Worst Passwords EVER!

In its sixth annual Worst Passwords report, SplashData, a provider of various security applications and services, listed the 25 weak and easy-to-guess passwords most frequently posted on various hacker forums and websites.

Related image

Presenting the list of the top 25 bad passwords people use. I hope that known of you, my dedicated readers are relying on any of these to protect your information.

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234
  11. login
  12. welcome
  13. solo
  14. abc123
  15. admin
  16. 121212
  17. flower
  18. passw0rd
  19. dragon
  20. sunshine
  21. master
  22. hottie
  23. loveme
  24. zaq1zaq1
  25. password1

The list is based on 5 million leaked passwords, and almost 4% of hacked users used “123456” as their password of choice while more than 10% used another from the list.

Most had a single word password, which is a dream come true for any hacker planning a quick and effective dictionary attack. Using this method, a hacker pretends to be the user and tries to log into their account, using a predetermined set of words or phrases from a list called “dictionary”.

Frequent usage also applies to another group of passwords on the list: sequences. “123456”, “qwerty” or “zaq1zaq1” are key sequences, which means the used symbols are near one another on the physical keyboard. This kind of passwords is another dictionary favorite, but is also susceptible to a brute force attack. This tactic is similar to a dictionary attack, since it also happens on the login screen, but instead of using ready-made lists, a hacker uses a special algorithm which attempts to enter different character combinations until a password match is found (i.e. attacker will try using “1234”, then “12345”, etc.).

I recommend again friends, take the time to select a good password manager and use distinct, unique & complex passwords for all of your online accounts. The time you spend doing this may save you much hard-ache later.  You can check out our previous articles regarding password managers here.

Share This:

OneLogin Hacked

Its the same old story all over again. Another online company has been hacked and thousands of accounts exposed. This time, ironically it was a “password manager” services company that was hacked.

Image result for onelogin hack

Password manager OneLogin suffered a massive data breach Wednesday, and the attackers may have gained access to sensitive customer data, such as login information for a variety of companies. OneLogin manages login credentials for a variety of cloud applications for more than 2,000 enterprise clients.

OneLogin has stated that its investigation is ongoing, wrote on its blog Wednesday that the attacker was able to access database tables that contain information about users, apps, and various types of keys. “While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data,” the company wrote in a letter to clients.

The attack began on May 31 when a malicious actor somehow obtained access to a set of Amazon Web Services (AWS) keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S., according to the company.

Through the API, the attacker was then able to create several instances of the company’s IT infrastructure to probe the company’s system. The company said it was alerted to the unusual database activity seven hours later, at which point it shut down access to the affected instance and the AWS keys associated with it. The breach is thought to be enormous, as all of company’s data centers in the U.S. were hacked.

The possibility that the hacker may have obtained enough data to decrypt the encrypted credentials, meanwhile, could mean that thousands of businesses, including Yelp and Pinterest, may need to change their login information for every cloud service they use.

The details are still hazy, and OneLogin has yet to make a public announcement about exactly what data has been stolen. But in the meantime, the company has apparently contacted all of its clients to advise that they immediately reset any passwords stored on OneLogin’s servers.

This is not the first time that OneLogin has suffered a breach in recent months. The company also suffered a breach from July to August when an attacker using a OneLogin employee’s password was able hack its servers and access company analytics and logs.

Share This:

Mastering Password Managers

With this past week’s WannaCry ransomware scare I thought I would take a little time, again to write about how incredibly important password management is to the security of your data. Passwords are of course, inconvenient, time consuming and memory challenging which is why many people do not handle them seriously. However without good password management you are seriously taking a chance with your security.

I also wrote earlier this week that Microsoft is looking to kill passwords altogether for their services, however we are not exactly sure when that is going to happen and Microsoft not withstanding passwords are going to be around for quite a while yet… so you might as well master them.

Here areof my favorite password management applications, each with a free option. My favorite is LastPass, however each will do the trick if you want to lock out the cyber-criminals from getting a hold of your data.


Image result for lastpass logo png

 

There are two versions of LastPass – free and premium. Both can store an unlimited number of account logins in a secure vault protected by a master password, will complete online forms for you automatically, and can employ multi-factor authentication.

