A Scottish IT boss has called on businesses and organisations to review their password policies after it was revealed yesterday (Tuesday) that the Scottish Parliament was targeted by a “brute force” cyber-attack from external sources.
Austen Clark, managing director of Scottish IT specialists Clark Integrated Technologies, comments: “Another day, another cyber-attack, this time at the Scottish Parliament, yet any organisation or public body could be in the frame.
“This was classified as a ‘Brute Force Attack’ which works by targeting the unsuspecting victim or organisation through a determined and prolonged series of requests to break through their defences by guessing their passwords.
“This type of attack is unrelenting: imagine someone at your door with an endless number of keys who keeps trying the lock until finding one that works.
“They begin with a basic key – starting with a well-known example – Password (instantly cracked) – if that doesn’t work then – Password1 (also instantly cracked) – and so on trying combination after combination. There will be thousands of combinations tried until they find one that works.
“They don’t stop there – they continue to build their list of passwords, cataloguing them and saving them for future use. These lists of active details with their compromised and now saved passwords are sold on the Dark Web.
“There are well documented examples of these attacks spanning back many years, with still active login credentials and passwords. ‘Brute Attack’ may not sound very sophisticated but it is very effective, and very disruptive as it floods IT resources with demands and requests to access your operation.”
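The flood of failed login requests Mr Clark describes is also what makes an online brute-force attack detectable. The following Python script is an added example for this page, not code from the article or from Clark Integrated Technologies: it parses constructed log lines written in the style of OpenSSH's auth.log entries (the hostnames, usernames and documentation-range IP addresses are made up), counts failed password attempts per source address inside a sliding time window, and flags any source that crosses a threshold, noting whether a successful login followed the burst. The year supplied to the timestamp parser, the five-failures-per-minute threshold and the log format are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of OpenSSH auth.log entries.
# Everything here is made up for the example; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges, not real attackers.
SAMPLE_LOG = """\
Aug 15 09:00:01 web1 sshd[2101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Aug 15 09:00:02 web1 sshd[2103]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Aug 15 09:00:02 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
Aug 15 09:00:03 web1 sshd[2107]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Aug 15 09:00:04 web1 sshd[2109]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Aug 15 09:00:05 web1 sshd[2111]: Failed password for admin from 203.0.113.7 port 51027 ssh2
Aug 15 09:00:07 web1 sshd[2113]: Accepted password for admin from 203.0.113.7 port 51028 ssh2
Aug 15 09:14:30 web1 sshd[2201]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Aug 15 09:14:45 web1 sshd[2203]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

# Matches the "Failed/Accepted password for <user> from <ip> port <n>" lines
# sshd writes; the optional "invalid user" prefix appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_log(text, year=2017):
    """Return a list of (timestamp, result, user, ip) for each password-auth line.
    syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, ignore it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: finding} for every source with at least `threshold` failed
    logins inside any span of `window_seconds`, recording whether an Accepted
    login from the same source came after the burst (a likely compromise)."""
    failures = defaultdict(list)
    accepted = defaultdict(list)
    for ts, result, _user, ip in events:
        (failures if result == "Failed" else accepted)[ip].append(ts)

    findings = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= window_seconds.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                success_after = any(t >= burst_end for t in accepted.get(ip, []))
                findings[ip] = {
                    "failures": len(times),
                    "success_after_burst": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {finding['failures']} failed logins"
              + (", followed by a successful login" if finding["success_after_burst"] else ""))
```

In the constructed sample, 203.0.113.7 makes six failed attempts in under a minute and then logs in as admin, so it is flagged with `success_after_burst` set; alice's single typo from 198.51.100.20 never reaches the threshold. The same per-source counting is what account-lockout and rate-limiting controls act on, which is why they blunt an online guessing attack regardless of how strong the passwords are.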
How can businesses protect themselves? Mr Clark says that reviewing password policy is the obvious place to start, heeding the latest advice to look at alternative combinations that would be almost impossible for a hacker to guess.
Mr Clark states: “You will often hear people telling you that they struggle with combinations of passwords, how can they remember a unique password for every service online that they use. Bank, retail, travel, trains – people resort to one password for nearly all their accounts and services that they use regularly.
“Password advice to date has been to use a combination of letters and numbers – Lett3rs and Numb3r5 – using upper and lower case and special characters.
“This advice has changed and the days of constantly updating passwords at least every 90 days are receding. It is time to look at alternative combinations like creating and using phrases that are easy to remember but would be virtually impossible to guess.
“Here are a couple of examples – ‘mycathasdandruff’ or ‘theshipisintheclouds’ – the combination of words and nonsense with no spaces makes these almost impossible to guess. If you want to try a few examples use the following tool to test them – howsecureismypassword.net
“You’ll find that complex combinations of words are easier to remember and almost impossible – although nothing is definite – to be guessed by computing logic.
The example – mycathasdandruff – would take 35,000 years to crack, based on this combination of nonsense, and while it may be nonsense it is easy to remember.
“Stay safe out there, take control of your data and secure your ability to use our brave new digital world.”
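The number of years an online strength meter reports depends on the attacker model it assumes, so it is worth seeing how the figure moves when the model changes. The following Python script is an added example for this page, not code from the article, Mr Clark or howsecureismypassword.net: it estimates the guess space for the article's own examples under three models, exhaustive character-by-character enumeration, a dictionary-combination search where the attacker knows the secret is several common words run together, and a walk through a leaked-password list. The guess rate of ten billion attempts per second, the 20,000-word dictionary size and the short stand-in list of common passwords are all assumptions of the example, not figures from the page.

```python
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Constructed stand-in for a leaked-password list, most common first.
# Real lists run to millions of entries; this is only enough to show the model.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "Password", "Password1"]


def charset_size(password):
    """Alphabet a character-by-character brute force must enumerate: the union
    of the character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and symbols
    return size


def guesses_char_bruteforce(password):
    """Worst-case guesses for exhaustive enumeration over the covering alphabet."""
    return charset_size(password) ** len(password)


def guesses_wordlist(words, wordlist_size):
    """Search space when the attacker knows the secret is len(words) dictionary
    words run together and tries every combination from a list of that size."""
    return wordlist_size ** len(words)


def guesses_common_list(password):
    """Guesses needed when walking COMMON_PASSWORDS in order; None if absent."""
    if password in COMMON_PASSWORDS:
        return COMMON_PASSWORDS.index(password) + 1
    return None


def years_to_crack(guesses, guesses_per_second):
    """Expected time in years, assuming the right guess turns up halfway through."""
    return guesses / 2 / guesses_per_second / SECONDS_PER_YEAR


def estimate(password, words=None, wordlist_size=20_000, rate=1e10):
    """Years to crack `password` under each attacker model that applies to it.
    `words` is the word split the passphrase was built from, if it was one;
    `rate` is an assumed offline guess rate (10 billion/s is in the range of a
    GPU rig against a fast, unsalted hash) and is not a figure from the page."""
    out = {"charset_bruteforce": years_to_crack(guesses_char_bruteforce(password), rate)}
    if words is not None:
        out["wordlist"] = years_to_crack(guesses_wordlist(words, wordlist_size), rate)
    rank = guesses_common_list(password)
    if rank is not None:
        out["common_list"] = years_to_crack(rank, rate)
    return out


if __name__ == "__main__":
    samples = [
        ("Password1", None),
        ("mycathasdandruff", ["my", "cat", "has", "dandruff"]),
    ]
    for pw, words in samples:
        print(pw, {model: f"{years:.3g} years" for model, years in estimate(pw, words).items()})
```

Under these assumptions 'mycathasdandruff' takes tens of thousands of years to enumerate as sixteen lowercase letters, but only a few months as four words from a 20,000-word list, and 'Password1' falls in the first handful of guesses from a leaked-password list however long character enumeration would take. The lesson for a password policy is to judge a passphrase against the strongest attack that applies to it, which for word-built phrases means adding words (each one multiplies the search space by the dictionary size) or a word that is not in any common list, and to pair it with the lockout or rate-limiting controls that stop online guessing outright.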