Posts

Are Password Managers as Safe as You Think They Are?

You have probably heard of password managers, and you probably think they are pretty safe, right? Well, there is new research out there that may might make you think twice, especially if you use password managers like KeePass, 1Password, Lastpass, or Dashlane. Frankly, I’m not worried about it, but read on.

Specifically, this study looked at the instances of passwords leaking from a host compute or focused on if these password managers were accidently leaving passwords in the computer’s memory.

What was found was that all of the password managers that were looked at did a good job at keeping these passwords secure when in a state where it was “not running.” This means that a hacker would not be able to force the program into giving away the user’s passwords. However, it was also noted that though each password manager that was tested attempted to scrub these passwords from the memory of the computer, it wasn’t always successful…meaning, your passwords could still be in the memory.

Some of these programs, like 1Password, seemed to have left the master password, but also the secret key for the program. This could possibly allow a hacker to access the info in this program. But, it’s important to note that these programs are trying to remove this information, but due to various situational issues, it’s not always possible.

Another program, LastPass, was also examined, and it, too, caused some concern amongst researchers. Basically, the program scrambles the passwords when the user is typing them in, but they are decrypted into the computer’s memory. Additionally, even when the software is locked, the passwords are still sitting in the memory just waiting for someone to extract it.

KeePass, which is yet another password manager, was also looked at here. In this case, it removes the master password from the computer’s memory, and it is not able to be recovered. However, other credentials that were stored in KeePass were able to be accessed, which is also problematic.

Should you be worried about this? Well, it depends on your personal thought process. Some people probably won’t care too much, and others won’t be affected because they don’t use password managers that have these issues. Since the researchers pointed out these issues each password manager has done their own updates and corrected any issues. The real vulnerability isn’t the security of the password managers but the security of the devices, their users and if the users are deploying the same password across multiple accounts.  Using the same password over and over is the risk here. So get a password manager so you can have a different password everywhere.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

5 Digital Security Tips That You Should Always Beware Of

Hackers are out there, and they have their eyes on YOU! So, you are the first line of defense against them. Do you know how to make your smart phone or computer more difficult for hackers to access? Here’s five tips to help:

Password Information

  • You would think that these days, everyone would know how to create and use a strong password, but people don’t. Every online account you have should have a strong, long password made of a combination of symbols, letters, and numbers. You should also use a different password for each account.
  • A good, strong password is at least 8-12 characters in length. It is also made up of both upper case and lower-case letters, symbols and numbers. Make sure it doesn’t spell anything, either. Example: “yi&H3bL*f#2S” However a phrase will do to. Such as iLike1ceCream!
  • Activate two-factor authentication on every account you can. This way, even if your password gets into the wrong hands, the hacker can’t get in unless they also have access to your smartphone.

Understand the Cloud

  • Yes, the cloud is pretty cool, but it is still vulnerable. The cloud, essentially is just internet connected servers that sit in climate controlled secure facilities. These are generally secure. However, if your device doesn’t have the best security, the data in the cloud becomes vulnerable through your device. Example: your bank which is cloud based, is unlikely to get hacked, but your PC is. If you don’t use security software, or if you don’t update your software, cloud security doesn’t matter much.
  • Since the cloud is a huge source of data, a lot can go wrong. So, should you rely on the cloud to protect you or should you protect yourself? Feel good that in general whatever cloud serve you are using is secure. But if you are downloading pirated content and shady software, then cloud security will not protect you.

New Devices Don’t Mean Safe Devices

  • Many believe that if they have a new device that it is perfectly safe. This isn’t true. Androids and Macs need antivirus just like PCs need antivirus. And right out of the box, all devices operating systems, browsers and software should be updated.

Antivirus Software is Great, But Not Perfect

  • Yes, it’s awesome to have good antivirus software, but it’s not the only thing you have to do to keep your device safe. Think of your antivirus software as an exterminator. Like a pest control expert in your home, they get out the vast majority of insects when you call them. However, they can’t 100% eradicate every single egg, larvae, and bug. Free antivirus software is the same. It does a great job for the most part, but it won’t get everything. Free antivirus doesn’t come with a firewall, antispyware, antiphishing or other fundamental security tools. A paid service will generally accomplish this.
  • Ask yourself this: would you want your bank using free antivirus software? Then why do you?

Updating Your System

 It can get annoying when your system alerts you with a pop-up to update your software, but don’t hit “remind me later.” In most cases, this update contains important security patches that you need to install to be safe. It’s best to allow automatic updates on every device.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Use a Password Manager Or You WILL Get Hacked

Do you ever use the same password over and over again for different accounts? If so, you are not alone. However, this is quite dangerous. It’s best to use a different, unique password for each account, and to make it easier, you should use a password manager.

According to surveys, people understand that they should use unique passwords, and more than half of people get stressed out due to passwords. Furthermore, about 2/3rds of people said that they had forgotten a password or that a password issue had cause problems at work.