The premium edition also syncs across multiple devices, stores passwords for desktop programs, and lets you share secured folders with other people. with customizable permissions.

One of LastPass’s best features is its ability to generate strong, unguessable passwords for all your accounts, which it then stores for you. There’s no need to remember long, awkward streams of characters, or re-use the same password for multiple accounts. It’s a class act.


Image result for dashlane png

Dashlane is LastPass’s most serious rival, and like LastPass it’s absolutely superb with strong password security, exceptional ease of use and ability to store notes for future reference.

In addition to the Windows desktop password manager, there are browser plugins and mobile versions, and as with LastPass there’s a premium edition of Dashlane that adds unlimited syncing and sharing.

The premium edition of Dashlane costs US$39.99 per year, but the free version provides all the essentials: you get the core password manager, autofill and digital wallet features, all of which work flawlessly.


 

Image result for roboform logo

RoboForm claims to be the world’s best password manager, though its free version only lets you store up to 10 logins and lacks the breadth of features offered by some of its rivals. If you need to store more passwords, a premium account costs US$9.95 for the first year, though the mobile apps are free.

It’s available for Windows, Mac, iOS and Android, and is a good option for anybody who wants a simple and secure way to sync passwords between desktop, laptop and mobile devices.

RoboForm doesn’t have quite the same features lists as Dashlane or LastPass, but it’s a very good tool nonetheless and the free mobile apps are excellent.


Image result for keepass logo png

It isn’t the prettiest password manager around, but KeePass Password Safe is both free and open source with strong security, multiple user support and a whole bunch of plugins to expand the app further.

The password manager is small enough to run from USB without installing on a PC, it can input from and output to a wide range of file formats and there are stacks of customization options to play with.

The fact that KeePass Password Safe is open source means anybody can inspect the code for potential weaknesses, which means that any security issues can be identified and fixed quickly. It’s a great little app, if a bit intimidating for absolute beginners.


Image result for sticky password logo

Sticky Password comes from the team behind AVG Antivirus, so you can be confident that security is its top priority.

There are two versions of Sticky Password: free and premium. The latter adds cloud syncing and backup, and costs US$29.99, £19.99 (about AU$40) a year. There’s also a lifetime license available for $149.99, £96.99 (about AU$200) – an option not offered by any other premium password manager.

The app works on PC, Mac, Android and iOS, supports fingerprint authentication on mobile, is available as a portable USB version and offers lots of synchronisation options including Wi-Fi syncing with local devices. It doesn’t support the Edge browser just yet but it will once the Anniversary Update introduces extension support.


There you go. Give these a try. Anyone of them will help you lock down your accounts, secure your data and perhaps prevent a security disaster from impacting you. The time you spend doing this will be well spent… believe me.

Share This:

It’s Time to Change Your Password… Again

Looks like it’s time to change passwords again. Security researchers have discovered a massive database of login credentials, over 560 million emails and passwords  to be exact, put together by an unknown person. All of the information is unsecured.

Image result for security passwords

The database was discovered by the Kromtech Security Research Center. Most of the information is already easily available, which allows users to see if their accounts have been compromised in previous data breaches.

That means most of the information contained on this database was compromised during other incidents at sites such as LinkedIn, LastFM, Tumblr, and Dropbox. So if you didn’t change your password recently on any of those sites it is definitely the time to do it.

No one knows who actually put the database together, but the researchers are calling them “Eddie” after a user profile name in the data.

Share This:

Microsoft’s Eyes the End of Passwords

Passwords were expected to have died a long time ago, but they have managed to hold on for over two decades, which is very surprising. Thirteen years ago Bill Gates declared that “passwords were passé”. Now Microsoft is introducing a replacement for the outmoded authentication system.

Image result for passwords

For years, organizations have sought to educate employees about the importance of secure passwords and of resisting phishing attacks which often fails.

Phishing and similar attacks using e-mail continue to rise each year. Clearly, the constant haranguing by technology professionals to employees to change their passwords and make them more complicated, as well as their pleas not to click on suspicious links/attachments, are falling on deaf ears.

Complicated Passwords – Just to Much Work?

