European Cyber Security Month: How I hacked myself
October 1, 2018
As part of European Cyber Security Month, Jake Moore, cyber security specialist at ESET UK, divulges some excellent advice on managing passwords.
Who has forgotten a password before? Surely, it's one of those trusty few passwords we always use… the dog’s name, your child’s date of birth, ‘Password123’. Well, you can just reset it. Oh no, wait - this one is still connected to that back-up email address you stopped using years ago!
Sound familiar? But what happens if you lose the password to your encrypted iPhone backup and you need to restore the damn thing? This is exactly what happened to me.
I went to do a typically mundane iOS update on my iPhone recently and, as per usual, I did a quick backup through iTunes before I started.
However, halfway through the update, my phone crashed and became a very expensive brick in no time. I left it, but nothing was playing ball. Eventually, the phone decided to revert to the dreaded factory settings, wiping all my data on the device. No contacts, photos, data – nothing.
But thankfully, I had that trusty valuable backup I had done one hour earlier. Or so I thought…
I plugged in my phone and hit restore from backup on this machine. Now this is where it happened - it asked me for my iPhone backup password (encrypted restore passwords are only required if you want to back up data such as the heart app or 2FA authenticator apps, for example).
I thought I knew this password. Well, this is where panic struck. It transpired I did not know my password! All my online passwords are randomly generated in a password manager, but for some reason, I had not input this one, and now it was asking me for it…
It dawned on me – I was going to have to try and crack the password to my own device. I immediately turned to some brute force software that I trust, pointed it at the encrypted file and ran it. Wanting to blame anyone but myself, I went to bed in a mood, muttering, "How can Apple allow this?"
Eventually, it located an eight-character password I had originally used in 2010. I went back to iTunes, typed it in and thankfully, everything was restored back on my phone.
Well, today marks the start of European Cyber Security Month – an opportunity for everyone to stop, think and re-educate themselves about good cyber security practices and information sharing. The first week of this awareness month focuses on ‘basic cyber hygiene’, assisting people in establishing and maintaining the daily routines, checks and general behaviour required to stay safe online. And password management is one of the most basic things every person needs to get right.
This, then, brings me back to my story. Everything that happened to me that day acts as a reminder to always make back-ups of your data and remember to record the password. It also highlights the importance of having a password manager – both at work and in your personal lives – to not only avoid having to hack yourself like I did, but also to protect your most important personal and business accounts.
Password managers are simply designed to do the heavy lifting of creating, storing and protecting your accounts and the data they hold. They act as a digital safe, encrypting and storing all your passwords locally and offline.
Indeed, password managers are all the rage in password security and, intuitively, it is hard to deny their merits. In addition, recent research found that password managers benefit both password strength and uniqueness, although apparently this strategy works only if the passwords are generated by the software.
Either way, assuming that you trust the implementation of your password manager, then its security is largely determined by the robustness of your master password. That’s doubly relevant if you consider that you’re effectively putting all your eggs into a single basket. That basket could, in fact, become a single point of failure.
So, this Cyber Security Month, consider how secure your passwords really are and take the time to implement a password manager to protect all your devices and accounts properly.
In my next article, I will explore the second theme as part of this awareness month, expanding your digital skills and education.