However, a password manager can easily solve the issues associated with passwords. A password manager is a type of software that can store login info for any and all websites that you use. Then, when you go to those websites, the password manager logs you in. These are safe, too. The information is stored on a secure database, which is controlled by a master password.

Using a Password Manager

Most people have more than one online account, and again, it’s so important to have a different password for each account. However, it’s very difficult to remember every password for every account. So, it’s not surprising that people use the same one for all of their accounts. But, if using a password manager, you can make it a lot easier.

  • When using a password manager, you can create a password that is safe and secure, and all of your passwords are protected by your master password.
  • This master password allows you to access all websites you have accounts on by using that master password.
  • When you use a password manager, and you update a password on a site, that password automatically is updated on all the computers that use your password manager.

Password Managers Can Ease Your Stress

When you first start using a password manager, it’s likely that you’ll notice you have fewer worries about your internet accounts. There are other things you will notice, too, including the following:

  • When you first visit a website, you won’t put your password in. Instead, you can open the password manager, and then there, you can put your master password.
  • The password manager you use fills in your username and password, which then allows you to log into the website with no worries.

Things to Keep in Mind Before You Use a Password Manager

Password managers available on the internet from many reputable security companies. However, before you pay for them, there are some things that you should keep in mind:

  • All of the major internet browsers have a password manager. However, they just can’t compete with the independent software that is out there. For instance, a browser-based password manager can store your info on your personal computer, but it may not be encrypted. So, a hacker can might that information anyway.
  • Internet browser-based password managers do not generate custom passwords. They also might not sync from platform to platform.
  • Software based password managers work across most browsers such as Chrome, Internet Explorer, Edge, Firefox and Safari.

Password Managers are Easy to Use

If you are thinking about using a password manager, the first step is to create your master password.

  • The master password has to be extremely strong, but easy to remember. This is the password you will use to access all of your accounts.
  • You should go to all of your accounts and change your passwords using the password manager as an assistant. This ensures that they are as strong as possible, too.
  • The strongest passwords contain a combination of numbers, uppercase and lowercase letters, and symbols. Password managers often create passwords using this formula.

Managing your accounts online is really important, especially when you are dealing with passwords. Yes, it’s easy to use the same password for every account, but this also makes it easy for hackers to access those accounts.

Don’t Reuse Your Passwords

You might think it would be easy to reuse your passwords, but this could be dangerous:

  • If your password is leaked, hackers can get access to all of your sensitive information like passwords, names, and email addresses, which means they have enough information to access other sites.
  • When a website is hacked, and all of your passwords and usernames are discovered, the scammer can then plug in those passwords and usernames into all of your accounts to see what works. These could even give them access to your bank account or websites like PayPal.

Ensuring Your Passwords are Secure and Strong

There are a number of ways to ensure your passwords are secure and strong. Here are some more ways to create the best passwords:

  • Make your passwords a minimum of eight characters long.
  • Mix up letters, numbers, and symbols in the password, making sure they don’t spell out any words.
  • Have a different password for every account that you have. This is extra important for accounts containing financial information, like bank accounts.
  • Consider changing your password often. This ensures your safety and security.

If you have a weak password, you are much more susceptible to hacks and scams. So, protect your online existence, and start utilizing these tips.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Remember This: Hackers Like Strong Passwords, Too

In late 2016, a huge data breach occurred. More than 412 million accounts were affected when hackers got into FriendFinder Networks.

5DAccording to sources, approximately a million of those accounts had the password ‘123456,’ and approximately 100,000 has the password that was simply, ‘password.’ This, of course, is despite the efforts from pros about password management and the importance of a strong password.

Complex Passwords are Inconvenient

This data breach is just one of many, and it shows that using passwords alone are risky and have consequences. Additionally, complex passwords are inconvenient, and this means that people often avoid using them, or they write them down, or use them across multiple accounts, meaning there is a great chance that they can be stolen.

Keeping in mind, still, that passwords are flawed. This is not because they are often so easy to guess and easy to hack, it’s because they are quite expensive to maintain. Approximately 20 to 50 percent of calls to the help desk are due to password resets because people forget them.

All of this means that things have only gotten worse when it comes to the usability of passwords over the past few years. So, to keep the control that is necessary to ensure the data is safe in an organization, the IT team must use tools that will address these major security concerns. When you consider all of this, it is truly shocking that so many people are still using passwords such as ‘password’ and ‘123456.’

If you look at all of the data-breaches that have occurred in 2016 and consider the millions of people who have been caught up in these breaches, it’s absurd that people are picking passwords that are so easy to guess.

However, you also should keep in mind that it doesn’t matter what your password is, security experts and IT professionals keep hammering in the importance of changing passwords. Even if you are choosing passwords that are a bit more advanced than ‘123456,’ you should still change your password, often.

