Other issues in this category (75)
Total recall: How not to lose a strong password
Wednesday, May 26, 2021
Users usually need to create a login and password to register an account. Inexperienced users use standard credentials that go unchanged for decades, or even worse, they use the same data for different sites. Such an approach reduces one’s information security. If an attacker gains access to your email address, and its password is the same one that you use for all your other accounts, and you’ve never enabled two-factor authentication, you can say good-bye to your profiles on social networks. In this Anti-virus Times issue, we’ll discuss where and how to safely store all your passwords.
To help prevent hacking, make it a practice to use strong passwords. Combinations like qwerty and 1234 are too popular, so they become an open door for a thief. Alternately, you can use a long meaningful phrase as a password. Such a combination is easy to remember but difficult to crack.
Even if a code word is sufficiently complicated, don’t forget that there is the risk of entering it on a fake page. The next time you order a delivery or sign in to your favourite social media account, look at the domain of the site where you are entering your data. For example, instead of the usual drweb.com, there may be drwebbcom.com. This is a fictional example of a phishing site that attackers can use to steal personal data. Anyone who uses their actual login and password on such a site is falling for a fraudster’s tricks. But worst of all is when people enter the same password for multiple services. In this case, the user must change their passwords for all their accounts, which could be compromised after such a leak, and not forget to enable two-factor authentication. Remember that weak passwords are like bait for attackers, and that means you’ll soon have to say good-bye to your vulnerable account.
Create different passwords for commonly used services. However, if your memory accumulates over a dozen unique code words, it becomes much more difficult to remember new ones. And a logical question arises: where should I store them? One simple but insecure method is to create a text file called "Passwords 2021" and keep it so it’s visible on your desktop. This is a bad option: an open folder or a file that’s not protected with a password is an unreliable way to store important information. Another bad idea is to write down your key on a sticker and stick it on your monitor. Then, anyone who wants to will immediately get the needed data. In addition, you should not keep your personal information in unencrypted notes on your mobile device—you risk having your personal information stolen by malicious apps. If an infected smartphone stores photos, documents, user names, and passwords in plain text, you can be sure that attackers will want to use this data.
Perhaps, the most secure solution is password managers. These are programs that store passwords for sites, systems and programs. However, this method is also vulnerable. Password managers solve a number of cybersecurity issues but potentially create a new one—the need to ensure the confidentiality of the master password that opens access to the manager itself. In addition, the created or generated code word should be changed from time to time to reduce the chances of it being cracked.
Password managers are not a panacea for yet one more reason. In April, attackers distributed a special malware update for Passwordstate (a local solution for managing a company's passwords), and as a result, all users of the program were at risk of having their accounts stolen. After news of the hacking appeared, the developers began to restore lost accounts by emailing instructions, and cybercriminals took advantage of that—they sent the same emails but with the recommendation to install a "modified patch file" that was actually a malicious update.
The Anti-virus Times recommends
- Do not use the same passwords. A separate code word should be created for each service you access.
- Create strong passwords. Remember: if you were born on 03.12.1985 and your name is John Smith, the password should never be anything like 12031985john, johnsmith or 12john03.
- Do not store logins, passwords, scans of important documents, etc., in plain text. The desktop, an unencrypted folder, and a text file are the worst places to store sensitive information.
- If you are using a password manager, you should remember its code word, and do not forget to change it every 2-3 months. That way you can be sure that your data won’t get hacked.
- Try not to use an online password generator—their principle of operation is usually not transparent. For example, they can save all generated data or create non-cryptographically strong passwords.
- Use two-factor authentication. Additional confirmation by phone or within an application will help protect valuable data from intruders.
- Cybercriminals have an arsenal full of tricks, so you should be vigilant: don’t follow links from messengers sent by unknown senders, check a site's domain before entering your personal data, and don't fall for scammers' tricks.