How Safe Is Your Password from the $450 Billion Cybercrime Industry?

By Small Biz Geek on September 12, 2017 · Filed Under: Internet, Scams, Security Updated: March 12, 2018

In 2016, cyber criminals profited $450 billion. With dedicated, professional criminal organisations operating with impunity, the least you can do is review your password strength. 


These days our entire lives seem to be guarded by passwords. Sadly, the ability to lie, manipulate, misinform and mislead is becoming more sophisticated as thieves learn to slip in and out of your online accounts undetected. 

You’ve probably received text messages, emails and phone calls from someone claiming to be from a real organisation, whether it’s your bank, Microsoft, HMRC, eBay, PayPal, Royal Mail or any other well-known name.

I received a text alerting me of suspicious activity on my bank account and went to great lengths to discover the legitimacy of this message. Turns out it was real, but better safe than sorry, was my reasoning.

What cybercriminals want is to break the authentication mechanism, and a password is only one part of that mechanism. That is also why a second factor, such as a code from your phone, still matters when the password itself is strong.

Even if you don’t have your bank account emptied, you could still be a victim. Someone obtaining and selling your details in order to commit fraud against larger businesses makes you their proxy.

How Hackers Obtain Your Password

There are three primary ways to get your password: phishing, guessing and brute force.

Phishing

The first method is to trick you into giving it up willingly by sending you a scam email which directs you to a fake site where it can be stolen. This falls under the remit of human error because the user becomes unknowingly complicit in a socially-engineered attack.

Fake Netflix email (screenshot)

This carrot and stick approach is not particularly sophisticated but people do fall for it. Receiving a fake email from a bank, PayPal, HMRC, utilities and entertainment providers is not uncommon.

You can often spot a fake email by checking the address the message actually came from (not just the display name, which anyone can set to read “PayPal”) and the reply-to address, and by hovering your mouse cursor over any link or button in the email body and reading the destination URL in the preview at the bottom left of the window. Look at the domain immediately before the first slash: a lookalike such as yourbank.com.example.net is not yourbank.com. Bear in mind that the sender address itself can be forged, so where the links actually go is the more reliable tell.

As I was writing this post an email came from Virgin Media, telling me that a bill was ready for me to pay. This came through to an email address I had never disclosed to them so I was suspicious.

Scam Virgin Media email: fake ISP bill (screenshot)

The email was convincing in that it cited and linked through to some legitimate pages on the VM website, but the reply-to address was [email protected].

They’d never used an email like that before, so I checked out www.virginmediaconnections.com and was faced with a parked domain. An inactive website.

Furthermore, the “View Bill” button in the email linked to a completely different website. I didn’t click anything – obviously – but by hovering my cursor over the button, the preview URL in the bottom left corner was revealed.

That was the trap, sprung and ready to decapitate.

Scam email link preview

I sent the screenshot of the email to Virgin Media via their Twitter profile.
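The “hover and read the preview” check described above can be automated. The following is an added example written for this post, not code from the original or from Virgin Media: it pulls every link out of an HTML message and flags those whose host is not on the brand’s own domain. The sample message is constructed to mirror the fake bill, and the hostnames in it (billing-update.example.net, virginmedia.com.example.org) are placeholders, not addresses seen in the wild.

```python
"""Check whether the links in an HTML email actually point at the brand's domain.
Added example for this post, not code from the original; the sample message is
constructed and its non-brand hostnames are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the fake ISP bill described above.
SAMPLE_EMAIL_HTML = """
<p>Your latest bill is ready. See our <a href="https://www.virginmedia.com/help">help pages</a>.</p>
<p><a href="http://billing-update.example.net/view?id=123">View Bill</a></p>
<p><a href="https://virginmedia.com.example.org/login">Log in to My Virgin Media</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Approximate the owner's domain as the last two labels.  A real tool would
    consult the public suffix list (so that example.co.uk works); this is enough
    to expose 'virginmedia.com.example.org' as belonging to example.org."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html, expected_domain):
    """Return (text, host) for each link whose host is not on expected_domain."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != expected_domain.lower():
            flagged.append((text, host))
    return flagged


if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE_EMAIL_HTML, "virginmedia.com"):
        print(f"'{text}' goes to {host}, not virginmedia.com")
```

The legitimate help link passes because its host is on virginmedia.com; the “View Bill” button and the login link are flagged. Note that the third link starts with the brand name and would fool a quick glance at the preview, which is exactly why the check looks at the domain owner rather than the beginning of the hostname.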

Guessing

Hackers use other information available online about you to guess the password. Many people use derivatives of names, dates, pets, significant places and locations.

They may be gathering open-source intelligence on you, trawling social media profiles, company websites and public records, to join the dots.

If you use the same password for different services, you are easier to hack: once one service is breached, attackers try the leaked email and password combination everywhere else, a technique known as credential stuffing. Facebook’s own Mark Zuckerberg fell victim to this.
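To show how little a “personal” password buys you, here is an added example (not from the original post) that enumerates the guesses a targeted attacker would try first from two scraped facts. The facts, a pet’s name and a home town, and the two years are constructed for a fictional target; the capitalisation, letter-for-number substitution and year/suffix rules are the kind of thing password-cracking tools apply automatically.

```python
"""Enumerate the guesses a targeted attacker makes first from personal facts.
Added example, not from the original post; the facts and years are constructed
for a fictional target."""

# Facts an attacker might scrape from social media: a pet's name and a home town.
FACTS = ["rover", "derby"]
YEARS = ["1984", "2017"]        # a birth year and the current year
SUFFIXES = ("", "!", "1", "123")
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})


def candidate_guesses(facts, years, suffixes=SUFFIXES):
    """Yield guesses in roughly the order a cracking rule set would produce them:
    each fact in three capitalisations, plain and 'leet', with a year and a
    suffix appended.  Duplicates are skipped so positions are meaningful."""
    seen = set()
    for word in facts:
        for base in (word.lower(), word.capitalize(), word.upper()):
            for variant in (base, base.translate(LEET)):
                for year in ("",) + tuple(years):
                    for suffix in suffixes:
                        guess = f"{variant}{year}{suffix}"
                        if guess not in seen:
                            seen.add(guess)
                            yield guess


def guess_position(password, facts=FACTS, years=YEARS):
    """Return the 1-based guess number at which password falls, or None."""
    for position, guess in enumerate(candidate_guesses(facts, years), start=1):
        if guess == password:
            return position
    return None


if __name__ == "__main__":
    for candidate in ("Rover2017!", "d3rby123", "correct horse battery staple"):
        print(candidate, "->", guess_position(candidate))
```

“Rover2017!” is the 34th guess and “d3rby123” is in the second block of sixty, so a ten-character password built from facts about you is, in effect, a very short one however long it looks. A password with no connection to you does not appear in the list at all.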

Brute Forced Entry

Brute force is where a hacker basically just tries every possible password until they get the right one.

In theory any password can be brute forced given enough time and computing power; in practice what matters is whether the attacker can make guesses faster than you can make the password long. There are two very different situations. Guessing against a live login form is slow, because the service can rate-limit or lock the account after a few failures. Guessing against a stolen copy of a site’s password database, the usual case after a breach, is limited only by hardware and by the hashing algorithm the site used: fast hashes such as MD5 or NTLM can be tried at billions of guesses per second on a GPU, whereas deliberately slow ones such as bcrypt or Argon2 cut that to thousands.

The figure often quoted is 8 billion guesses per second. Research from a Norwegian security convention in 2013 claimed that an 8 character password could be cracked in 6 hours, which is about right at that rate for a password made of letters and digits only; adding symbols helps a little, adding length helps enormously.

Every extra character multiplies the number of possibilities by the size of the character set, so a long random password goes from hours to centuries. The exact time is something you can calculate for any password, but the estimates assume the attacker has to try every combination: a password built from names, dates or dictionary words falls far faster to a wordlist, which is why the figures from password-strength meters should be treated as an upper bound.
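The arithmetic behind those estimates is short enough to show. Here is an added example, not from the original post, that works out the keyspace, the strength in bits and the time to exhaust it for the usual character sets, using the 8 billion guesses per second figure quoted above as the offline rate. The 100 guesses per second online rate is an assumption standing in for a login form with rate limiting. It also covers the three-random-words style of passphrase discussed later on the page, where the attacker tries word combinations rather than characters.

```python
"""Brute-force cost calculator.  Added example, not from the original post.  It
uses the 8 billion guesses/second figure quoted above as an offline rate against
a fast hash; the 100 guesses/second online rate is an assumption standing in for
a login form with rate limiting."""
import math

OFFLINE_RATE = 8_000_000_000   # guesses/s, the figure quoted in the post
ONLINE_RATE = 100              # guesses/s, assumed for a rate-limited login form

CHARSETS = {
    "lowercase": 26,
    "letters+digits": 62,
    "all printable ASCII": 95,
}


def keyspace(charset_size, length):
    """Number of possible passwords of exactly this length."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Strength in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, rate=OFFLINE_RATE):
    """Worst case for the attacker; on average they finish in half this time."""
    return keyspace(charset_size, length) / rate


def words_seconds_to_exhaust(vocabulary_size, words, rate=OFFLINE_RATE):
    """Random-words passphrase: the attacker tries word combinations, not
    characters, so the keyspace is vocabulary_size ** words."""
    return vocabulary_size ** words / rate


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (8, 12, 16):
            print(f"{name:>20} x{length}: {entropy_bits(size, length):5.1f} bits, "
                  f"offline {human(seconds_to_exhaust(size, length))}, "
                  f"online {human(seconds_to_exhaust(size, length, ONLINE_RATE))}")
    print("3 words from a 10,000-word vocabulary:",
          human(words_seconds_to_exhaust(10_000, 3)))
    print("4 words from a 7,776-word diceware list:",
          human(words_seconds_to_exhaust(7776, 4)))
```

Eight letters and digits come out at about 7.6 hours offline, close to the 6 hours quoted; eight lowercase letters take under half a minute. The caveat practitioners care about is the passphrase line: three words from a 10,000-word vocabulary is about two minutes of offline cracking against a fast hash, which is fine for a rate-limited login but not for anything whose password database might leak, so use four or more words from a large list where that is a risk.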

Choosing a Strong Password

Many websites and online services are beginning to reject weak passwords at the sign up stage.

A good password should contain:

  • UPPERCASE letters (ABC…)
  • Lowercase letters (def…)
  • Numbers (123…)
  • Spaces (” “), where the site allows them
  • Punctuation (.,:;-!? and the like, usually used in sentences)
  • Symbols (@&+=>$#*^~ and the like, usually NOT used in sentences)
  • No dictionary words or names, and no predictable respelling of them: cracking tools apply substitution rules automatically, so “kwean” or “qu33n” buys almost nothing over “queen”
  • More than 15 characters, and the more the better

Of these, length counts for most. Mixing character classes enlarges the set an attacker has to search, but every extra character multiplies the work, so twenty random letters beat ten characters stuffed with symbols.

Generating a Complex Password

I use a password generator to come up with strong, complex passwords. These are not supposed to be easy to remember, so you’ll need to record them somewhere safe, whether written down or in a password manager (see Store Passwords Safely below).

When you write it down, be mindful of the subtle difference between things like the letter “o” and a zero.

Choosing A Memorable Password

If you need to be able to remember your password, you can use three random words strung together. (Don’t confuse this with the phrase “something you know, something you have, something you are”: that describes the three factors of multi-factor authentication, not a recipe for a password.)

The UK Government is running TV ads encouraging the use of stronger passwords made up of three random words. This takes the guesswork away from would-be hackers provided the words have no personal significance and don’t form a common phrase, song lyric or film title, since guessing tools try those early. Three genuinely random words are also far easier to remember than a string of symbols of similar strength.

Banks are beginning to run media campaigns across TV and the internet encouraging this too:

Don't let criminals steal your information. For more advice visit Lloyds Bank: https://t.co/9GFyoHRhtN @TakeFive pic.twitter.com/NiIwUw5AfW

— Lloyds Bank (@AskLloydsBank) May 30, 2017
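The two approaches above, a generated random password and a memorable random-words passphrase, both depend on the randomness actually being random. The following is an added example, not the generator the author uses, built on Python’s secrets module (the operating system’s cryptographic random source) rather than the ordinary random module. It honours the character-class list from Choosing a Strong Password and drops the letter-o/zero and l/I/1 lookalikes the post warns about. The word list is a tiny constructed sample; for real use substitute a published list of several thousand words.

```python
"""Generate passwords and passphrases with the operating system's CSPRNG.
Added example, not the generator the author uses; the word list is a tiny
constructed sample and should be replaced by a large published list for real use."""
import math
import secrets
import string

# Characters the post warns are easily confused when written down by hand.
AMBIGUOUS = set("O0Il1|")

CLASSES = {
    "upper": [c for c in string.ascii_uppercase if c not in AMBIGUOUS],
    "lower": [c for c in string.ascii_lowercase if c not in AMBIGUOUS],
    "digit": [c for c in string.digits if c not in AMBIGUOUS],
    "symbol": [c for c in string.punctuation if c not in AMBIGUOUS],
}

# Constructed sample vocabulary; a real list needs thousands of entries.
SAMPLE_WORDS = ["acorn", "bridge", "cactus", "dolphin", "ember", "falcon",
                "glacier", "harbour", "island", "jigsaw", "kettle", "lantern",
                "meadow", "nettle", "orchid", "pepper"]


def generate_password(length=20):
    """Random password containing at least one character from every class.
    secrets (not random) is used so the output is unpredictable."""
    if length < len(CLASSES):
        raise ValueError("too short to include every character class")
    chars = [secrets.choice(pool) for pool in CLASSES.values()]
    everything = [c for pool in CLASSES.values() for c in pool]
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # so the guaranteed classes aren't always first
    return "".join(chars)


def has_every_class(password):
    """True if the password contains at least one character from each class."""
    return all(any(c in pool for c in password) for pool in CLASSES.values())


def generate_passphrase(words=3, vocabulary=SAMPLE_WORDS):
    """Three (or more) random words, the memorable alternative discussed above."""
    return " ".join(secrets.choice(vocabulary) for _ in range(words))


def bits_of_strength(choices, picks):
    """Bits of strength for `picks` uniform selections from `choices` options."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    pool_size = sum(len(pool) for pool in CLASSES.values())
    print(generate_password(20), f"~{bits_of_strength(pool_size, 20):.0f} bits")
    print(generate_passphrase(3), f"~{bits_of_strength(len(SAMPLE_WORDS), 3):.0f} bits "
          "(tiny sample list; a 7,776-word list gives "
          f"{bits_of_strength(7776, 3):.0f} bits for three words)")
```

The strength figure makes the trade-off visible: three words from a 7,776-word list give about 39 bits, four words about 52, while twenty characters from the full printable set give over 130. Either is fine for a rate-limited login; for anything that could be cracked offline, prefer the longer option.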

Send Passwords Safely

I’ve worked with clients who have sent me passwords and usernames together as plain text in an email message. Unless the credentials are about to be changed, this is not good.

A much better way of exchanging login credentials would be to talk over the phone, but if the details are too complicated to read out and write down, send the username and password separately via different media, without mentioning what they’re for.

For example, have someone send the username by email and the password by WhatsApp. You will be expecting it so you’ll know what it’s for. Apparently, the CIA call this approach to data retention “compartmentalisation.”

Better still, try QuickForget by Automattic. Paste a password into the form and set it to be forgotten after so many views or so many hours, then share the unique link that is generated with the person who needs the password. Remember that the link is now the secret: send it by a different channel from the username, and ask the recipient to confirm they opened it, because if the secret has already been viewed when they get there, someone else read it first.

Password quick forget service
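For readers who want to see what a service like that does behind the form, the following is an added example of how a one-time secret link can be built so that the server never sees the password. It is not QuickForget’s own code, and the https://secrets.example/ address is a placeholder. The design assumed here keeps the decryption key in the URL fragment (the part after #), which browsers do not send to the server, so the server holds only ciphertext plus a view count and an expiry.

```python
"""A QuickForget-style one-time secret link, as an added example of how such a
service can be built so that the server never sees the password.  Not
QuickForget's own code; the https://secrets.example/ URL is a placeholder."""
import secrets
import time

BASE_URL = "https://secrets.example/s/"   # hypothetical service address


class OneTimeSecretStore:
    """Server side.  Holds only ciphertext, a view budget and an expiry."""

    def __init__(self, now=time.time):
        self._items = {}
        self._now = now            # injectable clock so expiry can be tested

    def store(self, ciphertext, max_views=1, ttl_seconds=3600):
        token = secrets.token_urlsafe(16)
        self._items[token] = {"ct": ciphertext, "views": max_views,
                              "expires": self._now() + ttl_seconds}
        return token

    def fetch(self, token):
        """Return the ciphertext and burn one view; None if unknown, spent or expired."""
        item = self._items.get(token)
        if item is None:
            return None
        if self._now() > item["expires"]:
            del self._items[token]
            return None
        item["views"] -= 1
        if item["views"] <= 0:
            del self._items[token]
        return item["ct"]


def create_link(store, secret, **kwargs):
    """Client side for the sender.  A fresh random key as long as the secret is
    XORed with it (a one-time pad, secure precisely because the key is never
    reused) and the key travels in the URL fragment, which browsers do not send
    to the server."""
    data = secret.encode()
    key = secrets.token_bytes(len(data))
    ciphertext = bytes(a ^ b for a, b in zip(data, key))
    token = store.store(ciphertext, **kwargs)
    return f"{BASE_URL}{token}#{key.hex()}"


def open_link(store, link):
    """Client side for the recipient: fetch by token, decrypt with the fragment."""
    path, _, key_hex = link.partition("#")
    token = path.rsplit("/", 1)[1]
    ciphertext = store.fetch(token)
    if ciphertext is None:
        return None
    key = bytes.fromhex(key_hex)
    return bytes(a ^ b for a, b in zip(ciphertext, key)).decode()


if __name__ == "__main__":
    store = OneTimeSecretStore()
    link = create_link(store, "P@ssw0rd-sample", max_views=1, ttl_seconds=600)
    print("send this:", link)
    print("first open:", open_link(store, link))
    print("second open:", open_link(store, link))   # None: already burned
```

Two properties matter. A stolen copy of the server’s database reveals nothing but the length of each secret, and a second open of the same link fails, which is what lets the recipient tell that nobody got there first.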

Unfortunately, several companies, including PlayStation, Yahoo and Credit Karma, have been known to store and send passwords in plain text. Any service that can email you your existing password, rather than a reset link, is storing it in a form it can read back instead of as a salted hash, so a breach there exposes the password itself.

Personal data in emails can be intercepted very easily: a message is typically relayed through several servers and then sits in the sender’s sent folder, the recipient’s inbox and every backup of both. Have a look at the website Plain Text Offenders.

Store Passwords Safely

You need to guarantee the physical security of written or recorded passwords. Online password managers are available as freemium services, but using one depends on how much you trust the provider not to get hacked. LastPass was hacked, although the user data was not compromised: a well-designed manager encrypts your vault on your own device with a key derived from your master password, so what a breach of the service exposes is encrypted blobs, which is also why the master password has to be strong and unique.

A frequently backed up and carefully guarded password-protected Word document on a USB drive is an option, provided it is a modern .docx saved with “Encrypt with Password” (which really encrypts the file) rather than the old .doc format, whose protection is weak. Even then, a dedicated password manager or an encrypted container is a better home for it. A locked drawer or safe helps.

I’ve put together an MS Word document to store website credentials. It’s convenient but poses a risk; all the details are lumped together.

Disposing of Data

If you need to dispose of passwords printed or written on paper, use a decent shredder. The importance of destroying data correctly cannot be emphasised enough.

Don’t overlook the digital storage methods either. Disk data can be easily recovered after deleting it, and I know because I’ve recovered long lost files from over 10 years ago!

It took some time but to my surprise, usernames and passwords were pulled from what was supposed to be a newly reformatted drive using data recovery software purchased online.

The Dark Web is Coming for You

You’ve heard of the dark web – the anonymous, unregulated underbelly of the internet – the place where anyone from arms dealers to perverts communicate in secrecy and fulfill their agenda away from the glare of mainstream cyberspace. 

Here, hackers peddle their attack software and share information with one another on attack techniques. You can buy everything there from a base-level attack to a much more advanced version.

You often see these hacking products marketed as bronze, silver and gold levels of services, making data attacks routine, efficient and professional. 

Are you taking the issue as seriously as the bad guys are? 

As Caleb Barlow says in his TED Talk, we should be on a war footing. Improve your passwords, develop safer habits and review how and where your data is stored.



Comments

  1. Victor says

    October 12, 2017 at 6:47 am

    I typically suggest to my users that they create their own algorithm to end up with a unique password for each website. I have also started to encourage the use of password managers such as 1-Password. What do you think of these practices?


