It starts with innovative password selections, says Martin Walshaw, senior engineer at F5 Networks.
Data is the lifeblood of our business lives and is of paramount importance to corporations everywhere. Yet, we have recently seen another set of personal information dumped onto the Dark Web.
This time, it was 500-million Yahoo account profiles, which comes quickly on the heels of both the LinkedIn 2012 dataset and MySpace credentials that were also recently made publically available by hackers. An internet criminal calling himself “peace_of_mind” is selling the Yahoo data for up to three bitcoins, which is just over $1 800.
There is an enormous market for stolen information. The reality is that data delivers dollars and the same is true for illegally obtained user details. To combat this problem, we need to make stolen credentials worthless to cybercriminals.
Unencrypted credentials
So, what happens when the bad guys acquire your credentials? You might think the password is hashed or encrypted and are therefore protected. In the case of the LinkedIn 2012 data set, the SHA1 algorithm was used, which is now considered a broken hash and should not be used. To make things worse, the passwords were hashed without first being “salted” (that is, adding more data to the password to hide its true meaning).
A password recovery service organisation took this opportunity to test their offering and was able to crack more than 80% of the passwords. The fact is that more than 1.1 million people chose the password “123456” and nearly 190,000 people chose “password”. If people are using such configurations for LinkedIn, then there is a good chance they are adopting the same password on more sensitive sites, such as bank accounts, which might be more interesting to cybercriminals.
Protecting passwords
Most sites today require a combination of capital letters, numbers and occasionally a special character. However, there are common patterns that most of us tend to use, like starting with a capital letter and ending with a couple of numbers. If a special character is required, we typically place it on the end.
The bad guys know this. With machines equipped with today’s off-the-shelf processing power, even these seemingly complicated passwords are cracked in relatively short time. So, what is the answer?
Organisations need to do much more than just bolster their security with a firewall. However, users must take some of the responsibility themselves.
Cybercrime rings hire armies of people whose sole job is to try and hack into the sites that are essential to our daily lives. As users, we need to be more innovative with our password selections. Not using a Password Manager is tantamount to leaving your credentials unprotected.
A management tool automatically generates passwords and allows you to select the level of complexity, pattern type and length. The real value though is that you do not have to remember them all. The Password Manager stores them, enabling you to copy the password into the log-in field of the website, while some will also store the website URL to automatically populate the field for you upon access. The caveat to this approach, of course, is that the entry must be very complex to protect this account. The advantage is that the password to the management tool is the only one you need to remember.
Taking responsibility
In summary, your personal data is valuable. Cybercriminals spend enormous effort trying to access your information for unscrupulous commercial gain.
By adopting best practice and investing in personal security, your vital credentials will remain encrypted, which means that, should a hack take place, then you automatically devalue the stolen data for the cybercriminal.
Don’t ignore the dangers of the Dark Web – cybersecurity is all of our responsibility. Stay safe.