In the last part of the cyber-awareness series, I talked about the most common types of attacks and some of the most frequently seen types of malware (e.g., ransomware). I want to expand a bit on that and cover the other side of the same coin, from the user’s perspective: how we can defend and prepare, what you might see in your organization, and what you can use as a private citizen to beef up your own security and protect yourself from digital harm.
I pay special attention to this topic because, as we all know by now, this is how it all starts in the real world! Thus, let’s try and see what you can do to protect yourself further.
Like it or not, we still haven’t escaped password authentication, so, in my opinion, it pays to know a bit more about the topic. Passwords still follow us at every step of our digital journey, and even if you have other controls in place, like 2FA, it’s still vital not to create a weak or insecure password, and unfortunately that is very easy to do.
The obvious mistakes, like writing a very strong password on a post-it note that’s in everyone’s view, obviously defeat its purpose; the same goes for reusing the same password across different services.
What constitutes a strong password changes with time, and the best practices follow those changes. Let’s look at the password below:
The password above has all that we would like to see in a strong password:
- More than 8 characters – which makes brute-forcing virtually impossible
- Both lower and uppercase letters
- Special characters/symbols
- The owner has some specific knowledge about the creation of the password – i.e., it’s contextual
All of this makes it a strong password. However, the personal details might weaken it, because social engineering can be done on the owner of the password above: detailed information gathering on them might help the attacker get their hands on the password.
Currently, should you research best practices on password creation, you might see that people recommend length over complexity. Something like:
Chicago has some, -very- lovely museums of modern @art@...
This passphrase differs from a traditional password in that it’s much longer, keeping some elements that add complexity while not being as obscure as a conventional password. This also makes it easier to remember, and it is still virtually impossible to brute-force.
However, the best password is a long, completely random string of characters, something like:
These are the most secure passwords you can use. The obvious penalty is that they’re not very usable or practical; however, that can be avoided entirely by using a password manager, which in my opinion is something you must use.
On the flip side, a weak password is one that uses a very predictable pattern that just barely satisfies the complexity requirements (if there are any) and is simply a truly awful password:
At first glance, we have a special character, digits, and lower and uppercase letters, but we still have a horrible password! Please, never do this! Never, ever! And don’t reuse passwords, especially ones like these! You should actually refrain from reusing even the most complex and secure password, because you are putting all your eggs in one basket: if it gets leaked somehow, even if it’s the most secure password ever, all the services you reused it on are equally compromised. Not to mention the hell you’d have to go through changing them all.
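To make the length-versus-complexity argument above concrete, here is an added example (not part of the original post) that estimates brute-force entropy and expected guessing time for the three password shapes discussed, and flags the "predictable pattern that barely satisfies the policy" case. The guess rate, the 12-character threshold, the tiny word list and the random sample string are all assumptions; the passphrase is the one quoted in the text.

```python
import math
import re
import string

# Alphabet size contributed by each character class present in a password.
# Assumption: the attacker knows which classes appear but nothing more, so the
# search space is pool_size ** length (an upper bound; patterns shrink it).
CLASS_SIZES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]
# Tiny constructed word list; a real checker would load a large dictionary.
COMMON_WORDS = {"password", "welcome", "qwerty", "summer", "admin"}
LEET = str.maketrans("@0$31", "aosei")  # undo the usual letter substitutions


def pool_size(password: str) -> int:
    chars = set(password)
    return sum(size for alphabet, size in CLASS_SIZES if chars & alphabet) or 1


def entropy_bits(password: str) -> float:
    """Brute-force entropy, log2(pool ** length). It over-estimates anything
    built from words or templates, which is what pattern_warnings flags."""
    return len(password) * math.log2(pool_size(password))


def years_to_crack(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password (half the keyspace). The default
    rate is an assumed GPU-rig figure against a fast, unsalted hash."""
    keyspace = 2 ** entropy_bits(password)
    return keyspace / 2 / guesses_per_second / (365 * 24 * 3600)


def pattern_warnings(password: str) -> list:
    """Flag the 'just barely satisfies the policy' shapes the text warns about."""
    warnings = []
    if len(password) < 12:
        warnings.append("shorter than 12 characters")
    core = re.sub(r"[\d\W_]+$", "", password)  # drop a trailing 2023!, etc.
    base = "".join(c for c in core.translate(LEET) if c.isalpha()).lower()
    if base in COMMON_WORDS:
        warnings.append("common word with predictable substitutions")
    return warnings


if __name__ == "__main__":
    # Constructed samples; the passphrase is the one quoted in the text.
    for pw in ("P@ssw0rd!", "Chicago has some, -very- lovely museums of modern @art@...", "k7#Qz!2Lm$9vXe@4Rt^1"):
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, ~{years_to_crack(pw):.2g} years, {pattern_warnings(pw)}")
```

The 9-character "complex" sample comes out at roughly a year of guessing at the assumed rate and is flagged twice, while the passphrase is far beyond any brute-force budget without any special symbols doing the work.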
One aspect of online services and passwords I haven’t considered yet is the service provider itself. Upon registering for their service, you are writing your password to their database, and it’s on them to store those passwords safely and securely. However, even though the industry standard is to hash passwords and store the hashes in the database, we can’t really know if that’s what’s happening.
Hashing would help significantly in the case of a leak (say they get hacked), because the attackers would still need to spend time and resources to maybe crack the hashes. If the passwords were stored in plaintext, well… it’s simple for them to take over those accounts. This is dangerous because it can be abused for credential stuffing, and if you reuse your passwords, this is how they would get into your other services and compromise them.
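What "storing passwords safely" looks like on the provider's side, as an added example that is not from the original post: a salted, slow key-derivation record (PBKDF2-HMAC-SHA256 from Python's standard library) with constant-time verification, next to the unsalted fast hash a careless service might use. The iteration count, salt size and record format are assumptions of this example, not any specific provider's scheme.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an assumption: high
# enough to slow offline guessing, still fine for one login (tune per host).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt means two users with the same password get different
    records, so a leaked table cannot be attacked for all users at once."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def unsalted_md5(password: str) -> str:
    """What a careless service might store instead; shown only for contrast."""
    return hashlib.md5(password.encode()).hexdigest()


def records_collide(store, password: str) -> bool:
    """True if two users choosing the same password get identical stored values,
    which is what lets a leaked table be worked through in bulk."""
    return store(password) == store(password)


if __name__ == "__main__":
    passphrase = "Chicago has some, -very- lovely museums of modern @art@..."
    record = hash_password(passphrase)
    print(record, verify_password(passphrase, record))
    print(records_collide(unsalted_md5, "Summer2023!"), records_collide(hash_password, "Summer2023!"))
```

A user cannot see which of the two a provider uses, which is exactly why the breach-notification services mentioned next still matter even with a strong password.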
This is something we can’t control, but we can still do at least something about it. For example, you might want to subscribe to https://haveibeenpwned.com/ for their breach notifications. Also, if you’re using a paid VPN subscription or a paid password manager such as 1Password, LastPass, etc., they may also have some sort of breach-monitoring notification system you can subscribe to.
This is not some bulletproof defense, but it can warn you just in time, hopefully helping you avoid getting hacked!
A two-word explanation for password managers: use them.
A slightly longer explanation: these specially crafted applications (be it a desktop client, a browser extension, or whatever) are made to store your passwords in a safe environment called a vault. Vaults are encrypted storage spaces where you keep your passwords, either on your device itself (locally) or as part of an online service.
The vault is accessed with a so-called master password, which reduces all the clutter to one password you have to remember; it can even be biometric, e.g., a fingerprint.
More fully featured password manager services offer things like auto-filling passwords for other services, generating strong passwords, and even storing other data like files or images. This reduces complexity a lot while not compromising on security (in the vast majority of cases), so you can still have peace of mind without dealing with convoluted and off-putting ways to store and secure your important information.
Lastly, remember that everything about password managers hinges on that one master password, so make it as strong as you can, so as not to defeat the whole purpose and, even worse, hand all of your passwords on a platter to your friendly neighborhood hacker.
I recommend KeePass, as it’s a locally hosted database that only exists on one of your systems. It’s open source, thus free – and once you get accustomed to it, quite pleasant to use. It also has cool plugins and features you can explore. However, there’s a multitude of options, and you should go for the one that best suits your needs.
A password manager in conjunction with an authenticator app (if you can, avoid one-time passwords sent via SMS) is a very good place to be, and you should invest at least a minimum of effort in that direction, as the investment pays off many times over.
Cyber-awareness is not some buzzword, even when it’s unjustly used by your organization’s senior management, salespeople, or whomever.
It is a crucial part of your defense and is foundational in securing your systems from getting compromised. It’s fantastic to have a secure design, to secure those pipelines, and to have all of that fancy software, and it creates much more difficulty for the attackers.
Still, your organization might take a proportionally large hit to its reputation should you get compromised through the good ol’ social engineering tricks.
I don’t even need to name them here; we’re all aware of the latest security incidents that some big corporations experienced.
Cover image by Max Payload