Weak Passwords – Cybersecurity

Too Easy, Too Weak: Password Patterns Still Concerning

Weak password security is one of the main contributing factors to the current wave of cybercrimes sweeping the world. Despite repeated warnings from industry experts to choose more complex passwords, many users still fail to follow this advice.

Recent research shows that internet users continue to opt for passwords that are easy to guess or crack, leaving the door wide open to cyberattacks. Let’s take a closer look at this phenomenon and find out what organisations can do to strengthen their security.

Why are we still using simple passwords?

For many years, cybersecurity experts have been sounding the alarm about simplistic passwords that are far too easy to guess. Passwords like “12345”, variations on the word “password”, or even the user’s own name are still frequently chosen, despite the widely publicised dangers of doing so.

In fact, 2023 saw South Africans choose the password “admin” most frequently of all.

While some experts blame users for being lax or unoriginal, there is a possible psychological explanation for the simple passwords we choose: we believe that if we came up with them, they must be unique and impossible to guess.

This human tendency to overestimate our own ability at certain tasks is known as the Dunning-Kruger effect, a well-documented psychological phenomenon.

This effect applies to everything from our perceived ability to drive at high speeds, our competence at work, and even our attractiveness or social skills. Password creation is yet another area where we often think we are better than we really are.

Best practices for password creation

Unfortunately, cybercriminals are much better at guessing or decoding our passwords than we are at creating them.

To avoid this and secure crucial business data, team members in every organisation should be trained to apply best practices for password creation, which include:

  • Using a password length of at least eight characters: Longer passwords are harder to guess and cannot be easily cracked by automated password-cracking software.
  • Including numerals and special characters: This adds complexity to passwords, making them far less likely to be compromised.
  • Avoiding personal information: Don’t choose words related to your daily life, such as hobbies, interests, or your workplace. Cybercriminals carrying out social engineering attacks may have already researched these aspects of your life and could use them to crack your password.

Password security and secure cloud storage – key aspects of every cyber defence strategy

A strong password adds an extra layer of security to your data, especially as cyberattacks and ransomware incidents become more frequent, costing businesses millions of rand each week.

In addition to strong passwords, secure cloud storage featuring encryption technology has become a non-negotiable element of every effective cybersecurity strategy.

To learn more about these technologies and how they can benefit your company’s online security, visit our product page today.

Default Passwords | Password Security

Don’t default on your commitment to password security

What’s the one thing you must do to protect your cybersecurity, even though you hate doing it? If you answered “creating a password”, you’re dead right. Passwords are an essential barrier against cybercriminals and, believe it or not, they’re still extremely effective as long as they’re complex enough that they can’t be cracked.

Unfortunately, many of us are still using easy-to-guess classics like 1234 or, worse still, leaving our device passwords on the factory default, potentially putting our valuable information at risk.

Let’s take a look at the risks involved in lax password management and find out how you can secure your devices.

Default passwords mean cybersecurity trouble

No matter how large your business, chances are good that you have a variety of devices – from routers to smart printers and of course, computers – linked to your network.

These devices probably came with a default password set by the manufacturer, and while this is convenient when you set up the device, you need to change it immediately to avoid compromising the security of your network.

  • Cybercriminals trying to gain access to a company’s network will often use a device with a default password as the first point of entry.
  • Once they’re in the network, they’ll scan other devices, looking for the same weakness.
  • Practically speaking, this means that just one device with a weak or default password on the network can compromise your company’s data security entirely.

To eliminate the weak link in your cybersecurity chain, you’ll want to do a password audit on all your devices to make sure that they’re difficult to guess. You can learn more about avoiding weak passwords on Soteria’s news page.

Cybercriminals use simple tactics to infiltrate passwords

With more than 93 000 attempts across Africa to brute force logins and passwords in 2022, the need to protect devices is clear. A brute force attack is one in which hackers try username and password combinations by trial and error until one of them works.

Using only the most popular login combos such as ‘administration’, ‘admin-admin’ or ‘guest’ variants, cybercriminals are intensifying their attacks by capitalising on the weak security of devices.

Match password security and secure cloud storage

Securing your devices using advanced passwords is the first step, and a relatively simple step, toward uncompromisable data security – but it may not be enough to prevent a ransomware or cyberattack.

Secure cloud storage means your data is kept safe in the cloud in encrypted form so that you can always access and restore it if the worst should happen.

To start protecting your sensitive client and company data today, browse our range of secure cloud storage packages.

Secure your New Financial year | Digital Security

Start the new financial year digitally secure

The new financial year is a great opportunity to regroup and strategise for major business success in 2023/24.

With a challenging year ahead thanks to load shedding and the ever-present threat of cyberattacks, companies will need to be extra strategic to safeguard their physical and digital assets this year.

When it comes to cybersecurity, the huge number of high-profile ransomware attacks and data leaks at well-known corporates throughout the country have given the business community a strong message:

Investing in online security is no longer a nice-to-have or a grudge purchase. In fact, it’s absolutely essential.

Digital security can’t be ignored or underfunded

Businesses in South Africa are expanding online at a quickening pace with managers and owners eager to take advantage of the opportunities that exist in the global marketplace.

However, being online means exposing your business to an entire world of cyberthreats – and the skyrocketing incidence of ransomware and other attacks on local businesses proves that our cybersecurity measures are far from adequate.

  • Roughly 90% of businesses in South Africa are operating without proper cybersecurity measures, essentially leaving the door open for criminals from around the world to prey on them.
  • This vulnerability has resulted in annual losses in excess of $500 million, and the financial blues are likely to get bigger as time goes by.

Keeping your business safe online is not impossible, but it requires investment both in time and money to ensure that your data is kept safe at all times.

Some of the best practices to follow include:

  • Password security – Update passwords often and make sure they’re hard to guess.
  • VPNs – A virtual private network creates an extra layer of data protection.
  • A strict data privacy policy – You and your team should be highly vigilant about not sharing sensitive info online.
  • Updated software – Your firewall and antivirus must be updated at all times to shield your data effectively.
  • Secure backup – Encrypted secure cloud storage provides a copy of crucial data for fast restoration after a cyberattack or data breach.

If you’re doing business online without cybersecurity measures in place, there’s no time to lose.

Invest in secure cloud storage for peace of mind

Keeping your company data safe doesn’t have to be unaffordable. Our encrypted secure cloud storage solutions are ideal for businesses and households alike. To learn more, view our packages today.

LastPass Password Breach | Data breach

LastPass admits to August security breach of customer data

A weak password can seriously compromise your online security, but what happens when the online service that’s supposed to keep all your passwords safe in one place becomes the latest victim of cybercrime?

LastPass, an innovative tech business that prides itself on giving users peace of mind by taking care of all their passwords and letting them remember just one, found itself in a majorly embarrassing situation when its own cybersecurity was compromised last August.

If you’re a LastPass user or a web user in general, you’re probably worried about this development and how it impacts the safety of your private information. Let’s take a look at the Lastpass data breach incident in more detail and find out what your next step should be.

Cybercriminals turn LastPass into “lost pass”

There’s an app for everything nowadays, including keeping your password safe – or so we thought.

LastPass attracted millions of users by taking away the burden of remembering dozens of passwords and updating them every time you change them. The company’s unique selling point was its convenience and security: after all, asking users to trust you with the key to their most important online information is no small thing.

Last August, the unthinkable happened when LastPass found itself compromised in exactly the same way that its users were trying to avoid by using the popular online service.

According to a statement released by the company, an online security breach occurred and the following information seems to have been compromised:

  • basic customer account information
  • company names
  • end-user names
  • billing addresses
  • email addresses
  • telephone numbers
  • IP addresses

While the company insists that attackers will find it difficult to guess the passwords they were tasked with keeping safe, we would advise anyone using the service to change their passwords right away.

Secure passwords and secure backup: a powerful combo to keep hackers away

The LastPass breach is the latest in a long string of cyber security failures at large companies and tech providers. There’s a valuable lesson in this incident for all internet users.

No matter what convenient services you use, it’s essential to have an independent copy of your data backed up in the cloud with advanced encryption technology to keep it safe from cyber criminals.

Soteria Cloud’s range of backup solutions for households and businesses of all sizes is a powerful form of protection for your vulnerable personal and commercial data. We’d love you to visit our product page and select a package that suits your needs the best.

Weak Passwords Weaken Your Security | Password Security

Why weak passwords weaken your security – stop the blame game

When NordPass released its annual list of common passwords for 2021, that old staple of the lazy password maker, 123456, made it to the top of the list once again. If you’re shaking your head in disbelief or chuckling as you read this, take it from us: weak passwords are all too common, and they leave the door wide open to cybercriminals.

Let’s take a look at how weak passwords can weaken your security and how you can fix yours today.

weak passwords: who’s to blame?

Let’s be honest – we’ve all used easy-to-guess passwords before, and who could blame us? They’re easy to remember!

Unfortunately, the entire cybersecurity community is blaming us. That’s because lazy passwords are also easy to crack – and when a data breach happens, who’s to blame?

Instead of making fun of average Joes like us and the passwords we choose, a better strategy for website owners is to understand the importance of a strong password and how to help users develop one.

Users will naturally choose simple or funny passwords for the sake of convenience or to save time. As a site owner, you’ll need a system that filters out weak passwords and encourages users to make theirs longer – and not necessarily more complex.

But what does a good password look like in 2022 anyway?

what makes an iron clad password?

Whenever a user creates an online account, they’ll go through a process of password creation – and somehow, the password they choose is never good enough.

We’ve all been there: either the password is too long or too short or doesn’t contain enough uppercase characters, symbols and other special characters…

A good site makes this process easy and even humorous, but the site owner takes on the responsibility of blocking the user from proceeding until a safe password has been chosen.

Truth be told, all this hassle is for a good reason. The more unusual your password is, the more difficult it is for hackers to crack it. At least that’s what we used to think.

  • Cybercriminals use a technique called brute force cracking to discover passwords.
  • This basically involves trying random numbers and letters together in sequence like the wheels of a slot machine until the password is cracked. The process takes time – and the longer your password is, the more difficult it is to crack.

A short password that contains special characters isn’t necessarily going to be more effective against cybercrime in 2022.

Instead, it’s a good idea to lengthen your password as much as possible and always use the maximum amount of characters allowed by the app or website you’re using.
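The points above (length beats special characters, and a site should block weak choices before the user proceeds) can be turned into a registration-time check. The following is an added example, not code from the original post or from Soteria Cloud: the blocklist, the substitution map and the minimum length are constructed assumptions, and the bit estimate simply measures the keyspace an exhaustive search would have to cover given the character classes the password uses.

```python
import math
import string

# Constructed blocklist for illustration; a real deployment would load a
# large list of previously breached passwords instead of this handful.
COMMON_PASSWORDS = {
    "123456", "12345", "1234", "password", "admin",
    "administration", "guest", "qwerty",
}

# Undo the "p@ssw0rD"-style substitutions users apply to a common word:
# @->a  $->s  0->o  1->i  !->i  3->e  (constructed map, not exhaustive)
LEET_MAP = str.maketrans("@$01!3", "asoiie")


def normalize(pw: str) -> str:
    """Lower-case the password and undo simple character substitutions."""
    return pw.lower().translate(LEET_MAP)


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of charset^length: the work an exhaustive search faces.

    Length multiplies the exponent, so a long lower-case passphrase
    outscores a short password padded with symbols.
    """
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def evaluate_password(pw: str, username: str = "", min_length: int = 12) -> dict:
    """Return whether the password should be accepted and why not if it is rejected.

    min_length of 12 is an assumption for this example; the original text
    recommends at least eight and as long as the site allows.
    """
    reasons = []
    norm = normalize(pw)
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Strip a trailing digit run so "password1" still matches "password".
    if norm in COMMON_PASSWORDS or norm.rstrip(string.digits) in COMMON_PASSWORDS:
        reasons.append("matches a common password (after undoing simple substitutions)")
    if username and username.lower() in norm:
        reasons.append("contains the username")
    return {"accepted": not reasons, "bits": brute_force_bits(pw), "reasons": reasons}


if __name__ == "__main__":
    for candidate, user in [("p@ssw0rD", "alice"),
                            ("Tr0ub4d&3", "alice"),
                            ("alice2024rocks!!", "alice"),
                            ("correcthorsebatterystaple", "alice")]:
        result = evaluate_password(candidate, user)
        print(f"{candidate!r}: {result['bits']:.1f} bits, "
              f"{'accepted' if result['accepted'] else 'rejected: ' + '; '.join(result['reasons'])}")
```

Running it shows the contrast the text describes: the nine-character symbol-laden password scores around 59 bits, while the 25-character lower-case passphrase scores around 117 bits, and the leetspeak variant of "password" is caught by normalising before the blocklist lookup.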

keep the good stuff to yourself

You’d be surprised how many data breaches, hacking attempts, and cases of fraud have taken place simply because someone wasn’t careful enough about hiding their password.

  • It’s essential that you never share your password with anyone or write it down and leave it somewhere – like on your desk where people with prying eyes can see it.
  • By taking a few simple measures, you can keep your password safe and effective and protect yourself from the rising threat of malware, ransomware and cyber crime in general.

take your data security to the next level with secure cloud storage

The safety of your data is one of the most important aspects of your company’s overall digital safety plan this year.

Our range of secure cloud storage solutions will help keep your valuable information safe in the cloud.

Have the Right Credentials | Ransomware Attacks

Do you have the right Credentials to evade Ransomware attacks?

Ransomware is a particularly nasty type of malware that’s used to hijack your important business data and – like the name says – demand a ransom in exchange for its release.

Attacks of this type have been rising in South Africa, with big names like Transnet and most major banks having been hit by wily hackers. Protecting your business from this type of crime is a major priority in 2021 and beyond.

The cost both to your company’s finances and its reputation in the wake of a ransomware attack can be huge, and like all unpleasant things it’s always better to prevent it in the first place.

Having an excellent antivirus software, firewall and other data security measures in place as well as opting for secure cloud storage are all excellent ways to defend your business from ransomware. But here’s the thing: all of these great measures could still fail if you neglect a small but essential aspect of data security: secure user credentials.

make sure the authorised user is really you

One of the easiest ways for hackers and ransomware creators to access your data in the first place is by breaching the first line of defence. Yes, that’s your trusty old password.

  • AI-driven password cracking software is now capable of decoding an eight-letter password in a number of hours and a twelve-letter password in just a few days.
  • As the software advances, these processing times are likely to drop further, and that means one thing. The days of using a password as your only means of data protection are long over.

A password is a piece of information that you know – and that means that someone else can know it too just by stealing it. A better approach to data security is to use information like biometric data that’s a physical part of you.

New credential verification systems like those used by Microsoft and eBay are helping users around the world to go “passwordless”, separating identities and passwords once and for all.

keep your data safe with a cloud-based storage solution

If the headaches that come with securing your data on-site don’t seem worth it, it’s because they aren’t. Leave the security to us and opt for cloud storage for your enterprise. Contact us today to find out how.

Common Website Concerns | Cybersecurity

Common Website Cybersecurity Concerns

While you were sleeping … a thief gained access and stole your valuables. It’s a statement many in South Africa are all too accustomed to hearing. This time, however, the thief didn’t gain access through a broken window or a smashed lock; they simply logged onto their PC and found a way into your website. The valuables? Your data, your server, and a massive cost to your business in downtime and revenue.

Losing sleep over cybersecurity concerns is the new ‘normal’ for business owners, especially with the pandemic and the increased number of people working from home.

Often, successful hacking attempts are a result of basic human error with poor password security, hosting accounts and the site itself. Unfortunately, these errors make it easier for hackers to attack and cripple your website. Phishing, malware, and DOS or DDoS attacks are just a few of the ways hackers can try to take over your website.

malware

Malicious files cause damage to your system, collect or destroy sensitive information and prevent access by locking you out of the system entirely. Viruses, spyware, ransomware, adware, trojans and worms are just some of the many common types of malware.

phishing

Hackers commonly use email or social media to pose as a legitimate entity such as a bank or government authority. There is usually an urgent request to update personal information on a seemingly valid page, but in reality, sensitive information is being harvested. Common phishing attacks come in different shapes and forms such as spear phishing, pharming and whaling.

DOS or DDoS attacks

Denial-of-Service or Distributed denial-of-service attacks are when the hacker uses one or more infected machines to send an overwhelming amount of traffic to the server forcing it to reduce its functionality and eventually stop working.

Other attack methods include SQL injection, whereby hackers use crafted input to reveal both private and admin information. They can also use cross-site scripting to mix legitimate content with malicious code, which causes visitors’ browsers to execute it when they access the website. And lastly, the hackers’ main form of cyberattack is still the age-old password attack.

People tend to use easy-to-remember words, phrases, or numbers that the patient hacker readily guesses. This attitude to passwords may be down to the sheer volume of passwords needed in our daily lives these days. However, this complacency is a hacker’s dream and gives them easy access to your data in no time.

how can you protect your cybersecurity before the ‘lights’ go out?

  1. Utilise a password management tool to manage employee passwords securely
  2. Use secure software and plugins
  3. Optimise your website code
  4. Install a rigorous firewall
  5. Install two-factor authentication
  6. Update your admin username and login URL
  7. Utilise an online backup service to back up your data automatically

A successful web page comprises three essential elements: a website builder, a domain name, and a trustworthy web hosting service. A dependable web hosting service ensures you have additional security needed to prevent malicious cyberattacks by applying layers of security before accommodating your account.

last say on common cybersecurity concerns

By following the above recommendations and selecting a secure host, you can eliminate your cybersecurity concerns and catch up on some well-deserved sleep.

Spotify Users Taken for a Song by Credential Stuffing Op

If you’re a Spotify user and have experienced some disruption with your account access, you may have been taken for a song by a credential stuffing op that was recently in full swing.

Not too long ago, a research team stumbled across an open Elasticsearch database jam-packed with more than 72GB of data containing over 380 million records of individuals’ sensitive information. The login information and user data found on this particular database was actively being verified against Spotify when it was found. The reality of the situation is that an unscrupulous hacker was using the database to store Spotify login credentials that were obtained illegally from other sources through a hacking process known as “credential stuffing”.

using the same password can lead to credential stuffing

At this point, the question begs to be asked; what on earth is “credential stuffing”?

Credential stuffing is a cyberattack used to steal the user names, emails and passwords of user accounts through large-scale automated login requests. This type of attack is aimed at people who use the same password for multiple services and accounts.

Typically, the hacker will obtain the ID and password from one source. In most instances, it is from a data breach on a company website. The hacker then uses that user name and password to gain access to other accounts used by the individual by using automated scripts. One big brand that has fallen victim to such a hacking attack is North Face.
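From the defender’s side, the pattern described above (one source replaying many different stolen username/password pairs through automated login requests) is visible in authentication logs: a single client address cycles through many distinct usernames in a short window, mostly failing, with the occasional success on an account whose owner reused a password. The script below is an added example that is not part of the original post or of any Spotify tooling; the log format, the sample lines, the 60-second window and the five-username threshold are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real traffic). 203.0.113.7 replays
# stolen pairs against eight different accounts; 198.51.100.20 is one user
# mistyping their own password; 192.0.2.44 is an ordinary successful login.
SAMPLE_LOG = """\
2024-03-01T10:00:01 login src=203.0.113.7 user=anna result=FAIL
2024-03-01T10:00:02 login src=203.0.113.7 user=ben result=FAIL
2024-03-01T10:00:03 login src=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:04 login src=203.0.113.7 user=dave result=FAIL
2024-03-01T10:00:05 login src=203.0.113.7 user=erin result=SUCCESS
2024-03-01T10:00:06 login src=203.0.113.7 user=frank result=FAIL
2024-03-01T10:00:07 login src=203.0.113.7 user=grace result=FAIL
2024-03-01T10:00:08 login src=203.0.113.7 user=heidi result=FAIL
2024-03-01T10:05:00 login src=198.51.100.20 user=carol result=FAIL
2024-03-01T10:05:09 login src=198.51.100.20 user=carol result=FAIL
2024-03-01T10:05:20 login src=198.51.100.20 user=carol result=SUCCESS
2024-03-01T10:06:00 login src=192.0.2.44 user=ivan result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) login src=(\S+) user=(\S+) result=(\S+)$")


def parse_line(line: str):
    """Return (timestamp, src, user, ok) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return datetime.fromisoformat(ts), src, user, result == "SUCCESS"


def max_distinct_users_in_window(events, window_seconds: int) -> int:
    """Largest number of distinct usernames one source tried within any window.

    events: list of (timestamp, user) sorted by timestamp. Sliding window
    with two pointers, so each event is added and removed at most once.
    """
    best, start = 0, 0
    counts = defaultdict(int)
    for ts, user in events:
        counts[user] += 1
        while (ts - events[start][0]).total_seconds() > window_seconds:
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def analyse(log_text: str = SAMPLE_LOG, window_seconds: int = 60,
            min_distinct_users: int = 5) -> dict:
    """Per-source summary; a source is flagged when it tries too many accounts too fast."""
    per_src = defaultdict(lambda: {"events": [], "failures": 0, "successes": 0,
                                   "succeeded_users": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines that do not match the expected format
        ts, src, user, ok = parsed
        entry = per_src[src]
        entry["events"].append((ts, user))
        if ok:
            entry["successes"] += 1
            entry["succeeded_users"].add(user)
        else:
            entry["failures"] += 1

    report = {}
    for src, entry in per_src.items():
        events = sorted(entry["events"])
        distinct = max_distinct_users_in_window(events, window_seconds)
        report[src] = {
            "max_distinct_users": distinct,
            "failures": entry["failures"],
            "successes": entry["successes"],
            # Accounts that were actually hit: candidates for a forced reset.
            "succeeded_users": sorted(entry["succeeded_users"]),
            "flagged": distinct >= min_distinct_users,
        }
    return report


def flagged_sources(report: dict) -> list:
    return sorted(src for src, r in report.items() if r["flagged"])


if __name__ == "__main__":
    rep = analyse()
    for src in flagged_sources(rep):
        r = rep[src]
        print(f"{src}: {r['max_distinct_users']} accounts in one window, "
              f"{r['failures']} failures, successes on {r['succeeded_users']}")
```

The distinguishing signal is the number of different accounts per source, not the number of failures: a legitimate user who fumbles their password fails several times on one account and is left alone, while the stuffing source is flagged even though it only failed seven times. The accounts it did get into are listed so they can be reset, which is the same response the company took for the affected users.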

spotify’s action against the credential stuffing attack

When the research team who found the database with stored credentials on it approached Spotify, it was discovered that the database belonged to a group or individual who was using it to defraud Spotify.

The company had to act quickly to protect its users and render the stored information on the illegal database useless, and so they rolled out a company-wide (and user-wide) password reset. As many as 350 000 users of Spotify were impacted by the attack, which is considered a minor impact when you take into account that nearly 300 million users make use of the service on a monthly basis.

what is the real risk to you?

If you are thinking that a credential stuffing attack doesn’t really affect you, think again. You might not be a Spotify user, but perhaps you use a variety of other online services. Are your user names and passwords unique for each of those accounts? If not, you are at risk.

Statistics show us that credential stuffing used in conjunction with automated attacks (referred to as account takeover attacks) has increased by a massive 72% in the last 12 months alone. Why? Because it works for the hacker and because many people don’t take the risk and warning seriously until it directly impacts them. Don’t wait to become a victim! Take action now.

what to do

The first step is to make a list of all of your online accounts and services along with their user names and passwords. If any of them are using the same combinations of user names and passwords, change them! You must use a strong and unique password on each and every one of your online services and accounts.

Activating multi-factor authentication is also a really good step in the right direction.

last word

If you are a Spotify user, it’s a good safety precaution to change your password as soon as possible. Also, spend some time reviewing your current passwords and commit to changing them regularly.

Have you been impacted by a credential stuffing attack before? Let us know – we would love to hear about your personal experiences!

Poor Password Behaviour & Choices Continue to Thwart Security

Be honest… how many passwords do you have? The reality is that most people have one password that they use on every device, as well as for all of their online accounts. This isn’t just a risk for your personal information…it’s also causing a massive headache for IT security professionals.

For years we have heard tech professionals offering password tips, advising on ‘safe and secure’ passwords. “Have a different password for separate accounts”, “change your password regularly”, “don’t use personal information in a password that someone could guess” – these are some of the things that have been said time and again. Yet it seems people just don’t listen, as data breaches and theft due to poor passwords are at an all-time high.

What’s the Real Problem Behind Poor Passwords?

Simply put, people are bad and lazy when it comes to setting passwords. We choose the quickest and ‘easiest’ way out when asked to create a password. Instead of choosing something secure, we choose something that we can remember. And in most instances that’s a birthday, a pet’s name, a maiden surname – you know how it goes.

As technology became a bit smarter and began to prompt us to use passwords that are more challenging to guess by combining capital letters, numbers and special characters, many of us still opted for the easiest route. This is why you see passwords cropping up such as “p@ssw0rD” – which, essentially, isn’t very secure at all.

The path of least resistance

It would also seem that many of us have become blasé about password security. When told that our accounts have been hacked and that the data has been breached, the accepted and recommended solution is to change our passwords. Some do this, a large portion of us don’t. And even those that do change their passwords, only attend to the particular account that has been hacked, overlooking the fact that the same password has been used across multiple devices for multiple accounts.

Another problem area for bad passwords is routers. Most routers come with a pre-loaded default password attached for easy setup and installation. As a gateway to the internet, a router needs to be secure, yet the default passwords are often easy to guess and need to be changed. So many people never change the default password leaving themselves open to being locked out by hackers – similar to a lock on your house. If you sell your home and the new owners don’t change the locks – your keys will always have access, which means you could lock the new owners out!

Go Ahead – Change Your Password!

Are you a poor password offender putting your data and personal information at risk? Security experts suggest planning a schedule for password changes, making it a routine for the long term that includes a new password for your router and ALL of your accounts.