You’d be amazed at how easy it is to create a secure password in 2019 and yet so many people don’t!
Despite the increasing efforts that many websites put into security precautions, it’s a two-way street and users need to catch up and take responsibility too. Weak passwords are still a common way to hack someone, even in 2019.
The National Cyber Security Centre released a list of the most common weak passwords found by analyzing data from 100 million passwords leaked in data breaches.
The top ten weakest passwords are the following:
Other noteworthy entries near the very top include things like “000000” and “Iloveyou.” The primary spot has been held by “123456” for years now, however.
A Secure Password in 2019 Should Be Complex, Unique, and Random
The above-mentioned passwords don’t even meet the minimum requirements of what’s considered a safe password nowadays. Today, truly secure passwords will have:
A mix of upper and lowercase letters
Don’t think for a second that such passwords are bulletproof. They can also be cracked if you aren’t careful with how you create them.
Creating a Secure Password in 2019
The following ten tips will help you create a truly secure password in 2019 and avoid the most common mistakes that lead to breaches.
Avoid simple passwords like the ones on the list above
The fastest way your account will be compromised is by setting a weak password. While it’s bothersome to use all these safety measures like mixing cases and special characters, it’s more irritating to try to cancel credit card payments you never made.
Don’t use simple to guess data
Avoid putting your name, the names of family members, or even the names of your pets because this is a sure fire way to become compromised in record time. Also, never use your username as a password too. That’s another easy guess.
An easy way to recycle a password safely is to switch for a designated number of spaces on the keyboard. For example, if your password was “ThiSisS3cuRe” (This is secure), you can instead use the keys that are one space to the left. Instead of “T” you would use “R” and so on. This will get you what seems like a completely random sequence: “RguSuaA2xzEw.” And yet, you will know how you got it.
Change passwords regularly
Many people experience a breach because they never change their passwords. Passwords get outdated quickly, and as time goes by, what was once considered complex can now easily be cracked and guessed.
Some services prompt you to change your password regularly, which is not a bad idea, but many users then choose a simple password to get it over with. That’s a bad practice, and however annoying you might find it, every password change should have a complex password.
Top Tip: Change your passwords every 6 months and set a reminder on your phone to do it so you don’t forget!
Use a different password for each account
Never use a master password for all your accounts. That increases risk in case of a breach. Imagine your business email or banking information is suddenly jeopardised because you used the same password as on some random and less secure site. Each account should have its own password.
Use randomly generated passwords
Google Lock has a password suggestion mode that offers you to create a randomly generated password instead of thinking of one yourself. This is a convenient service, but it can be hard to remember all such passwords without a system behind them.
Don’t write down passwords
You might find it convenient to write all your passwords on a piece of paper, or in a notepad. Be aware that any type of data that’s not encrypted is not safe. Usually, it’s considered okay for home users to write down passwords on a piece of paper so long as they are kept out of sight (and not taped to the computer!), but never do that at work, or you risk someone using your workstation for malicious intent.
Find a password manager that suits your needs
If you find it hard to remember all passwords, use a password manager. These are pieces of software that remembers all your passwords so you don’t have to. There are free and paid options available, and some are online, others are offline. Go through reviews to find the best deal for you.
The point to note here is that you’re storing all of your passwords in one place, so make sure you pick an encrypted system that is extra secure! if you don’t have enough passwords to use a system like this, it’s best to avoid!.
Develop your very own system to encrypt your passwords. One good way to do this is to have a sentence that will remind you of a password. For example, you have a pet cat and wish to base your password off of it. Instead of using your cat’s name mixed with a few numbers, use a sentence such as:
“My cat Garfield loves lasagna.” and then encrypt each part:
My cat Garfield = McG
Loves = <3
Lasagna = LsgnA
So your password will be “McG<3LsgnA”
Use two-factor authentication
Reduce the risk even more and use two-factor authentication in addition to having a strong password. On the off chance that somebody manages to crack your super complex password, two-factor authentication will keep them from doing anything else.
