Hacking Hacked: Password Security in the Digital Age
As we continue to shift to online work environments and remote learning, cybersecurity has become imperative to business operations. From Netflix to work emails, it is important that the passwords we use every day are crafted to keep information private.
From using the same eight digits across accounts to protecting our data behind “password” or “12345”, we have all committed a security faux pas at one point or another. Although it may be a pain to track dozens of passwords, keeping them complex and varied across platforms is the best way to keep personal information safe from hackers.
The Massachusetts Institute of Technology developed the first computer password in 1961, 17 years after the first digital computer graced the halls of the University of Pennsylvania. The credential protected the Compatible Time-Sharing System (CTSS), an early inter-user messaging system that required each researcher to develop their own personal log-ins.
These early security codes were simple and accessible, and all researchers with access to CTSS also had access to the passwords of others. This simplicity left the system vulnerable, and in 1962 MIT researcher Allan Scherr used his coworkers’ information to game the system and work more than his allotted four hours a week. As the first hacking job, this highlighted the importance of computer security for corporations, institutions, and (often) their bottom lines. Scherr’s actions catalyzed the current age of security, and computer scientists began the race to develop password standards that could keep up with increasingly complex operating systems.
The father of UNIX operating systems, Robert Morris, developed one such security method that is still in use today: hashing. This one-way function applies a mathematical formula to a string of characters and converts it into a fixed-length code. The system later stores that code, not the plain text the user originally typed. This approach protects the user and makes accounts harder to hack.
Despite this breakthrough in cybersecurity, not all websites hash their passwords. Instead, user credentials are often stored in plain text in a single master list, leaving personal information vulnerable to hackers and their programs.
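To make the contrast concrete, here is an added example (not code from the original article) of the two storage choices just described: a plain-text record beside a salted, iterated hash using Python's standard library. The user records and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; illustrative, tune to your hardware

def store_plaintext(password: str) -> dict:
    """What a site that skips hashing keeps: the password itself."""
    return {"password": password}  # anyone who reads this table owns the account

def store_hashed(password: str) -> dict:
    """Salted, iterated hash: the record reveals nothing usable on its own."""
    salt = os.urandom(16)  # unique per user, so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify_hashed(record: dict, attempt: str) -> bool:
    """Recompute the hash of the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])

def record_leaks_password(record: dict, password: str) -> bool:
    """True if the stored record contains the password verbatim."""
    return password in record.values()
```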
How Hackers Hack
As of 2020, an average of 30,000 new websites are hacked every day with attacks occurring every 39 seconds. These sites are usually legitimate landing pages for small businesses that unintentionally distribute malware. “Hacking” is an ambiguous term that conjures up images of sunlight-starved teenagers and darkened rooms with warped voices. Below are three common methods hackers use to steal company data.
The statistic above illustrates how often businesses with weak security protocols are breached. Hackers often target these sites to access their users’ credentials, then use a technique called credential stuffing to gain access to websites beyond the original. Many users reuse the same password across sites, so if a hacker steals an individual’s password from one site, they will try that same string on other websites the user might frequent, often successfully.
We’ve all gotten pop-up ads telling us that we’ve won the newest iPhone or an email that almost looks like it actually belongs to that budget office of the next school over. According to UNC ITS, phishing is a “method through which bad actors attempt to gather personal information – including usernames, passwords, credit card numbers, and more – through malicious email links or attachments.” This method often attempts to trick users into supplying information to what they believe is a genuine request from a company or business.
Password spraying is a technique in which hackers use a common list of passwords against a user account name. Keep reading to ensure you and your constituents’ passwords stay off the list.
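Credential stuffing and password spraying leave different footprints in a login audit log, and the added example below (not code from the original article) classifies each source address from a constructed sample. It assumes a log format of the form `src=... user=... result=... reason=...` and uses one heuristic as an assumption: a stuffing list replayed from another site's breach contains many usernames that do not exist locally, while spraying touches valid accounts only once or twice each.

```python
import re
from collections import defaultdict

# Constructed sample of login-audit lines (illustrative, not real traffic).
LOG_LINES = [
    "2024-05-01T09:00:01 src=203.0.113.7 user=alice result=FAIL reason=bad_password",
    "2024-05-01T09:00:09 src=203.0.113.7 user=bob result=FAIL reason=bad_password",
    "2024-05-01T09:00:17 src=203.0.113.7 user=carol result=FAIL reason=bad_password",
    "2024-05-01T09:00:25 src=203.0.113.7 user=dave result=FAIL reason=bad_password",
    "2024-05-01T09:00:33 src=203.0.113.7 user=erin result=FAIL reason=bad_password",
    "2024-05-01T09:01:02 src=198.51.100.9 user=jsmith88 result=FAIL reason=unknown_user",
    "2024-05-01T09:01:02 src=198.51.100.9 user=gamer_kid result=FAIL reason=unknown_user",
    "2024-05-01T09:01:03 src=198.51.100.9 user=alice result=FAIL reason=bad_password",
    "2024-05-01T09:01:03 src=198.51.100.9 user=mmiller result=FAIL reason=unknown_user",
    "2024-05-01T09:01:04 src=198.51.100.9 user=bob result=OK reason=-",
    "2024-05-01T09:05:00 src=192.0.2.5 user=alice result=FAIL reason=bad_password",
    "2024-05-01T09:05:20 src=192.0.2.5 user=alice result=OK reason=-",
]
LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+) reason=(\S+)")

def classify_sources(lines, min_users=5, max_tries_per_user=2):
    """Return {source_ip: verdict} from per-source counters (thresholds are assumptions)."""
    stats = defaultdict(lambda: {"users": defaultdict(int), "fail": 0, "unknown": 0, "total": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user, result, reason = m.groups()
        s = stats[src]
        s["total"] += 1
        s["users"][user] += 1
        if result == "FAIL":
            s["fail"] += 1
            if reason == "unknown_user":
                s["unknown"] += 1
    verdicts = {}
    for src, s in stats.items():
        if len(s["users"]) < min_users or s["fail"] < 0.8 * s["total"]:
            verdicts[src] = "normal"  # few accounts touched, or mostly successful
        elif s["unknown"] * 2 >= s["fail"]:
            verdicts[src] = "credential_stuffing"  # replayed list: many names unknown here
        elif max(s["users"].values()) <= max_tries_per_user:
            verdicts[src] = "password_spraying"  # valid names, one or two tries each
        else:
            verdicts[src] = "brute_force"
    return verdicts
```

Alerting on these verdicts per source address is where lockout policy and rate limiting are usually tuned.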
Protecting Your Data
A 2020 study by WebARX found that out of 13 crimes measured, including murder and terrorism, cybercrime is more concerning to Americans than any other offense. Specifically, seventy-one percent of participants cited concern about the privacy of their personal data, with sixty-seven percent citing identity theft.
Still, as of this year an estimated 23 million account holders use “123456” alongside their usernames. Other popular choices include “qwerty”, “password”, and “iloveyou.”
When even one user account is compromised, educational institutions can face a loss of finances, data, processes, and storage. This liability can be avoided by introducing enterprise-level password management systems, alongside specific requirements for the constituents of the institution. These requirements can vary in complexity, but often require that a user include an uppercase letter and at least one digit.
In the past decade, more and more companies have transitioned to two-factor authentication methods as an added layer of security. In addition to a user’s password, this authentication method requires an additional form of authorization. This process can protect both users and the companies they work for.
Still, in a world where complexity and variety are a must, memorizing a long list of non-sensical characters can be difficult. When this becomes a pain-point, use a password management system to keep unique log-in details in one place.
These systems are built to protect the data of businesses and individuals, and the leading ones use a technique called “zero-knowledge.” This tactic enables the software to encrypt and store several passwords, all the while protecting them from outside parties, including the company behind the software.
For example, products like LastPass, Dashlane, Keeper, and BitWarden are enterprise-level vaults that encrypt and decrypt at the device level. The Digital Solutions and Services of the School of Government is using the University’s site license of LastPass to help provide security and password protection for its users. Every user is given a digital vault and its contents are kept secret, even from LastPass itself. The master password, which gives a user access to all of their vaulted passwords, is never sent to LastPass’ servers or accessible by the application. These security precautions make LastPass an ideal candidate for organizations of every kind, from educational institutions to technology companies.
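The following added example (not LastPass’ or any vendor’s actual code) illustrates the zero-knowledge split in simplified form: the device derives a vault key from the master password and sends the server only a one-way login token, so the server can check a login without ever holding the master password or the vault key. The derivation steps, iteration count and salt are assumptions made for illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # illustrative work factor, not a vendor's real setting

def client_derive(email: str, master_password: str) -> dict:
    """Runs on the user's device. vault_key stays local; login_token goes to the server."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS
    )
    # One extra one-way step: the token cannot be reversed into the vault key.
    login_token = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return {"vault_key": vault_key, "login_token": login_token}

def server_enroll(login_token: bytes, salt: bytes) -> dict:
    """Server side: store only a salted hash of the token, never the token itself."""
    token_hash = hashlib.pbkdf2_hmac("sha256", login_token, salt, ITERATIONS)
    return {"salt": salt, "token_hash": token_hash}

def server_verify(record: dict, login_token: bytes) -> bool:
    """Server side: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_token, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["token_hash"])
```

A breach of the server's records yields salted token hashes only; decrypting a vault still requires the master password on the user's device.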
As technology develops, so do hacking methods. As a corporation, business, or educational institution, it is important to protect the students, faculty, and employees that entrust us with their data. Breaches in security can result in the loss of data, and finances, and most devastatingly, the trust of users. Employ a mix of credential standards, best practices, and “zero-knowledge” software to achieve the maximum level of security for your business.