20 tips for 2020: Be smarter with your smartphone

In the second blog post of the two-part series, we suggest handy tips to help enhance the security of your mobile devices.

Yesterday, we discussed bad cybersecurity habits you should avoid in 2020, especially where computers are involved. We’re not done yet. Some of the recommendations apply to both computers and smartphones, such as being especially wary when connecting to a public Wi-Fi network. Our upcoming cybersecurity tips are more smartphone-centric.

Authentication

You’d think that locking your phone would be a no-brainer, but contrary to popular belief, not all people secure their smartphones with an authentication measure. According to a report by the Pew Research Center, almost a third of Americans don’t use any kind of screen lock. You should always securely lock your device, period. And by locking your device, we don’t mean half-hearted measures like an L pattern or a 1234 PIN. Optimally, use a combination of a biometric feature if possible (fingerprint or face recognition) and a password.

Using the official store

As enticing as the prospect of rooting or jailbreaking your device might sound, most manufacturers advise against it. Not without good reason: it opens your device to unnecessary risks. It also sometimes adds an unofficial app store, which isn’t as strictly monitored as official stores. Apps aren’t curated on such alternative stores, nor do they go through an approval process, which means you could download an overtly malicious app that may wreak havoc on your device. You have probably surmised that it’s best to stick to official stores to minimize the risks.

Granting apps permissions

Apps request a variety of permissions so they can work appropriately. You usually just scroll through them absentmindedly and tap accept. As convenient as that might be, you should always peruse the permission list requested by an application. If you accept them all, you may be granting bad actors access to sensitive data or allowing them to scam you out of money, or even to spy on you. After all, does a flashlight app really need access to your microphone or camera?

Using security software

Most people underestimate the value of using security software to protect their smartphones, which is surprising, to say the least. The reasoning behind it may be that they still consider it to be a phone more than a pocket personal computer. Regardless of the reason, we have seen time and again that smartphones are susceptible to breaches and attacks the same way computers are. Therefore, reputable security software can spare you from a headache in the future.

Remote wiping

Expanding on the previous tip, the better security software providers offer the nuclear option of remotely wiping your device if it is lost or stolen. As radical as the idea may sound, it is a good option to have if you store sensitive data you don’t want anyone to see. Alternatively, you may be able to set up your device to wipe itself if authentication fails a certain number of times.

Encryption, backup, and patching

One rule all of us should always follow is to back up our data. In the event you become a victim of a malicious attack that may corrupt or lock your files, at least you’ll have a backup you can use for recovery. Encryption is also a critical step you should not underestimate. Encrypting the files on your smartphone will give the bad actors a run for their money, making it harder for them to realize their malicious intent. To lower the chance of any of the mentioned things happening, you should always install the latest official updates on your device since they often contain security patches that help keep you protected.

Safe disposal of the device

You might want to pass along your device or even sell it, but that entails several steps you have to go through so that you dispose of it safely. Depending on the device, that might include anything from encrypting the drive before wiping it to logging out of all the services you use. Whatever the case, don’t underestimate the critical importance of conducting the process thoroughly so that your privacy remains intact.

Dodgy calls and phishing texts

Phishing scams take all kinds of forms, and although email is the most popular conduit, it is by far not the only one. Scammers have been known to send out text messages with links that lead to all types of malware. Recently, bad actors have been engaging in more sinister attempts. You may receive calls from international numbers in countries you have never had any interaction with. Calling the number back can incur exorbitant charges, so if that ever happens, think long and hard before calling back.

It can’t happen to me

Hopefully, you’ll never have to deal with the fallout of a security breach or of your accounts being hacked. But admitting that the possibility is always there can help you in the long run. Being prepared is by no means a bad thing. From securing your device, to having backups at the ready, or having the option to remotely wipe your device, you can reduce the damage to a minimum. If nothing happens great; if something does, you’re ready to face it head-on.

That sums up our list of 20 cybersecurity tips for 2020. We hope that these tips will help you in having a better, safer year with less to worry about and more to look forward to.

31 Dec 2019 – 11:30AM

20 tips for 2020: Mistakes to avoid

In this first instalment of the two-article series we will be looking at cybersecurity habits to avoid when using your computing devices

As we’re entering 2020, we’re also plotting out our New Year’s resolutions. Instead of suggesting what you should do next year, however, let’s have a look at some cybersecurity mistakes you should avoid for a more secure 2020.

Denying you are a target

You’ve probably already brushed off this possibility with contempt, thinking the chances are slim to none. To quote Dwight from The Office, “False”. When it comes to the internet, you cannot anticipate if a breach will directly affect you. New malware may appear or a service that you use may get hacked and your password can be leaked. All of these are probabilities that you should be aware of, and prevention can go a long way in securing your connected presence.

Clicking on suspicious links

Receiving spam has become a part of everyday life. Sometimes it’s just a harmless ad, but every now and then it can be something more sinister. You might get an email coaxing you to click on a suspicious link to claim a prize you’ve won. Or an offer that sounds too good to pass up might appear in an ad. Whatever the case, if you have even a shred of doubt about it: avoid clicking on it at all costs. The link just may contain malware that may wreak all kinds of havoc on your computer.

Failing to patch

Is your computer nagging you for the umpteenth time to install that pesky update? Perhaps the latest patch for your smartphone’s OS has been released. You’ve probably hit the postpone button more times than you’ve snoozed your alarm. We can’t speak to your sleeping habits, but you should always keep your devices updated to the latest version of software available. It will probably save you from a headache in the long run. The infamous WannaCryptor malware spread due to devices not being patched.

Recycling your passwords

To simplify the arduous task of memorizing scores of passwords, some people resort to recycling. This means that they reuse the same password or passphrase, perhaps varying a character or two or by adding upon it. This practice should be avoided. It allows bad actors to guess the rest of your passwords if they can figure out one.

Not using 2FA

Two-factor authentication (2FA), also known as multifactor authentication (MFA), is a simple way to add an extra layer of security to your accounts. The most common 2FA method used by popular online services is a text message with an authentication code sent to your phone. It is one of the most basic methods, but use at least this one if you have no other option. If bad actors are missing one piece of the puzzle, they cannot get in until they overcome that hurdle, which might make them look for an easier challenge elsewhere.

Ignoring your router setup

When it comes to home interconnectivity, the router is the heart of your home. All your devices with an internet connection are linked to it, be it your smart TV, smartphone, personal computer or laptop. For convenience’s sake, a lot of people just go through the bare necessities when installing it or keep the default settings pre-configured by their ISP. You should always take steps to secure your router, so you can browse the internet safely.

Using unsecured public Wi-Fi

Most places like cafes, restaurants, and even shops offer complimentary Wi-Fi connections, which is a welcome alternative to using up your precious data plan. As convenient as such free connections might be, you should be careful what you connect to. An unsecured public Wi-Fi can lead to your private data being stolen or your device being hacked.

Disregarding VPN

Besides using a Virtual Private Network (VPN) to connect to your work’s servers, there are other security reasons to use one in private. You can use VPNs to access your home network remotely or to limit your ISP from seeing what you are doing, or to browse safely on public Wi-Fi. Depending on what you want to do, there are various types of VPNs you can choose from to protect your communication.

Skimping on security software

The internet is a useful tool, no doubt, but to paraphrase G.R.R. Martin, it can be dark and full of terrors. Granted, this leans towards hyperbole, but you should always use reputable security software to protect your data. Clicking on the wrong link might lead to malicious code making its way to your computer. Security software provides multiple layers that can stop these threats in their tracks. Prevention is the mother of security; athletes in contact sports use mouthguards as a preventive measure because fixing their teeth is more expensive than protecting them. The same goes for your data.

Underestimating backup and encryption

If, due to some unforeseen circumstances, your computer kicks the can, having a backup comes in handy. Always back up your sensitive data and things you have been working on recently; thus, if something does happen, you can continue unhindered by the unfortunate loss of your device. The same goes for encryption. Never underestimate the value of having your data encrypted: if you get hacked, the bad actor will have a tough time getting to your data; if your device gets stolen, you have an extra layer of security in place before you remotely wipe it.

If you just counted ten tips and not twenty, you would be right. So stay tuned, as tomorrow we’ll continue with tips that will be geared towards smartphones.

30 Dec 2019 – 11:30AM

Prison surveillance footage posted on YouTube

It’s not a stretch to surmise that the incident was enabled by poor security settings

Law enforcement in Thailand is looking into an incident that resulted in the streaming of live surveillance footage from a local prison on YouTube, according to a report by The Bangkok Post.

The feed, which gave a glimpse into inmates’ daily lives in crowded cells, contained materials from several locations within the facility. The footage was aired on the video-sharing platform for several hours on Tuesday and was leaked by an as-yet unknown attacker on a YouTube account named ‘Big Brother’s Gaze’ after he compromised, apparently on Monday, the CCTV system of the Lang Suan prison in the southern part of the country.

The cameras were connected to the internet so that authorized individuals, notably prison and other law-enforcement officials, could keep tabs on the situation in the prison from any smart device. The CCTV system was taken offline in the wake of the incident.

The authorities didn’t say what opened the door to the intrusion, but the attacker himself did give more than a hint: “When installing video surveillance change the standard passwords,” reads a message in the ‘About’ section of that YouTube channel. According to the Associated Press, the account previously contained footage from security cameras at a Thai company’s office, street views of Salt Lake City, an office in Australia and a café in Amsterdam.

Poor password practices, along with vulnerable embedded firmware and the absence of patches, are just some of the main problems that plague all sorts of internet-connected things, including, somewhat ironically, security cameras.

As one might have expected, this was not the first time that an unauthorized party has remotely tapped into a CCTV feed and streamed it online. For example, in early 2018 live footage from surveillance cameras in four British schools was put online. The incidents were also caused by poor password hygiene.

In another highly publicized case involving CCTV systems, two-thirds of public-space cameras in Washington, DC, were put out of action as part of a ransomware operation in January 2017.

27 Dec 2019 – 04:26PM

How to get rid of your old devices safely

Disposing of old tech isn’t a one-click solution; there are multiple things you have to consider before moving on to greener pastures

Black Friday, Cyber Monday and even Christmas are behind us. Which means some of us may have been fortunate enough to unwrap a shiny new laptop, smartphone or tablet. But what about our old devices?

Some of us keep our old devices as back-ups in case something goes amiss. On the other hand, the majority likes either to share the holiday cheer and gift their old devices or sell them. Whatever the case may be, there are some things you should do before you can pass the device along safely.

Mind you, if you’re more of a video person, we’ve got you covered, too. Otherwise just scroll down to read the main part of this article.



General advice

The one rule you should always adhere to is back up your data. Usually, if it involves your smartphone, you can back up your data to the cloud or your computer. If it involves your computer, you can use a combination of cloud and external drive. Whichever suits you better, but just make sure you do it so you will not lose any sensitive data you may need in the future.

Computers

Most computer users think that formatting their hard drive means that they have wiped their data from the drive, which simply put, is untrue. The data is still recoverable from your drive even after you format it. Wiping the drive on your computer differs from operating system to operating system.

If you have a Mac, the process is quite simple and straightforward. You can use the built-in Disk Utility feature to wipe your drive; it even allows you to determine how thoroughly you want to wipe it.

If you are running Windows, there is no built-in disk wiper, but there are a variety of options you can use. You can browse the web for the best reviewed tool to fit your needs, but the free versions of some may only work with mechanical hard drives.

If you have a solid-state drive (SSD), then we suggest referring to the manufacturer’s website for their drive utility. If you want to go above and beyond, then there is the nuclear option of destroying your drive. If you’re comfortable and are well versed in how drives work, you can destroy the necessary components yourself.

The other option is visiting a specialist service that has machines, such as shredders or crushers to dispose of your disk. Fair warning though, not all computers have easily removable drives. Macs, for example, have SSDs soldered to their motherboards.

Smartphones

Smartphones have their own utilities that are implemented in the system to make the process as streamlined as possible. If you’re getting rid of your old iPhone, first sign out of all your services such as iTunes, iCloud, App Store, etc. Then go through your Settings, enter the Reset menu, and tap on Erase All Content and Settings.

If you’re planning on passing along your Android device, the process may vary a bit from manufacturer to manufacturer, but the procedure should be roughly the same. Start by removing the security measures like the Lock screen, then move on to removing the accounts you are signed in with. To go the extra mile, encrypt the data on your phone and after that’s done run the Factory Data Reset on your phone. If you’re using an SD card, don’t forget to pop it out.

Recycle

Be environmentally responsible. If you plan to dispose of the device, don’t just throw it away. Look for places that recycle used electronic devices. They contain valuable resources that can be used in manufacturing future devices. If you’re not sure how to go about it, you can check with the manufacturer’s website or your government should have reasonable advice.

If you are not planning on handing a still functional device on to a relative or friend, consider donating it. One person’s trash is another’s treasure and after all, it is the season to be jolly, so why not share the cheer with someone less fortunate?

27 Dec 2019 – 11:30AM

How to secure your digital Christmas presents

What are some of the key things you should do with your shiny new device as soon as you unbox it?

It’s that time of year again, and chances are that new tech will be one of the gifts tucked under your Christmas tree. Whether it’s a smartphone, laptop or, say, an Internet-of-Things (IoT) gadget, there are a number of things you should consider even before you begin to use your new device. Ensuring that your new tech is properly secured is more important than ever. Here are a couple of questions you should answer:

How should you lock it up?
How do you ensure that your personal information remains secure even if your device is lost or stolen?
Why stay current with regular security updates?
Why should you plan for how to back up your data?
How can dedicated security software help?
Why should you take the time to read privacy policies?

Watch the video to find out.



23 Dec 2019 – 11:30AM

Week in security with Tony Anscombe

ESET’s free BlueKeep vulnerability checker – Dangerous PayPal-themed scam – This year’s worst passwords

ESET has released a free utility to enable users to check if their computers running Windows are susceptible to the BlueKeep vulnerability. Also this week, ESET researchers published details on an ongoing phishing scam that impersonates PayPal but preys on more than users’ login credentials to the payment service. In addition, a list of this year’s worst 200 passwords was released. All this – and more – on WeLiveSecurity.com.

Ambitious scam wants far more than just PayPal logins

An ongoing phishing scam uncovered by ESET researchers seeks to wreak havoc on your money and digital life in one fell swoop

ESET researchers in Latin America have spotted fraudulent websites that impersonate PayPal and attempt to trick users into handing over considerably more than ‘only’ their access credentials to the payment service.

The ruse

As is commonly the case with phishing campaigns, the attackers use scare tactics that encourage you to take immediate action. The ploy here involves a spammed email alert of ‘unusual activity’ on your account, prompting you to secure it and avoid financial loss.

Figure 1. The phishing spam email bait

Should you click on the link in the phishing spam message, you are presented with a PayPal-branded page reiterating the claimed account compromise.

Figure 2. The page you’re presented after you take the bait

The manufactured sense of urgency is not the only telltale sign to tip you off that something is amiss. Other giveaways include the odd URL (though partly obfuscated here for security reasons), substandard English, chopped-off letters, and the use of a CAPTCHA.

If you do fall for the ploy, however, you’ll be taken to a login interface that was created to look the part of the genuine two-step PayPal login process.

Figure 3. The first part of the legitimate-looking, but nonetheless fake, login process

Figure 4. The second part of the login process mimicking PayPal’s

Once you’ve supplied your username and password, you’re asked to ‘verify your account’ by providing additional personal information.

Figure 5. The prompt asking you to verify your account

By this stage, you have already handed over your PayPal login credentials; nevertheless, the scammers attempt to collect far more than that. As Figures 6 to 9 show, in a series of steps you’re asked to surrender a range of sensitive information, including your credit or debit card data, access credentials to the bank account linked to the card and, lastly, the login to your email account.

Figure 6. The attempt to steal your home address

Figure 7. The fake form created to steal your credit/debit card data

Figure 8. The fake form asking for more details about your PayPal account

Figure 9. Purloining the login credentials to your email account

In the end, you’re told that access to your PayPal account has been restored. Nothing could be further from the truth now that a big chunk of your (digital) life is in the hands of the criminals, who can use it for identity theft and all manner of fraud, both on and off the internet.

Figure 10. The plot is consummated

The domain name

Despite being clearly distinguishable from the impersonated service, the names of the malicious websites seen in this scam seek to give a sense of being an actual touchpoint for PayPal users who are experiencing problems accessing their accounts. Several such fake domain names have been used – this discussion will focus on the first we saw and from which the screenshots here are taken.

Additionally, the presence of the green padlock to the left of the URL bears witness to a recent trend, where countless phishing sites use authentic SSL (Secure Sockets Layer) certificates in order to boost their aura of legitimacy. As shown in Figures 11 and 12, one of the domains hosting the scam was registered and received a valid SSL certificate earlier this month.

Figure 11. The domain’s SSL certificate

Figure 12. Details on the domain’s registration

Conclusion

Much like other threats in cyberspace, phishing attacks come in various shapes and sizes and continue to evolve. As the example shows, however, social engineering tactics remain at the heart of such scams. After all, by preying on human weaknesses, cybercriminals usually take the path of least resistance. For the victims, even a momentary lapse in judgment or a short moment of distraction can have far-reaching and deleterious consequences.

It’s worth noting that we’ve found no evidence that this campaign results in the installation of malicious software on victims’ machines. And, as this scam starts with a phishing email, the usual precautions will go a long way towards helping you stay safe.

For starters, you should treat with utmost caution any out-of-the-blue notifications to input your sensitive information, and resist the urge to click on links or download attachments. Watch out for any irregularities in the URL where you enter your sensitive data. Indeed, for added reassurance, it never hurts to type the website’s name into the browser manually, or use a previously saved bookmark.
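The URL irregularities the article tells you to watch for can be checked mechanically. The following is an added example, not code from the article or from ESET: it extracts the host from a URL and warns when a brand name (here only ‘paypal’, mapped to paypal.com, an assumption made for the example) appears in the host or path of a domain the brand does not own, when credentials before an ‘@’ hide the real host, and it reminds that an HTTPS padlock alone proves nothing, the point made about the scam’s valid certificate. The sample URLs are constructed and use reserved example domains; the real phishing domain was obfuscated in the article and is not reproduced.

```python
"""Heuristic URL check for brand-impersonating phishing pages (added example)."""
from urllib.parse import urlsplit

# Assumption for this example: the brand keyword and the single domain it
# legitimately uses. A real deployment needs a fuller allow-list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
}


def registered_domain(host: str) -> str:
    """Return the last two DNS labels ('paypal.com' for 'www.paypal.com').

    Simplification: multi-label public suffixes such as 'co.uk' would need
    the Public Suffix List; this example deliberately ignores them.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> list:
    """Return a list of warning strings; an empty list means no heuristic fired."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname in URL"]

    # 'https://paypal.com@attacker.example/' connects to attacker.example,
    # not paypal.com: everything before '@' is userinfo, not the host.
    if parts.username is not None:
        warnings.append("credentials before '@' hide the real host")

    reg = registered_domain(host)
    for brand, allowed in BRAND_DOMAINS.items():
        if reg in allowed:
            continue  # genuine domain for this brand
        if brand in host:
            warnings.append(
                f"'{brand}' appears in host but registered domain is {reg}")
        elif brand in parts.path.lower():
            warnings.append(
                f"'{brand}' appears only in the path of an unrelated domain ({reg})")

    # A valid certificate only proves you are talking to whoever holds the
    # domain; the article's scam pages had one too.
    if parts.scheme == "https" and warnings:
        warnings.append("HTTPS padlock does not prove the site is genuine")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs (reserved .example domains), not real phishing sites.
    for sample in [
        "https://www.paypal.com/signin",
        "https://paypal.com.verify-account.example/login",
        "https://paypal.com@attacker.example/",
        "http://attacker.example/paypal/login",
    ]:
        print(sample, "->", check_url(sample) or "no warnings")
```

The check is a screening aid for a mail gateway or a browser extension, not a verdict: a clean result only means none of these particular tricks were used, which is why the article’s advice to type the address yourself or use a saved bookmark still applies.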

For more thorough takes on how to avoid falling victim to phishing attacks, please refer to these articles:

Phish Allergy – Recognizing Phishing Messages
5 simple ways you can protect yourself from phishing attacks
Phishing unravelled

20 Dec 2019 – 11:30AM

38,000 people forced to pick up email passwords in person

Malware and legal requirements force academics and students to join a near-endless line in order to pick up their passwords

Usually, if you forget your password or need to change it for other reasons, getting a new one is a straightforward process that involves a few clicks. Now imagine you would have to prove your identity and retrieve your password in person. Don’t rush to laugh this off as a bizarre fantasy, as thousands of students and faculty members at the Justus Liebig University Giessen in Germany were unlikely to be laughing when they learned that they would have to do just that.

According to the institution’s statement, 38,000 students and academics now have to stand in line, ID card in hand, so that they can receive new passwords to their university email accounts. The distribution of new passwords was prompted by a malware incident detected last week, with the university’s network being offline since December 8th. As for the unorthodox way of issuing new passwords in person, the staff are citing the legal requirements of the German National Research and Education Network (DFN).

English version of #JLUoffline: pic.twitter.com/YrpgnDW69F

— Universität Gießen (@jlugiessen) December 9, 2019

Arguably, the university can be lauded for its incident response. Once the incident was noticed, the servers and machines were taken offline. USB flash drives loaded with security software were handed out to faculty members, institutes and departments to carry out scans of all machines connected to the university’s network. The devices that passed the first wave of checks were labeled with green stickers.

A second wave of scans then followed, and included, to use the university’s own words, a “specialized scan for the new virus type”. A total of 1,200 USBs were prepared for the second wave, which has been underway since December 18th. Computers that passed both scans are immediately cleared for use. Students were assured that their private machines were free of any risks since they use a separate university network to the one that was compromised.

The University in Gießen, Germany had a security incident that required resetting the passwords of 38000 students. Students are lining up to get their new passwords on paper, after identity verification. More about the incident on the bottom of this page: https://t.co/uMBOi2MpJr pic.twitter.com/QEKcPMZ2Sk

— svbl (@svblxyz) December 17, 2019

Nevertheless, the university’s IT Service center decided to assign new passwords to everyone since they suspected that the malware hit their e-mail servers as well. The whole process was designed to be as precise and orderly as possible, and the students and faculty were separated into groups based on their date of birth and can pick up their passwords during allotted timeslots.

Prospective students were affected as well, since the website through which they could apply is currently offline. This means that they will have to apply through more “analog” ways, such as submitting applications in person or sending them by traditional mail.

19 Dec 2019 – 04:12PM

It’s time to disconnect RDP from the internet

Brute-force attacks and BlueKeep exploits usurp convenience of direct RDP connections; ESET releases a tool to test your Windows machines for vulnerable versions

While the BlueKeep (CVE-2019-0708) vulnerability has not, to date, caused widespread havoc, and we will be looking at the reasons why in this post, it is still very early in its exploitation life cycle. The fact remains that many systems are still not patched, and a thoroughly wormable version of the exploit might still be found. Because of these factors, ESET has created a free utility to check if a system is vulnerable.

Sometimes, you have to say something about things that “go without saying” and it seems the best way to start this post is by mentioning just that, because this is not a subject I expected to have to write about in this day and age. Before we dive in, let’s begin by looking at an old maxim.

There is an old saying in the information security field that if an adversary has physical access to your computer then it is not your computer anymore. The reason for this is quite simple: once the attackers have their hands on a computer, they can change anything they want. Installing devices such as hardware keyloggers, removing disk drives and copying them, and otherwise deleting, altering or adding anything they want on the system all become exponentially easier when you can walk right up to the computer. This is not a particularly surprising turn of events, nor a particularly clever one. Rather, it is an unavoidable truth. For the adversaries, it’s just part of their job description.

Businesses and schools and all sorts of organizations are not blind to this, though. None of these kinds of places put their servers at the front desk in the lobby, reception area, visitor center, waiting room or other locations where the public or, conceivably, any employee, faculty, student, or staff may enter and gain physical access to them. Or, at least, no business that wants to remain in business allows this. Usually, there’s some separation of the servers, whether they be in their own dedicated room, or even tucked away in some back corner that is off-limits to most personnel.

Yet for all this common knowledge, the lessons learned about security in the physical world do not always transfer well (or correctly) into the internet world. There are a large number of servers running various versions of Microsoft Windows server operating systems that are directly connected to the internet with what amounts to little or no practical security around who can access them. And that brings us to the discussion of RDP.

What is RDP?

RDP, short for Remote Desktop Protocol, allows one computer to connect to another computer over a network in order to use it remotely. In a domain, computers running a Windows Client operating system, such as Windows XP or Windows 10, come with RDP client software preinstalled as part of the operating system, which allows them to connect to other computers on the network, including the organization’s server(s). A connection to a server in this case means it could be directly to the server’s operating system, or it could be to an operating system running inside a virtual machine on that server. From that connection, a person can open directories, download and upload files, and run programs, just as if they were using the keyboard and monitor connected to that server.

RDP was invented by Citrix in 1995 and sold as part of an enhanced version of Windows NT 3.51 called WinFrame. In 1998, Microsoft added RDP to Windows NT 4.0 Terminal Server Edition. Since then, the protocol has been a part of all versions of Microsoft’s line of Windows Server operating systems, as well as being included with all non-home user editions of Windows Client operating systems since Windows XP was released in 2001. Today, common users of RDP include system administrators doing remote administration of servers from their cubicles without having to go into the server room, as well as remote workers who can connect to virtualized desktop machines inside their organization’s domain.

What do attackers do with RDP?

For the past couple of years, ESET has seen an increasing number of incidents where the attackers have connected remotely to a Windows Server from the internet using RDP and logged on as the computer’s administrator. Once the attackers are logged into the server as administrator, they will typically perform some reconnaissance to determine what the server is used for, by whom, and when it is being used.

Once the attackers know the kind of server they have control of, they can begin performing malicious actions. Common malicious activities we have seen include:

clearing log files containing evidence of their presence on the system
disabling scheduled backups and shadow copies
disabling security software or setting up exclusions in it (which is allowed for administrators)
downloading and installing various programs onto the server
erasing or overwriting old backups, if they are accessible
exfiltrating data from the server

This is not a complete list of all the things an attacker can do, nor is an attacker necessarily going to perform all of these activities. Attackers may connect multiple times over days or just once, if they have a predetermined agenda. While the exact nature of what attackers will do varies greatly, two of the most common are:

- installing coin-mining programs in order to generate cryptocurrency, such as Monero
- installing ransomware in order to extort money from the organization, often to be paid using cryptocurrency, such as bitcoin

In some cases, attackers might install additional remote-control software to maintain access (persistence) to a compromised server in case their RDP activity is discovered and terminated.
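The activities listed above leave traces in the Windows Security log that a defender can look for. The following is an added example, not code from the original article or from ESET: a small Python triage that runs over a constructed handful of Security events (reduced to the fields a SIEM would normally extract, with field names such as TargetUserName and IpAddress assumed to follow the event XML) and flags successful RDP logons from outside the LAN, repeated failed RDP logons per source, and the "audit log cleared" event that accompanies log wiping. The event IDs and logon type are documented Microsoft values; the sample records and their IP address (a documentation address, not a real host) are constructed.

```python
"""Added example: triage of Windows Security events for RDP abuse.

Not part of the original article. Runs over a small, constructed set of
events reduced to the fields a SIEM would extract (field names assumed to
follow the event XML) and flags:
  * successful RDP logons whose source is not an internal network,
  * failed RDP logons counted per source (password guessing / spraying),
  * event 1102, written when the Security log is cleared.
"""
import ipaddress
from collections import Counter

# Documented Microsoft event IDs / logon types used below:
#   4624 = successful logon, 4625 = failed logon, 1102 = audit log cleared
#   LogonType 10 = RemoteInteractive (Terminal Services / RDP)
LOGON_SUCCESS, LOGON_FAILURE, LOG_CLEARED = 4624, 4625, 1102
REMOTE_INTERACTIVE = 10

# Address ranges treated as "inside the organisation": RFC 1918, loopback,
# link-local and IPv6 ULA. Anything else is treated as internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample events (not real log records). 203.0.113.45 is an
# RFC 5737 documentation address standing in for an arbitrary internet host.
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator",
     "IpAddress": "203.0.113.45", "Time": "2019-12-14T02:11:40Z"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator",
     "IpAddress": "203.0.113.45", "Time": "2019-12-14T02:11:52Z"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator",
     "IpAddress": "203.0.113.45", "Time": "2019-12-14T02:13:07Z"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",
     "IpAddress": "10.0.0.25", "Time": "2019-12-14T08:02:19Z"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jsmith",
     "IpAddress": "-", "Time": "2019-12-14T08:30:00Z"},
    {"EventID": 1102, "SubjectUserName": "Administrator",
     "Time": "2019-12-14T02:40:55Z"},
]


def is_external(ip_text):
    """True if the address parses and falls outside INTERNAL_NETS.

    Windows writes "-" or "::1" for console/local logons; both count as
    internal here ("-" does not parse, "::1" is loopback).
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Successful RemoteInteractive logons from a non-internal source."""
    return [(e["TargetUserName"], e["IpAddress"], e["Time"])
            for e in events
            if e["EventID"] == LOGON_SUCCESS
            and e.get("LogonType") == REMOTE_INTERACTIVE
            and is_external(e.get("IpAddress", "-"))]


def failed_rdp_by_source(events):
    """Failed RDP logons counted per source address."""
    return Counter(e["IpAddress"] for e in events
                   if e["EventID"] == LOGON_FAILURE
                   and e.get("LogonType") == REMOTE_INTERACTIVE)


def audit_log_clears(events):
    """Event 1102 records who cleared the Security log and when."""
    return [(e["SubjectUserName"], e["Time"])
            for e in events if e["EventID"] == LOG_CLEARED]


def triage(events):
    """Bundle the three checks into one findings dictionary."""
    return {
        "external_rdp_logons": external_rdp_logons(events),
        "failed_rdp_by_source": dict(failed_rdp_by_source(events)),
        "audit_log_clears": audit_log_clears(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Two caveats when applying this to real logs: with Network Level Authentication the credential check first appears as a type 3 (network) logon and the type 10 event follows once the session is created, so filtering on type 10 alone can miss failed attempts; and because clearing the log is itself one of the listed activities, event 1102 is only reliable if events are forwarded to a collector the attacker cannot reach.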

We have not seen any servers that were compromised both to extort via ransomware and to mine cryptocurrency, but we have seen instances where a server was compromised by one attacker to mine cryptocurrency, then later compromised by other attackers who changed the coin

The worst passwords of 2019: Did yours make the list?

These passwords may win the popularity contest but lose flat out in security

Year after year, analyses show that millions of people make, to put it mildly, questionable choices when it comes to the passwords they use to protect their accounts. And fresh statistics for the year that is drawing to a close confirm that bad habits do die hard and many people willingly put themselves in the firing line of account-takeover attacks.

Drawing on an analysis of a total of 500 million passwords that were leaked in various data breaches in 2019, NordPass found that ‘12345’, ‘123456’ and ‘123456789’ reigned supreme in order of frequency. Between them, these numerical strings were used to ‘secure’ a total of 6.3 million accounts. It doesn’t get much more optimistic further down the list, however, as these three choices were followed by ‘test1’ and, the one and only, ‘password’.

Somewhat predictably, the chart is overall replete with many usual suspects among the most common passwords – think ‘asdf’, ‘qwerty’, ‘iloveyou’ and various other stalwart choices. Other supremely hackable passwords – including simple numerical strings, common names, and rows of keys – also abound. Much the same picture is painted annually by SplashData’s lists of the most-used passwords, such as last year, the year before that, and so on.

The entire list of the 200 most popular passwords is available in the linked blog post, but here’s at least the top 25. Let that sink in.

Rank  Password
1     12345
2     123456
3     123456789
4     test1
5     password
6     12345678
7     zinch
8     g_czechout
9     asdf
10    qwerty
11    1234567890
12    1234567
13    Aa123456.
14    iloveyou
15    1234
16    abc123
17    111111
18    123123
19    dubsmash
20    test
21    princess
22    qwertyuiop
23    sunshine
24    BvtTest123
25    11111

Eerily familiar?

If you recognize any of the above as your own, then fixing your passwords is almost certainly one of the things that deserve a place on your laundry list of New Year’s resolutions. For starters, fixing here means not having the exact same idea as millions of other people when you’re signing up to a service and are asked to create your password.

One way to go about this is to opt for a passphrase, which, if done right, is generally a tougher nut to crack as well as easier to remember. The latter is especially useful if you don’t use password management software, which, somewhat unsurprisingly, has been shown to benefit both password strength and uniqueness. Yes, that passphrase should, of course, be unique for each of your online accounts, as recycling your passwords across various services is tantamount to asking for trouble.

You may also want to watch out for password leaks. There are a number of services these days where you can check if your login credentials may have been caught up in a known data breach. Some of them even offer you the option to sign up for alerts if your login information is compromised in a known breach.
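Breach-check services of the kind mentioned above do not need to see your password to answer. The following is an added example, not code from the original article or from any of those services, showing the k-anonymity range query that Have I Been Pwned’s Pwned Passwords API uses: the client hashes the password with SHA-1, sends only the first five hex characters, receives every hash suffix stored under that prefix, and finishes the match locally. The server side here is a constructed in-memory stand-in seeded with entries from the table above (the per-password counts are made up, since the page does not give them), so the example runs offline. It also includes a small entropy helper that puts numbers on the passphrase advice in the preceding paragraph.

```python
"""Added example: k-anonymity breach check plus a passphrase entropy helper.

Not part of the original article. The BreachCorpus class is a constructed
stand-in for the server side of a range-query API; the counts are invented.
"""
import hashlib
import math
from collections import defaultdict

# Passwords taken from the table above; counts are constructed for the demo.
BREACHED = [
    ("12345", 2_800_000), ("123456", 2_500_000), ("123456789", 1_000_000),
    ("test1", 700_000), ("password", 650_000), ("qwerty", 300_000),
    ("iloveyou", 200_000),
]


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the hash the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachCorpus:
    """Constructed server side: hash suffixes bucketed by 5-character prefix."""

    def __init__(self, entries):
        self.buckets = defaultdict(list)
        for pw, count in entries:
            h = sha1_hex(pw)
            self.buckets[h[:5]].append((h[5:], count))

    def range_query(self, prefix):
        """Return 'SUFFIX:COUNT' lines for every stored hash under the prefix.

        The server only ever learns these five characters, so it cannot tell
        which of the hashes in the bucket the client was asking about.
        """
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 hex characters")
        return "\n".join(f"{suffix}:{count}"
                         for suffix, count in sorted(self.buckets.get(prefix, [])))


def check_password(password, range_query):
    """Client side: send the prefix, match the suffix locally.

    Returns the breach count, or 0 if the password is not in the corpus.
    `range_query` is any callable taking a 5-char prefix and returning the
    'SUFFIX:COUNT' text; here it is BreachCorpus.range_query.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_query(prefix).splitlines():
        if not line:
            continue
        seen_suffix, count = line.split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def entropy_bits(choices, length):
    """Bits of guessing entropy for `length` independent picks from `choices`.

    Four words from a 7776-word list give about 51.7 bits; eight lower-case
    letters give about 37.6, which is why a random passphrase is the
    "tougher nut to crack" the article refers to.
    """
    return length * math.log2(choices)


if __name__ == "__main__":
    corpus = BreachCorpus(BREACHED)
    for candidate in ("password", "added-example-passphrase-not-in-the-list"):
        print(candidate, "->", check_password(candidate, corpus.range_query))
    print("4-word passphrase bits:", round(entropy_bits(7776, 4), 1))
    print("8 lower-case letters bits:", round(entropy_bits(26, 8), 1))
```

The range query is deliberately coarse: a five-character prefix covers roughly one in a million SHA-1 values, so a real corpus returns hundreds of suffixes per query and the service learns nothing useful about which one matched.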

In fact, as ours is an era where login data are compromised by the millions, why settle for one line of defense if you can have two? At the risk of repeating ourselves, two-factor authentication is a highly valuable way to add an additional layer of security to online accounts on top of your password.

16 Dec 2019 – 05:36PM