Passwords – Outdated and Dangerous, But Necessary?

Passwords – Outdated and Dangerous, But Necessary?

Passwords – Outdated and Dangerous, But Necessary?

Here’s a quick test – what do these seemingly random alphanumerical groupings have in common?

1.      123456

2.     password

3.     123456789

4.     12345678

5.     12345

6.     111111

7.     1234567

8.     sunshine

9.     qwerty

10.  iloveyou

That is a list of the Top Ten Passwords used in 2018. Recognize any of these? If you don’t, you’re not necessarily in the clear, but your chance of becoming compromised or hacked is far less than someone who uses one of these passwords. If you do recognize these, you’re certainly testing your luck.

These days, creating and remembering passwords has become increasingly more challenging. If we had only one device that required a password, we could probably manage it quite easily. But with every device we use, most programs we need to do our jobs, and sites that require you to change your password every few months, it is estimated that the average person must memorize up to 191 different passwords. No wonder we often choose to take shortcuts!

The problem is, over 80% of hacks are due to compromised credentials, otherwise known as stolen username and password information that are often traded on the dark web. In fact, in one month alone in 2018, Microsoft blocked 1.3 million attempts to steal password data, which would have led to dangerous phishing attacks, and other hacking attempts.

These harrowing statistics are why you hear the recommendations:

·       Never use the same password twice (IT Managers report 73% of all passwords used are duplicated in multiple applications opening up multiple avenues for attack)

·       Never write down your passwords

·       Never share your passwords with anyone else

·       Never use real words or known information about yourself in your passwords

·       Avoid commonly used passwords (50% of all attacks involved the top 25 most used passwords)

Pay attention to that last stat: 50% of all attacks involved the top 25 most used passwords. See what I meant when I said if you recognized anything on that list you’re testing your luck?

Following all these rules and regulations, you’ll end up with passwords that are about 16-characters long, impossible to memorize, and, unfortunately, are still completely hackable (much more difficult, of course, but where there is a will, there is a way). So, what do we do now?

Password Manager

The first shortcut is a password manager. You can store all your passwords in one place. This makes remembering all your passwords much easier, but there is one challenge. The password manager is also protected by a password. If you’re utilizing a software like this, make sure that this password is especially complex, so that hackers aren’t even tempted, especially in the case of a brute force attack. If possible, turn on multi-factor authentication, especially on your password manager.

Multi-factor authentication

Many sites utilize multi-factor authentication. This extra layer of protection connects to your phone, email, or other authentication source, rather than relying solely on a password. We recommend enabling multi-factor authentication wherever possible. Only caveat here is make sure your secondary authentication source is equally secured with a strong password. No sense in double protecting yourself with a wide-open source.

Random Password Generators

These sites come up with secure passwords for you, but are typically a random jumble of letters, number, and symbols that are darn near impossible to memorize. If you’ve got a strong memory, this might be a good starting point, but if you’re like most of us this may be more challenging than it’s worth.

How to craft the best password

Use a “Password Phrase” in place of random letters, numbers and symbols. Create something that’s easy for YOU to remember, but has no meaning to anyone else. For example I<3Fh@ck3rs43v3r!. Breaking this down, you get:

·       I –                  I

·       <3 –               Love

·       F –                 fooling

·       h@ck3rs -    hackers

·       43v3r -         forever

Easy for you to remember because you understand the phrase, but difficult for a hacker to decipher because it’s not real words. There’s no time like the present to get started and change your easy-to-hack passwords to something safer, because it’s always better to be safe than sorry.

Work at creating passwords that will be difficult to hack. Make sure to change them regularly. Never write them down, (especially on a Post-it Note stuck to your computer!). But most of all, make passwords an important part of your life. Don’t consider them a nuisance or a thorn in your side. Make a game out of creating passwords. Challenge yourself to be more creative each time you create one. Beat the hackers at their own game by making your password too time intensive to try and crack, and you’ll reduce your chance of your information showing up on the dark web. Worried about your information already being available due to past weak password use? Contact us. We’ll run a scan that reveals your vulnerabilities.  

What is the Dark Web and Why Should we Care?

What is the Dark Web and Why Should we Care?

You’re happily humming along on the Internet thinking you’ve got a pretty good understanding. You can navigate your way around Google, Facebook, Amazon, and news sites. You’re actually only visiting four percent of the Internet. There’s a whole world (96% of the Internet) hiding beyond these safe surface-level sites, known as the Dark Web. It’s a much less hospitable place.  

 

What exactly is the Dark Web?  

The Dark Web is a conglomeration of websites that cannot be found on search engines or accessed via traditional web browsers because their location and identity is hidden through encryption tools, like TOR. TOR was originally created to protect military communication but now has much broader utilization for both Dark Web purposes and for highly secure communication. You have to access Dark Web sites utilizing TOR, typically.  

 

People create sites on the Dark Web in order to hide where they’re operating from, as well as to remain anonymous (TOR hides all IP information, identifying information, as well as data transfers). Over half of the sites on the Dark Web are used for criminal activities.  

 

Why Do People Use the Dark Web?  

One of the most prevalent uses of the Dark Web is buying and selling illegal goods, such as recreational drugs, weapons, fake identities, and organs. The proliferation of cryptocurrency, like Bitcoin, has facilitated these sales. People living within totalitarian societies that restrict communication also take to the Dark Web to share their thoughts freely.  

 

The most dangerous use of the Dark Web for businesses is the exchange of credentials (usernames and passwords) and identities. An individual’s stolen credentials can typically be sold on the Dark Web for the low price of $1 to $8. Hackers utilize these purchased credentials to: 

  • Gain access to important financial information and steal identities (access to a Bank of America account holding $50,000 can be purchased for $500) 

  • Access accounts for further phishing attacks 

  • Threaten people with exposure of sensitive information (Remember the Ashley Madison hack from a few years back? Those credentials were dumped onto the Dark Web and hackers leveraged them to expose users). 

  • Compromise other accounts using the same passwords and perpetuate the sale of personal Information 

 

What can you do about it?  

The average citizen will never have a reason to access the Dark Web, but their credentials could easily be floating around, endangering their offline livelihoods. Once your credentials are released on the Dark Web, there is precious little you can do to have them removed. However, you should, at the very least, know when you’ve been compromised; so that you can immediately act, like changing passwords and activating two-factor authentication.  

We recommend utilizing a full Dark Web monitoring service that alerts you if credentials appear on the Dark Web.  These services constantly scan the Dark Web for your information and alert you whenever something suspicious appears. These alerts don’t necessarily mean a breach has occurred, but they are very good heads up that something bad may be coming. You can then create a plan of attack before any damage is done. Granted, there will be your fair share of false positives, but we firmly believe in operating in the better safe than sorry camp.

How should you get started with Dark Web monitoring?  

Our team can run a preliminary scan of your domain revealing the likely breaches in the last 36 months. We’ll then review that report with you and come up with a plan of action to alleviate any major dangers. Click here to request that scan.  

Compliance is a Team Project

Compliance is a Team Project

With all the rules and regulations surrounding the compliance alphabet soup in play today, it will take more than one person to bring your company in line. We’ve laid out the multiple roles needed to up your compliance game, especially when it comes to HIPAA, PCI, and GDPR.

IT Team

Your first line of defense against compliance failures is the technology in use and the team you have to maintain it. Consult with your IT team to discuss:

  • Email Encryption: How are emails and files that go in and out of your office protected to avoid nefarious hands and revealing identifying information?

  • Data Encryption: How do you collect and retain credit card information? Are there any gaps where that information could be stored or released in an identifiable way?

  • Firewall: Are you protecting your company data and communications using a screen door that is easily opened by hackers, or are you using a multi-level security system preventing intrusions?

  • Backups: How often, when and where is your precious company information backed up? Can you test your backups to prove that they’re effective? Is your current backup plan compliant with regards to customer data?

  • Data Availability and Storage: Who has access to your data? Only certain individuals in your company should be able to access all data, like financial records or payment information. How are you restricting access on your network or within line of business applications to ensure safety?

  • Physical Access: Who can actually access computer systems and servers? Do you train your staff to lock their systems every time they leave their desks? Are you using privacy filters on appropriate screens to avoid wandering eyes?

Internal Compliance Officer

While this may not need to be a full-time role within your organization, you should have a compliance champion on staff. Your IT company can absolutely set you up for success, but they are not around to police your staff every hour of the workday.  

The Compliance Officer is responsible for ensuring that your staff follows important compliance policies, maintains vigilance surrounding compliance, keeps documentation up to date, and works with authorities if necessary. Specifically, they:

  • Watch for employees falling into bad habits, like leaving computers unlocked or sending credit card data willy-nilly throughout the organization.

  • Conduct/coordinate online or in-person training to keep compliance top of mind. We recommend quarterly training, at least, in addition to proper education as soon as a new employee comes on board.

  • Maintain all the documentation required for compliance, like backup plans and communication standards.

  • Liaison with federal and state regulators, as necessary to prevent or mitigate an issue (with the support of your IT Team and legal team).   

All Employees

You can have the best technology, the most intense compliance officer, and still completely fail at successful compliance if your employees are not onboard. At the end of the day, it comes down to successful employee implementation and clear communication. In order to get employee buy-in, here is what we recommend:

  • Gather everyone together: When you first make tweaks to your company’s security protocols to ensure compliance, explain why to your team. If they suddenly all need to remember 16-character passwords, replace those passwords every 90 days and have 5-minute time outs on their systems; they’d appreciate learning it’s not because you’re paranoid.  You can utilize your IT Team to conduct this meeting.

  • Send regular reminders: It’s simple to fall into what’s “easier” rather than compliant. Consider sending a weekly or monthly compliance tip to all of your staff to keep it top of mind. 

  • Conduct ongoing trainings: These trainings should be mandatory, involve your IT team, and vary enough to stay interesting. Quarterly should be sufficient unless some regulation change calls for additional meetings.

  • Multi-departmental planning: Different teams have different uses for data. For example, what makes the salesperson tick may make it impossible for accounting to operate within compliance. When it comes to collecting information that must be compliant, every department must be involved in process development to create smooth operation within rules and regulations.

Compliance is not a one-man game. It involves the whole company and IT team engagement to really be successful. Next blog, we’ll cover the processes necessary to build a compliance-friendly environment.