Posts

Don’t Name Your Dog After Your Password

Recently I got a puppy for my child. We decided to name the puppy 4wgu23x5#9. My wife,8yysH3m, thought we should name the dog 0x2%#b5. But I’m sure she’ll get over it. Meanwhile, I’m helping my older child with setting up a few social media accounts, and I suggested the two passwords: Rover and Spot.

5DIs there something wrong with this picture?

Of course! But this picture replays itself millions of times over all the time, as people name their passwords after their pets, family members or favorite sports teams. Don’t do online what you wouldn’t do in real life.

When creating passwords remember that you should avoid using things that are personal to you and that could be easy for a hacker to find out about you. Things like your pet’s name, maiden name, birthday, name of your high school and child’s name can be easily found on social networks, making it even easier for hackers to crack your passwords.

Here are some other great tips to make sure that your passwords are strong and protected:

  • Make sure your passwords are at least eight characters long and include numbers, letters and characters that don’t spell anything.
  • Use different passwords for separate accounts, especially for banking and other high-value websites.
  • Change your passwords frequently.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Lost your Master Password, do This

You have a master password, from your password manager, for 28 accounts. Life has been so easy since!

5DBut then you lose this master password. First off, you can’t fix this like you would if you forgot your password for PayPal or your credit card’s site. Plus, each password manager service has a different solution.

Yet how do you lose a master password in the first place? If it’s impossible to remember,then it may not be a good master password, regardless it should be written down somewhere in a secret location.

Lifehacker.com explains the requirements for various password manager services if you actually lose your master password.

Dashlane

  • A lost master password with Dashlane is like, well…imagine your backpack falling into a dark crevasse—gone forever—even if you have applications for your smartphone for Dashlane.
  • You’ll need to create a new account or reset the existing account, but either way, you must start from scratch.

1Password

  • You’re out of luck if you lose your master password—gone with the wind; you must begin all over again, just like with Dashlane.

LastPass

  • Offers a one-time password, after which you must reset your password
  • Requires the computer you’ve already been using LastPass for
  • You’ll need the associated e-mail account. Otherwise, you must begin everything from ground zero.

KeePass

  • Lose your master password with this and you’re done. You must start from scratch.
  • Don’t even bother trying to crack it because KeePass does have built-in protection.

Roboform

  • It’s too bad here, too. Resetting your password means losing all of your data.

Of course, you don’t ever have to be in this hairy situation in the first place.

  • Write down your master password and store it in a secret location; do this several times, even, and make sure the locations are ones you won’t forget.
  • Write down the one-time password or backup code for your service (if it has these features). Write it down in more than one location, e.g., tape a stickie with it on the underside of your desk may not be the most secure, but an option.
  • See if the service allows you to export your password, then do so. Then save it on your computer and also print it out for a hardcopy duplicate. For better security don’t store it in your computer but instead in a USB drive (in addition to hardcopy).
  • See if the service provides a feature for emergency contacts, then set this feature up.
  • Back up all of your data as a general rule.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Password Security vulnerable to Trickery

There’s only one entrance to the house: a steel door two feet thick. If someone from the outside touched the door—even with a battering ram—they’ll get an electric shock. No bad guys could get through, right?

2DWell, suppose the bad guy tricks the homeowner into opening the door…and once open, the bad guy strangles the homeowner. Do you see what happened? All that security is worthless if the homeowner can be tricked. And the same goes for passwords. You can have the longest, strongest, most gibberish password around…but if you allow yourself to be skunked by a hacker…it’s over.

Think you can’t get skunked? A hacker could post a link to a “video” claiming it’s Taylor Swift with a 50 pound weight gain—anything to get you to click—and you end up downloading a virus to your computer.

Or maybe you get suckered into giving your credit card number and the three-digit code on its back to some site to “re-verify your credentials” because your account has been “compromised” – says an e-mail supposedly from the company you have the account with. Instead it’s a phony e-mail sent by a hacker.

Security begins by not falling for these ruses but also by not having crummy passwords.

First ask yourself if it’s super easy to remember any of your passwords. If it is, chances are, they contain actual names of people…or pets…in your life. If you have your pet and its name plastered all over your Facebook page, for instance…a hacker will figure that your password contains the name.

