To mark this year’s World Password Day – 5 May – the Cyber Resilience Centre for Wales’s Director, Detective Superintendent Paul Peters, takes us through the importance of having a password that no one can break, ensuring you and your business stay protected.
“It’s true! Some people are still using the word ‘password’ as their own! How do I know this? I was speaking to one of our members and discussing the improvements they are now putting in place following the free meeting we offer all our members to discuss cyber security.
“As a result of this meeting, this organisation recognised that it had sensitive data and to protect that data the team implemented two-factor authentication and had an awareness drive on the risk of cybercrime.
“A policy was introduced where the staff were required to follow the latest guidance of three random words as a password. To back this up, a report was run to monitor the strength of individuals’ passwords and where these were shown as weak, the individual was asked to change it to a more secure password. During this process, someone had in fact revealed that they had been using ‘password’ as their password.
“If you look at a brute force password calculator, like the one shown below, this shows that the password ‘password’ can be cracked instantly, so providing no protection at all. A brute force attack (also known as brute force cracking) is the cyberattack equivalent of trying every key on your key ring, and eventually finding the right one. Yet in this case the attacker uses a computer to do the work – for example, trying different combinations of usernames and passwords – until they find one that works.”
Hive Systems made the colour-coded table (pictured), showing how safe users' passwords really are.
Paul continues: “Then there are the data breaches that we hear about so often. How many of us have had our password compromised by these? Do you know if you have had a password compromised? Have you been using the same password for multiple accounts?
“I was talking to a colleague recently and they recounted the story about how they had used the same login details and password for their Amazon account as their children’s online game account. The online game was hacked, and the account information compromised. My colleague then discovered that there had been a number of unauthorised purchases on his account, and with a bit of investigation realised that the compromise was because of the data breach.
“This is not an uncommon story, but what can you do? Well, check out www.haveibeenpwned.com. This is a website that provides the means for the general public to check if their private information has been leaked or compromised.
“Visitors to the website can enter an email address and see a list of all known data breaches with records tied to that email address. The website also provides details about each data breach, such as the backstory of the breach and what specific types of data were included in it.
“You can also sign up to be notified about future breaches. If you have a data breach linked to your email, then make sure you are not using that password; if you are, then change it, and make sure you use a different password for each of your accounts,” concludes Paul.
The WCRC offers a variety of support in the form of membership packages, starting with free membership, as well as a number of additional services that offer companies training and assessments in cyber security.