Such authentication is bound to a token or a phone app that generates a random string of (usually) six numbers that rotate every 60 seconds, which are unique to your account. Without this second step to prove it’s really you, hackers won’t be able to access your account at all.
Cybersecurity Rests on You Choosing a Secure Password in 2019
With our increasing reliance on our phones, computers, and other internet-connected technology and accessories, security is more important than ever. To be able to recognise when our tech might be compromised can save you from potential catastrophic losses. It’s therefore important to be on the lookout for computer malware signs.
How often do you pay for something using your credit card or online wallet? How many passwords do you have saved or “remembered” so you can quickly log in? Hackers can gain access to your devices in numerous ways, but in many instances, it’s not immediately apparent.
In a business environment on a company network, this can give hackers access to the same shared systems and folders that your computer has access to, leading to a data breach with far-reaching consequences. All it takes is for a high-level executive, member of the C-suite, or HR personnel with access to sensitive records to click that infected email and it’s game over for some businesses.
Being aware of the dangers and spotting the computer malware signs is, therefore, more important than ever to prevent the disastrous effects of a successful cyberattack. These are the warning signs of a possible data breach and that your system has been infected.
20 Computer Malware Signs To Be Aware Of
Very often, malware and viruses will be disguised as regular notifications. Your computer will display the notification, often saying that your PC is infected and offering help to remove the threats. If you accept “help,” you will be prompted to visit a website and leave your credit card information to pay for the service of removing the threat. Even though such an attack pattern is not new and has been present for a while, people still fall for it very often. This is the most common of all computer malware signs.
2. Sudden Sluggish Performance
If you notice that your computer is slower than usual, the first thing to do is check the TaskManager. You can access it by simply writing “Task Manager” after hitting the Windows key on your keyboard.
Once there, check the Performance tab to see whether any of your hardware is being used too much: the CPU, memory, disks, or GPU. Chances are, your memory might be compromised by malware.
Some glitches in your system might appear like your computer has a mind of its own – usually a brief glimpse of a registry change or your mouse moving by itself. In most cases, these are just little glitches – a speck of dust on the mousepad, for instance. But this could also be one of the computer malware signs. If mouse movements are deliberate and make sense, like the mouse moves and opens or closes applications, then you are definitely dealing with a far more serious threat than a dusty mouse pad.
To disable this kind of remote access, the first thing you should do is disconnect your PC from the internet, disable network drivers so it can’t connect again, and make sure any connectivity options are disabled, e.g. Bluetooth. Then, you can start dealing with removing the issue.
Your computer might crash for no apparent reason. Often, software and hardware incompatibility are to blame, but if this is excluded, computer malware infection is a real possibility. To see what the crash was caused by, go to Event Viewer by hitting the Windows button on your keyboard and writing “Event” – it should be suggested as the first option. Once opened, go to Windows Logs and go through those that are marked as an error. This will give you more insight into what caused the crash and help you or your IT team find a solution fast.
5. Low storage
If your computer is suddenly running low on storage, it might be that you have not been paying attention to how much you have left. Some malware and viruses, however, are programmed in such a way that they replicate endlessly until they use up all the storage space you have.
Always ensure you know how much space you have left. If you know for sure that your hard drive partitions had more than enough, suspicious activity is to be expected.
6. You Don’t Appear to Have Security Measures Working, e.g. No Antivirus etc.
Your computer might notify you that your security isn’t working – that your antivirus has been disabled. If this is the case, check the status of your antivirus immediately. While this can be a system glitch while your antivirus is updating, it is often a sign that you were infected.
If you can’t get your antivirus software up and running, you will have to either install a new antivirus and antimalware software or, if you’re using a paid version, contact your antivirus manufacturer’s support and let them lead you through the recovery process.
Malware software can also cause pop-up ads, new tabs in browsers, or change homepages, and search engines, without the user’s consent. To get rid of these annoying pop-ups and ads, you will have to find the infected software and remove it from your device.