Another way to easily remember—and type—passwords is to use keyboard sequences. Maybe you use the same password for 14 accounts: 123kupkake. Is this easy for a hacker to crack? Depending on the level of sophistication of the hacker and the tools he possess, maybe. Imagine a hacker cracking this with his software. He’ll get into all your accounts if you have the same password.

There are many password manager services out there to help you create a strong, long password, though randomly hitting keys on your keyboard will produce the same result. But the password manager will grant you a single password to get into all your accounts, sparing you the drudgery of having to remember 14 long passwords of jumbled characters.

Another layer of security is to try to only register with online accounts that have two-factor authentication. For instance, see if your bank offers this (many actually don’t). Two-factor makes it next to impossible for someone to hack into your account.

Strong and long passwords—all different for all of your accounts; a password manager; two-factor authentication; and what else? Don’t be suckered into giving up your private information!

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

If You use these Passwords, You will get hacked

Have you heard of iDict? It’s a tool that hackers can use to get passwords via what’s called brute force attacks. It’s designed to crack into iCloud’s passwords, and supposedly it can circumvent Apple’s anti-brute force attack security.

5DBut iDict doesn’t have as big a bite as you might think. A long, strong password is no match for iDict. But if you have a password that’s commonly used (yes, hundreds of people may have your exact passwords; you’re not as original as you think), then it will be a field day for iDict.

Some examples of passwords that iDict will easily snatch are:

password1, p@ssw0rd, passw0rd, pa55word—let me stop here for a moment. What goes on in the heads of people who use a variation of the word “password” as a password? I’m sure that “pa$$word” is on this list too.

And here are more: Princess1, Michael1, Jessica1, Michelle1 (do you see a pattern here?) and also John3:16, abc123ABC and 12qw!@QW. Another recently popular password is Blink182, named after a band.

Change your password immediately if it’s on this list or any larger list you may come upon. And don’t change it to “passwerdd” or “Metallica1” or a common name with a number after it. Come on, put a little passion into creating a password. Be creative. Make up a name and include different symbols.

For additional security, use two-factor authentication when possible for your accounts.

Though iCloud has had some patch-up work since the breach involving naked photos of celebrities (Don’t want your nude pictures leaking out? Don’t put’em in cyberspace!), iCloud still has vulnerabilities.

And hackers know that and will use iDict. If your password isn’t on the top 500 list from github.com, but you wonder if it’s strong enough, change it. If it has a keyboard sequence or word that can be found in a dictionary, change it. If it’s all letters, change it. If it’s all numbers, change it.

Make it loooooong. Make it unintelligible. Dazzle it up with various symbols like $, @, % and &. Make it take two million years for a hacker’s automated password cracking tools to stumble upon it.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

3 Stupid Simple Tips to protect your Identity

For anyone who goes online, it’s impossible to hack-proof yourself, but not impossible to make a hacker’s job extremely difficult. Here are three things to almost hack-proof yourself.

http://www.dreamstime.com/stock-photos-identity-theft-red-words-binary-code-computer-monitor-image39907813Two-factor authentication. Imagine a hacker, who has your password, trying to get into your account upon learning he must enter a unique code that’s sent to your smartphone. He doesn’t have your smartphone. So he’s at a dead-end.

The two-factor authentication means you’ll get a text message containing a six-digit number that’s required to log into your account from someplace in public or elsewhere. This will surely make a hacker quickly give up. You should use banks and e-mail providers that offer two-factor. Two factor in various forms is available on Gmail, iCloud, PayPal, Twitter, Facebook and many other sites.

Don’t recycle passwords. If the service for one of your accounts gets hacked, the exposed passwords will end up in the hands of hackers, who will invariably try those passwords on other sites. If you use this same password for your banker, medical health plan and Facebook…that’s three more places your private information will be invaded.

And in line with this concept of never reusing passwords, don’t make your multiple passwords sound schemed (e.g., Corrie1979, Corry1979, Corree1979) for your various accounts, because a hacker’s penetration tools may figure them out.

Use a password manager. With a password manager, you’ll no longer be able to claim not being able to remember passwords or “figure out” how to create a strong password as excuses for having weak, highly crackable passwords. You’ll only need to know the master password. All of your other passwords will be encrypted, penetrable only with the master password.

