Poor password hygiene makes you a soft target for hackers

Multi factor authentication and encryption are most effective hacker obstacles

This article first appeared on Business Standard on August 26, 2017

Remembering and changing passwords regularly is the top source of cyber fatigue for users and also the easiest vulnerability exploited by hackers, says the Thycotic Black Hat Hacker survey report 2017. Consequently, using multi factor authentication and encryption can be the biggest barrier against attacks, said the same report.

“Determining and remembering strong and unique passwords for multiple accounts can be difficult, many users tend to abandon safety for convenience. Poor password hygiene makes accounts vulnerable to takeover attacks. These attacks can be eliminated with the use of single-sign on and multi-factor authentication technologies,” said a Symantec spokesperson. Important passwords, such as those with high privileges, should be at least 8-10 characters long (and preferably longer) and include a mixture of letters and numbers, said Symantec.

Thycotic also noted that it is equally important to secure our social network accounts as hackers can use social network accounts to infiltrate work computer and emails. This may be due in part to what researchers are calling “security fatigue,” whereby users feel overwhelmed with security warnings and revert to habits they are most comfortable with, but which may put their organizations at greater risk of a breach said the report.

“An average Internet user today has many online accounts. To keep it simple, users typically re-use same passwords across multiple accounts. One way to solve this problem is to use password managers/ vaults. These are simple password management tools that store your password in an encrypted fashion on your laptops/mobile and makes it easy for you to retrieve passwords when you need it,” said Gautam Kapoor, Partner, Deloitte Touche Tohmatsu India LLP. Enabling two factor authentication or out-of-bank authentication is also a must with any online email accounts today offering these services, he added.

Thycotic noted that 53 per cent cyber security professionals haven't changed their social media passwords in more than a year while 20 per cent have never changed the passwords while also using birthdays, addresses and pet names among others in the passwords which make them easier to hack.

Using or not changing default passwords on your systems can leave people at a higher risk of data heist, says Symantec. The most commonly used password by attackers is ‘admin’ (37 per cent), tried by more than one third of attackers, followed closely by ‘root’ (16.3 per cent) said the company.

According to Symantec’s recent Internet security Threat Report in the last 8 years, more than 7.1 billion identities have been exposed in data breaches. Strong security products can verify users with a wide range of multi-factor authentication methods including push, risk-based, hard tokens, SMS, biometrics etc. Organizations can easily integrate two-factor authentication with all their corporate resources like VPNs, applications, and encrypted data files.

Default passwords are also the biggest security weakness for Internet of Things or IoT devices. Attacks using IoT devices also lower the barriers to entry for cyber criminals. There is much less security for attackers to overcome when trying to take over an IoT device. Unlike a desktop computer or laptop, which will typically have security software installed and receive automatic security updates, an IoT device’s only protection may be an easily guessed default user name and password. To prevent passwords from continuing to be a security weak point, changing the default credentials on devices and using strong and unique passwords for device accounts and Wi-Fi networks must be enforced.

* Make it long, a phrase is better. Longer the password, the more difficult it would be for an attacker to crack

* Always use Capital letters, numerals and a special characters to make the password complex

* You can check your password strength online with tools where you can test how long it will take to crack your password. Use that as a barometer for your online password strength.

* Never use same passwords for multiple accounts. If one gets compromised, others will follow.

* There are many creative ways to keep complex passwords. E.g. keeping a phrase from your favorite song and working on it to make it complex. E.g. ‘Aye Mere Vatan Ke Logon’ can become ‘Ay9&Mer3v@$anKeL9g9n’

·*  Don’t keep your name, surname or DOB as password/pin, they are predictable.

Source: Deloitte Touche Tohmatsu