Websites will go to great lengths to protect their users with online security measures, often requesting that users provide complicated passwords and requiring answers to multiple personal security questions. It can become annoying when websites require special characters, numbers, and varying lower and upper cases for passwords. However, this greatly increases the security of the user’s password selection, often forcing them to deviate from their usual password patterns and increasing the number of passwords possible, reducing the risk of it being determined by brute force calculation.
There are 26 letters in the English alphabet, 10 single-digit numbers and roughly 32 special characters that can be used for passwords. If lower- and uppercase letters are both counted, the number of unique letters doubles to 52. Therefore, if a password is created requiring mixed case, a special character and a number, there are 52 + 10 + 32 = 94 choices for each position in the password. When a password is also required to be at least eight characters long, this gives 94^8 possible passwords, which is roughly 6 quadrillion. Compare that to a five-character password using only lowercase letters: 26^5 possible passwords, which is only around 12 million.
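The keyspace arithmetic above, as an added example (not part of the original article), using the article's class sizes of 26 lowercase, 26 uppercase, 10 digits and 32 specials. It computes the effective alphabet from the character classes a password actually uses, the resulting keyspace, and the worst-case time an exhaustive search would need at an assumed guess rate (the rate is an illustrative parameter, not a figure from the article).

```python
import string

# Character-class sizes as stated in the article (94 in total).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def classes_used(password: str) -> set:
    """Return the set of character classes present in the password."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        else:
            used.add("special")   # anything else counts as a special character
    return used


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers the password.

    This is how an exhaustive attacker models the search: a password that
    only uses lowercase letters is searched over 26 symbols, not 94.
    """
    return sum(CLASS_SIZES[c] for c in classes_used(password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over that alphabet must try."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds to enumerate the whole keyspace at a given rate.

    This is an upper bound on attacker effort: dictionary and pattern-based
    guessing finish far sooner for passwords built from common words.
    """
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passwords; the guess rate is an assumed value.
    for pw in ("abcde", "Aa1!Aa1!"):
        print(pw, alphabet_size(pw), keyspace(pw),
              round(seconds_to_exhaust(pw, 1e9) / (365 * 24 * 3600), 6), "years")
```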
When hackers use brute force attacks to crack passwords, the shorter and less complicated the password, the better for them. It’s easy to see why companies require their employees to follow complicated password rules to make passwords as secure as possible. Users have been coached to avoid using the same password for multiple websites, repeating digits or letters, or using passwords that might be easily guessed (such as “password”). Unfortunately, not everyone follows these guidelines, and even a great password doesn’t guarantee online security, as we’ve seen with the massive hacks at Equifax, Uber and other companies.
It only takes one weak link in the software or employees associated with a company’s password database to cause a massive security issue for everyone involved. It hardly matters that there are 6 quadrillion possible passwords if hackers have access to your password because a database admin used “admin” as their password. Companies are starting to realize the importance of these database security breaches and are adopting stronger security measures to prevent future incidents. Database encryption, limited access, strict backend password procedures and timely installation of software patches that eliminate vulnerabilities are all being taken more seriously now.
Protecting Against Social Engineering
Even with secure company databases and hard-to-guess passwords, users sometimes hand their passwords and security information directly to hackers. Although it seems like users would be smarter about protecting their passwords, hackers employ time-tested social engineering techniques to manipulate users into giving up their information. The techniques include posing as an authority, appealing to the user’s greed and exploiting a user’s desire to help, among others. For example, around tax time emails show up claiming to be from the IRS that demand immediate action, such as signing on to a website or providing personal information by email. This is an example of posing as an authority and using fear to motivate users to give up their passwords.
Another example can usually be found after a natural disaster, for instance the flooding in Houston this year. An email, a link in social media, or even an app will claim to be a charity offering relief to victims of the disaster. Security information or passwords are requested to facilitate a transaction with the donor’s bank account, and a generous and eager user will provide this information without a second thought. Often these fake charities have names that sound like well-known charities to inspire trust. The methods vary, but all are essentially a con game meant to trick users into giving up their private information and compromising their online security.
Many of the more tech-savvy out there may find these approaches easy to spot and obvious. However, for the uninitiated, or those just off their guard that day, they can be surprisingly effective. For the hackers, it’s a numbers game. If they can get 0.5 percent of people to bite on their con, it simply becomes a game of getting in front of as many people as possible. If they can get their link viewed one million times on social media, at 0.5 percent they are still capturing 50,000 passwords. It’s the reason we will see the same scam over and over again until it becomes a punch line. The scams are still netting some small percentage of passwords or other useful information and thus remain worthwhile for those trying to compromise a user’s online security.
Measures can be taken to train users to spot and avoid these social engineering approaches, but it will be difficult to ever achieve 100 percent security. Scammers have existed since the beginning of documented history and likely long before that. They use a human’s expectations and instincts to get them to give up something they otherwise would carefully protect. As long as online security is based on the password system, social engineering will remain a serious threat to online security.