Internet account security, passwords, AI 'hackbots' 09:43 - Oct 16 with 4273 views NthQldITFC

I'm a former web developer and I've always been pretty careful about online security, minimising my exposure and doing (fairly) good practice in password strength and uniqueness, but not good at periodically changing passwords.

I was just about to set up a new family account for something this morning with access including people who aren't particularly web/tech/security savvy, and who may have scoffed at using more than one password or anything more complicated than a personally important word with a few numbers added. I will, of course, insist on more than that for the thing I'm setting up.

But it occurred to me that I haven't read anything much about AI being used in a fire and forget manner to crack all sorts of user accounts on the web, and how much more important good password security might be now. Of course, any decent application will have a throttling function to stop an automated system firing a large number of attempts at it, but AI must in theory make it easier for all sorts of actors to track a person's profile around the web and build up dictionaries of worthwhile password attempts to be tried on an automated basis without tripping security on some weaker websites.

Anyway, a lot of waffle, but just intended as a general 'review your password security' reminder to everyone. I personally use an encrypted password manager with a very strong phrase-based master password which I know well, and strong randomised individual passwords which have to be copied and pasted in (perhaps a slight security risk there though!). Better systems are available, and more knowledgeable minds than mine on here will no doubt advise.


⚔ Long live the Duke of Punuar ⚔
4
Internet account security, passwords, AI 'hackbots' on 14:06 - Oct 17 with 239 views Vegtablue

Internet account security, passwords, AI 'hackbots' on 23:18 - Oct 16 by Bbmaj

I’ve worked in cyber security for 25+ years so have some insights here.

We ask colleagues to avoid storing passwords in the browser due to the threat of malware compromising your device. In that scenario, passwords stored in the browser could potentially be misused. Malware could also result in a keylogger being installed to capture your passwords at the point of entry.

A dedicated password manager is less risky, but not without flaws especially if cloud based. Cracking all your eggs in one basket means dealing with a very messy omelette. One of the best features of a password manager is the quick creation of truly random and complex passwords which you don’t have to remember or type in. A little black book, non-digital, can be safe if you keep it secure - maybe avoid writing site names in full but use some form of code.

Someone else has suggested MFA. That is the best protection of all, however you do need to consider what happens if you lose your device (or whatever solution provides your additional authentication factor). Also, SMS based MFA is vulnerable to SIM swapping (a social engineering attack on your mobile phone provider) so consider an Authenticator app instead.

Another good suggestion is using a tiered approach. Many services don’t really carry much risk, but your main email, social media and anything financial deserves a unique, strong password and MFA.

AI hasn’t made it easier to crack a strong, random password, only a predictable one. Length is strength, so rather than using symbols and numbers you can create a memorable pass phrase by chaining unconnected words. You might be able to construct visual memory triggers to help remember the words, e.g. https://xkcd.com/936/?correct=horse&battery=staple


I’ll stop boring you now…
[Post edited 16 Oct 2024 23:31]


Great info cheers and thanks all, very enlightening thread. I have around 200 saved passwords on my Google browser that I will set about moving* to a safer platform. My banking passwords are different long random series of letters and numbers that I mostly remember and have stored in a 'little black book' (though I wrote them down a long time ago in a word search puzzle format that I can no longer fully decipher lol).

*changing and moving I guess
[Post edited 17 Oct 2024 14:08]
1
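Added example, not part of any post in this thread: a short Python sketch of the "length is strength" point in the quoted advice, generating a pass phrase from unconnected words with a cryptographic random source and estimating the guess space of the password styles mentioned above. The word list is a constructed sample, and the candidate counts (1,000 profile-derived guesses, a 100,000-word dictionary) are illustrative assumptions; the pass phrase figures only hold when the words are picked at random rather than chosen by the user.

```python
import math
import secrets

# Constructed sample list for illustration only. A real diceware-style list
# holds thousands of words; the list size is what sets the bits per word.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "lantern", "orbit", "velvet", "cactus",
    "harbour", "pickle", "tundra", "magnet", "saffron", "gravel", "violin", "ember",
]

def make_passphrase(words, count=4, sep=" "):
    """Chain `count` words chosen independently and uniformly with a CSPRNG."""
    unique = sorted(set(words))
    if count < 1 or len(unique) < 2:
        raise ValueError("need at least one word drawn from a list of two or more")
    return sep.join(secrets.choice(unique) for _ in range(count))

def passphrase_bits(list_size, count):
    """Entropy in bits when every word is a uniform random pick from the list."""
    return count * math.log2(list_size)

def word_plus_digits_bits(candidate_words, max_digits):
    """Upper bound in bits for 'one word followed by 1..max_digits digits'."""
    suffixes = sum(10 ** d for d in range(1, max_digits + 1))
    return math.log2(candidate_words * suffixes)

def random_chars_bits(alphabet_size, length):
    """Entropy in bits of a manager-generated string of uniform random characters."""
    return length * math.log2(alphabet_size)

def compare():
    """Return (label, bits) rows; the candidate counts are illustrative assumptions."""
    return [
        ("personal word + up to 4 digits (1,000 profile guesses)", word_plus_digits_bits(1_000, 4)),
        ("any dictionary word + up to 4 digits (100,000 words)", word_plus_digits_bits(100_000, 4)),
        ("4 random words from a 2,048-word list", passphrase_bits(2048, 4)),
        ("6 random words from a 7,776-word list", passphrase_bits(7776, 6)),
        ("20 random characters from 94 printable ASCII", random_chars_bits(94, 20)),
    ]

if __name__ == "__main__":
    print("example passphrase:", make_passphrase(SAMPLE_WORDS, 4))
    for label, bits in compare():
        print(f"{bits:6.1f} bits  {label}")
```

Each extra bit doubles the number of guesses needed, so the gap between the first and third rows is roughly a factor of a million.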
Internet account security, passwords, AI 'hackbots' on 14:47 - Oct 17 with 209 views Ryorry

Internet account security, passwords, AI 'hackbots' on 13:08 - Oct 17 by Bbmaj

It depends…

Probably safe enough, as the App should be installed on a device which will be recognised and trusted. If not, additional information/confirmation should be requested and not just a 5 digit PIN. However, if your device is compromised then you may be at some risk.

Banks are actually quite good when it comes to security though. There will be close scrutiny of the app security/updates and they build in additional safeguards for approving payments or changing personal details. But that safeguard could be a code sent by SMS to the compromised device!

Moral of the story = be cautious when installing new apps on your phone and make sure you apply security updates. I won’t mention VPN apps here, although that could be relevant to some readers.

Do your banking in person at a branch if you want to avoid risks (although the app can be very convenient for modern life and also help to quickly identify suspicious activity/payments).


The main threat here is social engineering or phishing, where you are “persuaded” to carry out the attacker’s actions (that may be making the payment or installing the malware-laden app). It’s simple and remarkably effective. Attacks will focus on low-hanging fruit, so easy and cheap will be preferred to highly technical and complex.


“But that safeguard could be a code sent by SMS to the compromised device!”

That is indeed one of the options usually offered when their security kicks in whilst buying unusually expensive items online!

I suppose at least my phone is on just a few seconds before it locks if unused, so if physically stolen or lost would I hope be safe.

Thanks again for the advice.

0




© TWTD 1995-2025