Table of Contents

1. Introduction
2. Introduction to Cybersecurity
3. Cybersecurity Threats
   • 3.1 Social Engineering
   • 3.2 Malware
   • 3.3 Malicious Websites
4. Personal Security
5. Password Security
6. Secure Online Communications
   • 6.1 Secure your Instant Messaging Apps

5. Password Security

Passwords are used to log into most systems and applications. With increasing number of online accounts, people have a tendency to use simple and easy to remember passwords that are shared among these sites. For instance, you will find someone using the same password for both gmail and facebook. Cyber attackers will try common password phrases in an attempt to crack your password. If correctly cracked, the attacker has access to all the sites that this password is used, especially when multi-factor authentication is not enabled.

How are passwords discovered?

1. Interception - Passwords can be intercepted as they travel over a network.
2. Brute force - Automated guessing of billions of passwords until correct one is found.
3. Dictionary attacks - Avoid consecutive keyboard combinations— such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields.
4. Key logging - Installing a keylogger to intercept passwords when they are entered.
5. Shoulder surfing - Observing someone typing in their password.
6. Manual guessing - Information posted online such as dates of birth or pet names can be used to guess passwords.
7. Cracking security questions - When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile.
8. Phishing and coercion - Using social engineering techniques to trick people into revealing passwords.
9. Data breaches - Using the passwords leaked from data breaches to attack other systems.
10. Stealing passwords - Insecurely stored passwords can be stolen, such as ones written on sticky notes and kept near(or on) devices.
11. Stolen hashes - Stolen hash files can be broken to recover the original passwords.
12. Password spraying - Trying commonly-used passwords to access a large number of accounts.

Passwords can only do so much. Even when implemented correctly, passwords are limited in helping prevent unauthorized access. If an attacker discovers or guesses the password, they are able to impersonate a user.

What makes a password strong ?

Strong passwords are hard to guess. Characteristics of a strong password include:

1. At least 12 characters—the more characters, the better
2. A mixture of both uppercase and lowercase letters
3. A mixture of letters and numbers
4. Inclusion of at least one special character, e.g., ! @ # ? ]

Avoid the use of predictable passwords such as your name, date of birth, pet’s names etc. Through social media, attackers can collect this kind of information and thus make it easier for them to compromise your password and access your accounts.

How to make your passwords secure

1. Make sure you use different passwords for each of your accounts.
2. Be sure no one watches when you enter your password. Always watch out for shoulder surfers.
3. Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.
4. Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.
5. Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.
6. Avoid entering passwords when using open/unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and sensitive data over this unsecured connection.
7. Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.
8. Separate personal from work. Use separate passwords for personal and work accounts. In case attackers compromise your personal accounts, your work accounts will be safe.
9. Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least six months.
10. Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
11. Do use at least twelve characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.
12. Don’t bunch up your special characters. Put your digits, symbols, and capital letters spread throughout the middle of your password, not just at the beginning or end.

It’s important to always use Multi Factor Authentication(MFA) on all of your accounts. MFA is a method to double check whether it is you trying to access the account. Other than the password or passcode, another factor such as a security token or a smartphone can be used to validate that you are who you say you are online. An example is when you log into gmail and a verification code is sent to your mobile phone.

Password managers

You can use a password manager to store your passwords for you. The major browsers all have password storage systems, while cloud options like LastPass work from any computer with internet access.

There are pros and cons to this method.

Pros

1. Humans can be unreliable as they can come up with bad/weak passwords, forget their password, or are genuinely disinterested in their own security. With a Password Manager there is no need to worry about remembering all your different passwords.
2. Using the same credentials for each account is dangerous as it creates one point of failure.
3. Good password managers encrypt all your personal data in case someone hacks the PM software directly; the hacker might get your passwords but they won’t know who the passwords belong to.
4. Password Managers can keep you up to date with the latest breaches and advise you if any accounts may have been affected/hacked.
5. Can use offline password manager (not stored on the web/not a web browser plugin like KeePass

Cons

1. Single point of failure - if someone gets hold of your master password, they have all your passwords.
2. Password manager programs are a target for hackers.
3. It’s not easy to login using multiple devices.
4. If the main password is used/typed/saved on a computer with malware, your main password can compromise all your other passwords controlled by the Password Manager - all your passwords are only as secure as your master password.
5. Not all PM’s are adequately encrypted which can render the whole process of setting one up useless.

Perhaps the simplest advice we can give, is to have Two Factor Authentication(2FA) when possible. Two factor authentication is a two step verification that along with your password and username, requires another level of authentication. Hence, if someone gets hold of your password, they won’t be able to proceed without entering the next level of authentication.

Activity

• Take participants through identification of weak and strong passwords.
• Participants to set up their own password vault using Docker

Resources

• You need a password manager
• 7 Password Experts on How to Lock Down Your Online Security

Next > 6. Secure Online Communications