Cybercrime & Passwords
Cybercrime poses a significant threat in the UK, and weak or compromised passwords are a major gateway for cybercriminals. The National Cyber Security Centre (NCSC) emphasises that using strong, unique passwords and enabling two-step verification are crucial steps to protect online accounts.
The Link Between Passwords and Cybercrime
Cybercriminals employ various techniques to obtain passwords, which they then use for malicious purposes.
Methods of Obtaining Passwords:
- Phishing: Deceptive emails, messages, or websites trick users into revealing their login credentials.
- Malware: Malicious software like keyloggers can record keystrokes, capturing usernames and passwords.
- Brute-Force Attacks: Automated tools try numerous password combinations until the correct one is guessed. This is especially effective against weak passwords.
- Credential Stuffing: Attackers try username/password pairs stolen in earlier data breaches on other websites, hoping users have reused passwords.
- Social Engineering: Manipulating individuals into divulging their passwords or other sensitive information.
- Data Breaches: When websites or services are hacked, stored passwords can be compromised.
- Man-in-the-Middle Attacks: Intercepting communication between a user and a service to steal login credentials.
- Buying Stolen Credentials: Cybercriminals purchase lists of compromised accounts on the dark web.
How Stolen Passwords are Used
Once cybercriminals have obtained passwords, they can use them to:
- Access sensitive accounts: This includes email, social media, banking, and other online services.
- Commit financial fraud: Making unauthorised purchases, transferring funds, or opening new accounts.
- Steal personal information: Obtaining data for identity theft or selling it on the dark web.
- Spread malware: Using compromised accounts to send malicious links or attachments.
- Launch further attacks: Using access to one account to compromise others.
- Account Takeover: Locking the legitimate user out of their account and taking control.
- Data Theft: Accessing and stealing sensitive personal or corporate data.
- Install Ransomware: Encrypting data and demanding a ransom for its release.
- Disrupt services: In some cases, compromised accounts can be used to launch denial-of-service attacks.
Password Security Best Practices:
Creating and maintaining strong, unique passwords is essential for protecting yourself from cybercrime. Here are key best practices:
- Create Strong Passwords:
  - Length: Aim for at least 12-16 characters. Longer passwords are significantly harder to crack.
  - Complexity: Use a combination of uppercase and lowercase letters, numbers, and symbols.
  - Avoid Personal Information: Do not use names, birthdays, pet names, addresses, or other easily guessable information.
  - Avoid Common Words and Patterns: Stay away from dictionary words, common phrases, and simple sequences like "12345" or "qwerty." Consider using a memorable phrase or sentence.
  - Uniqueness: Use a different, strong password for each of your online accounts. If one account is compromised, others will remain secure.
- Use a Password Manager: These tools securely generate and store complex passwords, so you only need to remember one strong master password. They can also automatically fill in login details.
- Enable Multi-Factor Authentication (MFA): Whenever available, enable MFA. This adds an extra layer of security by requiring a second verification method (e.g., a code sent to your phone or a biometric scan) in addition to your password.
- Keep Passwords Secure:
  - Don't Share Passwords: Never tell anyone your passwords, even friends, family, or IT support (they should have other ways to access accounts if needed).
  - Be Cautious of Phishing: Never enter your password on websites accessed through suspicious links in emails or messages. Always go directly to the official website.
  - Don't Write Passwords Down Insecurely: Avoid writing passwords on sticky notes or keeping them near your computer. If you must write them down, store them securely. Consider writing down hints instead of the actual password.
- Update Passwords Regularly: While not always strictly necessary if you have strong, unique passwords, changing passwords periodically, especially for critical accounts, can add an extra layer of security. Change passwords immediately if you suspect an account has been compromised.
- Check for Compromised Passwords: Use online tools like "Have I Been Pwned?" to check if your email address or passwords have been involved in any known data breaches. If so, change your passwords immediately on all affected accounts, especially if you reused the compromised password elsewhere.
- Be Wary of Public Wi-Fi: Avoid entering sensitive information, including passwords, on unsecured public Wi-Fi networks. Consider using a Virtual Private Network (VPN).
- Secure Your Devices: Use strong passwords or passcodes to protect your computers, smartphones, and tablets. Keep your software and antivirus protection up to date.
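The breach check described under "Check for Compromised Passwords" can be done without revealing the password to the checking service. The Python sketch below is an added example, not part of the original page: it models the hash-prefix (k-anonymity) range lookup that Pwned Passwords uses, with `fake_range_lookup` and the `SAMPLE_BREACHED` data as constructed offline stand-ins for the real service.

```python
import hashlib

# Constructed sample corpus standing in for a breach dataset (not real data).
SAMPLE_BREACHED = {"qwerty": 120, "12345": 250, "Summer2024!": 3}


def sha1_hex(password: str) -> str:
    # SHA-1 is used here only as the lookup key format, not to protect anything.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for the service side (assumption): given a 5-character
    hash prefix, return 'SUFFIX:COUNT' lines for every hash sharing it."""
    lines = []
    for pw, count in SAMPLE_BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """Return how often the password appears in the dataset (0 = not found).
    Only the first 5 hex characters of the digest are handed to `lookup`;
    the password and the full hash never leave this function."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def audit(passwords: dict) -> dict:
    """Map each account name to the breach count of its password."""
    return {account: breach_count(pw) for account, pw in passwords.items()}


if __name__ == "__main__":
    # Constructed account list for illustration.
    accounts = {"email": "qwerty", "bank": "correct horse battery staple 41"}
    for account, hits in audit(accounts).items():
        status = "change this password" if hits else "not found in sample"
        print(f"{account}: {status} ({hits})")
```

A real client would replace `fake_range_lookup` with an HTTPS request that sends only the five-character prefix; the matching against returned suffixes stays on the user's machine.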
By understanding the risks and implementing these password security best practices, individuals in the UK can significantly reduce their vulnerability to cybercrime.