8. New Icons on Your desktop
If you notice a new icon on your desktop that you don’t know the origin of, suspect foul play right away as new icons are computer malware signs. Malicious software might be installed on your device, threatening to steal your credentials, cause havoc, or even lock you out. If this is your work computer, contact your IT department right away as it could have been installed on the network, not just your own device.
9. Corrupted folders or Missing folders
If you get a prompt your file is corrupt or you realise some folders are missing from where they are supposed to be, it could be an infection. Some malicious software will not be after your credit card data – the intent can simply be to erase all your data from your drives. While this is less of a threat today than it was before thanks to various online storage solutions, not all your data is stored online. If you have lost files, a system restore might be a way of getting them back.
Some malware acts as a simplified version of ransomware by locking you out of your computer until you pay. But, unlike hardcore ransomware, there are some things you can usually do to unlock it.
Using Windows safe mode might do the trick. Once you have booted Windows that way, you can run a virus scan and remove the ransomware. There are also dedicated ransomware removal tools from established antivirus brands, and even Microsoft itself has tools available. Another option is to use System Restore to restore your computer to a version that wasn’t infected yet.
11. Errant Messages
Your system might notify you that an application requires permission to do something, for example an application trying to change something on your computer or connect to the network. This usually happens when you start up, update or install a new application. However, if none of these have happened recently and you’re still getting the messages, your PC might be infected.
12. Redirecting Web Browsers
If you notice that your browser started redirecting you to random sites, you might be dealing with a browser redirect malware, whose aim is to use these redirects to artificially boost traffic to such sites, gather search data, or to try to scam users and steal their personal data. Search for suspicious programs on your device if you suspect this to be the case.
13. New Home Pages
If you open your web browser and your homepage is changed, you need to check which program might have caused this. Usually today, a lot of software will come with additional taskbars or options to change your homepage while you install them. You can opt out of it easily during installation, but many people oversee this. While such changes and additions might not be viruses themselves, they often lack proper security and can easily be used as a point of entry.
14. You’re (Not) Reaching Out
You might find that new conversations are popping up in your email inbox or social media that were started by ‘you’, but you can’t recall starting them.
These spam messages encourage your contacts to click on links that will then infect them. A popular scam is the malware will send an SOS email or message saying you’re stranded and need cab money or a train ticket. It might not seem like a lot but if every one of your friends and every one of their friends become infected, it’s a lot of potential.
15. BSOD – Blue Screen, Will Not Boot
If your computer suddenly becomes unresponsive and you see the dreaded blue screen of death (BSOD), it could be malware.
However, BSOD often happens after you install new software or hardware. Check whether you have the latest drivers installed for all your components and search for possible incompatibility between programs and hardware you are using.
If this is not the case, you will have to consult the Event Viewer again to see what exactly caused the BSOD.
16. Credit or Bank Purchases
If you get notified that there were purchases made with your credit card, or money was taken from your bank account but you didn’t do it, ask your bank to verify how payment was made. If it was done using your card (not in person) it means it was an online transaction. This can mean your device is compromised and they’ve taken the details, particularly if you have them saved e.g. Google online.
Cancel your cards, disconnect from the internet and do a thorough sweep of your devices to make sure that the breach didn’t come from them.
17. You can’t login to your accounts
If you can’t get access to your account because your password suddenly isn’t working, there’s a good chance you’re dealing with a case of account theft. This is already one of the serious computer malware signs. Always have a fallback option for such cases – a way to reset your password via your phone number, for instance. To minimise such a risk, have two-factor authentication that will request a code sent to your phone or a generated code from an app installed on your phone.
If you get a notification from your authenticator, for example, a code on your phone but you’re not trying to log in, check your system for malware and change your passwords immediately. It could be someone with a keystroke logger.
18. Your Hard Drive Appears to Be Constantly Working Even When Doing Nothing
Erratic and sluggish operations can be caused by a lot of software and hardware issues. To see what is happening, you will have to open your Task Manager by hitting your Windows key button and typing “task manager” for it to appear on the list. Once opened, look at the performance of your hardware. If you see that your disk is on ‘100%’ most of the time, you will have to check which processes are running and might have caused this. Note that certain Windows processes might cause this from time to time – recently microsoft.photos.exe, a legit Microsoft application, was causing this issue for some users.
