Posts

Creating Passwords that are Bulletproof

It can be a real hassle to keep track of the passwords you use. So many people use the same combination of username and password for every account. However, this isn’t a good idea. In fact, it’s terrible. You see, these days, many data breaches could be traced back to people using the same password across multiple accounts. And once the bad guy finds his way in, especially logging into your email, it is game over. From there, it’s easy to reset the pass code for almost all of your accounts when the bad guy controls your email too.

All it takes is a cracker to find this password, and now every account you have is compromised. And finding that password is even easier. Some studies show as many as 40 million records were compromised in 2021. Many of those records are passwords. At ProtectNowLLC.com, we have a tool that has access to over 12 billion compromised records where you can search your username aka your email address to find out if your username and associated password have been compromised on a variety of breached accounts.

Thankfully, there is an easy solution: use a password manager. I’ve had a password manager in place since 2004. At this point I probably have close to 700 different online accounts. And I might know the password for maybe five of them. The rest, only my password manager knows the password which I can easily look up. But I’ve never committed them to memory. Most people say “what if the password manager gets hacked” while this might be a valid concern, it’s not a concern of mine.

The low hanging fruit isn’t a password manager getting hacked, it’s people reusing the same passcode across multiple accounts and those credentials being available on the dark web. But, if you don’t want to use a password manager because you’re afraid the password manager is going to get hacked, you can also do the following:

Creating a Unique Password

Research shows that the best passwords are 14 characters long. Those that are shorter than that are easier to figure out. If a site doesn’t let you create a password that is 14 characters, it is possible to adapt it. Password managers do a very good job of creating/generating long strong unique complicated passcodes.

First, make a list of all of the sites you have a username and password for, and then put those sites into categories. For example, all of your sites for social media would be in a category, all of your email sites together, all of your banking sites together, and all of your shopping sites together.

Then you want to create a password that is eight characters. This will serve as the first part of any other password that you create. For example, the first eight characters might look like this:

CM&@t*yZ

Next, remember your categories? You will create a three-character password that is significant to those. For instance:

  • Social media sites – SM#
  • Email sites – &eM
  • Shopping sites – $h0
  • Banking sites – 8aN

So, this gives you 11 characters of the recommended 14-character password that you want to use. Now, you need three more characters, and that would be specific to the site.  So, let’s say you are creating a password for your bank. This is made up like the following:

Eight-character + three-character password (category) + three-character (site)

So, for your bank, it would look like this:

CM&@t*yZ8aNp$X

This is a very difficult password to guess, and for many people, easier to remember. But it’s not easy for everyone to remember. There is a solution, but first, keep this in mind. When you have to change your password, you can keep the final six characters and just change the first eight.

Now, how can you remember the first part of the password? One way to do this is to simply write it down and store it in a safe place. However, don’t keep it near your computer. Another thing you can do is to create a phrase that will help you remember.

Here’s an example. Let’s say our phrase is “My brother asked me for bread and salt.” If you take the first letter for all of the words, it would be this:

MBAMFBAS

This could be your eight-character first part…and you can make it more secure by making some swaps:

M3@MFBA$

This still makes the password very difficult for a hacker to guess but makes it easier for you to remember. You can use the same method, of course, for the smaller parts of the password.

Honestly, if you’ve got even this far in this article, congratulations to you. You must be some weird math savant with an elephants memory. Frankly, the above gives me a headache. Like I said in the first three paragraphs, it’s best to just use a password manager and forget all of this work, but if you don’t want to, this method works pretty well.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Are Password Managers as Safe as You Think They Are?

You have probably heard of password managers, and you probably think they are pretty safe, right? Well, there is new research out there that may might make you think twice, especially if you use password managers like KeePass, 1Password, Lastpass, or Dashlane. Frankly, I’m not worried about it, but read on.

Specifically, this study looked at the instances of passwords leaking from a host compute or focused on if these password managers were accidently leaving passwords in the computer’s memory.

What was found was that all of the password managers that were looked at did a good job at keeping these passwords secure when in a state where it was “not running.” This means that a hacker would not be able to force the program into giving away the user’s passwords. However, it was also noted that though each password manager that was tested attempted to scrub these passwords from the memory of the computer, it wasn’t always successful…meaning, your passwords could still be in the memory.

Some of these programs, like 1Password, seemed to have left the master password, but also the secret key for the program. This could possibly allow a hacker to access the info in this program. But, it’s important to note that these programs are trying to remove this information, but due to various situational issues, it’s not always possible.

