Password Cracking and How to Protect Your Accounts

In the age we live in, it’s almost inevitable that you have multiple digital accounts across multiple platforms: an email account (or several), social media accounts, online banking, accounts for the systems you use at work, and so on. All of these rely on passwords to keep them secure.

Your passwords are your first line of defense against would-be hackers trying to get unauthorized access to your accounts. But passwords are not foolproof; there are ways that attackers can discover or break through your password to get at your most sensitive of data. This can result in thieves getting into your bank account, your identity being stolen, or a work security breach that can get you fired, just to name a few dire consequences.

But all is not lost. With robust password and account management, you can keep risks down to a bare minimum. To help you with that effort, we here at DigitalJTI have put together this post to guide you in keeping your accounts secure.

Choosing Strong Passwords

The first step in keeping your systems secure is to ensure the password itself is strong. You wouldn’t protect your home with locks made of paper, so why use weak passwords for your accounts? Before creating a password, check your company’s password policy for work accounts, if one is in place, and check the password policy of the software or website the account is on. These policies are usually put in place by security experts to ensure a minimum level of protection for those accounts. You will have to follow them anyway, so taking them into account early is simply good sense.

Many people use simple and easy-to-remember passwords such as “password1”, “12345”, their own name or the names of family members. Often the first thing hackers try is to guess common passwords or passwords that would be meaningful to the user. Your name and your family members’ names can be gleaned from social media accounts, websites, or email signatures. Make sure your passwords are not obvious, not personal to you, and not words that can be read off your desk. And yes, “<child’s name>IsTheBest” or your child’s birthdate is obvious, and that information can be found with a quick Facebook lookup or a carefully-worded call to your local school.

Another common strategy for hackers is to use software to rapidly try every possible password, or a large set of candidate passwords, in quick succession. This is known as a brute force attack. To defend against this, your passwords should combine lower-case, upper-case, numerical and symbol characters, and you should opt for longer passwords. Each extra character multiplies the number of possible passwords by the size of the character set, so the total grows exponentially with length, and a password cracker has to try far more candidates before it has a realistic chance of hitting the correct one. The longer it takes to find the password, the more likely the hacker is to give up and move on.

A simple or obvious password can be found easily by a savvy hacker

You should also make sure to use a different password for every account. The best password in the world isn’t 100% foolproof, and there is always a chance that the website or app itself gets hacked. If you reuse a password across accounts and a hacker obtains it from one site, they can try it on the other common sites and apps they expect you to have.

So, in summary we are recommending you keep many passwords that are each long, have a variety of characters and don’t have personal meaning to you. You are likely wondering how you can possibly remember all of them. The good news is you don’t necessarily have to.

Consider a Password Management Service

There are many apps that can be used to effectively manage your passwords. These password management services can store your passwords for all your accounts and most of them can create strong passwords for you. This allows you to have very strong passwords unique to every account without worrying about remembering them all. You only need to remember your master password to log into the password manager.

Many of these services have plugins for your browser that can even auto-fill your password when you visit a website, making them one of the few cases that are both more secure and more convenient. Most will store your passwords on their servers so they can sync across all your devices giving you convenient access to your accounts at any time. The passwords are encrypted, and the decryption key is kept on your device separate from the passwords to protect you even if their server gets hacked.

It can be difficult to keep track of many accounts. A password manager can help

You can find lots of password managers with a quick search in your favorite search engine. Many of them are very affordable and some are even free to use. We would recommend you look at reviews of each one to find one that is trustworthy and suits your needs.

Perhaps you don’t trust any password managers, you don’t want to install any software, or you don’t want to deal with software you don’t understand well. But you still want to have unique and strong passwords for your many accounts. There may be one alternative for you, with a few caveats.

A Low-Tech Alternative

It’s a bit controversial, but some security experts suggest that writing passwords in a carefully protected place can be a good alternative. The main benefit of this approach is that paper cannot be hacked no matter how good a hacker is. However, while this does protect you from remote attacks, it is more vulnerable to local intrusion if anyone gets their hands on your notebook.

The first thing you need to do is keep the record safe. Ideally, you should keep it on your person so the only way someone can get access to it is to take it directly from you. A notebook in your pocket, a card in your wallet or a piece of paper tucked into your shoe all allow you to personally keep your passwords safe. If you must store it somewhere, it should be somewhere no one would think to look or in a very secure location such as a lockbox. Never leave it somewhere someone can see it or look through it, such as on a desk or even in a desk drawer.

Write down as little information as possible. Ideally, even if someone gets your notebook, they shouldn’t be able to tell what password goes with what username and what account. If you must look at it in a not-completely-private location, including in the office, make sure there’s no one in a place where they could easily look over your shoulder.

You also must be careful not to lose the paper or let it get destroyed. Forgetting it in your pants pocket on laundry day is a great way to lose access to all your accounts. You also don’t want to accidentally leave it somewhere anyone else could find it.

To be clear, a password management service would be more secure than writing the passwords on paper, but this method would be better than using weak passwords. If you want to learn more about the ways people can access your accounts through physical documents, check out this other article.

Beyond the Password

So now you know about creating strong passwords and how to keep track of your passwords. What else do you need to be aware of to keep your accounts safe?

First, you need to keep those passwords safe. If there’s ever a need for you to look at a password or to type it out, always make sure there’s no one nearby who could watch you and capture it. If you ever get the feeling that someone might have hacked your account or gained access to your passwords, immediately change the password on all suspected accounts and any accounts associated with them before any harm can be done. You should then check the account to make sure no changes have been made to its settings or its activity: your transaction records for online banking, your sent folder for email, and so on.

Always make sure you log out if you have to leave your device unattended

Be wary of security questions or password recovery questions, such as “What is the name of your first pet” or “What is your mother’s maiden name”. These can undermine a strong password as this information can often be easily gained by a hacker such as through social media or casually talking with your friends or family. You can read our previous article on social engineering to learn more about how a hacker can piece together information to access your accounts. If you must use these security questions, you should always input your own question rather than use the default if that option is available. You should always choose questions you’re confident no one knows or can find out about you. Ideally, if you can keep track of it, you should give incorrect information as the answer to throw off savvy attackers.

If a hacker gets access to your personal computer, they likely will be able to get access to many or all your accounts from there. Even if they cannot immediately, they can install software that tracks what you do and captures your passwords as you type them. Never leave a phone, tablet, or laptop unattended in a public place, including your office. If you must leave a desktop computer unattended, make sure you log out and that a password is required to log in.

You should also consider two-factor authentication. Most websites and apps offer two-factor authentication in their settings menu. This handy security feature sends a message to your phone, or asks for a code generated on it, that must be supplied before access to the account is granted. This reduces the chance of an intrusion because the hacker would need both your password and physical access to your phone. This feature is highly recommended.
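The most common form of the phone-generated code is a time-based one-time password (TOTP, RFC 6238): the site and the phone share a secret once at enrolment, and afterwards the phone proves it still holds that secret by deriving a six-digit code from it and the current time. The following is an added example of the server-side verification, not code from the original post or from any particular service. It uses the RFC 6238 test secret so the values can be checked against the standard; the `window` of one step either side and the replay guard are design choices assumed here, not something the post specifies.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors; a real enrolment would
# generate a random secret per account and show it to the phone as a QR code.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits and reduced to the requested number of digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts codes from the previous, current and next time step to tolerate
    clock drift, compares in constant time, and refuses to accept the same
    (or an earlier) step twice so an observed code cannot be replayed.
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1   # highest time step already consumed

    def verify(self, submitted, unix_time=None):
        now = time.time() if unix_time is None else unix_time
        counter = int(now) // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue   # already used: a second login with the same code fails
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # The phone's side: derive the code for the current moment.
    code = totp(RFC_SECRET, time.time())
    # The site's side: check it, then reject the same code a second time.
    verifier = TotpVerifier(RFC_SECRET)
    print(code, verifier.verify(code), verifier.verify(code))
```

Because the secret never leaves the phone or the server after enrolment, a password captured by shoulder-surfing or a leaked database is not enough on its own; the attacker would also need the device, which is exactly the property the paragraph above describes.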

Two-factor authentication requires multiple devices, making it much harder for an attacker to gain access to your accounts

Conclusion

As we have discussed here, simply having a password isn’t enough to protect against digital attacks. You must have a strong password and have a unique one for each account. There are methods to allow you to have many strong passwords without having to memorize all of them, especially password management services. There are also methods you can follow to protect your passwords and secure your account in the case of a stolen password, most notably two-factor authentication. By following this advice, you can protect yourself from all but the most die-hard attackers.

How to Protect Yourself from Ransomware

Ransomware is a quickly growing form of cyberattack that can have devastating consequences for an individual or business. Ransomware is a type of malware, not unlike a virus, that infects a system and locks out access to extort money from the user or business. Losing access to data and software can be devastating to a business that relies on it and attackers make use of that to extort large sums of money from them.

There are very few options once your system has been infected with a carefully crafted ransomware attack. So don’t wait until ransomware becomes a problem to begin looking to defend yourself. There are several options you can use to prepare and protect yourself against ransomware attempts on your data.

Be Aware of the Common Methods of Attack

For malware to infect your system, it must get into your system. There are different ways that an attacker can accomplish this, but all of them are avoidable if you are vigilant and stay aware.

Emails and messages are likely one of the most common means of attack. Phishing emails pretend to be official emails that seek to get information or access to a system. If an email has an attachment or link, clicking it could install malware, including ransomware, onto your system. Once malware infects your system, it can use your contact list to send copies of itself to all your friends and colleagues. We’ve talked about phishing emails before if you want to learn more about how to identify them. In general, if you receive an email with a link or attachment, check that you know for certain that it’s from a trusted source. Look for any subtle mistakes or anything that seems off, especially with the sender’s address. If you’re uncertain at all, contact your IT department to be sure. All of this can apply to social media messages as well.

An artist’s depiction of phishing

Another source of malware such as ransomware is suspicious websites. Do not download anything from a website or click buttons, links, or popups unless you’re certain the website is a trusted source. Even if it looks like an official website, double check the URL and look for suspicious mistakes. If you’re uncertain or the website feels suspicious, leave the site immediately.

Attackers will also sometimes use harmless-looking devices to access your computer, and hackers can use these devices to install ransomware. Check out our previous article to learn more about them, but the important thing is not to connect any device to your computer if you don’t know where it came from, even if it looks like a thumb drive someone dropped and you only want to identify the owner so you can return it. Likewise, do not connect your computer to any unfamiliar Wi-Fi networks.

Keep Your Software Up to Date

Your computer and network’s security software helps keep you safe even if malware manages to slip onto your system. Sometimes you may miss something or an attacker uses a new avenue of attack you didn’t expect and some ransomware manages to get onto the system. Your antivirus, anti-malware and firewall systems are your next line of defense to catch the malware that squeezes through.

Remember to update often

An up-to-date security software system can regularly scan for and detect suspicious activity and isolate it before it does any damage. These systems usually work by recognizing patterns of code or behaviour associated with malware, but attackers are constantly trying to change their method of attack to get around these systems. For that reason, the makers of anti-malware software are constantly releasing updates to stay ahead and keep your system safe. Make sure these updates get installed so your system is not vulnerable to attack from new techniques.

Attackers also regularly look for flaws in your systems and software to find a new method of attack. Whenever software companies become aware of a vulnerability in their product, they release an update or patch to fix the issue. You therefore want to make sure your systems and software are always up to date, especially your operating system.

DigitalJTI offers system maintenance services so we can keep all of these systems up to date for you. Allow us to make sure your computer isn’t vulnerable to attack.

Keep Your System Backed Up in Case of Emergency

Even with all of the above advice, some especially slippery ransomware from an especially clever attacker may still slip through. If you are properly prepared, these attacks can become no more than a minor annoyance. If you keep your system and files backed up on a separate platform, in the event of a ransomware attack taking away your access, you can simply wipe your system and restore it to regain access.

If you would like help maintaining system and software backups for your computer, we offer backup and recovery services that can get you up and running in minimal time in the event of a ransomware attack.

Conclusion

Ransomware attacks can be devastating to individuals and businesses, costing large sums of money and lost business. But if you know what to look out for and are prepared, you can reduce the threat significantly. Don’t let your system be held to ransom; stay aware.

5 Business Security Tips to Protect Your Workplace

In the digital age we find ourselves in, security is more important than ever before. Keeping customer and employee personal information, sensitive business information and assets out of the hands of would-be attackers requires cooperation from every person in a business. All it takes is one person thinking a suspicious situation is harmless to result in an attacker gaining access.

For many, the very word “hacker” draws to mind a mysterious figure in a hoodie sitting in a dark room and typing furiously on a keyboard. It seems to be all about password cracking and creating backdoors into systems. Either they’re too good to be stopped or a good enough firewall will keep them out, right? However, while there are some brute-force ways to attack a system, the reality is that most hackers operate more like con artists and scammers, piecing together scraps of information from discarded documents and gaining the trust of unsuspecting employees.

This approach to beating security is known as social engineering and it is one of the most insidious weapons in an attacker’s arsenal. It takes advantage of the fact that people tend to let their guard down when everything seems normal and safe. Even the most level-headed and reasonable person can be fooled by social engineering if they don’t have reason to believe the behaviour is suspicious. We at DigitalJTI have compiled a list of 5 security tips that you can use to identify suspicious behaviour so you can help keep your workplace and your personal information safe from attack.

#1 Do Not Leave Sensitive Information Where Others Can Find It

This one seems deceptively straight-forward, but it can take a lot of awareness and discipline to keep information from slipping into the wrong hands. Desks and garbage bins seem like they’d be safe from intrusion, but they’re favored places for information gathering for attackers. You should be careful to file and dispose of documents, even informal ones, properly.

Beyond the obvious, you should pay special attention to business information such as names and personal information of employees and customers, internal phone numbers, dates and times of meetings and other internal events and anything else that’s not publicly available. This sort of information can help an attacker gain access to the system or provide a lead to where they can get that access. If you’re uncertain, it’s better to treat the information as sensitive.

Documents should be carefully organized and stored to prevent unwanted access. Sticky notes with reset passwords or a business card with a colleague’s personal email should be carefully tucked away in a secure place if still needed or destroyed if not. If left on a cluttered desk, even for a few minutes, they can be easily viewed by someone walking by or quickly searching your desk. Sensitive documents should be filed away somewhere that can’t be accessed quickly and easily by someone looking. If they must be stored on the desk surface, keep them organized and stored in a way that they can’t be easily identified at a glance. The more time it would take for a would-be attacker to find something, the less likely they will be to take the risk of being caught. A clean and organized desk goes a long way towards this and allows you to quickly recognize if something sensitive goes missing so you can report it.

Documents with sensitive information to you or the business that are no longer needed shouldn’t be simply discarded in the trash. Hackers have been known to dig through garbage bins and dumpsters to find sensitive and useful information. Sensitive documents should be shredded or thoroughly torn up to ensure they cannot be read by anyone getting them. A general policy of shredding all discarded documents would be even better to ensure nothing slips through.

Properly Disposed Documents

#2 Do Not Put Sensitive Information Online

This is another one that appears simple on the surface. Anything that gets put online can have a traceable record and can be potentially accessed by anyone from anywhere. This can be as simple as sending the password to access the online store in an email to a coworker or posting on Facebook to complain about a meeting you must attend this weekend.

A savvy hacker can potentially breach a less-secured system or monitor wireless signals to steal data as it is transferred. You should be especially careful of anything posted publicly or used in a public place such as a coffee shop. Some hackers use devices known as packet sniffers to snatch signals such as emails through a network which they can then access if they’re not properly encrypted.

Even basic information that seems harmless can be used by attackers. Good social engineers can piece together shreds of information from multiple people. A Facebook post with a couple employee names here, a Tweet about a meeting there, and an attacker can build up the information necessary to launch their intrusion attempt. If it’s information the business doesn’t actively make public, it’s best to avoid putting it in a public place just to be safe.

#3 Be Wary of Unknown People Even If They Seem Like They Belong

Social engineers are good at pretending they belong and coming across like they know you. You likely believe that you’ll immediately recognize a would-be intruder as suspicious, but it’s not as straight-forward as we tend to think.

A regular businessman looking regularly impatient
Is he a rushed coworker or a potential hacker? How could you tell?

Consider this: have you ever had someone come up to you who knows you by name and is friendly, but you don’t remember them? Maybe they were introduced by a mutual friend or they met you at an office event. Likely you didn’t want to admit you didn’t remember them and chose to be friendly back. Chances are they were who they said they were, but this is exactly the kind of situation where social engineers shine. This is also where the information from tips #1 and #2 can be useful to attackers. They can make their presence in the company seem more authentic if they can show they know your name and face (which they got from a document in the dumpster) and can recount a funny story from the recent office Christmas party (which they saw you post about on Facebook). If you don’t remember them and they can’t prove their identity, don’t trust them with access to the office or documents.

A common trick for social engineers is to act like someone official who just needs their password reset or access to an area to do their job. They make you feel sympathetic to put you off guard; they’re in a hurry, their boss is breathing down their neck, and they were so flustered they forgot their password, couldn’t you just help them out? Even if they seem like they belong and you feel like you should give them a break, don’t help them if you don’t recognize them and can’t confirm they should have access. Instead, find someone who can confirm their identity and access such as an administrator or the IT department to help them out.

#4 Do Not Interact with Suspicious Messages

Another common tactic for would-be hackers is trying to get information electronically, especially via email or social media. This is known as phishing and can be as insidious as the methods mentioned in tip #3. We’ve all probably seen obvious phishing attempts: poorly worded messages requesting banking info or password resets. It can be easy to conclude that phishing messages are easy to identify, but this is not always the case. Some attackers use carefully crafted emails that look nearly identical to official emails sent by a company.

Another risk from messages is malware: dangerous software meant to harm or steal from your computer, such as viruses. A message may contain an official-looking link or attachment, such as what appears to be a Word document from your department head. Clicking on such an attachment or link can give the malware a chance to install itself on your computer where it can damage the system or even copy files and data to send back to the hacker.

If you receive any emails or social media messages that appear official but request sensitive or personal information, or carry attachments or links, take a moment to confirm the message is from a trusted source. Look for small mistakes in any images, logos, or titles, and confirm that the sender name and address are correct. Mistakes and misspellings, especially in the sender name or address, can indicate a phishing message. If you’re uncertain, contact your IT department for advice.
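The sender-address checks recommended here and in the ransomware article above can be expressed as a few mechanical rules: is the domain one we actually send from, is it a near-misspelling of one, is a trusted name hidden inside a longer domain, does the display name claim our brand or even show a different email address than the real one. The following is an added example of such a check, not code from the original post or from any mail product; the trusted domains, the sample `From:` headers and the edit-distance threshold are constructed for illustration, and real mail filters add many more signals.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed allow-list: the domains this organisation really sends from.
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}

# Brand words taken from the trusted domains (here just "example"); a display
# name that invokes them should come from a trusted domain.
BRAND_WORDS = {d.split(".")[-2] for d in TRUSTED_DOMAINS}

# Digit-for-letter swaps commonly used in lookalike domains (heuristic).
HOMOGLYPH_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

EMAIL_IN_NAME = re.compile(r"[\w.+-]+@([\w.-]+)")

# Constructed sample headers: one genuine, four phishing-style.
SAMPLE_HEADERS = [
    "From: IT Helpdesk <helpdesk@example.com>",
    "From: IT Helpdesk <helpdesk@exampie.com>",
    'From: "Example Payroll" <payroll@example-secure.net>',
    "From: Example Support <support@examp1e.com>",
    'From: "hr@example.com" <recovery@mail-reset.info>',
]


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Lower-case, fold Unicode compatibility forms, undo digit-for-letter swaps."""
    return unicodedata.normalize("NFKC", domain).lower().translate(HOMOGLYPH_MAP)


def analyze_from_header(header, max_distance=2):
    """Return a list of findings for one From: header; empty means no signal."""
    value = header.split(":", 1)[1] if header.lower().startswith("from:") else header
    display_name, address = parseaddr(value.strip())
    if "@" not in address:
        return ["no parsable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, trusted) <= max_distance:
            findings.append(f"domain {domain!r} is a lookalike of trusted {trusted!r}")
        elif trusted in domain and not domain.endswith("." + trusted):
            findings.append(f"domain {domain!r} embeds trusted name {trusted!r}")
    lowered_name = normalize(display_name)
    if any(word in lowered_name for word in BRAND_WORDS):
        findings.append(f"display name {display_name!r} invokes our brand from {domain!r}")
    match = EMAIL_IN_NAME.search(display_name)
    if match and match.group(1).lower() != domain:
        findings.append(f"display name shows {match.group(0)!r} but mail is from {domain!r}")
    return findings


def suspicious_headers(headers):
    """Map each header with at least one finding to its findings."""
    return {h: f for h in headers if (f := analyze_from_header(h))}


if __name__ == "__main__":
    for header, findings in suspicious_headers(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings:
            print("   -", finding)
```

The edit-distance rule is deliberately loose (distance two catches “exampie.com” and, after folding the digit, “examp1e.com”), so on a large trusted list it would need tuning; the point is that the things the paragraph tells a reader to look for by eye are exactly the comparisons a filter can make for them, and a hit should prompt the same response: don’t click, ask IT.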

#5 Beware of Suspicious Devices

Our last tip for today covers a couple of seemingly harmless devices hackers can use to trick people. If you find a lost USB thumb drive, do not use it. It may seem like someone forgot it on a table or dropped it on the floor, and you might think you should plug it into a computer to see who it belongs to so you can return it. However, while most thumb drives are simply storage for files, a hacker can set one up to act on your system the moment it is plugged in, stealing the data on your computer or creating backdoor access for them. Then they just have to leave it somewhere it looks forgotten. If you find a thumb drive or similar device, ask around to see who lost it or turn it over to your IT department to deal with.

A regular-looking thumb drive
This could harm your computer

Another device some hackers use, sometimes called a pineapple, looks like a regular Wi-Fi router. However, it can record any data sent through it by computers that connect to it. These networks are often given plausible-sounding names. If you notice a new open Wi-Fi network near your workplace, or the coffee shop you’re taking your lunch break in has a second Wi-Fi network with the same or a similar name, do not connect to it.

Conclusion

Attackers have a wide range of subtle techniques for getting access to sensitive information. But they can be stopped if we all remain aware and vigilant. Always be careful with how you manage sensitive documents and information, and destroy them properly when they’re no longer needed. Be careful of people and messages that can’t be identified, even if they seem legitimate. Be careful of unfamiliar digital devices, even if they appear innocuous. Security starts with individuals, and as long as we’re all alert and careful we can keep our businesses safe.