HOW PASSWORDS ARE CRACKED
There are a few ways that hackers can gain access to your online services – some cleverer than others – but the main ones we’ll focus on here are:
- Data breaches
- Reused passwords
- Brute force attacks
A data breach is where a hacker has hacked the actual business and gained access to your data that way. For example, in 2013 Adobe was hacked and the details of an estimated 153 million user records were obtained by the hackers.
Reused passwords is self explanatory – you use the same password to login to everything. This means that should a hacker gain access to one password, they have access to all of your accounts. Take the Adobe hack above, if you had an Adobe account and reused the same password on your Office 365 account – then hackers have easy access to your emails.
A brute force attack is where a hacker uses their computer to guess over and over your password. Computers do things much faster than we do, and a hacker can make thousands of guesses per second.
The picture to the right highlights exactly how easy it is for a hacker to guess your password using a brute force attack. If your password is 4 numbers long, that means there are ten thousand possible combinations – which in computer terms is practically nothing.
By comparison, a 10 digit password containing letters, numbers, and symbols has around 170 quintillion possible combinations – making it much harder to crack.
It therefore goes without saying that if you have long passwords that contain numbers, letters, and symbols, AND you use a different password for every service – you will protect yourself as much as possible.
However, the obvious problem is how do you remember all of these passwords…
One option is to use a password manager. This single login contains all of your passwords and you only need to remember this one password. You can therefore make all of the other passwords 18 characters of completely random jibberish (and therefore practically unhackable).
The downside is that you have a single exposure site – if a hacker gets access to this master password, they have access to all of them. You can combat this by using a long “passphrase”, and setting up two-factor-authentication.
A passphrase is a phrase you will easily remember, but appears random to a computer. U2c@nLoveMCA@ccountants is relatively easy to remember, and will be almost as difficult for a computer to crack as kd*7juyd*3KG8(3e2#24*.
The more complicated you make the passphrase, the harder it is to crack.
TWO FACTOR AUTHENTICATION
“2FA” as it’s commonly referred to means using your phone or other method of providing a second password or code. Even if a hacker did guess your master password, without this additional code they can’t access your data. 2FA isn’t perfect, and there are some pretty sophisticated scams out there designed to gain access to your 2FA code – but it is an extra layer of security that is vital in this day and age.
HAVE MY DETAILS BEEN HACKED?
When your password has been hacked, it is often sold on the dark web (after all, people who hack are in it for the money), and there are thankfully some good people on the dark web that compile lists of known hacks that anyone can view (with passwords hidden of course).
If you head to https://haveibeenpwned.com/ you can type in your email address to see if your email address (and password) have been compromised at any stage. If your email shows up, then it means hackers around the world know your password, and means you need to change it. Remember that if you use your password on more than one site, then you need to change ALL of them to remain safe.
SECURITY AT MCA ACCOUNTANTS
We take the obligation to keep our clients data safe and secure very seriously. We use a sophisticated password manager with 2FA plus random passwords implemented for all logins. Staff members cannot see their individual login passwords (they can only access sites via the password manager), and after 4 incorrect login attempts to the password manager their login is blocked.
We also abide by all recommendations and never email your tax returns and other sensitive information. Emails are not sent “securely” (in computer terms) and can be intercepted relatively easily. In addition, there are many instances email accounts of our clients being hacked and if we had emailed tax returns, then the hacker could use that info to commit identity theft.
It is for this reason that we use our client portal as the sole means to access your tax returns digitally. We know it’s another login that you need to maintain, but any person that has had their identity compromised will tell you it’s a small price to pay to keep it safe.