Arraya Insights | October 22, 2014
Earlier this month you may have heard the sound of millions of Dropbox users sighing in relief at the news that the popular file back-up and sharing site hadn’t become the latest victim of looting hackers.
Hackers posted online that they’d gotten ahold of the user credentials of seven million Dropbox users. The more Bitcoins that were donated to the hackers, the more log-ins they promised to make public.
This was definitely not music to Dropbox’s ears and after a little investigating of its own, it was able to emphatically state that it hadn’t been hacked and that users’ personal files were safe. Apparently the credentials that were being posted had been swiped during attacks on unrelated services and sites. Hackers were spreading the stolen info around so that it could be used to attempt to log in to multiple sites – including Dropbox – just to see if anything worked.
Dropbox assured users it had protections in place to detect suspicious log-in activity and automatically change passwords if necessary. It also directed users to enable two-step verification to further defend accounts against attacks.
It’s good news for Dropbox that its servers weren’t hacked, but that doesn’t change the fact that nearly seven million credentials are still floating around out there, potentially giving cyber crooks access to an untold number of sites.
Tough to crack
Basically, the hackers in this case were counting on people breaking one of the cardinal rules of password safety: Don’t use the same one for multiple sites. That’s right there under using “password” as your password on the list of security never-dos.
What better time than National Cyber Security Awareness Month to share these six other tips you can share with users to help them create more secure passwords?
- Avoid predictable patterns. Research done for the Federal Defense Advanced Research Projects Agency (DARPA) at an unnamed Fortune 500 company found that nearly half of all users relied on one of five patterns for their passwords. The three most common patterns were:
  - One upper case, then 5 lower case, then 2 digits
  - One upper case, then 6 lower case, then 2 digits
  - One upper case, then 3 lower case, then 4 digits
- Beware of personal info. Using the name of a favorite sports team as a password may make the password easier to remember, but it can also make it easier to guess or hack. For example, if your desk is covered in team pennants and banners or your Facebook picture is you decked out in team merchandise, sports team seems like a pretty good place to start guessing.
- Steer clear of real words. Certain password-cracking tools will guess their way through lists of known words. Inserting numbers or special characters in the middle of words is a good way to throw off those types of tools.
- The longer, the better. Longer passwords can make a hacker’s job difficult and, depending on the type of the attack and length of the password, it may not even be worth the hacker’s time to try. Most sites have a minimum requirement for password length, but it’s always a good idea to go a few characters beyond what’s needed, just in case.
- Keep it random (or close to it). Computers are pretty good at picking out patterns. This includes numerical patterns which resemble dates. Research has shown patterns like day/month combos are particularly easy for crooks to break. Rather than tacking numbers on at the end of a password, sprinkle them throughout it to make it harder to break.
- Use a password manager. There are plenty of reputable programs which will secure and encrypt your list of passwords. Having a program that will remember passwords for them can make users more bold and adventurous – and therefore harder to hack – when it comes to password selection. Instead of having to remember dozens and dozens of separate passwords, you only have to remember the password for your password manager.
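As an added illustration (not part of the original Arraya post), here is a small checker that flags a candidate password against the tips above: the three DARPA patterns, length, dictionary words, date-like digit runs, and digits tacked on only at the end. The word list is a constructed stand-in for a real dictionary, and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed stand-in for a real dictionary / common-password list (assumption).
COMMON_WORDS = {"password", "eagles", "phillies", "dropbox", "welcome", "summer"}

# The three most common patterns from the DARPA study cited above:
# one upper case, then 5/6/3 lower case, then 2/2/4 digits.
PREDICTABLE_PATTERNS = [
    re.compile(r"^[A-Z][a-z]{5}\d{2}$"),
    re.compile(r"^[A-Z][a-z]{6}\d{2}$"),
    re.compile(r"^[A-Z][a-z]{3}\d{4}$"),
]

# Four-digit runs that read as day+month (DDMM) or as a 19xx/20xx year.
DATE_LIKE = re.compile(r"(?:0[1-9]|[12]\d|3[01])(?:0[1-9]|1[0-2])|(?:19|20)\d{2}")


def password_findings(pw: str, min_length: int = 12) -> list[str]:
    """Return a list of policy findings for pw; an empty list means no tip was violated."""
    findings = []
    if len(pw) < min_length:
        findings.append("too short")
    if any(p.match(pw) for p in PREDICTABLE_PATTERNS):
        findings.append("predictable pattern")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        findings.append("dictionary word")
    if DATE_LIKE.search(pw):
        findings.append("date-like digits")
    trailing = re.search(r"\d+$", pw)
    # Digits only at the end, with none sprinkled earlier in the password.
    if trailing and not re.search(r"\d", pw[: trailing.start()]):
        findings.append("digits only at end")
    return findings


if __name__ == "__main__":
    for candidate in ("Eagles14", "Phillies2008", "r7Tq!k9Lm2#vX"):
        print(candidate, "->", password_findings(candidate) or "ok")
```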
To celebrate National Cyber Security Awareness Month, Arraya will be posting a series of tips you can pass along to users in order to ensure your company’s data stays safe. In part one of this series, Arraya reviewed email best practices.
Be sure to check back soon for more National Cyber Security Awareness Month tips.