Tuesday, August 06, 2013
Password Security, Think You're Safe?
Unfortunately this is how a lot of people think when it comes to creating a password. I read an article this morning about the most popular PIN numbers, and one statistic really surprised me: "DataGenetics says thieves can correctly guess more than 25 percent of PIN codes within 20 tries." This is because most people just don't want to be bothered with security, or have to remember more secure passwords/PINs. The effects of having this mindset can sometimes be catastrophic. I'll bet that when it comes to PINs for your bank card, more than half of our readers have a PIN that is either (a) their birthday, (b) a sequence such as "4567", or (c) some other meaningful numbers like their address or last 4 digits of their phone number.
Getting back to the password issue, we had one client earlier this year, let's call him "Bill", who had an email account compromised. His password? Apparently he had simply set it to his last name. For those of you who weren't aware, someone hacking into email accounts isn't sitting at a computer with a large cup of coffee, typing in one new password after another. It's much easier than you think to use a "dictionary attack": a program that tries millions of candidate passwords (common words, names, and simple variations of them) one after another against the login. Use a simple password, and the likelihood is good that your account will eventually get hacked. In Bill's case, the hacker gained access to his email account and began sending spam messages out to thousands of addresses. Once we identified the compromised account, we changed the password to something more secure and informed the client of what had happened. We told Bill his new password and thought he understood the reasoning, but within a few weeks Bill didn't want to keep remembering the new password, so he changed it back to his last name.
I'm sure you can guess what happened next. The account was compromised again, and we changed the password again, this time to a new randomly generated series of letters, numbers, and symbols. We also configured our server to enforce a higher minimum password strength when passwords are changed, to prevent similar situations. Bill called us about two weeks ago requesting we change his password back to his last name, which, in the best interest of our client, we of course were unable to do.
There are several measures we can have in place to prevent some of the hacking attempts: firewall rules which block all activity from an IP address after a certain number of failed logins, a required minimum strength for passwords, and so on. These things are helpful, but at the end of the day, nothing is going to prevent unauthorized access to one of your accounts like a strong, secure password. Try to remember this next time you find yourself typing "Lucky123" when signing up for something online.
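The two server-side measures mentioned above (a minimum password strength that rejects passwords like a last name or "Lucky123", and blocking an IP address after repeated failed logins) are easy to sketch in code. The following is an added example written for this post, not code from the original post or from the company's own server; the policy thresholds, the small word blocklist, the log line format, and the IP addresses (from the documentation ranges) are all constructed for illustration.

```python
import re
from collections import Counter

# Hypothetical blocklist: a handful of words any password-guessing wordlist
# would contain. A real deployment would load a large wordlist here.
BLOCKLIST = {"password", "lucky", "welcome", "qwerty", "letmein"}

MIN_LENGTH = 12          # assumed policy value
MAX_FAILED_LOGINS = 5    # assumed lockout threshold per source IP


def password_problems(password, user_terms=()):
    """Return the list of policy violations for a password (empty list = accepted).

    user_terms are strings tied to the account (last name, username) that the
    post shows are guessed first; they are rejected regardless of letter case.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than 3 of: lowercase, uppercase, digit, symbol")
    # Strip trailing digits/symbols so "Lucky123" and "Lucky123!" both reduce to "lucky";
    # this catches the most common way people "decorate" a dictionary word.
    core = re.sub(r"[^a-zA-Z]+$", "", password).lower()
    if core in BLOCKLIST:
        problems.append("based on a common dictionary word")
    for term in user_terms:
        if term and term.lower() in password.lower():
            problems.append(f"contains account-related term '{term}'")
    return problems


# Constructed log format: "<timestamp> auth <ok|failed> user=<name> ip=<addr>"
LOG_LINE = re.compile(r"auth (?P<result>ok|failed) user=(?P<user>\S+) ip=(?P<ip>\S+)")


def ips_to_block(log_lines, threshold=MAX_FAILED_LOGINS):
    """Return the set of source IPs with at least `threshold` failed logins.

    This mirrors the firewall rule in the post: once an address has produced
    that many failures, the address (not just the account) is cut off, which
    stops a guessing program long before it gets through a wordlist.
    """
    failures = Counter()
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("result") == "failed":
            failures[m.group("ip")] += 1
    return {ip for ip, n in failures.items() if n >= threshold}


# Constructed sample log: one address hammering "bill", one legitimate typo.
SAMPLE_LOG = [
    "2013-08-06T09:01:12 auth failed user=bill ip=203.0.113.5",
    "2013-08-06T09:01:13 auth failed user=bill ip=203.0.113.5",
    "2013-08-06T09:01:13 auth failed user=bill ip=203.0.113.5",
    "2013-08-06T09:01:14 auth failed user=bill ip=203.0.113.5",
    "2013-08-06T09:01:14 auth failed user=bill ip=203.0.113.5",
    "2013-08-06T09:03:40 auth failed user=alice ip=198.51.100.7",
    "2013-08-06T09:03:52 auth ok user=alice ip=198.51.100.7",
]


if __name__ == "__main__":
    for pw in ("Smith", "Lucky123", "correct-Horse9-staple"):
        print(f"{pw!r}: {password_problems(pw, user_terms=('Smith',)) or 'accepted'}")
    print("block:", sorted(ips_to_block(SAMPLE_LOG)))
```

Run as a script, the password check rejects "Smith" (too short, too few character classes, and it is the account holder's last name) and "Lucky123" (too short and a decorated dictionary word), while the long mixed passphrase is accepted; the log scan flags only the address with five failures, not the user who mistyped once. Counting failures per source address rather than per account is what keeps a guessing program from simply rotating through many usernames.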