Poor Password Practices: Are you the Weakest Link?

Quite often, the biggest IT Security risk can be, well, you and I…

First things first, I wouldn’t actually make a good Anne Robinson! I’d feel the need to constantly reassure the contestants and remind them that the show is really just pointless fun.

However, sadly when it comes to IT security, the weakest link can be exactly what we are.

For the purpose of this post, what I want you to consider is your passwords, how you protect them and if you are guilty of the three senarios I have outlined below – I know I have been.

Every buzz word in the world of IT Security you might come across – key logging, phishing, malware to name a few – the intent is usually the same: to gain access to your systems and data.  One of the best ways to let them through the door?  Compromising your passwords.

Passwords have been in the news especially of late thanks to all the media hype around the now infamous Heartbleed bug. For a great, no nonsense run down of what you need to be aware of when it comes to Heartbleed, take a look at my colleague Mike Tudor’s blog from yesterday ‘Don’t Panic! Heartbleed bug Explained’ – he provides you with some top tips too.

There have been some conflicting reports about whether you should change all your passwords instantly as a result of Heartbleed, or whether this would do more harm than good on affected websites.

My advice would be to check to see whether the sites you have accounts with are affected first (check out https://lastpass.com/heartbleed/), make sure it has been fixed, and then change your password.

Ultimately however, we have so many different accounts and passwords now, that following the recommended advice to change your password regularly isn’t always easy for a lot of us. But it is important to take a rigorous approach to password protection, and yet sometimes our human behaviours can pose the biggest IT Security threat.

Because of the kind of access that can be gained if someone else does get hold of your password, to not do all you can to protect it is the IT equivalent of leaving your front door wide open.

Here’s three ways in which people compromise their IT system passwords…

[Disclaimer first though – before I accuse us all of being as useful as a chocolate fireguard when it comes to IT Security – why should we care?  Well, put simply, cyber crime is now more profitable than the drug trade (Have a look at the video of our COO Steve Cox talking about the rise in cyber crime).

Hacking isn’t the nerdy activity it once was – it’s incredibly big businesses now, and vigilance has never been more important.  Password protection is absolutely key, and the majority of this comes down to our human behaviours.]

Stealing the passwords via Phishing/Spear Phishing

Human Behaviour: People can be tricked into giving out their passwords via email/webform.

Problem: Hopefully everyone reading will know that a person claiming to be a Prince from a different continent isn’t really going to reward them with millions of pounds for helping them transfer money.

However, what if you get an email from an email domain similar to your bank, matching their look / feel, and you receive it around the time when you have genuinely made a change to your online banking – could you be duped responding to a link to ‘reset your password’?

That’s what phishing is, ‘Please reset your password because of x, y or z’, and they are praying on people believing it, or hoping some bad timing will go in their favour.

This one is especially relevant right now as many hackers will be looking to take advantage of people panicking about changing their passwords as a result of Heartbleed.  Someone pretending to be from a company you have an account with sends you a link to change your password, you click on it, and unfortunately it turns out the source isn’t entirely legitimate…

Take this a step further and you have ‘spear phishing’, this is phishing with some added insider information i.e the email appears to come from the correct person, at the correct time.  For example, it could be from your Banking Account Manager: “Hi John, following from our meeting on [date], can you fill out this form.” This relies on someone with information to assist in the fraud. These are much rarer, however they are also a lot more effective when they do occur!

Basic precaution: Really simple…if anyone ever asks you to share a password or make a change – phone them and ask to confirm (but don’t phone the number they give you in the email!) And if you didn’t request the password reset in the first place, always treat it with suspicion.

Also, never click on the link in the email if you do get sent something like this. Always go straight to the legitimate website.

Monitoring for password via Wi-Fi

Human Behaviour: We can be guilty of connecting to any Wi-Fi network that would appear to give us free internet access when travelling/shopping/socialising.  We also often don’t re-set or change our home Wi-Fi network’s default settings.

Problem: If you use an unsecured public network, someone could be monitoring your internet traffic – unfortunately this includes watching you type your now fantastically secure passwords! If someone breaks into your home wireless network, then some other ‘bad guys’ could start to monitor your traffic there as well, with the same outcome.

OK so I have a 30% success rate when trying prove this to friends, however don’t let my incompetence as an IT hacker fool you!

Paul Burns recently highlighted how easy it is to break-into home Wi-Fi if you don’t change your default settings in his blog ‘The Importance of Closing the Front Gate’. As Paul says, you can spend a lot of money on building the most secure environment possible, but if you leave the front gate unlocked, that can bring the whole thing down.  It’s the obvious things that we take for granted sometimes.

Basic precaution: Re-set your home network name (SSID) and password. Do not use free Wi-Fi unless it’s from a source you trust such as BT Openzone and even then, use additional security tools such as VPN, two factor authentication etc. (Our security partners Sophos wrote a great blog recently on how two factor authentication is raising the bar when it comes to password protection and how it may have helped in the Heartbleed bug).

Being told or guessing the password

Human Behaviour: Pretty obvious this one! We make our passwords so easy to guess or even worse, we write them down or tell them to friends or colleagues.

Problem: How many people have their now ex-girlfriend or ex-boyfriend’s details such as their pin number or email password? How many people tell their colleagues passwords or share passwords? I understand that you trust these people, but who do they trust to re-tell the password – and do you trust those people too?

Beyond telling people, and then people telling other people – we also make them very standard and very guessable either by making them generic e.g. Places, Names, Interests, Dates and then specific to ourselves e.g. “FootballTeam1”, or “date-of-birth”. Here’s a list of the most popular passwords we used in 2013.  I guess it should be some sort of triumph that ‘password’ has been knocked down to measly second place…behind 123456…

With the help of some basic password cracking tools, even ‘script kiddies’ have a decent chance of breaking basic passwords, never mind people who actually know a bit about you.

The problem is, break one password and you have a great chance of finding out the rest – either because you use the same password for everything, or via your email account, where you have access to the rest.

Basic precaution: Make them difficult to guess, make a plan to change them frequently and don’t tell anyone, ever!  Also consider making use of a password management system to help you keep track.

In summary, password protection is often the most overlooked aspect of IT security, and yet your password is exactly what the cyber criminals are trying to get at.  Apply rigorous processes to protect it and be aware of the vulnerable points which hackers will try to exploit to get your data.

For more on the human aspect of IT Security check out the ‘Week in the Life of a Hacker’ series which our COO Steve Cox wrote for Microsoft:

Day 1: Tape Gate
Day 2: The Case of Mistaken Identity
Day 3: I’m here to water the plants, honest…
Day 4: Social Engineering