Indeed, the only way passwords can be effective, according to NIST, the US National Institute for Standards and Technology, is by requiring users to come up with 16 character (preferably a mix of letters and digits, with some capital letters and/or alphanumeric symbols thrown in) standard passwords, allowing for as many as 64 characters, instead of the eight to 16 character range most organizations require for passwords today. We have enough trouble getting people to remember eight characters; can we really rely on peoples’ memories to remember 16, 20, or more?

This is why I have been recommending – if not pleading to my co-workers, family, friends and readers of this publication to rely on password managers like “LastPass” to help them with this.

In addition to all this, passwords have another major weakness. They are extremely inappropriate for mobile users. Already in 2015, mobile searches began outpacing desktop searches, and by the end of this year mobile e-commerce revenues are expected to match revenues from desktop/laptop engagements. By 2018 it is expected that mobile users will surpass desktop users.

For many people, using passwords on their mobile devices is just too much trouble. Numerous surveys have consistently shown that about a third of Android device users do not even bother to lock their screens with a password which is considered one of the most basic security moves.

Image result for Microsoft Authenticator

Microsoft’s New Password Solution

The replacement for passwords according to Microsoft is its new updated Microsoft Authenticator, a push authentication system that “shifts the security burden from your memory to your device.” Instead of typing in a password, “which can be forgotten, phished, or compromised,” users simply respond to a push notification when they try to access their Microsoft account. Besides being more secure than a password, push authentication “is easier than standard two-step verification” as well, says the company.

If implemented correctly, this system is a lot more secure than the one that prevails now, where users login with their password, since there are now two or more factors that are being used to authenticate the user, rather than just a single factor which is the “something a user knows” (their password).

Microsoft as well as Apple & Google (both have similar projects) have set an industry trend in mobile authentication to replace passwords. Will users finally let go of passwords? I actually believe they are – it just can’t be too complicated or time consuming if their is to be industry changing adoption.

Share This:

Yahoo! Hacked… Again

Share This:

Yahoo has been hacked… again. News that the company was breached back in 2013, and the personal information of more than one billion of its users was stolen, should serve as a reminder that everyone’s email and personal information is vulnerable to hacking.

yahoo-data-breach

Safeguards you can take include creating strong passwords and changing them regularly. If you do not manage your passwords properly, you could be putting your personal or financial information and our identity at risk.

Protecting Yourself with Strong Password Management

The more complicated and lengthy a password is, the harder it will be for hackers to guess.

Don’t include your kids’ names, birthdays or references to any other personal details. Hackers routinely troll Facebook and Twitter for clues to passwords like these. Obvious and default passwords such as “Password123” are also bad, as are words commonly found in dictionaries, as these are used in programs hackers have to automate guesses.

Long and random combinations of letters, numbers and other characters work best.

Your password reset questions should be as unique as possible too, and don’t be tempted to recycle those either. This was some of the information stolen in the Yahoo hack. And with the help of social media, it’s not hard for hackers to find those little personal tidbits like what your mother’s maiden name is, or the name of your hometown.

Reusing Old Passwords?

No. Avoid using the same password for multiple sites, so that a break of your school’s PTA site wouldn’t lead hackers to your online banking account.

You can make things easier on yourself by using a password-manager service such as LastPass. Password managers can remember complex passwords for you — but you have to trust them.

Changing Your Passwords

While some security experts argue that it’s more important to pick a complicated password than to change them frequently, if you haven’t changed your Yahoo password since 2013 do it now.

And even if you have changed your Yahoo password in the last three years, you might want to do it anyway. Breaches are often worse than they first appear. LinkedIn disclosed earlier this year that a 2012 breach affected 117 million accounts — not the 6.5 million previously thought.

Multi-Factor Identification

Multi-factor identification — which asks users to enter a second form of identification, such as a code texted to their phone — will provide additional protections. It’s now commonplace for many email and social media accounts.

Even if hackers manage to get your password they still need your phone with the texted code.

Closing Old Accounts

Delete or deactivate accounts you no longer use. Has your Yahoo email account been filled with spam since before the invention of smartphones? Maybe it’s time to say goodbye.