If you find any other applications that are unfamiliar to you and are using your disk fully, terminate the process by right-clicking on it and selecting the “End Task” option. Find which program the task belongs to in order to see whether it’s a real malware or virus issue or just an incompatible program.
19. File Names Change or Are Missing
Any changes to files – either the names or the location of the files – should immediately be attributed to malicious software activity. A deep scan with a dedicated software will be needed to find the infection. Any files that were affected – renamed, deleted, or removed – might be beyond saving, so always make sure you have your data securely backed up online.
20. Unusual login pages
Any changes to login pages you often use – either for work or personal – should be deemed suspicious. Usually, changes like this are announced in advance, so check for news about the changes before you log in. Any pages that require your work, Google, or social media account credentials (both username and password) for login should also be avoided as these might be phishing sites that are trying to steal your credentials.
If you’ve navigated to the page through an email, close the tab and go to the company you’re trying to login to directly. If you don’t recognise the site, NEVER give your credentials away!
It’s important that if you feel there is something wrong with your computer, particularly if you are on a company device or part of a shared network that you report it! Small and subtle changes can lead to big data breaches and catching malware early is key.
We’d all like to think that hackers are spending weeks on end planning their every move to attack a business but the truth of it is nowhere near as exciting. Although this could happen to a big target, for most people it’s a lot more boring and they get ‘accidentally’ caught in the net as hackers looking to make a quick buck send out malware or ransomware hoping someone will fall into the trap.
That doesn’t mean the effects aren’t any less devastating!
So, to make sure you can protect yourself, let’s look at the various different tactics hackers use to try and steal your business’ data.
1. Relying on Human Error
We’re sorry to say that lack of education in businesses and human error by employees account for a large portion of breaches in our experience. For example, employees attempting to access internal systems from unsafe locations, using personal (infected) devices on the network, or clicking malicious links in an email. Hackers cast their net far and wide, and the likelihood is someone will click something and open the door. And that’s all they need.
Hackers also pray on the lack of oversight from business owners on their employees. According to Keeper Securities’ State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, 59% of small businesses do not have insight into the types of passwords employees use. This means that although the company is liable for a breach, they aren’t enforcing or even aware of the security standards of the passwords in use.
Phishing is one of the most common tactics hackers use. This is usually in form of an email that is spoofed to look like it’s coming from another sender, like your bank, or ISP. It will urge you to act immediately or you might lose your account, money, or face infractions. 48% of hacks on companies last year found that phishing or social engineering were the result.
Here are the warning signs you need to look out for in a phishing email
3. Public/Free Wi-Fi
Public computers and Wi-Fi networks are notorious for being plagued with malicious software that “sniffs” for data packets while you are using them. You risk losing your account data as soon as you type in your password.
4. Phone Calls
Surprisingly these still work and is still one of the tactics hackers use! Hackers have been known to ring you claiming to be your bank or an organisation you’re affiliated with and ask you to confirm details over the phone. For example, banking pins or passwords as well as talking to you about family data or information, like your mother’s maiden name to get the ‘security question’ answers or take a stab at your password. If you feel a phone call is suspicious, never hand over your data, simply tell them now isn’t a good time and hang up.
5. Weak Passwords
Lazy, generic and consequently weak passwords are the easiest way for hackers to get access to your accounts. Many small business owners admitted that, while they still have password strength policies, 68% do not enforce them. A generic or commonly used password like 12345, makes it easy for hackers to gain access to your email or computer.
Check out our article below on protecting your password from hackers:
6. An Out-of-Date OS
While nobody likes how long OS updates take, they exist for a reason: to address flaws within the code that can potentially be exploited. Without regular updates, you enable easy access to hackers who are aware of the weak points.
7. Infected Attachments
It’s not just the links you should be wary of in an email. Masked to look like images or documents, they often carry viruses, malware, or spyware, like a keylogger that will install to your device and record your every keystroke to get your passwords that way.
