What is a secure password?


Not a week goes by without someone posting on social media that his or her account has been ‘hacked’. In this article we will discuss what you can do to improve the security of all your accounts while making only a small sacrifice in usability.

First of all, let’s look at some of the means hackers have at their disposal. The two most commonly used techniques are social engineering and brute force attacks. That sounds complicated, but it actually is not. Let’s dive in.

Social engineering

Social engineering is a method that targets the weakest link in the IT chain: the user. Yes, that is you and me!

What an attacker might do in this case is impersonate a person or a company that you already trust: someone from the IT department at work, somebody from your bank, even a stranger in the street who offers to help you, or a big tech company like Microsoft or Apple.

Why would the IT guy at work ask me for my password? Would he use it for some shady activity? Probably not, but the point is that this hacker is only acting as if he is from your company; in reality he is not.

Brute force attack

As the name implies, during this attack the hacker uses only force and not intelligence: the attacker simply tries every possible (username and) password combination until he or she finds the right one. Against an application that uses only password authentication this attack (almost) always succeeds, BUT a lot of effort has to be put in. It is not manpower; it just takes a lot of time, depending on the password requirements.

What are a few simple ways to limit the risk of either of these 2 methods being used to compromise your accounts?

Social engineering is really difficult to mitigate as it can come in so many shapes and forms, but this list can help you spot some red flags:

  • Tech companies like Apple and Microsoft will NEVER call you because they have ‘seen a problem on your computer’!
  • Banks DO NOT CALL their customers to verify details. If you are in doubt, call them using the number that you already have in your phone and not a number that appears in an e-mail, because you might be calling the attacker himself.
  • In such e-mails you will often find one or more spelling mistakes.
  • Verify the sender’s e-mail address.
  • Verify links BEFORE clicking them (just hover over them to see where they really lead).

Brute force attacks are a little easier to deal with (from an IT tech’s point of view), but they ask for some sacrifices in usability.

  • Use complex passwords: attackers often use dictionaries to carry out a brute force attack. Dictionaries are nothing more than lists of possible passwords that he or she could try.
    • Make sure that you do not use words from a dictionary.
    • Make sure your password is long enough: 16 characters or more. I will explain why in the next section.
  • Don’t reuse passwords. Pick a different one for each application.
  • Use multi-factor authentication (MFA, mostly known as 2FA, where the number refers to the number of methods you use simultaneously, 2 in this case).

Why do passwords have to be complex and long?

Think about this: from a user’s perspective you will not be able to stop a brute force attack. So what we are trying to do by choosing a long, complex password is to waste the attacker’s time. After all, in the hacking business ‘time is money’ is also their motto.

Let’s say that our password is encoded in ASCII, which means that we have 256 possibilities for each character (ASCII contains the alphabet in upper and lower case, the digits 0 to 9 and all symbols).

When we add one more character to our password, the attacker has 256 x 256 (65536) possibilities to try when guessing your password.

When we use an 8 character password, the number of possible passwords increases to 18446744073709551615.

For a 16 character password the number becomes astronomical (2560000000000000000), which means that even with today’s computational power it will take the attacker a while to ‘guess’ your password.
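The growth described above is exponential in the password length, and it is worth seeing the exact figures and what they mean in attacker time. The following Python is an added example, not code from the article: it computes the search space for any alphabet size and length (the article’s 256-symbol alphabet as well as the 95 printable ASCII characters), converts it to bits, and estimates how long an exhaustive search takes at an assumed guess rate (the 10 billion guesses per second used below is an assumption for a fast offline attack, not a figure from the article).

```python
import math


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits: log2 of the keyspace, i.e. length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a constant guess rate (the expected time is half of this)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest unit that fits, e.g. '2.0 hours'."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    RATE = 1e10  # assumed guess rate: 10 billion/s, an offline attack against a fast hash
    alphabets = (("article's 256-symbol alphabet", 256), ("95 printable ASCII characters", 95))
    for label, size in alphabets:
        print(f"{label}:")
        for length in (1, 2, 8, 16):
            space = keyspace(size, length)
            eta = human_duration(worst_case_seconds(size, length, RATE))
            print(f"  {length:2d} chars: {space:>40,d}  ({entropy_bits(size, length):5.1f} bits)  "
                  f"exhaustive search at {RATE:.0e} guesses/s: {eta}")
```

Doubling the length does not double the attacker’s work; it squares it, which is why the jump from 8 to 16 characters matters far more than adding a symbol or two to a short password. The rate is the knob to watch: an online attack against a login form runs many orders of magnitude slower than an offline attack on a stolen hash database, so the same password buys very different amounts of time in the two cases.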

But how can I remember all these complex passwords?

The answer is NOT to put them on a post-it attached to your screen 😉

There are two possible solutions to this problem:

  • When you choose a password, pick a passphrase that you can remember, meaning a real phrase, or just the first letter of each word in that phrase. E.g. ‘Why do people throw sausage pizza away?’ can be your passphrase for 1 and only 1 application, or just the first letter of each word: Wdptspa.
  • A far easier way to remember passwords is to put them into a password manager. I will list a few here but there are others (I am not making any money if you choose any of the products in the list below).

Password managers allow you to store all your passwords and even your multi-factor authentication keys. This makes sure that all your passwords sit behind one, hopefully complex enough, password that you can easily remember, plus some form of multi-factor authentication.

These password managers will also alert you if you store a weak password in them or when you are reusing an old password.

Just that extra layer of security … MFA

Multi-factor authentication is an authentication process where you need 2 or more different ways of authenticating at the same time. In most circumstances it is something you know (like a password) and something you have (like the token many people use to log in to their bank).

Other examples of MFA are:

  • When you log into your Gmail/Google account, you are asked for your username and password. After successfully completing this step, you get a prompt on your phone.
  • When you log into an application and have entered your username and password correctly, you get an SMS on your mobile phone OR an automated phone call in which you hear a code that you need to enter on the website.
  • A door that is operated by a lock and an iris scan.

What can application owners do to protect their systems so your account is safe?

For application owners there are various measures they can take to prevent brute force attacks.

Below you will find a list of a few ideas that already exist in many of today’s applications:

  • Lock accounts after a certain number of unsuccessful attempts
  • Introduce a delay for each failed attempt
  • Support multi-factor authentication (see the MFA section above)
  • Support of very complex/long passwords
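The first two items in this list, a lockout after a number of failed attempts and a delay that grows with each failure, fit in one small piece of login logic. The Python below is an added example, not code from the article or from any real product: the thresholds (5 failures, a delay that doubles from 1 second, a 15-minute lockout), the in-memory account table, the injectable clock and the constructed user store with a PBKDF2 hash are all assumptions made so the example runs stand-alone and can be exercised without waiting in real time.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # lock the account on the fifth consecutive failure
BASE_DELAY = 1.0        # seconds; doubles after every further failure
LOCKOUT_SECONDS = 900   # 15 minutes
PBKDF2_ROUNDS = 10_000  # kept low for the demo; production uses far more


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, hash). Never store the password itself.
USERS = {"alice": (b"demo-salt-alice", _hash("correct-password", b"demo-salt-alice"))}


def check_credentials(username: str, password: str) -> bool:
    """Constant-time hash comparison; unknown users still pay the hashing cost so timing does not leak them."""
    salt, stored = USERS.get(username, (b"dummy-salt", b"\x00" * 32))
    return username in USERS and hmac.compare_digest(_hash(password, salt), stored)


class FakeClock:
    """Controllable clock so the delays can be demonstrated and tested without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0
    retry_after: float = 0.0


class LoginGuard:
    """Enforces a per-account growing delay and a lockout around a credential check."""
    def __init__(self, check, clock=time.monotonic) -> None:
        self._check = check
        self._clock = clock
        self._accounts = {}

    def attempt(self, username: str, password: str):
        """Return (success, reason) with reason in {'ok', 'invalid', 'delayed', 'locked'}."""
        now = self._clock()
        state = self._accounts.setdefault(username, AccountState())
        if now < state.locked_until:
            return False, "locked"
        if now < state.retry_after:          # the delay applies even to a correct password
            return False, "delayed"
        if self._check(username, password):
            self._accounts[username] = AccountState()   # success resets the counters
            return True, "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            return False, "locked"
        state.retry_after = now + BASE_DELAY * 2 ** (state.failures - 1)   # 1, 2, 4, 8 s
        return False, "invalid"


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(check_credentials, clock)
    for password, wait in (("wrong", 0), ("wrong", 1), ("wrong", 2), ("wrong", 4), ("wrong", 8), ("correct-password", 0)):
        clock.advance(wait)
        print(f"t={clock.t:6.1f}s  {password!r:20} -> {guard.attempt('alice', password)}")
    clock.advance(LOCKOUT_SECONDS)
    print(f"t={clock.t:6.1f}s  after lockout      -> {guard.attempt('alice', 'correct-password')}")
```

Two operational points follow from the code: the account table must live in a store shared by all login servers, or an attacker simply spreads attempts across instances, and a lockout keyed only on the username lets anyone lock a victim out on purpose, so real deployments combine it with per-source-address limits and notify the account owner rather than relying on lockout alone.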
