Monthly newsletter time again! Well, it’s nearly the end of 2021 and what a year it has been! So much has happened over the last twelve months and not all good things, however at Re-solution we are grateful for all of the great things and people in our lives! Christmas is just around the corner, and New Year’s Eve! So Happy Holidays and a very Happy New Year to you all! To be in with a chance of winning a £50 Amazon voucher – scroll down!
This month we are going to discuss why having strong, secure passwords is extremely important in your organisation and at home…
Did you know that 74% of people use the same password across all of their accounts and logins? Many of those people think that their password cannot be hacked…
The truth is they are more likely to be hacked!
Firstly, what is the most important password for almost everyone in the world? Simple. Your email account, which has all of your other accounts (such as online banking, online shopping sites, social media platforms etc.) tied to it. If a hacker has this main password, they can reset the passwords for ALL of the linked accounts very quickly, without you even knowing, and cause major damage.
How do hackers hack passwords?
Hacking is not about typing in a few random magic words with one hand on one keyboard and the other hand on another keyboard. Hacking is difficult and usually takes careful planning and a fair amount of time. Stopping malicious hackers can be even more challenging.
Attackers use a variety of techniques to uncover passwords, exploiting a range of social and technical weaknesses. These include:-
- Tricking someone into revealing their password via social engineering (including phishing and arm-twisting)
- Using passwords that have been leaked from data breaches to attack other systems where users have used the same password
- Password spraying (using a small number of commonly-used passwords in an attempt to access a large number of accounts)
- Brute-force attacks (the automated guessing of large numbers of passwords until the correct one is found)
- Theft of a password hash file, where the hashes can be cracked to recover the original passwords
- ‘Shoulder surfing’ (observing someone typing their password)
- Finding passwords which have been stored insecurely, such as on sticky notes kept close to a device, or in documents stored on devices
- Manual password guessing (perhaps using personal information such as name, date of birth, or pet names)
- Intercepting a password as it is transmitted over a network
- Installing a keylogger to intercept passwords as they are entered into a device
So how can we reduce the likelihood of this happening to our organisations or ourselves personally?
One of the most effective ways of adding additional protection to a password protected account is to use MFA (Multi-factor authentication). Accounts that have been set up to use MFA require a second factor, which is something you (and only you) can access. This could be a code that is sent to you by text message, or that is created by an app, so even if an attacker discovers a password, they won’t be able to access the associated account without also compromising another factor.
Introducing Cisco’s DUO – making 2FA (two-factor authentication) simple, easy and effective!
DUO supported applications? Everything. Seriously!
It fits seamlessly into your network, taking a minimal amount of time for admins to set up and for endpoints to use.
DUO is a non-invasive app, which means no one will have access to your phone!
What’s even better – we offer FREE trials of DUO! Click here to set your trial up!
Some other tips are the following:-
- Use account lockout or throttling to defend against brute force attacks
- If using lockout, allow users between 5 and 10 login attempts before locking out accounts
- Consider using security monitoring to defend against brute force attacks
- Use password blacklisting to prevent common, guessable passwords being used
- Ensure that all corporate web apps requiring authentication use HTTPS
- Protect any access management systems you manage
- Protect access to user databases
- Prioritise privileged and vulnerable accounts such as administrators, cloud accounts and remote users
- Change all default passwords
Note also that forcing users to change their passwords on a regular schedule adds little protection, because:-
- Users are likely to choose new passwords that are only minor variations of the old
- Stolen passwords are generally exploited immediately
- Resetting the password gives you no information about whether a compromise has occurred
- An attacker with access to the account will probably also receive the request to reset the password
- If the password was compromised via insecure storage, the attacker will be able to find the new password in the same place
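The lockout, throttling and monitoring tips above, and the password-spraying and brute-force techniques listed earlier, can be illustrated with a small authentication-failure monitor. This is an added example, not Re-solution's or Cisco's code: it assumes a hypothetical log format with constructed sample lines, locks an account after 5 recent failures (the low end of the 5 to 10 range suggested above) and separately flags a source that fails against several different accounts, which per-account lockout alone never catches.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5               # lock the account at this many recent failures
WINDOW = timedelta(minutes=15) # failures older than this no longer count
SPRAY_ACCOUNTS = 3             # one source failing against this many accounts

# Constructed sample auth log; hypothetical format "<ISO time> <OK|FAIL> user=<name> src=<ip>".
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-12-01T08:00:00 FAIL user=erin src=203.0.113.5
2021-12-01T09:00:00 FAIL user=alice src=203.0.113.9
2021-12-01T09:00:10 FAIL user=alice src=203.0.113.9
2021-12-01T09:00:20 FAIL user=alice src=203.0.113.9
2021-12-01T09:00:30 FAIL user=alice src=203.0.113.9
2021-12-01T09:00:40 FAIL user=alice src=203.0.113.9
2021-12-01T09:01:00 FAIL user=erin src=203.0.113.5
2021-12-01T09:02:00 FAIL user=erin src=203.0.113.5
2021-12-01T09:03:00 FAIL user=erin src=203.0.113.5
2021-12-01T09:04:00 FAIL user=erin src=203.0.113.5
2021-12-01T09:05:00 OK   user=carol src=192.0.2.10
2021-12-01T09:10:00 FAIL user=bob src=198.51.100.7
2021-12-01T09:10:05 FAIL user=carol src=198.51.100.7
2021-12-01T09:10:10 FAIL user=dave src=198.51.100.7
"""

def parse(line):  # one log line -> (timestamp, result, user, source)
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def analyse(log_text):
    """Return (locked accounts, spraying sources) found in the log text."""
    failures = defaultdict(list)   # account -> timestamps of recent failures
    by_source = defaultdict(set)   # source -> accounts it has failed against
    locked, sprayers = set(), set()
    for line in log_text.splitlines():
        ts, result, user, src = parse(line)
        if result != "FAIL":
            continue
        # Sliding window: keep only failures inside WINDOW, then add this one,
        # so erin's stale 08:00 failure does not count towards her lockout.
        recent = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
        failures[user] = recent
        if len(recent) >= MAX_ATTEMPTS:
            locked.add(user)
        # Spraying: one or two guesses each against many accounts never trips
        # the per-account lockout, so count distinct accounts per source instead.
        by_source[src].add(user)
        if len(by_source[src]) >= SPRAY_ACCOUNTS:
            sprayers.add(src)
    return sorted(locked), sorted(sprayers)
```

Running `analyse(SAMPLE_LOG)` locks only alice (five failures in under a minute) and flags 198.51.100.7 as a spraying source, while erin, with four failures in the window, stays unlocked.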