90% of passwords are easy to steal: how to avoid it

However, in that time, smartphones have made every company employee carry a part of their job's security with them. Before, the risk ended when they left the office; with smartphones in use all day and everywhere, the share of security that falls on each employee has grown enormously.

The most recent studies, cited by ZULA, a modular security company serving businesses, reveal that 90% of hacked companies were breached because the attackers managed to obtain the password of one of the employees. That usually ends up being the gateway for cybercriminals.

Gifted keys

It is so easy to steal passwords that, according to a report by IT Governance, there are currently records of 10 billion compromised passwords. Faced with this, there are common errors that are very easy to correct and recommendations to make the job more complex for attackers.

To begin with, the most vulnerable passwords are those with no complexity, those that mix no character types. For example, those made up only of numbers, only of lowercase letters, or those that are very short. Many people use nothing more than numbers and, in some extreme cases, consecutive numbers such as 123456, which is the most obvious choice but, according to ZULA specialists, is still observed with some regularity.

The other common mistake is using commonly used words combined with simple numbers. For example Tuesday1. Many users, when the system asks, for security reasons, to update the password, appeal to the continuity of said logic, and then change it to Tuesday2 and so on.

The other common mistake, which allows passwords to be easily stolen, is using personal data: name of the cat, dog, family members, representative dates, etc. The attackers, very prepared in the matter, look for the information on Facebook and by knowing the person they have a high chance of being able to guess the password they use.

“This is called ethical hacking: they investigate the person’s behavior to then be able to steal their password,” said Alan Burastero, systems engineer and CEO of ZULA.

According to the company's records, a very high percentage of men (over 70%) use their soccer team as a password, while, on the other side, a large share of women choose their pet's name when setting one.

So what to do?

Faced with this complex panorama, in which attackers have more and more tools and deception tactics, and users have more and more cell phones and hours of screen time to be exploited, there are some simple recommendations that can, at the very least, make the task of cybercriminals considerably harder.

The main recommendation is to use mnemonic rules and modify some of the words. For example, if while reading this we have a cup of coffee with a spoon and some papers in front of us, we could use those three words, changing one letter in each and putting, for example, a dot between them.
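The weak patterns described above (digits only, lowercase only, very short, consecutive digits, a common word plus a simple number, personal data, and the Tuesday1 to Tuesday2 rotation) can be turned into a checker. The following is an added example, not code from the article or from ZULA; the minimum length, the small word list and the personal-terms list are assumed and constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample of personal terms an attacker could harvest from social media
# (pet names, soccer club, family names). In practice this is built per user.
PERSONAL_TERMS = {"boca", "river", "firulais", "luna", "martina"}

# Constructed stub of a dictionary of commonly used words.
COMMON_WORDS = {"tuesday", "password", "welcome", "summer"}

MIN_LENGTH = 12  # assumed threshold; the article only says "very short"


def _has_consecutive_digits(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` ascending or descending digits in a row (1234, 6543)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isdigit():
            continue
        diffs = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def weakness_reasons(pw: str, previous: Optional[str] = None) -> list:
    """Return the article's weak patterns that apply to pw; an empty list means none found."""
    reasons = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if pw.isdigit():
        reasons.append("digits only")
    elif pw.isalpha() and pw.islower():
        reasons.append("lowercase letters only")
    if _has_consecutive_digits(pw):
        reasons.append("consecutive digit sequence")
    m = re.fullmatch(r"([a-z]+)(\d{1,3})", lower)
    if m and m.group(1) in COMMON_WORDS:
        reasons.append("common word plus a simple number")
    if any(term in lower for term in PERSONAL_TERMS):
        reasons.append("contains personal data")
    if previous is not None:
        # Detect the rotation the article describes: Tuesday1 -> Tuesday2 -> ...
        pm = re.fullmatch(r"(.*?)(\d+)", previous)
        nm = re.fullmatch(r"(.*?)(\d+)", pw)
        if pm and nm and pm.group(1) == nm.group(1) and int(nm.group(2)) == int(pm.group(2)) + 1:
            reasons.append("only the trailing number was incremented")
    return reasons
```

A three-word mnemonic with one letter changed in each and dots between them, such as Cap.Spoom.Pipers, passes every check, while 123456 and Tuesday1 trip several at once.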

The other central aspect, beyond how we create passwords, is how we save or store them. The truth is that many of the passwords are stolen because they are easy, as we said, but others because the attackers enter the computer and extract the file where we have them saved.

This is where the so-called “infostealers” enter the scene, specialists in stealing passwords stored in flat files. What they do is give you something you want (a video, a file, anything), but what they are doing, through what you download, is stealing things from your computer (for example, your passwords).

How to save passwords

Returning to the previous point, and given that today we have and continue to generate hundreds of passwords for any action that we want to do through a site or app, the first recommendation is not to save them in a flat file, one of those that information stealers can steal easily.

There are, for both business and common user use, products that store passwords in a secure and encrypted manner, including backup and strict access control.

“In the case of companies, today 80% of them do not have a system to store these keys,” said Alan Burastero. The truth is that they are usually saved on a person’s machine, as a flat file, which is exactly what should be avoided.

What would be appropriate, especially for companies, is for these passwords to be not only encrypted but also stored in “envelopes” or “chests” that can only be opened with strict prior approval. At that point you have control over the flow of approvals and can trace, if a password is stolen, who has used it.

The ideal, or most recommended, approach is to use systems that provide secure and encrypted storage, with a record of every opening, approval criteria, traceability and audit logs. And, in turn, avoid handling the password itself, which is often how it leaks (that is, use the password without having to know it).

In the case of individuals, it may not be necessary to go that far. But at the very least, avoid words such as the names of your loved ones or your club, and combine letters and numbers with some degree of variety and complexity.

Source: Ambito
