Despite the importance of password security being increasingly publicised, a recent UK study on behalf of the National Cyber Security Centre (NCSC) showed that 23.2 million breached accounts were using “123456” as their password. “qwerty”, “iloveyou” and “password” are also near the top of the list of regularly used passwords.
With the ongoing digitisation of the legal sector, clients and law firms alike are moving into an increasingly cloud-based environment.
Whilst there are undeniable benefits in doing so, it’s now more important than ever to protect sensitive client and business data.
Cyber security shouldn’t just be treated as the concern of the IT department; it is everybody’s responsibility to ensure that access to data is controlled properly.
How a simple password can cause a breach
We recently read with interest a real world example which highlighted the importance of proper password security. It serves as a timely reminder of the consequences of using a weak password…
Example: How qwerty can lead to 500 fraudulent invoices
The business received a report of a compromised user account at the start of business on Monday morning. The IT department began an investigation into the breach and found that the user in question had been using “qwerty” as their password.
On the previous Friday, the attacker used what is known as a password spray attack to guess the correct password.
A password spray attack tries a small number of commonly used passwords against a user or, more often, a whole group of users. It puts users with weak passwords at great risk.
As a result of the user having a weak password, the attacker gained access to their account. They proceeded to use the user’s address book to send out 500 fraudulent invoice emails to customers over a handful of hours.
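The spray pattern described above leaves a recognisable trace in authentication logs: one source address failing logins against many distinct accounts in a short window, with the occasional success marking the account that was actually guessed. The following is an added example, not code from the original article; the log format, timestamps, addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, result, username, source IP.
# One source (203.0.113.7) tries many accounts once each and gets into "erin";
# the other source is a normal user mistyping their own password twice.
SAMPLE_LOG = """\
2019-11-08T17:02:11Z FAIL alice 203.0.113.7
2019-11-08T17:02:13Z FAIL bob 203.0.113.7
2019-11-08T17:02:15Z FAIL carol 203.0.113.7
2019-11-08T17:02:17Z FAIL dave 203.0.113.7
2019-11-08T17:02:19Z SUCCESS erin 203.0.113.7
2019-11-08T17:02:21Z FAIL frank 203.0.113.7
2019-11-08T17:05:40Z FAIL alice 198.51.100.20
2019-11-08T17:05:45Z FAIL alice 198.51.100.20
2019-11-08T17:05:50Z SUCCESS alice 198.51.100.20
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src


def max_distinct_users_in_window(failures, window):
    """Largest number of distinct usernames in any span of failures no longer than `window`.

    `failures` is a time-sorted list of (timestamp, user) tuples.
    """
    best = 0
    start = 0
    for end in range(len(failures)):
        while failures[end][0] - failures[start][0] > window:
            start += 1
        best = max(best, len({user for _, user in failures[start:end + 1]}))
    return best


def detect_spray(log_text, window=timedelta(minutes=30), min_users=5):
    """Return {source: {"users_tried": n, "successes": [users]}} for every source
    whose failed logins cover at least `min_users` distinct accounts within `window`.

    Per-account failure counts stay low during a spray (often below any lockout
    threshold), so the grouping is by source address rather than by account.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_source = defaultdict(list)
    for ts, result, user, src in events:
        by_source[src].append((ts, result, user))

    findings = {}
    for src, evs in by_source.items():
        failures = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        distinct = max_distinct_users_in_window(failures, window)
        if distinct >= min_users:
            # Any success from a spraying source is a likely compromised account.
            successes = sorted({user for _, result, user in evs if result == "SUCCESS"})
            findings[src] = {"users_tried": distinct, "successes": successes}
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {info['users_tried']} accounts tried, successes: {info['successes']}")
```

Run against the sample, the spraying source is reported with “erin” as the account it got into, while the user who mistyped their own password twice is not. The same grouping applies to any sign-in log that records a source address and outcome per attempt; the window and the minimum number of accounts should be tuned to the size of the organisation.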
The seriousness of this attack cannot be overstated.
The recipients of the emails believed that the sender was a trusted source and not a spoofed email address. This can lead to more people falling victim and further dire consequences for the business.
Access to the user account was restored on Monday morning when the user alerted the IT department.
However, this was three days after the attack and gave the attacker time to set up rules to mark all incoming emails as read and then delete them permanently.
Tactics like this cover the tracks of the attacker and make it harder to identify where the 500 emails were sent.
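Rules of the kind described above (mark as read, then delete permanently) are a standard sign of a compromised mailbox, and so are rules that forward mail outside the organisation or file it into folders nobody looks at. The following added example, which is not code from the original article, reviews a simplified export of mailbox rules and explains why each flagged rule looks suspicious. The field names and the sample rules are assumptions, loosely modelled on what mail platforms expose through their administration tooling; a real export will need its fields mapped onto these.

```python
INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Folders that users rarely open, so mail moved there is effectively hidden.
SUSPICIOUS_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                      "Deleted Items", "Junk Email"}
# Subject words an attacker filters on to hide replies and bounces from the victim.
FRAUD_KEYWORDS = ("invoice", "payment", "undeliverable", "password", "hacked")

# Constructed export of one mailbox's rules.
SAMPLE_RULES = [
    {"mailbox": "jsmith@example.com", "name": "Newsletters", "enabled": True,
     "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"mailbox": "jsmith@example.com", "name": ".", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "undeliverable"]},
     "actions": {"mark_as_read": True, "delete_permanently": True}},
    {"mailbox": "jsmith@example.com", "name": "Backup", "enabled": True,
     "conditions": {},
     "actions": {"forward_to": ["collector@mail-relay.invalid"]}},
    {"mailbox": "jsmith@example.com", "name": "Old rule", "enabled": False,
     "conditions": {},
     "actions": {"delete_permanently": True}},
]


def rule_reasons(rule, internal_domain=INTERNAL_DOMAIN):
    """Return a list of reasons this rule looks like it hides attacker activity."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    if actions.get("delete_permanently"):
        if actions.get("mark_as_read"):
            reasons.append("marks incoming mail as read and deletes it permanently")
        else:
            reasons.append("deletes incoming mail permanently")

    for addr in actions.get("forward_to", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != internal_domain.lower():
            reasons.append(f"forwards mail outside the organisation ({domain})")

    if actions.get("move_to_folder") in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to a rarely viewed folder ({actions['move_to_folder']})")

    # Attackers often give rules blank or one-character names so they are easy to overlook.
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")

    subjects = [s.lower() for s in conditions.get("subject_contains", [])]
    if any(kw in s for s in subjects for kw in FRAUD_KEYWORDS):
        reasons.append("matches subjects typical of invoice fraud replies or bounce notices")
    return reasons


def suspicious_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Return findings for every enabled rule with at least one reason."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        reasons = rule_reasons(rule, internal_domain)
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "name": rule.get("name", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_RULES):
        print(f"{finding['mailbox']} rule {finding['name']!r}:")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Running this review for every mailbox on a schedule, and whenever an account compromise is reported, shortens the gap between an attack and its discovery; in the example above that gap was three days.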
This is just one example. Had the attacker gained access to a user with global admin permissions, this attack could have been far worse and had longer-lasting consequences.
Our Five Top Tips for password security
By following these tips, you can strengthen the security of your personal and business accounts and make it much harder for a potential attacker to do the same to you.
1. Create strong passwords
The NCSC recommends using three random words that are easy to remember but hard for someone who knows you to guess in 20 attempts.
Therefore, avoid using personal information in your password. Details like birthdays, family and pet names and even your favourite band can be obtained quite easily by potential attackers through social media or phishing attacks.
Most websites will now give you an indication of how strong your password is and require certain criteria to be met on password creation. The use of numbers, symbols and a combination of upper and lower-case letters can also be used to strengthen passwords. Try to avoid using numbers in sequence.
2. Separate your personal and work passwords
Do not use the same passwords for multiple accounts. This will reduce the impact of a personal account being compromised upon your work life and vice versa.
3. Protect your passwords
Considering the above advice, and given the abundance of personal and professional accounts many of us have, it can be difficult to remember all of these different passwords. However, do not write your password down on a post-it note and keep it on your monitor or under your keyboard: this is well known and will easily be found by an attacker.
Password managers can be an ideal solution but ensure you do your research first as there are benefits and disadvantages to these services.
4. Two factor authentication
Many websites and services now offer the option to enable two-factor authentication (2FA), which provides a way of double-checking your identity and preventing unauthorised access to your accounts. Often this works by sending a one-time code to your mobile device in addition to asking for your username and password.
Using 2FA is vital on services that contain sensitive information, especially email services. If a potential attacker gains access to your email account, it will give them the opportunity to gather information about you, and could potentially give them an avenue to access more accounts through resetting your passwords.
5. Be aware of your environment when entering your passwords
It’s essential to always ensure you are on a secure network when entering your password. If you are on a hotspot then use a VPN to secure your connection to prevent others from capturing your information as it’s sent.
If you don’t have a VPN service, use your phone’s 4G connection or wait and find a secure connection elsewhere. Be careful when entering personal information in public environments; prying eyes could be close by, and you should exercise the same amount of caution you would when entering your PIN at an ATM or card terminal.
For more information on cyber security, visit the National Cyber Security Centre website, which contains information and guides for all types of user, from individuals to enterprise-level businesses.
The NCSC has published a list of the top one hundred thousand compromised passwords.
Have I Been Pwned is an excellent resource where you can check whether any of your accounts have been compromised in a website breach.
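The advice in tip 1 (length, no personal details, no digit sequences, nothing from the common-password lists) and the two resources just mentioned come together in a single check that an organisation can run before accepting a new password. The following is an added example, not code from the original article, the NCSC or Have I Been Pwned. The local denylist is a constructed stand-in for a published compromised-password list (it holds only the four passwords the article names), the minimum length is an assumption, and the breach lookup uses the Pwned Passwords range endpoint that Have I Been Pwned provides for passwords: only the first five characters of the SHA-1 hash leave the machine, and the full hash is matched locally against the returned suffixes. The sample response below is constructed (its first suffix is the real SHA-1 of “password” with the prefix removed; the counts are made up), so the block runs without network access.

```python
import hashlib
import urllib.request

# Constructed stand-in for a published compromised-password list.
COMMON_PASSWORDS = {"123456", "qwerty", "iloveyou", "password"}
MIN_LENGTH = 12  # assumption; three memorable words comfortably exceed this


def has_sequential_digits(password, run=4):
    """True if the password contains `run` consecutive ascending or descending digits."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        if not chunk.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def local_checks(password, personal_details=()):
    """Apply the local rules: length, denylist, personal details, digit sequences.

    Returns a list of problems; an empty list means the password passed.
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    for detail in personal_details:
        if len(detail) >= 3 and detail.lower() in lowered:
            problems.append(f"contains personal detail '{detail}'")
    if has_sequential_digits(password):
        problems.append("contains a run of sequential digits")
    return problems


def split_hash(password):
    """SHA-1 the password; return the 5-char prefix that is sent and the suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines from a range response into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup against the Pwned Passwords range endpoint (needs network access)."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Number of times the password appears in breaches, or 0 if its hash suffix is absent."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed range response for prefix 5BAA6 (SHA-1("password") starts 5BAA6);
# the counts are invented for the example.
SAMPLE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E7F4E8D0B41A27B4AC66E8A4B1F8A5D5A2:1
"""

if __name__ == "__main__":
    for candidate in ("qwerty", "Rex-Summer-1990x", "lamp-otter-vinegar"):
        problems = local_checks(candidate, personal_details=["Rex", "1990"])
        seen = breach_count(candidate, fetch=lambda prefix: SAMPLE_RESPONSE)
        print(f"{candidate!r}: problems={problems}, breach count={seen}")
```

The `fetch` parameter exists so that the breach check can be exercised offline, as the sample does, and switched to the live endpoint by leaving the default in place. Because the check sends a hash prefix rather than the password, it is safe to run on a candidate password the user has just chosen.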