Another program, LastPass, was also examined, and it, too, caused some concern amongst researchers. Basically, the program scrambles the passwords when the user is typing them in, but they are decrypted into the computer’s memory. Additionally, even when the software is locked, the passwords are still sitting in the memory just waiting for someone to extract it.

KeePass, which is yet another password manager, was also looked at here. In this case, it removes the master password from the computer’s memory, and it is not able to be recovered. However, other credentials that were stored in KeePass were able to be accessed, which is also problematic.

Should you be worried about this? Well, it depends on your personal thought process. Some people probably won’t care too much, and others won’t be affected because they don’t use password managers that have these issues. Since the researchers pointed out these issues each password manager has done their own updates and corrected any issues. The real vulnerability isn’t the security of the password managers but the security of the devices, their users and if the users are deploying the same password across multiple accounts.  Using the same password over and over is the risk here. So get a password manager so you can have a different password everywhere.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

How to Create Bulletproof Passwords

It is a hassle to keep track of all of your passwords. So, many people use the same username and password combination for all of their accounts. This, however, is a big mistake. All it takes is one hacker getting ahold of one of your accounts, and the rest of your accounts are now compromised. Thankfully, there is a pretty easy way around this…One way is a password manager and for those who don’t trust them, try below.

Creating Passwords that are Unique

The best passwords are 14 characters. Passwords that are shorter are statistically much easier to guess. If a site doesn’t allow a password that is 14 characters, you can adapt the following to fit:

Make a list of all websites you have a username and password for, and then make lists categorizing them. For instance, put all of your social media sites together, your email sites, your shopping sites, and banking sites.

Next, create an eight-character password. This will be used as the first part of every password that you create. For instance, it might look like this:

H76&2j9@

Next, look at your categories. Create a three-character password for those. So, you might do this:

  • Social media sites – SM$
  • Email sites – @eM
  • Shopping sites – $ho
  • Banking sites – BaN

Finally, the last three characters of the 14-character password will be specific to the website.

Let’s say you are creating a password for your Facebook account:

Eight-character + three-character (category) + three-character (unique to site)

So, your password for Facebook would be:

H76&2j9@SMSg5P

This is now a very strong password ad for some of you that is much easier to remember. But not me, above doesn’t work for me. More in a minute…When you have to change your password in the future, you can keep the final six characters and just change the first eight.

So, how do you remember the first part of the password? One way is to just write it down in a secure location. Don’t keep in near the computer, though. Another thing that you can do is to create a passphrase, which makes it easy to remember a password.

Let’s use this phrase

“My sister asked me for milk and butter.” If you take the first letter of all of those words, you would have this:

MSAMFMAB

This could be used as your eight-character common denominator.

You can even go further and make it more secure by swapping out some of the letters with numbers or symbols:

M3AM4MA8

Now, the common part of the password is even more difficult to guess, yet still fairly easy to remember. You can also use this method for the shorter part of the password, or even come up with your own methods for password success.

Oh and that “in a minute” comment…just use a password manager and forget the above madness. My password manager created this: *zWo5j!wUxCVWV and it means nothing and I’ll never remember it because my password manager serves as my memory now.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Use a Password Manager Or You WILL Get Hacked

Do you ever use the same password over and over again for different accounts? If so, you are not alone. However, this is quite dangerous. It’s best to use a different, unique password for each account, and to make it easier, you should use a password manager.

According to surveys, people understand that they should use unique passwords, and more than half of people get stressed out due to passwords. Furthermore, about 2/3rds of people said that they had forgotten a password or that a password issue had cause problems at work.

However, a password manager can easily solve the issues associated with passwords. A password manager is a type of software that can store login info for any and all websites that you use. Then, when you go to those websites, the password manager logs you in. These are safe, too. The information is stored on a secure database, which is controlled by a master password.

Using a Password Manager

Most people have more than one online account, and again, it’s so important to have a different password for each account. However, it’s very difficult to remember every password for every account. So, it’s not surprising that people use the same one for all of their accounts. But, if using a password manager, you can make it a lot easier.

  • When using a password manager, you can create a password that is safe and secure, and all of your passwords are protected by your master password.
  • This master password allows you to access all websites you have accounts on by using that master password.
  • When you use a password manager, and you update a password on a site, that password automatically is updated on all the computers that use your password manager.

Password Managers Can Ease Your Stress

When you first start using a password manager, it’s likely that you’ll notice you have fewer worries about your internet accounts. There are other things you will notice, too, including the following:

  • When you first visit a website, you won’t put your password in. Instead, you can open the password manager, and then there, you can put your master password.
  • The password manager you use fills in your username and password, which then allows you to log into the website with no worries.

