Practical Guide to Computer Password Security
With recent news surrounding various high-profile computer hacking scandals, here is a quick, practical guide on how to better protect yourself against the threats in our rapidly evolving technology space.
Why Computer Protection is Critical
How various attacks are executed is discussed below. Let’s first talk about consequences of these attacks.
Once an account password is compromised, the attacker has unrestricted access to that account until you change your password. In a more serious attack on your computer, a back door (commonly installed by a trojan) gives an attacker remote visibility and control of your entire compromised machine and of any data that resides, even temporarily, on that machine.
If the compromised account is your main email address, the attacker obtains full access to every single other account you have tied to that email by resetting passwords through the “forgot password” feature that utilizes the now-compromised email address as a verification step. This scenario is what you want to avoid.
Realistically, the consequences of an attack depend on the original intent of the attacker. If the attacker is spying on you, for trade secrets, communication, inside information, personal information or anything else you can think of, they will be careful not to reveal that the attack succeeded, using the same back door or password over time to keep their edge. If the attacker is in for a quick smash and grab, you will know instantly that you were compromised, because your accounts will either be depleted or your personal information will be shared with the rest of the online world. Neither scenario is favourable.
I think everyone agrees that being proactive in protecting yourself is much less stressful than finding out you have been compromised and your identity stolen, having to rebuild your life or your reputation, and wasting time and money on something that could have been potentially avoided.
However, if you are under an organized attack, it is very hard to defend yourself, especially if you are a high-profile individual such as an executive or a celebrity. The key is to be able to fend off 99.9 per cent of threats, because the reality is that anything can be broken into, especially if there is any human element involved in the defense mechanism.
There are multiple ways of preventing your online accounts from being compromised. These are some of the first key steps:
Step 1) Making passwords unique.
A recently popularized method of increasing your password complexity while still making it easy to remember is using an internet language called “Leet.” Defined by Oxford as “an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters,” Leet has become a requirement in many situations where security is balanced with usability. Key to using Leet is to make passwords unique to you as illustrated below.
Referencing an attached list, the word “password” becomes “P4$$w0rd.” Notice that capitalization mixed with special characters adds to the strength of the password. Still, be careful with common words or phrases: someone has already thought of them, and the leet version is already included in the attacker’s dictionary. Instead, use whole sentences, turning “this article is so awesome” into “7#is Art1cl3 15 s0 AWESOM3.” The complexity is up to you, but vary it.
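The caveat above is worth seeing in code. The following is an added example, not code from the article (whose attached substitution list is not reproduced here): it reverses the common leet substitutions and looks the result up in a wordlist, which is exactly the rule-based expansion cracking tools apply in the other direction. A single disguised word such as “P4$$w0rd” is rejected, while a multi-word sentence passes on length even though every one of its words is in the dictionary. The substitution table, the mini-wordlist and the four-word threshold are assumptions chosen for the demonstration.

```python
import itertools
import re

# Constructed reverse-leet table (an assumption, not the article's attached list):
# each symbol maps to the letter(s) it commonly stands for.
DELEET = {
    "4": "a", "@": "a", "8": "b", "3": "e", "6": "g", "9": "g", "#": "h",
    "1": "il", "!": "i", "|": "l", "0": "o", "$": "s", "5": "s", "7": "t", "2": "z",
}
# Multi-character substitutions are undone before the per-character pass.
MULTI = {"[<": "k", "|<": "k", "|-|": "h", "\\/": "v"}

# Constructed mini-dictionary standing in for an attacker's wordlist.
COMMON_WORDS = {
    "password", "welcome", "admin", "letmein", "monkey", "dragon",
    "this", "article", "is", "so", "awesome", "green", "pink",
}


def deleet_candidates(token, limit=256):
    """All plain-letter readings of a leet token, lowercased.

    Ambiguous symbols ('1' may be 'i' or 'l') expand into several candidates;
    `limit` caps the expansion for very long tokens.
    """
    for symbol, letter in MULTI.items():
        token = token.replace(symbol, letter)
    options = [list(DELEET.get(ch, ch)) for ch in token.lower()]
    out = set()
    for combo in itertools.product(*options):
        out.add("".join(combo))
        if len(out) >= limit:
            break
    return out


def is_dictionary_derived(token, words=COMMON_WORDS):
    """True if undoing the substitutions yields a word in the wordlist."""
    return any(cand in words for cand in deleet_candidates(token))


def assess(password, words=COMMON_WORDS, min_words=4):
    """Classify a candidate password.

    A short run of dictionary words in leet disguise is rejected, because
    cracking tools apply these substitutions to their wordlists. A passphrase
    of `min_words` or more words is accepted: its strength comes from length,
    whether or not the individual words are in a dictionary.
    """
    tokens = [t for t in re.split(r"[\s_\-]+", password) if t]
    derived = [t for t in tokens if is_dictionary_derived(t, words)]
    weak = len(tokens) < min_words and len(derived) == len(tokens)
    return {
        "tokens": len(tokens),
        "dictionary_tokens": len(derived),
        "verdict": "reject" if weak else "accept",
    }


if __name__ == "__main__":
    for pw in ("P4$$w0rd", "7#is Art1cl3 15 s0 AWESOM3", "P1n[<"):
        print(pw, "->", assess(pw))
```

Length and character-class rules belong in a separate check; this one only answers the question the paragraph raises, namely whether the substitutions are doing any real work. Note that “P1n[<” also de-leets to “pink”, so a secret answer protected this way is only as strong as the lie behind it.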
Step 2) Pillar your passwords.
A second level of protection is to use separate passwords for different groups of online systems, so that even if you are compromised, the attacker only obtains access to one set of your passwords. For example, use separate passwords for your work life versus your personal life. Then if your personal email gets compromised, your work email does not, and vice versa.
Here is a good balance of security and usability:
Category – High Complexity – All Unique: Banking
Category – High Complexity – All Unique: Email (Google, Yahoo, Outlook…)
Category – Medium Complexity – All the Same: Social Networking, Shopping, Streaming, Cloud
Category – Low Complexity – All the Same: Forums
You can customize this based around usability and what you stand to lose in each compromise scenario. This type of system prevents hackers from cascading your compromised information across other accounts you have. As an example, if your forum account password is broken, the attacker does not gain access to your cloud pictures or work emails.
Step 3) Two-step verification (TSV) or multi-factor authentication.
Many online services let you enable two-step verification. This system performs two checks every time you log in. The first check is typically your login and password; the second is either a physical security key (a hardware token), a phone authentication application, or an SMS message sent to your phone.
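The phone authentication application mentioned above almost always implements time-based one-time passwords (TOTP, RFC 6238), which is why the code changes every 30 seconds. The following is an added example, not code from the article, showing both halves of that second check with only the Python standard library: the app side that derives the code from a shared secret and the clock, and the server side that verifies it. The server check allows one step of clock drift, compares in constant time, and remembers the last accepted counter so a code that was captured once cannot be replayed. The shared secret in the test is the RFC 6238 reference vector; the function names are this example's own.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP (RFC 4226): dynamically truncate HMAC(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock.

    This is what the authenticator app on the phone computes.
    """
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, step=30, digits=6, window=1, last_used=None):
    """Server-side check of a submitted code.

    Accepts codes from `window` steps on either side of now (clock drift),
    compares in constant time, and refuses any counter at or below
    `last_used` so a code observed once cannot be replayed.
    Returns the accepted counter (store it as the new `last_used`) or None.
    """
    at_time = time.time() if at_time is None else at_time
    now = int(at_time) // step
    for drift in range(-window, window + 1):
        counter = now + drift
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo secret; real deployments generate a random one per user.
    secret = b"12345678901234567890"
    code = totp(secret)
    print("current code:", code)
    print("accepted counter:", verify_totp(secret, code))
```

The `last_used` bookkeeping is the part most often left out of home-grown implementations; without it, the drift window means a code remains valid for up to 90 seconds after it was first used.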
Step 4) Strengthen Secret Answers
Apply the same Leet strengthening technique to your secret answers, or straight up lie on them to avoid social engineering. For example, if your favorite colour is “green” and you hate pink, use “pink” instead as your secret answer. Alternatively, use “P1n[<”.
Step 5) Use protection
There are hundreds of tools in the online market that minimize your risk of being a target and a potential victim. Use them. Allocate a budget for security and pick an antivirus, password organizer and malware protector with online, offline and mobile versions that work for you. These tools are invaluable when it comes to preventing a good chunk of attack methods existing today.
Let’s look at what methods are typically employed in compromising account security and what can be lost from various types of attacks.
There are direct and indirect methods of compromising account security. Direct attacks target an individual, whereas indirect attacks target the business with which the individual has a relationship. Indirect attacks are much larger in scope – such as the department store chain attack – so I will not discuss that scenario in this article.
As for direct attacks, there are five major group types: 1) brute force/dictionary, 2) phishing/vishing/swishing, 3) social engineering, 4) trojan/malware/virus/key logger, and 5) password list attacks.
Brute Force, Dictionary Attack:
Brute-force and dictionary attacks are extremely common. The attacker targets an email address and uses an automated tool to hammer a specific account login with a large number of passwords cycled through a massive list. This list is based on common passwords many people use, dictionary words, and stolen passwords from larger indirect compromises. Essentially, an automated program tries to log into your account repeatedly, thousands of times with different passwords, until it finds one that matches your login.
Phishing, Vishing, Swishing:
Phishing is another very common attack type. This attack revolves around redirecting you to an exact replica of a website through an email asking you to do something urgent. You see these emails all the time in your spam folder, as companies have really ramped up automated protection against this type of attack. However, the odd one still gets through to your inbox.
Vishing is the exact same type of attack but using the telephone. A person calls you directly, pretends to be a representative of an institution, and asks you to confirm your personal information with them. Finally, swishing (more commonly called smishing) sends a text to your cell phone with a link to a phony replica of a real website, asking you to enter your personal or login information just as in a phishing scenario.
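The replica site in a phishing email is reached through a link whose visible text rarely matches where it actually points. As an added example, not code from the article, the following Python extracts every link from an email body and flags those where the displayed host differs from the target host or the target is outside the organisation's own domains; mail gateways and awareness tooling apply the same two checks. The sample message, the trusted-host list and the `.example` lookalike domain are all constructed for the demonstration, and the subdomain test is a simplification that ignores public-suffix rules.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message); .example is a reserved TLD.
SAMPLE_EMAIL = """
<p>Your account will be locked in 24 hours. Verify now:</p>
<a href="http://examplebank.com.login-verify.example/secure">www.examplebank.com</a>
<p>Questions? Visit our <a href="https://www.examplebank.com/help">help centre</a>
or <a href="https://mail.examplebank.com/">mail.examplebank.com</a>.</p>
"""

# Constructed list of hosts the organisation legitimately links to.
TRUSTED_HOSTS = {"examplebank.com"}

# Visible link text that itself looks like a host or URL, e.g. "www.examplebank.com".
HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL or bare host string, or None."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower() or None


def under(host, parent):
    """True if host is parent or a subdomain of it (no public-suffix handling)."""
    return host == parent or host.endswith("." + parent)


def suspicious_links(html, trusted=TRUSTED_HOSTS):
    """Return [(href, [reasons])] for links that deserve a second look."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        if real is None:
            continue
        reasons = []
        shown = host_of(text) if HOSTLIKE.match(text) else None
        if shown and not under(real, shown):
            reasons.append("visible text names a different host than the link target")
        if not any(under(real, t) for t in trusted):
            reasons.append("link target is not a trusted host")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The first link is caught on both counts: it reads as the bank's address but resolves to a host under `login-verify.example`, which is the pattern the paragraph describes. The two legitimate links pass because they sit under the trusted domain.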
Social Engineering:
While this attack has been around for ages, it received the most notoriety with the recent iCloud scandal and various other Apple scandals. Social engineering uses persuasion to fool the human element in any security system. The human element is usually the weak link, due to weak security processes or weak training. This weak link, such as a new employee, can be exploited at the lowest level of the security system, such as a retail store, as the first step in the attack. Alternatively, targets themselves can be subjected to seemingly random questions aimed at specific security measures they have put in place. One example might be meeting someone on the street who says “My goodness, you are so pretty, where do beautiful girls like you come from, what city were you born in?” It seems innocent enough at first, but what just happened is that you gave away the answer to one of the three security questions listed on your password retrieval form.
Trojan, Malware, Virus, Key Logger:
Viruses, Trojans, Malware and Key Loggers are types of dangerous computer programs that hackers will try to plant on your computer as a tool to record your passwords or take control of your computer. Installing anti-virus software is your first line of defense against this type of attack, but anti-virus will not detect or protect you against custom-built malware. A recent security conference conducted an experiment in which USB sticks carrying custom viruses were randomly dropped in a parking lot. Within hours that same day, the sticks were picked up by unsuspecting people and the creator was able to access numerous computers for his conference presentation. Now think: if you are an executive and you walk into your office and see a USB stick on the floor, will you plug it into your laptop?
Password List Attacks:
Online environments do not all share the same security measures. A community forum is much easier to hack than a bank or an email provider like Google. A problem arises when victims share the same password between their forum accounts and their bank, email, etc. This gives an attacker the ability to break into other online accounts with minimal effort. Password list attacks exploit the use of identical passwords across multiple online environments. Hackers share logins and passwords that were compromised at some point in time, then pick a website and hammer away at it with the list, much as in a dictionary brute-force attack. Just recently, a huge 50 million entry list caught media attention when it was released on Russian hacker forums.
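From the defender's side, the brute-force attack described under “Brute Force, Dictionary Attack” and the password list attack described here leave different footprints in an authentication log: the first is many failures against one account, the second is one source failing against many accounts with only an attempt or two each, which is exactly why per-account lockouts miss it. The following is an added example, not code from the article, that runs both detections over a constructed log (TEST-NET addresses, made-up usernames) and also flags a success from a source already seen stuffing, the signal that a reused password has just been found. The log format, thresholds and five-minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-timestamp> OK|FAIL user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def make_sample_log():
    """Constructed authentication log (not real data; TEST-NET addresses)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Normal traffic: a few users logging in successfully.
    for i, user in enumerate(("bob", "carol", "dave")):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} OK user={user} src=192.0.2.{10 + i}")
    # Brute force / dictionary attack: one account, many passwords, one source.
    for i in range(12):
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} FAIL user=alice src=198.51.100.7")
    # Password list attack: one source, many accounts, one attempt each,
    # so no single account reaches a lockout threshold.
    for i, user in enumerate(("erin", "frank", "grace", "heidi", "ivan", "judy")):
        lines.append(f"{(t0 + timedelta(minutes=3, seconds=5 * i)).isoformat()} FAIL user={user} src=203.0.113.9")
    # A reused password works: the same source now logs in as judy.
    lines.append(f"{(t0 + timedelta(minutes=4)).isoformat()} OK user=judy src=203.0.113.9")
    return lines


def parse(lines):
    """Parse matching lines into (timestamp, result, user, src), oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect(lines, window=timedelta(minutes=5), per_account=10, per_source_accounts=5):
    """Sliding-window detection of both attack shapes.

    brute_force: an account with >= per_account failures inside `window`.
    credential_stuffing: a source failing against >= per_source_accounts
    distinct accounts inside `window`, however few attempts per account.
    success_after_stuffing: a successful login from a source already flagged.
    """
    fails_by_user = defaultdict(deque)   # user -> timestamps of failures
    fails_by_src = defaultdict(deque)    # src  -> (timestamp, user) of failures
    alerts = {"brute_force": set(), "credential_stuffing": set(), "success_after_stuffing": set()}
    for ts, result, user, src in parse(lines):
        if result == "OK":
            if src in alerts["credential_stuffing"]:
                alerts["success_after_stuffing"].add(user)
            continue
        q = fails_by_user[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= per_account:
            alerts["brute_force"].add(user)
        s = fails_by_src[src]
        s.append((ts, user))
        while ts - s[0][0] > window:
            s.popleft()
        if len({u for _, u in s}) >= per_source_accounts:
            alerts["credential_stuffing"].add(src)
    return alerts


if __name__ == "__main__":
    for kind, hits in detect(make_sample_log()).items():
        print(f"{kind}: {sorted(hits)}")
```

Keying the second detector on the source rather than the account is the whole point: in the sample, each stuffed account sees a single failure and would never trip a lockout, yet the source is unmistakable. In practice the source key may need to be widened to a network range, since list attacks are often spread across many addresses.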