
Cybersecurity: why ‘Password1’ is asking for trouble

Business · 6 min read


As more and more sensitive data is stored online, the threat of cybercrime grows more significant each year. 

Chin Kiat Chim, Chief Information Security Officer, DHL says, “Much like a tornado or a hurricane, there is really little you can do to completely stop cyberattacks – cybercrime has become much too complex. What you can do is prepare.”

Passwords are critical gatekeepers to our digital lives, allowing us to access online banking, email and social media, yet the majority of passwords are vulnerable to hacking. 

Chim advises, “Information security specialists should learn as much as they can about a company’s business strategy and pain points. The chances are good that robust cybersecurity can protect operations that are critical to your business or prevent pain points from worsening should there be a cyberattack.”

Chim warns that whilst the threat of an earthquake and its potential consequences are easy to visualize, the impact of a cyberattack can be abstract. He says, “By framing the argument for increased cyber resilience as an enabler of business continuity – dispelling the perception of expensive guard dogs standing watch over a company’s servers – the shift from ‘reactive’ to ‘proactive’ cyber defense becomes an easier sell.”

A gathering cloud

Cloud computing continues to transform how organizations store and share data. It has also introduced a host of new security threats and challenges.

Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups expose cloud models to malicious attacks. Contrary to what many might think, the main responsibility for protecting corporate data in the cloud lies not with the service provider, but with the cloud customer.

Jay Heiser, Vice President and Cloud Security Lead at Gartner, Inc., says, “Enterprises are learning that huge amounts of time spent trying to figure out if any particular cloud service provider is ‘secure’ or not, has virtually no payback.”

To provide organizations with an up-to-date understanding of cloud security concerns, the Cloud Security Alliance (CSA) has created its latest report: Top Threats to Cloud Computing Plus: Industry Insights.


When designing any server system, a simple architecture is easier to secure than a complicated one. The more complicated your server layout, the more difficult it is to secure. Always subscribe to the security mailing list for your setup and make sure that you prioritize patching servers as security vulnerabilities are announced. The more homogeneous your system environment, the easier it will be to keep up with different versions of software.

Make hacking low probability

Ensure that your web server is capable of running Secure Sockets Layer (SSL), as this is now the standard technology for keeping an internet connection secure, using Hypertext Transfer Protocol Secure (HTTPS) connections. This protects data sent between two systems, preventing criminals from reading and modifying any information transferred, including potential personal details.

To prepare a web server to accept HTTPS connections, the administrator must create a public key certificate for the web server. Web browsers are generally distributed with a list of signing certificates from major certificate authorities, so that they can verify certificates signed by them.


To increase personal security, create a secure password

To reduce the chance of letting your cyber defences down, make sure you follow these four basic password tips:

  1. Don’t use obvious words like your name, your home town or date of birth. 

  2. Don't pick a short password. Many companies require passwords to include a minimum of eight characters.

  3. Ensure that you use a variety of lowercase letters, uppercase letters, numbers, and symbols. Remember, you can also use spaces.

  4. Don’t use the same password everywhere. If someone gets hold of your password for one account, they can then gain access to all your accounts.

To strengthen a password, you could use a longer phrase instead. For example, think of a favorite song – choose a lengthy phrase, so that you can use at least eight characters – and then take the first letter from each word in the phrase. You can further 'complexify' it by swapping 'A's for '4's and 'E's for '3's etc. You'll end up with something that’s much harder to crack, because it won't follow any common password ‘rules’.

“By keeping the business in focus – and not just the jargon-heavy world of cybersecurity – information security officers can build trust with business stakeholders, and make cybersecurity an integrated part of any business that extends far beyond regular reminders to change a password.”

Password 2.0: facial recognition software

Amongst other devices, the iPhone X now features Face ID – Apple's most recent step toward making passcode sign-in as convenient as possible – which looks set to supersede fingerprint recognition for device and mobile payment authentication. Touch ID is an active process, requiring you to physically touch a sensor, but Face ID is passive – you only have to glance at the phone, for maximum simplicity. The system uses Apple's machine learning algorithms and ‘neural engine’ hardware, which analyzes and recognizes your face. This includes keeping up to date with changing appearances, such as if you grow a beard, or wear sunglasses – the infrared light can actually see through sunglasses to detect your gaze, and the system will still recognize you if enough data points match.

Be a hard Phish to catch

The best way to spot a phishing scheme is to tune in your instincts and emotions as you read your messages. If you weren’t expecting an email from someone, or if you were, but their tone feels wrong, or they’re sending you an email when they usually send a Facebook message … if anything at all seems even slightly unusual, check with the alleged sender on another platform to confirm that they actually reached out.

Crane Hassold, a threat intelligence manager at the security firm PhishLabs, who previously worked as a digital behavior analyst for the FBI, says, “The thing I find fascinating about phishing is it’s really exploiting a very primal part of human behavior. It’s all about curiosity, trust and fear. Those qualities are really hardwired into humans, so a lot of protection against phishing has to do with conditioning yourself to look out for things that could be a red flag.”

Make sure you enable multifactor authentication – a second password sent to another mobile device that has to be entered each time you log in – on every account that offers it. Set up a password manager to keep track of unique, robust passwords to help avoid security breaches.

A computer can crack ‘Password1’ almost instantly. For a secure password try this simple method.

1: Pick three words at random, e.g. ‘spoon’, ‘rat’, ‘blue’

2: Choose a date that’s easy to remember, e.g. ‘2020’

3: Put the words together, e.g. ‘spoonratblue’. You can test the strength of this example using this free online password check tool*. Supposedly, it would take a computer about two years to crack this one.

4: Split the date and place at the beginning and the end, e.g. ‘20spoonratblue20’. It would take about six million years to crack this one.

5: Capitalise a letter in each word, e.g. ‘20SpoonRatBlue20’. It would take about 38 billion years to bust this code.

6: Add two special characters to the end, e.g. ‘20SpoonRatBlue20!!’. It would take a computer about seven quadrillion years to crack this password.

*HowSecureIsMyPassword.net carries the following disclaimer. “This site is for educational use. Due to limitations of the technology involved, the results cannot always be accurate. Your password will not be sent over the internet.” Discover.DHL.com cannot be held responsible for any cybersecurity breaches that may occur due to the use of HowSecureIsMyPassword.net.
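The six-step method above and the song-lyric method from the earlier section, as an added example that is not part of the article: a keyspace-based estimate of the kind the online checker produces, run over each step, preceded by the check that actually sinks ‘Password1’ (a lookup against a list of common passwords). The guessing rate, the threshold and the blocklist excerpt are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: estimate brute-force time for each step of the article's
# method, but check a common-password list first. Rate of 1e10 guesses per
# second is an assumption; real speed depends on the hash and the hardware.

# Constructed excerpt of a common-password list; use a full breach corpus in practice.
COMMON_PASSWORDS='password
password1
123456
qwerty
letmein'
GUESSES_PER_SECOND=10000000000

# Size of the smallest standard alphabet that covers every character in $1.
charset_size() {
    size=0
    case $1 in *[a-z]*) size=$((size + 26)) ;; esac
    case $1 in *[A-Z]*) size=$((size + 26)) ;; esac
    case $1 in *[0-9]*) size=$((size + 10)) ;; esac
    case $1 in *[!A-Za-z0-9]*) size=$((size + 33)) ;; esac   # symbols and space
    echo "$size"
}

# Years of brute force at the assumed rate; 0 when the password is on the
# blocklist, because a wordlist attack finds it long before brute force starts.
crack_years() {
    if printf '%s\n' "$COMMON_PASSWORDS" | grep -qixF -- "$1"; then
        echo 0
        return
    fi
    awk -v n="$(charset_size "$1")" -v len="${#1}" -v rate="$GUESSES_PER_SECOND" \
        'BEGIN { printf "%.3g\n", n ^ len / rate / (365 * 24 * 3600) }'
}

# The article's song-lyric method: first letter of each word, then A->4, E->3.
phrase_password() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) printf "%s", substr($i, 1, 1); print "" }' |
        tr 'AaEe' '4433'
}

# 'Password1' is rejected outright; the remaining rows are the article's steps 3 to 6.
for pw in 'Password1' 'spoonratblue' '20spoonratblue20' '20SpoonRatBlue20' '20SpoonRatBlue20!!'; do
    printf '%-20s charset=%-3s years=%s\n' "$pw" "$(charset_size "$pw")" "$(crack_years "$pw")"
done
phrase_password 'twinkle twinkle little star how I wonder what you are'
```

The year figures grow with each step exactly as the article describes, but note that ‘Password1’ gets zero despite its 62-character alphabet: a blocklisted password is lost on the attacker's first wordlist pass, whatever its length.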


Chin Kiat Chim, Chief Information Security Officer, DHL