As the Kathmandu Post reported, in May 2022, “90.56% of the population in Nepal had access to the internet, according to the management and information report of the Nepal Telecommunications Authority.”
Across the country, 27.37 million citizens are active internet users. As digitalization in the nation increases as expected, so will the number of cyber incidents.
Good cybersecurity is not just the responsibility of the government; the onus also falls on users. Protecting oneself online is a matter of robust password practices, such as using long and complex passwords and protecting these appropriately.
However, there is conflicting information online about what actually constitutes these best practices. Today, we’re taking a closer look at password misconceptions before examining why good password management matters.
We were once told that regularly changing our passwords was essential, and many online services and account providers still mandate password changes. However, emerging evidence suggests that changing one’s passwords is a bad idea.
According to Microsoft, the reasoning behind this is that frequent changes may prompt a situation whereby users fall back on easy-to-remember or recycled passwords from other accounts.
Even if a user has little to lose from a hack financially, unintentionally allowing a threat actor access to their accounts via weak passwords can have a far-ranging impact. For example, the hacker may use that user’s account to carry out social engineering attacks on other users.
For instance, as most of us have seen, threat actors regularly use a stolen account to send suspicious links to that user’s friends or contacts, tricking them into downloading malware or other nefarious software.
Yes, complexity matters, but it’s not the be-all and end-all of password security as many of us believe. Hackers use advanced software to crack passwords, and whether a character is an A, a, or @ makes little difference to today’s brute force and dictionary attack tools.
Instead, password complexity must be balanced with uniqueness and length. Today’s best password practices suggest a minimum of 12 characters and a random combination of numerals, upper and lowercase letters, symbols, and punctuation.
According to the United States Federal Bureau of Investigation (FBI), length is the key to a strong password.
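The balance of length and character variety described above can be put in numbers. The following Python sketch is an added example, not part of the original article: it generates a random password that meets the 12-character minimum with every character class, and compares brute-force search space for short-complex and long-simple passwords. The function names and the 16-character default are assumptions, and the bit counts apply only to passwords chosen uniformly at random.

```python
import math
import secrets
import string

# Character classes named in the guidance above.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
MIN_LENGTH = 12  # minimum length stated in the article


def generate_password(length: int = 16) -> str:
    """Return a random password containing every character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of brute-force search space for a uniformly random password."""
    return length * math.log2(alphabet_size)


def compare_length_vs_complexity() -> dict:
    """Contrast short, complex passwords with a long, simple one."""
    full = sum(len(c) for c in CLASSES.values())  # 94 printable characters
    return {
        "8 chars, all classes": round(search_space_bits(8, full), 1),
        "12 chars, all classes": round(search_space_bits(12, full), 1),
        "16 chars, lowercase only": round(search_space_bits(16, 26), 1),
    }


if __name__ == "__main__":
    print(generate_password())
    for label, bits in compare_length_vs_complexity().items():
        print(f"{label}: {bits} bits")
```

A 16-character password drawn only from lowercase letters has a far larger search space than an 8-character one using every character class, which is the sense in which length outweighs complexity.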
Passwords should not be memorable. In fact, they should be the distinct opposite. In today’s age of advanced technology, there is no need to memorize passwords as we have tools to complete this task for us. For example, a good password manager such as LastPass or ZohoVault can securely store and generate strong passwords.
Users only need to remember one single master password or passphrase and the software will do all the heavy lifting, including automatically logging users into the websites and apps they visit and use.
This myth has some validity: sure, users shouldn’t leave their passwords listed on a piece of paper where others can easily discover them. But by the same token, threat actors aren’t hunting for pieces of paper; they are using advanced technology to crack passwords.
It’s better to write a complex master password, such as for a password manager, down on a piece of paper and keep it in a safe place than to rely on simple passwords such as “1234” across numerous accounts.
There has been a lot of attention paid to ATM-based cyber crimes in Nepal in recent years. For example, in September 2020, the Nepalese police force arrested five people in relation to cloned credit cards. The Chinese nationals involved in this incident hacked into the Nepal Electronic Payment System (NEPS).
Earlier in the same year, Foodmandu suffered a major data breach with the data of 50,000 consumers exposed. Extortion and ransomware are also a growing issue; in 2021, the director Dipashree Niraula’s Facebook page was hacked with the threat actors involved requesting Rs 10,000 in ransom for its safe return.
Poor national cybersecurity regulation and a number of known loopholes place digital systems, including those of individual users, at risk in Nepal. In 2022, the country moved up a few rankings to 94th in the Global Cybersecurity Index, which shows progress overall, but there is still a lot to achieve.
Couple vulnerable systems nationwide with poor digital hygiene practices, and you have a recipe for cyber security disasters. The risks of not protecting individual accounts well include financial losses, extortion, identity theft, and others.
Passwords are the first line of defense, and as such, they need to be treated as important and protected accordingly.