Anyone can easily get online and steal passwords - and it will not cost them much either.
This was the message during a live hack coordinated this morning by Jason Hart, senior vice president in Europe for two-factor authenticaton provider CRYPTOCard.
During the hack, he set up his own wireless hotspot, which he simply called BT Openzone.
As delegates used the wireless service, Hart was able to get hold of whatever usernames and passwords were being typed into web applications, just by using an easily downloadable password recovery tool called Cain & Abel.
When Hart and his team tested out the method across cafes in the UK, 100 per cent of web browsers in the various establishments used the fake BT Openzone service.
"That's how easy it is, it is instant," said Hart.
"People believe passwords are secure, but if someone has got your password you won't know about it."
There are various other methods people can use to acquire passwords, from searching for them with simple Google algorithms to using paid-for services run by groups such as the Slick Hackers Group, the security expert explained.
He claimed the solution to the problem was two-factor authentication, where two independent forms of identification are required in conjunction to allow user access.
"There should be no reason why internet service providers shouldn't be supplying everyone with two-factor authentication," Hart added, noting Virgin Media had committed to offering such services with the help of CRYPTOCard.
He also sought to dispel the myth that using complex passwords will protect user accounts from hackers. Cyber criminal's methods for stealing passwords render length and variation in characters, letters and numbers meaningless, Hart said.
"Obviously people need to not have a password that is 'password'," he added.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
I love magic links – why aren’t more services using them?Opinion Using magic links instead of passwords is safe and easy but they’re still infuriatingly underused by businesses
-
Password management startup Passbolt secures $8 million to shake up credential securityNews Password management startup Passbolt has secured $8 million in funding as part of a Series A investment round.
-
LastPass breach comes back to haunt users as hackers steal $12 million in cryptocurrencyNews The hackers behind the LastPass breach are on a rampage two years after their initial attack
-
GitHub launches passkeys beta for passwordless authenticationNews Users can now opt-in to using passkeys, replacing their password and 2FA method
-
Microsoft SQL password-guessing attacks rising as hackers pivot from OneNote vectorsNews Database admins are advised to enforce better controls as attacks ending in ransomware are being observed
-
No, Microsoft SharePoint isn’t cracking users’ passwordsNews The discovery sparked concerns over potentially invasive antivirus scanning practices by Microsoft
-
Microsoft Authenticator mandates number matching to counter MFA fatigue attacksNews The added layer of complexity aims to keep social engineering at bay
-
As Google launches passwordless authentication for all, what are the business benefits of passkeys?News Google follows Apple in its latest shift to passwordless authentication, but what are the benefits?
