Fix your passwords (and use two factor authentication!)

March 25, 2017

Recently Keeper Security looked at 10 million stolen passwords and their blog post of the most popular passwords has me thinking. Two main thoughts actually:

  • Why do people (individual consumers) put so little effort into passwords after all the press we have seen?
  • And – why are companies still not following best practices when it comes to allowing consumers to create these passwords?

Where have these people been? And why are they allowed to continue such sloppy bad practices?

What are the top 10 passwords found in those 10 million stolen passwords in 2016 according to Keeper Security’s findings:

  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321

Guess what were the top 10 most common passwords back in 2010 (from passwords stolen from the rockyou site – so a much smaller data set)?

  1. 123456 (still number 1 in 2016)
  2. 12345
  3. 123456789 (moved up to number 2 in 2016)
  4. password (at least it dropped to number 8 in 2016)
  5. iloveyou
  6. princess (where did this come from?)
  7. rockyou (remember the name of the site?)
  8. 1234567 (moved up one spot in 2016)
  9. 12345678 (moved up to number 4 in 2016)
  10. abc123

Looks very similar, huh? We haven’t learned anything in 6 years!

I am just like everyone else. I have a limited number of passwords I use at most of my web sites. Security experts would suggest you have a totally different password for every site you go to and you keep them safely in your head (or use a password manager!). I can’t do that. There is just no way. But I do have a few simple passwords I use for “normal” sites. And I have special (more complex) passwords I use for more sensitive sites like my email. And then for very secure sites, like my banking web sites, I do have unique, separate, very complex passwords for each of them. I don’t have the best memory (honestly, I have a pretty bad memory). But I follow some simple rules, the first being never, ever use a word from the dictionary in all lower case. Even the lowest level password I have is a mixture of upper and lower case and numbers. And it’s not a word in a dictionary, but it is something I can remember easily.

Simple rules of thumb when picking a password are:

  • Pick something you can remember (a sticky note is not secure! and if you have to write it down, don’t tape it to your monitor!)
  • Don’t use any part of your name, your user name, your spouse’s name, your kid’s name, your dog’s name, etc.
  • Don’t use your birthday, your kids birthday, your street number, etc.
  • Don’t use a common word in a dictionary
  • Always use a mix of upper and lower case
  • Always have at least one number
  • Always have at least one special character
  • Use passwords longer than the normal 5 or 6 characters; I suggest 8 or 9 characters or more.

I know that list seems impossible, but it really isn’t too hard to follow. I have a Sys Admin friend who always uses pass phrases (similar to number 5 on the rockyou list above, iloveyou) as his passwords. But he uses mixed case (iLoveYou), adds in numbers (1L0v3Y0u), and special characters, so in the end “iloveyou” becomes “1L0>3Y0u!” or something similar. And honestly he would never use a passphrase as simple (or as clean) as i love you.
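To make the rules of thumb above concrete, here is a small checker, added as an example for this post and not code from the original, that applies the list to a candidate password and reports which rules it breaks. It goes a little beyond the post in one respect: crackers routinely undo digit-for-letter substitutions (0 for o, 3 for e, and so on), so the dictionary check is also run on the password with those substitutions reversed. The word list and the personal-info values are constructed stand-ins (a real deployment would use a full dictionary and the user’s actual profile data); the common-password entries are the two top-10 lists quoted above.

```python
# Password rule checker based on the rules of thumb in the post (added example).

# Top-10 lists quoted in the post (Keeper Security 2016 and rockyou 2010).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321",
    "12345", "iloveyou", "princess", "rockyou", "abc123",
}

# Constructed stand-in for a real dictionary (assumption: any real word list will do).
DICTIONARY_WORDS = {
    "password", "love", "princess", "rockyou", "welcome", "monkey", "dragon", "letmein",
}

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
MIN_LENGTH = 8  # the post suggests 8 or 9 characters or more

# Reverse the substitutions crackers try first, so "P@ssw0rd" is still caught as "password".
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def _contains_word(text, dictionary):
    """True if any dictionary word of 4+ letters appears inside text."""
    return any(len(word) >= 4 and word in text for word in dictionary)


def check_password(password, personal_info=(), dictionary=DICTIONARY_WORDS):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()

    if lowered in COMMON_PASSWORDS:
        problems.append("common")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        problems.append("no_mixed_case")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no_special")
    # Dictionary rule, checked as typed and with leet substitutions undone.
    if _contains_word(lowered, dictionary) or _contains_word(lowered.translate(LEET_MAP), dictionary):
        problems.append("dictionary_word")
    # Names, birthdays, street numbers: anything the caller supplies about the user.
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append("personal_info")
            break
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the post's own worked example.
    for candidate in ["123456", "iloveyou", "1L0v3Y0u!", "1L0>3Y0u!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the intermediate form from the post, “1L0v3Y0u”, is rejected by the leet-aware dictionary check, while the final “1L0>3Y0u!” passes: the “>” in place of “v” is exactly what breaks the substitution pattern a cracker would try.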

So, go fix your passwords! At least on your email and banking sites. And remember – 1L0>3Y0u!

And turn on two-factor authentication! Most popular sites have a two factor option now.

To turn on Apple’s Two-Factor Authentication (which replaced Apple’s old Two-Step Verification, basically the same thing pre-iOS 9), go to the My Apple ID page and sign in. Look for Security > Two-Factor Authentication and click “Get Started…”

https://support.apple.com/en-us/HT204915

Google calls its system 2-Step Verification.

https://yourcto.wordpress.com/2013/01/07/2-step-verification-for-gmail/
https://www.google.com/landing/2step/

Facebook has two-factor authentication, but they call it Login Approvals. Access it by going to Settings > Security, click “Edit” next to Login Approvals, then “Enable” on the top right.

https://www.facebook.com/help/loginapprovals

And Google has a nice checklist you should know about:
https://yourcto.wordpress.com/2010/10/18/security-check-list-from-google/

The Keeper Security blog post:
https://blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/


iPad is one of the safest computing devices you can use

July 4, 2013

I haven’t addressed this since 2010 so it is worth repeating. The iPad is one of the safest computing devices you can use, probably more secure than your PC, but you have to set it up properly.

First, the biggest security risk probably is physically losing the device. iPads are a great size and easy to carry everywhere, which also makes them easy to leave behind or forget. Luckily for us Apple gave us “Find My iPad.” Under Settings -> iCloud, turn on Find My iPad. You also have to have location services turned on, so go to Settings -> Privacy and turn on Find My iPad there too (while you are there, check to see what other apps are using location services). And of course you have to have an iCloud account. You should also enable Remote Wiping, which allows you to delete the data on a lost iPad (as long as it can connect to the Internet). But again, to do this you will need an iCloud account, which is configured in Settings -> Mail, Contacts, Calendars -> iCloud. This service also allows you to remotely send a signal to the device to play a sound and/or to display your phone number and a message that the device is lost, asking the person that finds it to call you. And if all that fails, to wipe the device. It’s a great service! Find My iPad is actually misnamed, because the same service works on iPhones, iPads, MacBooks, iMacs, basically all your Apple devices.

Also, all iPads ship with hardware encryption built-in, but you need to enable it. The simplest way to do that is to set a passcode on your iPad. As soon as you do, your data will be automatically encrypted. To enable a passcode, go to Settings -> General -> Passcode Lock and then enter a four-digit code twice. If you’d like to be extra-safe, on that same page you can turn the Simple Passcode option off, which lets you use longer codes. You should also set Require Passcode to no more than 5 minutes and turn Erase Data on. And please turn on Auto-Lock!

Note: if you have small kids that play with your iPad, you may not want to turn on Erase Data.  Erase Data will erase all the data on your iPad if the wrong passcode is entered 10 times. Something a little one just might do.

You can find more information at:

http://www.apple.com/ipad/business/it-center/security.html

and

http://images.apple.com/ipad/business/docs/iOS_6_Security_Sep12.pdf


And if you use wifi hotspots like those you find at Starbucks, McDonald’s, or at hotels / airports please use a personal VPN!

https://www.witopia.net/support/why/
http://netsecurity.about.com/od/perimetersecurity/a/Why-You-Need-A-Personal-Vpn-Service.htm

I personally like https://www.witopia.net  and the price point is good.  But you can find other options at:  http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm

On my iPhone I have done all the above (again, please at least turn on a passcode and auto-lock) plus I have also turned OFF “Siri” and “Reply with Message” under “Allow Access When Locked” on my iPhone.


Links:

https://yourcto.wordpress.com/2010/10/14/security-on-your-ipad/

http://www.apple.com/ipad/business/it-center/security.html

http://images.apple.com/ipad/business/docs/iOS_6_Security_Sep12.pdf

https://www.witopia.net/support/why/

http://netsecurity.about.com/od/perimetersecurity/a/Why-You-Need-A-Personal-Vpn-Service.htm

http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm


2-step verification for gmail

January 7, 2013

In my earlier post on my most used iPhone and iPad Apps in 2012 I mentioned that I hope by now you are using 2-step verification. Google provides us with this great free tool to help better secure your Google account, but you have to opt-in and set it up for it to do you any good.

Basically, once you have 2-step verification turned on and set up, you use your smart phone (Android or iOS) as a key fob. The Google 2-step verification app provides a new 6 digit number every minute. So now instead of just a simple user name and password protecting your Google account (i.e. your Gmail), you now have your user name, your password, and the six digit number from the 2-step verification. Unless the bad guy trying to get into your account has access to your phone and knows your password, it is now much, much harder for them to get access to your account.

The official Google blog walks you through the process to set up 2-step verification and I don’t think I can improve on what they wrote, so just follow their simple directions:
http://gmailblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html


BYOD in the Enterprise

March 13, 2012
Bring your own device (or BYOD) is real and is happening now in most enterprises. Employees today have their smart phones and are bringing iPads and other tablets to work already. It’s not if, it’s not when, it’s now. What are you doing to protect your network and your company data?
The Pew Internet Project recently reported that ownership of tablets among U.S. adults nearly doubled between mid-December 2011 and early January from 10 percent to 19 percent. According to a Cisco poll of 1,500 decision-making IT workers in the United States, Canada, the United Kingdom, France, Germany and Spain, conducted in late 2011, one tablet is requested for every three smartphones. Workers in the United States and France are asking for them the most at 21 percent. In addition, 64 percent of employees in the United States polled said they were bringing in devices without consent. So the devices are in your enterprise, with or without your knowledge and consent. Are your networks ready? Do you have the correct security policies in place?

With company issued laptops, you can enforce login screens, passwords, encryption and back ups. I personally always turn on the security features available to me on my devices, but how many of those unauthorized devices lack even a basic login screen when the smart phone or tablet is turned on? And the new iPad is just going to make it worse. The iPad2 was already a good device for doing presentations for a road warrior tired of lugging around their laptop (and it looks cooler too), but now the new iPad has an even better display and better graphics. Employees lose laptops. It is pretty common. How much easier is it to lose an iPad? Or get it stolen? What information is on that device? How much company confidential data is now loose in the wild? What data is in their email? What spreadsheets do they have? And confidential presentations?

If you don’t have policies and procedures in place already you are behind… BYOD is in your enterprise already.


Is it time to clean up your old internet accounts? Or, who really uses MySpace anymore?

March 13, 2012
So, I was cleaning out my junk mail this morning and found a phishing scam that was made to look like it was from MySpace.  My first thought was – “Wow, I haven’t been to my MySpace page in years, why am I getting an email from them?”  But that thought was quickly replaced by – “What a lame phishing scam, and why would you use MySpace?” 

But that got me thinking, why do I still have a MySpace account? I haven’t been to my page in literally years. What purpose does MySpace serve for me anymore? And with all the websites getting compromised out there, do I want my private information just sitting on their servers? Or passwords? I use different passwords on each website, but many people use the same password across multiple websites; if one of those old websites gets hacked, how many other websites will the hackers have access to? Even if they don’t get hacked, what if they change their privacy policies to give away all my info? I’m not reading their policies anymore. Or what if they go out of business and new buyers use the data for who knows what?


But I don’t mean to pick on MySpace, the thought applies to all my old accounts on too many sites to count.  Like Excite. Who uses Excite for email anymore? I was able to finally guess what my password was on MySpace, but I have no idea anymore what my Excite password was.  And to retrieve your password Excite forces you to know your zip code when you signed up.  I’ve moved way too much to have a clue what my zip code was way back when. I guess I will just have to add it to a list and try to delete it later. How about FriendFeed?  Did that ever take off?  Why do I still have an account there?


The more I start thinking about it, the more old accounts I can think of that I should just delete.  I don’t need all those old accounts sitting out on the web like dirty socks on the floor. Time to simplify my life and protect my privacy.  It’s time to clean up my Internet debris.

Anti-virus continued… (for those with Windows PCs)

March 13, 2012
Ok, I was feeling bad. I wrote a post last week about anti-virus for the Mac, but that is still a pretty small threat (at least it is if you are educated on the issues). PC users have had to address this issue for quite a while now, if for no other reason than Microsoft’s success in owning so much market share (and maybe they deserve a little of the blame too). I think almost all PC users are aware of and guarded against malware and viruses.


I don’t know if you have heard of it before, but I am a big fan of Immunet (disclaimer – Immunet is owned by Sourcefire). But don’t take my word for it, even CNet gave it four and a half stars. 🙂 You can run Immunet’s free anti-virus even if you already have an anti-virus loaded on your PC.  The download can be found at  http://www.immunet.com/free/index.html


And, if you think you might already have a virus or malware, you might want to run Ad-Aware Free Internet Security 9.0.  

You can download it at http://download.cnet.com/Ad-Aware-Free-Internet-Security/3000-8022_4-10045910.html.  That will make sure your anti-virus is working properly and make sure you don’t have any malware already on your PC.


Just remember the famous trademark phrase from Sergeant Phil Esterhaus: “Hey, let’s be careful out there.”  Be aware of what you are doing and who you trust, change your passwords often and use strong passwords.

Anti-virus on a Mac? Yup, it’s time.

March 13, 2012
It is sad to say, but the Mac has become a target for malware. Mac Defender proved that. So it’s time to start using an anti-virus. There are many out there. Sourcefire has ClamAV, which Mark Allen has put a nice front end on to create ClamXav (open source and free, but please donate), and it works well on a Mac. Another good option is the slightly more user friendly Sophos http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx (again free). I’ve tried using Norton and McAfee in the past but they were resource hogs. I don’t think it matters as much what you use, just that you are using one.

Little Snitch is nice too, it’s not an anti-virus but it does alert you to all the apps that are talking across your network. Interesting to see if nothing else. 


NoScript is another tool to look at if you use Firefox (or NotScripts for Chrome). Again, I allow most scripts to run, but it is good to see what scripts different websites are running and what they are tracking.