Things to Keep in Mind Before You Use a Password Manager

Password managers available on the internet from many reputable security companies. However, before you pay for them, there are some things that you should keep in mind:

  • All of the major internet browsers have a password manager. However, they just can’t compete with the independent software that is out there. For instance, a browser-based password manager can store your info on your personal computer, but it may not be encrypted. So, a hacker can might that information anyway.
  • Internet browser-based password managers do not generate custom passwords. They also might not sync from platform to platform.
  • Software based password managers work across most browsers such as Chrome, Internet Explorer, Edge, Firefox and Safari.

Password Managers are Easy to Use

If you are thinking about using a password manager, the first step is to create your master password.

  • The master password has to be extremely strong, but easy to remember. This is the password you will use to access all of your accounts.
  • You should go to all of your accounts and change your passwords using the password manager as an assistant. This ensures that they are as strong as possible, too.
  • The strongest passwords contain a combination of numbers, uppercase and lowercase letters, and symbols. Password managers often create passwords using this formula.

Managing your accounts online is really important, especially when you are dealing with passwords. Yes, it’s easy to use the same password for every account, but this also makes it easy for hackers to access those accounts.

Don’t Reuse Your Passwords

You might think it would be easy to reuse your passwords, but this could be dangerous:

  • If your password is leaked, hackers can get access to all of your sensitive information like passwords, names, and email addresses, which means they have enough information to access other sites.
  • When a website is hacked, and all of your passwords and usernames are discovered, the scammer can then plug in those passwords and usernames into all of your accounts to see what works. These could even give them access to your bank account or websites like PayPal.

Ensuring Your Passwords are Secure and Strong

There are a number of ways to ensure your passwords are secure and strong. Here are some more ways to create the best passwords:

  • Make your passwords a minimum of eight characters long.
  • Mix up letters, numbers, and symbols in the password, making sure they don’t spell out any words.
  • Have a different password for every account that you have. This is extra important for accounts containing financial information, like bank accounts.
  • Consider changing your password often. This ensures your safety and security.

If you have a weak password, you are much more susceptible to hacks and scams. So, protect your online existence, and start utilizing these tips.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Remember This: Hackers Like Strong Passwords, Too

In late 2016, a huge data breach occurred. More than 412 million accounts were affected when hackers got into FriendFinder Networks.

5DAccording to sources, approximately a million of those accounts had the password ‘123456,’ and approximately 100,000 has the password that was simply, ‘password.’ This, of course, is despite the efforts from pros about password management and the importance of a strong password.

Complex Passwords are Inconvenient

This data breach is just one of many, and it shows that using passwords alone are risky and have consequences. Additionally, complex passwords are inconvenient, and this means that people often avoid using them, or they write them down, or use them across multiple accounts, meaning there is a great chance that they can be stolen.

Keeping in mind, still, that passwords are flawed. This is not because they are often so easy to guess and easy to hack, it’s because they are quite expensive to maintain. Approximately 20 to 50 percent of calls to the help desk are due to password resets because people forget them.

All of this means that things have only gotten worse when it comes to the usability of passwords over the past few years. So, to keep the control that is necessary to ensure the data is safe in an organization, the IT team must use tools that will address these major security concerns. When you consider all of this, it is truly shocking that so many people are still using passwords such as ‘password’ and ‘123456.’

If you look at all of the data-breaches that have occurred in 2016 and consider the millions of people who have been caught up in these breaches, it’s absurd that people are picking passwords that are so easy to guess.

However, you also should keep in mind that it doesn’t matter what your password is, security experts and IT professionals keep hammering in the importance of changing passwords. Even if you are choosing passwords that are a bit more advanced than ‘123456,’ you should still change your password, often.

You also must consider this: it doesn’t matter how good your password is and how complex you make it; passwords are still vulnerable. What we need is a change in our thoughts about security and a revision of our concept of what a password is and does.

In some form or another, passwords have existed as a way to secure information for centuries. For most of this time, they have worked well. However, with technology changing the world, this old form of security needs to be refreshed to meet the needs of the time.

More Security is Necessary

To overcome all of the issues that are associated with passwords, companies should take time to look at different forms of security. All you are doing now is wasting time and money by changing passwords and making them stronger. On top of this, when your business experiences a data breach, you could be facing a fine and of course, embarrassing questions. Instead, it’s time to drop this concept of using passwords as the only means of security.

We need an approach that eliminates passwords altogether. Using, for instance, two factor or multi factor authentication or better, un-hackable security tokens is one way to ensure that no passwords are stored, created, or transmitted. This will help us all to remain safe.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Will Biometrics replace Passwords?

