In another life I was a computer security consultant. It’s a funny world, computer security. It revolves around manipulating people’s (people here being non-technical managerial types) fear, uncertainty and doubt, also known as FUD.
What FUD campaigns do in the case of computer security is make managers question whether the security measures they have taken are enough. You have a firewall? Oh that’s great, but it won’t protect you from intrusions. You need an intrusion detection system. You have an intrusion detection system? Yeah but does it save you from zero day attacks? And so on it goes. Always with one intent. To sell more product.
Meanwhile the basics are ignored. How do most viruses get on PCs? From free downloads usually. These days computing operating systems are quite secure. Most people have some kind of personal security on their home PC and their internet router usually also has protection. So the easiest way for those strange people who get off on creating and distributing viruses to get one on your system is for you to invite them onto your system.
The other big basic that is ignored on a regular basis is passwords. You may have encountered it when you try to create a password for some sites where they have password policies in place. You try to put in your basic password (like your cat’s name) and it tells you you need to add uppercase and lowercase characters, special characters and numbers.
Recently the adultery site Ashley Madison was hacked. The most common passwords have been revealed. They are ridiculously simple. The top ones are “123456”, “password” and “qwerty”. These are ridiculously easy for a hacker to crack.
It seems rather strange to me. If you’re on an adultery website, surely you’re going to want to keep your account a secret. I guess it’s a case of “it will never happen to me”. Clearly when it comes to high profile websites these days, that is not a good way to be thinking.
I don’t know the motivation for the hacking attack. Was it a moral crusade by some hackers or was it ego driven? Proving that they could. It doesn’t really matter. The lesson to be taken from the incident is that you need a secure password.
Ideally a passphrase is a better idea than a password. The reason being that most password cracking tools work on brute-force dictionary attacks. This is where the program runs through a word list to try to guess your password. Clearly “password” is not going to last long.
A passphrase is something like “ILoveToEatNoodles”. You can add complexity to that by substituting numbers for letters – “1L0veT03atN00dl3s”. If you need to, further complexity can be added by using special characters as well – “[email protected]tN()()dl3s”.
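Here is an added example (not from the original post) of the kind of check a signup form could run on the passwords discussed above: it rejects anything on a short constructed list of the most common leaked passwords, undoes the number-for-letter substitutions described above before comparing (so “P@ssw0rd” is still caught as “password”), and estimates the brute-force search space so that the extra length of a passphrase is counted. The list, the substitution map and the 60-bit threshold are assumptions for illustration.

```python
import math
import string

# Constructed sample of common leaked passwords; the post names
# "123456", "password" and "qwerty" as the top Ashley Madison entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "abc123", "letmein"}

# Hypothetical reverse of the "numbers/symbols for letters" substitutions
# the post describes; it is a lossy heuristic, not an exact inverse.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "@": "a",
                          "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case and undo substitutions ('()' is read as a stylised 'o')."""
    return pw.replace("()", "o").translate(LEET_MAP).lower()


def keyspace_bits(pw: str) -> float:
    """log2 of the naive brute-force search space: alphabet size ** length."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def assess(pw: str) -> dict:
    """Check both the raw and the de-substituted form against the common list,
    then fall back to a brute-force size estimate."""
    in_list = pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS
    bits = keyspace_bits(pw)
    if in_list:
        verdict = "reject: matches a common password (even after undoing substitutions)"
    elif bits < 60:  # assumed threshold for a naive brute-force search
        verdict = "weak"
    else:
        verdict = "ok"
    return {"in_common_list": in_list, "keyspace_bits": round(bits, 1), "verdict": verdict}


if __name__ == "__main__":
    for pw in ["123456", "password", "P@ssw0rd", "ILoveToEatNoodles", "1L0veT03atN00dl3s"]:
        print(pw, assess(pw))
```

Note that the substitution trick only helps once the base string is not a single dictionary word: the passphrase passes on length alone, while a substituted “password” is still rejected.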
Whatever you do, take away a principle from this. If your data is important to you; if it will be disastrous for your account to be hacked, protect it. As the Ashley Madison hack showed, the “it won’t happen to me” strategy is not a winning strategy.