Secure passwords are the backbone of internet security, yet almost everyone is guilty of using the same password over and over: for email, Facebook, LinkedIn, the lot. But why should your password be different for each service, and what’s the best way to manage them? Hint: it’s not writing them down on paper!
Many people have their website hacked but can find no trace of an intrusion. Why? Because the “hacker” has simply logged in with their username and password. Oh, you’ve not told anyone your logins? You thought you had secure passwords? Strange… Or is it? Let’s introduce you to the basics of website security.
The strange thing is that most end users are tunnel-visioned, unaware that something they do on one website could affect another. For instance, you log into a website happy as Larry, with “[email protected]” and “password123”. You do what you need to and log out. Cool. No problem, all is good, right? Wrong. That website has just fallen victim to an SQL injection attack, and someone now has the emails and passwords of every member of that site.
On top of that, said website wasn’t hashing passwords, so they’re all in plain text and human readable. (Note that this doesn’t mean sites with encrypted or hashed passwords can’t be exploited, it just makes it harder. High-level hackers can get any information they want if they try hard enough.)
Password encryption and hashing are both ways of making a password unreadable by humans but processable by computers. While encryption can quite easily be reversed by anyone holding the key, hashing is a one-way process: a hash cannot be turned back into the original password.
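As an added example (not code from the original post), here is what the three storage choices look like side by side in Python: the plain-text dump described above, an unsalted hash that comes out identical on every site where the password is reused, and a salted, deliberately slow PBKDF2 hash that a site can verify without ever being able to reverse it. The record layout pbkdf2$iterations$salt$digest is this example’s own convention, and the sample password is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demo, not a real account.
SAMPLE_PASSWORD = "password123"


def store_plaintext(password: str) -> str:
    """What the breached site in the post did: the dump is human readable."""
    return password


def store_unsalted_sha256(password: str) -> str:
    """One-way, but deterministic: the same password gives the same digest on
    every site, so a digest leaked from site A exposes the user on site B."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> str:
    """Random per-user salt plus a deliberately slow PBKDF2-HMAC-SHA256.
    Record layout (this example's own convention): pbkdf2$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time.
    Nothing is decrypted: the only way to check is to hash the guess again."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unsupported record scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("plain text :", store_plaintext(SAMPLE_PASSWORD))
    site_a = store_unsalted_sha256(SAMPLE_PASSWORD)
    site_b = store_unsalted_sha256(SAMPLE_PASSWORD)
    print("unsalted   :", site_a, "(identical on both sites)" if site_a == site_b else "")
    rec_a, rec_b = store_salted(SAMPLE_PASSWORD), store_salted(SAMPLE_PASSWORD)
    print("salted A   :", rec_a)
    print("salted B   :", rec_b, "(differs from A)" if rec_a != rec_b else "")
    print("verify ok  :", verify_salted(SAMPLE_PASSWORD, rec_a))
    print("wrong pw   :", verify_salted("dog123", rec_a))
```

Even the salted record only makes guessing slow and per-user, it does not make a weak password like “password123” safe; a long, unique password is what keeps the guess count out of reach.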
The attacker now has your email and password, but how do they know you’re the admin of yoursite.com? Well, there are numerous ways, such as doing a Google search for your email address, or doing a whois lookup to see if you’ve registered any domain names. The list goes on. But don’t be fooled: it’s not just exploits which can leak your password.
Have you ever received an email from someone like PayPal or Apple saying your account has been locked due to suspicious activity? Well, it could be a phishing email. A phishing email is designed to look authentic, but to capture your information. It does this by looking like an official Apple.com email, except that the “Unlock my Account” button goes to a fake website, built to look like Apple.com.
You’re none the wiser, so you fill in your username and password and hit submit. The hacker has now been emailed your login details (in plain text, unhashed), and you’re redirected to the official Apple.com login page.
It’s that easy. Once your password is exposed, it’s game over for you, your accounts and, more importantly, your business website’s security. You must also be aware of social engineering. Here’s a video which shows it in my favourite TV show, Mr. Robot. This is how it works. But more on that in another post 😉
How do I know if my password has been exposed?
Website security expert Troy Hunt has built a system (Have I Been Pwned) which can tell you if your passwords have been exposed. He runs it by acquiring hacked data from the dark web and letting people do a lookup against all the lists he holds. From there you can see how many times your password has been exposed. You can also see if your email address has been involved in a hack.
So how can you keep complex, secure passwords?
There are tons of ways! I personally, and through work, use 1Password. It’s a password vault which stores all your passwords encrypted, in a secure cloud. You log into it with, funnily enough, one password. Which is why this single password (which gets you access to all your other passwords) should be long, secure and unique. Not dog123, but something around 16 characters long, with numbers, special characters and mixed-case letters. Who’d have thought having secure passwords could be so easy, eh?
Once you’ve learnt how to use 1Password, you will very quickly be securing everything from Facebook to your internet banking! You can generate secure passwords on the go, save them into your 1Password account, and use them from the off. I use a family account to help my folks stay secure online.