The days of using a computer to access your bank account, using a password, may be coming to an end, to be replaced entirely (as some experts believe) with a fingerprint or face scan using a smartphone.

8DThe smartphone employment of such biometrics will drastically reduce hacking incidents, but will be problematic for those who do not own a mobile device. Major banks are already offering the fingerprint scan as a login option.

Other biometrics currently in use by banks are the eye scan, facial recognition and voice recognition. Banks are sold on the premise that biometrics offer significantly more protection of customers’ accounts than does the traditional means of accessing accounts, what with all the hundreds of millions of data pieces (e.g., SSNs, e-mail addresses) that have been leaked thanks to hackers.

Though biometric data can be stolen, pulling this off would be much more difficult than obtaining a password and username. For instance, only a specific mobile device may work with the owner’s biometrics; a crook would have to have possession of the phone in order to hack into the owner’s bank account.

Nevertheless, biometrics aren’t foolproof even for the rightful owner, in that, for instance, poor lighting could skewer facial recognition.

Unlike the once-venerable password, banks do not keep customers’ biometrics in storage; your fingerprint is not in some secret cache of your bank. Instead, banks store templates in the form of numerical sequences that are based on the customer’s biometrics.

Can hackers obtain these templates? It’s possible, but with additional security layers, banks say that it would be very difficult, nothing compared to the ease of getting someone’s traditional login data.

For instance, an extra security layer might be that the biometric of eye recognition requires a blink—something that a thief can’t do when using a photo of the accountholder’s eye for the scanning recognition process.

Doubling up on login requirements—biometric plus password—is an even stronger defense against hackers. And banks are doing this with the fingerprint biometric.

In a world where it seems that the hackers are getting closer to taking over, the time for biometrics as being a part of the login process has arrived—and not too soon.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

32 Million Twitter Pass for sale Add two-factor NOW

The Dark Web, according to LeakedSource, got ahold of 33 million Twitter account details and put them up for sale. Twitter thus locked the accounts for millions of users.

5DTwitter, however, doesn’t believe its servers were directly attacked. So what happened? The bad guys may have created a composite of data from other breached sources. Or, they could have used malware to steal passwords off of devices.

Nevertheless, the end result meant that for many Twitter accounts, there was password exposure—leading to the lockdown of these accounts. The owners of these accounts had to reset their password after being notified of this by e-mail.

Some users who did not receive this e-mail notification will find that their accounts are locked.

An Ounce of Prevention

  • Go through the passwords of all of your vital accounts, and see which ones are unique, long and strong. You’ll likely need to change many passwords, as most people use simple to remember passwords that often contain keyboard sequences and/or words/names that can be found in a dictionary, such as 890Paul. These are easily cracked with a hacker’s software.
  • Who’d ever think that Facebook’s chief executive Mark Zuckerberg’s Twitter account could be hacked? It was, indeed, and it’s believed this was possible due to him reusing the username of his LinkedIn account several years ago.
  • So it’s not just passwords that are the problem; it’s usernames. Not only should these be unique, but every single account should have a different username and password. However if a username is an email address, you can’t do much here.
  • Passwords and usernames should be at least eight characters long.
  • Use more than just letters and numbers-use characters if accepted (e.g., #, $, &).
  • So Paul’s new and better password might be: Luap1988($#.
  • Sign up with the account’s two-factor authentication. Not all accounts have this, but Twitter sure does. It makes it impossible for a crook to sign into your account unless he has your cell phone to receive the unique verification code that’s triggered with every login attempt.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Celebrate World Password Day in 2016 With These Tips

Each year, researchers in security take the time to rate some of the worst passwords found on the Internet. While popular pop culture events have caused waves with the list of the worst passwords of 2015 – think “solo,” “starwars,” and “princess” – the worst passwords of last year were still the usual suspects, “password,” “123456,” and “qwerty.”

5DIt shouldn’t be a surprise to anyone that researchers estimate as many as 90 percent of all user-generated passwords are subject to hacking. However, it might surprise you to know that even passwords that you believe to be secure will give little protection if it gets leaked.

On May 5th, the 4th World Password Day will commence, and Intel Security is, for the first time, departing from its usual stance of asking users to change their passwords to something stronger. Instead, they are asking users to add multi-factor authentication, or MFA.

MFA is an extremely powerful security feature that is available on most major websites for free, and this helps to stop any unauthorized person from accessing the account, even if this person knows your password. This feature combines the login with other identification factors such as face recognition, fingerprints or a code that you can use, which is delivered by text message.

