The Ultimate Guide to Password Security
Security for Everyone
As digitalization accelerates, the services provided by states, organizations and companies are increasingly being moved online. We can now easily carry out our banking transactions through the mobile applications we download to our phones. We can follow the news and get information about the weather, traffic and stock markets. We can also watch movies and TV series, listen to music and play games over the internet.
The platforms that provide these opportunities are personal, so an account must be created. For example, platforms generally use a person's e-mail address and a password for verification so that the person can access his or her social media account and carry out transactions. At this point, the password is what proves that the account belongs to you. Passwords are one of the main things cyber attackers try to exploit today. For this reason, ensuring password security is becoming increasingly difficult for everyone who uses information technologies.
There are best practices for how platforms should store passwords, but a user has no way to determine whether a platform follows them. Platforms must keep their members' usernames and passwords in a database in order to verify them. To avoid exposing every user's password if they suffer a cyber attack, platforms use one-way mathematical functions called hashes: the hash of the password is stored instead of the password itself, and someone who obtains this data cannot directly reverse it to recover the password. To verify a user, the platform calculates the hash of the submitted password and compares it with the value in the database. Users cannot know whether a platform uses this secure storage method, and cyber attackers have many other methods for obtaining user passwords. For this reason, the first precaution end users can take is:
Use different passwords for each platform.
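The storage method described above, as an added example that is not part of the original article: a platform stores a salted, deliberately slow one-way hash of each password and later verifies a login attempt by recomputing it. It uses only the Python standard library (PBKDF2-HMAC-SHA256 via hashlib); the user passwords are constructed demo values.

```python
# Added example: salted password hashing and verification as a platform would
# do it, so that a stolen database does not reveal the passwords themselves.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # work factor; raise over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn for every call unless one is supplied, so two
    users with the same password end up with different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed demo: two users who chose the same password.
alice_record = hash_password("Tr0ub4dor&3!xyz")
bob_record = hash_password("Tr0ub4dor&3!xyz")

if __name__ == "__main__":
    print("alice:", alice_record)
    print("bob:  ", bob_record)
    print("login ok:", verify_password("Tr0ub4dor&3!xyz", alice_record))
    print("wrong pw:", verify_password("Tr0ub4dor&3!abc", alice_record))
```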
Another method cyber attackers use to obtain users' passwords is the brute-force or wordlist method. Here the attacker tries to find the password of an account whose username is already known. Since many platforms today require extra verification after a certain number of failed attempts, attackers try to guess likely passwords rather than trying every possible combination. For this reason, end users need to take the following precaution:
Don't use guessable passwords.
For example, your password should not contain predictable information such as the name of a loved one, your pet's name or your school number. Instead, using long and complex combinations is the soundest method. It is recommended that passwords contain at least one lowercase letter, at least one uppercase letter, at least one number and at least one special (non-alphanumeric) character, and be at least 12 characters long. However, remembering a different complex password for each platform is a problem for end users. To solve this problem, the precaution end users should take is as follows:
Use a password manager.
Applications designed specifically to store passwords can protect all your other passwords behind a single master password. With browser add-ons, they can fill in login forms automatically. In this way, you can create complex passwords and ensure your password security without having to remember them.
Another method cyber attackers use to obtain users' passwords is a Man-in-the-Middle attack. Although there are many techniques for carrying it out, the attacker's main purpose is to position themselves between the user and the platform and monitor the data traffic. In this way, they can extract the username and password from that traffic. The first precaution against this attack is:
Do not use unsecured internet protocols.
Nowadays there is a method that encrypts communication between the user and the platform. Using SSL-TLS, platforms can encrypt the traffic they exchange with their users. When you connect to a platform that provides this protection, a lock sign appears next to the address bar in your browser. In a Man-in-the-Middle attack against a platform that uses SSL-TLS, the user does not see the lock sign, because the intermediary would need a certificate issued by a trusted authority for that platform's name, and the browser reports that the certificate cannot be verified. For this reason, another precaution to take is:
If the browser reports that the SSL-TLS certificate cannot be verified, terminate the connection immediately.
Not seeing the lock sign on a platform that normally shows it is one of the indicators that you are being subjected to a cyber attack.
Another method cyber attackers use to obtain users' passwords is phishing. In this attack method, cyber attackers use social engineering to get users to click on fake links they have created. This method has more than one technique: in some cases they direct the user to a fake login panel and ask them to enter a password, and in other cases they capture the login information of a platform the user is already logged in to as soon as the link is clicked, without needing to ask. The precaution end users need to take to avoid such attacks is very simple:
Do not click on any link that you are not sure is legitimate.
In addition to all this, there is a security measure for accessing accounts that prevents anyone from getting into your account even if your password is known to them:
Use two-factor authentication.
This method is not supported by every platform, but we recommend using it on every platform that does support it. It adds a further layer of security by requiring a different verification technique after the username and password have been checked. For example, after you type your username and password to log in to your account, you will be asked to enter a numerical code sent by the platform via SMS as an additional verification step.
It is common for cyber attackers to use social engineering to get the security code from users, deceiving them with claims such as "Your account has been compromised, tell us the code we sent to verify your identity." Therefore:
Do not share the security code with anyone.
In such cases, immediately hang up the phone and call the known number of your bank or the relevant platform to confirm the situation. However, no matter what - even if you are called from your bank's number - do not share your security code or password with the person calling you.
Secure password use matters not only for accessing platforms but also for applications you manage yourself. Internet-facing products are often installed with a default username and password that the user is expected to change. In practice, however, it is very common to find on-prem applications still using the default username and password, and cyber attackers try the default credentials first when attacking these applications. For this reason, another precaution to take is:
Do not use the default username and password.
One step of the vulnerability analysis provided by the Securityforeveryone platform checks whether the default username and password are still in use in your applications. To check the security of your digital assets, become a member of S4E today and protect yourself from cyber attacks.
In conclusion, secure password use is becoming more important for end users every day, as cyber attackers keep finding new ways to take over accounts. Digital opportunities grow day by day, but so does the damage the risks can cause. By applying the precautions above, you can use passwords safely and protect yourself from these destructive effects.