When and Why You Should Consider Changing Your Passwords
Last week I got an email from a friend saying “I almost forgot to send you this picture.”
However, before I clicked on the file, I checked the address. The name was my friend’s, but the address came from another continent. It turns out my friend actually was aware his email had been hacked, and had already changed it. But he could not stop his address book from being used to trick others.
All-in-all, it was a reminder that for all the benefits we get from it, the Internet is a “Wild West,” including more than a few bad guys.
WHEN ACCOUNTS GET HACKED
Much more seriously, this past year has seen several major companies hacked so badly that they effectively had to shut down their local area networks (LANs) for a week or more. As this is being written, another hack has taken down several network programs for as much as a week.
We will not name them here; that is not useful, other than to say that everyone agrees prevention is much better than the cure.
Passwords are not the only issue – careless opening of email or of potentially dangerous websites can expose a facility to major problems. But passwords are where many problems start.
FIRST LINE OF DEFENCE
We have talked about this before, but perhaps it is a good idea to reinforce the message: Unless you are the only one who can access your computer/tablet/etc., yes, you should periodically change your passwords – and carefully.
There are some good reasons for this policy, and we will discuss a couple of them. The goal is to keep things secure without making everything so burdensome that staff will seek – and use – workarounds that end up making things worse.
What no one really wants to see is the forest of post-it notes with password strings written down to access the different accounts. Likewise, IT departments that make it almost impossible to download anything from the Internet can end up causing tremendous wastes of time and energy – and again, the tendency for staff to develop workarounds.
WIDE RANGE OF SOLUTIONS
As you might expect, you may not find the “one” solution that best fits your situation in this article. That is not really our goal.
What we want to do is encourage everyone – from the part-time weekend operator to the IT manager – to think about their security and realize their part in the process of keeping things secure.
How often passwords should be changed, and how complex they should be, is often a balance. But the part that really smarts is that, with all your precautions, actions by an unknown someone far away can expose your best-arranged password without you knowing it.
Personally, I always felt a good password was fine for a long time.
“Wannabuyaduck?” is not, and has never been, my password for anything. Nor has “There’s approx 1510 rocks in my head.” For a long time, a combination of words, numbers, and abbreviations fairly well secured your account, unless you gave your password to someone.
Similarly, using a password manager that generates passwords like 8e74T*55ck23hut! was considered a good practice that you do not even have to remember, so long as you have the master password.
That is no longer true.
HASHING IT OUT
Here is why.
Almost every system, user account, email address, etc. makes an effort not to keep passwords visible, even to IT personnel. The key is using an encryption program to create what is called a hash file. The program takes passwords and turns them into unrecognizable strings.
So far, so good.
But, while you are cautious, even creative in your password, far too many others are not. You have likely read how “password” and “12345678” are among the most common passwords used around the world.
And therein lies the danger.
HACKING THE PASSWORDS
In a two-step approach, bad guys may already have access to your password.
Step One: using the dictionary approach, and starting with “password” and “12345678,” bots are constantly trying to break into accounts by brute force, day and night. Once they find a “match,” they can quickly do anything from spoofing that person’s email address and sending trojan horse links to their friends, to different types of identity theft where they take over credit cards or tax refunds or, worse, empty bank accounts.
Then, Step Two is the one which puts you in danger.
WHAT DO YOU MEAN ME?
Recall the phrase “hash file.”
The really bad guys try to dig deeper into the server where the account is and try to breach its security in order to locate the hash file. Big deal? Is it not all encrypted?
Suppose you do have a strong password. Lots of letters and numbers and symbols. Yet someone else – someone with no relationship to you other than being a user of a web site you have signed onto – can cause your credentials to be compromised.
Here is how: Using the password they just “stole” or “matched,” the bad guys have ways to reverse engineer things. Perhaps you have read where this company or that was hacked and 75 million user accounts were possibly “taken.”
Now, let us say that John (email@example.com) has an account at the Acme Parts Company, a place you shop. John has used “password” as his password. Dumb, right? No, dangerous. A hacker who breaks into the Acme Parts server can take records of thousands of accounts and passwords in an instant. And here is the really frightening part: even though the passwords are encrypted, as soon as they locate John’s account, you are potentially compromised, too!
What happens is that John’s password may be encrypted to something like “K8*tg34S.” But the hacker knows it is really “password.” So the bad guys simply run a series of various decryption programs until they turn K8*tg34S back into “password.” Now they can do the same to you, decrypting your password with the same algorithm.
That means they can find your password – even if you personally took every caution to heart. And … then they try any place you might have an account, hoping you use the same password, so they can break in there.
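To make the Acme Parts scenario concrete, here is an added example (not from the article) with a constructed user table: when a site stores plain, unsalted hashes, anyone who learns one user’s password can spot every other account with that same password just by comparing digests, with no reversal step at all. The second half shows the defender’s fix, a per-user random salt plus a slow key-derivation function, which makes two users with the same password produce unrelated records. The addresses, digests and function names are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed "Acme Parts" breach dump (not real data). The site stored
# unsalted SHA-256 digests, as in the article's scenario.
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

ACME_DUMP = {
    "john@example.com": unsalted_hash("password"),
    "pat@example.com": unsalted_hash("password"),        # same weak choice as John
    "you@example.com": unsalted_hash("Wannabuyaduck?"),  # the article's joke password
}

def accounts_sharing(dump: dict, known_plaintext: str) -> list:
    """Accounts whose stored digest equals the digest of an already-known password.

    With unsalted hashing nothing is 'decrypted': identical inputs always give
    identical digests, so one careless user exposes everyone who chose the same password.
    """
    target = unsalted_hash(known_plaintext)
    return sorted(user for user, h in dump.items() if hmac.compare_digest(h, target))

# Defender's fix: random per-user salt and a deliberately slow KDF (PBKDF2-HMAC-SHA256).
def store_salted(password: str, iterations: int = 600_000) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, record: str) -> bool:
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print(accounts_sharing(ACME_DUMP, "password"))  # John and Pat, but not you
    a, b = store_salted("password"), store_salted("password")
    print(a != b, verify_salted("password", a))      # records differ, yet both verify
```

Note that the strong password is untouched by the comparison; what puts an account at risk is choosing the same password as a careless user, or reusing one password across sites.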
IS THERE ANY WAY TO PROTECT PASSWORDS?
Fortunately, there are some defenses you can put into action.
As many have suggested, VPNs are a way to keep others from “listening” to your WiFi and grabbing credentials. Others suggest – even mandate – Two-Factor Authentication (2FA), where a code is sent to your smart phone. While hacks of 2FA have occasionally been reported, by and large 2FA goes a long way toward keeping you secure. It may be a pain, but 2FA is the answer for many users.
But since not all systems use 2FA, there is another step you should regularly be doing: check to see if your password (or phrase) has been compromised. This is especially true if you use the same password on multiple accounts.
ARE YOU PWNED?
The word “pwned” seems to have come from a misspelled “owned” and refers to when someone has gained control of another’s account.
In practical terms, it means checking whether your email address has been found in one or more data breaches.
A good, safe place to check is haveibeenpwned.com (HIBP). Entering your email address (or smart phone number) will result in either a list of places where your information has potentially been grabbed, or the pleasant note that it was not found – at least as of today. The site will also display a list of recently acknowledged breaches. Plus, you can subscribe to notifications if your email turns up in a data breach.
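HIBP also lets you check a password itself without revealing it, through its Pwned Passwords “range” lookup: only the first five hex characters of the password’s SHA-1 are sent, the service returns every breached suffix under that prefix, and the match is made locally. The example below is added here (it is not code from the article or from HIBP) and runs offline against a constructed stand-in for the range data; the breach counts are made up, and the `online_range` function shows the real endpoint but is not called.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the breach corpus: a few passwords with made-up counts.
_CONSTRUCTED_BREACHED = {"password": 9_000_000, "12345678": 3_000_000, "letmein": 250_000}

def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()

def offline_range(prefix: str) -> str:
    """Return 'SUFFIX:COUNT' lines for one 5-hex-char prefix, shaped like the API body."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = _sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def online_range(prefix: str) -> str:
    """Live query against the real HIBP endpoint (not used by the offline demo).
    Only the 5-character prefix ever leaves your machine."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url) as resp:
        return resp.read().decode()

def pwned_count(password: str, range_lookup: Callable[[str], str] = offline_range) -> int:
    """Times the password appears in the corpus (0 = not found).

    k-anonymity: query by the first 5 hex chars of SHA-1, then compare the
    remaining 35 chars locally against every suffix the service returns.
    """
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        got_suffix, _, count = line.strip().partition(":")
        if got_suffix == suffix:
            return int(count or 0)
    return 0

if __name__ == "__main__":
    for candidate in ("password", "Wannabuyaduck?"):
        print(candidate, "->", pwned_count(candidate))
```

A non-zero count means the password has appeared in a known breach and should not be used anywhere, whatever its apparent strength.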
Additionally, the main browsers, Chrome, Firefox, and Edge now have built-in monitors, which can be set to alert you when a password is compromised – if you use their password storage systems.
If you learn that your email address has been grabbed, now would be the time to check for any evidence your accounts have been accessed.
If you find such evidence, consider changing your password there, or on any site that uses it. It would be good to avoid reusing that password in the future.
Do you need to change your username? That is a consideration, but could be a major one, if you use your email address, for example, on dozens of sites. The main thing is to ensure your password is no longer a hash file match on any site.
KEEPING EVERYTHING UP AND RUNNING
Just like a maintenance visit to the transmitter, it is important to ensure your various accounts are secure.
IT managers and their departments would do well to help staff avoid not only those post-its and common passwords but really anything that could be in a dictionary attack. It has been recommended to use a passphrase, perhaps with a slight change, an abbreviation, or a non-letter character. (Probably not anything related to buying a duck, though. Nor “resistance is futile.” It should be something familiar to you, personally, but changed a bit. Maybe “resistance is Ohm-like” would be a good modification…)
We hope you never get hacked. However, it is better for you to know the potential before emails start being sent to everyone in your address book directing them to a bad link disguised as a picture or query from the IRS, for example.
What is the phrase we are looking for? Work Smart, Be Safe!