I was one of those customers whose Tesco bank account was frozen the other weekend due to a ‘sophisticated hack‘.
Fortunately, no funds were removed from my account and I wasn’t really inconvenienced in a big way as it’s not my main current account.
Like many people these days, I conduct most of my personal finance online so I was interested to read this article the other week on password strength and security.
There’s some decent advice on how to create robust passwords and I can’t be the only person here to admit that I can occasionally be quite lax with my passwords.
Anyway, in the article, there’s a ‘how secure is my password‘ link where you can check the strength of your passwords, so I gave it a go with one of my passwords (or rather, something very similar to my actual password) and got this result:
Bugger…time to change this password methinks to something a bit more complex and tougher to decipher. And no, this wasn’t my Tesco bank account password – that one, when I tested it, would apparently take 1 Month to crack.
Fortunately, another one of my passwords got this result:
I now need to try to change all my passwords so that I get a similar result!
The tough bit will be remembering them all!
I might have to start using a password manager but how safe are those? I might check out Dashlane, as featured in the article.
Bank Security
The most robust password however probably won’t be of any use if the bank itself is targeted, as in Tesco’s case, although who really knows? Maybe my password which would take a computer a month to crack did stop thieves from nicking money from my account, but equally, it could be that they didn’t get round to my account before Tesco plugged the breach.
This recent article revealed that perhaps other banks’ online security aren’t quite as resilient as they should be against hackers – Tesco isn’t even mentioned!
This is probably a good time to put forward the idea of having an emergency fund with a bank other than your main bank, to cover the event of your account be hacked.
But then, how safe is your emergency fund? That could be hacked too!
Cash under the mattress, anyone?
Wow scary stuff. Looks like most of my passwords would take 6 years to crack.
Indeed, Tawcan! 6 years seems pretty robust though!
Hi Weenie,
Good to hear that you werent too badly affected – thats got to be a relief but it does remind everyone of the need to change passwords regularly, and to good solid ones! I rotate changing mine (to new and different ones) fairly regularly, but then I have a lot.
You are spot on though, you dont have everything in one account / bank, thats just asking for trouble – a bit like putting all your money into Enron stock some years ago (I didnt!).
For me, I have emergency cash spread around 3 different banks, and then two current accounts with two different banks, so a total of 5 different banking licences which means I am mostly safe, but a good point about what about cash – I can only get it from one account, so maybe I should find somewhere to hide some ready cash just in case!
Keep up the good work!
London Rob….a….k….a….. 😉
Cheers London Rob AKA…. 🙂
I have three current accounts (with different banks) for different purposes and my small emergency fund is with yet another bank. However, the bulk of my funds is in my ‘main’ account so I think I do need to spread some of the cash around so I don’t get caught short.
I think you hold some emergency cash in premium bonds too? That’s what I think I will do too!
Hi Weenie,
Sensible – I dont have a huge amount in any one account – my usual main account gets emptied within a week of my salary going in through the usual automated direct debits 🙂
I do indeed – Premium Bonds hold a bit of emergency cash and reinvest the winnings, I’ve yet to need to take anything out of them so I dont yet know how fast I can get at them in an emergency…
London Rob… or is it… ? 🙂
“London Rob… or is it… ? ”
Such a tease!!! The suspense is killing me! 🙂
Thanks for the reminder about beefing up passwords, fear I’ve also been a bit lax about some of mine.
Definitely agree about spreading cash between different accounts, to prevent problems if one gets frozen, or even if your card gets lost or stolen for that account. I’m keen on using multiple high paying current accounts to earn extra interest too.
Hi Faith
Yes, as mentioned above, while I do have different accounts, most of the cash is in my main account so I do need to spread it so there’s enough in the other accounts should something dire happen password security-wise! Two of my accounts pay interest (TSB and Tesco), so I should make sure they’re topped up to their maxes (they’re not!).
Haha – reminds me of this:
https://xkcd.com/936/
Maybe you’ve made an assumption that a computer can have an infinite no. of go’s when trying to guess a password?
I don’t know – security is hard and confusing
A password manager or DIY password manager (an encrypted text file) is pretty essential these days unless you take the approach of same password for everything – which is frowned upon I’ve heard..
Haha, thanks for that link, TR!
No, I don’t know if a computer can have an infinite number of guesses at a password. If not, I don’t understand how accounts can be hacked unless the actual passwords have been stolen?
I do need to consider the password manager.
I always wonder about how long it takes to crack a password: don’t most important systems lock you out after several bad attempts?
….. so number of attempts to crack would be more useful than time don’t ya think?
Hi Mark
Not sure, I’m guessing that when you, say log into your bank account, you’re using the front end interface (website) to log in and it locks you out after several bad attempts. When a hacker gets in, he/she isn’t using the usual website, but probably via ‘backdoor’ and there might not be a lock out or it’s bypassed?
I think the assumption behind saying ‘it will take n hours/days/months’ to crack is that the encrypted password has been stolen and can be cracked offline, which bypasses any restrictions on the site about only allowing n attempts.
