WITH HIS Twitter and Pinterest accounts hacked recently, Facebook CEO Mark Zuckerberg was the latest to fall prey to cyber crime. As per news reports, the founder of the world’s biggest social network had used ‘Dadada’ as the password for his two accounts, which were hacked by a group called ‘OurMine Team’. The group said it was just ‘testing’ Zuckerberg’s online security. The accounts were restored in no time, but the damage was done.
Zuckerberg isn’t alone in setting easy-to-crack passwords. As per experts, the most common password that people use is ‘password’. Then there is ‘123456’. Other popular contenders include ‘12345678’, ‘abc123’ and ‘qwerty’. These might be super easy to remember for a user, but for a cyber criminal, cracking such a password is a piece of cake. Sure, some hackers do it just for fun—as was evident recently when a Russian hacker traded more than 272 million passwords and other account details to a cyber security firm just for some social media praise and ‘likes’—but not every hacker’s intentions are harmless. Sometimes, the consequences can be catastrophic, especially for big organisations dealing with personal or financial data of millions of customers.
The biggest issue with passwords, as many would agree, is remembering them. In fact, that’s the main reason why people set easy passwords and often reuse them for a number of accounts—the two biggest mistakes, as per experts. Another reason why people repeat passwords is the stringent norms and requirements that prompt them to use ‘special’ characters, numbers, etc, which make it all the more difficult to remember. “These days, passwords have to be in an alpha-numeric format and should have special characters. Also, companies that handle payment card industry data and other critical information have to comply with a lot of security norms by virtue of international standards. These norms require the user to change their password, say, every three months. So it’s getting harder and harder to remember them. Companies are also imposing a lot of password policies, which lead people to set passwords that are easy to guess,” says a New Delhi-based security researcher with a leading Fortune 500 company, who didn’t want to be named.
Apart from websites, apps, too, need passwords these days. And if users deploy crackable passwords—such as ‘password’—their accounts become extremely vulnerable to attacks. “People are not aware of the risks of having simple passwords. So we have a set of guiding principles in terms of how you define a password: it’s got to be about eight characters, should include multiple characters, capitals, underscores, etc. The whole idea is to build a complex password, so that no one is able to hack it. But the biggest challenge is that you have to remember it yourself,” says Venkat Krishnapur, head, operations, India Engineering Centre, Intel Security Group, which provides virus protection and Internet security.
Users try every trick in the book to remember passwords—saving them in the browser, writing them on sticky notes and even sharing them with someone else—but there seems to be no respite. From keylogging (recording the keys struck on a keyboard) to phishing attacks, hackers’ arsenal keeps evolving at a frightening pace. “Password-cracking techniques such as a brute-force attack can run a combination of character sets or all the keys available on the keyboard. If the password strength is weak, that is, if it does not have a combination of capital letters, small letters, numbers and symbols, it can be cracked in no time,” says Rizwan Shaikh, a Mumbai-based ethical hacker, and information security and cyber crime consultant.
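The two attacks in the paragraph above, a dictionary hit on a well-known password and an exhaustive search over the character classes the password uses, can be estimated with a few lines of code. The following is an added example for this article, not code from any of the experts quoted; the list of common passwords is constructed from the ones the article names (plus ‘Dadada’ and one extra entry), the guess rate of ten billion per second is an assumed figure for an offline attack against a fast hash, and the 10-character minimum is taken from the recommendation further down the page.

```python
import string

# Constructed common-password list: the entries named in the article, the
# 'Dadada' password from the Zuckerberg incident, and one extra example.
COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty", "dadada", "letmein"}

# Character classes an attacker must include in the brute-force alphabet
# to be sure of covering the password.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed attacker speed: ~1e10 guesses/second is typical for GPU cracking of
# a fast, unsalted hash; adjust for slow hashes (bcrypt, scrypt, Argon2).
DEFAULT_GUESS_RATE = 1e10


def charset_size(password: str) -> int:
    """Size of the smallest keyboard alphabet that contains every character used."""
    chars = set(password)
    size = sum(len(members) for members in CLASSES.values() if chars & members)
    leftover = chars - set().union(*CLASSES.values())   # e.g. spaces, non-ASCII
    return size + len(leftover)


def search_space(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length must try (worst case)."""
    return charset_size(password) ** len(password)


def is_common(password: str) -> bool:
    """Dictionary check, case-folded so 'Password' or 'DADADA' still match."""
    return password.lower() in COMMON_PASSWORDS


def crack_time_seconds(password: str, guesses_per_second: float = DEFAULT_GUESS_RATE) -> float:
    """Worst-case brute-force time; a password on the common list falls on the first pass."""
    if is_common(password):
        return 0.0
    return search_space(password) / guesses_per_second


def assess(password: str, min_length: int = 10) -> dict:
    """Verdict in the article's terms: common, short, or acceptable on these measures."""
    if is_common(password):
        verdict = "common"
    elif len(password) < min_length:
        verdict = "short"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "alphabet": charset_size(password),
        "search_space": search_space(password),
        "crack_seconds": crack_time_seconds(password),
    }


if __name__ == "__main__":
    for candidate in ("password", "Dadada", "Qwerty123!", "correct horse battery staple"):
        report = assess(candidate)
        print(f"{candidate!r}: {report['verdict']}, alphabet {report['alphabet']}, "
              f"worst-case {report['crack_seconds']:.3g} s")
```

Note what the numbers say: mixing classes helps, but ‘Dadada’ is found instantly because it is on the list, and a short password with all four classes is still exhausted in minutes at this rate, while each extra character multiplies the work by the alphabet size. Length and unpredictability matter more than satisfying a complexity checklist.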
And if people reuse passwords for multiple accounts, a single username and password pair stolen from one site can be replayed against the others within minutes, because the credential never changes. “Identity theft accounted for 53% of data breaches in the first half of 2015, as per the 2015 Breach Level Index (a database that tracks breaches globally). This shows that cyber criminals are becoming increasingly sophisticated,” says Atul Singh, regional director, India subcontinent, banking, transport and telecom solutions, Gemalto, an international digital security company. Below then are some ways you can enhance your security online…
ON AN individual level, experts say users who want to stay out of the clutches of hackers should change their passwords regularly and make each one at least 10 characters long, with a mix of upper and lowercase letters, special characters and punctuation. Another option is to use a line of poetry as a passphrase, as it’s long but easy to remember. Other ways include:
Password manager applications
When it comes to third-party help, one solution companies have adopted is the use of password manager applications such as KeepSafe, FlashID, Dashlane, among others. These password managers can either be desktop-based (passwords are saved on your system) or cloud-based (passwords are stored on a secure cloud server). “They are basically tools that store all your passwords in one place and are encrypted with one main password called the master key. An advantage of using password managers is that you need not recall all your passwords. Also, most of these tools come with cloud integration,” says the New Delhi-based security researcher.
But as with every solution, password managers have some downsides too. “The disadvantage is something we call a ‘single point of failure’. If a hacker or malicious software hacks your master key or if your system is hacked, then all your passwords are out in the open,” the security researcher adds.
Two-factor authentication, a concept fast gaining ground, has been implemented most notably for Net banking transactions. “It consists of ‘what you know’ (your password), ‘what you have’ (a one-time password or key sent to your device) and ‘what you are’ (the use of biometric scans or authentication using hardware). Two-factor authentication is the use of any two of these three parameters. Most companies are adopting ‘what you know’ and ‘what you have’ options because the ‘what you are’ option (using biometrics) is a costly affair,” says the security researcher.
Another easy-to-use method for authentication is Mobile ID. It puts the user’s digital identity on his/her mobile phone, and uses the mobile number as the username. A four- or five-digit PIN, simple to remember, is the password. Mobile ID is based on Public Key Infrastructure (PKI), a two-channel authentication system, which makes this form of authentication extremely secure, says Gemalto’s Singh. PKI technology authenticates a user’s digital identity over a public and private network by associating a pair of public and private keys with the individual’s identity credentials. Mobile ID has already been implemented in countries like Oman, South Korea, Norway, Finland, Moldova, etc.
One concept that holds immense potential, especially in the online banking space, is dynamic CVV (card verification value). In November 2015, Gemalto introduced a dynamic code verification solution that replaces the static three-digit CVV printed on the back of your bank card with a dynamic one. This dynamic CVV, says Singh, changes at regular intervals, enhancing your security online. “Two-factor authentication, mobile ID and dynamic CVVs can be used almost everywhere. Enterprises can use it to fortify their already-in-use methods and ensure security against internal and external breaches. Banks and financial institutions can use them to ensure online safety of their consumers against phishing, thefts and breach of privacy,” says Singh.
Social login authentication
A lot of websites these days allow users to log in with their Facebook, Twitter or other social media accounts, which are verified through email and mobile numbers. The social login option, hence, eliminates the need to create different accounts for different websites. It also concentrates risk in the same way a password manager’s master key does: whoever controls the social account controls every site that trusts it, so that one account in particular deserves a strong password and two-factor authentication.