Here is what we're working on and thinking at Hedgehog Security.

So, two newsworthy cases of criminal activity, probably based on passwords recovered from other attacks or exposures, in little more than a week. This week the National Lottery released a statement, updated today, revealing that it had detected suspicious activity in which over 26,000 customer accounts had been accessed, around 50 of them with actual financial activity since then. Last week there was the affair of the bogus Deliveroo food orders.
It is no accident that when I was asked, last year, for my 10 rules on good personal password management, the very first was "no password re-use". If you re-use a password you are delegating the safety of all your online accounts to the one with the poorest security. Think about that for a moment. Compare the team behind your bank account, and the effort that goes into keeping your identity and money safe, with that little one-person-in-a-bedroom craft store which is probably too busy with the business to ever stop and consider the implications. Who do you think has the greater understanding of security, systems defence and customer safety? Now, if you use the same credentials for the bank as for the craft store, and through some oversight or poor understanding of good process and configuration your account details end up in a criminal's hands, your bank account suddenly becomes a nice juicy target for them to locate and abuse.
Never re-use passwords. This is particularly important where money is involved, but it matters almost as much the rest of the time, because there is probably identity detail to be gathered somewhere amongst your accounts that could be put to other fraudulent use.
Of course it is never too late to change. Even if you currently have accounts sharing passwords, the solution is very simple: change them, and use a password manager to help with the task of managing them. The moment you change the password, whatever old password information a would-be snooper or intruder might have is invalidated.
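The first practical step in "change them" is finding out which of your accounts actually share a password. The script below is an added example, not code from Hedgehog Security or from any password manager: it reads a constructed password-manager export (the CSV columns `name,url,username,password` are an assumed format), groups accounts by password, and reports each reused group under a short hash so the passwords themselves never appear in the output. Groups that touch a high-value account (the `HIGH_VALUE` set is a constructed list) are ranked first, matching the post's point that re-use is worst where money is involved.

```python
"""Audit a password-manager export for password re-use.

Added example, not code from the original post. The export format (CSV with
name, url, username, password columns) is an assumption; real password
managers export similar but not identical columns.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export: every account and password below is invented.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example,alice,Tr0ub4dor&3
Craft store,https://craftshop.example,alice@example.com,Tr0ub4dor&3
Lottery,https://lottery.example,alice@example.com,Tr0ub4dor&3
Food delivery,https://food.example,alice@example.com,correct horse battery staple
Forum,https://forum.example,alice@example.com,correct horse battery staple
Email,https://mail.example,alice@example.com,x8#Kq2!vLp9zR$wM
"""

# Accounts where compromise has direct financial impact (constructed list).
HIGH_VALUE = {"Bank", "Lottery"}


def fingerprint(password: str) -> str:
    """Short, non-reversible label for a password so the report never shows it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(export_text: str) -> dict[str, list[str]]:
    """Group account names by password; return only groups shared by two or
    more accounts, keyed by fingerprint rather than by the password itself."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        groups[row["password"]].append(row["name"])
    return {fingerprint(pw): sorted(names)
            for pw, names in groups.items() if len(names) > 1}


def prioritise(reuse: dict[str, list[str]], high_value=HIGH_VALUE):
    """Order reused groups so those touching a high-value account come first.
    Returns a list of (fingerprint, names, touches_high_value)."""
    ranked = [(fp, names, bool(set(names) & high_value))
              for fp, names in reuse.items()]
    # Urgent groups first (False sorts before True), then by fingerprint.
    ranked.sort(key=lambda item: (not item[2], item[0]))
    return ranked


def report(export_text: str) -> list[str]:
    """Human-readable lines, one per reused password, most urgent first."""
    lines = []
    for fp, names, urgent in prioritise(find_reuse(export_text)):
        flag = "CHANGE FIRST" if urgent else "change"
        lines.append(f"{flag}: password {fp} shared by {', '.join(names)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

Run it against a real export only on a machine you trust, and delete the export file afterwards: the plaintext CSV is itself the kind of exposure the post warns about. Reporting by fingerprint means the output can be kept as a to-do list without it becoming a second copy of your passwords.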