Most popular passwords
Main article: Most popular passwords
User Password Security
2022
More than half of Russian users do not comply with basic password security requirements
On June 29, 2022, RTK-Solar presented the results of a study of the level of password protection from personal and work accounts of Russians. It turned out that domestic users do not comply with the basic requirements for password security and the rules for their reliable storage. Thus, 59% of respondents use the same passwords for different accounts, which, if at least one of them is compromised, can lead to hacking of all the others. In addition, it turned out that 53% of users change their passwords extremely rarely, and less than 10% of respondents use special programs for reliable password storage.
The study was conducted on the basis of the Yandex.Vzglyad service. The survey, which took place in March 2022, involved more than 700 people from all eight federal districts of the Russian Federation. 61% of respondents are people aged 30 to 50 years, 26% are under 30 years old and 13% are over 50 years old.
The study demonstrated that so far Internet users in our country do not understand well enough the need to comply with the requirements for protecting their accounts, - said Lyudmila Sevastyanova, an expert at the Solar inRights Product Center of RTK-Solar. - We recommend that citizens use special software for password management, and that organizations be sure to consider the use of a password policy as part of a general access control program in the company. In addition, it is useful to introduce additional user identification and authentication technologies, for example biometrics. And it is very important to regularly raise employees' awareness of information security by conducting training on safe work with credentials.
RTK-Solar analysts wanted to find out how strong users' passwords are and how well their accounts are protected. 55% of respondents are confident that they comply with all three basic password security requirements: uniqueness, a length of at least eight characters, and complexity, that is, the presence of letters of different case, digits and special characters. Another 42% believe that they comply with two of the three requirements. 3% of users admitted that their passwords are poorly protected and meet at most one security requirement. However, the answers to a later question showed that only 41% of respondents do not use the same password for several accounts. Thus, not all of the 55% of respondents who said they comply with the three basic password requirements can be completely confident in the security of their accounts.
Study participants also answered a question about how often they change their passwords. It turned out that more than half of respondents do this not often enough to consider an account secure: 29% change their password only if they forget the old one, 18% - less than once a year, and 6% never change passwords at all. 28% of respondents change them once every six months, another 20% - once a year. However, cybersecurity experts advise changing passwords from all accounts once a quarter, and from critical services like online banking - every month.
As for storing passwords, the situation also does not look very encouraging. 41% of respondents replied that they simply memorize their passwords. This means that, most likely, such passwords do not meet security requirements, because the average person cannot keep many unique random combinations of letters, digits and characters in their head. 50% of respondents use unreliable methods of storing passwords: they write them on paper, save them in a browser or keep them in text files on the device from which they log into accounts. Only 7% of users use the safest way to store them, a password manager. This is a program that stores passwords in encrypted form; to open the vault and decrypt them, you need to enter a master password. It too must be strong and must be memorized.
In addition, RTK-Solar experts asked users whether they comply with information security requirements at the workplace. The survey showed that more than 80% of respondents, by their own account, never hand over the logins and passwords of their work accounts to third parties, because this is prohibited by company rules. At the same time, 5% of users admitted that they often hand over their credentials to colleagues, and another 14% do so sometimes. Such actions create the risk of compromising access to the account of the employee who shared their password with a colleague: further transfer of access rights to this account is no longer controlled by the organization itself. And if in the end access is passed outside the company, external attackers can use it to carry out an attack.
The only question on which the respondents showed unanimity and a high level of cyber literacy concerned behavior in the event of a call from a bank representative. Almost 90% of respondents said they would not name their login and password from an online bank to a caller who pretends to be a representative of a financial institution.
Apple, Google and Microsoft switch to password-free authorization
On May 5, 2022, Apple, Google and Microsoft announced that they are switching to password-free authorization on all mobile and desktop platforms and in browsers. Announcements appeared on the official websites of the American corporations. The companies plan to introduce a single authorization standard using a fingerprint, face scan or PIN code from 2023.
Password-free authentication will appear in the mobile operating systems Android and iOS, in Windows and macOS, and in the Chrome, Edge and Safari browsers. Login using a fingerprint, face scan or PIN code will be possible thanks to a cryptographic token, the passkey, which is passed between the smartphone and the site.
The Google website explains in detail how authentication will take place. To log in to an application on a smartphone, you just need to unlock the phone; the account no longer needs a password. The smartphone will store FIDO credentials that are used to unlock the online account.
To start working on a laptop, you also need to have your smartphone with you; you will be prompted to unlock it to gain access.
With passkeys on your mobile device, you can log into an app or service on almost any device, regardless of the platform or browser the device runs. For example, users can log into the Google Chrome browser running on Microsoft Windows using the passkey on an Apple device, the Microsoft website emphasizes.
Mikhail Sergeyev, leading engineer at CorpSoft24, explained that this is not about creating a new standard, but about using the one that the FIDO Alliance has created and that has already been implemented on many devices.
{{quote 'It is a little like two-factor authorization, such as Yandex Key or Google Authenticator, where for successful authorization, in addition to a password, you need to open the application on a mobile device and take the PIN code from there to enter it on the site, - explains the expert. }}
The companies explain such measures by security concerns. The Google website notes that users are increasingly faced with phishing, fraud and password theft. The Microsoft website reminds that passwords are not only difficult to remember and keep track of, they are gradually turning into the main gap in the protection of accounts from intruders.
Every second there are 921 password attacks in the world, and there have been twice as many in the last year, Microsoft experts say.
Apple's website reminds that consumers often use the same combinations for different accounts, making it easier to steal data. In addition, almost every second sets phone numbers, initials, dates of birth in their passwords.
At the same time, not all cybersecurity experts are confident that the strategy of Apple, Google and Microsoft will really protect users from hacks[1].
2021
Most Russians use the same password for personal and work e-mail boxes
62% of Russians use the same combination of characters to log into personal and work e-mail boxes, as well as when registering in social networks. This is the conclusion reached by experts of the AlfaStrakhovanie analytical center. 1.1 thousand respondents from all regions of the country took part in the survey. This became known on November 18, 2021.
More than half of those surveyed admitted that, when working from home, they use corporate devices for personal purposes. Under such conditions, it becomes increasingly difficult for companies' security services to track and prevent cyber attacks. Often the culprits are the workers themselves, who do not pay enough attention to digital hygiene.
Thus, 62% of respondents do not see a danger in using a work email address for personal purposes, and 48% - a corporate mobile phone to obtain verification codes when registering on sites on the Internet.
Online stores became the leader among online resources where registration uses corporate data. 43% of respondents said that they used "work" means of communication for online purchases. Slightly fewer respondents (40%) preferred corporate data to personal when ordering various services (delivery, taxi, etc.). Instant payments round out the top three: 17% of company employees said that at least once they confirmed transactions using a corporate phone number or email address.
Quite often, the phone numbers of company employees are in the public domain, so they become easy prey for telephone scammers. 68% of respondents at least once encountered unwanted calls to corporate phones; in 88% of cases it was spam: advertising offers, information about promotions, etc. In 12% of cases, fraudsters posed as bank employees or work colleagues. At the same time, the majority of employees (72%) who faced fraudsters decided to sort out the situation on their own. Only 11% of those surveyed contacted their company's security service. The remaining 17% limited themselves to discussing the problem with colleagues.
When shopping on the Internet, it is extremely difficult to recognize an unscrupulous seller. Quite often, under the guise of a "good" site, a phishing resource is hidden, thanks to which confidential corporate data ends up at the disposal of cybercriminals. They get access to payment information, logins and passwords for banking applications, as well as to work servers. The result of such an intrusion for a business can be large financial and reputational losses. Ensuring the company's cybersecurity is a joint task of both its executives and employees. It is necessary to train personnel, conduct thematic trainings, and foster in the team a responsible attitude towards corporate digital resources. In turn, workers should not lose vigilance and should separate "work" and "personal." After all, using the same password for all e-mail boxes significantly simplifies the process of hacking them and obtaining all the desired data for fraudsters. A smartphone is enough to manage a company. It is also enough to create many problems for a business, - said Alisa Bezlyudova, director of the marketing department of Medicine of the AlfaStrakhovanie group of companies.
76% of Russians remember their passwords
The National Payment Card System (World Plat.Form) on May 5, 2021 shared the results of a study on how Russians protect their data and handle passwords.
The study showed that the majority of respondents (76%) prefer to remember their passwords. 38% said they use password autosaving (in their phone or browsers). Slightly less (29%) write passwords on paper (password printing, notes, etc.). Some respondents prefer to save such data in text format on a phone, tablet or computer (18%), and also use special programs or applications (12%).
In addition to the method of storing passwords, respondents pay great attention to how they use them. Thus, 28% of respondents prefer to choose a unique password for each resource. The same share use a set of several combinations. And only 17% of respondents use the same password for most tasks.
{{quote 'Men, unlike women, are more likely to use special password storage apps. The same trend can be traced among respondents with an income of over 60 thousand rubles. As a rule, this audience prefers to use several passwords for data protection and demonstrates a higher level of digital literacy. People who are less aware of these issues are more likely to use the same passwords for most tasks. By the way, men are less likely to use the same password: 13% of male respondents do this against 20% of women surveyed, says Irina Lobanova, head of the market research center of the National Payment Card System (World Plat.Form). }}
Artem Gutnik, head of information security at the National Payment Card System (World Plat.Form), notes that it is important to use different passwords. This way you can protect yourself in the event of a compromise of one of your passwords.
The results of the survey indicate that the majority of Russians use a fairly reliable method of storing passwords, says Artem Gutnik. However, a third of respondents who prefer to store their passwords on paper should think about a safer way.
{{quote "By far the safest way to store passwords is to remember them. However, this method also has drawbacks - you can simply forget the password. Using password storage applications will help solve this problem. At the same time, it is important to choose reliable solutions and download such applications from reliable sources, otherwise you can lose access to all accounts. Using auto-save in browsers and on your phone is safe if you exclude the possibility that someone will gain access to your device, where there is no lock password or it is known to a stranger. Storing passwords on paper is the most unsafe option, since the information recorded on it is the easiest for third parties to gain access to. It is not uncommon for people to put a sheet with recorded PINs in a wallet with bank cards, which in no case should be done," explains Artem Gutnik. }}
The majority of respondents (44%) set medium-complexity passwords. Only 1% of respondents reported using very simple passwords. A very complex password is most often created by young people from 18 to 30 years old, the opposite effect is characteristic of an audience from 46 to 65 years old.
The vast majority of survey participants (71%) use two-factor authentication. This is mostly the case for the higher-income group of respondents. The older age group uses two-factor authentication mainly on bank sites, and young people in social networks and cloud storage.
A personal survey of respondents was conducted by questionnaire, a representative All-Russian sample was 1205 people.
2017: Millennials don't like strong passwords
A study conducted in Great Britain by the company Experian, the results of which it published on August 3, 2017, revealed a growing generational gap in how people manage their accounts. Millennials are at greater risk of identity theft by putting convenience over security. Different age groups behave differently online: some are ready to put up with inconvenience but feel protected, others neglect safety measures, not wanting to leave their "comfort zone."
The Experian study once again demonstrated that people of different generations have their own characteristics of using the Internet and managing accounts, passwords and logins, - said Natalia Frolova, director of marketing at Experian in Russia and the CIS countries. - The younger generation prioritizes convenience and, as a rule, has no more than 5 unique passwords for all its accounts. In addition, such users usually log into multiple accounts using the same social network login. At the same time, they probably do not realize that the desire for convenience puts their personal information at risk. There is a rapid increase in the theft of personal data, the victims of which are representatives of this particular age group.
According to statistics from the Hunter system from Experian, in Britain every year the number of victims of personal data theft among users under the age of 30 increases by 5%, and those who live in different types of hostels, where several people constantly use one device to access the Internet, are especially vulnerable. In Britain, every third fraud involving theft of personal data is committed against this group.
The older generation chose the opposite line of behavior. Representatives of this category are much more likely to create a separate password for each account, taking care of data protection, even to the detriment of their convenience. One in four Britons reported using 11 or more passwords.
Of course, this amount of information is difficult to keep in memory constantly, Experian noted. Unsurprisingly, a significant proportion of over-55s are forced to make great efforts to remember their registration data. This strain on memory is a growing problem: 4 out of 10 respondents admitted that they are forced to use a password storage service so as not to forget anything. Constant reminders that passwords are better not written down but memorized contribute to increased vigilance, but at the same time increase stress. More than half (55%) of respondents use the same password for multiple accounts.
Experian's research also found confusion in understanding what an account is, with one in three respondents (31%) admitting to not knowing and another 61% choosing different definitions. Three in five Britons (61%) do not always understand what they are agreeing to when ticking the box while registering a new profile on the Internet, and every ninth (11%) never understands this.
A typical Briton has an average of 26 accounts, or logins, and from 6 to 10 regularly used passwords, added Natalia Frolova. - Today, convenience is of paramount importance for users. Therefore, the familiar and often annoying password recovery process, in which several "secret questions" need to be answered for authentication, may lose relevance. We may have already reached the password limit.
To prevent identity theft, Experian recommends:
- Do not respond to phone calls and e-mails from unknown persons.
- Create separate passwords for different accounts - especially for e-mail and Internet banking.
- Come up with strong passwords consisting of three arbitrary words - you can compose them by adding numbers and characters, as well as upper and lower case letters.
- When using public Wi-Fi networks, do not go to sites where you need to enter a password (for example, your bank, social networks and email) and do not enter personal information such as bank card details.
- Always download the latest software to your phone, tablet, or computer. This will increase your malware protection.
2016: Passwords are like lingerie - change them regularly and don't show them in public
- Create different passwords for different accounts. If you use the same credentials to log into different accounts, unauthorized access to even one of them puts everyone else at risk.
- Don't tell anyone your passwords. A password is a secret word or phrase by definition, so think well before passing it on to anyone.
- Change passwords regularly. Even if you use a strong password, change it regularly. You may not immediately notice unauthorized access to your account, so change your passwords regularly, or rather, create a schedule to change them so as not to forget about it!
- Do not use information related to your identity in passwords. A lot of strong passwords are hard to remember. To make it easier to remember passwords, many users use meaningful names and dates in them. However, criminals can use your publicly available information and social media accounts to obtain this data and solve passwords.
- Use two-factor authentication. Although creating strong passwords is the best first step towards security, adding an additional layer of protection in the form of two-factor authentication will never hurt. In this case, the password is supplemented by another condition. Often, this is a security code sent to the user's mobile device, and without this code it is impossible to log into the account.[2]
2014
Passwords compiled according to grammar rules are easy to crack
Researchers from Carnegie Mellon University developed an experimental password-guessing algorithm that uses grammatical rules and tested its efficiency on more than 1,400 passwords of 16 or more characters. About 18% of these passwords were made up of several words joined by the rules of grammar into a short phrase. Although such passwords are easier to remember, the presence of structure significantly limits the number of possible combinations and thus eases the task of cracking, the researchers point out.
The length of a password alone cannot characterize its strength. The difficulty of cracking two passwords of identical length can differ greatly depending on their grammatical structure. For example, there are fewer pronouns in the language than verbs, adjectives and nouns, and therefore the password Shehave3cats, beginning with the pronoun She, is much weaker than Andyhave3cats, beginning with the name Andy.
The researchers also considered the well-known tricks of replacing letters with similar-looking digits, changing case and adding punctuation marks at the end. In the authors' view, these too do not significantly increase the strength of passwords.
For most sites, it is better to use simple passwords
We have all heard more than once that unique and complex passwords should be determined for any account using a special utility to store them. However, researchers at Microsoft Research concluded that this approach may not be correct (data from the summer of 2014). At first glance, generally accepted recommendations look quite logical.
When using long and complex passwords for each site and service, consisting of random combinations of characters, the likelihood of cracking them is sharply reduced, and if a password is compromised, only one account is at risk. It is quite difficult to remember a random sequence of 10-20 characters, and here password management utilities come to the rescue, allowing you to store them all in one place. It's simple. In practice, most people ignore complex passwords, not to mention using a unique password for each site and service. With large-scale leaks, we see that few people follow the recommendations for choosing a password. The attitude towards password management utilities is also very skeptical: if you forget the password for the utility, you lose all your passwords at once, and if the corresponding program or service is hacked, the attacker gains access to all your information in full. Therefore, the researchers propose using simple passwords on sites that store data of no particular value, and keeping complex passwords for bank accounts. It's up to you. If, contrary to the recommendations of security experts, you continue to use simple passwords all the time, it may make sense to take this approach.
Password Resistance Criteria
Based on the approaches used to carry out the attack, criteria for a password's resistance to it can be formulated.
- The password should not be too short, as this makes it easier to hack it completely. The most common minimum length is eight characters. For the same reason, it should not consist of the same digits.
- The password should not be a dictionary word or a simple combination of them, this simplifies its selection by dictionary.
- The password should not consist only of public information about the user.
Recommendations for composing a password include using a combination of words with digits and special characters (#, $, *, etc.), using words that are not widespread or do not exist at all, and observing the minimum length.
Microsoft conducted a security study in the summer of 2014 and found that it is best to use short and simple passwords for sites that do not store personal information. Long and complex passwords should protect your accounts on web resources containing bank data, names, surnames, passwords, etc.
Password reuse has been taboo for security professionals in recent years after a huge number of cyber-breaches and personal data breaches. The recommendations of specialists seem quite logical.
Hackers, having obtained email addresses and passwords, could use these credentials against other sites to gain illegal access to them. In turn, password reuse on sites with a low degree of protection against cyber intrusions is necessary so that users can remember the unique codes chosen for more serious resources. Microsoft experts still recommend that users use simple passwords on free sites that do not contain important information. Best of all, IT experts say, 'hold' long and unique passwords for banking sites and other repositories of confidential information.
Digits and case do not make a password more reliable
A scientist from the University of Glasgow and his colleague from the Symantec research laboratory found that digits and uppercase characters do not make a password more reliable. The results were published in the fall of 2015[3][4] in the ACM CCS 2015 proceedings.
The researchers used intelligent algorithms that had been trained on a database of 10 million passwords available on the network in clear text. They then checked the effectiveness of the algorithms on 32 million other passwords. It turned out that digits and uppercase characters do not make a password harder to crack. That effect can be achieved by lengthening the password or using special characters.
Researchers say people typically use uppercase characters at the beginning of their password and numbers at the end. According to the authors, to make the password more reliable, you need to lengthen it and add special characters.
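The resistance criteria listed above, together with the findings that letter-for-symbol substitutions and a capital-first, digits-last layout add little, as an added example that is not part of the original article: a Python checker that applies the minimum length, repeated-character, dictionary-combination, public-information and predictable-layout rules. The word list, the user profile format and the substitution table are assumptions made for the example.

```python
import re
from functools import lru_cache
from typing import Optional

MIN_LENGTH = 8

# Constructed mini word list standing in for a real dictionary (cracklib ships a much larger one).
DICTIONARY = frozenset({
    "password", "welcome", "summer", "dragon", "monkey", "letmein", "football",
    "qwerty", "admin", "love", "cats", "have", "she", "picture",
})

# Assumed letter-for-symbol substitutions; the 2014 study notes they add little strength.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})


@lru_cache(maxsize=None)
def _is_word_combo(core: str) -> bool:
    """True if core is one dictionary word or a concatenation of dictionary words."""
    if core in DICTIONARY:
        return True
    return any(core[:i] in DICTIONARY and _is_word_combo(core[i:])
               for i in range(1, len(core)))


def _alpha_forms(pw: str) -> set:
    """Letter-only views of the password, with and without undoing substitutions."""
    lower = pw.lower()
    forms = {
        re.sub(r"[^a-z]", "", lower.translate(LEET)),  # P@ssw0rd! -> password
        re.sub(r"[^a-z]", "", lower),                   # Shehave3cats -> shehavecats
    }
    return {f for f in forms if f}


def _info_tokens(profile: dict) -> list:
    """Strings derivable from public data (assumed keys: first, last, born=YYYY-MM-DD)."""
    y, m, d = profile["born"].split("-")
    raw = [profile["first"], profile["last"], y, y[2:], d + m, m + d, d + m + y, y + m + d]
    # Longest tokens first so that "1990" is consumed before "90".
    return sorted({t.lower() for t in raw if len(t) >= 2}, key=len, reverse=True)


def _only_public_info(pw: str, tokens: list) -> bool:
    """True if nothing but separators remains after removing every public-info token."""
    rest = pw.lower()
    changed = True
    while changed:
        changed = False
        for t in tokens:
            if t in rest:
                rest = rest.replace(t, "")
                changed = True
    return re.sub(r"[^a-z0-9]", "", rest) == ""


def check_password(pw: str, profile: Optional[dict] = None) -> list:
    """Return the list of criteria the password violates (empty list = acceptable)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) == 1:
        findings.append("consists of one repeated character")
    if any(_is_word_combo(f) for f in _alpha_forms(pw)):
        findings.append("dictionary word or combination of dictionary words")
    if profile and _only_public_info(pw, _info_tokens(profile)):
        findings.append("built only from public information about the user")
    # Capital only at the start and digits only at the end: the layout crackers try first.
    if re.fullmatch(r"[A-Z][a-z]+\d+[^A-Za-z0-9]?", pw):
        findings.append("predictable layout: capital first, digits last")
    return findings


if __name__ == "__main__":
    profile = {"first": "Ivan", "last": "Petrov", "born": "1990-03-15"}  # constructed
    for candidate in ("11111111", "P@ssw0rd", "Shehave3cats", "Ivan1990", "blue-Tractor_unicorn7"):
        print(candidate, "->", check_password(candidate, profile) or "ok")
```

Andyhave3cats passes this checker only because "andy" is not in the sample word list; in practice the user's own name belongs in the profile so that the public-information rule catches it.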
Methods of protection against attack
Protection methods can be divided into two categories: ensuring resistance to breaking the password itself, and preventing the implementation of an attack. The first goal can be achieved by checking the password to be set for compliance with the complexity criteria. For such verification, there are automated solutions, usually working in conjunction with password change utilities, for example, cracklib.
The second goal includes preventing the hash of the transmitted password from being captured and protecting against multiple authentication attempts in the system. Secure (encrypted) communication channels can be used to prevent interception. To make it harder for an attacker to guess the password through repeated authentication attempts, a limit is usually imposed on the number of attempts per unit of time (an example of such a tool is fail2ban), or access is allowed only from trusted addresses.
Comprehensive centralized authentication solutions, such as Red Hat Directory Server or Active Directory, already include tools to perform these tasks.
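The attempt-limiting and trusted-address measures described above, as an added example that is not part of the original article: a small Python detector in the spirit of fail2ban that scans sshd-style failed-login lines, counts failures per source address inside a sliding time window, and reports the addresses to ban while skipping a trusted network. The log lines, the window and retry limits, the assumed year for the syslog timestamps and the trusted network are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in sshd style; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 29 10:00:01 host sshd[111]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 29 10:00:03 host sshd[111]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jun 29 10:00:04 host sshd[113]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
Jun 29 10:00:05 host sshd[111]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jun 29 10:00:07 host sshd[111]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jun 29 10:00:08 host sshd[111]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jun 29 10:01:00 host sshd[120]: Failed password for root from 203.0.113.9 port 52000 ssh2
Jun 29 10:02:00 host sshd[114]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jun 29 10:02:01 host sshd[114]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jun 29 10:02:02 host sshd[114]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jun 29 10:02:03 host sshd[114]: Failed password for root from 198.51.100.7 port 40006 ssh2
Jun 29 10:02:04 host sshd[114]: Failed password for root from 198.51.100.7 port 40007 ssh2
Jun 29 10:05:00 host sshd[121]: Failed password for root from 203.0.113.9 port 52001 ssh2
Jun 29 10:09:00 host sshd[122]: Failed password for root from 203.0.113.9 port 52002 ssh2
Jun 29 10:13:00 host sshd[123]: Failed password for root from 203.0.113.9 port 52003 ssh2
Jun 29 10:17:00 host sshd[124]: Failed password for root from 203.0.113.9 port 52004 ssh2
"""

# Matches the failed-password lines sshd writes (the "invalid user" part is optional).
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str, year: int = 2022) -> datetime:
    """syslog timestamps carry no year, so one is assumed for the example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log: str, maxretry: int = 5, findtime: int = 600,
              trusted=("198.51.100.0/24",)) -> dict:
    """Return {ip: time_of_ban} for addresses with >= maxretry failures within findtime seconds.

    maxretry and findtime mirror the fail2ban settings of the same name; trusted is an
    allowlist of networks (a constructed management network here) that are never banned.
    """
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log.splitlines():
        m = FAILED.search(line)
        if not m:
            continue                  # not a failed-password line (e.g. a successful login)
        ip, when = m["ip"], parse_ts(m["ts"])
        if ip in bans or any(ipaddress.ip_address(ip) in net for net in trusted_nets):
            continue
        attempts = recent[ip]
        attempts.append(when)
        while attempts and when - attempts[0] > window:
            attempts.popleft()        # drop failures older than findtime
        if len(attempts) >= maxretry:
            bans[ip] = when
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults, 203.0.113.9 is never banned because its five failures are spread over 16 minutes and at most three ever fall inside one 10-minute window; lowering maxretry to 3 catches it.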
Generating a password on Unix-like operating systems
On Unix-like operating systems you can use the pwgen utility. For example,
pwgen 10 1
will generate 1 password with a length of 10 characters.
Password cracking
Password cracking is one of the common types of attacks on information systems that use password authentication or a username-password pair. The essence of the attack boils down to the attacker taking possession of the password of a user who has the right to log in.
The attractiveness of the attack for the attacker is that if the password is successfully obtained, he is guaranteed to receive all the rights of the user whose account has been compromised, and in addition, logging in under an existing account usually causes less suspicion from system administrators.
Technically, an attack can be implemented in two ways: by multiple attempts at direct authentication in the system, or by analyzing password hashes obtained in another way, such as intercepting traffic.
The following approaches can be used:
- Brute force. Trying all possible combinations of the characters allowed in the password.
- Selection by dictionary. The method is based on the assumption that the password uses existing words of any language or a combination of them.
- Social engineering method. Based on the assumption that the user used personal information as a password, such as his first or last name, date of birth, etc.
Many tools have been developed to carry out the attack, for example, John the Ripper.
2022
Phishing tool that allows browser-in-browser attacks to steal logins and passwords
On March 23, 2022, it became known that a security expert known by the nickname mr.dox had published on GitHub the code of a phishing tool that allows you to create fake Chrome browser windows. Its purpose is to intercept access credentials (login and password) for online resources. Read more here.
Named the main ways to steal passwords from Russians
On February 1, 2022, Piarhab reported that the databases of stolen data on the darknet already number more than 8.5 billion passwords tied to a specific user, and this figure continues to grow. Russia in 2021 took first place in the world in the number of password leaks per capita - almost 20 per person.
Along with developing malware, attackers use social engineering methods and offline peeping.
By accessing the account, attackers can:
- steal money from bank accounts, exchange accounts, cryptocurrency platforms and deposits in online stores;
- steal accounts in social networks and other personal accounts in order to run scams aimed at users from the contact list;
- gain control over personal devices if the user uses the same password for all occasions.
Cyber specialists distinguish six main ways of stealing passwords.
- Phishing. Attackers take advantage of people's inattention and gullibility, disguising malicious letters as mailings from well-known companies or messages from the victim's loved ones. When a user goes to a fake site from such an email and tries to log in, personal data along with passwords become the prey of scammers.
- Vishing (telephone fraud). Swindlers call the victim and introduce themselves as employees of a bank, social fund or other organization. Under various pretexts, the scammers try to extract confidential information.
- Malicious software. There are many types of malware for stealing personal data, including keyloggers, user activity trackers, screenshot capture, etc. Sometimes it is enough to click on a dubious banner on the Internet for the malware to land on the device. Dangerous software is often distributed through mobile applications, especially if they are downloaded from unofficial sources.
- Brute force (password guessing). The abundance of accounts in various services pushes users to create simple, insecure passwords or to reuse the same keys. This plays into the hands of attackers, since it allows them to guess someone else's password by trying combinations. Brute force is carried out automatically, and templates from previously hacked accounts are used to speed up the process. In 2020 alone, 193 billion brute force attacks were carried out worldwide.
- Guessing. Sometimes you don't even need special software to crack a password, because it can simply be guessed. The most commonly guessed password since 2020 is "123456," followed by "123456789"; in third place was "picture1," in fourth "password."
- Shoulder surfing (peeping). This classic technique does not lose its relevance in the digital age. By covertly watching a person's actions in public places, one can find out not only the PIN code of a bank card, but also the password for a social network and other accounts. A more technological version of such an attack is the "man in the middle" method, when an attacker intercepts confidential data from a connection to public Wi-Fi. To do this, fraudsters create their own Wi-Fi network with the name of a shopping center or transport terminal.
To avoid password theft, you should:
- always use complex passwords with a large number of characters;
- never use the same password for different accounts;
- enable two-factor authentication for all accounts;
- use a well-rated password manager for safe password storage and easy sign-in;
- never provide credentials by telephone, even if the caller introduces themselves as an employee of a known organization and has personal information about the user;
- immediately change the password if the service's administration reports that the data may have been compromised;
- for logging in, use only sites that support the HTTPS protocol, which encrypts the data;
- do not click on links or open attachments in suspicious messages;
- download mobile apps only from official stores;
- use proven antivirus software on all devices;
- regularly update operating systems, programs and applications, as well as network equipment;
- beware of unnecessarily curious onlookers in public places;
- do not log in to accounts while connected to public Wi-Fi.
2021: A file with more than 8 billion passwords was posted online
On June 8, 2021, it became known that hackers had posted a file with more than 8 billion passwords publicly. According to the specialist portal CyberNews, the file is about 100 GB in size and contains over 8.459 billion lines, each of which is a separate password. This is the largest password leak in human history.
2019: Number of users attacked by password theft programs up 72%
According to Kaspersky Lab statistics, in 2019 the number of users worldwide attacked by password-stealing programs increased significantly, by 72%. Kaspersky announced this on January 28, 2020. In total, the company's products repelled such attacks on the devices of almost two million users. Password-stealing programs are able to extract information directly from browsers: logins and passwords for various accounts, saved payment card data and the contents of autocomplete forms.
In addition, in 2019 the number of phishing attacks, in which attackers typically try to obtain users' personal and payment data, increased significantly. During this period, Kaspersky Lab solutions prevented an average of 38 million attempts per month to redirect users to fraudulent sites. Phishers closely follow the news agenda and exploit public interest in major events and celebrities, devising official-looking lures and tricks to make a person click on a malicious link or hand over personal data.
"The amount of data generated by users is constantly growing, as is its value for attackers, who, in particular, sell other people's personal information on closed forums. Various methods are used to gain access to these assets, including password-stealing programs and phishing. If you find that your data from any service has leaked onto the network, you should immediately change the password for logging into your account. There are also basic rules, compliance with which helps to reduce the risks from possible leaks and malicious use of data," comments Tatiana Sidorina, senior content analyst at Kaspersky Lab.
To protect confidential information, Kaspersky Lab recommends that users:
- do not follow suspicious links in social networks, instant messengers and e-mail;
- install a reliable security solution, such as Kaspersky Security Cloud, which has an account checking function and notifies the user if their data has leaked onto the network;
- come up with strong passwords for all their accounts (at least 12 characters, with upper- and lowercase letters, numbers and special characters), change them about once every three months, and store passwords sensibly: not on a slip of paper or in the phone, but in a dedicated password manager;
- where possible, enable two-factor authentication;
- before installing a program, read the user agreement, which contains information about how the application will handle personal data;
- give applications access only to the features they actually require; if, for example, a flashlight application requests access to the microphone or camera, this is a reason to be wary;
- try the online tool Privacy Checker, a site containing descriptions of privacy settings.
The cost of passwords in the hacker market
Main article: Prices for user data in the cybercriminal market
Password Transfer Methods over the Network
Plaintext Password Transfer
The password is transmitted in clear text. In this case it can be intercepted with simple network traffic monitoring tools.
Transmission over encrypted channels
The risk of password interception over the Internet can be reduced, among other approaches, by using Transport Layer Security (TLS), formerly called SSL; this functionality is built into many web browsers.
Hash-based
The password is sent to the server already as a hash (for example, when a form is submitted on a web page, the password is converted to an MD5 hash by JavaScript), and on the server the received hash is compared with the hash stored in the database. This method of transferring a password reduces the risk of obtaining the password with a sniffer.
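What a passive observer actually obtains in each of the three transfer modes above, as an added example in Python that is not part of the original page: the user name, password, salt and message layout are constructed for the illustration. It also goes one step beyond the hash-based scheme the text describes, adding a server-issued nonce (challenge-response), to show the caveat a practitioner would want here: if the client sends the same hash every time, a captured hash can be replayed exactly like a captured plaintext password, so sniffing is only defeated when the value on the wire changes per login.

```python
"""Simulation of the three transfer modes above: plaintext, client-side hash and
challenge-response. Everything here (user name, password, salt, message layout)
is constructed for the illustration; it is not code from the page."""
import hashlib
import hmac
import secrets

PASSWORD = "correct horse"   # constructed sample secret


# Mode 1: plaintext. The message on the wire *is* the secret.
def plaintext_message(password: str) -> dict:
    return {"user": "alice", "password": password}


# Mode 2: client-side hashing (the text's example hashes with MD5 in JavaScript).
# The server stores md5(password) and compares it with what the client sent.
def client_hash_message(password: str) -> dict:
    return {"user": "alice", "password_md5": hashlib.md5(password.encode()).hexdigest()}


def server_accepts_client_hash(stored_md5: str, message: dict) -> bool:
    return hmac.compare_digest(stored_md5, message["password_md5"])


# Mode 3: challenge-response (assumed design, a step beyond the text). The server
# issues a fresh random nonce; the client answers with HMAC(verifier, nonce). The
# verifier is derived from the password once and stored server-side, so neither
# the password nor a reusable hash crosses the wire.
def derive_verifier(password: str) -> bytes:
    # Constructed: a fixed salt keeps the demo deterministic; use a per-user salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 50_000)


class ChallengeServer:
    def __init__(self, verifier: bytes):
        self.verifier = verifier
        self.outstanding = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:   # unknown or already used: reject (replay)
            return False
        self.outstanding.discard(nonce)     # every nonce is single-use
        expected = hmac.new(self.verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(derive_verifier(password), nonce, hashlib.sha256).digest()


def sniffer_replay_results() -> dict:
    """What a passive observer who captured one login can do with the capture later."""
    # Mode 2: the captured hash is accepted again verbatim; the hash is the credential.
    stored_md5 = hashlib.md5(PASSWORD.encode()).hexdigest()
    captured = client_hash_message(PASSWORD)
    replay_hash_ok = server_accepts_client_hash(stored_md5, captured)

    # Mode 3: the captured response is bound to a consumed nonce and is rejected,
    # both against that nonce and against any later challenge.
    server = ChallengeServer(derive_verifier(PASSWORD))
    nonce = server.challenge()
    captured_resp = client_response(PASSWORD, nonce)
    first_login_ok = server.verify(nonce, captured_resp)
    replay_same_nonce = server.verify(nonce, captured_resp)
    replay_new_nonce = server.verify(server.challenge(), captured_resp)

    return {
        "plaintext_exposes_password": plaintext_message(PASSWORD)["password"] == PASSWORD,
        "client_hash_replay_accepted": replay_hash_ok,
        "challenge_first_login_accepted": first_login_ok,
        "challenge_replay_accepted": replay_same_nonce or replay_new_nonce,
    }


if __name__ == "__main__":
    for name, value in sniffer_replay_results().items():
        print(f"{name}: {value}")
```

The nonce scheme only addresses passive interception. The stored verifier still lets anyone who obtains the server database log in, and an active attacker can still tamper with the exchange, so TLS remains necessary alongside any of these schemes rather than being replaced by them.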
Multivariate (two-factor) authentication
Main article: Multi-factor (two-factor) authentication
User Password Management Rules
Common methods for improving the security of password-protected software systems include:
- Enforcing a minimum password length (some Unix systems limit passwords to 8 characters).
- Requiring the password to be re-entered after a certain period of inactivity.
- Requiring periodic password changes.
- Assigning strong passwords (generated using a hardware random number source, or using a pseudo-random number generator whose output is processed by strong hash transformations).
For their own security, users should take several factors into account when composing a password:
- if possible, its length should be more than 8 characters;
- the password should not contain dictionary words;
- not only lowercase but also uppercase letters should be used;
- the password should consist of numbers, letters and special characters;
- the password must be different from the login (username);
- a new password must be used when registering on each new site.
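The user-side rules just listed and the "assigning strong passwords" item in the management rules above, turned into working code as an added example in Python (not code from the page): a checker that reports which rules a password violates, and a generator that draws from the operating system's random source until a candidate passes every rule. The word list, the minimum length of 9 (the text says "more than 8"), the set of special characters and the sample passwords are constructed for the illustration.

```python
"""Checker for the password rules listed above, plus a generator that satisfies
them from the OS random source (the 'strong passwords' route in the management
rules). The word list, minimum length and sample passwords are constructed for
this illustration; it is not code from the page."""
import secrets
import string

# Constructed stand-in for a dictionary; a real check loads a full word list.
DICTIONARY_WORDS = {"password", "qwerty", "admin", "welcome", "dragon", "letmein"}
MIN_LENGTH = 9                          # the rules ask for more than 8 characters
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # what counts as a special character here


def check_password(password: str, login: str = "") -> list:
    """Return the rules the password violates; an empty list means it complies."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains dictionary word")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both lower and upper case")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("needs a special character")
    if login and login.lower() in lowered:        # covers 'equal to login' as well
        problems.append("same as or contains login")
    return problems


def generate_password(length: int = 16, login: str = "") -> str:
    """Draw characters from the CSPRNG until a candidate passes every rule."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, login):
            return candidate


if __name__ == "__main__":
    for pw in ("admin", "Password1!", "Xk7#pQ2$mLz9", generate_password()):
        print(pw, "->", check_password(pw, login="alice") or "OK")
```

The generator uses rejection sampling rather than forcing one character of each class into fixed positions, so the result stays uniformly random over the alphabet; with 16 characters the loop almost always succeeds on the first try.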
2020: Rostelecom: 80% of Russian companies do not comply with basic password requirements
On June 4, 2020, Rostelecom-Solar reported that according to the results of the study, about 80% of companies do not comply with the basic rules of password protection. At the same time, in almost every tested corporate network, security analysts managed to obtain administrator privileges. This would allow a real cybercriminal to secretly develop an attack that is likely to lead to the theft of funds or confidential information.
Experts warn: password flaws can lead to complete compromise of the internal network and leakage of sensitive data critical to the organization. It is especially dangerous that the exploitation of such shortcomings does not require special technical means from the attackers and allows them to remain unnoticed for a long time inside the corporate network.
The Rostelecom-Solar study was based on data obtained by the company's experts during cyber exercises, penetration tests and security assessment projects for customers in banking, manufacturing, information technology, information security and other sectors. The simulated attacks followed two scenarios: penetration into the corporate network from outside, and the actions of an internal intruder.
The most common flaws found during external penetration testing were default passwords, weak and easily guessed passwords on user accounts (for example, "admin/admin," "admin/12345," etc.), and the absence of account lockout, which makes password-guessing attacks possible.
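The account lockout whose absence is described above, implemented over a handful of constructed authentication log lines as an added example in Python (not code from the page or the study): failures per account are counted in a sliding window, the account is locked once the threshold is reached, and attempts during the lock are rejected. The log format, account names, source addresses, threshold and durations are all assumptions for the illustration.

```python
"""Account lockout over a constructed authentication log: the control whose
absence the text above describes. The log format, account names, threshold
and window are assumptions for the illustration; this is not code from the page."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, result, account, source address.
SAMPLE_LOG = """\
2020-05-12T09:00:01 FAIL user=svc_backup src=10.0.0.7
2020-05-12T09:00:02 FAIL user=svc_backup src=10.0.0.7
2020-05-12T09:00:03 FAIL user=svc_backup src=10.0.0.7
2020-05-12T09:00:04 FAIL user=svc_backup src=10.0.0.7
2020-05-12T09:00:05 FAIL user=svc_backup src=10.0.0.7
2020-05-12T09:00:06 OK   user=svc_backup src=10.0.0.7
2020-05-12T09:05:00 FAIL user=jsmith src=10.0.0.21
2020-05-12T09:30:00 OK   user=jsmith src=10.0.0.21
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")
THRESHOLD = 5                      # failures tolerated inside the window
WINDOW = timedelta(minutes=10)     # sliding window for counting failures
LOCK_DURATION = timedelta(minutes=30)


def parse(line: str):
    """Return (timestamp, result, user, src) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def apply_lockout(log_text: str):
    """Replay the log through the lockout policy.
    Returns (decisions, locked_until): decisions is a list of (user, time, verdict)."""
    recent = defaultdict(deque)   # user -> timestamps of failures inside WINDOW
    locked_until = {}
    decisions = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if user in locked_until and ts < locked_until[user]:
            decisions.append((user, ts.isoformat(), "REJECTED_LOCKED"))
            continue
        if result == "OK":
            recent[user].clear()               # success resets the counter
            decisions.append((user, ts.isoformat(), "ACCEPTED"))
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:        # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            locked_until[user] = ts + LOCK_DURATION
            decisions.append((user, ts.isoformat(), "LOCKED"))
        else:
            decisions.append((user, ts.isoformat(), "FAILED"))
    return decisions, locked_until


def verdicts_for(user: str, log_text: str = SAMPLE_LOG) -> list:
    """Verdict sequence for one account, in log order."""
    decisions, _ = apply_lockout(log_text)
    return [verdict for u, _, verdict in decisions if u == user]


if __name__ == "__main__":
    for user, ts, verdict in apply_lockout(SAMPLE_LOG)[0]:
        print(ts, user, verdict)
```

The sample shows the trade-off as well as the benefit: the correct login for svc_backup at 09:00:06 is rejected because the account is already locked, so a lockout policy on its own can be turned into a denial of service against known account names. In practice it is paired with source-based rate limiting and alerting, and with a finite lock duration as here rather than an indefinite one.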
The main flaw found during internal penetration testing is employees using the same password for accounts with different privileges. For example, for security reasons system administrators are usually given two accounts: a user account under which they work by default, and a privileged administrative account used as needed. However, administrators often set the same password for both, which negates the security measures taken. Rostelecom-Solar experts exploited such flaws in most of the corporate networks examined.
Another common mistake is storing credentials on shared resources in the corporate network or on the PC itself, for example passwords in group policies, or passwords recorded by an ordinary employee in text files on a workstation. In such a situation, even an accidental malware infection on one employee's machine becomes a critical threat to the security of the entire organization. If an attacker lands on a user's machine and finds such a document, he instantly gains control of privileged accounts and penetrates deep into the company.
Shortcomings in password policies for corporate accounts were identified in some organizations. In particular, no requirements are imposed on the length of passwords or on the character classes they must contain (lowercase and uppercase letters, numbers, special characters). A number of shortcomings relate to the frequency of password changes: some companies have no such requirement, while in others it is excessively strict (for example, changing the password every month), which usually pushes employees toward overly simple character combinations and writing them down on insecure media.
"The main reason that leads to such shortcomings is the human factor. Employees of companies often have insufficient cyber literacy and, as a result, try to either simplify passwords, or store them in the public domain: in a file on a computer or on a sticker next to the monitor. On the other hand, system administrators themselves sometimes do not sufficiently monitor how credentials are stored, or allow users to create weak passwords. Often, when new accounts are established, a simple default password is set in them by default, which is then not changed for a long time, " noted' Aleksandr Kolesov, Head of Security Analysis at Rostelecom-Solar |
According to the company's experts, the problem can be solved by introducing two-factor user authentication. However, because of the complexity of implementation and the high cost of the service, many companies do not do this. A more affordable option is to train employees in the basics of cyber hygiene: explaining the rules for creating strong passwords and storing them securely, including using dedicated databases and programs.
2014: Password theft is the main security risk for corporate data
Research shows that about 40% of all users choose passwords that are easy to guess automatically. Easily guessed passwords (123, admin) are considered weak and vulnerable. Passwords that are very difficult or impossible to guess are considered stronger. Some sources recommend using passwords generated by applying strong hashes such as MD5 or SHA-1 to ordinary pseudo-random sequences.
Password theft is the main security risk for corporate data. Experts from the antivirus company ESET (Slovakia) warned about this in the summer of 2014. 76% of network attacks on companies were made possible by weak or stolen passwords (UK Department for Business, Innovation and Skills and PwC). The average loss from a breach depends on the type of attack and current data protection legislation and reaches 199 euros per account. At the same time, parameters such as staff downtime, reduced productivity, reputational damage and loss of assets, including intellectual property, cannot be calculated (Ponemon Institute: 2013 Cost of Data Breach Study: Global Analysis).
Cybercriminals focus on small and medium-sized businesses. They are not always the primary target, but are often attacked because of existing security gaps. According to some reports, 67% of cyber attacks are directed at small companies, while 76% of attacks are unplanned. 75% of attacks are carried out by criminals for financial gain (Verizon Data Breach Report, 2013).
66% of corporate security breaches can go unnoticed for months, putting corporate information at risk. Among the most common security holes are password problems: 61% of users use the same password everywhere, and 44% change their password only once a year (CSID Customer Survey: Password Habits 2012).
What you can use instead of a password
In 2004, Bill Gates predicted the death of password protection, and since then its hold has gradually weakened. Although passwords are known as one of the oldest security tools in the world of software and the Internet, they are increasingly failing users, unable to ensure the security of the most valuable information. The weak link of password protection is poor manageability; people are simply tired of it. Almost every one of us has many online accounts: banking, medical, online stores and social networks. On average there are 40 accounts per person. It is almost impossible to remember a different password for each of them, and therefore people resort to all kinds of tricks.[5]
Numerous types of reusable passwords can be compromised, which has driven the development of other methods. Some of them are becoming available to users seeking a safer alternative.
- One-time passwords
- Biometrics
- Single Sign-on Technology
- OpenID
Iris scanners
The next step in the development of iris recognition software is a gaze-gesture recognition system. It will allow users to unlock phones or log into bank accounts by focusing on eye movements. One element of the pattern that it will take into account is blinking. In the future, this biometric password could be deployed on all mobile devices and computers.
Brainwaves
Instead of asking for a password, the computer could measure the user's brainwaves through a paired wearable electroencephalography device. The sensors would scan brain activity, which could then be used to trigger a specific software action, such as unlocking a mobile device.
That password protection is outdated has been actively discussed for the past two decades; however, there have never been many alternatives. Today, at the dawn of contactless authentication, there are fewer and fewer reasons to return to protection with static passwords that are easy to guess. There are more options than ever before, from two-factor authentication to biometric and hardware keys that help protect your company and valuable data.
Patterns of heart rhythms
Researchers have devised a way to use heart rhythm samples for security. Tracking is done with wearable devices that capture a person's heart rhythm and turn an electrocardiogram into unique keys that can unlock phones or open apps.
Hardware keys
Switching to offline authentication with a physical key may seem outdated, but what matters is that it provides reliable protection against hackers. Hardware security keys with USB, NFC or Bluetooth connectors can be used to move securely between smartphones, laptops and computers. FIDO (Fast ID Online) security tokens work as follows: users connect them to a computer to authenticate their account, and then they can be disconnected. This is a convenient solution for employees who work with devices not only in the office but also at home.
SMS
In the consumer sector, SMS is increasingly used as a form of verification for logging into online services. To do this, users provide a phone number that is usually linked to the account in advance. At login, they enter their phone number and receive an SMS message with a code, which they must then enter. No password is required.
Fingerprint Identification Technology
Touch ID technology has existed for several years, but it still depends on entering a password: after a timeout, access falls back to a PIN code. It is possible that in the future, in addition to mobile phones, other devices will be unlockable by touch: laptops, computers, electric cars and even entrance doors. By encouraging employees to use fingerprint identification more widely as part of multi-factor authentication, for example together with a PIN code, an enterprise will thereby provide greater security.
Digital fingerprint
An analysis of device characteristics can be used as a form of password, provided that the behavior of the network and device and its location repeat regularly. These characteristics create a "digital fingerprint," and if unusual activity is detected (for example, logging in from a place where the device logically should not be, or logging in from someone else's computer), access will be denied or an additional security check will be triggered for the account: the user will be sent an e-mail warning about the login to their account, or a push notification.
Signature recognition
Whenever you pay with a bank card or have to sign on a digital screen with an electronic pen, signature recognition systems are used to confirm your identity. In this case, the system compares your signature with the sample signature stored in the banking system.
However, this is not a simple comparison of two pictures. The security software does not just place the two images side by side to check whether they match, or are at least similar. Instead, the signature recognition system compares how the two images were created, looking for the same behavioral pattern.
Advantages and disadvantages
Although it may seem quite easy to forge a signature, it is nevertheless almost impossible to reproduce the writing speed and the pressure applied. So signature recognition systems using the most advanced technologies are becoming an ideal replacement for passwords in transactions, for example with corporate bank accounts.
However, like all other identification methods, this one has disadvantages. One of the main ones is that, for a number of reasons, each of us may sign differently, and this is a serious problem. For the system to be practical, it must be able to distinguish, for example, a signature made slowly because of some kind of injury from one made slowly in an attempt to forge it.
In addition, at least at present, this is not a fully effective way to access services. Indeed, when you sign something while paying, this data is not used in real time. Instead, the data is sent to your bank, where it will be checked later.
However, the flaws in signature recognition systems do not close the door on this technology. It is likely that in the future corporate banking operations will be authorized simply by signing on a tablet or smartphone.
Emoji-based passwords
As of summer 2015, the British company Intelligent Environments claimed to have invented a way to use a sequence of emoticons, pictures expressing emotions, to replace the numeric PIN code on a smartphone, so that our brain can remember the sequence more easily, because people remember a meaningful sequence of pictures more readily. The use of an "emotional" PIN is based on people's evolutionary ability to remember images. In addition, the increased complexity of this method makes guessing the PIN code harder.
The traditional four-digit PIN is four digits from 0 to 9, chosen with repetition: 10^4, or 10,000 combinations in total. The number of "emotional picture" combinations is 44^4, or 3,748,096, which, you will agree, is much larger.
It is worth noting that this technology most likely belongs to the future, and a fairly distant one.
Password history
Passwords have been used since ancient times. Polybius (201 BC) describes the use of passwords in ancient Rome as follows:
"The way they ensure safe passage at night is as follows: out of the ten maniples of each kind of infantry and cavalry, which is located in the lower part of the street, the commander chooses a man who is freed from guard duty, and he goes to the tribune every night and receives the watchword from him - a wooden tablet with a word on it. He returns to his unit and then passes the watchword and the tablet to the next commander, who in turn passes the tablet to the next."
Passwords were used in computers from their first days. CTSS from MIT was one of the first open systems, appearing in 1961. It used the LOGIN command to request a user password.
Robert Morris proposed the idea of storing passwords in hashed form for the UNIX operating system. His algorithm, known as crypt, uses a 12-bit salt and invokes a modified form of the DES algorithm 25 times, reducing the risk of precomputed dictionary attacks.
See also
- biometrics
- authentication systems
- biometric identification technologies
- phishing
- trojan
- Cyber attacks
- Cybercrime in the world
- Information Security - Encryption Tools
- DLP - Data Breaches
- Regulation of personal data in the Russian Federation
- Personal Data Law No. 152-FZ
- Protection of personal data in Russia
- Protection of personal data in countries of the world
Notes
- ↑ Apple, Google and Microsoft are switching to passwordless authorization
- ↑ TeamViewer, a provider of software for remote device management and interactive collaboration, celebrates World Password Day (May 5, 2016) and shares simple and effective tips for protecting credentials. In addition to creating strong passwords, TeamViewer strongly recommends that users enable two-factor authentication as an additional layer of protection against unauthorized access.
- ↑ Monte Carlo Strength Evaluation: Fast and Reliable Password Checking
- ↑ Digits and letter case do not make a password more reliable
- ↑ Identification and access control: what methods will appear in the future?