Tag: basic security

Security warning over data.gov.uk – time to change your password!

Have a data.uk.gov account? You should probably change your password.

The site that people can search for data published by the government has discovered, after a data security review, that some usernames and passwords were placed on a publicly accessible resource.

Following quote is taken from the BBC site: (http://www.bbc.co.uk/news/technology-40443601)

A GDS spokeswoman told the BBC that the breach had affected only data.gov.uk accounts, and people with separate accounts for other government websites were not affected.

She said only email addresses, usernames and hashed passwords were implicated, rather than personal information such as names and addresses.

Hashed passwords are not massively secure, but certainly more secure than clear text passwords. It all depends on the algorithm that is used. But the BBC site also reports that users will need to change their passwords next time they login.

The Computer Saint would also advise changing your password, if the same, on any other services. So if you login with the same details to Yahoo, Google, Hotmail, etc then you should change your password.

You should also keep an eye for fraudulent emails, if you suspect an email is fraudulent then you should contact the website in question and not via the email you’ve just got. Go to the actual website via a browser.

Passwords: Strong and weak. How to choose a strong password?

What is a weak password?

It seems obvious, but a weak password can be 1 word, or even 2 words. It could be a password that is your mother’s maiden name or something equally personal to you. For example, in the film War Games the password for a massive government machine was “Joshua” who was the son of the inventor of said machine. In the film, it’s fair to the inventor that he didn’t know the machine had been plugged into the Internet or was even being used.

If you used your wife’s name as a password, this is information anyone could ask you and just try to login any account. Email account, online storage, bank account, they don’t need to be at your computer. They can simply be at their own computer.

Don’t choose a password that is obviously personal to you and don’t use 1 word from the dictionary!

What is a strong password? And Methods for choosing a strong password

For this you need to understand there are 2 main ways to get around password security that are easy: Guess the password if this is someone you specifically know or targeting to get into their email account or some other account.

The other method for getting into a system is a brute force attack, this is where a system will have a list of words (from a dictionary) and then it will try each word in turn, so if your password is “Zoo” then it’ll take a while but you will lose your account security.

There are more advanced tools that hackers and crackers can use to break account security, so even by using 2 words like “ZooApocolypse” is better, still bad practice.

A strong password is something that can’t be guessed as it might look like a word, but it might not be a word. For example: “pa55word” looks like password (don’t use this as it’s a common password) but maybe take your wife name: Sophie and replace the letters with numbers, so “5oph13”

But it’s still just numbers and letters. To be sure no-one will guess your password you want to make it longer and adding some symbols. Maybe add another word onto the password, maybe your favourite kitchen appliance so “5oph!3Bl3nd3r”

I’ve added in an exclamation mark; this is to throw off any of the more advanced password creation and guess tools hackers have access to. With the more complex password, the more time it would take for an attacker to gain access to your system and if it is a secure enough password they’ll probably give up.

It’s best to add in a few symbols if your password allows it as well as numbers. If your passwords require to be changed every 30 days, 6 months etc, you could suffix or prefix your password with a number and increment or decrement that number in the password each time you need to change it, although this can be bad security practice only to do this. Maybe add an additional 16 to the number each time. This way you know the increment and it isn’t just a 1. It’s still best to change your password entirely however.

You should always change your passwords to each system you log into on a periodic basis, whether it be social media, email or an important company server with sensitive details, at the least every 6 months is a good plan.

Security questions

A lot of websites require security questions, such as “what town were you born in?” or “what was the name of your first pet?” These are good second stage security, after the password login, as they give that little extra security. This 2nd stage of security is good; however, you need to be aware of people that do and don’t know the information who are trying to access your system. A while ago there was stories of people who had their Hotmail accounts broken into as they had met some random person on the internet chat room. They then gave out information that Hotmail asks as a “recover account” option and this way the attacker could break into the account, with this they could send spam to your entire contact list and it appears the attacker was being a new friend, asking questions that made him or her seem interested in you.

The lesson here is you need to be careful of new friends especially and don’t give them too much information.

 

Disclaimer: This document isn’t a solution to password security. This advice is about how to better understand the risks and how to mitigate them. There will always be people / organisations who want to steal your data and break into certain systems. You must think of the possible security risks and mitigate these. From this series of security blog notices you’ll learn that there are more.

If you require security services, please contact us at sales@thecomputersaint.com