Protecting your personal credentials

Responsibility - The password to peace of mind

Data is the lifeblood of our business lives and is of paramount importance to corporations everywhere.

Yet, we have recently seen another set of personal information dumped onto the Dark Web. This time, it was 200 million Yahoo account profiles, which comes quickly on the heels of both the LinkedIn 2012 dataset and MySpace credentials that were also recently made publicly available by hackers.

An internet criminal calling himself “peace_of_mind” is selling the Yahoo data for up to 3 bitcoins, which is just over $1,800. There is an enormous market for stolen information. The reality is that data delivers dollars and the same is true for illegally obtained user details. To combat this problem, we need to make stolen credentials worthless to cybercriminals.

Unencrypted credentials

So, what happens when the bad guys acquire your credentials? You might think the password is hashed or encrypted and is therefore protected. In the case of the LinkedIn 2012 data set, the SHA1 algorithm was used, which is now considered a broken hash and should not be used. To make things worse, the passwords were hashed without first being “salted” (i.e. adding random data to each password before hashing, so that two users with the same password get different hashes and attackers cannot simply look the hash up in a precomputed table).

A password recovery service organisation took this opportunity to test their offering and was able to crack more than 80 per cent of the passwords. The fact is that more than 1.1M people chose the password “123456” and nearly 190,000 chose “password”. If people are using such passwords for LinkedIn, there is a good chance they are reusing the same password on more sensitive sites, such as bank accounts, which are far more interesting to cybercriminals.

Protecting passwords

Most sites today require a combination of capital letters, numbers and occasionally a special character. However, there are common patterns that most of us tend to use, like starting with a capital letter and ending with a couple of numbers. If a special character is required, we typically place it at the end. The bad guys know this. With machines equipped with today’s off-the-shelf processing power, even these seemingly complicated passwords are cracked in a relatively short time. So, what is the answer?

Organisations need to do much more than just bolster their security with a firewall. In fact, our recent research showed that as many as 61 per cent of UK consumers believe that businesses are not doing enough to protect themselves and their customers against cyber-criminals, and respondents saw greater investment as the best remedy.

However, users must take some of the responsibility themselves. Worryingly, our research also showed that eight per cent of UK consumers haven’t changed their passwords after a site they hold an account with was hacked. Cybercrime rings hire armies of people whose sole job is to try and hack into the sites that are essential to our daily lives. As users, we need to be more innovative with our password selections. Not using a Password Manager is tantamount to leaving your credentials unprotected.

A Password Manager automatically generates passwords and lets you choose the level of complexity, pattern type and length. The real value, though, is that you do not have to remember them all. The Password Manager stores them, so you can copy each password into the log-in field of the website; some will also store the website URL and automatically fill the field for you when you visit.
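As an added example (not code from the original article, and not any real password manager’s implementation), the block below shows the two ideas from the last paragraphs: a simple check for the predictable “capital letter, word, couple of digits, symbol on the end” shape that human-chosen passwords tend to follow, and a generator of the kind a manager uses, drawing uniformly from the selected character classes with the operating system’s secure random source and reporting how many bits of entropy the chosen length and classes give. The symbol set and the pattern regex are illustrative choices of this example, not values taken from the article.

```python
import math
import re
import secrets
import string

# Character classes a manager might let the user switch on or off. The symbol set is
# an assumption for this example; real tools let you tune it per site.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")

# Approximation of the human pattern the article describes: one capital, a lowercase
# word, one to four digits, and at most one trailing special character.
PREDICTABLE = re.compile(r"^[A-Z][a-z]+\d{1,4}[^A-Za-z0-9]?$")


def follows_common_pattern(password: str) -> bool:
    """True when the password has the predictable shape cracking tools try first."""
    return PREDICTABLE.match(password) is not None


def entropy_bits(length: int, classes: tuple[str, ...] = ALL_CLASSES) -> float:
    """Entropy of a uniformly random password of this length over the union of classes."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, classes: tuple[str, ...] = ALL_CLASSES) -> str:
    """Draw each character uniformly with the CSPRNG behind `secrets`; redraw until
    every selected class appears so the result passes typical site rules."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def uses_only(password: str, classes: tuple[str, ...]) -> bool:
    """Check that a generated password contains only characters from the chosen classes."""
    alphabet = set("".join(CLASSES[c] for c in classes))
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    for pw in ("Summer2016!", "Password1"):
        print(f"{pw!r} follows the common pattern: {follows_common_pattern(pw)}")
    generated = generate_password(20)
    print("generated:", generated)
    print("follows the common pattern:", follows_common_pattern(generated))
    print(f"entropy: {entropy_bits(20):.1f} bits")
```

The entropy figure is the honest measure of a generated password: 20 characters over 86 symbols is about 128 bits, whereas a human-chosen “Summer2016!” is effectively a dictionary word plus a year, and no amount of capitalisation or punctuation rescues it.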

The caveat to this approach, of course, is that the master password for the manager must be very strong, because it protects every credential stored inside. The advantage is that this master password is the only one you need to remember.

Taking responsibility

In summary, your personal data is valuable. Cybercriminals spend enormous effort trying to access your information for unscrupulous commercial gain. By adopting best practice and investing in personal security, your vital credentials remain encrypted, which means that should a hack take place, the stolen data is automatically devalued for the cybercriminal.

Don’t ignore the dangers of the Dark Web - cybersecurity is everyone’s responsibility. Stay safe.

Michael Brown, Systems Engineering Manager, F5 Networks

Image Credit: Christiaan Colen / Flickr