You also must consider this: it doesn’t matter how good your password is and how complex you make it; passwords are still vulnerable. What we need is a change in our thoughts about security and a revision of our concept of what a password is and does.

In some form or another, passwords have existed as a way to secure information for centuries. For most of this time, they have worked well. However, with technology changing the world, this old form of security needs to be refreshed to meet the needs of the time.

More Security is Necessary

To overcome all of the issues that are associated with passwords, companies should take time to look at different forms of security. All you are doing now is wasting time and money by changing passwords and making them stronger. On top of this, when your business experiences a data breach, you could be facing a fine and of course, embarrassing questions. Instead, it’s time to drop this concept of using passwords as the only means of security.

We need an approach that eliminates passwords altogether. Using, for instance, two factor or multi factor authentication or better, un-hackable security tokens is one way to ensure that no passwords are stored, created, or transmitted. This will help us all to remain safe.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

If You use these Passwords, You will get hacked

Have you heard of iDict? It’s a tool that hackers can use to get passwords via what’s called brute force attacks. It’s designed to crack into iCloud’s passwords, and supposedly it can circumvent Apple’s anti-brute force attack security.

5DBut iDict doesn’t have as big a bite as you might think. A long, strong password is no match for iDict. But if you have a password that’s commonly used (yes, hundreds of people may have your exact passwords; you’re not as original as you think), then it will be a field day for iDict.

Some examples of passwords that iDict will easily snatch are:

password1, p@ssw0rd, passw0rd, pa55word—let me stop here for a moment. What goes on in the heads of people who use a variation of the word “password” as a password? I’m sure that “pa$$word” is on this list too.

And here are more: Princess1, Michael1, Jessica1, Michelle1 (do you see a pattern here?) and also John3:16, abc123ABC and 12qw!@QW. Another recently popular password is Blink182, named after a band.

Change your password immediately if it’s on this list or any larger list you may come upon. And don’t change it to “passwerdd” or “Metallica1” or a common name with a number after it. Come on, put a little passion into creating a password. Be creative. Make up a name and include different symbols.

For additional security, use two-factor authentication when possible for your accounts.

Though iCloud has had some patch-up work since the breach involving naked photos of celebrities (Don’t want your nude pictures leaking out? Don’t put’em in cyberspace!), iCloud still has vulnerabilities.

And hackers know that and will use iDict. If your password isn’t on the top 500 list from github.com, but you wonder if it’s strong enough, change it. If it has a keyboard sequence or word that can be found in a dictionary, change it. If it’s all letters, change it. If it’s all numbers, change it.

Make it loooooong. Make it unintelligible. Dazzle it up with various symbols like $, @, % and &. Make it take two million years for a hacker’s automated password cracking tools to stumble upon it.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Lessons learned from a Password Attack

It’s easy for millions of passwords to be stolen via hacking into Facebook, Twitter and Gmail accounts: It recently happened because malware was unknowingly downloaded into computers worldwide that extracted log-in information. The data was then directed to the hackers’ server, which was tracked to the Netherlands.

5DA password is never 100 percent secure, but instead, more or less secure than others. Passwords can be cracked in many ways:

Cracking security questions. It seems that most people use easily-traceable names for their secret question when registering a password, such as names of family members and schools they attended. This information is often on their social media profiles and, with a bit of legwork, can be figured out. Often, passwords include these names as well.

Simple passwords. The passwords of 123456, abc123, 11111, etc., are easy to type out and are also among the most common, and thus easily figured out. “Princess” and “querty” are also commonly used words.

Using the same passwords for different sites. One-third of data-breach victims in a recent attack had been reusing passwords. Password reuse for social media, banking and e-mail opens the gate to identity theft.

Dictionary attacks. Software exists that will run any word that’s found in a dictionary (or commonly misspelled words) into the password field. If you use these words, the software will eventually score a hit.

Social engineering. This is when a thief tricks a user into revealing a password (often by sending an “urgent” e-mail informing the user to visit a site where he “must” type in his password).

There is still hope that one day a way to design a 100 percent secure password will be developed, perhaps through a fusion of biometrics, multi-factor authentication and image-based access.

What can you do in the meantime?

  • Use non-traceable words for passwords and answers to secret questions.
  • Avoid using passwords that flow easily off your fingertips like 67890, asdfg, etc.
  • Never reuse passwords. Passwords for all accounts should be very different from each other.
  • Invent names for your passwords that can’t be found anywhere. Avoid phonetic variations of common words or proper names. Don’t use backwards-spelled words.
  • Make sure nobody can see you enter your password.
  • Always log off if other people are nearby no matter how briefly you’ll be away.
  • Use up-to-date comprehensive security software.
  • Never use your password on a public computer.

Robert Siciliano, is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! . Disclosures For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247.