledge is the key to cybersecurity, but it’s important to think about the underlying structure of your business and the way it handles data more broadly. Organization-wide controls and data-protection policies help define sound technological defense, and ensure you know how to respond in the event of a breach. Just remember that industry standards like an ISO 27001 certification and SOC 2 are beneficial, but only when combined with education and good user behavior.
By Sam Nixon for CIO Today
MasterCard is trying out a new technology that lets online shoppers authorise a transaction with a snapshot of their face instead of a password.