Saturday, June 4, 2016

Reusing Passwords Will Kill Your Business

Do you reuse passwords? If so, it's just a matter of time before the bad guys break into your network, your laptop, your bank account, and your business.

Since computers were invented, we have had to balance use-ability with security. And business owners have always hated passwords. I can't tell you how many times I've been told that I should make a password easy to remember.

I'm sorry to tell you: Those days are long gone.

There are now literally millions of bad guys hacking and cracking into everything they can find. People with poor security habits have all kinds of juicy information on their computers (Social Security numbers, birthdays, credit card numbers, and of course password lists!).

Some of this information is used to break into accounts. Some is used to open new credit card accounts or redirect your tax return to a new address. Lots of it is sold in bulk to organized crime syndicates in other countries. And then the aggregated data is sold again and again to bad guys who want to generate fake profiles, credit cards, and more.

As you read about break-ins at large companies like Target, just remember that there are thousands of breaches that never make the news for every single breach that does. Most are never reported because it's not required. In fact, most are not reported even if it is required because there's no real enforcement.

Here are the most obvious things you can do:

1) Have good passwords. 
That means they are long(ish) and complex. Complex means the standard stuff you hear about all the time: upper and lowercase letters, numbers, symbols, and at least 8-12 characters.

2) Never use a password that exists on any list anywhere. 
For example, if you use a single word that is found in a dictionary, it takes only a few milliseconds for a computer to guess your password, because the computer has its own "dictionary" that includes all the words in all dictionaries for all languages. It also includes every list of passwords it has ever come across.

3) Change your passwords from time to time!
You don't necessarily have to change your password every 30 days, although it doesn't hurt. But you should change all your important passwords (bank, payroll, work) at least once every three months.

And here's one more thing that most people don't think about:

4) Don't reuse passwords. 

Consider this: You probably have passwords on dozens if not hundreds of websites. I use a password manager that stores about 800 of my passwords. With that many accounts out there, it's almost guaranteed that one of those accounts will get hacked this year. So my username and password combination will then be out in the wild for the bad guys to buy.

Why is that valuable? Well . . . If I reuse passwords (as most people do), then that username/password combination is guaranteed to work somewhere else. So now the bad guys not only have lists of all the passwords out in the wild, they also have some known-good combinations.

Social media accounts are always under attack. Most recently, MySpace and Tumblr were hacked. If you have one of those accounts and use the same password for Facebook, LinkedIn, etc. then the bad guys have those passwords as well.


The bottom line: Some account you have somewhere will be hacked. With luck, it will be an unimportant account. And if you don't have the same password everywhere, then the damage will be isolated to that one account. But if you reuse one password all over the place, then the chances that other accounts will be hacked go up significantly.
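Here is an added illustration of points 1 through 4 as a policy check (my example, not code from the original post): it enforces length and complexity, rejects anything built from a common word even after the usual "Summer2016" and "pa$$w0rd" disguises, and flags a password that is already in use on another account. The blocklist is a constructed excerpt of the list at the end of this post, and the set of existing-password digests is assumed to come from your password manager.

```python
import hashlib
import re

# Constructed excerpt of the post's list of most popular passwords; a real
# deployment would load the full list (or a breach corpus) from a file.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "trustno1", "dragon",
    "baseball", "football", "monkey", "abc123", "master", "summer",
}
# Bare season words are blocked too, so summer2016 / Winter2016 fail.
BLOCKLIST = COMMON_PASSWORDS | {"spring", "summer", "autumn", "fall", "winter"}
# Leet substitutions that cracking rule sets undo first: pa$$w0rd -> password.
LEET = str.maketrans("$@01345", "saoieas")
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it was built from, if any:
    lower-case it, drop a trailing year/number, then undo leet spelling."""
    base = re.sub(r"[\d!?.]+$", "", password.lower())
    return base.translate(LEET)


def digest(password: str) -> str:
    """Hex SHA-256 used only for the reuse comparison (assumed to be how the
    user's other passwords are handed in by the password manager)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password: str, existing_hashes=frozenset()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if sum(1 for c in CLASSES if re.search(c, password)) < 3:
        problems.append("fewer than 3 character classes")
    hit = next((w for w in (password.lower(), normalize(password))
                if w in BLOCKLIST), None)
    if hit is not None:
        problems.append(f"based on the common word {hit!r}")
    if digest(password) in existing_hashes:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2016", "pa$$w0rd", "trustno1", "Correct-Horse-Battery-7"):
        print(pw, "->", check_password(pw) or "ok")
```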


Action Steps:

- Contact your I.T. consultant and find out what they recommend for password policies and password management.

- Change your most important passwords right now - and make them all different!


Additional Resources

Here is a Google search for Password Managers. I use an offline password manager so that it's not hosted somewhere and the focus of targeted attacks.

Here is a password testing tool. Set the year to 2020 and see how quickly your passwords can be cracked.

Just remember: Even if this password can't be cracked in a million years, a list of passwords that includes this one might not be as secure!

Finally, here are the 100 most popular passwords in the last year, in alphabetical order. You can be guaranteed that these will be cracked in less than one second.

1111
1234
2000
6969
12345
111111
121212
123123
123456
654321
666666
696969
1234567
12345678
123456789
abc123
access
amanda
andrew
asdfgh
ashley
asshole
austin
baseball
batman
bigdog
biteme
buster
charlie
cheese
chelsea
computer
corvette
cowboy
dallas
daniel
diamond
dragon
football
freedom
fuck
fucker
fuckme
fuckyou
george
ginger
golfer
hammer
harley
heather
hello
hockey
hunter
jennifer
jessica
jordan
joshua
killer
letmein
love
maggie
martin
master
matthew
merlin
michael
michelle
monkey
mustang
nicole
orange
pass
password
patrick
pepper
princess
pussy
qwerty
ranger
richard
robert
secret
sexy
shadow
silver
soccer
sparky
starwars
summer
sunshine
superman
taylor
test
thomas
thunder
tigger
trustno1
william
yankees
yellow

Source: http://www.passwordrandom.com/most-popular-passwords

Let's be safe out there!

:-)

2 comments:

  1. Great post. I have no issue with hosted password managers like LastPass. The password databases are encrypted using AES256 and keys are stored locally, not on the host. So even if someone gets past their security and steals the database, good luck brute forcing it.

  2. Season and year are in all my dictionaries. summer2016 Summer2016 SUMMER2016 winter, spring.. etc etc... Also, pa$$w0rd, passw0rd, pa$$word and many other variants. You would be shocked at the successes I get as a security analyst with those. Passwords with no complexity but are greater than 15 characters will burn my time and I will move on. That's a good thing. Add complexity and I would need a multimillion dollar super computer to brute force it. I don't have one and I don't have 90 thousand years for my MacBook to do it.
