Why your passwords are easy to crack and what to do about it

There is an opinion that security can simply be bought, or that once you reach a certain level you can stop there and it will last forever. Alas, this is far from the case, both now and 15-20 years ago. Let’s consider this using a behavioral and a technological example of password guessing.

Until a few years ago, it was considered safe to change passwords after a certain period of time, say, three months. System administrators and software developers made everyone follow this rule, and people dutifully changed their passwords at regular intervals. And it was considered safe, very much so. But there were several nuances in this strategy.

Studies and observations have shown that if people are forced to change passwords regularly and on a schedule, they begin to write them down on pieces of paper or in notebooks, or they just add a character to the old password (it was MyPassword1, it became MyPassword2, then MyPassword3), etc.

If an attacker gains access to one of these passwords, he can easily predict what the password will be in six months or a year, which lets him keep using the victim’s data without additional effort. And the victim will change the password only when the time comes for the next scheduled change.
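One way a password-change form can refuse the MyPassword1 to MyPassword2 pattern described above, as an added example that is not part of the original article. It assumes the check runs at change time, when the user has just typed both the current and the new password; the function names and the 0.8 threshold are hypothetical, and the example goes slightly beyond the text by also catching added prefixes and simple character substitutions.

```python
import re
from difflib import SequenceMatcher

# Undo common substitutions users apply to "change" a password (assumed list).
_SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
     "@": "a", "$": "s", "!": "i"}
)


def _stem(password: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, undo substitutions."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    return core.translate(_SUBSTITUTIONS)


def is_predictable_change(old: str, new: str, threshold: float = 0.8) -> bool:
    """Return True if `new` is a guessable variation of `old`."""
    a, b = _stem(old), _stem(new)
    if not a or not b:
        # Nothing left but digits/symbols: compare the raw strings instead.
        a, b = old, new
    if a == b:
        # Same base word, only the counter or decoration changed.
        return True
    # Otherwise reject anything that still shares most of its characters.
    return SequenceMatcher(None, a, b).ratio() >= threshold


if __name__ == "__main__":
    # Constructed sample pairs (old password, proposed new password).
    samples = [
        ("MyPassword1", "MyPassword2"),
        ("MyPassword3", "2024MyP@ssw0rd!"),
        ("123456", "123457"),
        ("MyPassword1", "correct horse battery staple"),
    ]
    for old, new in samples:
        verdict = "reject" if is_predictable_change(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The check only compares the two strings in front of it, so it does not replace the uniqueness and length rules; it just stops a change that an attacker holding the old password could guess.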

What is the custom now? Everything is simple here: if you suspect that the password has been stolen, you will want to act immediately, and not wait for the expiration date to fix the problem.

For example, if you entered your mail password somewhere in a public place where surveillance cameras are installed, it is better to change the password. I had to log into my Facebook account on someone else’s device – it would be safer to update the login details.

During quarantine, many users use their devices at home, and if you have not become a victim of a phishing attack or installed some suspicious software, you do not need to change your password regularly. This should only be done if you suspect that someone might have gotten the login information for a particular account.

Of course, in this case, it is necessary to follow the rules of password uniqueness (one account – a separate password), length (the longer, the better) and the absence of any personal information in it (no birth year or mother’s maiden name).

Today, these rules of conduct are considered the norm, based on the accumulated experience of using passwords, but soon they will be revised, and the conclusions and recommendations will be different. Stay tuned for updates.

On the technical side, there are many surprises as well. For example, it used to be enough to “pixelate” or “blur” important information (passwords, numbers, addresses, etc.) in an electronic document or screenshot before publishing it in the public domain.

Now, almost any user can try to recover the hidden password in the screenshot using the Depix tool. True, five years ago there were similar tools, but less effective.

Yes, the accuracy may not be the highest at first, but, say, knowing the exact value and order of 8 of a password’s 12 characters is almost a victory. Such a password will be very easy to crack by guessing the missing characters.

The effectiveness of this method will constantly grow, subject to training and mass use, and eventually the technology will spread to other methods of hiding information, such as “blurring”.

Most likely, in the near future, based on this algorithm, chat bots or applications will appear, into which it will be possible to upload a picture with pixelated text and get a decrypted version at the output.

What to do in this case? Change your behavior and tools. Stop publishing documents containing sensitive information altogether. If you still need to, crop the document, hide the data by painting over it rather than pixelating it, and so on. And go through all your old publications where you pixelated something and clean them up.

As you can see, just doing everything once and relaxing will not work. The field of digital security is very dynamic, therefore it requires your close attention.

by Abdullah Sam