You can learn more about LastPass here.

Share This:

Another Reason to Consider LastPass

Security. I talk about it here. Managing your passwords. Mission Critical. I revisit this topic regularly because it is so important. One of my favorite solutions for getting control of your online security is LastPass.  Today LastPass just got a little cheaper.

LastPass announced today that you will no longer need a paid Premium account to access the service on multiple devices. This feature is now free for everyone.

“Starting today, you can use LastPass on any device, anywhere, for free,” LastPass’s Joe Siegrist writes in the LastPass blog. “No matter where you need your passwords—on your desktop, laptop, tablet, or phone—you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use.”

This is great news for anyone who relies on the security and availability of LastPass—which both generates and stores complex passwords for multiple services—but can’t afford the Premium service. Granted, Premium is a reasonable $12 per year.

If you’re already using the free LastPass service, which previously limited the number of devices you could use, you’re all set: You can now use the service across an unlimited number of devices. If you were previously paying for LastPass Premium to use this feature, you just need to wait until your Premium subscription expires; at that time, your account will automatically convert to a free account.

That said, LastPass Premium still provides enough functionality to more than warrant its cost. Features include:

  • Family password sharing with up to five users
  • Ad-free experience
  • Yubikey and Sesame 2FA options
  • Priority tech support
  • LastPass for applications
  • Desktop fingerprint identification
  • 1 GB of encrypted file storage

You can find out more at the LastPass web site.

Share This:

500 Million Yahoo Accounts Hacked

yahooIf you have a Yahoo account you should immediately change your password. Yahoo has been hit with a hack that has exposed 500+ Million accounts. Yes 500 Million. What makes this worse is that this hack occurred back in 2014 but only now has this information been released to the public.

Information including names, addresses, secret answers and passwords was stolen from Yahoo at some point in late 2014 and showed up for sale on the dark web in August this year. Yahoo says the “vast majority” of passwords were secured using an algorithm called bcrypt, which renders it impractically expensive for an attacker to try to break, but the Yahoo has not given any way of checking which passwords were actually stolen. Until they do, you should assume your password is unprotected, and act aquickly.

This means even if you no longer use Yahoo – but you did back in 2014 you should log back into it and change your password – without delay.

You should also change the security information for any account that used the same passwords or security answers as your Yahoo account. This means if your Yahoo account used your mother’s maiden name, you are safest if you start using a different security question.

This advice doesn’t just apply to the people who had a Yahoo webmail account. A number of other popular services shared Yahoo logins, most notably BT Internet’s webmail service, and online photo storage service Flickr. Former users of other Yahoo properties including social bookmarking service Del.icio.us may also have Yahoo accounts without being aware.

Protecting Your Online Information Is Serious Business

As I have recommended many times. Everyone should take their online security very seriously. Hacking and stealing our online information is – in many ways the crime of the future, and the future is now.  One of the best – and easiest ways to do this today is by using a password manager like LastPass. With password managers you can enjoy some sense of online security by using different encrypted passwords for each and everyone of your online accounts.

Share This:

69 Million Dropbox Accounts Hacked

dropbox-hackedIt’s been a while since a posted a story about a security breach. Well – that streak is over.

Dropbox users who have not updated their passwords over the past four years should do so immediately because more than 68 million records from Dropbox accounts hacked in 2012 have now appeared online.

It was learned yesterday that the compromised Dropbox files showing up online included both user email addresses and hashed passwords. The information appears to have stemmed from a breach reported by Dropbox in 2012, the publication said.

This latest development indicates that the 2012 breach had the potential for far more fallout than Dropbox initially revealed to users.

Users who signed up for the service before mid-2012 and haven’t changed their passwords since then would receive a prompt to update them the next time they signed in, Patrick Heim, Dropbox’s head of trust and security, wrote in a blog post last week. Heim wrote, That while there was no sign that users accounts had been improperly accessed, Dropbox’s security teams recommended such precautions based on threat monitoring related to old credentials that were hacked in 2012.

Patrick Heim also stated that Dropbox had already emailed “all users we believed were affected and completed a password reset for anyone who hadn’t updated their password since mid-2012.” That ensures that even if hackers could crack the compromised credentials, they would not be able to access users’ Dropbox accounts.

