We will discuss how sharing certain pieces of information can lead to breaches using passwords and other online credentials.
Previously we discussed the risks associated with the different types of phishing attacks and how to look out for them. In this issue, we look at some of the other personal cybersecurity considerations.
To begin, we start with the assumption that your email address is on a company website or is likely to be a combination of your name:
This allows an attacker to try such a combination and then attempt to guess the password to log into any accounts you may have, which could lead to further damage, data theft or cyber exploitation.
So how do you protect yourself against password attacks?
We all know we shouldn’t re-use passwords, and the use of previously compromised credentials is another common attack method. Typically, people are very predictable and tend to start passwords with a capital letter, then finish with a number and a special character; Password1! is a common example.
However, remembering lots of passwords is hard and you can make your life easier by using ‘password managers’.
Password managers can be found as applications for mobile devices (which also have the benefit of being locked with biometrics such as fingerprints and facial recognition) or those built into web browsers. Dedicated password managers allow you to copy your passwords out when needed. The key with password managers is to use a strong unique password to protect them. Most also have useful features such as generating strong random passwords.
Combining a password manager with multi-factor authentication (MFA), such as an authenticator app, further increases security if your password is breached and can alert you that your credentials have been compromised. MFA requires an extra step for attackers to access your accounts. It can be implemented in a variety of ways, such as through an authenticator app on a digital device, an email to a secondary email account, an SMS message or even a physical token.
How do you create a strong password?
The National Cyber Security Centre recommends 3 random words, such as Pioneer Mouse Lamp. It is important that the words are random; the way to remember them is to create a little story: the Pioneer and his Mouse took a Lamp on a walk. It is a hard password to guess but easy to remember. If you wanted to be even more secure, you could make the password stronger still by adding special characters and additional numbers: %3Pioneer%7Mouse%9Lamp%.
Just don’t add the extra characters all at the end!
Social Media and cybersecurity
Staying safe on social media is nothing new, but it is surprising how often we share personal information without thinking of the consequences, especially when that information turns out to be the basis of passwords. It can also be used in phishing attempts.
A method we use in our cyber testing services is to scrape information from social media pages and then use it in targeted spear-phishing (targeted personal emails). This makes the email personal to you, so you are more likely to click on a malicious link.
Rather than the password method mentioned above, people typically use information such as family names, dates and locations. Consider the following examples and ask yourself whether you use these pieces of memorable information and whether you have shared them anywhere on social media.
- A birthday picture, often with a family member’s age and name
- An anniversary picture giving your partner’s name and the date (or letting the date be worked out backwards, e.g. a 40th wedding anniversary)
- Telling people you are on holiday and at your favourite restaurant (which also reveals that your house may be unoccupied)
- Social media quizzes, such as those that use your mother’s maiden name and the name of your first pet as your “spirit name” (maiden name and pet names were traditional memorable questions for account resets)
Finally, are your personal accounts open or restricted? On an open profile, all the information above may be visible to everyone.
Being aware of what we post, where we post it and who can see it reduces the information that can be used both in generating password lists and in crafting believable phishing campaigns. Take a moment to consider whether you want this information to be public and whether it is used in your passwords. Simple changes can have a large impact on your cyber security.
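As an added illustration (not code from the original article) of the two points above, the predictable Password1! shape and the reuse of posted personal details, the following Python check flags a candidate password against a constructed breached-password list, the capital-word-digits-symbol pattern and a constructed set of details a user has posted, and generates a three-random-words password in the %3Pioneer%7Mouse%9Lamp% form. The COMPROMISED set, the WORDS list and the posted profile are made-up sample data.

```python
import re
import secrets

# Constructed stand-in for a breached-password list (a real check would query
# a corpus such as Have I Been Pwned's Pwned Passwords).
COMPROMISED = {"password", "password1!", "qwerty123", "letmein1!"}

# Capitalised word, then digits, then symbols only at the very end: Password1!
PREDICTABLE_SHAPE = re.compile(r"^[A-Z][a-z]+[0-9]+[^A-Za-z0-9]+$")

# Constructed mini wordlist; a real generator needs several thousand words.
WORDS = ["pioneer", "mouse", "lamp", "orbit", "kettle", "velvet",
         "glacier", "anchor", "saffron", "ladder"]

def personal_tokens(profile):
    """Lower-case fragments (names, years) of details posted publicly,
    e.g. a pet's name or the year of a wedding anniversary."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[\s/.\-]+", str(value)):
            if len(part) >= 3:  # skip tiny fragments such as "14"
                tokens.add(part.lower())
    return tokens

def check_password(password, profile):
    """Return the weaknesses found in a candidate password; [] means none."""
    problems = []
    lowered = password.lower()
    if lowered in COMPROMISED:
        problems.append("previously compromised")
    if PREDICTABLE_SHAPE.match(password):
        problems.append("predictable shape: word, digits, symbol at the end")
    for tok in sorted(personal_tokens(profile)):
        if tok in lowered:
            problems.append(f"contains personal detail '{tok}'")
    return problems

def three_random_words(words=WORDS, n=3):
    """NCSC-style three random words, with a symbol and digit placed before
    each word rather than all at the end: the %3Pioneer%7Mouse%9Lamp% form."""
    parts = [f"%{secrets.randbelow(10)}{secrets.choice(words).capitalize()}"
             for _ in range(n)]
    return "".join(parts) + "%"

if __name__ == "__main__":
    posted = {"pet": "Rover", "partner": "Sam", "anniversary": "14/06/2019"}
    for candidate in ("Password1!", "Rover2019!", three_random_words()):
        print(candidate, check_password(candidate, posted) or "OK")
```

A registration or password-change form would run a check like this server-side, rejecting any candidate for which the list is non-empty.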
If you would like to discuss further how we can help with your cyber security, please get in touch. One of our specialists would be delighted to help and will be in touch shortly.