Say hello to better passwords
Why you need a strong password
Whether you’re logging into Office 365 at work or signing into Amazon, Netflix or Facebook, passwords are an essential part of daily life in the digital age.
Passwords exist to protect valuable information stored on personal and company devices. Passwords also protect the computer systems of companies you do business with from organised gangs looking to profit from your valuable data.
Data such as user credentials, bank details, personal addresses and passwords have become a precious commodity to online fraudsters looking to profit from the trusting nature of honest, hard-working people.
The number of logins we now have to deal with every day also means we’re more likely to re-use the same password for multiple sites. This is a dangerous habit: once one site leaks your email address and password, criminals replay that same combination against every other service (so-called credential stuffing) and break into several of your accounts at once.
Recent hacking incidents aimed at high-profile companies such as Equifax, British Airways and Dixons Carphone have highlighted a very real need for businesses to take online security much more seriously. The companies mentioned, as well as many small, less public enterprises, are counting the cost in lost profits, reputational damage and loss of consumer trust.
Methods used by hackers to guess your passwords
Brute Force Attack
A brute force attack is a systematic, sustained attack in which the attacker uses software to try every possible combination of characters until it hits your password. Even a short password takes millions of attempts, and every extra character multiplies the number of guesses by the size of the character set.
Online brute force attacks (guessing against the live login page) are slow and are largely stopped by account lockout policies, similar to the ones implemented by Network ROI. Lockout does nothing, however, once an attacker has stolen a database of password hashes and is guessing offline, where fast hashing algorithms allow billions of guesses per second; there, only the length and unpredictability of the password and the strength of the hashing algorithm used to store it slow the attack down. Choose a long, non-guessable password so that you are protected in both cases.
Dictionary Attack
A dictionary attack does not try every combination. Instead it works through a list of words and previously leaked passwords that people are known to choose. Every password that is cracked feeds back into the attacker’s wordlist, so a password that has ever appeared in a breach is effectively already in the dictionary.
Dictionary attacks find weak passwords much faster than brute force attacks because they target a far smaller set of likely candidates. Account lockout policies give some protection against online dictionary attacks, but not against offline cracking of stolen hashes.
Hybrid Attack
A hybrid attack combines the two methods: it takes each dictionary word and applies mangling rules, such as capitalising the first letter, swapping letters for look-alike digits or symbols, and appending numbers, years or punctuation.
Because people typically put the capital letter at the start of a password and the number or symbol at the end, a handful of rules applied to each word covers most “dictionary word plus decoration” passwords at a tiny fraction of the cost of brute force. Moving the capital or the digit somewhere else helps only marginally. The real protection is not to base the password on a single dictionary word at all, for example by using several unrelated words as described in the best practice section below.
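To make the difference between the three guessing methods concrete, here is a small added example (not code from the original page) that generates dictionary and hybrid candidates and counts how many guesses each needs to reach a given password. The six-word wordlist, the mangling rules and the target passwords are constructed for illustration; real cracking wordlists run to hundreds of millions of entries and real rule sets are far richer.

```python
"""Added example (not from the original page): how dictionary and hybrid
guessing shrink the search space compared with brute force.

The six-word WORDLIST, the mangling rules and the target passwords are
constructed here for illustration."""
import string

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "liverpool", "dragon", "monkey", "welcome"]

# Look-alike substitutions of the kind users apply (o->0, a->@, s->$).
LEET = str.maketrans({"a": "@", "o": "0", "s": "$"})


def suffixes():
    """Decorations people bolt onto the end of a word: small numbers,
    recent years, a single symbol, or a number followed by a symbol."""
    for n in range(100):
        yield str(n)
    for year in range(1970, 2026):
        yield str(year)
    for sym in "!?@#$":
        yield sym
    for n in range(100):
        for sym in "!?":
            yield f"{n}{sym}"


def mangle(word):
    """Yield hybrid candidates for one dictionary word: case variants and
    leetspeak first (cheapest), then every base with every suffix."""
    bases = [word, word.capitalize(), word.upper()]
    bases += [b.translate(LEET) for b in bases]
    bases = list(dict.fromkeys(bases))        # de-duplicate, keep order
    yield from bases
    for base in bases:
        for suffix in suffixes():
            yield base + suffix


def dictionary_guesses(wordlist=WORDLIST):
    """Plain dictionary attack: the words exactly as listed."""
    yield from wordlist


def hybrid_guesses(wordlist=WORDLIST):
    """Hybrid attack: each word run through the mangling rules."""
    for word in wordlist:
        yield from mangle(word)


def guesses_to_crack(target, candidates):
    """Number of guesses until `target` is matched, or None if never."""
    for i, guess in enumerate(candidates, 1):
        if guess == target:
            return i
    return None


def brute_force_keyspace(length, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Total combinations a brute force attack over `alphabet` must be
    prepared to try for a password of the given length (94 printable
    characters by default)."""
    return len(alphabet) ** length


if __name__ == "__main__":
    for target in ["letmein", "Liverp00l1", "9Case Lion Rover"]:
        d = guesses_to_crack(target, dictionary_guesses())
        h = guesses_to_crack(target, hybrid_guesses())
        print(f"{target!r}: dictionary={d} hybrid={h} "
              f"brute-force keyspace={brute_force_keyspace(len(target)):.3e}")
```

Run as a script, it shows that a word straight from the list falls on the second guess, that a “decorated” word such as Liverp00l1 survives the plain dictionary but falls to the hybrid rules after a few thousand guesses, and that three unrelated words are not reached by either, even though a brute force search of the same length would need on the order of 10^31 guesses.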
Password Spraying
Password spraying turns the approach around. Instead of many guesses against one account, the attacker tries one or two commonly used passwords (a season plus the current year is a favourite) against a long list of usernames, often thousands of accounts at once. Because each account sees only a couple of failed attempts before the attacker moves on, per-account lockout policies never trigger. Defending against spraying means looking for the pattern across accounts, such as many different users failing from the same source in a short window, and banning the passwords everyone picks, rather than only counting failures per user.
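The following added example (not from the original page) shows why a per-account lockout counter misses a spray and what a detection that looks across accounts would flag instead. The log lines, the field names (src=, user=, result=) and the thresholds are constructed for illustration; you would map them onto the authentication logs of your own identity provider or VPN.

```python
"""Added example (not from the original page): telling password spraying
apart from a single-account brute force in authentication logs.

The log lines, field names (src=, user=, result=) and thresholds are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries one password against five accounts
# (a spray), a second source hammers a single account (classic brute force).
LOG = """\
2024-03-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T09:00:03Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T09:00:05Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T09:00:07Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T09:00:09Z src=203.0.113.5 user=erin result=FAIL
2024-03-01T09:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2024-03-01T09:05:00Z src=198.51.100.7 user=grace result=FAIL
2024-03-01T09:05:02Z src=198.51.100.7 user=grace result=FAIL
2024-03-01T09:05:04Z src=198.51.100.7 user=grace result=FAIL
2024-03-01T09:05:06Z src=198.51.100.7 user=grace result=FAIL
2024-03-01T09:05:08Z src=198.51.100.7 user=grace result=FAIL
"""


def parse(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


RECORDS = [parse(line) for line in LOG.splitlines()]


def lockout_hits(records, threshold=5):
    """What a per-account lockout policy sees: accounts with >= threshold
    failures. It catches the single-account brute force only."""
    fails = defaultdict(int)
    for r in records:
        if r["result"] == "FAIL":
            fails[r["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def spray_sources(records, min_users=5, window=timedelta(minutes=10), max_per_user=2):
    """Sources whose failures span >= min_users distinct accounts inside
    `window` while each account sees <= max_per_user failures, i.e. the
    lockout-evading shape of a spray. Returns {src: [users...]}."""
    by_src = defaultdict(list)
    for r in records:
        if r["result"] == "FAIL":
            by_src[r["src"]].append(r)
    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # slide the window start
            per_user = defaultdict(int)
            for r in recs[i:]:
                if r["ts"] - first["ts"] > window:
                    break
                per_user[r["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted(per_user)
                break
    return flagged


def successes_from(records, sources):
    """Accounts that logged in successfully from a flagged source: the
    spray found a working password and those accounts need a reset."""
    return sorted({r["user"] for r in records
                   if r["src"] in sources and r["result"] == "SUCCESS"})


if __name__ == "__main__":
    print("locked out by policy:", lockout_hits(RECORDS))
    sprays = spray_sources(RECORDS)
    print("spraying sources:", sprays)
    print("likely compromised:", successes_from(RECORDS, sprays))
```

On the sample data the lockout policy locks only grace, whose account was brute forced, while the spraying source that touched five accounts once each goes unnoticed by it; the cross-account check flags that source, and the successful login that followed points at the account whose password it found.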
Phishing – still a danger
Phishing is an attempt to steal sensitive information such as usernames, passwords and credit card details by tricking users into clicking a link in an email or social media post and entering their details on a fraudulent web page. A strong password will not save you here, because you hand it over yourself. User awareness is one of the best ways to prevent this type of attack, and multi-factor authentication limits the damage when a password is given away.
Attackers also use phishing to install malware on a user’s device. Once the malware is running it can deploy ransomware, steal stored credentials, log keystrokes and carry out many other nefarious activities. With your details in hand, the attacker can commit further acts of online fraud that affect you personally and may affect your company.
Spear phishing is a form of phishing that targets specific users or organisations and normally requires the attacker to carry out research using social media and other online sources prior to the attack.
A whaling attack is a form of spear phishing in which an attacker pretends to be a senior member of an organisation and asks for a large amount of money to be sent quickly to a bank account. Attackers use high-pressure tactics and usually target people in positions of financial authority such as CEOs, MDs, FDs or other senior staff members. A whaling attack commonly follows the compromise of the email account of the person being impersonated, which is what makes the request look genuine.
Make weak passwords history
Strong passwords are often the first line of defence against
Password best practice
- Never use the same password for important accounts. Examples include email, social media, banking and work logins
- Use a mixture of upper-case letters, lower-case letters, numbers and symbols
- Use three random words, joined with a mixture of characters or symbols
- Invest in a reputable password manager
- Never share your password with other people
- Use multi-factor or 2-factor authentication where available
- Choose longer passwords for increased security
- Don’t change a strong password on a fixed schedule, as was once standard practice. Forced periodic changes push people towards predictable variations (adding a digit, changing the month) and weaken the password; change it when you have reason to believe it has been exposed
Here are some examples of both good and bad passwords. The trick is to find something that is memorable to you but difficult for a machine to guess. The randomly generated example will be tough for a machine to crack, but also difficult for you to memorise, which is where a password manager earns its place.
Never use the actual examples shown in any password resource as there is a good possibility they have been added to a password dictionary.
Bad passwords
- Any variation of the word password e.g. Pa$$word
- Any common short phrase or slang e.g. Letmein
- Any obvious keyboard combination e.g. qwerty
- Sporting team, celebrity or child’s name e.g. Liverp00lFC
- Numerical string e.g. 123456
- Company name or line of business e.g. NetworkR01
Good passwords
- Three unrelated words in a random order e.g. 9Case Lion Rover
- A randomly generated password e.g. jYE9Al#@lGS3v7Y7t
- A phrase memorable to you e.g. my son plays 2 violins
More about Identity and Access Management
Identity and Access Management (IAM) is the industry term that covers password managers, multi-factor authentication and single sign-on solutions. These products are designed to simplify the login process while maintaining a high level of security. At Network ROI, we have strong relationships with many IAM providers that allow us to tailor solutions to your needs.
We highly recommend investing in a reputable enterprise-level password manager or IAM solution to protect your network. The beauty of these solutions is that they can be used to generate very complex passwords, often removing the need to know or remember passwords – particularly useful when staff leave your organisation.
To learn more about IAM solutions or to find out how Cyber Essentials can improve the security of your organisation, contact Network ROI and speak to one of our security experts.