More

    Latest Comment

    The Crater Good on Front Page Discussion

    Comment Leaderboard

      #1 Zo 1,157
      #2 The Crater Good 284
      #3 Bodybagger 282

    Share

    Comment

    Bad Passwords EXPOSED: How To Create SUPER Passwords That Stop Cyber Attacks

    We hear continually about the importance of password security but what’s the real lowdown?  Is it a big deal?  Is there an easy way to maintain a complex password?  Is there a safe way? 

    How To Become Bankrupt in 3 Simple Steps 

    Picture this scenario: you are the director of a large construction firm.  You are expecting a series of payments from the local government for a large project you have undertaken on their behalf, you also regularly pay subcontractors for jobs you have ordered.  You walk into the office and the financial director casually mentions that they are sorting out that urgent payment you emailed them about for the completed contract and should be transferring the money in the next hour. 

    But! You never emailed them about paying any contracts so you ask them “What email?”, they show you and sure enough there is a legitimate email from your account requesting a payment of €5,000 to an international account of someone you have never heard of.  You tell the financial director you never sent the email, hold that payment! – You call in an IT consultant to find out what is going on.  

    The IT consultant traces the email back to your cloud-based email (Microsoft 365 or Google G-Suite) account but from a logon in a different continent.  As he digs deeper, he sees that there was also a hidden sequence of emails from the financial director to the local government to change the account they pay into.  The IT consultant asks you to phone the local government immediately – you do and they happily tell you that the early part payment of €900,000 you requested is due to transfer in the afternoon. 

    This is not fiction; it is a true horror story from my many years of professional IT consultancy and cyber-security analysis.  I am that IT consultant.  The director instructed the local government to stop the payment and, while the IT investigation and the securing of the email infrastructure was ongoing, to verify all payments via telephone with the financial director.  Had this scam succeeded the company could have gone bankrupt with the loss of tens of jobs and the end of a lifetime of building a business.  This all happened because of poor password security and some other simple security settings which were left at default or even loosened for “ease of use”. 

    This company was not specifically targeted but was caught in more of a “drive-by” opportunistic probe, which only worked as the “hacker” or “phisher” guessed the password, based on the company name (step 1), of one of the marketing users who was responsible for the company’s social media advertising and thus had a public email address (step 2) and then using that account to leverage (step 3) into the financial controller and director’s accounts. 

    Passwords Matter  

    As we have seen, simple passwords are a liability. 

    Excessively complex passwords are also a liability because the user tends to write them down and keep that conveniently close to where they will need the password, since they tend to be very hard to remember.  Add the requirement to rotate passwords every 30 – 90 days and this increases the risk of passwords being written on a post-it note stuck to a monitor or the underside of a keyboard.  The Emergency Management Agency of Hawaii had a scandal in 2018 over a photo showing a password on a post-it recorded in a publicly available high-resolution photo. (source

    What Is A Mere Mortal To Do?  How To Walk The Razor-Sharp High-Wire Of Complexity Versus Ease Of Memory? 

    There are some simple mechanisms that can be used to create very complex passwords that are simple to remember.  It has been documented that rhyme and meter are excellent memory aides (source 1, source 2) – just think how many advert jingles you can still remember from your childhood as an example.  We can leverage these natural memory techniques to build complex passwords and also help to memorise scripture if you like. 

    TheoNerds_VPN

    Psalms, Hymns, Spiritual Songs 

    For example; the first 4 verses of Psalm 2 (ESV) contain 58 words:

    Why do the nations rage and the peoples plot in vain? The kings of the earth set themselves, and the rulers take counsel together, against the LORD and against his Anointed, saying, “Let us burst their bonds apart and cast away their cords from us.” He who sits in the heavens laughs; the Lord holds them in derision.’ 

    This would make a very long password, however, we can use the first letter of each word to give us a 58 character password: add in punctuation and you get 68 characters 

    Wdtnratppiv?Tkotest,atrtct,atLaaHA,s,”Lubtbaacatcfu.”
    Hwsithl;tLhtid. 

    Maybe you don’t need such a complex password but you DO need at least 20 characters with a mix of UPPER and lower case and punctuation/special characters.  I also use different types of brackets for specific emphasis of phrases or words: {}, [], (), <> – you can develop your own rhyming/meter scheme.  We could also alternate case to add meter and for additional complexity, instead of following standard capitalisation rules:   

    [WdTnR][aTpPiV][tKoTeSt] 

    If you remember the first one and a half verses of Psalm 2 you have a nice, 25 character, complex password that is easy to memorise and if you need to change it in 30 days you can take the second half of verse 2 and all of verse 3: 

    [AtRtCt][AtLaAhAs][LuBtBaAcAtCfU] 

    Experiment with methods that maximise your natural learning techniques, use psalms, hymns, spiritual songs or nursery rhymes or if you are desperate, even old adverts!  You can even use syncopation for the case setting, every even letter as uppercase instead of every odd.

    To infinity And… 

    With the increased use of machine learning and quantum computing capability increasing, even a 68-character password will soon be easily crackable and that is why we need to enable multi-factor authentication where possible.  Multi-Factor Authentication or MFA is where additional password(s) linked to your account are generated by a dedicated device or application like Authenticato‪r for iOS or Aegis Authenticator for Android.

    Come back to see my horror story article on Multi-Factor Authentication and where you can enable it today, how to do that and why you should.

    Share

    Subscribe
    Notify of
    guest

    0 Comments
    Inline Feedbacks
    View all comments
    Bodybagger
    Bodybagger
    The L33t Fr@gZ0r. This former fragging hero is a Quake vet who was spawned before the internet- if you can imagine such a horrible time. With a love for automation, some say he doesn’t even write for this site but has developed AI using corporate tech to postulate cohesive sentences for all your alternative tech news desires.
    spot_img

    Suggested

    0
    Would love your thoughts, please comment.x
    ()
    x