Category Archives: password

Smashing Security #064: So just a ‘teeny tiny’ security issue then?

A Namecheap vulnerability allows strangers to make subdomains for your website, Troy Hunt examines password length, and ex-Google and Facebook employees are fighting to protect kids from social media addiction.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest HaveIBeenPwned's Troy Hunt.

For YouTube Stars, Influencers: More Risk of Hacks after Octoly Breach

Octoly, the Paris-based agency for online “influencers” apologized following the leak of sensitive and personally identifying information on 12,000 clients. But clients were furious they were not informed by the company first and researchers warn that those exposed could face increased risks of both online and offline harm. The firm...

With the Advent of Biometrics, Are Passwords Going Away?

By Jackson Shaw, VP of product management for One Identity

Facial recognition and fingerprint scanning for device authentication are no longer futuristic concepts reserved for James Bond movies. In fact, biometrics seem to be gaining ground over their inferior cousin, the password, by the day. So, why do we all still have more passwords than we would care to remember? And whatever happened to the much-hyped “death of the password”?

Three burning questions that dog the authentication discussion are:

  1. Why are we still using passwords when there are so many more secure options out there?
  2. Will biometrics ever become the standard for authentication?
  3. Assuming passwords are here, for at least a little while longer, how can I make them work for me?


Why are we still using passwords?

To understand why we are still using passwords, we need look no further than human nature. We like what we are comfortable with and resist change.

Since the very inception of networked computing, there has been a need for user authentication in order to access systems and data, and the easiest authentication to build into a system is the password. All you need is a directory and a few simple technologies to enforce the security. Consequently, the vast majority of systems use password authentication as the default — and in many cases, password authentication is the only option.

For those of us purchasing and implementing these applications, passwords have always been good enough… until they weren’t. The people that rely on these systems are comfortable with passwords. They have all kinds of tricks to help them remember their passwords (which, by the way, is often the reason passwords are the weak link in the security chain). And passwords are cheap – often password-based authentication is built into the systems that we rely on. Implementing a more secure or convenient authentication method will only add expense, management overhead, and possibly user dissatisfaction.

In addition, consider the fact that most organisations rely on older systems that default to password-based authentication. Switching to biometric enabled systems can be expensive, or require long deployment and integration cycles, and often comes across as an effort to fix something that isn’t broken. Not to mention that when multiple legacy systems are in play, those challenges are magnified many times over.

So why are we still using passwords? My opinion is, quite simply, because it’s good enough. Until there is a compelling event, technological breakthrough, or regulatory mandate forcing the issue, passwords will remain king.

Will biometrics become the new standard?

I believe that, yes, biometrics will eventually become the new standard. But only after enough password-based breaches hit enough organisations with enough negative effect that they are forced to implement stronger forms of authentication.

But I would also argue that multi-factor authentication (an approach in which biometrics is becoming a key player) is quickly becoming “a” standard, if not “the” standard. More and more organisations today are implementing the need to supplement the single factor of something you know (the password) with a second factor of either something you have (such as a smart card or OTP token), and more recently another factor could be something you are — otherwise known as biometrics.

Since second factors of the “something you have” variety are easier to implement and more easily integrated with legacy systems, I would expect continued growth in one-time passwords (OTP) and smart card authentication, while biometrics slowly gains ground.

So maybe the correct answer to this question is: multi-factor authentication will become the standard quickly, with biometrics being incorporated into a fraction of those use cases…at least for the foreseeable future.

How can I make passwords work for me?

Authentication technologies, whether they be password or biometrics, exist for one purpose – to secure access to systems and data. With the death of the password being greatly exaggerated, there is a compelling need to find ways to use them better. In other words, we need to find ways to ensure that passwords fulfill their purpose and work for your company’s security processes. Recent NIST guidelines provide cool alternatives to the strict rules we’ve been told to abide by when setting a strong password. For example, use a long phrase rather than a distorted version of your pet’s name. However, many legacy systems simply don’t provide the flexibility to implement these dramatically different password policies. But there is hope. Here are some ideas:

  • Add multi-factor authentication. There are many options available for two- or three-factor authentication, and making sure that the one you choose fits the culture of your organisation is the best way to ensure that users can gain access to their work without it disrupting their workflow.
  • Reduce the number of passwords you use — but change them frequently. Much of the trouble with hacked passwords is that they are easy to discover. This can be the result of poor practices such as never changing a password or the use of social engineering to guess them. However, a single hard-to-guess password that is changed often, and applies everywhere is an ideal remedy to their traditional weaknesses. Single sign-on and directory consolidation are fairly easy and common technologies that achieve this end.
  • Take advantage of all your options. When implementing new systems, be sure that they support the standards necessary for adding multi-factor authentication to the mix and ensure that the policy you enforce for accessing those systems uses all the options available to you.

So, while the death of the password may be highly exaggerated for now, authentication is evolving, and biometrics will slowly become the new standard of the future. Set yourself up today to seamlessly and securely move into the password-less world, for when it finally arrives.

The post With the Advent of Biometrics, Are Passwords Going Away? appeared first on IT SECURITY GURU.

Survey: Few Americans Are Taking Proper Password Security Precautions

Thursday is “Change Your Password Day,” a national observance of password security and best practices. Passwords are often the first line of defense protecting users from criminals with the malicious intent of invading systems and stealing data, a threat which emphasizes the importance for people to use strong and diverse passwords. Unfortunately, many Americans continue […]

The post Survey: Few Americans Are Taking Proper Password Security Precautions appeared first on The State of Security.

Millennials, careless with passwords, spur shift to biometrics – study

A survey of 4,000 adults from the US, the Asia Pacific (APAC) and Europe indicates a new trend is afoot concerning authentication – particularly in the steps consumers take to safeguard their digital lives.

Examining consumer perspectives around digital identity and authentication, IBM Security found that people are beginning to prioritize security over convenience when logging into services and devices, easing the long-held belief that “convenience is king.”

Millennials and Generation Z, described in the report as “younger adults,” are a bit careless about the strength of their passwords but are also more likely to entrust their digital identity to biometric locks, multifactor authentication and password managers.

“With millennials quickly becoming the largest generation in today’s workforce, these trends may impact how employers and technology companies provide access to devices and applications in the near future,” says the technology giant.

The report is lengthy and studded with numbers, making it a difficult read for some. To make it easier on the eyes, skim the key findings below:

  • While 67 percent are comfortable using biometric authentication today, 87 percent are confident they will join the party soon
  • 75 percent of millennials are comfortable using biometrics, less than half use complex passwords (those containing upper and lower case letters, special characters, etc.) and 41 percent reuse passwords
  • Older generations showed more care with password creation, but were less inclined to use biometrics and multifactor authentication
  • APAC users are more familiar with biometric authentication than consumers in the U.S.
  • The average American manages over 150 online accounts that require a password, and that number is expected to double in the coming years
  • For social media apps, convenience re-enters the spotlight (36 percent), followed by security (34 percent) and privacy (30 percent)
  • 44 percent ranked fingerprint biometrics as one of the most secure methods of authentication
  • 55 percent worry about how their biometric data is collected and used, and 50 percent fear others could fake their biometric data and break into their accounts
  • Those aged 55 and older use 12 passwords, while Gen Z (ages 18 – 20) averages only five passwords, suggesting they re-use them more
  • 75 percent of millennials are comfortable using biometrics, compared to just 58 percent of those over age 55
  • APAC users were also the most comfortable with biometrics today (78 percent comfortable vs. 65 percent EU, 57 percent US)
  • Europe has the strongest password practices, with 52 percent of respondents using strong passwords, vs. 46 percent in APAC and 41 percent in the US

Overall, the data indicates that younger generations are no longer fond of traditional passwords. IBM believes this poses a challenge for employers that manage millennial users’ access to data.

“As the percentage of millennial and Gen Z employees continues to grow in the workforce, organizations and businesses can adapt to younger generations’ proclivity for new technology by allowing for increased use of mobile devices as the primary authentication factor and integrating approaches that substitute biometric methods or tokens in place of passwords,” the report concludes.

Security 101: 7 Tips Every Young Startup Needs to Keep Itself Safe

There are many managerial and operational tasks required to successfully grow a startup business. One of the biggest mistakes startup businesses make is neglecting to safeguard their data from cyber threats. Some studies show that 200,000 new malware samples were discovered each day in 2016. Unfortunately, analysts expect this number to increase as more businesses […]

The post Security 101: 7 Tips Every Young Startup Needs to Keep Itself Safe appeared first on The State of Security.

Elon Musk’s “Boring Company” Flamethrower For $600 Is Real

Guess the password to pre-order Elon Musk’s flamethrower for $600

Elon Musk, the CEO of Tesla, SpaceX, and The Boring Company, is living up to a promise he made last December. Back then, he had tweeted that if The Boring Company (his tunnel and infrastructure digging effort) sold 50,000 hats bearing the company’s name, his company would start manufacturing state-of-the-art flamethrowers.

Soon after selling the required number of hats, Musk tweeted “Hats sold out, flamethrowers soon!” on the eve of Christmas.

While Musk’s message was considered as a joke by many, reddit users on several Musk-related subreddits noticed earlier this month that the URL “” began redirecting to a white page with a single password box in the center.

Earlier this week, a subredditor managed to guess the original password – “flame” – and got access to the page that mimics the Boring Company logo. The user found a pre-order prompt for a $600 flamethrower instead of a $20 hat. He took a screenshot that shows a Boring Company-branded flamethrower with a pre-order button under it.

“Prototype pictured above,” the listing reads. “Final production flamethrower will be better.” However, the password to the shop page has been changed since then.

It’s unclear if the screenshot in the tweet is legitimate or when the flamethrower will actually go on sale. But for now, from the looks of the image, all we can assume is that the flamethrower is for real.

The post Elon Musk’s “Boring Company” Flamethrower For $600 Is Real appeared first on TechWorm.

Hawaii’s missile alert agency keeps its password on a Post-it note

Last Saturday the people of Hawaii received a terrifying alert about a ballistic missile heading their way. Thankfully, the alert turned out to have been sent in error by the Hawaii Emergency Management Agency.

Now evidence has come to light that some of the organisation's staff might be in the habit of sticking Post-it notes containing passwords onto their computer monitors.

Read more in my article on the Hot for Security blog.

How to protect your Mac from the ‘App Store password’ bug

Shortly after the discovery of the “root” bug plaguing Macs worldwide, Apple is faced with another embarrassing flaw in the newest version of its macOS. And it’s yet another password-centric vulnerability.

A recent post on Open Radar reveals that the App Store preferences pane in System Preferences can be unlocked by a local admin with a bogus password – or, as our own tests revealed, no password whatsoever.

The steps to reproduce the bug are:

1) Log in as a local admin

2) Open the App Store preferences pane from the System Preferences

3) Lock the padlock if it is already unlocked

4) Click the lock to unlock it

5) Enter any bogus password (or leave the password field blank)

6) Hit Return / Enter

If these steps reproduce the bug on your Mac, you are affected.

The flaw is not terribly dangerous, but it’s not entirely harmless either. Anyone with physical access to the machine can alter the settings to control how that Mac downloads and handles third-party software. A bad actor could (theoretically) use this bug to make it easy to deploy malware onto the unsuspecting victim’s computer at a later time.

Mac users running macOS High Sierra 10.13.3 beta are reportedly unable to reproduce the bug, indicating that either Apple is aware of the flaw, or something new in the beta inadvertently “breaks” the bug. So, what can you do until Apple releases the fix? Not much except tighten the existing security settings on your Mac.

You can leverage the “hot corners” feature to quickly enable a screensaver whenever you get up from your desk. Go to System Preferences -> Desktop & Screen Saver and look for the Hot Corners button in the bottom right-hand corner of the window.

Then, you should set your Mac to ask for a password immediately after the screensaver kicks in. To do this, visit the Security & Privacy module under System Preferences.

Finally, look out for Apple’s 10.13.3 update and install it the moment it becomes available.

Malware Dev Charged with Spying on “Thousands” of Users for 13 Years

The United States Justice Department has charged an alleged malware author with spying on thousands of users for a period of 13 years. An indictment filed with the U.S. District Court for the Northern District of Ohio (Eastern Division) asserts Phillip R. Durachinsky, 28, of North Royalton, Ohio masterminded a scheme by which he […]

The post Malware Dev Charged with Spying on “Thousands” of Users for 13 Years appeared first on The State of Security.

Behavioral biometrics will replace passwords by 2022 – Gartner

In just a few years, we can all safely forget those cumbersome passwords we use to secure and unlock our devices. And we will be able to thank on-device artificial intelligence (AI) for easing the strain on our memory, according to a forecast by Gartner.

Gartner analysts believe on-device AI, as opposed to cloud-based AI, will mark a paradigm shift in digital security, and will do so sooner than most people think.

“On-device AI is currently limited to premium devices and provides better data protection and power management than full cloud-based AI, since data is processed and stored locally,” Gartner says in a report published on January 4.

The research company outlines 10 AI solutions expected to run on 80% of smartphones in 2022 that will become an essential part of vendor roadmaps and our everyday lives. At least four of them impact security.

“Digital Me”

“Smartphones will be an extension of the user, capable of recognizing them and predicting their next move,” reads the report. “They will understand who you are, what you want, when you want it, how you want it done and execute tasks upon your authority.”

This ability will not only ensure that your digital devices act under your authority, and your authority alone, but it will also ensure you know what to expect from them in terms of functionality and behavior. Going by Gartner’s forecast, “digital me” will be a crucial selling point for IoT / smart home vendors in the next couple of years.

Personal Profiling

New-generation smartphones will collect behavioral data to more accurately profile the user, paving the way for dynamic protection and assistance in emergency situations. It will also benefit insurers. Gartner speculates that car insurers will be able to adjust insurance rates based on driving behavior.

Behavioral Biometrics is an emerging technology that analyzes user behavior (including keystroke dynamics, gait analysis, voice ID, mouse use characteristics, signature analysis and cognitive biometrics), and creates a unique biometric template on the device. When the behavior doesn’t match the template, the (presumed) impostor is blocked from using the device or the device requires multi-layer authentication (just in case it makes a mistake).

Content Censorship/Detection

A device with on-board AI could automatically detect inappropriate content – such as objectionable images, videos or text – and flag it, or block it altogether.

“Computer recognition software can detect any content that violates any laws or policies,” according to the report. “For example, taking photos in high security facilities or storing highly classified data on company-paid smartphones will notify IT.”

User Authentication

Probably the boldest, but also the most-likely-to-materialize prediction from the report is the idea that on-device AI will render password-based authentication obsolete. Passwords / passcodes and PINs are indeed a weak defense, with hundreds of millions of credentials leaked, stolen or otherwise compromised every year.

For example, a list of 100 worst passwords compiled by SplashData was only made possible thanks to 5 million leaked credentials.

“Password-based, simple authentication is becoming too complex and less effective, resulting in weak security, poor user experience, and a high cost of ownership,” Gartner asserts.

“Security technology combined with machine learning, biometrics and user behavior will improve usability and self-service capabilities. For example, smartphones can capture and learn a user’s behavior, such as patterns when they walk, swipe, apply pressure to the phone, scroll and type, without the need for passwords or active authentications.”

Gartner isn’t just making assumptions either – Australian scientists have successfully prototyped a small wearable that uses your gait as an authentication token.

Other AI technologies that Gartner expects in portable devices by 2022 include emotion recognition, natural-language understanding, audio analytics, and more.

The road to “true AI”

Artificial intelligence was founded as an academic discipline in the 1950s and it has since had many ups and downs. Tasks requiring “intelligence” from a machine are often discarded from the definition as they become ubiquitous.

Optical character recognition, for example, has become so mundane that it no longer fits the definition. This has led computer scientist Larry Tesler to postulate a theorem along with a now-famous quip: “AI is whatever hasn’t been done yet.”

More recently AI has become a controversial topic, where even those actively developing AI systems express deep concerns about its implications if not handled correctly. Tesla CEO Elon Musk and theoretical physicist Stephen Hawking are just two of many prominent figures of our time casting a gloomy projection of AI in the years to come.

Still, humanity is a long way from true AI. Even the most complex computer systems today can’t emulate the most basic characteristics of human intelligence, such as reasoning or planning.

Web Tracking Threat Could Raise the Risk of Cybersecurity Breaches, Researchers Find

Researchers at Princeton University recently warned that web tracking firms can abuse password mechanisms to steal usernames and email addresses, increasing the risk of cybersecurity breaches.

The most commonly used browsers, such as Chrome, Safari and Firefox, include a login manager to save and autofill usernames and passwords when individuals visit a site. The researchers discovered that web trackers can abuse this auto-insertion technique and collect sensitive information covertly.

While abuse of the flaw appears limited so far, IT managers and users should be alert to the risk and apply any techniques that can help limit the potential threat of cybersecurity breaches.

Understanding the Risk

The researchers at Princeton’s Center for Information Technology Policy found evidence that web tracking firms secretly insert hidden login forms on sites, reported Bleeping Computer. The login managers built into browsers autofill the fields in these hidden forms with login information, such as usernames and passwords, without the user’s knowledge.

Experts have long warned about the potential security risk associated with the autofill function in browsers. However, the Princeton researchers are the first to provide evidence of this vulnerability being used to track individuals on the web. They also created a demo of the hidden form that allows users to see the flaw in action.

Brave is the only major browser that is not susceptible to the threat of username and password disclosure. While Chromium-based browsers delay the release of a password until the user interacts via a click, this is not a strong form of protection.

Detailing the Evidence

The Princeton researchers reported in a blog post that they found two web tracking services, Adthink and OnAudience, that use secret login forms to collect sensitive user details. These services have collected details via embedded tracking scripts across 1,110 websites.

The good news is that neither of the firms gathered password information. Instead, the services focused on creating hashes of email addresses, PC Magazine noted. Princeton researcher Gunes Acar told the publication that hashed email addresses allow these companies to improve their tracking of users, even if these individuals clear cookies or switch devices.

Acar said that it is unclear how the data could be used. His colleague Arvind Narayanan told the source that publishers are usually unaware of the insertion of third-party scripts that can be used to pilfer data. Any potential risk of privacy violations usually results in the removal of the offending scripts.

Preventing Cybersecurity Breaches

However, the threat of privacy intrusions will create concerns for individual users and the IT managers who protect sensitive data. Bleeping Computer referred to comments from independent researcher Lukasz Olejnik, who suggested site owners might be unaware of web tracking and potential violations to the forthcoming General Data Protection Regulation (GDPR).

IT managers must wake up to this new regulation and the risk of cybersecurity breaches. Publishers, users and browser vendors must work to prevent autofill data exfiltration. Publishers can prevent autofill by placing login forms on a separate subdomain. Users should also install ad blockers or protection extensions to prevent third-party tracking.

Finally, the researchers suggested that browser vendors should reconsider allowing surreptitious access to autofilled forms. This could be accomplished by giving users the option to turn off the technique, or to request user interaction before autofilling. At a minimum, browser developers must start thinking about how their technologies might be abused by third-party scripts.
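One defender-side check for the hidden-form pattern the researchers describe, as an added example that is not code from the Princeton team, Bleeping Computer or any browser vendor: it flags credential fields that are present in the DOM but invisible to the user, which is what a login manager would silently fill. The descriptor format, the function names and the sample fields are constructed for this example.

```javascript
// Added example: heuristic audit for login fields a user cannot see.
// Works on plain "field descriptors" so it also runs outside a browser;
// auditDocument() builds those descriptors from a live DOM when one exists.
// All names here (isCredentialField, isConcealed, auditFields, ...) are
// hypothetical, not an API of any browser or of the cited research.

const CREDENTIAL_TYPES = new Set(["password", "email"]);
const CREDENTIAL_AUTOCOMPLETE = new Set([
  "username", "email", "current-password", "new-password",
]);
const CREDENTIAL_NAME = /user|login|mail|pass/i;

// Would a browser login manager treat this field as part of a credential form?
function isCredentialField(field) {
  const type = String(field.type || "text").toLowerCase();
  const autocomplete = String(field.autocomplete || "").toLowerCase();
  if (CREDENTIAL_TYPES.has(type)) return true;
  if (CREDENTIAL_AUTOCOMPLETE.has(autocomplete)) return true;
  // Plain text inputs are only counted when their name looks like a username.
  return type === "text" && CREDENTIAL_NAME.test(field.name || "");
}

// Is the field effectively invisible? Covers display:none, visibility:hidden,
// zero opacity, collapsed boxes and the "left: -9999px" off-screen placement.
function isConcealed(field) {
  const style = field.style || {};
  if (style.display === "none" || style.visibility === "hidden") return true;
  if (style.opacity !== undefined && Number(style.opacity) === 0) return true;
  const r = field.rect || { x: 0, y: 0, width: 0, height: 0 };
  if (r.width <= 1 || r.height <= 1) return true;
  const vp = field.viewport || { width: 1280, height: 800 };
  return (
    r.x + r.width <= 0 || r.y + r.height <= 0 ||
    r.x >= vp.width || r.y >= vp.height
  );
}

// Returns the credential fields a user cannot see, with enough detail to
// locate the element and the form (and form action) it belongs to.
function auditFields(fields) {
  return fields
    .filter((f) => isCredentialField(f) && isConcealed(f))
    .map((f) => ({
      name: f.name || "",
      type: f.type || "text",
      formAction: f.formAction || "",
    }));
}

// Browser-only: translate a live <input> element into a descriptor.
function describeInput(el, win) {
  const cs = win.getComputedStyle(el);
  const r = el.getBoundingClientRect();
  return {
    type: el.type,
    name: el.name,
    autocomplete: el.getAttribute("autocomplete") || "",
    formAction: el.form ? el.form.action : "",
    style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
    rect: { x: r.left, y: r.top, width: r.width, height: r.height },
    viewport: { width: win.innerWidth, height: win.innerHeight },
  };
}

// Browser-only: audit every <input> currently in the document.
function auditDocument(doc, win) {
  const inputs = Array.from(doc.querySelectorAll("input"));
  return auditFields(inputs.map((el) => describeInput(el, win)));
}

// Constructed sample: a normal login form plus two injected, invisible fields.
const SAMPLE_FIELDS = [
  { type: "email", name: "email", rect: { x: 300, y: 200, width: 240, height: 28 } },
  { type: "password", name: "password", rect: { x: 300, y: 240, width: 240, height: 28 } },
  { type: "search", name: "q", rect: { x: 900, y: 20, width: 160, height: 24 } },
  // injected by a third-party script: display:none form with a credential field
  { type: "email", name: "email", style: { display: "none" },
    rect: { x: 0, y: 0, width: 0, height: 0 },
    formAction: "https://tracker.example/collect" },
  // injected: positioned far off-screen instead of hidden
  { type: "password", name: "pass", rect: { x: -9999, y: 0, width: 200, height: 28 },
    formAction: "https://tracker.example/collect" },
  // a hidden non-credential field (e.g. an anti-CSRF token) must not be reported
  { type: "hidden", name: "csrf_token", style: { display: "none" },
    rect: { x: 0, y: 0, width: 0, height: 0 } },
];

// Run against the live page when loaded as a snippet, else against the sample.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  console.log(auditDocument(document, window));
} else {
  console.log(auditFields(SAMPLE_FIELDS));
}
```

Pasting the block into a browser console on a publisher's login page reports injected hidden credential fields and the form action they point at; it is a heuristic, so a field hidden by a clipping ancestor or an iframe can still escape it.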

The post Web Tracking Threat Could Raise the Risk of Cybersecurity Breaches, Researchers Find appeared first on Security Intelligence.

Introducing GoCrack: A Managed Password Cracking Tool

FireEye's Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI (Figure 1 shows the dashboard) to create, view, and manage tasks. Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.

Figure 1: Dashboard

As readers of this blog probably know, password cracking tools are an effective way for security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements. Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations. We’re releasing GoCrack to provide another tool for distributed teams to have in their arsenal for managing password cracking and recovery tasks.

Keeping in mind the sensitivity of passwords, GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or the creator has granted them access to the task. Modifications to a task, viewing of cracked passwords, downloading a task file, and other sensitive actions are logged and available for auditing by administrators. Engine files (files used by the cracking engine) such as dictionaries, mangling rules, etc. can be uploaded as “Shared”, which allows other users to use them in tasks without granting them the ability to download or edit them. This allows sensitive dictionaries to be used without exposing their contents.

Figure 2 shows a task list, Figure 3 shows the “Realtime Status” tab for a task, and Figure 4 shows the “Cracked Passwords” tab.

Figure 2: Task Listing

Figure 3: Task Status

Figure 4: Cracked Passwords Tab

GoCrack ships with support for hashcat v3.6+, requires no external database server (state is kept in a flat file), and includes support for both LDAP and database-backed authentication. In the future, we plan on adding support for MySQL and Postgres database engines for larger deployments, the ability to manage and edit files in the UI, automatic task expiration, and greater configuration of the hashcat engine. We’re shipping Dockerfiles to help jumpstart users with GoCrack. The server component can run on any Linux server with Docker installed. Users with NVIDIA GPUs can use NVIDIA Docker to run the worker in a container with full access to the GPUs.

GoCrack is available immediately for download along with its source code on the project's GitHub page. If you have any feature requests, questions, or bug reports, please file an issue in GitHub.

ICE is a small, highly trained, team of engineers that incubate and deliver capabilities that matter to our products, our clients and our customers. ICE is always looking for exceptional candidates interested in solving challenging problems quickly. If you’re interested, check out FireEye careers.

POLL: Do you use two-factor authentication?

October is National Cyber Security Awareness Month in the US, and European Cyber Security Month in Europe. Basically, institutions in these two regions have decided that it’s time for people to get serious about cybersecurity. And they’re right to do it – according to F-Secure’s Business Security Insider blog, there were 81 cyberattacks every minute in 2014.

So hacking is a serious business for these attackers. And one security measure that experts would like to see used more widely is two-factor authentication.


Two-factor (or multi-factor) authentication refers to using more than one piece of information to safeguard access to accounts. Many popular services, such as Facebook and Twitter, offer it to users. However, very few services require it. It’s really more of an option for people interested in having a little bit of extra security for their accounts. A recent survey from Google points out that 89 percent of security experts use two-factor authentication for at least one of their online accounts.

But it’s less popular amongst non-experts. Only 62 percent of non-expert respondents to Google’s survey used two-factor authentication. Other studies indicate that two-factor authentication may be even less popular, with one recent consumer survey finding that 56 percent of respondents were unfamiliar with two-factor authentication.

Although two-factor authentication has been around for ages, it’s starting to become offered by many online services. Passwords are currently the standard in account security, but adding in two-factor authentication adds an extra layer of security. It basically means anyone that gets access to your password will essentially only have “half a key” to your account.

So why don’t more people use it? After all, nearly 80 percent of people are open to alternatives to traditional passwords. One reason might be that it’s too difficult or inconvenient. But the widespread use of mobile devices is making this much easier. Email and SMS messages seem to be easiest and the most popular, with one study finding almost 90 percent of participants using two-factor authentication did so by receiving a code through SMS or email, which they could then enter into a website to confirm their identity.

Another reason could be availability. It’s up to companies and organizations providing online accounts to offer two-factor authentication to customers. This website provides a pretty good list of different online services offering two-factor authentication, so it’s a pretty handy resource. You can also use the site to send tweets to companies not offering two-factor authentication (so don’t hesitate to send a message if you want someone providing you with a service to improve their account security features).

If you crunch the numbers provided by the site, you can get an idea about how common two-factor authentication is for different kinds of services:

  • Cryptocurrencies: 96%
  • Identity Management: 93%
  • Cloud Computing: 77%
  • Gaming: 69%
  • Hosting/VPS: 69%
  • Email: 65%
  • Domains: 65%
  • Developers: 63%
  • Communication: 62%
  • Backup and Sync Services: 60%
  • Investing: 38%
  • Banking and Financial Services: 35%
  • Health: 30%
  • Finance: 28%
  • Education: 25%
  • Entertainment: 7%

So two-factor authentication is definitely more prominent in some industries than others. F-Secure Security Advisor Sean Sullivan says that it’s definitely worth choosing services offering two-factor authentication, especially for important accounts that you use daily, or contain really sensitive information.

“You should figure out what accounts are critical and focus on securing those by using strong, unique passwords and two-factor authentication,” he says. “Lots of companies will offer a monthly or periodic two-factor authentication check, which requires you to enter a code you receive via SMS into a pre-defined phone or computer. It’s really worth having a primary email account with one of these services, as you can centralize information there instead of spreading it around, which makes it easier to stay in control of your accounts.”

Next time you’re thinking about setting up an online account somewhere, you may want to check whether or not the service offers two-factor authentication. With the number of devices expected to explode as the Internet of Things becomes more and more popular, it only makes sense to consider whether your information is as secure as you’d like.

[ Image by momentcaptured1 | Flickr ]

3 Password Tips from the Pros

Passwords are the keys to online accounts. A good password known only to the account owner can ensure email, social media accounts, bank accounts, etc. stay accessible only to the person (or people) that need them. But a bad password will do little to prevent people from getting access to those accounts, and can expose you to serious security risks (such as identity theft). And sadly, many people continue to recycle passwords that are easy to guess or crack.

A recent study conducted by researchers from Google attempted to nail down the most common pieces of advice and practices recommended by security researchers, and unsurprisingly, several of them had to do with passwords. There were also several gaps between what security experts recommend people do when creating passwords and what actually happens. Here are 3 expert tips to help you use passwords to keep your accounts safe and secure.

  1. Unique Passwords are Better than Strong Passwords

One thing experts recommend doing is to choose a strong and unique password – advice many people hear but few actually follow. Chances are, if your password is on this computer science professor’s dress, it’s not keeping your accounts particularly secure.

Many major online service providers automatically force you to choose a password that follows certain guidelines (such as length and character combinations), and even provide you feedback on the password’s strength. But security researchers such as F-Secure Security Advisor Sean Sullivan say that, while strong passwords are important, the value of choosing unique passwords is an equally important part of securing your account.

Basically, using unique passwords means you shouldn’t recycle the same password for use with several different accounts, or even slight variations of the same word or phrase. Google likens that to having one key for all the doors in your house, as well as your car and office. Each service should get its own password. That way, one compromised account won’t give someone else the keys to everything you do online.

A strong password is long and uses a combination of upper-case and lower-case letters, numbers, and symbols. It should also be a term or phrase that is personal to you – not a phrase or slogan familiar to the general public, nor something that people who know you could easily guess. But there are still many ways to compromise these passwords, as proven by The Great Politician Hack.

So using unique passwords prevents criminals, spies, etc. from using one compromised password to access several different services. Sullivan says choosing strong and unique passwords for critical accounts – such as online banking, work related email or social media accounts, or cloud storage services containing personal documents – is a vital part of having good account security.
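As an added illustration of the “slight variations” point (this is not code from F-Secure or Google), here is a small Python check that undoes common letter-for-symbol substitutions and flags a new password that is identical to, or a near copy of, one already in use; the substitution map and the 0.8 similarity threshold are assumptions.

```python
"""Flag a candidate password that merely recycles an existing one.

Added example: a password that is a small tweak of one you already use
("Summer2018!" after "Summer2017!") gives little protection once the old
one has leaked. The substitution map and threshold are assumptions.
"""
import re
from difflib import SequenceMatcher

# Assumed: a few common letter-for-symbol substitutions, mapped back so that
# "P@ssw0rd" and "password" normalise to the same string.
_SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})


def normalise(password: str) -> str:
    """Lower-case, undo common substitutions, and drop non-alphanumerics."""
    core = password.lower().translate(_SUBSTITUTIONS)
    return re.sub(r"[^a-z0-9]", "", core)


def similarity(a: str, b: str) -> float:
    """Similarity of the normalised forms, 0.0 (nothing shared) to 1.0 (identical)."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def is_recycled(candidate: str, existing: list, threshold: float = 0.8) -> bool:
    """True if candidate equals, or is a near-variation of, any password in existing."""
    return any(similarity(candidate, old) >= threshold for old in existing)
```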

  2. Experts Use Password Managers for a Reason

One study showed that the average Internet user has 26 different online accounts. Assuming you’re choosing unique passwords, and you fit the bill of an “average Internet user”, you’ll find yourself with a large number of passwords. You’ve now made your account so safe and secure that you can’t even use it!

That’s why experts recommend using a password manager. Password managers help people maintain strong account security by letting them choose strong and unique passwords for each account, and by storing those passwords securely so that they’re centralized and accessible. Keeping 26 or more online accounts protected with strong, unique passwords known only to you is exactly the job a password manager does, which is why 73% of the experts who took part in Google’s study use one, compared to just 24% of non-experts.

  3. Take Advantage of Additional Security Features

Another great way to secure accounts is to activate two-factor authentication whenever it’s made available. Two-factor (or multi-factor) authentication essentially uses two different methods to verify the identity of a particular account holder. An example of this would be protecting your account with a password, but also having your phone number registered as a back-up, so any kind of password reset done on the account makes use of your phone to verify you are who you say you are.

While the availability of this option may be limited, security experts recommend taking advantage of it whenever you can. You can find a list of some popular services that use two-factor authentication here, as well as some other great tips for using passwords to keep your online accounts secure.
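The password-plus-phone check described above, as an added example that is not code from F-Secure or any service the post names: the server side of an SMS or e-mail one-time-code second factor in Python, with the expiry, single-use, attempt-cap and constant-time-comparison checks a verifier needs before it can trust a submitted code. The class name, the five-minute lifetime and the five-attempt limit are assumptions.

```python
"""Server side of an SMS/e-mail one-time-code second factor.

Added example, not the code of any service named in the post. It shows the
checks a verifier needs beyond "does the code match": the code expires, is
single-use, is stored only as a keyed hash, attempts are capped, and the
comparison is constant-time. Delivering the code (SMS or e-mail) is out of
scope: issue() returns it for the caller to send. Limits are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: challenge is voided after five wrong guesses


class SecondFactorVerifier:
    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret  # keys the stored hash of each live code
        self._now = now               # injectable clock, so expiry can be tested
        self._pending = {}            # user_id -> (digest, expires_at, attempts)

    def _digest(self, user_id: str, code: str) -> bytes:
        # Keyed hash: a leaked pending-code store does not reveal live codes.
        return hmac.new(self._secret, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for out-of-band delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = (self._digest(user_id, code), self._now() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """True only for a live, unused code; the challenge is consumed on success,
        expiry or too many failed attempts, so a code can never be replayed."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        if hmac.compare_digest(digest, self._digest(user_id, submitted)):
            del self._pending[user_id]  # single use
            return True
        self._pending[user_id] = (digest, expires_at, attempts + 1)
        return False
```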

[Photo by geralt | Pixabay]