Good News!

Researchers have discovered the biggest security threat to your online activities.

Bad news: it’s you.

When they think about ‘hackers’, most people imagine Igor in Russia, banging away at his keyboard and trying to guess what their password might be. The reality is very different. When you first sign up to a website, you’re asked to make up a password. The password you type in is turned into a unique number (a ‘hashed password’) which the website stores. Next time you log in, the same process happens and, if the two numbers match, the website knows you’ve typed in the correct password.

Most ‘hacks’ involve someone sneaking into a major company’s computers and stealing the entire database of customers’ detail, such as the three billion customers whose details were stolen from Yahoo in 2013. Those details “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers”, according to news articles at the time.

Hackers have computers running round the clock, typing in random passwords and listing the numbers they equate to, so that it’s possible to produce a list of the numbers and the corresponding words. In fact, even Wikipedia has a list of the top 10000 passwords. Particularly worrying is the fact that 91 per cent of all passwords used are in the top 1000 positions on that list.

So why does it matter?

These days, personal information is valuable: it allows you to prove you are who you say you are for banking, shopping, and all manner of transactions. So imagine the fun the crooks could have with the information stolen from Yahoo, which “may have included” everything you need to convince almost anyone that they were you, right down to your grandmother’s maiden name and the name of your first pet!

I’m regularly called out to help people who’ve been hacked or just forgotten their passwords. The phrase I hear most often is ‘I usually use…’ followed by a six-letter word and maybe a number. It’s the password they use everywhere. The world would be a simple place if we had one key that opened our car, house, shed, business, garage… Of course, if someone were to steal that key, suddenly you’ve lost everything. And yet three-quarters of the customers I visit use the same password or two on every website.

If someone breaks in to your email – and, in case you didn’t know, Yahoo ran BT email for years and in some cases still does – they can find out the banks you use, the companies you deal with, even what you’ve ordered recently. Your Amazon account reveals your postal address, phone numbers, email address and the expiry date and last digits of your credit cards. From your email, they can find out the banks and credit cards you deal with.

Put all this information together and it’s very easy to ring someone and pretend to be a bank with an urgent query – someone’s trying to break into your account and you must take immediate action – and relieve you of your hard-earned cash.

I’ll be talking about passwords and the like in more detail soon but, for now, it’s time for some homework. I’d recommend getting an old-fashioned address book – the one with A to Z tabs down the side. Grab all those post-its and bits of paper you’ve got in that pile and start writing them in the book. G – Gmail, Write down the password you use, in pencil so that you can change it easily, and the date you changed it last (or an educated guess).

When you’ve done that, we’ll have another look at passwords: what makes a good one, how to change them, how to massively improve your security, and other ways to avoid forgetting them in the first place.

This entry was posted in Security. Bookmark the permalink. Both comments and trackbacks are currently closed.