Fraud Alert: Password Management

Yogesh Sapkale 28 October 2022

Consumer Interest

This morning, while checking tweets, I came across a post by the police commissioner of the government railway police (GRP) in Mumbai. He informed that the official (and verified) Twitter account of GRP Mumbai had been hacked and that people should not pay heed to any fresh tweets till the account was restored. The hacked account was used to retweet posts related to Elon Musk's takeover of Twitter and tweets from Tesla. However, this incident again highlights the crucial aspect of passwords and password management.

Dear Mumbaikars, it has come to our notice that the @GRPMumbai handle seems to have been hacked. We request you to not pay heed to any fresh tweets till we update. The concerned agencies are working on regaining access.
— CP GRP Mumbai (@cpgrpmumbai) October 28, 2022

What is more shocking is that fraudsters are found stealing verified accounts from Twitter and Instagram and selling it on the black market. Buyers (read criminals) are using these verified accounts to promote new fungible tokens (NFTs).

According to an investigative report by The Verge, such thefts occur regularly, with dozens losing their profiles every day if the frequency of new listings on marketplaces for verified profiles is any evidence. "In this particular Telegram group, control of a verified account usually goes for a couple of hundred dollars, which buyers usually hope to make back by promoting NFT scams," it says.

As demand for verified accounts surges for NFT promotions and scams, hackers have taken to more accessible channels like Telegram to reach broader audiences, The Verge says, adding that the way hackers break in is easier than you think.

Passwords are the first line of defence mechanism in securing almost all electronic information, networks, servers, devices, accounts, databases, files, and more. This also means if your password/s are weak and poorly managed, it would lead to incidents like unauthorised access, credentials leak and data breaches.

Whenever I discuss the password issue, many people have two primary 'difficulties'—one, how to create a strong password and second, how to remember it. Essentially, it would help if you created a strong password that is easy to remember for you but difficult for others, including cybercriminals.

A Strong Password Should:

• Be of at least eight characters in length (I would suggest using at least 13 characters for robustness)

• Contain both upper and lowercase alphabetic characters (e.g., A-Z, a-z)

• Have at least one numerical character (e.g., 0-9)

• Have at least one special character (e.g. ~!@#$%^&*()_-+=)

How To Create a Robust Password That Is Easy To Remember

• Choose a password that doesn't contain a readable English word

• Mix upper- and lower-case letters

• Use a number or symbol in the middle of the word

• And, of course, create unique passwords for different sites

• Also never use name/s, date of birth, or mobile number of you or your family member or near and dear ones

Here Is How To Do It

• Start with an original but memorable phrase—for example, 'Pappu cant dance saala'.

• Convert this simple phrase into an acronym. Be sure to use some numbers, symbols and capital letters, too.

• Create a sequence that you can easily remember. For example, take the first letter of each word. 'Pcds' (You can use last letters or second letters of this phrase… Use your wild imagination)

• Add special characters or numbers in between. For example, you can add numbers based on the number of characters. Here I am using 1 after 'P', 2 after 'cd' and 3 after 's'. So the combination would be 'P1cd2s3'

• Now, add special characters in this combination. For example, I will use '$' in between 'cd' and any other character at the end. So the combination would be 'P1c$d2s3&'

Site-specific Passwords

If you are using 'P1c$d2s3&' as a basic password, then you add specifics like bank name, email, social media, etc. For example, For ICICI Bank 'P1c$d2s3&ICICI', for SBI 'sP1c$d2s3&Bi', and for Gmail, 'mailP1c$d2s3&G'

For general sites which don't affect you personally or financially, use simple phrases to create passwords.

Reserve your most robust, distinct passwords for critical services—like your bank account, computer and personal email.

Now let us see how strong the passwords are...

I have an online tool available free of cost to check the robustness of passwords that we created. (Here is the link http://password-checker.online-domain-tools.com/)

I just interchanged upper and lower case letters for the first (Pappu to paPpU) and last words (sala to SalA) in the paraphrase to increase the total number of characters in the password. See the result below! (paPpU1c$d2s3&SalA, but kindly refrain from using it since it is available on a public platform)