The invisible thief


If you live in South Africa, there's a good chance you have been a victim of theft.

We know the thief is the person in the wrong. But that doesn't mean we do nothing. We recognise the risk, and we take precautions. We lock our doors. We install burglar bars or an alarm system. Our cars have tracking devices.

Our personal information is the cyber-equivalent of our possessions. And, like our cars and our TVs, it can be stolen. We need to recognise the risk and take precautions.

Passwords are like underwear

How many passwords do you have?

You might have one or more for work. Then there is internet banking. And your private email. And social media. And every place you shop online. And SARS. And your home Wi-Fi. And your medical aid. And the site where you registered to vote, and where you paid your traffic fine. Not to mention your cell phone PIN. And your bank card PIN.

We all know our passwords must be strong. That, like our underwear, we must change them often and keep them secret. Some systems remind us to change our passwords. But what about the rest?

You've (almost certainly) been pwned

If you've never heard the word "pwned" before, it's got nothing to do with pawn shops (or porn shops). It is an obscure geek term that means someone has gained illegal access to or control of you.

It's likely that one of your passwords has been exposed during a data breach. The list of breaches is long, and on the rise. LinkedIn, Yahoo and Facebook have all had breaches.

And there have been plenty of breaches in South Africa. In 2017, the Master Deeds database exposed millions of records, including ID numbers. In 2018, the ViewFines breach exposed the records of 934,000 SA drivers. A few weeks later, Liberty Life had a huge breach. And in August 2020, the Experian data breach risked the personal information of 24 million South Africans.

You can check if your details have been exposed at Troy Hunt's website: haveibeenpwned.com

Your brain is a very bad password manager

That is a direct quote from one of Troy Hunt's blog posts. And it's true. The only way you can remember your passwords is if they are short, meaningful and few. Which, by definition, means they are not strong.

Let's be honest: password management is work

Try a real password manager

A password manager is a program where you store details of your logins and passwords. It encrypts the information in a secure vault. You only need to remember one password: to open the password manager.

A good password manager generates strong passwords for you. It can check if any of your passwords have been pwned. Most password managers have mobile and desktop versions, so you can sync across your devices.
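As an added example (not code from the original post, and not from any particular password manager), here is the core of the "has this password been pwned?" check a good password manager performs, together with the strong-password generation step. The point worth seeing is that the password itself never leaves your machine: only the first five characters of its SHA-1 hash would be sent to Troy Hunt's Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>, a detail from my own knowledge of the service, not the post), and the match is done locally against the returned list. The network call is left out; the response body below is a constructed sample.

```python
import hashlib
import secrets
import string

# Constructed sample of a Pwned Passwords "range" response: one line per
# breached SHA-1 hash that shares the 5-character prefix, as SUFFIX:COUNT.
# The middle line is the real suffix of SHA-1("password"); the counts and the
# other two suffixes are made up so the parser has something to skip.
SAMPLE_RANGE_RESPONSE = """\
1E2A9B7F0C3D4E5F6A7B8C9D0E1F2A3B4C5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0A1B2C3D4E5F60718293A4B5C6D7E8F90:11
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-char prefix would be sent to the API; the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate blank lines and CRLF."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the breach corpus (0 = unseen)."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, with no memorable structure at all."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print("prefix sent:", prefix, "| times seen:", breach_count("password", SAMPLE_RANGE_RESPONSE))
    print("generated:", generate_password())
```

With a real response body in place of the sample, a non-zero count means the password is in a known breach and should be replaced with a generated one.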

Somebody will argue about the risks of a password manager. But that risk is much smaller than the risk you run when you use weak passwords on dozens of sites. According to the UK National Security Centre, password managers are a good thing.

The title of Troy Hunt's blog post sums it up: Password managers don't have to be perfect, they just have to be better than not having one. Do yourself a favour: read the article. He also offers an interesting perspective on a non-tech solution: a password logbook.

There are plenty of good free password managers. It only takes a few minutes to download and install one. 

Unfortunately, you still have to do the work. At first, I only used a password manager to store my passwords. I still often chose passwords that I could remember. Then I had to change all my passwords after one was pwned, and that took a lot of time. 

It's not just the hacker

It's easy to blame the hacker. Sometimes it's easy to blame the user. But developers also have an important responsibility. They need to make sure that their code has strong burglar bars and a working alarm system. So keep an eye open, because in the future we will offer a series of emails about web application security.