Even the President is getting into the password game. That’s how important it is to have a strong password. President Obama recently suggested that Americans should start to protect themselves online by turning on this multi-factor authentication. Additionally, when you supplement passwords with MFA, you will greatly decrease the chance that you become a victim of fraud or identity theft.

Here are some of the best ways to protect and strengthen your password:

  • Create passwords that are strong by using symbols and a mixture of upper and lower case letters
  • Use a different password for every account you have
  • Utilize a password manager to keep track of all of your passwords
  • Turn on the multi-factor authentication feature when possible.

You can find out how well your passwords stack up by testing them online at Passwordday.org, by taking a pledge to add MFA, or even watch some videos about computer security.

You can also join in on a Twitter chat on May 5 at 3 pm Eastern/Noon Pacific. Stop.Think.Connect is hosting the chat and will be joined by @Telesign, @IntelSecurity and @StaySafeOnline. When you pledge to turn on MFA, which is free on most web services, you will be entered in a drawing to win a prize. Make the pledge today to turn on the MFA feature on May 5th, which is World Password Day.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

Shred your Boarding Pass

Apparently there are people who take pictures of their airplane boarding pass…and post it online. I’m dead serious. I’ve heard of toddlers getting excited over scraps of paper, but full-grown adults posting images of their boarding pass online? Don’t get me started.

2DLet’s just only say that this is incredulously absurd. Like, who cares about your bleepity bleep boarding pass, right? OK, you got bumped up to First class. SAVE IT. Well wait a minute. Fraudsters care.

Fraudsters also care about the boarding pass that’s left intact in a rubbish can or lying on a seat somewhere.

Few travelers know that the bar code on the boarding pass MAY contain that individual’s home address, e-mail address, name and contact number. All a crook needs is this basic information (revealed via bar code reader off his cell phone!) to get the fraud ball rolling.

  • Keep your boarding pass out of everyone’s sight except the airport employee who requests it.
  • After you no longer need it, tear it up and flush it down a toilet.
  • When you arrive to your hotel, don’t bring it with you to your hotel room and leave it sitting out in full view. Shred and destroy it prior.  Putting it in the hotel room trash isn’t enough. Realize that when you’re not in the room, maids and other hotel employees can gain access—and I can’t say it enough: You just never know who has a bar code reader app.
  • And for Heaven’s sake, don’t post images of it online, if for no other reason, this makes you come across as less interesting than a doorknob. In fact, don’t even think of taking a picture minus the bar code. You just never know with today’s technology what a crook could get off an image online.

Man, if you still don’t believe me about any of this, check out these two very short but alarming videos. You’ll be flabbergasted at how much information about you a techy thief could get off of your boarding pass! “If a hacker can find it, he can find YOU!”

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Change Passwords or not; that is the Question

We’re told to change our passwords often to minimize getting hacked. Now we’re told this is a bad thing.

5DBut not for any inherent techy reason. It’s because frequent password changing makes many people lower their guard when it comes to creating new passwords.

They get lax and end up with passwords like Bear1, Crazy4u and GetHigh1978. Or, they often only minimally change the password, such as going from Hotbaby!! to Babyhot!!.

Believe it or not, despite an infinite number of permutations involving 26 letters, 10 numbers and 10 symbols, many people struggle to create new passwords beyond just minimally altering existing passwords. And don’t even ask these folks to remember any new and very different, strong passwords.

But if you already have unique, strong and jumbled passwords, you do not have to frequently change them. So if your Facebook password is Ihv1dggnPRvGr8tGamz!, there is no reason to change this 90 days after creating it. However, changing ANY password every six months to a year is still a wise idea. And this infrequency won’t leave you drained.

And you can always use a password manager to do the figuring for you anyways. A password manager will create long, strong and unique passwords, and issue you a single master password.

Rules for a Virtually Uncrackable Password

  • Does not include any names that are found in a dictionary, including proper names, sports team names, rock group names, city names, etc.
  • Does not have any keyboard sequences, no matter how unintelligible. So even though sdfgh looks jumbled, it’s just as much a sequence as 12345.
  • It contains numbers, letters and symbols.
  • If you predict struggling to remember a bunch of jumbled passwords, then think of a phrase that you will never forget, especially one that pertains to the account you want to create the password for. An example might be the password for your credit card account. You can shorten “I Hate Making Credit Card Payments” to: iH8tmkngCCpymnt$!.

You can also shorten phrases that pertain to things you love, like for instance, a phrase about your favorite movie, food, vacation, TV show, etc.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.