Have you ever gone to an ATM to withdraw cash and had a complete blank when you were asked to key in your secret pin?
What about when you’ve had to update your email password and then sat in front of a locked screen because you absolutely cannot remember what you changed it to? Or maybe you’ve keyed the wrong password into your smartphone seven times, it is now locked, and if you get it wrong one more time you will be locked out for hours.
Passwords are the most widely used security control online. We create them and use them to control every aspect of our online environment. For something so important, most people are exceptionally lazy about keeping them protected. For example, a common password like “123456” would take less than a second to crack. Yet, on data breach paste sites that publish hacked data, this password has featured over 23 million times!
So how do hackers do it? Passwords are vulnerable to a few things, including:
Brute force attack – someone using an automated trial and error cracking attempt that cycles through commonly used passwords.
Credential stuffing – where criminals use stolen usernames and passwords from sites to access other online accounts that use the same usernames and passwords.
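Both attacks described above leave a recognisable footprint in a service's login logs: a brute force attempt is many failures against one account from one source, while credential stuffing is one or two attempts against many different accounts from the same source, with an unusually high success rate. The following is an added example (not IDCARE's code) that classifies sources in a constructed, simplified login log; the log format, IP addresses, usernames and thresholds are all assumptions for illustration.

```python
"""Spotting brute force and credential stuffing patterns in login logs.

Added example, not IDCARE's code. The log format below is a constructed,
simplified one: "<timestamp> <source_ip> <username> <OK|FAIL>".
The thresholds are illustrative assumptions, not a published standard.
"""
from collections import defaultdict

# Constructed sample log lines (documentation IP ranges, invented users).
# 203.0.113.7 hammers one account (brute force), 198.51.100.9 tries many
# accounts once each and gets into one (credential stuffing),
# 192.0.2.4 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 alice FAIL
2024-05-01T10:00:03 203.0.113.7 alice FAIL
2024-05-01T10:00:04 203.0.113.7 alice FAIL
2024-05-01T10:00:05 203.0.113.7 alice FAIL
2024-05-01T10:00:06 203.0.113.7 alice FAIL
2024-05-01T10:01:00 198.51.100.9 bob FAIL
2024-05-01T10:01:01 198.51.100.9 carol FAIL
2024-05-01T10:01:02 198.51.100.9 dave OK
2024-05-01T10:01:03 198.51.100.9 erin FAIL
2024-05-01T10:01:04 198.51.100.9 frank FAIL
2024-05-01T10:01:05 198.51.100.9 grace FAIL
2024-05-01T10:01:06 198.51.100.9 heidi FAIL
2024-05-01T10:02:00 192.0.2.4 alice FAIL
2024-05-01T10:02:10 192.0.2.4 alice OK
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def classify_sources(events, fail_threshold=5, distinct_user_threshold=5):
    """Label each source IP that exceeds the failure threshold.

    One account, many failures   -> "brute-force"
    Many accounts, one try each  -> "credential-stuffing"
    Anything in between          -> "suspicious" (worth a closer look)
    """
    fails_per_ip = defaultdict(int)
    users_per_ip = defaultdict(set)
    for e in events:
        if not e["ok"]:
            fails_per_ip[e["ip"]] += 1
            users_per_ip[e["ip"]].add(e["user"])

    labels = {}
    for ip, fails in fails_per_ip.items():
        if fails < fail_threshold:
            continue  # ordinary typos stay below the threshold
        distinct = len(users_per_ip[ip])
        if distinct >= distinct_user_threshold:
            labels[ip] = "credential-stuffing"
        elif distinct == 1:
            labels[ip] = "brute-force"
        else:
            labels[ip] = "suspicious"
    return labels


def accounts_to_review(events, labels):
    """Accounts that were successfully logged into from a flagged source.

    These are the users who should have their password reset and their
    recovery settings checked, since a successful login from a stuffing
    source means the reused password is already in the attacker's hands.
    """
    return {e["user"] for e in events if e["ok"] and e["ip"] in labels}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    flagged = classify_sources(evts)
    print(flagged)
    print("accounts to review:", accounts_to_review(evts, flagged))
```

In real logs the source is often a rotating pool of addresses rather than one IP, so production detection groups by other signals too (user agent, timing, geography), but the shape of the two patterns is the same.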
Here are the answers to the most common questions IDCARE receives concerning passwords:
How long should a password be? Security experts recommend password managers which often use in excess of 16 characters, but for those without a password manager the advice is between 12 and 15 characters, using symbols, upper and lower case letters and numbers.
How often should I change my passwords? The more frequently the better, but aim for every 30 days.
Is anything stronger than a password? Yes, having multi-factor authentication with your password and username. This is usually a code that is provided at a point in time that is then added to the username and password when logging in. Good email providers have this function, but most don’t have this as the default setting!
What else can I do to keep my passwords safe? Don’t forget to change default factory setting passwords on non-obvious devices, such as modems, child monitors, and network storage devices.
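The length advice above can be put into numbers. An attacker guessing a short, common password like “123456” finds it in the first batch of any wordlist, and even an exhaustive search of six digits is only a million guesses, while a 12 to 15 character password drawn from all four character classes has a search space of well over 10^23 guesses. The following is an added example (not IDCARE's code) that checks a candidate password against the article's advice for people without a password manager and estimates the worst-case brute force time; the tiny common-password list and the assumed guessing rate are constructed for illustration, and real cracking speeds depend on how the password is stored.

```python
"""Why "123456" falls in under a second and why 12+ mixed characters helps.

Added example, not IDCARE's code. COMMON_PASSWORDS is a constructed
tiny stand-in for a real breach wordlist, and ASSUMED_GUESSES_PER_SECOND
is an assumption chosen for illustration only.
"""
import string

# Constructed stand-in for a breach wordlist (real ones hold millions).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "123456789"}

# Assumption: an offline attacker with a fast hash trying 10 billion
# guesses per second. Real rates vary enormously with hash type and hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10

CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32 printable ASCII symbols
}
ALL_CLASSES = set(CLASS_SIZES)


def character_classes(password):
    """Which of lower/upper/digit/symbol the password actually uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace(password):
    """Number of strings a naive brute force must try if it searches every
    string of this length over the character classes the password uses."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def seconds_to_crack(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case exhaustive-search time; zero if a wordlist finds it first."""
    if password in COMMON_PASSWORDS:
        return 0.0  # found immediately by a wordlist attack, no search needed
    return keyspace(password) / rate


def meets_idcare_advice(password):
    """The article's advice for people without a password manager:
    12 to 15 characters or more, using symbols, upper and lower case
    letters and numbers. Common passwords never pass, whatever their length."""
    if password in COMMON_PASSWORDS:
        return False
    return len(password) >= 12 and character_classes(password) == ALL_CLASSES


if __name__ == "__main__":
    for pw in ["123456", "abcdef", "Tr0ub4dor&3!x"]:
        print(pw, meets_idcare_advice(pw), f"{seconds_to_crack(pw):.3g} s")
```

The `keyspace` figure is deliberately generous to the defender: it assumes the attacker knows nothing about structure, whereas real cracking tools try dictionary words, dates and keyboard patterns first, which is why a long random string from a password manager beats a clever-looking phrase of the same length.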
How do I know if my password has been stolen?
Your anti-virus detects malware, including “keystroke loggers”, which capture what you type, including your passwords.
You’ve been locked out of an online account because someone has broken in.
You have checked your email against a data breach paste site – these tell you what information of yours has been compromised in a data breach. Some of these sites contain information that impact hundreds of millions of accounts.
You experience identity theft and notice strange things happening, such as your phone going to ‘SOS’ (because of an unauthorised number port), unexplained transactions in your online banking, or new products and services being ordered. Not all identity theft is caused by a stolen password, but some certainly is.
If you think your password has been exposed, here’s a list of what you can do NOW to keep it safe:
Change it immediately.
Check the relevant account to make sure that your recovery settings haven’t changed, such as an unknown email address or phone number being present.
Think about where else you may have used the same email and password combination.
Mix them up!
Think about a Password Manager. These services take the guesswork out of having to remember long and complex passwords. Yes, they too are vulnerable, but in our view not as vulnerable as not having one.
Write a list of what personal, account and credential information you think you had in the account that has been exposed about you and other people, such as family members.
Book a time with an IDCARE Case Manager as a free and anonymous community service to work the angles on what can be done to protect yourself or family members that have had information exposed (you can do this at www.idcare.org).
IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.