The month of May is a strong reminder for us to update weak or old passwords, due to World Password Day and the anniversary of WannaCry.
Cyber threats do not rest and they continue to evolve with new attack techniques. Good cyber security hygiene requires more than a strong password to avoid compromise.
The most important thing is to know exactly how cyber criminals may attempt to gain access to your data.
Also read: The cyber risks of online schooling
They will try the following techniques:
- Password spraying:
A form of brute force attack that targets multiple accounts in which adversaries try multiple guesses of the password on a single account that often leads to account lockout.
With password spraying, the adversary only tries a few of the most common passwords against multiple user accounts, trying to identify that one person who is using a default or easy-to-guess password and thus avoiding the account lockout scenario.
- Key logging attack:
By installing key logging software on the victim’s machine usually through some form of email phishing attack, the adversary can capture the key strokes of the victim such as their username and passwords for their various accounts.
Also read: Covid-19: Lockdown a ‘perfect tsunami’ for cyber criminals as more employees work remotely
- Man-in-the-middle:
The challenger inserts themselves in the middle of the user and the intended website or application, usually by impersonating that website or application.
The adversary then captures the username and password that the user enters into the fake site. Often email phishing attacks lead unsuspecting victims to these fake sites.
- Social engineering attacks:
Attacks such as phishing through emails and texts, where users are tricked into providing their credentials, clicking on malicious links or attachments, or going to malicious websites.
- Brute force attack:
An approach in which adversaries randomly generate passwords and character sets to guess repeatedly at passwords and to check them against an available cryptographic hash of the password.
Also read: Covid-19: Apps to get you through the lockdown anxiety
- Traffic interception:
Criminals use software like packet sniffers to monitor and capture the network traffic that contains password information.
If the traffic is unencrypted or using weak encryption algorithms, then capturing the passwords becomes even easier.
- Dictionary attacks
The attacker uses a list of common words, called the dictionary, to try to gain access to passwords in anticipation that people have used common words or short passwords.
Their technique also includes adding numbers before and/or after the common words to account for people thinking that simply adding numbers before and/or after makes the password more complex to guess.
It is necessary to have passwords that are impossible to forget and difficult for someone else to guess.
It might seem like a good idea to add numbers and special characters to words, but cyber criminals can leverage a number of attack techniques to crack this.
Fortinet recommends that you avoid using phone numbers, company information, birthdays, names, including movies and sports teams, and simple obfuscation of a common word (“P@$$w0rd”).
Also read: Covid-19: Make cyber security part of everyday life
Instead, use the following best practices to secure your information:
- Change your password every three months to decrease the likelihood that your account will be compromised.
- Leverage unlikely or seemingly random combinations of uppercase and lowercase letters, numbers and symbols, and make sure your passwords are at least ten characters long.
- Use a password manager to generate unique, long, complex, easily changed passwords for all online accounts and the secure encrypted storage of those passwords either through a local or cloud-based vault.
- Do not use the same password for multiple accounts, this increases the amount of information a cybercriminal can access if they are able to compromise your password.
As the pandemic is forcing us to increase the amount of time we spend online for work, e-learning and communicating with family and friends, cybercriminals ramp up attacks targeting users.
It is important to perform a security posture check across all accounts on updating weak and outdated passwords as needed.
