How good is your account lock?  [photo: Henrik Hemrin]

Introduction

This article is about doing what you can to protect your login credentials and thereby keep your accounts protected. It is relevant for any type of computer: desktop, laptop, tablet or smartphone. And don't forget your router, switch and other connected devices. When I write about accounts, I mean all of them: Google, Microsoft, Facebook, Elgiganten, Adlibris and so on.

"Nobody gets hacked. To get hacked you need somebody with 197 IQ and he needs about 15 percent of your password," said President Donald Trump in a nine-second video clip linked on Twitter. Forbes published a related article, Trump 'Nobody Gets Hacked' Video Goes Viral, written by Kate O'Flaherty on 20 October 2020. The article clearly states that the President is wrong.

TechCrunch reported on 22 October 2020, in the article President Trump's Twitter accessed by security expert who guessed password 'maga2020!', that a Dutch security researcher had accessed Trump's Twitter account by guessing his password, only a few days after Trump's speech. The article also tells that his Twitter account was hacked in the same manner in 2016, when a hacker tried "youarefired". That had been Trump's password on LinkedIn, exposed in a data breach back in 2012, and apparently he reused it on Twitter. At the time of the October 2020 hack, Trump did not use two-factor authentication (2FA).

Use two factor authentication (2FA) whenever possible

The first factor is the password. A password is something you know: a static, soft code that lives in your brain (or wherever else you keep it). The second factor comes in addition to the password and requires a physical device to receive or generate a second code, which is dynamic and changes over time. One common 2FA method is a code sent via SMS. Another, more secure, method is a code generated by a dedicated authenticator application on your phone or another device. SMS codes can be intercepted or redirected (for example through a SIM-swap attack against your phone number), which is why the authenticator app is the better choice when the service offers it.

The book Hacking Multifactor Authentication by Roger A. Grimes was released in October 2020. When I (hopefully) have read it, I may have to alter what I write here and now.

Change a password as soon as it has been leaked, one way or another

As soon as someone else knows your password, you can take for granted that it is known by the whole world.

Use each password only once

Do not reuse a password on multiple accounts. Once it has been broken on one of your accounts, assume it will be tried on your other accounts as well; this automated trying of leaked username and password pairs against other sites is what the Trump LinkedIn-to-Twitter case above shows. To minimize the damage, have a unique password for each login. If you do have the same password in several places, you should change it everywhere immediately after it has been revealed at one of your accounts. But it may take some time before you know it has been exposed, so by then someone may already have walked into your other accounts. So, act now instead of waiting for a problem! I would add the recommendation not to use your Google or Facebook account, for example, to log in to other accounts.

Avoid the most stupid and simple passwords

Do not use "password01", your name or other very simple or stupid words as your password.

The database at "Have I Been Pwned" stores information about data breaches of user accounts. Those data breaches are generally not our fault as end users, but we get affected. Breaches are numerous, almost countless. They originate from someone having gained access to the databases where the registrations are stored. Have I Been Pwned started to collect those breaches after the famous Adobe breach.

Regarding relatively simple passwords: for fun, I checked some simple passwords against the Pwned Passwords part of Have I Been Pwned to find out whether they have been exposed in a data breach. The count gives a hint of how many people use the same password (the same person can have been exposed multiple times in different data breaches). Besides the number, the result page states: "Oh no — pwned! This password has been seen [number] times before. This password has previously appeared in a data breach and should never be used. If you've ever used it anywhere before, change it!"

Password: times seen
harrypotter: 54,198
kalleanka: 4,195
stockholm: 6,320
gnaget: 2,317
bajen: 437
bajen123: 299
mamma: 20,739
pappa: 2,650
maga2020: 60
youarefired: 17
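The Pwned Passwords lookup above can be done without sending your password anywhere. As an added example (my own illustration, not code from the article or from Have I Been Pwned), the check below uses the service's k-anonymity range API: only the first five hex characters of the password's SHA-1 hash are sent, the service answers with every hash suffix it knows for that prefix, and the match is made locally. The range response embedded here is constructed for the example (the real response for that prefix has hundreds of lines and different counts); the `fetch_range` function does talk to the real endpoint if you call it.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response, one 'SUFFIX:COUNT' per line, and return the
    count for our suffix, or 0 if the suffix is not listed. Padded responses
    contain filler lines with count 0, which fall out naturally."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call to the real API. Add-Padding asks the service to pad the
    answer so response size does not reveal how many hashes share the prefix."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not seen).
    `fetch` is injectable so the logic can be exercised offline."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# with 5BAA6). The counts are invented for the example; the real count for
# "password" is in the millions.
SAMPLE_RANGE_5BAA6 = """\
00000000000000000000000000000000000:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F0A1C3E8B8C9F5D3F4B2A1C0D9E8F7A6B5:2
"""


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    print("password:", pwned_count("password", fetch=offline))
    # Uncomment to query the live service (sends only the 5-char prefix):
    # print("password:", pwned_count("password"))
```

A real password manager or signup form does the same thing; the caveat is that the application must never log the full hash or the password itself, and a count of 0 only says the password is not in the known breaches, not that it is strong.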


In the Have I Been Pwned database it is also possible to check whether an e-mail address has been part of a data breach. As you know, the e-mail address is often used as the identity in registrations. To play, I entered the (assumed) company e-mail address of the former Ericsson CEO (the address itself is not reproduced on this page). Have I Been Pwned answered:

"Oh no — pwned! Pwned on 9 breached sites and found 1 paste." Then follows a list of where those breaches happened. Remark: Hans Vestberg no longer works at Ericsson; he is currently Chairman and CEO of Verizon.

A CEO, just like you and I, can have breaches of accounts at one or many sites. Me included.

Use long and random passwords (at least if you have a Password Manager)

I believe long and random passwords help to protect my accounts. Like this one: "gErv.azZZZzs@e4*KdzUfrL_nHzDrhK6JGk4WQpDY.8dTE".

The technical article Your Pa$$word doesn't matter, published 07-09-2019 08:58 AM by Microsoft staff member Alex Weinert on a Microsoft Tech Community site, concludes that an eight-character password is enough. This conclusion bothered me.

But when reading the article in more detail, I understand that this is a pragmatic view, considering normal human behaviour and the methods by which accounts actually get hacked: online guessing is rate-limited, so the attacker gets few tries, and the common attacks (phishing, credential stuffing, password spraying) work regardless of length. The article states that 2FA is far more important to activate than having longer passwords. But the article also states that long passwords generated by a Password Manager add an extra level of security. So I still recommend long and random passwords because:

  • It is something I can do to add protection to my account
  • Not all registrations allow 2FA
  • The article is written from the experience of Microsoft products and for their administrators. Database extraction and offline cracking do indeed occur, as can be seen from all the data in Have I Been Pwned, and against offline cracking length is what counts
  • A Password Manager is in any case a good and useful tool
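To put numbers on "long and random", here is an added example (my own illustration, not code from the article or from any Password Manager) that generates a password from the operating system's cryptographic random source and computes its entropy, i.e. how many guesses an attacker who has stolen the password database needs in the worst case. The alphabet and the guess rates are assumptions for the example: roughly 10 guesses per second for rate-limited online guessing, and 10^10 per second for offline cracking of a fast hash on a GPU rig.

```python
import math
import secrets
import string

# Assumed alphabet for the example: 52 letters, 10 digits, 19 symbols = 81 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+.,:;?"

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Uniformly random characters from `alphabet`, using the CSPRNG
    (`secrets`, not `random`, which is predictable)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Only valid for truly random choice, not for human-chosen passwords."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(length: int, alphabet_size: int = len(ALPHABET),
            online_rate: float = 10.0, offline_rate: float = 1e10) -> dict:
    """Summarise why length matters offline but hardly at all online."""
    bits = entropy_bits(length, alphabet_size)
    return {
        "length": length,
        "bits": round(bits, 1),
        "online_years": years_to_exhaust(bits, online_rate),
        "offline_years": years_to_exhaust(bits, offline_rate),
    }


if __name__ == "__main__":
    for n in (8, 16, 46):
        print(compare(n))
    print("example:", generate_password(46))
    # Diceware-style passphrase from a 7776-word list: ~12.9 bits per word,
    # so six words give about the same entropy as 12 random characters here.
    print("6 words of 7776:", round(entropy_bits(6, 7776), 1), "bits")
```

The point the table makes: eight random characters (about 51 bits) hold up against online guessing for far longer than any account will exist, which is the article's argument, but fall to offline cracking in days once the hash database has leaked, whereas 46 random characters are beyond any brute force. The catch is that nobody remembers 46 random characters, which is why this recommendation goes together with a Password Manager.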

Software (don't click)

I should briefly mention what is probably the most important advice for keeping your accounts protected. Think twice, or more, before you click a link, open a document or something else sent to you by e-mail, found on a web site and so on. They may contain something that, one way or another, will harm you, such as a fake login page that captures your password or an attachment that installs malware. Of course we must click and open many things, but think first about whether it might be a risk, even if it comes from a person you trust, since that person's account may itself have been taken over. Anti-virus software can help to protect you. Also, as a general rule, keep all your software updated.

Password Manager

I use a Password Manager. You can read about how I started to use a Password Manager in the article How I handle Passwords.

Disclaimer: I am not an IT Security expert. I am a daily internet user trying to understand and share knowledge from the best I understand the topic.

Henrik Hemrin

12 November 2020
