The case for secure email - Part 1: Passwords
From Twitter to LinkedIn to Facebook, these services have one thing in common: they all rely on email as the backbone for notifications and password resets. In part 1 of our series on email security, we'll look at passwords and why you shouldn't use easy-to-guess, non-random passwords.
Why should you or your organization be concerned about the security of your email, and what can you do to mitigate service interruptions? From breach attempts such as phishing scams, to virus infiltration, to denial-of-service attacks, email is the most utilized service on the planet, and because of this it is constantly under attack from external (and in many cases internal) sources.
Email, like many social network services, is a publicly available service. Similar to Twitter and Facebook, messages and information posted are available for public consumption. Unlike those other media tools, email is also an extremely private service. Most of us would not be happy with anyone gaining access to our mailbox in order to search through our messages. There are messages that are meant for our eyes only, whether it's a love letter from someone special or financial documents from the CFO.
At the same time, emails sent across the wire are always between the originating person and the people intended to receive them. This is quite different from other social tools where, once posted, the entire world can see. Change the email you're sending out from BCC to CC and now everyone on the email chain knows who's been emailed, which may or may not be a good thing.
Email often has a higher complexity model than other tools: simple in form, complex to lock down. Forget your password to a site? No problem, get it emailed to you. Want to sign up to a website or service? No problem! All you need to provide is your email address. Some sites are moving towards allowing you to sign up by other means, such as a text message to a cell phone, but those have their own security issues that make that form of authentication insecure.
Email can also be quickly hacked. Let's say we settled on a standard of passwords with 8 characters. While this is a little dated in today's world, many sites still have very easy-to-guess password requirements. Financial institutions are often some of the biggest culprits of easy-to-guess passwords. Many people also base their passwords on their name, their spouse's, their kids', pets, or home address. These are known as dictionary passwords.
As an example, we'll start with a password of "superman".
Let's use a password analyzer. I have chosen to use howsecureismypassword.
Initial Password: superman —> Instantly cracked
With 1 capital: Superman —> Instantly cracked
With 1 capital and 1 number: Sup3rman —> 2 hours
With 1 capital, 1 number, and 1 non-alphanumeric character: Sup3rm@n —> 9 hours
With 2 capitals, 1 number, and 2 non-alphanumeric characters: Sup3rM@n! —> 4 Weeks
With 3 capitals, 2 numbers, and 2 non-alphanumeric characters: SUp3rM@5! —> 4 Weeks
So even with a lot of changes to the initial word, it's still a dictionary-based word and easy to crack. Attackers would likely never run a cracking attempt for more than a week, since they will most likely be shut down quickly once they've been detected on an external network. If, however, an attacker has multiple computers running the same password cracking software, each trying a different set of passwords, then a password that would take 4 weeks to crack can be brought down to days or even hours.
I myself am a victim of this as well. I have used the same password for a long time, but the password is quite secure, even though it's stale and should be changed. And while it's a secure password, my email address was harvested in various online hacks years ago, and checking my email address against haveibeenpwned, I discovered 5 different hack attempts between 2013 and 2018 that released some personal information. As secure as my password is, it could now be out in the wild in an unhashed form, being used to try to log in to other sites I might be a part of. Time to change my passwords, where they were harvested, to randomly generated passwords independent of each other.
So even though I am a victim of a harvested attack against other services, I decided to check my own password against the checker to see how good it is. In its current form, it would take a hacker approximately 200 years to crack my old password, so I'm not overly worried about it. Also of note is that I had been using this same password for about 8 years before it was harvested in database dumps.
Now let's look at a modern password of 20 characters, randomly created by a password generator, in this case 1Password.
RK2_bmpNX92K-.LHAPGy —> This password would take approximately 4 sextillion years to crack. I don't know exactly how long that is, but it seems like a long (and fun) amount of time.
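The crack-time figures above come from an online checker. As an added example (not code from the original post or from Axigen), here is a small estimator that models the two effects the post describes: a mangled dictionary word is found by searching a wordlist times a set of mangling rules rather than the full keyspace, and spreading the work across machines multiplies the guess rate. The wordlist, guess rates and rule count are constructed assumptions, not measurements.

```python
import math
import string

# Constructed attacker model (assumptions, not measurements): guesses per second
# for one cracking box, and for the same software spread over many machines.
RATES = {"single machine": 1e10, "100-machine cluster": 1e12}
WORDLIST_SIZE = 1e6   # assumed size of the attacker's dictionary
MANGLING_RULES = 1e4  # assumed number of case/leet/suffix rules tried per word

# Tiny constructed wordlist standing in for a real dictionary.
WORDLIST = {"superman", "batman", "password", "letmein"}
# Common leet substitutions that a rule-based cracker applies automatically.
LEET = {"3": "e", "@": "a", "4": "a", "5": "s", "$": "s", "0": "o", "1": "i", "7": "t"}

def charset_size(pw):
    """Alphabet size a brute-force attacker must assume, from the classes present."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += len(string.punctuation)
    return size

def base_word(pw):
    """Strip trailing digits/symbols, undo leet substitutions, lowercase."""
    core = pw.rstrip(string.digits + string.punctuation)
    return "".join(LEET.get(c, c) for c in core).lower()

def is_mangled_dictionary_word(pw):
    return base_word(pw) in WORDLIST

def effective_bits(pw):
    """Bits of work for the cheapest applicable attack. A mangled dictionary word
    is found by searching wordlist x rules, so adding capitals, digits or symbols
    to it does not move it out of that (small) search space."""
    if is_mangled_dictionary_word(pw):
        return math.log2(WORDLIST_SIZE * MANGLING_RULES)
    return len(pw) * math.log2(charset_size(pw))

def years_to_crack(pw, rate):
    """Expected time to hit the password (half the search space) at a guess rate."""
    seconds = 2 ** effective_bits(pw) / 2 / rate
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    for pw in ["superman", "Sup3rm@n", "Sup3rM@n!", "RK2_bmpNX92K-.LHAPGy"]:
        for name, rate in RATES.items():
            print(f"{pw:22} {name:20} {years_to_crack(pw, rate):12.3g} years")
```

Under this model the 20-character password lands in the sextillion-year range at the assumed single-machine rate, while every "superman" variant collapses to well under a second, because case, leet and suffix changes never take it out of the dictionary search; the cluster rate simply divides each figure by 100.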
So while long passwords are frustrating, they are extremely beneficial in making sure your data stays secure and intact against external parties. There are also a lot of password management applications out there that can be used, some free or very cheap, to help you control your passwords.
Good passwords are just one part of having secure email. Sensitive data is sent back and forth between colleagues, often between different offices, companies, and countries. I don't believe anyone is sending financial statements over Twitter! People often email themselves their passwords, and email is often sent unencrypted to external recipients once it leaves your domain. Email is at the forefront of almost all brute force attacks, with dictionary attacks being the largest culprit. If you've got an easy-to-guess password, it's only a matter of time before your email is compromised. This goes for any service, but in general Twitter and Facebook are often hacked using different methods, often from an attacker gaining access to internal servers that offer them more options. There are websites dedicated to hacking social media services such as Facebook in 5 minutes or less.
If a person gets access to your email password, they can use your email account to spam millions of people. This in turn gets your IP address and domain(s) blacklisted, and causes a lot of irreparable harm to both your personal information and your business brand. Business gets affected, and the cog in the wheel that was working smoothly yesterday is now missing a few sprockets. The IT department now gets to play damage control and repair the problem, force all users to change their passwords to something more secure, and work with many different blacklisting services to get your domain removed from blacklists. Depending on the scale of the attack, this can take anywhere from a few hours to a few weeks to get completely resolved.
Complex passwords suck. A lot! But if you take some time now to lock down your passwords and use a good password manager to handle your logins, you can mitigate and stay in front of breach attempts and help keep your email secure. Does your current email provider allow for complex passwords? They should! If not, consider switching your on-premise solution to Axigen, or if you are currently hosted with another cloud provider, make the switch over to our own mailhive service, as we've built our solution to be as secure as possible.
In part 2 of our secure email series, we'll be looking at brute force attempts and how to keep them at bay.