8. Dodgy Devices
Be wary of those free devices being handed out to you as “freebies” in many cases, hackers can load malware or keystroke loggers on them so that when they are entered onto the computer they immediately infect it.
9. Pineapples – Spoofed Wi-Fi Points
A Wi-Fi pineapple is a fake Wi-Fi access point that has been purely set up to steal your data but it masks as public Wi-Fi. From the hacker’s point of view, they have multiple programs and software running to gain access but to the unsuspecting user, they just jump on as usual and voila, instant access to your data.
10. Unsuspecting Accessories
Your new smart lock, phone controlled thermostat, camera that is enabled to a network, card reader or any other online accessory all have access to your network. Hackers can use these as easy points of entry if they aren’t protected correctly to access your network and get to your data that way!
Unfortunately, we’ve only just scratched the surface of tactics hackers use to access your data and your files, and this is why we are firm advocators for using file protection as part of your cyber security strategy. That way, hackers can’t access the data from your files once you’ve been breached, therefore protecting the data stored within them.
To get automatic file and email encryption for small businesses using Microsoft’s Azure Information Protection, click the image below to get half off our course on udemy:
As IT guys, it’s very easy to blame users for data breaches but it’s not always just their fault. Sometimes, data breaches aren’t users’ fault.
Sure, they need to update their passwords, stop giving things out and clicking on the suspicious email links. But, the buck stops with you as their IT professional. We thought these statistics from the IS Decisions’ research into IT Security managers in both the UK and US were very enlightening.
It shows that, compromised credentials are one of the main causes of data breaches and we must remember our users are human! It’s up to us to help limit the risk by:
Forcing users to frequently change their password – even if they hate us for it
Making sure policy dictates a different password for each program or part of the system
To give regular training on Phishing or data security that affects them – and stop assuming they will know something is off when they see it
To be approachable so that any issues are quickly reported
Doing these small things can make a big difference in data security and protection to minimise the risk of a breach due to compromised credentials. Here is the infographic and statistics below with some interesting results:
*This article originally appeared here on LinkedIn* How Easy It Is To Steal Your Outlook & 365 Password
During a penetration testing project, I was working on finding the weak spots in the IT system of the company and finding the best solutions to patch them up.
The client had most of the traditional security solutions such as firewalls and external penetration was not useful / efficient.
But when we did an internal penetration test I saw something very disturbing in the way that Outlook works, and how due to poor design in Outlook’s security warning it’s easy to obtain a user’s password.
The same method allowed us to obtain outlook password outside the company perimeter as well.
It’s quite easy to steal your Outlook & 365 password.
· Windows 7 Pro computers
o Tested on Windows 10 Pro as well
· Outlook 2016 connected to Microsoft 365
o Tested on outlook 2013 connected to Microsoft 365 as well
We used a classic “Men in the Middle Attack” between the client and the gateway, see Diagram 1.
Outlook’s behavior was very problematic,
Once we started poising the ARP the following Prompt, (See prompt 1) was shown to the user:
The advanced users who decided to push the “View Certificate” have seen the following screen,(prompt 2.)
The “injected certificate” is an outlook.com which is not trusted but to most users outlook.com is “good enough”
Most of the users didn’t give this small prompt a lot of thought and pressed YES to proceed:
This caused outlook to send information on a non-encrypted method and any sniffing tool instantly showed us the Outlook password(Which is also the main active directory computer/domain login)
This exercise was done within the company network, later we decided to follow one of the users to a meeting at a coffee shop where is connected to a public WIFI which we have also joined, and we managed to do the same process outside the company perimeter.
1. Outlook’s security prompt is very small, hardly noticeable, none alarming and doesn’t deliver the severity of the issue
Compare it with the prompt the Google Chrome provides when you try to send information at a non-encrypted method – the Google Chrome is “Scary” and makes the users stop and think
2. Most of the users don’t understand the security prompt at all
3. Most of the users will automatically press yes on this prompt to continue working
Is it a user behavior error – No! – the security prompt is poorly showed that only IT users are expected to understand the severity
Resolving the issue:
1. We implemented a GPO settings that doesn’t allow outlook to work on non-secure layer at all
2. We did user awareness cyber security training to show to the users how risky this little prompt is.
3. We reported this vulnerability was reported to Microsoft – Microsoft responded that it isn’t a real vulnerability because the user gets a prompt!, i think the prompt itself is not designed correctly and allows a big room for user error.
