It only took a total of ten days for a cracking team, CynoSure Prime, to decipher more than 11 million Ashley Madison passwords. The reason for such a quick turnaround was a programming blunder on the Ashley Madison side, but what we will be talking about today is the importance of having a strong password. The top 30 cracked passwords have been released in a post which also highlights the number of users using each of them. In the top five we find the usual culprits: 123456, 12345, password, DEFAULT and 123456789.
I’m not sure how many of us like complex passwords, multiple complex passwords, or the fact that we have to change them so often. Having your password cracked can have very serious consequences and that’s why we all need to take passwords so seriously.
The Centre for the Protection of National Infrastructure (CPNI), which is a branch within the UK government, has recently released a document full of advice about maintaining secure passwords. While the advice isn’t groundbreaking, when it comes to passwords every lesson counts, and it’s good to have a refresher every now and then.
The document starts out by stating one of the most important facts – never take passwords for granted. Change default passwords right away, especially if they are something like password123! We all know to not put our passwords on a sticky note, but they should also not be kept in a Word doc unencrypted.
For IT admins, always be careful about whom you grant admin rights to. Not everyone should have the keys to the kingdom, because if one of these accounts is cracked, the bad guys also have the keys to every system within the company.
As every IT pro knows, complex passwords are more secure, while obvious choices such as the person’s own name are far too easy to guess. The one bit of info I found surprising was that changing passwords regularly isn’t always necessary. It may be better to have a complex password that is kept safe than to constantly come up with a new one which then ends up on the previously mentioned sticky note.
The e-mail problem
E-mail is the most compromised app of all. Sometimes it is through malicious attachments or phishing, but often passwords, if simple enough, are cracked. Once someone knows your e-mail password, it is incredibly easy for them to crack your other accounts since passwords are so often reused.
As CPNI noted, most passwords are too weak, sometimes even those used by IT itself. A survey by Ping Identity found that 83 percent of security pros use one password for different applications. People tend to choose passwords that are easy for them to remember, which means they are simple, common and, worst of all, easy to guess – especially after a look at your social media account.
When accounts are shared, such as certain admin accounts used by IT, passwords such as “password”, “admin” or “admin123” simply won’t do. While it is convenient to have one password for multiple apps, if a hacker gets it you are in trouble. Mix it up at least a little, but make sure to keep track of all these passwords by putting them in a safe place: a well-hidden hard copy or an encrypted file that only you can decode.
E-mail is particularly tied to other apps: social media such as Facebook and Twitter, as well as eBay, LinkedIn and Amazon, all hang off your e-mail address. This makes identity theft child’s play, and a hacker can easily ruin your life by pretending to be you and committing nefarious acts.
A report by security consultancy Trustwave examined millions of passwords that had been hacked and found that most of them were weak. Nearly 90 percent of the passwords had no special characters, and according to Trustwave the most popular password today remains “Password1”, which is almost as bad as “admin” or “guest”.
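The weak-password themes above (default passwords such as password123, shared-admin favourites such as “admin123”, names taken from a social media profile, and the lack of special characters Trustwave measured) can all be turned into a check that runs before a new password is accepted. The following Python is an added example, not code from the article, CPNI, Trustwave or Ping Identity; the deny list is a small constructed set built from the passwords the article names, and the length threshold, the passphrase exemption and the `user_attributes` parameter are design choices of this example.

```python
import re

# Constructed deny list: the passwords this article names as most common
# (Ashley Madison top five, Trustwave's "Password1", CPNI's "password123",
# and the shared-admin examples). A real deployment would use a breached-
# password corpus instead of this handful.
DENY_LIST = {
    "123456", "12345", "password", "default", "123456789",
    "password1", "password123", "admin", "admin123", "guest",
}

# Hypothetical policy constants chosen for this example.
MIN_LENGTH = 12          # below this, the password must also be "complex"
PASSPHRASE_LENGTH = 16   # at or above this, character-class rules are waived


def _is_sequence(s: str) -> bool:
    """True for runs like 123456, abcdef, or 987654 (4+ characters)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(candidate: str, user_attributes=(), min_length: int = MIN_LENGTH):
    """Return a list of policy problems; an empty list means the password is acceptable.

    user_attributes: strings known about the user (first name, surname, handle)
    that an attacker could pull from a social media profile.
    """
    problems = []
    lowered = candidate.lower()

    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")

    if lowered in DENY_LIST:
        problems.append("on the common-password deny list")
    else:
        # "Password1!" or "admin2015" are just deny-list words with a suffix.
        stem = re.sub(r"[\d\W_]+$", "", lowered)
        if stem and stem != lowered and stem in DENY_LIST:
            problems.append("a suffixed variation of a common password")

    for attr in user_attributes:
        if attr and len(attr) >= 3 and attr.lower() in lowered:
            problems.append(f"contains personal detail {attr!r}")

    # Trustwave's point: most cracked passwords used no special characters.
    # Long passphrases are exempt; short passwords need three of four classes.
    if len(candidate) < PASSPHRASE_LENGTH:
        classes = sum(
            bool(re.search(p, candidate))
            for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
        )
        if classes < 3:
            problems.append("uses fewer than three character classes")

    if len(set(candidate)) == 1 or _is_sequence(lowered):
        problems.append("repeated or sequential characters")

    return problems


if __name__ == "__main__":
    for pw, attrs in [("123456", ()), ("Password1", ()), ("Password1!", ()),
                      ("JohnSmith2015", ("John", "Smith")),
                      ("correct horse battery staple", ("alice",))]:
        print(f"{pw!r}: {check_password(pw, attrs) or 'OK'}")
```

The check reports every problem rather than stopping at the first one, so a sign-up form can tell the user exactly why a choice was rejected; the deny-list comparison is case-insensitive and strips trailing digits and punctuation, which catches the “Password1” and “password123” family without a separate rule for each.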
It’s worth keeping in mind that e-mail is a gateway to your other accounts, since passwords for other services can often be reset through someone’s e-mail address. Luckily, many e-mail services are now equipped with two-factor authentication (2FA), which adds a strong layer of security.
The two-factor solution
One answer to password hacks is to use two-factor authentication, which means you need to prove your identity through two steps; usually these are a password and something that only you have access to, such as a text message sent to your phone. If you really care about keeping your account secure, 2FA is the way to go. It might be hard to set up at first, because of all the different devices we access our accounts from, but the peace of mind it offers is truly worth the hassle.