I use a password manager, as it seems a lesser risk than using weak passwords. As mine syncs the password database with Dropbox, I apply an extra layer of security by including ‘xxx’ in the password in the manager and leaving a hint to myself in the ‘notes’ field to replace it with something like ‘my favourite fruit when I was 12’ – that way if someone (eg the password manager author) gets hold the password, they can’t use it.
yes possible to crack offline Steve, but how does one know it is cracked if not tried? I find it hard to believe that it is possible to ‘crack’ a password without trying it 🙂
That said with so many passwords needed/used today a password manager can make sense – I like the ones that generate random passwords.
These “time to crack” estimates work on the basis that the website has been hacked and the username / password pairs have been stolen.
In the worst case the passwords are stored in plain text, so that username / password pair is “cracked” immediately.
In most circumstances the passwords will be encrypted (using something called a hash function) so the time represents how long it takes to break that encryption offline. Once broken the username / password pair is known. The key point is that the hash function is easy to calculate but hard to reverse.
In either case it is not necessary to use the original website to check that you’ve got the correct password because you’re working from the website’s own password file.
(See useful info here: https://www.wordfence.com/learn/how-passwords-work-and-cracking-passwords/ )
Trying to “crack” a password without the password file should be much harder (if you don’t have a really insecure password) but does depend on the website limiting incorrect password attempts. This is not always implemented, even by companies that should know better (e.g. I believe Apple’s “find my iPhone” facility was implicated in the theft of celebrity photos because it did not limit incorrect password retries, allowing passwords to be attacked by brute force).
I would speculate that in many cases the weak point on an account is likely to be the user themselves (open to phishing scams) or the password recovery process (security questions that might be easier for someone else to answer than you might think…).
Personally I use LastPass and enable two factor authentication wherever possible.
Thanks for the detailed and interesting post, Nick. I think you’re right, the biggest weakness in any sort of security is down to us users via phishing scams. I received a first the other day: ‘PayPal’ called me on my landline and told me that in order to reactivate my account, I needed to tell them my password. Yes, really. I didn’t, of course!
Hi Steve
Great idea re the added layer of security – I write hints and clues for my passwords at work, to the amusement of my colleagues (but they still can’t guess them!).
I’ve been using a password manager for about a year now. At last count, I had over 140 online logins, so there is no way for me to remember that many different, complex ones. To slightly mitigate the risk of the password manager itself being hacked, I don’t store my main bank account or my recovery email address in there. This also helps if for whatever reason I can’t access my password manager. It is so much easier to remember just 2 different complex passwords (plus the mega one for the password manager). I have to admit that there are times it can be slightly inconvenient, but this is far outweighed by the security and convenience of not having to type in passwords all the time, or to try and think them up – it generates new ones for me.
Hey Mrs ETT
Cheers for the input – I will definitely set up a password manager and I think like you, I won’t store my main bank account on there. I think the reason why I’ve not used password managers before was perhaps due to trust (although they must be very different beasts from when they first came out) but also, I thought they would be inconvenient but compare that to the inconvenience of being hacked! My task for this weekend then – password manager!
I looked at a password manager once but couldn’t be arsed with it in the end.
Probably a very lax attitude but as people have said you could spend a lot of effort creating passwords that are hard to crack then just have the website/bank whatever hacked anyway so it’s not really in your hands.
That password strength thing is good. The main takeaway is that longer passwords are better than funky ones that are hard to remember (as xkcd link confirms above) Funnily enough the following password:
f**koffi’mnotgivingyoumypassword
Came out with the following:
63 DECILLION YEARS
to crack your password
🙂
We had a guy come into work the other day who was a professional hacker, he did some security training with us, and it is scarily easy how some websites are to hack. He told us how with free to download software the 15 year old Kid with very little hacking knowledge used to hack all the Sony playstation accounts. Yes that’s right pretty much anyone could have done that it’s just he had the balls/stupidity to actually go and do it.
Scary stuff indeed!
I’ve signed up to Dashlane now and it’s not bad, though will take some getting used to. It’s managed to trace a lot more logins and passwords that I thought I actually had – those could have been stolen and I’d not even know about them until too late!
LOL @ 63 decillion years!
I have 1 password for the vast majority of sites I don’t care about, and a few others for the financial ones. I happy to write them down on paper (with letters missing) as I’m more confident about the physical security of my house (and visibility of any breach occuring) than any password manager.
Hi John B
Yes, I too have the same password for certain ‘unimportant’ sites.
I have written notes and clues to my passwords in the past but I think I will go down the way of a password manager.
Hey Weenie,
I have used password manager 1Password for about 2 years now and I honestly don’t know how I survived without it before. I have really strong passwords for all the sites I use as a result. Of course if 1Password did somehow get hacked I’d be in trouble. The way I look at it is that it’s their sole business and what they base their reputation on…if they ever got hacked they’d basically be doomed, so I figure they have ample incentive to stay at the forefront of security. Possibly a bit naive for a viewpoint, but in any case I feel a lot more secure online that I used to be!
OR
Hey OR
Well, I’ve signed up to Dashlane now and it’s already helped me keep track of the various online accounts as I’ve been doing my Christmas shopping!
In the back of my mind, I’m still a little nervous hence there are a couple of accounts which I haven’t included.