World’s Biggest Spambot Dump: New Zealanders urged to check and change passwords
Yesterday it was reported that more than 700 million email addresses, and a number of passwords, have been leaked in
what is already being referred to as one of the largest spambot dumps the world has ever seen.
At present, it is believed the data dump originated from a spambot called Onliner, although this is yet to be verified. You
can check if your email address has been affected at haveibeenpwned.com.
Security experts are advising those affected to change their passwords immediately to reduce the risk of further
This recommendation begs the question – what makes a secure password?
Aura Information Security’s general manager, Peter Bailey says, "While security experts have been talking to people
about securing their passwords for years, it is still one of the easiest points of access for hackers to use. Too often
passwords are written down, reused or too easy to hack."
Passwords are the gateway to your own and your company’s private materials, but the importance of password security is often
overlooked – which can lead to increased cyber security risk for businesses.
Here are six top tips on how to maximise your business’ password security from Aura Information Security’s Peter Bailey:
1. Use a password manager
A good password manager, which is essentially a vault that stores all your passwords in one place and is protected by a
master password, will make the task of setting strong, different passwords for multiple accounts far easier. These
password managers rely on you setting a very strong master password, so Aura recommends using a “passphrase” as this
master password – that is, a sequence of four or five words. These days, it’s length, not complexity, that makes a good
password, so try to choose longer words that aren’t predictable or easy to guess. Fortunately, it will be the last
password you have to remember, as most password managers include password generators to create strong (long and complex)
passwords for you, so you’ll never have to look at or type in another password again. There are lots of options out
there, ranging from online solutions such as 1Password or LastPass, to the more technical solutions such as KeePass.
Most solutions provide mobile apps as well, so you can manage your passwords on your iOS or Android devices too.
2. Use two-factor authentication where it is available
Where two-factor authentication is offered (even Facebook offers it these days), make use of it. Two-factor authentication
combines username and password (factor one) with a second level of verification, like a TXT code to your mobile or a 2FA
code generator such as Google Authenticator (factor two).
3. Don’t reuse passwords
If a hacker does manage to access your business password, having the same password for everything could spell disaster.
The same goes for employee passwords: sharing passwords between personal and business accounts increases the
chances that a password could be compromised. It’s best practice to have multiple passwords, to minimise the potential
impact on your business should one password be discovered.
4. Never disclose or share your credentials
Cyber criminals are getting more and more sophisticated, but in our experience the same types of tricks that have been
used for years by hackers are still the most effective – and that is social engineering. In other words, tricking an
employee into clicking on an infected link, revealing a user name and password or paying an invoice that looks like it
has come from a legitimate source. Perhaps our biggest piece of advice is that good security starts with staff education
and effective security policies – and that includes never revealing your passwords to anyone, or including passwords in documentation (emails, work
instructions, application user guide etc.).
5. Ensure your employees understand cyber security
Most security breaches can be attributed to employee error…or ignorance. Employees who use weak passwords or use the
same password across personal and work accounts can prove to be the weak spot that hackers use to penetrate your
business. To ensure your business fosters a culture of cybersecurity awareness, regular training and education is key.
If you don’t have a CISO to help lead the charge, there are some great online tools and employee checklists available
from sites such as ConnectSmart.govt.nz and cert.govt.nz. Aura also recently launched its e-learning tool, which is
designed to provide businesses with the ability to train and educate staff whilst also identifying areas for
6. Make your password complex, but easy to remember
Previous advice has recommended combining upper and lower case letters and using numbers and symbols when creating your
password. People’s inability to remember these complex passwords ends up putting them at higher risk of
being hacked – by writing down your password in order to actually remember it, you’re opening yourself up to more threats.
Instead, think of an easy to remember phrase or word combination. Lyrics of a song, a short quote from a movie or book,
or even a dinner dish are good options to make your password complex enough to deter hackers, but still easy to
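Tips 1 and 6 both rest on the same point: length, not character-set complexity, is what makes a password strong. The added example below (not code from the article or from Aura) makes that concrete with the kind of generator a password manager runs: it draws words at random from a wordlist with the `secrets` module, and computes the guessing entropy of a word-based passphrase against a short "complex" password and a manager-generated random one. The embedded wordlist is a small constructed sample; the entropy figures are computed for a 7776-word list, the size of the Diceware and EFF lists that real generators use.

```python
import math
import secrets
import string

# Constructed sample wordlist for the demo. A real generator uses a published list
# of several thousand words; the Diceware and EFF long lists each have 7776 entries.
SAMPLE_WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbour",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchard", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = 94          # letters, digits and punctuation available on a keyboard


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDLIST, separator: str = "-") -> str:
    """Master-password style passphrase: `words` words chosen uniformly at random.
    secrets.choice uses the OS CSPRNG; random.choice would be predictable."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length: int = 16) -> str:
    """What a password manager's generator produces for ordinary accounts: random
    characters from the full printable set, never meant to be memorised."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(words: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Bits of entropy for `words` words drawn uniformly from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy for `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def compare_strength() -> dict:
    """Entropy of the three styles of secret discussed in the article, rounded to 0.1 bit."""
    return {
        "8-char complex password": round(password_entropy_bits(8), 1),
        "4-word passphrase": round(passphrase_entropy_bits(4), 1),
        "5-word passphrase": round(passphrase_entropy_bits(5), 1),
        "16-char generated password": round(password_entropy_bits(16), 1),
    }


if __name__ == "__main__":
    print("master passphrase:", generate_passphrase())
    print("generated account password:", generate_password())
    for label, bits in compare_strength().items():
        print(f"{label:28s} {bits:6.1f} bits")
```

The entropy figures hold only because the words are chosen at random: a five-word passphrase from a 7776-word list carries about 64.6 bits, more than an eight-character password drawn from the whole keyboard (about 52.4 bits), yet it is far easier to remember. A phrase the user already knows, such as a well-known lyric or quote, is not drawn at random and appears in attackers' wordlists, so it should be treated as much weaker than its length suggests; a few obscure, unrelated words are the safer choice.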