A password manager will generate strong passwords for you as well as conduct an audit of your existing passwords.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

The “Heartbleed” Bug has not been exterminated

Though the breaking news of the Heartbleed vulnerability is a month old, this doesn’t mean that this “bug” has been squashed.

heartbleedThere still remain about 318,000 servers that are vulnerable to this OpenSSL bug, according to security researchers, though this figure is about half of what it was a month ago.

The Errata Security blog announced they calculated the 318,000 via a recent global Internet scan, which also revealed that more than 1.5 million servers still remain supportive of this “heartbeat” thing.

And there may actually be a lot more servers “bugged” because the count applies only to verified cases. Nevertheless, why are there over 318,000 still affected a month after aggressive Heartbleed mitigation went into effect?

Fraudsters can use this bug to attack those 318,000 systems. This flaw in encryption leaves private data like credit card numbers and passwords open for the kill.

Though many of the giant services fixed this problem within a prompt timeline, the smaller services are still struggling with it, and hackers know this. A crook can identify the compromised server and then exploit the bug and steal the private data that’s in the server’s memory or take control of an online session.

So how can you protect your private information?

  • Go to http://tif.mcafee.com/heartbleedtest, which is McAfee’s Heartbleed Checker tool. Enter the URL of a website to see if it’s vulnerable.
  • If no vulnerability is detected, change your password for that site. After all, if a site has already been bugged, changing your password at that point is useless.
  • If vulnerability has been detected, then keep an eye on your account activity for signs of unauthorized activity.
  • After a site has been patched up, then change your password.
  • And this time (if you already didn’t originally), create a strong, long password. This means use a mix of characters (letters, numbers, symbols) and use more than eight. And don’t include a word that can be found in the dictionary unless your password is super long, such as “I eat Martians for breakfast.” (The spaces count.) This would be a nearly uncrackable password due to its length and nonsensicality. But so would the more difficult to remember Y48#dpkup3.
  • Consider a password manager for creating strong passwords and remembering them, such as McAfee SafeKey.
  • For better security use two-factor authentication. This involves a one-time code for each time someone tries to log into an account.
  • As ongoing protection consider a credit freeze and identity theft protection to prevent new account fraud.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Should You Store Passwords In The Cloud?

It seems that almost every site on the web requires a password. At least twice a week, I get an email from someone who wants me to join yet another network, which requires yet another username and password. You can cop out and use the same username and password combination, but that’s just asking for trouble.

The key to surviving password management going forward is to make a small investment in a password management service that stores your passwords in the cloud and also on your computer. The best thing about a password manager is that you ultimately have just the one master password to remember, which gets you access to all the different passwords for each site.

What to look for:

  • A password generator tool that makes strong passwords that cannot be cracked, and that you never really need to remember, because they are all stored in the password manager.
  • One that works across multiple browsers and can sync multiple PCs.
  • Smartphone application syncing with the cloud.
  • Security of password managers is pretty much a nonissue at this point, since most have levels of encryption that can’t be easily cracked.

The real security vulnerability is with your own computer and any existing or future malware that can log your keystrokes or take screenshots. Run virus scans and the most updated version of your antivirus software to prevent any infections.

Another layer of protection is to add your computer’s built-in onscreen keyboard to your task bar and use it to enter your master password.

Cloud-based password managers:

RoboForm is my favorite. It’s $9.95 for the first year and $19.95 every year after that.

Install RoboForm on as many computers and mobile devices as you wish, all with the same license. Seamlessly keep your passwords and other data in sync. Always have a backup copy of your passwords and other information. It’s also extremely secure and easy to use.

Keepass is free. This is a free open-source password manager, which helps to securely manage your passwords. You can store all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see their features page.

For $39.35, 1Password can create strong, unique passwords, remember them, and restore them, all directly in your web browser.

LastPass is also another good free option.

Using a password management tool like those listed above is easier: never forget a password again and log into your sites with a single mouse click.

It’s everywhere: the program automatically synchronizes your password data, so you can access it from anywhere at anytime.

It’s safer: protect yourself from phishing scams, online fraud, and malware.

It’s secure: all of your data is encrypted locally on your PC, so only you can unlock it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures