With all our personal data scattered across the internet in the hands of third-party companies, and breaches happening more often than ever, it's a good idea to take some steps to minimise the risks. Here are some things we recommend. They may seem daunting at first, but once you start implementing them they will become second nature.
In case you weren't already aware of the risks online, check out this article here. You know that malicious hackers exist, but many people are not aware of the extent to which their data is being used, and how easily it can be accessed. Many people also subconsciously assume "it won't happen to me". Remember the countries that thought the same about Covid? It can happen to anyone, anywhere. We are all connected to each other whether you like it or not. Here are some habits you should adopt to minimise the risk of your data falling into the wrong hands, and why you should care if it does.
This article is divided into eight parts. First up is PASSWORDS, something we all have to use on a daily basis.
Passwords – how to choose a good one, and using 2FA
What you share – do they really need your real phone number?
Email accounts and phishing – divide your resources
Updates and patches – it does matter
Stop the “it won’t happen to me” mindset – take covid as an example
Browsing habits – cache and cookies
Mobile apps and securing your phone – good habits: RFID, NFC, bluetooth and wifi
Zero trust – and how to fix it
Whatever you do, do not use 123456, qwerty, your name, password, guest, admin, your birthday, or your dog's name as a password! It never ceases to amaze us security analysts how careless people are when choosing passwords. Mainly this is because people are not told how easy password cracking is. To understand the importance of good passwords, you need to understand how easily they can be broken. There are many ways to crack passwords, and you can read about them in more detail in our technical article about passwords, but here are 3 main reasons why you need to choose carefully:
Hackers use password cracking software that, against a fast hash of the kind many websites still use, can test billions of guesses per second on a single graphics card. For example, it takes roughly 0.03 milliseconds to brute force the password 'admin' and about 0.15 seconds to crack 'Password2020' against a fast, unsalted hash; the exact figures depend on the hardware and on how the site stores passwords (not that they would need to brute force it, since it's pretty easy to guess anyway!)
Hackers have vast collections of stolen password lists for dictionary attacks, which try known passwords before trying anything random. For example, the well known and easily available password list 'rockyou.txt' contains over 14 million unique real-world passwords, which hugely speeds up the guessing process. Some of the larger compilations traded on the dark web hold more than 1.5 billion passwords and accounts. Cycling through all of those takes a fair amount of computing power, as you can imagine, but hackers don't need the full lists. They narrow them down like this:
Hackers use anything they can find on you online, such as pictures with your dog's name posted on social media, your birthday, anniversary, your country's national day, any extra detail that may hint at something you might use as part of your password. They add these to a list of the most used passwords and apply 'rules' to it (append a year, capitalise the first letter, swap letters for lookalike symbols) to generate the likely combinations. This is known as a rule-based or hybrid attack. A related technique, the mask attack, brute-forces a pattern rather than every possible string: for example 'one capital letter, five lower-case letters, then two digits', which is how most people build a password that meets a 'complexity' policy. You can read more about these in our main passwords article.
what are good habits to adopt?
While no password is uncrackable if the adversary has enough computing power and time, there are some simple things you can do (and mostly not do!).
Think carefully before using a third-party password manager or letting your browser store your passwords. They are extremely convenient and the reputable ones are well engineered, but you are not in control of them: you are adding another party you have to trust, and a browser's saved passwords are only as safe as the browser account they sync to. (One thing they do not prevent is the 'salt' trick described below: store the written-down part in the manager and type the memorised part by hand.) To be fair, a reputable manager protected by a strong master password and 2FA is still far better than reusing passwords or keeping them in a spreadsheet. If you use one, use only one. Do not save passwords in Chrome AND Edge AND Firefox, AND a password manager, AND on your mobile phone. Pick one and keep them all there. Every extra copy is another place they can be stolen from, and fewer copies means a smaller attack surface.
Make your password as long as possible: never less than 12 characters, and 16 or more if allowed. Length matters far more than how many different kinds of character you use, for simple reasons of mathematics: each extra character multiplies the number of possible passwords by the size of the character set, while a bigger character set only increases that multiplier a little. A 16-character password made only of lower-case letters has about 75 bits' worth of possible combinations; an 8-character one using every symbol on the keyboard has only about 53. (You can read in more detail here about how passwords are cracked.)
Hard to remember usually means hard to crack, but length is still more important. Since hard to remember is not very practical in real life, we'll show you below a simple trick for making something that's only memorable to you.
Do not underestimate good old pen and paper! Store your passwords offline in a small dedicated notebook and keep it with your passport, or at least treat it with the same care. If you need some hard-to-remember passwords at work, keep a separate note of those and do not carry your personal ones around with you. If you do want a copy on your computer or device, make sure the file is encrypted and not obviously named.
Don't be lazy. Just because a website or service is less important to you (Netflix is less important than your bank, for example) does not mean you should give it a weaker password! Hackers attack the weak points first and work their way up: an account you don't care about can hold the email address, security answers or reused password that opens one you do.
Never, ever, ever reuse passwords! Ever. Not even twice. Just don't.
Don't rely on the passwords suggested by your browser or your Mac etc. They are random and strong, but you will never be able to remember them, so you depend entirely on the place that stores them: if that service goes down, gets hacked, or your computer dies and you have no backup, you're locked out.
Always, always change the default password that comes with anything! Many routers still ship with 'admin: admin' as the default (why? we honestly don't know, but it's still the case), and default credentials are the first thing an attacker tries.
Avoid creating accounts on sites that blatantly don't care about your security. If you stumble across a website that only allows lower case, upper case and numbers with no special characters, or caps passwords at 8 characters, ask yourself whether you really need to use that site. Websites like this frustrate security experts because they signal lazy development. Character restrictions are sometimes excused as a defence against injection attacks such as 'cross-site scripting' or SQL injection, but that is the wrong fix: a password should be hashed on the server and never echoed into a page or pasted into a database query, so the characters in it can never reach anything that would interpret them. A hard maximum of 8 characters is an even worse sign, as it usually means the password is being squeezed into a fixed-size database field, often in plain text or with an obsolete hashing scheme. Restricting characters and length weakens every user's password just because the developers couldn't be bothered to write a few more lines of code. Avoid such sites where possible (unfortunately many government and medical sites are still like this).
Never use a single word that would appear in a dictionary, even with a number or symbol tacked on the end. These are the first things tried in a 'dictionary attack'. (A string of several unrelated words is a different matter, as the examples further down show.)
Likewise, never include anything personal in a password, e.g. your favourite football team, dog's name or birth year. A hacker can easily find these with a Google search or a look at your social media.
Change your passwords from time to time. A lot of people recommend doing it every couple of months, but our experience is that this makes things less secure: forced frequent changes lead to 'password fatigue', where people recycle old passwords with a digit bumped, or simplify them, because they are fed up of changing them. (NIST, the US standards body, now advises against forcing routine periodic changes for exactly this reason, and says to change a password when there is evidence it has been compromised.) We recommend changing them twice a year, and if you haven't changed them in over a year, do so now. Whatever the schedule, change a password immediately if the service announces a breach. You can always check https://haveibeenpwned.com/ to see if your accounts have been in a data breach.
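To show the "length beats character set" arithmetic rather than just assert it, here is a small calculator. It is an added example written for this article, not something from the cracking tools mentioned above; the guess rates are assumptions chosen to be in the right order of magnitude for a single modern GPU against a fast hash (tens of billions per second) and against a deliberately slow hash such as bcrypt (tens of thousands per second).

```python
import math

# Guess rates in guesses per second. These are assumptions for illustration:
# a single modern GPU against a fast, unsalted hash such as NTLM or MD5 sits
# in the tens of billions; a deliberately slow hash such as bcrypt or Argon2
# brings that down to tens of thousands.
FAST_HASH_GPS = 50_000_000_000
SLOW_HASH_GPS = 50_000

ALPHABETS = {
    "digits only": 10,
    "lower-case letters": 26,
    "upper + lower case": 52,
    "letters + digits": 62,
    "every printable ASCII symbol": 95,
}


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of possible passwords: length * log2(alphabet).

    Length multiplies the exponent, which is why it dominates the result.
    """
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password in a key space of 2**bits."""
    return 2 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Round a duration into the largest sensible unit for display."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3g} seconds"


def crack_time_table(candidates, guesses_per_second=FAST_HASH_GPS):
    """Return [(label, bits, seconds)] for (label, length, alphabet_size) tuples."""
    rows = []
    for label, length, alphabet_size in candidates:
        bits = keyspace_bits(length, alphabet_size)
        rows.append((label, bits, seconds_to_exhaust(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    policies = [
        ("5 lower-case letters", 5, ALPHABETS["lower-case letters"]),
        ("8 chars, every symbol (typical 'complex' policy)", 8, ALPHABETS["every printable ASCII symbol"]),
        ("12 chars, letters + digits", 12, ALPHABETS["letters + digits"]),
        ("16 lower-case letters, no symbols at all", 16, ALPHABETS["lower-case letters"]),
        ("28 chars, every symbol (the salted example)", 28, ALPHABETS["every printable ASCII symbol"]),
    ]
    for rate, name in ((FAST_HASH_GPS, "fast hash"), (SLOW_HASH_GPS, "slow hash")):
        for label, bits, secs in crack_time_table(policies, rate):
            print(f"{label:52s} {bits:6.1f} bits  {human_time(secs):>22s} ({name})")
```

Run it and the two rows to compare are the 8-character "complex" policy (about 53 bits) against 16 plain lower-case letters (about 75 bits): the second is roughly four million times larger a search, with no symbols at all. The slow-hash column also shows why it matters how the website stores your password, which you can't control, so length is the lever you do have.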
how to create strong passwords
So, now you know you need a password that’s very long, doesn’t contain words, is easy enough to remember yet hard enough to guess, and only stored offline or in one place. So how do you make one that’s actually practical?
Let's look at some examples. Remember, if your password has fewer than 8 characters, it can be cracked in minutes (or seconds). Length, and a secret part that is never written down (what we call a 'salt' below), are the two biggest things you can do to make your passwords more secure.
You want a nice easy password, so you do this:
The length is OK at 14 characters, but it contains a dictionary word and no special characters, so it's pretty useless. We could try this:
It now has special characters, which is an improvement, but it can still be guessed: crackers know that people substitute common lookalikes, such as 'a' with @ and 'e' with 3, and their tools apply exactly those substitutions automatically to every word in the list.
So let’s continue:
Already it's more secure, at 16 characters, but still not impossible to guess. So what about this:
At 20 characters this is pretty secure, but it could still be better. How? Add what we call a 'salt': an additional part of the password that is never written down and never stored with the rest. (Strictly speaking, in cryptography a salt is a random value stored openly next to a hashed password; a secret part that lives only in your head is closer to what's called a 'pepper'. The idea here is the same either way: the written-down part on its own is not enough.) This is the most secure way you can do it, since even if someone steals your notebook, or hacks your computer and sees your passwords, they can't use them because a piece is missing, and at this length it becomes far too computationally expensive to brute force or guess the rest (we're talking thousands of years for a computer to 'brute force' it).
But we want that salt to be easy to remember, since you'll never write it down anywhere, ever. The advantage is that you can add it to all your passwords (making them easier to remember anyway) without having to worry too much. One caveat: because the same secret part is shared, if one complete password is ever captured in the clear (phished, typed into a fake site, or stored in plain text by a careless website), the attacker has learned your salt as well, so change it everywhere the moment you suspect that has happened.
Perhaps something funny, like:
So the password is now:
At 28 characters long, with lots of letters, numbers, upper and lower case and special characters, this would put off even a determined hacker. You can always take it further, of course. It's still fairly easy to remember, and is good enough for most purposes.
Another good way to create a long password is to come up with random (ish) phrases that only have meaning to you, such as:
and then add your salt of course:
You will find it a bit tricky to remember at first, and you might end up having to reset passwords a few times (we all do) until you get used to thinking in this way. But once you've done it for a week or two it will become second nature, and creating long, complex passwords becomes easy. It's much better to have to reset a password because it's too difficult than to have someone else access your data! We also recommend changing passwords twice a year anyway.
If you want to check whether your email address (and therefore probably also a password) has been in a data breach, go to https://haveibeenpwned.com/ (at the time of writing it lists over 10 billion breached accounts, so there's a good chance you're on there). If so, change the affected passwords immediately, and any others that were the same. You should also probably stop using that email address, but you can read more about that in our emails post here.
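To see why the lookalike substitutions in the examples above don't help, and how the "rules" attack described in the first section actually works, here is a miniature rule-based cracker. It is an added example written for this article, not the code of any real cracking tool and not something from the original page; the word list, the "personal" details and the target passwords are all made up for the demonstration. Real tools (hashcat, John the Ripper) do the same expansion from rule files against lists like rockyou.txt, only millions of times faster.

```python
import hashlib
import itertools

# Constructed inputs for the demonstration (not real data): a few of the most
# common base words, and the sort of "personal" details an attacker scrapes
# from social media. In a real attack the base list would be rockyou.txt.
COMMON_WORDS = ["password", "welcome", "letmein", "summer", "football"]
PERSONAL_HINTS = ["rex", "manchester", "1987"]    # dog's name, team, birth year (made up)
YEARS = [str(y) for y in range(2015, 2026)]
SUFFIXES = ["", "!", "1", "123"] + YEARS

# The lookalike substitutions people think make a password clever.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet_variants(word):
    """Yield the word with every subset of the lookalike substitutions applied,
    so 'password' produces 'password', 'p@ssword', 'passw0rd', 'p@ssw0rd', ..."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def candidates(words, hints):
    """Rule-based expansion in the style of a hashcat/John rule file:
    (word | hint | word+hint | hint+hint) x (lower | Capitalised | UPPER) x leet x suffix."""
    seen = set()
    bases = (list(words) + list(hints)
             + [w + h for w in words for h in hints]
             + [a + b for a in hints for b in hints if a != b])
    for base in bases:
        for cased in (base, base.capitalize(), base.upper()):
            for variant in leet_variants(cased):
                for suffix in SUFFIXES:
                    cand = variant + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def sha256_hex(password: str) -> str:
    """Hash as a careless site might store it: plain SHA-256, no salt, no stretching."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, words=COMMON_WORDS, hints=PERSONAL_HINTS):
    """Try every generated candidate against the stolen hash.
    Returns (password, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for cand in candidates(words, hints):
        tried += 1
        if sha256_hex(cand) == target_hash:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    # Pretend these hashes leaked from a site that used unsalted SHA-256.
    for pw in ["P@ssw0rd2020", "Rex1987!", "F00tball2023", "correct horse battery staple"]:
        found, tried = crack(sha256_hex(pw))
        print(f"{pw!r:35s} -> {found!r} after {tried} guesses")
```

'P@ssw0rd2020' falls after a few hundred guesses, and a password built from the dog's name and a birth year after a few thousand, even though both "have special characters". The passphrase made of unrelated words is never generated at all, which is the point of the examples above: what protects you is not the @ sign but the fact that your password is not a word-plus-rule an attacker would think to try.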
Other steps you can take:
• If you have the option, always add 2FA (two-factor authentication), ideally with an authenticator app such as Authy or Google Authenticator, or a hardware security key if the site supports one. Text message (SMS) is the weakest form of 2FA: the codes travel over the mobile network, and an attacker who takes over your phone number with a 'SIM swap' at your carrier, or who can abuse the SS7 signalling network that carriers use between themselves, can receive them instead of you. It is still better than no second factor at all, though. If SMS is the only option, turn it on: it stops an attacker who has only your password. Just be aware that it does not stop one who also controls your phone number, and move to an app the moment the site offers it.
• Always turn on fingerprint or face unlock inside apps on your phone if you have the option. It makes things much harder for a hacker, who would need your fingerprint as well (not impossible: researchers have fooled phone fingerprint sensors, including Touch ID, with a fake finger made from a photograph of a print, but it certainly lowers the chances). The biometric only unlocks the app on your own device; it does not replace the password, which still needs to be strong.
• Always lock the screen of your phone (especially) and of your laptops and computers, even in a trusted place, and definitely while at work. You don't know who's snooping (maybe that office cleaner also has a night-time hobby...)
We hope you take this advice seriously, and use it to make your life more secure! It may seem like extra effort, but once it becomes habit you'll quickly get used to it.
If not, carry on using ‘admin’ and we’ll just thank you for keeping us security experts in business!
Next Article in this series:
Part 2: Email and phishing - divide your resources