Using Secure Passwords

Many individuals look upon the requirement to use and change passwords regularly as an evil inflicted by the Information Technology (IT) industry. What users should be aware of is that a password is no different than the combination to a safe and should be protected in the same way. Although you may believe your company and personal data would be of little or no interest to hackers, this often has no bearing on which sites are targeted. A large percentage of hackers are opportunists out to create petty vandalism and cause damage. Other hackers may be more interested in using your site to relay emails (spam) or viruses to others, thereby protecting themselves and implicating you. These are good reasons for making passwords difficult to crack or guess. This will make your site much less interesting to casual hackers and much harder for targeted hackers to infiltrate and abuse your computer systems.

Best Practice

There are many ways to crack or break passwords. For this reason it is essential that all passwords be chosen with care and changed regularly. There are a number of industry ‘Best Practices’ which can help ensure the safety of the organisation’s data.

  • All passwords should be at least 6 characters
  • All passwords should contain at least one number
  • Passwords should be changed regularly (at least every three months).
  • Passwords should not be in the dictionary, names, dates or phone numbers
  • Each password change should introduce a new password, which should be substantially different from all previous passwords (e.g. the password should not remain the same and just have a new number tagged on the end)

If possible these rules should be enforced by software to ensure compliance and the security of the organisation.
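One way to enforce the rules listed above in software, as an added example that is not part of the original article. The word list, function names and parameters are hypothetical, and the PBKDF2 password history is an assumption about how earlier passwords are stored.

```python
import hashlib
import hmac
import re

MIN_LENGTH = 6  # minimum length stated in the list above
# Constructed sample list; a real deployment would load a full dictionary file.
WORDLIST = {"summer", "password", "computing", "welcome", "dragon"}

def stem(password):
    """Lower-case and strip digits/punctuation from both ends ('Summer7!' -> 'summer')."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())

def digest(password, salt):
    """Salted, deliberately slow hash so the history never holds plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_password(candidate, current, personal, history, salt):
    """Return the list of broken rules; an empty list means the change is accepted.

    current  - the old password, typed by the user as part of the change
    personal - login name and real names that must not appear in the password
    history  - digests of earlier passwords, made with digest()
    """
    problems = []
    core = stem(candidate)
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 6 characters")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("contains no number")
    if core in WORDLIST:
        problems.append("dictionary word with digits or punctuation added")
    if any(name.lower() in candidate.lower() for name in personal if name):
        problems.append("contains a login or personal name")
    if re.fullmatch(r"[\d\s/.()+-]+", candidate):
        problems.append("looks like a date or phone number")
    if core and core == stem(current):
        problems.append("old password with only the number changed")
    new_digest = digest(candidate, salt)
    if any(hmac.compare_digest(new_digest, old) for old in history):
        problems.append("reuses an earlier password")
    return problems
```

The similarity rule compares against the old password the user types during the change, so only salted digests of earlier passwords need to be kept.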

Do

  • Use a password with mixed-case characters (e.g. aLEx54)
  • Use a password with non-alphabetic characters, e.g., digits or punctuation.
  • Use a password that is easy to remember, so you don’t have to write it down
  • Use a password that you can type quickly, without having to look at the keyboard. This will make it a lot harder for someone to steal your password by watching over your shoulder

Don’t

  • Use your login name in any form
  • Use your first or last name in any form
  • Use your spouse’s or child’s name
  • Use other information easily obtained about you. This includes license plate numbers, telephone numbers, the brand of your car, the name of the street you live on, etc.
  • Use a password of all digits, or all the same letter. This significantly decreases the search time for an intruder
  • Use a word contained in (English or foreign language) dictionaries, spelling lists, or other lists of words.
  • Use a password shorter than six characters

Some Selection Ideas

A randomly chosen password is often easily forgotten. Although passwords can usually be reset easily, this creates overhead for the system administrator and wastes valuable time. One popular way of choosing passwords that can be remembered is for the user to select a two-syllable word, divide the word in half, reverse the order, and insert a number. For instance, the word SUMMER and the number 2 become MER2SUM. This becomes an easily remembered password (all the user must remember is SUMMER 2 and the rule), while still being difficult to crack or guess.

Switching letters for numbers is also a good method. Start with a normal word, say ‘computing’ and replace the i’s with 1’s and the o’s with zeros, so the password would become ‘c0mput1ng’. Use word abbreviations to create small simple phrases that are easy to remember. For example, “you too can be safe” would turn into “u2canbsafe”.

Taking a short phrase and using the first letter of each word can also be a good method. For example, ‘I like the beach in the summer’ would become ‘iltbits’.

Summary

The basic key with passwords, after avoiding all the common mistakes like using your name, is that it must be something you can remember. If you can’t remember it then you will write it down, which is a big no-no. Second to remembering it, the password should be easy to type.

So if you’re in need of some help with passwords, or even just some free friendly advice, get in touch with us on 0800 878 878

5 Ways to Spot a Scam Email

Sign 1: Does that link really go where it says it does?

More often than not an email fraud message will ask you to click a link to verify your account or some other call to action. A quick way to spot a scam is to hover your mouse over the link and see if it really points to the site in question.

In the example below I have an email purportedly from Kiwibank, who want me to verify my account details. As you can see, when I hover over the link it does not link to Kiwibank at all but to another, much less inviting URL. If you see this, click delete on the email and carry on your day knowing you’ve saved your credentials from another devious attack:

However, the correct web address will always show the bank’s name first, for example:

Sign 2: If you didn’t expect it, it is probably fraud

A common way to get people to enter their information into a web site is to claim you have a package waiting, or some money to claim, or any number of other options. Sure, it might be a nice thought to think this is the case, but to this day I have never known UPS to want someone’s details via an email link for a package they were not expecting. If in doubt, delete it. If someone really does need those details they will make a concerted effort via phone to talk to you.

Sign 3: Is it too good to be true?

“Hi, I am Suzie Gorgeous-Pants, and I need a companion in your area to give me a better life…” Sound familiar? It is easy to get sucked into such things, but in the end it’s all a scam. We hear of people sinking hundreds or thousands of dollars into getting a companion who didn’t exist in the first place… DELETE

Sign 4: Can that official email editor speak English correctly?

“Kiwibank needs you verify your account in the immediacy”. It might not always be this obvious, but if you read the email thoroughly and find bad spelling or grammar, or it just doesn’t make sense, then it’s time for the quick DELETE. If that email really was from a bank, IRD, UPS or any other official channel it will have been vetted thoroughly for errors before being sent.

Sign 5: The easiest one to spot

This is not always the case, but often, while the name of the person sending to you might be Kiwibank for example, their actual email address may be Iamabigscammer @ nigeriantheft.com or something equally ridiculous. If you see this sort of thing in the from area of the email then DELETE: quick, simple and effective.

If in doubt, call us on 0800 878 878. We’d prefer to spend 2 minutes advising you beforehand than 2 hours helping you fix it once it’s too late.

Phishing, Social Engineering and Online Scams

Rule 1: Think before you Click

Phishing or social engineering attacks are increasingly being used by cyber criminals to trick internet users into revealing sensitive information – website login details, bank account or credit card details or personal data that forms part of your identity.

Phishing emails (note the ‘ph’) are designed to look official and may use an ‘urgent security alert’ or other reason for you to immediately visit a website to confirm your personal details.

Misspelt website addresses or URLs can be bought and set up to look similar to your bank website, with copied logos and login forms as the added touch that aims to convince you to enter your account login information.

Rule 2: Beware the friend in need

A friend’s hacked email address can now be used to send highly convincing – but fake – appeals for emergency help or direct you off to ‘interesting’ video or photo content, perhaps involving a celebrity sex scandal.

Click the link in the email though and you may end up on a website designed to infect your computer if you haven’t fully patched the operating system and all software on it, particularly Java and Adobe Flash.

Even social networks have been affected by spam or malware links added via rogue apps or compromised accounts.

How to avoid getting Phished

  • Learn about the various phishing species that try to hook you and reel you in
  • Be careful when you receive emails requesting urgent account verification
  • Don’t download and open unexpected attachments
  • Curiosity killed the cat – avoid clicking on video or photo links posted on your newsfeed
  • Don’t respond, download files or click on links to websites you’re suspicious of
  • Investigate any online offers carefully that appear to be too good to be true

To discuss how Tech Solutions can help your business call Nick on 0800 878 878 or email nick@techs.co.nz
