Techies constantly preach about the importance of a strong password. If you knew why, you might not be so laid-back about the strength of your own passes. Grant McMaster explains…
Choosing a strong password for your online sites and secure logins is something that all the inhabitants of the Internet are advised to do. The bogeymen of the Internet, the hackers, crackers, phishers and pranksters are all waiting in the shadows, often with criminal intent toward the unwitting netizen.
Despite being told that these forces of mischief are lying in wait for the unwary or careless, not much is ever said about why strong passwords are necessary.
Password cracking is a well developed and often quite sophisticated affair that has been going on since well before Matthew Broderick’s ‘David’ hacked into the fictional WOPR computer system in Wargames and asked to play a game.
In the 21 years since Wargames graced the screens of cinemas across the world some things have changed in the world of the hacker, and yet some things have remained more or less the same, albeit now occurring on hardware which gives even the simplest of hacking methods a powerful boost.
Here are a few of the hacking methods which give cause for a good password…
A brute force crack will basically try thousands of different password combinations, and it will keep going until it finds success. This is most effective when used against the inbuilt ‘Administrator’ account, but it is very time consuming and processor intensive for the hacking system.
Defend against it by choosing a strong alphanumeric password with special characters, but try to avoid easily remembered letter combinations, such as common words or names. You should also try to make your password at least 16 characters long.
This form of attack uses a list of passwords which are likely to succeed, unlike the brute force attack, which keeps going until something gives. It’s popular due to its speed, which is largely because people have a tendency to choose weak passwords.
Defending against it is the same as against the brute force method. Choose a long, random password consisting of capital letters, lower case letters, numbers and, if allowed, special characters.
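To see how the advice above plays out against both attacks, here is a small password audit, added as an example and not part of the original article. The word list is a constructed sample and the guessing rate is an assumed figure; the function names are hypothetical.

```python
import math
import string

# Constructed sample of commonly chosen passwords (illustrative, not a real leak list).
COMMON = {"password", "letmein", "qwerty", "dragon", "monkey", "123456", "welcome"}
# Assumed offline guessing rate; real rates depend on the hash and the hardware.
GUESSES_PER_SECOND = 1e10
# Undo common character swaps (0->o, 1->l, 3->e, ...) before the word-list lookup.
LEET = str.maketrans("0134578@$!", "oleastbasi")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(pw):
    """Alphabet size a brute-force search must cover to reach this password."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    others = {c for c in pw if not any(c in cls for cls in CLASSES)}
    return size + len(others)


def brute_force_bits(pw):
    """log2 of the number of candidates of this length over that alphabet."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def in_word_list(pw):
    """True if the password is a listed word, even with swaps or a numeric tail."""
    low = pw.lower()
    stem = low.rstrip(string.digits + string.punctuation)
    return any(c in COMMON for c in (low, stem, low.translate(LEET), stem.translate(LEET)))


def audit(pw):
    bits = brute_force_bits(pw)
    listed = in_word_list(pw)
    has_classes = all(any(c in cls for c in pw) for cls in CLASSES[:3])
    return {
        "listed": listed,
        "bits": round(bits, 1),
        "years_to_exhaust": 2 ** bits / GUESSES_PER_SECOND / (365 * 24 * 3600),
        # The article's advice: 16+ characters, upper, lower and digits, no common word.
        "meets_advice": len(pw) >= 16 and has_classes and not listed,
    }


if __name__ == "__main__":
    for candidate in ("dragon", "P@ssw0rd1!", "kT9#vQ2m!xR7wZ4p"):
        print(candidate, audit(candidate))
```

A password such as P@ssw0rd1! scores well on the brute-force estimate yet is still flagged as listed, which is why length and character variety alone are not enough.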
Social engineering is the sort of scam that involves a hacker emailing or even calling you. In these calls or emails, they make you believe they are a trusted source – such as your hosting company or even bank – in order to manipulate you to get information.
You may think you’re immune to this if you’re a solo server owner or operator, yet it doesn’t take much for a canny cracker to work out who’s hosting your server and call you with those details.
The answer to this? Thank them for their time then hang up and call the company yourself on a number you already know to be legitimate. The chances are the company will want to know that someone is impersonating them and that one of their hosted boxes is under threat.
Check the access to your computers, and implement a checklist for anyone who has access to your server; ensure that their passwords are suitably complex, secure, and have no connection to their personal or work life.
If someone knows you, there’s a chance they can guess your password based on what they observe of you. Don’t choose obvious passwords such as your birthday, family, hobbies, interests, pets or any word visible in your office on the spines of books, certificates and the like.
Phishing is everywhere in online life, whether it’s in spam e-mails appearing to be from major online retailers or your bank, or in sites which lead to a fake page which seems identical to the original.
The scam occurs when you enter your login details. The phishing site stores and forwards those details to the hacker who can then use them to access your accounts and steal them. Sometimes this process is even automated, occurring as soon as you pass over your details.
The trick to avoiding these attacks is to always check any URL before clicking on it. If an e-mail from Google invites you to log in, and doesn’t clearly show the secure (https://) prefix followed by the recognisable Google address you use, but instead looks like a plain IP address, the chances are it’s a scam. Delete, report or just ignore it.
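The same check can be written down as code. This is an added example, not part of the original article; the function name is hypothetical and the sample links are constructed, using reserved documentation addresses. It goes slightly beyond the text by also catching a trusted name placed in front of an @ sign or used as a prefix of another domain.

```python
import ipaddress
from urllib.parse import urlsplit


def check_link(url, expected_domain):
    """Return the reasons a link should not be trusted (empty list = passes)."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        problems.append("not https")
    # In https://name@host/ the part before @ is only a user name, not the site.
    if parts.username is not None:
        problems.append("text before @ is not the host")
    try:
        ipaddress.ip_address(host)
        problems.append("host is a bare IP address")
    except ValueError:
        pass  # not an IP literal, so it is a host name
    # Accept the expected domain itself or a true subdomain of it, nothing else.
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        problems.append("host is not " + expected)
    return problems


if __name__ == "__main__":
    # Constructed sample links for illustration only.
    samples = [
        "https://accounts.google.com/signin",
        "http://203.0.113.9/google/signin",
        "https://google.com.login.example/",
        "https://accounts.google.com@198.51.100.7/",
    ]
    for link in samples:
        print(link, "->", check_link(link, "google.com") or "ok")
```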
Key Loggers and Trojans
E-mails, pirated software and dodgy websites are the prime culprits for trojans and key loggers.
Trojans are small and often unobtrusive viruses which infiltrate an unprotected system and allow the hacker varying levels of control, ranging from the covert sending of e-mails through to full system control.
Many Trojans exist simply to install hidden key loggers, which record every letter you type and report it to the hacker, who is then able to use this logged data to access your secure accounts.
Fortunately, good antivirus software and a firewall on your PC will protect you against most of these, as long as they are up to date and enabled.
Many browsers store site passwords to save the user time and effort. This isn’t a good practice, especially with the appearance of the Heartbleed bug, which exploits well-known security weaknesses within the TLS protocols. You’ll be pleased to know the Heartbleed bug is under control now, but it’s a good example of a browser hijack.
These aren’t bugs you can directly prevent as a user, except by making sure that you use a different complex password for every site which you visit.
Viruses and scams can occur on all sorts of platforms – from Windows to Smartphones. However, if you take your online security seriously, you can protect yourself against most of them well enough.
Keeping safe from the nefarious denizens of the net doesn’t require an in-depth knowledge of hacking methods. Just make sure that you have up-to-date antivirus running, Windows Firewall or a reputable third-party firewall, as well as a good malware suite such as ‘Spybot Search and Destroy.’ These tools, combined with a strong password and conscientious habits, will go a long way toward protecting you on the internet.
For extra security, you can download hacking and cracking tools from websites on the web; you can even get these tools for your smartphone. Installing script control, such as NoScript, and ad blockers, like AdBlock, in your browser, and restricting Java, will also increase security and, if configured correctly, shouldn’t cause noticeable problems.