Week 11: Recycling is good, but not when it comes to passwords

19.03.2024 - Strong and complex passwords are key when it comes to protecting access to internet services. However, complex passwords have the disadvantage that they are difficult to remember, which tempts many users to either reuse the same password for multiple accounts or create straightforward passwords. This in turn significantly reduces the level of security. It is therefore worth considering using a password manager. However, as an example reported to the NCSC this week shows, that can also have its pitfalls.

Resetting passwords via email or reusing the same password

Last week, a case was reported to the NCSC in which a leaked password was used multiple times for different service accounts. Not only was the password hijacked and used to facilitate a fake sextortion email, but various social media accounts were also taken over. The perpetrator was also able to access an online shop and send malware to all the contacts stored in the victim's email account.

In cases such as this, the attackers are likely to have had access to the email account and then used the password reset function to try to take over various other accounts. The NCSC has already published a report on this topic:

However, as the attacks described above are likely to have involved different groups of offenders, the NCSC assumes a different set of circumstances were involved. In this case, the password was probably part of a data breach some time ago and offered on the relevant forums. That assumption was confirmed after checking the email address on Have I Been Pwned. This service can be used to check whether someone's credentials - email address and password - have been part of a data breach. In this particular case, the password appeared in 2020 in a breached database that was offered on various hacker forums. It must therefore be assumed that the credentuials were known to various groups of perpetrators and subsequently misused for their own ends.

Report on Have I been pwned that the password appeared in a data collection in hacker forums in November 2020.
Report on Have I been pwned that the password appeared in a data collection in hacker forums in November 2020.

But how is it possible for various accounts to be compromised using the stolen password? The answer is simple: In this case, the victim reused the same password for multipole accounts. Independently of each other, the perpetrators used the password to access different accounts almost simultaneously. The case shows just how important it is to use a different password for each online account.

Avoid using straightforward passwords

However, that's not the end of the story. Make sure you avoid using straightforward passwords. If you use a password like ‘ThisissuperPassword!01’, for example, then it is quite likely that you might at a later date then be tempted to use ‘ThisissuperPassword!02’. By trying out different combinations, the chances are that potential attackers will still manage to take over the account.

Using a password manager

This is where a password manager can help. A password manager is a tool that helps you to create and store secure passwords. It generates and stores complex passwords and fills them in automatically when you log in to websites and apps. You don't have to think up a complicated password when creating an account, nor do you have to remember the password for the future.

However, even here there is one important point to bear in mind. A password manager is protected by a master password. So, if that password falls into the wrong hands, the intended gain in terms of security is lost. And if that should happen, the attacker would not only have access to all of your passwords, they would also know exactly which account they belong to. Just such a case was reported the NCSC last week. A malware gained access to the victim's computer, which also contained a password manager file. As the file was only protected by an easy-to-guess password, it was only a matter of time before the attackers got their hands on the passwords. As a precautionary measure, the victim then had to change the passwords for all of their accounts. Fortunately, in this case the victim noticed the attack in time and was able to act promptly. If a malware infection and the resulting data siphoning remain undetected, the consequences can be extremely serious. It is therefore essential that you have a strong master password.

Precautionary measures

  • Use a password with at least 12 characters, consisting of upper and lower case letters, numbers and, if possible, special characters.
  • Don't use the same password more than once.
  • Use two-factor authentication (2FA). This adds an extra security step on top of your password, such as a numerical code that is generated and displayed in an authenticator app. Don't worry: 2FA is easy to use: you only have to set it up once, and usually you don't even have to enter the code each time – only if you log in on an unknown device. The second factor makes it much harder for someone to hack your account.
  • You should only ever enter your email password in a webmail account (check the URL) or an email program on your PC and/or mobile phone. Never enter your password on a website you opened via a link in an email.
  • If possible, use different email addresses for different purposes.

Last modification 19.03.2024

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2024/wochenrueckblick_11.html