How to protect your outlook against this type of attack:
Let us start with a reality check – passwords get hacked and stolen all the time, this is a fact! So proactively protecting yourself from password hacking is a must!
Passwords are compromised when they are “hacked” by professional hackers, or exposed through careless user behavior, and even discovered by “password guessing”, which uses information readily available in social media and other sources, things like birthdays, names of children and relatives, pets, school names and so on.
Even if you are a careful and responsible user, choosing only secure and smart passwords, you can be under threat from a penetration from the server side, which is totally outside you control.
You need a password anyway – so choose it wisely:
Create a password which is not connected to yourself in any direct way. For example, you can always choose something suitable for the moment, or chose an object that is right in front of you
Create a smart password that includes letters, numbers and at least one complex symbol
Create different passwords for different sensitive accounts, for example – different and non-connected passwords for your bank, Facebook or eBay accounts, so that if one of the password is compromised, other accounts still remain protected.
You should be especially careful when working with systems that can cause significant financial damage, like banks, PayPal, etc
How can you protect yourself ?
You cannot depend just on your password, you also should use an additional authentication method:
Two-Form Authentication is based on the principle of using two verification stages in order to access the system:
Additional verification key, such as text message or a mobile app
Accessing a secure system must necessitate verification by both methods simultaneously, so that even if the password is lost or stolen, and comes into possession of an unauthorized persons, it will not be possible to access the system without the additional verification.
The Way It Works:
It can be seen using the example of Gmail: if you have a enabled a two-form verification function for your Gmail account, you will be required to type in your password, and straight after that to input a code that will be sent to your mobile phone by text message.
Why It Works:
Two-Form Authentication raises the level of verification for your personal identity and makes it much harder for a stranger to hack your account
In most cases, two-form authentication is based on using your mobile phone, utilizing text messages or dedicated applications.
Mobile phones and the text messaging tools are usually the more secure of most personal computer systems. They are very difficult for most hackers to be able to penetrate them, most of them just do not have the tools for that
Your mobile phone, together with its text messaging ability, is usually in your direct and personal possession, ensuring that an additional verification code will be delivered to you personally, checking your identity in order to be sure that you are the person trying to access the account
This way a two-form authentication system ensures that you are the person typing in the password, and not a wrongdoer.
Two-Form Authentication – two barriers for the hacker:
Two-form authentication forces the hacker to try and penetrate two defence barriers simultaneously. This makes the penetration process extremely difficult, and in most cases this will be enough to deter the wrongdoer from even trying.
Activating it – for a private user:
These days, most popular websites and applications, such as Gmail, Facebook and Dropbox, are equipped with integral built-in two-form authentication capability, you just need to activate it.
These days a business user cannot have any excuses for not securing his system, as the two-form authentication can be integrated in almost any business or office system.
Now it is possible to implement two-form authentication even for SSO (Single Sign On) systems, and obtain the management and security capabilities of Active Directory environment together with the protection given by two-form authentication.
Here is the list of business services that have the capability for integrating two-form authentication:
Active Directory (for accessing the operating system)
Outlook Web Access
All the AZURE/365 products, provided by Microsoft, have the capability for integrated two-form authentication solution
FORTINET offers integrated two-form authentication in most of its products, through the easy and effective use of their cloud network, which serves as a verifying tool, without a need to integrate a RADIUS server
Below you can see our demo clip for Secure Envoy application that enables 2FA in the full AD environment, describing access to a computer, terminal server and OWA
You’ll learn: The main vulnerabilities of a home or small office – including what to look for and how to combat them. Understand cyber security threats and what they look like at home. How you can make sure you’re GDPR compliant at home! How to protect yourself in the event of a breach
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.