One thing that is true of all of us as humans, and that we can’t help, is that we have emotions, and emotion is what derails security policy and practice by leading us to make an exception to the rules for what we believe is a good reason. Commonly exploited simple emotions, with an example of how each is exploited, include:
- Greed: A promise you’ll get something very valuable if you do this one thing
- Lust: An offer to look at a sexy picture you just have to see
- Empathy: An appeal for help from someone impersonating someone you know
- Curiosity: Notice of something you just have to know, read, or see
- Vanity: Isn’t this a great picture of you?
These emotions are frequently used to get you to perform a seemingly innocuous action, such as logging into an online account or following an Internet URL (link) from an e-mail or instant messaging client. The actual effect of the action is to install malicious software on your computer or to divulge sensitive information.
Of course, there are more complex emotions exploited by more sophisticated social engineers. While sending someone an instant message with a link that says “I love this photo of you” is a straightforward appeal to their vanity, “Click on this link to get 5 times richer while working from home” is an appeal to their greed.
No matter what emotional button the attacker is attempting to push, the premise is always the same: the intended victim will not sense the risk of their action or guess the real intentions of the attacker until it’s too late or, in many cases, not at all.
An obvious fact about all of us is how we choose passwords: it will probably be the name of our girlfriend or boyfriend, our first child, our best friend from school, our favorite food, our dream holiday destination, our hometown or village, a birthday, and so on. The list of possible guesses goes on and on.
Recently a lot of individuals have fallen victim to exactly these guesses and landed in the hands of an attacker. The result might be identity theft (the attacker takes over your account, so that your whole contact list, friends and private messages are at his or her mercy), or the attacker might patiently keep listening to your account (pray you’re not a celebrity, politician or other public figure) for months before you find out. Sometimes we are smart enough not to use these kinds of passwords, yet our accounts still end up hacked, and one begins to wonder what exactly the problem is or where it came from. Our accounts get hijacked through SOME of the scenarios listed below:
- Phishing: the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
- Password cracking: the process of recovering passwords from data that have been stored in or transmitted by a computer system.
- Social engineering: the psychological manipulation of people into performing actions or divulging confidential information.
- Network sniffing: cyber criminals use sniffing tools to intercept and steal private information such as user identities, passwords, login credentials, card details, e-mails, instant messages and other data, and also to spoof data.
After reading all these possible scenarios, you’re tempted to feel that maybe you need to change your password as often as possible, since that was for a long time regarded as best security practice. But, funny as it might sound, that seems to be another giant factor that might leave your new or recovered account hijacked again.
So, really, changing all your passwords every 30 or 90 days (as it was, and still is, many organizations’ policy) isn’t very worthwhile and isn’t likely to increase your security. That’s a good thing, because many of us would rather walk from New York to Mexico than change our passwords.
As Lorrie Cranor, a Carnegie Mellon computer science professor, recently outlined, the weight of recent research agrees that when people are forced to change their passwords regularly, they don’t put a whole lot of mental muscle behind it. Instead, Cranor notes, in one study people:
“tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”
Admit it, that sounds familiar, even to you IT specialists, right? If not, you are a password hero, worthy of praise and emulation. For the rest of us, though, it’s an all too familiar way to survive the regularly scheduled slog. It’s also perfectly understandable, given how our brains work.
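The transformations Cranor describes are mechanical enough that a password-change form can flag them. The following is an added example, not code from the article or the study; the look-alike substitution tables and the sample pairs are assumptions constructed for illustration.

```python
import re

# Look-alike substitutions of the kind the study describes (S -> $).
# The specific tables here are an assumption of this example.
SYMBOL_LEET = str.maketrans("$@", "sa")
DIGIT_LEET = str.maketrans("013457", "oleast")

def skeletons(pw: str) -> set:
    """Reduce a password to its letter-only 'skeleton' two ways: with
    digits stripped, and with digits undone as look-alike letters
    (Passw0rd -> password). Variants of one base word share a skeleton."""
    base = pw.lower().translate(SYMBOL_LEET)
    stripped = re.sub(r"[^a-z]", "", base)
    with_digits = re.sub(r"[^a-z]", "", base.translate(DIGIT_LEET))
    return {s for s in (stripped, with_digits) if s}

def is_predictable_change(old: str, new: str) -> bool:
    """True when `new` is one of the predictable transformations of `old`
    the quoted study lists: incremented number, letter to look-alike
    symbol, special characters added or removed, or digits and symbols
    moved to the other end. A change form should reject such a change."""
    if old.lower() == new.lower():
        return True
    # Same characters in a different order, e.g. Summer2016 -> 2016Summer.
    if sorted(old.lower()) == sorted(new.lower()):
        return True
    # Same letter skeleton: only digits, symbols or case differ.
    return bool(skeletons(old) & skeletons(new))

if __name__ == "__main__":
    pairs = [  # constructed sample pairs
        ("Summer2016", "Summer2017"),   # incremented number
        ("Summer2016", "$ummer2016"),   # S -> $
        ("Summer!!!", "Summer!!"),      # special character deleted
        ("Summer2016", "2016Summer"),   # digits moved to the front
        ("Summer2016", "correct horse battery staple"),  # genuinely new
    ]
    for old, new in pairs:
        verdict = "predictable" if is_predictable_change(old, new) else "ok"
        print(f"{old!r:16} -> {new!r:32} {verdict}")
```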
I would add you might consider regularly changing passwords for communication-type sites that don’t have two-factor authentication: Email, especially, and things like IM or conferencing services. These are more snoop-friendly services where your attacker might listen in for months before you find out. (On the other hand, you really should be using an email service with two-factor authentication, since it’s a goldmine for hackers if they can get into it. It’s probably the most important account for you to secure, along with your password manager and computer account.) Some services, including Gmail, Facebook, and Dropbox, show you active sessions, so as a general security precaution, you can check those to make sure no one else is logging into your accounts.
The big question running through your mind now will be HOW THEN CAN I SECURE MY ACCOUNT?
A common myth says never to write down passwords. But when you are attacked, most of the time the attacker ‘stole’ the password file remotely; they did not physically enter and take the contents of your desk, wallet, home, diary, etc. I would like to advise something contrary to the long accepted myth: I encourage you to create strong passwords, and to write or record them somewhere you feel is secure enough for reference. The belief that you must always keep your passwords only in your brain may only result in your creating a weak password. Get rid of the anxiety of holding all these passwords in your head, and you’ll get strong passwords. As much as I advise you to write down your passwords, please NEVER leave your password on a sticky note on your computer or under your keyboard! NEVER!!!
Quite a number of times we get sick of having to wait for Google to send us that verification code when we log in on a new device, but I dare say that you need it, and it’s for your own protection.
To a major question posed by the Federal Trade Commission (in its article titled “Time to rethink mandatory password changes”): when should passwords be changed?
“So, should you ever change your password? Well, sometimes. If you have reason to believe your password has been stolen, you should change it, and make sure you change it on all of your accounts where you use the same or a similar password. If you shared your password with a friend, change it. If you saw someone looking over your shoulder as you were typing your password, change it. If you think you might have just given your password to a phishing website, change it. If your current password is weak, change it. If it will make you feel better or if you just feel like it’s time for a change, then by all means go ahead and change your password.”
How often you should change your passwords also depends on the way you use the Internet. It is best for people who habitually use public computers to change their passwords often. In fact, these people may need to come up with a strong password, or change certain ones, much more frequently than people who use personal computers and private Internet connections 100% of the time.
Regardless of why you are changing your password, choose a new password unrelated to the old one and don’t reuse a password from another account. Under some circumstances there may be other steps you should take as well to make sure your system or account has not been compromised in a way that will render your password change ineffective.
Some factors to consider when changing your password.
Attackers attempt to determine weak passwords and to recover passwords from password hashes through two types of techniques: guessing and cracking.
Guessing involves repeatedly attempting to authenticate using default passwords, dictionary words, and other possible passwords.
Cracking is the process of an attacker recovering cryptographic password hashes and using various analysis methods to attempt to identify a character string that will produce one of these hashes, thereby being the equivalent of the password to the targeted system. Guessing can be attempted by any attacker that can access the authentication interface, whereas cracking can only be attempted by an attacker who has already gained access to password hashes.
- Password strength: Having strong passwords helps mitigate guessing and cracking. Password strength is determined by a password’s length and its complexity, which is determined by the unpredictability of its characters. There are only 26 letters in the English alphabet. However, adding the ten digits and the twenty to twenty-five non-alphanumeric characters, you have over sixty characters to use in creating your password. Your password is also case sensitive, so you can use upper and lower case letters too. This increases the security of your password tenfold and decreases the possibility of someone guessing it. An example of a password complexity policy is requiring that characters from at least three of the following four groups be present in every password: lowercase letters, uppercase letters, digits, and symbols.
- Chances of Cracking: Cracking involves attempting to discover a character string that will produce the same encrypted hash as the target password. The discovered string may be the actual password or another password that happens to produce the same hash. If the hash algorithm is weak, cracking may be much easier. Hash functions should be one-way, otherwise attackers that can access hashes may be able to identify passwords from them and successfully authenticate. Another example of a hash algorithm weakness is that some algorithms do not use “salting”. Salting is the inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash. If two users choose the same password, salting can make it highly unlikely that their hashes are the same.
Attackers using cracking techniques often employ rainbow tables, which are lookup tables that contain pre-computed password hashes. These tables allow an attacker to attempt to crack a password with minimal time on the victim system and without constantly having to regenerate hashes when attempting to crack multiple accounts. For instance, the attacker generates or acquires a rainbow table that contains every permutation of a given character set up to a certain length.
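The three points above (the three-of-four complexity policy, the effect of salting, and why pre-computed tables work against unsalted hashes) can be seen together in a few lines. This is an added example, not code from the article; the small candidate list stands in for a rainbow table, the PBKDF2 iteration count is an arbitrary choice, and the sample password is constructed.

```python
import hashlib
import hmac
import os
import string

def meets_complexity(pw: str) -> bool:
    """Policy from the text: at least three of four character groups."""
    groups = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(g(c) for c in pw) for g in groups) >= 3

def unsalted_hash(pw: str) -> str:
    """Plain SHA-256 with no salt: identical passwords hash identically."""
    return hashlib.sha256(pw.encode()).hexdigest()

def build_lookup_table(candidates) -> dict:
    """Stand-in for a rainbow table: hash -> password, computed once."""
    return {unsalted_hash(c): c for c in candidates}

def salted_hash(pw: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def store_salted(pw: str) -> tuple:
    salt = os.urandom(16)          # fresh salt for every stored password
    return salt, salted_hash(pw, salt)

def verify_salted(pw: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(salted_hash(pw, salt), stored)

def demo() -> dict:
    # Constructed sample: two users who happen to choose the same password.
    pw = "Summer2016"
    table = build_lookup_table(["password", "Summer2016", "qwerty123"])
    # Unsalted: one precomputed lookup recovers both accounts at once.
    cracked = table.get(unsalted_hash(pw))
    # Salted: the two records differ and the table cannot be reused.
    salt_a, h_a = store_salted(pw)
    salt_b, h_b = store_salted(pw)
    return {
        "policy_ok": meets_complexity(pw),      # passes 3-of-4, still cracked
        "unsalted_cracked": cracked,
        "salted_hashes_equal": h_a == h_b,
        "salted_in_table": h_a.hex() in table,
        "verify_ok": verify_salted(pw, salt_a, h_a),
    }

if __name__ == "__main__":
    print(demo())
```

Note that the sample password satisfies the three-of-four policy and is still recovered instantly from the unsalted table; complexity rules alone do not substitute for salting and a slow hash.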
If you forget any part of this whole long talk, always remember that it’s much more important to choose a unique password for every account, one as long as possible, ideally combining multiple languages rather than just an English word, and to strengthen all your other security options (two-factor authentication, making your password recovery questions unguessable, and backing everything up), because, in the end, strong passwords aren’t enough—no matter how often you change them.