Fix your passwords (and use two factor authentication!)

March 25, 2017

Recently Keeper Security looked at 10 million stolen passwords and their blog post of the most popular passwords has me thinking. Two main thoughts actually:

  • Why do people (individual consumers) put so little effort into passwords after all the press we have seen?
  • And – why are companies still not following best practices when it comes to allowing consumers to create these passwords?

Where have these people been? And why are they allowed to continue such sloppy bad practices?

What are the top 10 passwords found in those 10 million stolen passwords in 2016 according to Keeper Security’s findings:

  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321

Guess what were the top 10 most common passwords back in 2010 (from passwords stolen from the rockyou site – so a much smaller data set)?

  1. 123456 (still number 1 in 2016)
  2. 12345
  3. 123456789 (moved up to number 2 in 2016)
  4. password (at least it dropped to number 8 in 2016)
  5. iloveyou
  6. princess (where did this come from?)
  7. rockyou (remember the name of the site?)
  8. 1234567 (moved up one spot in 2016)
  9. 12345678 (moved up to number 4 in 2016)
  10. abc123

Looks very similar, huh? We haven’t learned anything in 6 years!

I am just like everyone else. I have a limited number of passwords I use at most of my web sites. Security experts would suggest you have a totally different password for every site you go to and you keep them safely in your head (or use a password manager!). I can’t do that. There is just no way. But I do have a few simple passwords I use for “normal” sites. And I have special (more complex) passwords I use for more sensitive sites like my email. And then for very secure sites, like my banking web sites, I do have unique, separate, very complex passwords for each of them. I don’t have the best memory (honestly, I have a pretty bad memory). But I follow some simple rules, the first being never ever ever use a word from the dictionary in all lowercase. Even the lowest-level password I have is a mixture of upper and lower case and numbers. And it’s not a word in a dictionary, but it is something I can remember easily.

Simple rules of thumb when picking a password are:

  • Pick something you can remember (a sticky note is not secure! and if you have to write it down, don’t tape it to your monitor!)
  • Don’t use any part of your name, your user name, your spouse’s name, your kid’s name, your dog’s name, etc.
  • Don’t use your birthday, your kids birthday, your street number, etc.
  • Don’t use a common word in a dictionary
  • Always use a mix of upper and lower case
  • Always have at least one number
  • Always have at least one special character
  • Use passwords longer than the normal 5 or 6 characters; I suggest 8 or 9 characters or more.
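As an added example (not code from the original post), here is a small Python checker that applies the rules of thumb above to a candidate password and also rejects the fifteen entries from the two top-10 lists quoted earlier. The `personal_terms` and `dictionary_words` parameters are assumptions standing in for whatever list of names, birthdays and dictionary words a site would actually use; the sample inputs are constructed for illustration.

```python
import re

# Constructed from the two top-10 lists quoted in the post (Keeper 2016 and rockyou 2010).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321",
    "12345", "iloveyou", "princess", "rockyou", "abc123",
}


def check_password(password, personal_terms=(), dictionary_words=(), min_length=8):
    """Return the list of rules that `password` violates; an empty list means it passes.

    personal_terms:   things the post says never to use (names, user name, birthdays,
                      street number); any value is compared as a lowercase string.
    dictionary_words: a stand-in for a real dictionary; a password that IS one of these
                      words (case-insensitively) is rejected.
    """
    problems = []
    lowered = password.lower()

    # Rule: never use one of the most common passwords.
    if lowered in COMMON_PASSWORDS:
        problems.append("on the most-common-passwords list")

    # Rule: no part of your name, user name, family, pets, birthday, street number.
    # Short terms (under 3 characters) are skipped to avoid meaningless matches.
    for term in personal_terms:
        t = str(term).lower()
        if len(t) >= 3 and t in lowered:
            problems.append(f"contains personal detail '{term}'")

    # Rule: not a common dictionary word.
    if lowered in {w.lower() for w in dictionary_words}:
        problems.append("is a plain dictionary word")

    # Rule: longer than the usual 5 or 6 characters; the post suggests 8 or 9 or more.
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Rule: mix of upper and lower case.
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs both upper and lower case")

    # Rule: at least one number.
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one number")

    # Rule: at least one special character (anything that is not a letter or digit).
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one special character")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the post's own example passes, the others do not.
    for candidate in ("1L0>3Y0u!", "123456", "Fido2015!"):
        result = check_password(candidate, personal_terms=["Fido", 2015])
        print(candidate, "->", result or "OK")
```

Passing this checker is the floor, not the ceiling: it only enforces the composition rules from the list, so a site that adopts it should still pair it with the per-site uniqueness and two-factor advice given later in the post.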

I know that list seems impossible, but it really isn’t too hard to follow. I have a Sys Admin friend who always uses pass phrases (similar to number 5 on the rockyou list above, iloveyou) as his passwords. But he uses mixed case (iLoveYou), adds in numbers (1L0v3Y0u), and special characters, so in the end “iloveyou” becomes “1L0>3Y0u!” or something similar. And honestly he would never use a passphrase as simple (or as clean) as i love you.

So, go fix your passwords! At least on your email and banking sites. And remember – 1L0>3Y0u!

And turn on two-factor authentication! Most popular sites have a two factor option now.

To turn on Apple’s Two-factor Authentication (which replaced Apple’s old Two-Step Verification, which was basically the same thing pre-iOS 9), go to the My Apple ID page and sign in. Look for Security > Two-Factor Authentication and click “Get Started…”

https://support.apple.com/en-us/HT204915

Google calls its system 2-Step Verification.

https://yourcto.wordpress.com/2013/01/07/2-step-verification-for-gmail/
https://www.google.com/landing/2step/

Facebook has two factor authentication, but they call it Login Approvals; access it by going to Settings > Security. Click “Edit” next to Login Approvals and “Enable” on the top right.

https://www.facebook.com/help/loginapprovals

And Google has a nice checklist you should know about:
https://yourcto.wordpress.com/2010/10/18/security-check-list-from-google/

The Keeper Security blog post:
https://blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/


Can’t see the “Allow your Apple Watch to unlock your Mac” checkbox in macOS Sierra

October 4, 2016

So, I installed macOS Sierra and went to set up the automatic login to my Mac using my Apple Watch. I had everything set up right. I had the correct hardware. I had the correct software versions. Why can’t I get this to work? I couldn’t even see the check box to “Allow your Apple Watch to unlock your Mac” in the Security & Privacy tab in System Preferences.

I went through the whole turn off “two-step verification” on my iCloud account (appleid.apple.com) and turned on “two-factor authentication.” A little confusing but I did it as requested. So why can’t I set up using my Apple Watch to log into my Mac? I did everything right.

Well, after many google searches and getting really frustrated I found an article on Macworld that had a little coda at the end where the author (Glenn Fleishman) shared his friend’s workaround to this issue. He had to change his messages to use his Apple ID (Settings > Messages > Send & Receive and then turn on “use my Apple ID”) to get everything working correctly. That was it! That fixed it! Why? I have no idea, but it worked. Hope this helps you too.


iPhone users – update to 9.3.3 now!

July 22, 2016

If you haven’t updated to iOS 9.3.3 yet, update now!

Apple fixed a bug that allowed a hacker to take over your iPhone by simply texting or emailing you a malicious TIFF picture file. The bug was made public after being discovered by Tyler Bohan, a researcher who works for Cisco’s security unit. He discovered that older versions of iOS and OS X contain a vulnerability that could theoretically allow a media file like a photo or video to defeat built-in software security measures and take over your device. The malformed media file could arrive by email, iMessage, a webpage, or other apps. If the malicious TIFF image is viewed on the device the hacker could gain full control of the device, including accessing passwords without you knowing. Apple has fixed this vulnerability in iOS 9.3.3. If you haven’t updated yet, you are still at risk.

To update:

  • Go to settings
  • Click on general
  • Then click on software update
  • Then click on download and install the update

An added benefit: I am hearing that after updating to 9.3.3 some people are seeing performance improvements – a faster iPhone is a good thing 🙂

About the security content of iOS 9.3.3: https://support.apple.com/en-us/HT206902


What to look for when hiring?

May 19, 2016

I have built quite a few teams, so over the years I have developed a few general rules when hiring:

Rule 1) I look for self starters. Someone that can show a proven track record of getting things done. As employees they don’t just bring me the problem, but they also bring a possible solution or two.

Rule 2) I look for smart people open to new ideas and perspectives. The best team is a diverse group who aren’t afraid to respectfully discuss new ideas that might lead to a better / faster / cheaper way of getting the job done. People who are open to creative solutions.

Rule 3) I follow the no bozo rule – only hire A players.
Guy Kawasaki described the no bozo rule as “a theory which states that “A” players hire “A+” players [people better than themselves], but “B” players hire “C”, “C” hire “D”, which ultimately leads to a company full of bozos.” I have also observed that a smaller team of A players can produce much more than a larger team of B players in the same amount of time.

Rule 4) I look for hires with long term potential – someone with a passion for learning and professional growth. Are they taking an online class or what are they reading right now? Do they have a blogger they follow? I also understand that sometimes you have a task that needs a person and you need to hire a resource to fill that specific need right now, but that is when you hire a contractor or consultant. I hire my line positions for the long term. A contractor may become a line hire if they prove their worth and are a fit long term. I also look for “fit;” first do they have the skills we need, but also will they fit into our culture (but remember the Rule 2 above, you have to hire people with new ideas and perspectives)?

Rule 5) And part of that "fit" is following the no jerk rule – you can’t have one person disrupting everyone else. Just because you are good doesn’t give you the right to be a jerk. One bad apple can disrupt an entire team. An “A” player isn’t a jerk. To be a true "A" player the candidate should be a team player and work well with others.

And finally, Rule 6) is the candidate passionate about what we are doing? Do they believe in the mission and goals?

If you follow these general rules you are on your way to building a great team.


Wi-Fi Assist – thank you, Apple?

October 11, 2015

It makes sense – Apple was solving a problem many of us probably didn’t know existed. With Wi-Fi Assist, Apple uses your phone’s cellular network to boost your connectivity when the wi-fi connection is poor. And why not? A good cellular connection is just as fast as some wi-fi networks. The issue I have with it is Apple didn’t warn us. My data usage last month was higher than I expected. It took me a while to figure out what changed, but I think this is it. It’s great Apple is speeding my access up, but I wish they had made the impact of this new feature clear!

If you want to turn this feature off it’s pretty straightforward, just a little hidden. First go to Settings, then to Cellular, scroll all the way to the bottom of the Cellular page (all the way) and you will see Wi-Fi Assist right above the Reset Statistics link. Slide the Wi-Fi Assist switch to the left and it will be turned off.

While you are on the Cellular page go ahead and look at all the apps that use a cellular connection. Do all those apps need to have access to your cellular network? If not, you can turn off cellular access for the apps you can afford to only give access via wi-fi. For example, I only download movies and TV shows when I am on wi-fi. Things like that.

Hopefully turning off Wi-Fi Assist and limiting some of your apps’ access to cellular will help keep your data access charges reasonable too.


Your presentation’s best friend – Do Not Disturb

March 2, 2015

So, I love my iPhone and iPad. I have tuned my notification setup so I have just about the right amount of information that pops up. Normally it’s not overwhelming. Well, until I decided that my iPad was the best presentation device out there. And it is awesome! I think it is just about perfect.
I just wish I had remembered to manually turn on Do Not Disturb. It’s so easy to do too – just go to Settings, then Do Not Disturb (can’t be much clearer, can they?) and then manually turn on Do Not Disturb (the very first option – just slide that option on). So easy and yet I forgot. Learn from my mistakes – before connecting to that projector, manually turn on Do Not Disturb. I know I will from now on…


Another Apple iOS7 security hole

June 25, 2014

Turn off access to Control Center from the lock screen! It’s not worth the risk. There is another way to bypass the lock screen in iOS7 – if you have a missed call and have access to Control Center from the lock screen turned on, anyone can get access to whatever app you have running in the foreground. EverythingApplePro has a short video showing the vulnerability: http://youtu.be/Hg9Vy7XzGZY

But at least there is an easy fix until Apple comes out with a patch: just turn off access to Control Center from the lock screen for now. Not a huge inconvenience.

