Wed, Feb 10, 2016

Problem Passwords: Tips to Safeguard Your Accounts

The list of the most common and therefore, worst passwords of 2015 has been published and demonstrates that our approach to password management has not improved. Once again, the top password is ‘123456’ and the second most common is ‘password’.

There are many problems with passwords, all of which add up to insecure online accounts. It is estimated that we have as many as 118 online accounts and trying to manage so many accounts induces poor password hygiene. The main problems with passwords are:

  • We use words and phrases that we think are unique, but are in fact terrifyingly common as Splashdata’s list shows. Even if your passwords do not appear in the top ten list, research shows that most people use a password from a very short list
  • Even if not using a word or phrase which is shared by many others, we all tend to go through a similar process when thinking up passwords, and that is to draw on things we feel passionate about.This may include names of loved ones and pets, references to hobbies and possessions, or places that mean something to us. Most of the information we draw on to inspire these passwords is available online, publicly shared in our social media profiles, which means it’s highly accessible to criminals
  • As well as being able to guess common passwords and determine personal ones based on your digital footprint, criminals also use password-cracking tools to brute force access to your accounts.These password-cracking tools plough through dictionary words to see if they open up your account
  • Many people re-use their passwords. The problem here is that once one account is breached, the re-used password will open access to all of the other accounts it is supposed to protect
  • People often write their passwords down or store them electronically in plain text. The vulnerability here is that a malicious actor gains access to the list and, so, to your accounts.

Why does it matter?

Access to your online accounts can essentially provide access to your life, for example your financial information, corporate data, personal information, and the ability to send, receive and intercept your communications. This can be used for theft, spear-phishing, as a route to your contacts and even blackmail.

Kroll has investigated many cases where poor password management was the root cause of the problem. For example, we were engaged by a hedge fund which had suffered the theft of its unique algorithm. This algorithm formed the basis of the fund’s trading methodology and yet was protected by a weak password. The password was cracked and the code was leaked causing the client significant financial loss during the five years it took to rectify the problem.

In another case, a Private Wealth Bank contacted Kroll after it had identified bogus money transfer instructions from an external wealth manager of one of its clients. By the time the bank realised it had been subject to a fraud it had transferred in excess of $1 million.

Kroll identified that the wealth manager’s email account had been compromised and email filters had been set to hide all messages from the bank and his client’s email thus allowing the fraudster to send the bogus instructions undetected. The fraudster had mimicked the language and instructions from the client’s earlier emails saved in the account. His password was his daughter’s forename which was readily identifiable through his public social media accounts.

What can you do?

  • Use unique, complicated passwords (not dictionary words or anything which could be deduced from your social media) with a combination of letters, numbers and special character
  • Strengthen the security of your online accounts by using two-factor authentication
  • Consider an assessment of your digital footprint, for an ‘attacker’s eye view’ of the information you share online and how a criminal could use it against you.
By Dr Jessica Barker, Senior Consultant in Kroll’s Investigations and Disputes practice based in London.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.