
I know your passwords: risks and helpful precautions

Cover Photo by Matthew Henry on Unsplash

Would you hand over your house keys or the diary where you've written down your ATM PIN to a stranger for safekeeping?

I bet anyone would respond with a resounding "No!"

Yet the same people will happily keep a text file full of passwords on their PC and then copy it to one of the many online services (Drive, Dropbox, OneDrive, etc.).

Is there a difference between the two actions?

Today, we're discussing exactly that: the perception of risk.

Let's start with an example: how long do you think it takes to break a padlock? Think about it for a moment and settle on an answer before watching the video.

From now on, you'll view gym lockers in a different light :-)

Here lies the problem: a false sense of security is what exposes us to most risks.

The same situation arises in the digital realm. No one perceives any danger, with most objections being "But I have antivirus / But there's a firewall / Who would be interested in my data, anyway?"

In this article, we'll attempt to answer these questions:

  • Who would be interested in my data?
  • What are my data worth?
  • What risks are associated with their loss?
  • How can one protect against these risks without becoming paranoid?

Who would be interested in my data?

Your data, because it's yours, probably interests no one, unless you have an enemy targeting you specifically.

However, your data as part of a large aggregate is certainly appealing to spammers, to send you advertisements, phishing attempts, or simply to resell user lists.

Another, far more dangerous purpose is identity theft: committing crimes in your name, so that the blame lands on you.

A further aim is related: using you as a stepping stone towards other targets, or towards corporate data. For instance, an attacker could infect your PC and use it to launch attacks on others; any subsequent police investigation would lead back to you rather than to the real perpetrator, leaving you to prove your innocence.

What are my data worth?

Those who commit these types of crimes obviously do so for financial gain.

The value can be derived from various sources:

  • Reselling lists to spammers
  • Theft/ransom of your data (ransomware/cryptolocker)
  • Direct theft of money (charges on the account, credit card theft)
  • Theft from third parties using your data or your internet connection as a conduit.

What risks are incurred with their loss?

This is the most delicate point on which it's important to insist so that everyone is educated about the real risks involved.

The risks: the "cloud's" reliability

Let's start with a sore point, accompanied by a famous joke:

"THERE IS NO CLOUD, IT’S JUST SOMEONE ELSE’S COMPUTER"

Image from https://9gag.com/gag/aNYbY66

What you see above is a rare snapshot of what "the cloud" truly is... merely a server (or multiple servers, it hardly matters) managed by others where you entrust your data.

However loudly a provider boasts about its security measures, remember that unless it explicitly says otherwise, the keys that encrypt your data are in its possession.

What does this mean in practice? That its system administrators can always read the data, and that the data can be lost, or stolen by third parties, through a server compromise or a human error.

The first objection to this type of risk is that the providers are giants who spend millions of dollars on security, making the data more than safe.

Well, below is a ranking of five of the largest "data leaks", massive losses of data or accounts suffered by these supposedly secure providers:

  1. Equifax (143 million accounts + 209,000 credit card numbers), 2017

  2. eBay (145 million accounts), 2014

  3. Adult Friend Finder (412 million accounts), 2016

  4. Marriott International (500 million accounts), intrusion from 2014, discovered and disclosed in 2018

  5. Yahoo (3,000,000,000, THREE BILLION, accounts), breached in 2013, disclosed in 2016 and revised up to the full figure in 2017

The source is CSO Online; these are the most striking cases, not necessarily the most recent. Nor are they the only ones: Dropbox, MySpace, LinkedIn, Spotify, Tumblr and many others have had breaches of their own (again, a few years back).

The risks: password

Passwords are like house keys. They must be handled carefully and never left unguarded. Above all, never use the same password on two different sites: if the password of one site is stolen, every site where you reused it is compromised too, because attackers automatically try leaked username/password pairs against other services (a technique known as credential stuffing).

Dropbox lost around 68 million account credentials (breach in 2012, dump surfaced in 2016) because an employee had reused their work password on LinkedIn: with the credentials from the LinkedIn leak, the attackers got into Dropbox's systems. All down to the carelessness of a single employee. (source: LastPass blog)

In what ways can a password be stolen?

  • Database theft (site hacks)
  • Theft of files on one's PC with passwords saved in clear text
  • Phishing / Social engineering
  • Network traffic interception (man in the middle)

We have already talked about database theft in the context of the famous data leaks. What gets stolen may be properly protected passwords, that is, salted hashes computed with a deliberately slow function (bcrypt, scrypt, Argon2, PBKDF2), which cannot be reversed and can only be attacked one guess at a time; or it may be passwords stored in clear text, or with a single fast unsalted hash such as MD5 or SHA-1, which is barely better. Until a few years ago proper hashing was far from universal, and even today there is no guarantee that a given site does it, best practice or not.
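To make the difference concrete, here is an added example (not code from the original post) of how a site should store passwords, next to the fast unsalted hash many breached sites actually used, and of the offline attack a thief runs on the leaked column. The wordlist is a constructed five-entry sample; the iteration counts are assumptions to be tuned per deployment.

```python
"""Password storage: salted slow hashing versus plaintext or fast unsalted hashing.
Added illustration; not code from the original post."""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumption: tune it so that one check
# costs a few hundred milliseconds on the server that will run it.
PBKDF2_ITERATIONS = 600_000


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return the record a site should keep: algorithm$iterations$salt$hash.

    A fresh random salt means two users with the same password get different
    records, and precomputed (rainbow) tables are useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_md5(password: str) -> str:
    """How many breached sites actually stored passwords: one fast hash, no salt.
    Equal passwords give equal hashes, and a GPU tries billions of guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_with_wordlist(leaked_value, wordlist, check):
    """Offline attack on a leaked column: push each candidate through `check`.

    It works against any storage scheme; salting and a slow KDF only make each
    guess cost more, which is why a weak password falls regardless.
    """
    for candidate in wordlist:
        if check(candidate, leaked_value):
            return candidate
    return None


# Constructed sample wordlist, standing in for the millions of entries an attacker has.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2019!"]


def demo(iterations: int = 10_000):
    """Crack the same weak password under both schemes; a strong one survives.
    Iterations are lowered here only so that the demo runs in a moment."""
    cracked_md5 = crack_with_wordlist(
        unsalted_md5("letmein"), WORDLIST, lambda guess, h: unsalted_md5(guess) == h
    )
    cracked_pbkdf2 = crack_with_wordlist(
        store_password("letmein", iterations), WORDLIST, verify_password
    )
    survived = crack_with_wordlist(
        store_password("The-surf-flies-under-the-cow-2", iterations), WORDLIST, verify_password
    )
    return cracked_md5, cracked_pbkdf2, survived


if __name__ == "__main__":
    print(demo())  # ('letmein', 'letmein', None)
```

The point of the demo is the third result: the slow, salted scheme does not save a password that sits in every attacker's wordlist, it only buys time; what saves you is a password that is not in any list.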

The theft of passwords from one's own PC is another aspect not to be underestimated. Once an attacker has access to the PC (physically, or through a backdoor or a phishing payload), a file named password.txt sitting in the Documents folder is a gift to them.

In recent years, with the emergence of Bitcoin, targeted attacks have been developed to penetrate PCs in search of "wallets", encrypted wallets containing cryptocurrencies. With the skyrocketing value of Bitcoin, this activity has become very appealing as computers have transformed from small piggy banks to containers of vast amounts of money. The web is filled with sensational stories of people who have lost hundreds of thousands of dollars due to intrusions into their PCs and the consequent theft of the wallet, along with the relevant passwords.


AND EMILI specializes in development and strategic consulting for digital channels.

Discover Digital Product Design services


The risks: physical access to the PC

In a work environment that's not entirely secure (imagine a large office with numerous employees and external collaborators), it's always prudent to lock your PC when stepping away from your desk, even for just a few seconds.

There are USB devices (so-called BadUSB or "rubber ducky" sticks) that present themselves to the PC as a keyboard and type a pre-scripted sequence of commands in a few seconds: stealing saved passwords, planting a backdoor for remote spying, or installing malware.

A notorious case is Stuxnet, the malware (widely attributed to the USA and Israel) that sabotaged uranium-enrichment centrifuges at Iran's Natanz plant; it is believed to have reached the isolated network via infected USB sticks. The full story can be found in this article.

The risks: phishing and social engineering

Phishing is the most critical aspect in recent times. Antivirus on mail servers has become efficient enough to block malicious attachments, so the focus has shifted to deceptive emails that look ever more plausible and push users to click, often on a link disguised by a URL shortener, landing on a site identical to the legitimate one. Entering your username and password there simply hands them to the attacker. Two-factor authentication is currently one of the most effective mitigations, with one caveat: a phishing page can relay a one-time code to the real site in real time, so only phishing-resistant factors such as FIDO2/WebAuthn security keys, which refuse to answer for any domain other than the one they were registered on, close that gap entirely.

Two-factor authentication turns your smartphone into your keychain, and therefore into a critical point of vulnerability.

Twitter CEO Jack Dorsey's own Twitter account was hijacked in August 2019 (!) despite two-factor authentication. The attackers deceived the phone provider into performing a "SIM swap", activating a new SIM on Dorsey's phone number. Owning the phone number means receiving the verification SMS for every account, running password recoveries, and much more. You can read all the details of the story in The New York Times. The lesson: SMS is the weakest second factor; an authenticator app or a hardware key is unaffected by a SIM swap.

Social engineering targets the vulnerability of the person, the emotional sphere that leads to mistakes and allows deception.

Through social engineering it is possible to extract information or carry out outright scams:

  • The thief who knocks on the old lady's door, posing as a gas technician
  • The call from a salesperson pretending to be the gas supplier and asking for the meter number (and then you find a new contract in your name)
  • Calls that induce you to reveal personal data (which, added to other information, can construct a complete profile of you) or directly passwords

In this video, we see a perhaps somewhat extreme example but it illustrates how effective it can be.

 

Those interested in the topic can also watch "The Dark Arts of Social Engineering," which delves into more detail and demonstrates various techniques.

 

The risks: network traffic interception

Anything that travels across a network can be intercepted by whoever controls a hop along the way, so it is crucial that all data travel encrypted. Only in recent years has encryption of nearly all protocols (web, email, FTP) become widespread.

It's also possible to glean personal information from merely observing page navigation or from metadata extracted from network traffic (whom I'm contacting and when, even if I can't see the content of the communications).

How can one fall victim to interception?


The technique is called "man in the middle": as the name suggests, the attacker positions themselves between the user and the other end of the communication, relaying (and reading, or altering) everything that passes through.

Image: communication diagram with the attacker between the two endpoints

The simplest means is via Wi-Fi, with various modes of interception. One of these is explained in the video found below.

 

With simple tools accessible to almost everyone, it's possible to intercept all traffic and know whom I've contacted and where I've navigated.

Image from Pineapple e-commerce website

If the data travel in clear text (an email client configured for POP3, IMAP or SMTP without TLS, plain FTP, or HTTP instead of HTTPS), passwords can be read straight out of the traffic, as in the example video below.

 

Traffic on wired networks can be intercepted too, but it is harder: it means either plugging a small device directly into the network being tapped (for example in an office's server room) or, for an attacker who already has a foothold on the same LAN segment, redirecting traffic towards themselves with techniques such as ARP spoofing.
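As an added example (not part of the original post), here is what an interception tool recovers from the kinds of traffic just described. The captured segments are constructed, not a real capture; the script reassembles them per destination port and extracts FTP and POP3 `USER`/`PASS` commands and an HTTP Basic `Authorization` header, while the TLS segment yields nothing. The Base64 step is the detail worth noticing: HTTP Basic auth only encodes the password, it does not encrypt it.

```python
"""Pull credentials out of sniffed cleartext protocols.
Added illustration; not code from the original post."""
import base64
import re

# Constructed sample of what a sniffer on an open Wi-Fi sees when a client uses
# unencrypted protocols. Each entry: (destination port, TCP payload as text).
CAPTURED_SEGMENTS = [
    (21, "USER alice\r\n"),
    (21, "PASS hunter2\r\n"),
    (110, "USER bob@example.test\r\n"),
    (110, "PASS Summer2019!\r\n"),
    (80, "GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
         "Authorization: Basic Y2Fyb2w6UEBzc3cwcmQ=\r\n\r\n"),
    # A TLS ClientHello: opaque bytes, nothing for the patterns below to match.
    (443, "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03..."),
]

PORT_TO_PROTOCOL = {21: "ftp", 110: "pop3", 80: "http-basic"}

USER_RE = re.compile(r"^USER (\S+)\r?$", re.MULTILINE)
PASS_RE = re.compile(r"^PASS (\S+)\r?$", re.MULTILINE)
BASIC_RE = re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.MULTILINE)


def reassemble_streams(segments):
    """Concatenate payloads per destination port, in capture order."""
    streams = {}
    for port, payload in segments:
        streams[port] = streams.get(port, "") + payload
    return streams


def extract_credentials(segments):
    """Return a list of (protocol, username, password) found in cleartext traffic."""
    found = []
    for port, text in reassemble_streams(segments).items():
        protocol = PORT_TO_PROTOCOL.get(port)
        if protocol in ("ftp", "pop3"):
            # Both protocols send the login as two plain commands, one per line.
            for user, password in zip(USER_RE.findall(text), PASS_RE.findall(text)):
                found.append((protocol, user, password))
        elif protocol == "http-basic":
            for token in BASIC_RE.findall(text):
                # Base64 is an encoding, not encryption: anyone can reverse it.
                user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
                found.append((protocol, user, password))
        # Any other port (443 here) is TLS or unknown: no credentials recoverable.
    return found


if __name__ == "__main__":
    for protocol, user, password in extract_credentials(CAPTURED_SEGMENTS):
        print(f"{protocol:10s} {user} / {password}")
```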

Image from Pineapple e-commerce website

The risks: doxxing and stalking

Doxxing and online stalking are attacks targeted at a single individual. If someone targets you and wants to harm you, they can collect all the data you scatter online, through social media, from which much more information can be obtained than one might think. This is discussed in detail in this article.

The risks: identity theft and financial fraud

Identity theft is one of the most serious crimes one can fall victim to. Whoever takes over your data, for example your email inbox (from which the passwords of your social accounts can be reset) or a copy of your identity documents, can cause serious harm, for example:

  • Direct fraud (emptying your bank account, making purchases in your name)
  • Defrauding others while the blame falls on you
  • Making you say things (on social media) that you never said (defaming others)
  • Using you as a spammer (phishing sent to your contacts, who trust the message because your name is the sender)

Financial scams are on the rise, with 27,000 cases occurring in 2018 alone. (source Il Messaggero)

How can one protect themselves from these risks without becoming paranoid?

The first rule is to be vigilant and protect your passwords from the theft risks described so far:

  • Be aware of phishing (both phone and email). Never, under any circumstances, provide passwords over the phone to strangers.
  • Avoid connecting to public Wi-Fi. Nowadays, phone plans offer so much data that there's no longer a need to seek free browsing through Wi-Fi.
  • Disable automatic connections to open and unprotected Wi-Fi networks.
  • Be cautious of “shoulder surfing,” i.e., someone beside you peeking as you type (especially in public places).
  • Never, ever, EVER use the same password on two different sites. It’s been said before, but it cannot be overstated.
  • Choose a strong password (we’ll look at this shortly).
  • Do not save lists of passwords on your PC without encryption. Use a password manager.

Second rule: choose a strong password.

Did you know that, assuming an attacker trying about ten billion guesses per second (realistic for a single GPU against a fast unsalted hash) and an alphabet of 95 printable characters, an 8-character password can be exhausted by brute force in a few hundred hours, while just two extra characters turn it into one that would take a couple of hundred years? Length is the cheapest security you can buy.

The problem with passwords is that they need to be of a minimum length to be effective, must contain uppercase, lowercase, numbers, and symbols to broaden the alphabet, and must always be different from each other. But the main difficulty is due to the fact that we have too many, so we write them down (insecurely) somewhere or use predictable schemes to generate them (even if they are not identical, they are very similar and follow a very simple rule for generation).

There are various methods to make them safer and more mnemonic, for example, using phrases.

“The-surf-flies-under-the-cow-2” is a nonsensical phrase that nevertheless brings a smile and evokes a funny image.

This helps in part, because such a phrase is easier to remember than a jumble of uppercase, lowercase, digits and symbols, and its length puts it far beyond brute force.

However, the problem of the number of passwords to remember remains. Recalling which phrase was used for which site becomes complex when managing too many accounts.

Ultimately, the safest method by far is to rely on a password manager.

  • You only need to remember one password, the one to unlock the archive, so you can make it very complex.
  • All the passwords you will use will be automatically generated by the software, so they will be totally random, very long, and very complex, as you will never need to remember them.
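The arithmetic behind the figures above, and the kind of generator a password manager uses, as an added example (not code from the original post). The guess rates are assumed order-of-magnitude figures for one modern GPU, and the 10,000-word dictionary used for the passphrase estimate is an assumption too; the passphrase function exists because an attacker who knows you used dictionary words guesses words, not characters, so counting characters would overstate the strength.

```python
"""Brute-force time, entropy and random generation for passwords.
Added illustration; not code from the original post."""
import math
import secrets
import string

# The 95 printable ASCII characters: letters, digits, punctuation and space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Assumed attacker speeds (order of magnitude for a single modern GPU).
GUESS_RATES = {
    "fast unsalted hash (MD5/SHA-1)": 1e10,
    "slow KDF (bcrypt cost 12)": 1e5,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of this shape."""
    return length * math.log2(alphabet_size)


def time_to_exhaust_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string; the expected time is half of this."""
    return search_space(alphabet_size, length) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def passphrase_bits(word_count: int, dictionary_size: int, extra_bits: float = 0.0) -> float:
    """Entropy of a passphrase when the attacker knows it is built from dictionary words
    (plus any genuinely random extra, such as a trailing digit: log2(10) bits)."""
    return word_count * math.log2(dictionary_size) + extra_bits


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """What a password manager does: uniform choice from a CSPRNG, no human pattern."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report() -> dict:
    """Exhaustion time for random printable passwords of 8, 10 and 20 characters."""
    rows = {}
    for label, rate in GUESS_RATES.items():
        for length in (8, 10, 20):
            rows[(label, length)] = human_time(time_to_exhaust_seconds(len(PRINTABLE), length, rate))
    return rows


if __name__ == "__main__":
    for (label, length), duration in report().items():
        print(f"{length:2d} random printable chars vs {label}: {duration}")
    print("6 words from a 10,000-word list + 1 digit:",
          round(passphrase_bits(6, 10_000, math.log2(10)), 1), "bits")
    print("generated:", generate_password())
```

Note how the slow KDF row multiplies every figure by a hundred thousand: the site's storage choice and your password length work together, and you only control one of them.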

You can delve deeper into the subject with this article.

There are two password managers, both free and open source, that I recommend trying:

KeePass: completely offline. It creates an encrypted database file on your PC and has no built-in sync, so keeping several computers or a smartphone in step means moving that encrypted file yourself (compatible apps exist for other platforms). For a single PC it is the most secure option by far.

Bitwarden: multi-platform, available for PC, Mac, Linux and for iOS and Android smartphones. It syncs online and is very secure, because the vault is encrypted on your device with a key derived from the master password, so the server holds only ciphertext (provided you choose a strong master password). Very convenient for having all your passwords synced and at hand.

Final advice, data encryption in the cloud:

If you want to save data in the cloud (backup of PC/Mac/Smartphone and online folder synchronization), I suggest IDrive.

This is one of the few cloud services that let you choose to keep the data encryption key only on your PC (true "zero knowledge / end to end" encryption).

This means that you, and only you, can decrypt the data. The downside is that the provider cannot recover the data if you lose the password, but that is how it should be: the provider has no way to access data that are encrypted on your PC before being sent online.

If the service were breached and an attacker copied all the data, they would get only the encrypted version, which cannot be decrypted because the key is never stored on the servers. What the attacker can still do is try to guess your passphrase offline against the stolen ciphertext, which is why it must be strong. You chose a strong one, right?
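The mechanism above, as an added example (not IDrive's code, nor that of any real client): the key is derived on the client from the passphrase and a random salt, the file is encrypted locally, and only the salt, nonce, KDF parameters, ciphertext and authentication tag are handed to the provider. The cipher here is an encrypt-then-MAC construction built from the standard library's HMAC so that it runs without dependencies; a production client should use a standard AEAD such as AES-GCM or ChaCha20-Poly1305. The iteration count is an assumption.

```python
"""Client-side ("zero-knowledge") encryption of a file before upload.
Added illustration; not code from the original post or from any provider."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # assumption: choose for ~0.2 s per derivation on your machine


def derive_keys(passphrase: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the passphrase into an encryption key and a separate MAC key.
    This runs on the client; the passphrase and the keys never leave it."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudo-random keystream (PRF-based stream cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_for_upload(passphrase: str, plaintext: bytes, iterations: int = KDF_ITERATIONS) -> dict:
    """Runs on the client. Everything in the returned dict may be stored by the provider."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Tag covers salt and nonce too, so nothing the server holds can be swapped unnoticed.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ciphertext": ciphertext, "tag": tag}


def decrypt_after_download(passphrase: str, blob: dict) -> bytes:
    """Runs on the client. Fails closed on a wrong passphrase or a tampered blob."""
    enc_key, mac_key = derive_keys(passphrase, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong passphrase or data tampered with")
    keystream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], keystream))


def provider_view(blob: dict) -> dict:
    """What a breach of the server yields: random-looking bytes and KDF parameters, no key."""
    return {name: (value.hex() if isinstance(value, bytes) else value) for name, value in blob.items()}


if __name__ == "__main__":
    uploaded = encrypt_for_upload("The-surf-flies-under-the-cow-2", b"tax return 2019")
    print("server stores:", provider_view(uploaded))
    print("client reads back:", decrypt_after_download("The-surf-flies-under-the-cow-2", uploaded))
```

Everything in `provider_view` is exactly what a thief would walk away with; their only move is to run `derive_keys` over passphrase guesses, which is why the iteration count and the passphrase length are the two knobs that matter.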

With IDrive, you can both backup your computer and use a directory to synchronize in ways similar to other providers (Dropbox, Google Drive, OneDrive, etc.).

The free space is 5 gigabytes for backup + 5 gigabytes for synchronization folder. For paid plans, it's easy to find referral links on Google to get discounts of up to 90% for the first year (which becomes almost free).



This page has been translated using automated translation tools and artificial intelligence technologies. We strive to ensure that the content is accessible in multiple languages, but please be aware that the translation may not be perfect. If you have any doubts or need clarifications, please feel free to contact us.