[BreachExchange] Lessons From Recent Hacks: Creating Strong Passwords

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 19 19:40:00 EDT 2016


http://www.tripwire.com/state-of-security/featured/lessons-from-the-recent-hacks-creating-strong-passwords/

Breaches involving stolen credentials don’t surprise anyone these days.
Those of us in infosec know too well that it’s a thousand times easier for
the bad guys to gain access to a network and fly under the radar with a
stolen login—often obtained through social engineering—than it is to get
through cyber defenses. From the bad actors’ perspective, why pick the lock
and trigger the security alarm when with a little savvy, you can steal the
key and not raise any red flags for a long time?

Although the recent hack of Facebook CEO Mark Zuckerberg’s social media
accounts caused mostly personal brand damage, rather than a major data
breach, it was a good reminder about the importance of using cybersecurity
hygiene, such as strong passwords.

Two of last year’s major breaches are great examples of how dangerous weak
or stolen passwords can be. In the case of Anthem, hackers succeeded in
their attack after using the compromised credentials of several employees.
Similarly, a government contractor’s credentials were used to give
cybercriminals access to the massive database of the Office of Personnel
Management (OPM).

Since compromised accounts can have serious consequences—such as
multimillion-dollar losses to your company—and since many people use the
same passwords both for personal and company accounts, this is a good time
to review best practices for setting a strong password.

HOW HACKERS GET YOUR LOGIN CREDENTIALS

It only takes one breach at the right company for millions of user names
and passwords to become compromised. And we’ve seen plenty of those in the
last few years. Evernote’s 50 million compromised accounts and Adobe’s 38
million (or more) are just two examples.

Although a Russian crime ring that reportedly stole 1.2 billion logins is
likely using its haul for spam and similar purposes, cyber thieves
commonly sell stolen passwords on the dark market. More recently, the same
security company that discovered the existence of that massive collection
found that a Russian hacker had access to 1.17 billion credentials (and was
willing to sell the whole batch for $1). Tens of millions of Google,
Microsoft and Yahoo email logins were among those records, according to the
firm Hold Security.

On the black market, stolen passwords are a commodity easily sold, bought
and traded, although you’re less likely to find them for the bargain of $1.
The reason they’re valuable is that cybercriminals know average users would
rather reuse the same passwords on multiple sites—and indefinitely—than try
to memorize new passwords. So unlike credit card numbers, which are only
valuable for a short time, the window of opportunity with stolen passwords
can stretch into years.

That’s how Zuckerberg’s Twitter and Pinterest accounts got hacked (his
password was “dadada”). The group that claimed responsibility for the hack
said it was the 2012 LinkedIn breach that gave them the way in. LinkedIn
recently confirmed that some email and password information available on
the dark web was linked to the breach, an incident which affected 117
million users’ accounts. Four years later, bad actors are still taking
advantage of that breach—and of users who weren’t diligent enough to change
their credentials on other sites.

Cybersecurity practitioners have been trying to solve the problem of
passwords with various tools and tech. One method that’s becoming more
common is to limit account logins to whitelisted IP addresses. It’s
especially easy to do if you use a vendor like Salesforce because many of
those types of cloud providers are offering built-in capabilities to do it.
And it’s effective since hackers can’t use the stolen passwords outside of
those IP addresses.

HOW TO CREATE A STRONG PASSWORD

The first rule for a secure account is to create a password that is unique
but memorable. While many people obey the latter, they disregard the
former. Consider the most popular passwords: “123456,” “password” and
“12345” are the top three, and others in the top 20 are “abc123,”
“princess” and “login.” While they’re certainly memorable, they fail in the
uniqueness category.

Some users think they are clever by adding variations such as substituting
the letter o with the number 0 (“passw0rd” is another popular choice), but
bad actors are just as clever and they’ll try multiple variations of
popular passwords. Unfortunately, they have various automated tools at
their disposal that make the process of testing credentials very
efficient.

Here are some techniques you can use to create strong passwords:

Length: Many websites allow as few as five or six characters, but that’s
not enough. You need at least 12 for any account that has sensitive
information and at least eight for all others.

Variety: When allowed, use everything you’ve got—not just letters but also
capital letters, numbers and symbols. Each one of those categories that you
add to the mix increases the password’s strength exponentially.

Readability: If you can find the word in the dictionary, do not use it.
That includes compound words or combinations.

Personalization: Don’t use any names that can be associated with you, like
family, pets, or locations. It’s surprising how many people still ignore
this basic rule.

Recognition: Avoid patterns because that’s what bad actors will use to
crack passwords. The most commonly used patterns are an upper case letter
with six lower cases and two digits, an upper case with five lower case
letters and three digits, and three lower cases with five digits.
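The five checks above map directly onto a password policy filter, and the "variety" point becomes concrete once you compute the size of the search space an attacker has to cover. The following is an added example, not part of the article or any product it mentions: a small Python checker that applies the length, variety, dictionary, personal-name and common-pattern rules, and reports the keyspace in bits (log2 of charset size to the power of length). The word lists, the top-password list beyond the entries the article names, the leet substitution map and the sample passwords are constructed for illustration; a real deployment would use a full dictionary and a breach-derived blocklist.

```python
import math
import re

# Constructed sample lists for the example. The article names "123456", "password",
# "12345", "abc123", "princess", "login", "passw0rd" and "dadada"; the rest are
# illustrative additions, not data from the article.
DICTIONARY_WORDS = {"password", "princess", "login", "welcome", "dragon",
                    "monkey", "letmein"}
TOP_PASSWORDS = {"123456", "password", "12345", "abc123", "princess", "login",
                 "passw0rd", "dadada"}

# Undo the common "clever" substitutions (0->o, 1->l, 3->e, 4->a, $->s, @->a)
# before dictionary matching, so passw0rd is judged as password.
LEET_MAP = str.maketrans("0134$@", "oleasa")

# The three most common structures the article names, as anchored regexes.
COMMON_PATTERNS = [
    re.compile(r"^[A-Z][a-z]{6}\d{2}$"),  # one upper, six lower, two digits
    re.compile(r"^[A-Z][a-z]{5}\d{3}$"),  # one upper, five lower, three digits
    re.compile(r"^[a-z]{3}\d{5}$"),       # three lower, five digits
]


def character_classes(pw):
    """Return which of the four classes (lower, upper, digit, symbol) appear."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


def charset_size(pw):
    """Alphabet size an attacker must assume, given the classes present."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # 33 printable ASCII symbols
    return sum(sizes[k] for k, present in character_classes(pw).items() if present)


def keyspace_bits(pw):
    """log2(charset ** length): each extra class multiplies, not adds to, the
    attacker's work, which is the 'exponential' point in the article."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw, sensitive=False, personal_terms=()):
    """Apply the five rules; return a list of problem strings (empty = passes)."""
    problems = []

    # Length: 12 for sensitive accounts, 8 for everything else.
    min_len = 12 if sensitive else 8
    if len(pw) < min_len:
        problems.append(f"length: need at least {min_len} characters")

    # Variety: require at least three of the four character classes.
    if sum(character_classes(pw).values()) < 3:
        problems.append("variety: use at least three character classes")

    # Readability: reject top passwords and leet variants, then embedded words.
    normalized = pw.lower().translate(LEET_MAP)
    if pw.lower() in TOP_PASSWORDS or normalized in TOP_PASSWORDS:
        problems.append("readability: matches a well-known password (or a leet variant)")
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and word in normalized:
            problems.append(f"readability: contains dictionary word '{word}'")
            break

    # Personalization: caller supplies names/places tied to the user.
    for term in personal_terms:
        if term.lower() in normalized:
            problems.append(f"personalization: contains '{term}'")

    # Recognition: the common upper/lower/digit structures.
    if any(p.match(pw) for p in COMMON_PATTERNS):
        problems.append("recognition: follows a common letter/digit pattern")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the "dadada" password the article cites.
    for pw, kw in [("dadada", {}), ("Passw0rd!", {}),
                   ("Jackson12", {"personal_terms": ("Jackson",)}),
                   ("Tq7#vLm2!pXz9&Rw", {"sensitive": True})]:
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, problems={check_password(pw, **kw)}")
```

The keyspace figure is an upper bound on brute-force effort, not a measure of guessability: "Passw0rd!" scores well on charset and length yet is rejected by the dictionary rule once the substitutions are undone, which is exactly why the policy checks and the entropy estimate are reported side by side.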

Once you’ve created strong passwords, add two more steps to your account
security process. One, use a secure and reputable password manager instead
of storing passwords in unsecured locations, including unencrypted cloud
drives. And two, whenever two-factor authentication is available, turn it
on. It may add a few seconds to your login as you wait for the
authorization code to be texted to you, but it’s the simplest way to add
another layer of protection to your account since chances of your mobile
phone falling into the hands of hackers are very slim.

Like anything else, changing habits can be hard, but when it comes to
passwords, you’ll be glad you did. Even if you’re not famous and the harm
to your reputation would be minimal if your social media account were
hacked, the consequences can be much more serious.

Don’t forget to change your passwords regularly, especially if the service
or provider doesn’t require it. Think of it like testing the batteries in
your fire alarm—you know you have to do it a couple of times a year, and
many people do it when they have to turn their clocks forward or back, so
it’s easy to remember. Create similar timelines in your schedule for
changing the passwords, and you’ll be all set.