Dropbox Users – Change Your Password

If you have a Dropbox account I would take the time to change your password regardless. Also if you are using online services such as Dropbox you should also delete old accounts that you no longer use and of course avoid reusing the same passwords on multiple sites and be wary of third-party integration that lets users, for example, access games or other applications via a Facebook or Dropbox login

Manage You Passwords!

Also – as I have suggested many times in the past invest in a password manager like LastPass. You life will be much easier… and more secure.

 

Share This:

The Case for Password Managers

Here is something that probably drives you crazy. Passwords. How many times do you have to reset your password? How much time do you lose trying to figure out just what your password is for a particular website? Do you panic when you hear about another security breach and have you ever feared that your personal information has been stolen?

We are live in a digital world and there is nothing we can do about that. Passwords and security are simply going to continue to become more difficult and harder for us to manage. I believe that the best way for you to safely and efficiently manage your online security is by investing your time (and sometimes a little cash) in a good password manager.

Using a password manager will address these problems that most of us face as we travel through the digital universe.

  1. Error messages galore – It’s annoying to type out a password, especially as password requirements get more complex. And many times, we type them in wrong. This is even more of a problem using the small keyboards on a smartphone or tablet. With a password manager, your password is automatically filled in for you when it detects the login screen, or you can easily tap the password for entry into a mobile app.
  1. The forgotten password lock-out – Enter that password one too many times, and boom – you’re locked out. Again. That’s the last thing you want to deal with when you’re logging in to pay your credit card on time or need to respond to an email quickly. Password managers never forget the stuff you’ve stored in them, and that stuff includes your passwords. Never get locked out again with a password manager.
  1. The reset (the aftermath of the lock-out) – Once you’ve finally admitted that you can’t remember your password, you have to go through the painful and usually time-consuming password reset process. Will the link to reset your password come through immediately? Or in a few hours? No one knows, and no one has time for that.
  1. Creating a tough as $%!t password – With the increased frequency of breaches, many sites are implementing stronger password requirements – 35 characters, 6 symbols, uppercase, lowercase – who can remember all that?! Thankfully, we have the technology of a password manager for that. Not only can it create that complicated password in one click, it remembers it without any work on your part.
  1. What’s your Wi-Fi, again? – You have friends over for game night and everyone wants to control the music from their own phone. But before they can do that, you get the age-old question, “What’s your Wi-Fi password?” And a 15-minute delay ensues as you try to track it down again. Ah! But with a password manager like LastPass, you’ll have it right where you want it. Simply store your Wi-Fi credentials in a Secure Note, and share that Note with your friends so you don’t ever have to dig up and spell out your Wi-Fi password again.
  1. Your billing address is not correct – You’re shopping online, just buying a new pair of shoes, but as soon as you enter your name, the browser populates your billing and shipping information with your office address. As much as you’d love to charge those new shoes to work, that won’t fly. With LastPass, you can create profiles for your credit cards so you don’t need to enter the information each time – LastPass just fills it in for you automatically.
  1. Post-breach password changes – The modern reality is that passwords are a hot commodity and hackers are going to keep trying to steal them. After each new breach, we as consumers run around changing this password or that one, which can be a hassle and quite time-consuming. But password managers like LastPass can help you figure out where you’ve reused the same password that was breached, and will even automatically change passwords for you making it extremely easy to be extremely secure.
  1. Not having a password when you need it – It’s happened to everyone. You’re on the go – running errands, away for the weekend – and you get an email that your electric bill is due – today! Normally that’s not a problem, but the password for your electric company account is stored in your browser or on a sticky note next to your computer, which isn’t helpful now. With a password manager you have access to your passwords wherever you are, from any device. So paying your electric bill from a rest stop on the side of the highway is no big deal.

Take a look back at this list. How many of these frustrations have you dealt with just in the last month? Passwords aren’t going away; they’re actually becoming more of a pain, but they don’t have to be.

My favorite password manager is LastPass but there are others out there as well. You can learn about many of the best password managers by checking out this PC Magazine article.

Share This:

1 2 3 4