Mac’s New Root Problem

The username is the “root” of all problems for Apple’s latest operating system.

It turns out you don’t need a password to log in to a locked Apple device using MacOS High Sierra — just the username “root.”

By heading to your device’s System Preferences, under Users & Groups, you can click on the lock and get hit with a prompt asking for a username and password to change settings. Then, instead of entering a password, you can type in “root” for the username and leave the password field empty.

After clicking unlock several times, it should eventually open up, no passwords necessary.

The simple exploit means anybody with physical access to your MacOS High Sierra device can log in on your computer, no matter how secure your passwords are.


The bug works for every aspect of the OS that would normally require a password, which means someone could also get access to your Keychain, containing all your passwords.

MacOS High Sierra was also plagued with a password issue when it launched, after a former NSA hacker showed that he could extract sensitive data from Keychain using an app downloaded online.

There’s a workaround for the “root” flaw until Apple fixes it. You can turn guest users off, or change the root password from your directory utility.

Another recommendation is to create the “root” user and set a password for it, which closes this blatant hole.


Understanding Two-Factor Authentication

If you aren’t using two-factor authentication yet, you’re way behind and leaving your accounts vulnerable to hackers and phishers. In fact – you probably have been exposed to two-factor authentication and do not even realize it. If you ever forgot a password and were sent a text message with a code, or if you were required to answer security questions, you have already used two-factor authentication.


Passwords today are simply not secure enough, especially when considering your personal and financial security.

There are several types of two-factor authentication security. Also, not all two-factor authentication methods are equal; some are safer and more secure than others. Here’s a look at the most common methods and which ones best meet your individual needs.

Two-Factor Authentication vs. Two-Step Authentication

Before diving in, let’s take a quick moment to clear up some confusion between two-factor authentication and two-step authentication. They’re similar, but not quite the same — one’s a square, the other a rectangle.

Two-factor authentication is when you protect an account with two factors. A factor is either “something you know” (e.g. password), “something you have” (e.g. phone), or “something you are” (e.g. fingerprint). To truly be protected by two-factor authentication, your account must require two locks of different factors before granting access.


If an account is protected by two locks of the same factor, then it falls under two-step authentication (or two-phase authentication). For example, a password and a security question are both “something you know,” making authentication two-step but not two-factor. Though this can still provide adequate protection, two-factor authentication is preferable.

Just as a square is a rectangle but a rectangle isn’t a square, two-factor authentication is a type of two-step authentication but not the other way around.

Method 1: Security Questions


What is it?
When creating an account, you choose one or more security questions and set answers for each one. When logging into that account, you have to provide the right answer to each question to validate that you have rightful access.

The Pros
Security questions are extremely easy to set up. Most of the time, the service provides a dropdown menu of questions — all you have to do is pick one and give the answer. You don’t need any other equipment, devices, etc. The answer is just stored in your head.

The Cons
Many security question answers can be found in public records (e.g. your father’s middle name) or socially engineered (e.g. phishing emails or phone calls). To get around this, you can make your answer gibberish and effectively make it a second password — but be careful that you don’t lose it or forget it!

Method 2: SMS Messages


What is it?
When creating an account, you provide your mobile phone number. Whenever you want to log in, the service sends you an SMS message with a verification code that expires (usually after 15 minutes). You have to input that number to complete the login process.

The Pros
SMS messages are extremely convenient. These days, pretty much everyone has an SMS-capable device and can receive SMS messages free of charge. Usually the messages arrive instantly, but even when they don’t it rarely takes more than a few minutes. If you ever lose your device, you can transfer your phone number so you’ll never be permanently locked out.

The Cons
You have to trust the service enough to share your phone number. Some disreputable services may use your number for advertising, or sell it off for monetary gain. And since phone numbers aren’t actually tied to devices, hackers can actually circumvent SMS-based authentication without ever touching your phone (though it isn’t easy).

Method 3: Time-Based One-Time Passwords


What is it?
When you create an account, you’re assigned a “secret key.” After installing a code-generating app (like Google Authenticator or its alternatives), you scan a QR code to load the secret key into the app. It then generates one-time passwords every so often (e.g. 30 seconds) using the secret key as a seed, and you need these one-time passwords to log in.

The Pros
The codes are generated based on a mixture of the secret key and the current time, which means you can get valid codes on your device even when you have no reception and/or no mobile service. And since the secret key is stored on the device itself, it can’t get intercepted or redirected (such as through a phone number takeover).

The Cons
You will be unable to log in if your device runs out of battery or dies altogether. Sometimes internal clocks can desync between device and service, which results in invalid codes. These are two reasons why printing backup codes is essential.

If a hacker somehow clones your secret key, then they can generate their own valid codes at will. And if the service doesn’t limit login attempts, hackers may still be able to compromise your account through sheer brute force.
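As an added example that is not part of the original post, here is the derivation this section describes written out in Python against RFC 6238: the code is an HMAC of the secret key and the current 30-second time step, with a one-step skew window for the clock-drift problem and a per-account attempt limit for the brute-force problem noted above. The secret is the RFC’s published 20-byte test key, and the step size, skew and lockout thresholds are assumed policy values, not those of any particular service.

```python
import hashlib
import hmac
import struct
from collections import defaultdict, deque

# Constructed demo secret: the 20-byte ASCII test key from RFC 6238 Appendix B,
# used here only so the output can be checked against the published vectors.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30      # the "every 30 seconds" window described in the section
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Accept the current step plus `skew_steps` on either side to tolerate small clock drift.

    A device clock that has drifted by more than skew_steps * step seconds still produces
    codes the service rejects, which is the desync failure the section describes.
    """
    current = unix_time // step
    for counter in range(current - skew_steps, current + skew_steps + 1):
        # compare_digest avoids leaking how many digits matched through timing
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


class AttemptLimiter:
    """Assumed lockout policy: at most `max_attempts` failed codes per account per `window` seconds.

    A 6-digit code has only 10**6 possibilities, so a service that never limits
    attempts can eventually be brute-forced even when the secret is safe.
    """

    def __init__(self, max_attempts: int = 5, window: int = 300):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures

    def allow(self, account: str, now: int) -> bool:
        recent = self._failures[account]
        while recent and now - recent[0] >= self.window:  # forget failures outside the window
            recent.popleft()
        return len(recent) < self.max_attempts

    def record_failure(self, account: str, now: int) -> None:
        self._failures[account].append(now)


def authenticate(limiter: AttemptLimiter, account: str, secret: bytes,
                 code: str, now: int) -> str:
    """Second-factor check as a service would run it: rate limit first, then verify the code."""
    if not limiter.allow(account, now):
        return "locked"
    if verify_totp(secret, code, now):
        return "ok"
    limiter.record_failure(account, now)
    return "rejected"


if __name__ == "__main__":
    # Prints the 6-digit codes for three of the RFC 6238 reference timestamps.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(DEMO_SECRET, t))
```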

Method 4: U2F Keys


What is it?
Universal 2nd Factor (U2F) is an open standard that’s used with USB devices, NFC devices, and smart cards. In order to authenticate, you simply plug it in (for USB keys), bump it (for NFC devices), or swipe it (for smart cards).

The Pros
A U2F key is a true physical factor. Unlike SMS codes, they can’t be intercepted or redirected. And unlike most two-factor methods, U2F keys are phishing-proof because they’re only registered to work with sites you’ve registered. It’s one of the most secure 2FA methods currently available.

The Cons
Because U2F is a relatively new technology, it isn’t yet widely supported. For example, as of this writing, NFC keys only work with Android mobile devices, whereas USB keys mainly work with the Chrome browser (Firefox is working on it). U2F keys also cost money, often between $10 and $20, but the price can go higher depending on how rugged you want the key to be.

Method 5: Face, Voice, Fingerprint


What is it?
Facial recognition, voice recognition, and fingerprint scans all fall under the category of biometrics. Systems use biometric authentication when it’s imperative that you really are who you say you are, often in areas that require security clearance (e.g. the government).

The Pros
Biometrics are extremely difficult to hack. Even a fingerprint, which is arguably the easiest to copy, requires some kind of physical interaction. Voice recognition would need some kind of statement said in your voice, and facial recognition would need something as drastic as plastic surgery. It isn’t unbreakable, but pretty close.

The Cons
The biggest downside, and the reason why biometrics are rarely used as a two-factor method, is that a compromised biometric is compromised for life. Plus, how comfortable would you feel giving up your face, voice, or fingerprints? Would you trust them to be kept safe? Most wouldn’t.

Which Two-Factor Authentication Method Is Best?

Well, it depends on what you value most:

  • For balance, time-based one-time passwords are the best. You just have to be careful about keeping backup codes in case you lose or break your device.
  • For privacy, U2F keys are the best. They can’t be used to track you and you don’t have to give up any personal information to use them. But they cost money.
  • For convenience, SMS messages are the best. Yes, they can be intercepted or redirected, and yes, they fail with bad reception, but they’re quick, easy, and secure enough.

If given the choice, don’t ever rely on security questions as a two-factor method. If you have no other option, then prefer to use it as a second password. Don’t ever answer the question directly, especially if the answer isn’t something that only you know.


Forgetting Your iPhone Password

With the latest generations of iPhones featuring all sorts of fancy unlock mechanisms like Face ID and TouchID, the reliance on a good-old passcode is going downhill.

As you’re less accustomed to entering it now, the chances of forgetting your passcode shoot up significantly. Forgetting your iPhone’s passcode can be a very frustrating experience. Fortunately, there are a few ways you can use to reset your passcode.

Before we dive into those methods, try using the following tip to recall your password.

Try Using This Tip to Recall Your Password

It might sound obvious, but try recalling your passcode keeping this tip in mind. It can save you from the hassle of having to explore other ways to remove your passcode.


It’s a common misconception that only 4-digit passcodes can be set on the iPhone. We wouldn’t blame the users though, as the option is buried inside the Passcode Settings. In reality, you can set a custom numeric code or a custom alphanumeric code.

It’s possible that you might have set a custom numeric or alphanumeric passcode, but are trying to recall only potential 4-digit numbers. So, try recalling your passcode with this increased scope of digits. Be careful though, as entering the wrong passcode six times disables your iPhone.

If that doesn’t seem to work, or your iPhone is disabled, no worries. Let’s look at some of the ways to reset your iPhone’s passcode.

The Fix: Erase Everything on Your iPhone

Apple makes it very clear that the only way to fix a forgotten iPhone password is to erase everything on your iPhone. Unless you made a backup before you forgot your passcode, there’s really no way to save your iPhone’s current data. It might not sound pretty, but it’s a trade-off you’ll have to make if you ever forget your iPhone’s passcode.

There are three ways to erase the data on your iPhone, remove the passcode, and start from scratch.

1. Erase Your iPhone Using iTunes

If you’ve previously synced your device with iTunes, you can use a recent backup to restore your iPhone and reset its passcode. Here’s how to erase your device using iTunes.


  1. Connect your iPhone to the computer you previously synced with.
  2. Open iTunes. If iTunes lets you in without prompting for a passcode, you can proceed. However, if it prompts you for a password, then try connecting your device to any other computer you might have synced with. If you have never synced with any other computer, this method won’t work for you. In that case, skip to the “recovery mode” section to learn how to erase your iPhone using recovery mode.
  3. Assuming that iTunes didn’t prompt you for the passcode, wait for iTunes to sync your device and make a backup.
  4. When the sync completes, click on Restore iPhone and let the restoration process complete — iOS will be reinstalled from scratch.
  5. When complete, the iOS setup screen should pop up on your iPhone. Here, tap on Restore from iTunes backup.
  6. Choose the latest backup to restore from.

Doing so will restore your data to that point in time when the backup was made. Also, it will remove the passcode, thus giving you a chance to set up a new one.

2. Erase Your iPhone Using iCloud

If you sync your iPhone with iCloud and not iTunes, and you have Find My iPhone enabled on your locked device, you can erase your iPhone using iCloud. You can also use this method if you don’t have physical access to your iPhone. Note that your locked device must be connected to Wi-Fi or cellular data. If it isn’t, you can swipe up from the bottom to open Control Center and toggle them on.

In the rare case that you’ve disabled access to Control Center on the lock screen, and you do not have an active internet connection, this method won’t work for you. Fortunately, you can still reset your iPhone using the instructions given in the next “recovery mode” section.

Having verified all the prerequisites, here’s how to erase your iPhone using iCloud.

  • Open iCloud dashboard and log in using your Apple ID.
  • Click on All Devices at the top and then select your iPhone.
  • Click on Erase iPhone.

Your iPhone’s data should be wiped remotely, thus erasing everything and removing the password. On the setup screen, you can choose between restoring from an iCloud backup or setting up your iPhone as a new one. Select the one you want. Then, you can set a new passcode.

Note: You can also use the Restore method in iTunes, then choose to recover from iCloud when iOS boots back up if you want to.

3. Erase Your iPhone Using Recovery Mode

If you have never synced your device with iCloud or iTunes, erasing your iPhone using recovery mode is your only option. Doing so will erase your iPhone’s data permanently and basically set it up as new. Here’s how to erase your iPhone using recovery mode.


First, connect your iPhone to a computer and open iTunes. The hardware key combination required to enter recovery mode varies between iPhone models. Here’s an excerpt from Apple’s support page on how to enter recovery mode:

  • On an iPhone 8 or iPhone 8 Plus: Press and quickly release the Volume Up button. Then press and quickly release the Volume Down button. Finally, press and hold the Side button until you see the recovery mode screen.
  • On an iPhone 7 or iPhone 7 Plus: Press and hold both the Side and Volume Down buttons at the same time. Keep holding them until you see the recovery mode screen.
  • On an iPhone 6s and earlier, iPad, or iPod touch: Press and hold both the Home and the Top (or Side) buttons at the same time. Keep holding them until you see the recovery mode screen.

When you enter the recovery mode, iTunes will prompt you to either Restore or Update your iPhone. Click on Restore.


iTunes should begin downloading software for your device. If the download takes more than 15 minutes, the iPhone will exit recovery mode automatically. If this happens, just repeat the above steps. Once the process is completed, you can set up your iPhone and set a new passcode.

Unfortunately, without a backup your data will be lost.

Other Methods You Can Try

Apple takes pride in the fact that it values user security and privacy. While there’s no denying that Apple’s security infrastructure is top-notch, it’s also true that it isn’t bullet-proof. For instance, a developer used a $500 box to exploit a vulnerability in iOS 10.3.3 and iOS 11 beta to perform a brute force attack and bypass the lock screen.

The brute force method could take days to work, depending on the complexity of the password. Fortunately, Apple patches such vulnerabilities swiftly.

Perhaps this might be the most impractical method to bypass your passcode, not just because of the price of the box, but also because you’d have to be really unlucky (lucky?) to be running a vulnerable version of iOS. If you have some really important data that you cannot afford to lose, but you still need to reset your passcode, you might want to give it a try.

The Aftermath

Now that you’ve successfully removed your iPhone’s passcode, it’s time to go back to the basics and learn from this experience. In no particular order, here’s what you should do.

  • Keep your iPhone backed up: The importance of backup cannot be stressed enough. If you had to reset your passcode and didn’t have a backup, you might agree that losing precious data is a dreadful experience.
  • Keep your iOS updated: A few brute-force boxes that exploit a vulnerability in iOS have popped up in the past. Apple often acts quickly and patches the vulnerabilities. Therefore, it’s best to keep your iOS updated.
  • Create a strong yet memorable passcode: A strong password doesn’t necessarily have to be tough to remember.


Managing Your Passwords with 1Password

Managing your passwords is critical to protecting your digital information. If you are not using a password manager, you should. I have written about my personal favorite password manager, LastPass, many times. However, there are many options to help you with your passwords, including 1Password.

1Password is a popular password and data manager that’s already available on a wide variety of devices and platforms. It recently made its way to Microsoft Edge in the form of an extension.

Using 1Password allows you to securely store your passwords and data on the 1Password application for your PC and then easily log in to sites or fill out forms using the extension on Microsoft Edge.

To use the extension, you first have to download and set up 1Password on your PC. Both of these are free to download, but using the service costs either $2.99/month for an individual license or $4.99/month for a family plan. There’s also a 30-day free trial available.

It saves you time and effort

1Password lets you store website login data and passwords, credit card information, bank account information, documents such as passports, and many other types of data that you need to keep track of. All of this information is saved securely within 1Password which requires a secret key to initially set up and a master password that you have to enter to unlock the PC program.

It takes some time to add all of your information but in the long run using 1Password saves you time and effort. You’re going to have to enter all of this information at least once in the future anyway, saving it in 1Password means that after you enter it once you don’t have to do it again.

You can also use 1Password to generate extremely complicated passwords for each of your logins.

The extension just works

After initial setup of the Windows app and the extension, 1Password is ready to go and just works when you need it.

When you’re on a site that needs any information that’s stored in 1Password you just click the extension’s icon and select what you want 1Password to use to fill the site. This works well and makes logging in and filling out information significantly faster.

The extension is easy to use and takes care of all the complicated stuff like encryption and security for you. The end result is a point and click interface that streamlines your web usage.

Some quick security tips

1Password is only as secure as the person using it. If you set up 1Password with all of your information and then don’t take the necessary security measures, you could actually have made it easier for someone to use your information and spend your money. Some simple features and tips help make sure you don’t risk your own data security.

You can set up auto-lock to lock 1Password every time you lock your PC or after your PC has been idle for an amount of time that you specify. This option is on by default and worth keeping on.

Additionally, using 1Password means that if someone gets your password for the service and has hold of your device, they can do all sorts of damage. As you should with any password, keep it secure and don’t write it down or record it anywhere.

A couple of things that hold 1Password back for some

1Password is easy to use, secure and works well with Windows 10 and Microsoft Edge. But a couple things are missing that might be important to certain users.

First up is that 1Password doesn’t support two-factor authentication. Not everyone uses this type of security, but if you do, it’s important to note that 1Password does not support it. They have an explanation as to why they don’t support it if you want to read into it more.

Second, is a lack of Windows Hello support. Not everyone is set up for Windows Hello, but if you’re all in on the ecosystem, it can be a factor into which services you use. According to a support forum post earlier this year, Windows Hello is planned but doesn’t have a specific ETA. The forum also goes into detail as to why 1Password currently supports fingerprint unlock on Android and Apple’s Touch ID but not Windows Hello at this time.

Overall thoughts

1Password is easy to use, streamlines the awkward process of entering passwords and does it in a secure way.

The extension itself works extremely well and syncs very quickly when you add new information into your 1Password account.

Over time, it would be nice to see 1Password jump even further into the Windows 10 ecosystem with Windows Hello support and a UWP app, but to a lot of users, those aren’t deal breakers or even a factor they consider.

If you’re interested in trying out a password manager, or are just interested in making a switch from the one you’re currently using, 1Password is worth a look, especially since they have a free trial period that’s long enough to let you make an informed decision.


Equifax Crisis Worsens

The Equifax security breach just keeps getting worse. At the end of the day this sad situation proves a point I have been pressing for years now. You cannot trust others with your digital security. You must take security very seriously. The first thing everyone should do is – take passwords seriously, very seriously.

Think about this: would you leave your wallet or your purse on a table – all alone – in a public place? Of course you would not. Your passwords are even more important than this.


My recommendation is to find a password manager, like LastPass, and take some time setting up unique, encrypted passwords for each of your accounts. This is not as difficult or as expensive as it sounds. You can learn more about LastPass here.

OK – let’s get back to the latest disaster that is Equifax.

One month after news came out about a massive breach at Equifax, the credit bureau is still struggling with the fallout. The latest blow arrived yesterday when an independent security researcher reported discovering that links on the Equifax Web site were attempting to redirect him to a malicious URL.

In a blog post last week, analyst Randy Abrams said that he visited the Equifax site to check and see whether false information from another credit bureau had made its way into his credit report on Equifax. When he tried to access his personal information, he said he was redirected to a site with a fake Flash Player update screen. In a tweet yesterday, Abrams said it appeared that the issue might indicate Equifax’ Web site had been breached again.


Equifax revealed in early September that its systems had been compromised sometime between May and July, causing sensitive personal data for around 143 million Americans, as well as a number of Canadian and British citizens, to be exposed. Early this month, the company increased its estimate of the number of U.S. victims by 2.5 million. The U.K.’s National Cyber Security Centre reported earlier this week that nearly 700,000 Britons might have been affected by the breach.

Abrams noted on his blog that he “just sort of tripped over” the latest problem at Equifax’ Web site while trying to view his credit information. The appearance of a Flash update site was an immediate red flag, according to Abrams.

“Seriously folks, Equifax has enough on their plate trying to update Apache,” he said. “They are not going to help you update Flash. I know that nobody is surprised at my find, but watching Equifax is getting to be like watching a video of United Airlines ‘deplaning’ a passenger . . . It hurts.”

The fake Flash download links appeared during at least four separate visits Abrams made to the Equifax site, according to a report today in Ars Technica. An analysis by the German IT firm Payload Security gave the malicious file that attempted to load a threat score of 96 out of a possible 100.

Meanwhile, U.S.-based security writer Brian Krebs has pointed out that the Equifax breach could expose not only people’s names, Social Security numbers, and birth dates, but also details about their salary and employment histories. Krebs also criticized the Web site that Equifax created to keep people informed about the issue.


Yahoo’s Security Breach Grows Worse

In December 2016, Yahoo revealed it had been hacked back in 2013. It was reported at the time that this security breach by an “unauthorized third party” saw the user data associated with 1 billion accounts stolen. However, it turns out that this epic hack was even worse than Yahoo thought.

This hack didn’t just affect 1 billion random Yahoo users. Instead, it hit every single Yahoo account that existed in August 2013. And there were 3 billion of them at the time. Let that sink in for just a minute: 3. billion. accounts. Making it the largest data breach in history. That we know of…

The Most Epic Security Breach Ever Recorded

Since Yahoo first disclosed the hack Verizon has acquired the company. During that acquisition new intelligence was uncovered that clued Yahoo into the fact it had underestimated just how epic this hack was. Rather than “just” 1 billion users being affected, all 3 billion users were caught up in it.


Yahoo has subsequently sent out a notice revealing the truth. The company states it now believes that “all Yahoo user accounts were affected by the August 2013 theft”. And Yahoo, now called Oath, has drawn this conclusion “following an investigation with the assistance of outside forensic experts”.

Thankfully, although the size of the security breach has been scaled up significantly, the information stolen has remained the same. Which means that “names, email addresses, telephone numbers, dates of birth, hashed passwords […] and, in some cases, encrypted or unencrypted security questions and answers” were stolen.

However, Oath (formerly Yahoo) is ultra keen to stress that no “passwords in clear text, payment card data, or bank account information” was stolen from its servers. This should be of some comfort to anyone who had a Yahoo account in 2013. Which is probably most people reading this right now.

Please Follow Yahoo’s Common Sense Advice

Oath has created a full page of FAQs related to this data breach. And this provides the common sense advice the company suggests you follow in order to safeguard your information. Which basically amounts to changing your passwords and security questions and answers for any and all Yahoo accounts, and, crucially, all other accounts that share the same or similar information.


Was Your Data Stolen in the Equifax Breach?

Yesterday we first reported about the massive Equifax security breach. Today more details have emerged as well as additional details regarding how you can see if your data is at risk. Sadly I checked mine this morning – and indeed my data was possibly “exposed”. Also, surprisingly I was advised to wait until September 13 for more details.


This data breach could affect up to 80 percent of all U.S. credit card users, and – as I reported above – the credit reporting giant Equifax is doing a terrible job of reassuring customers. As of this writing, getting through to the company on the phone is nearly impossible and online access is not much better.

What Data Was Stolen in the Breach?

Equifax revealed what is potentially one of the biggest data breaches in U.S. history, and the company could be facing a $1 billion lawsuit as a result. Though the hack was discovered on July 29, it was only just revealed by the company. This delay in reporting the hack to the public is almost always the case – which is why password management is so critically important. I have written about this many times.

Hackers were able to access sensitive data including names, social security numbers, addresses, dates of birth, phone numbers, and driver’s license details for 143 million consumers between May through July 2017. Approximately 209,000 users also had their credit card details stolen, and about 182,000 users had details from their Equifax dispute documents stolen.

The breach mostly affects U.S. residents, along with some U.K. and Canada citizens.

How to Find Out If Your Data Was Stolen

There’s been plenty of confusion on how to find out if you were affected.

Equifax has set up an online tool that lets customers check if they were part of the data breach, but it requires entering more personal information (last six numbers of your social security number) and the results are vague & inconclusive (as I experienced). You may be understandably skeptical about handing over more information to a company who’d find itself on the receiving end of such a large breach.

If you prefer to call the company, you can reach them at 866-447-7559. Good luck getting through!

For immediate results, go to the web tool provided by Equifax and click “Begin Enrollment.” Do NOT click Continue Enrollment! (According to the terms of service, enrolling in TrustedID will waive your rights to legal representation, including participation in any class-action lawsuits.)

You’ll see a screen where you can enter the last six digits of your social security number and your last name.

If your data was stolen, you will see the message below. Again, do NOT click the Enroll button!

Up until last night, customers may have seen one of three messages. The one listed above, another saying they were not affected, and a third providing a date on which they could enroll in the company’s TrustedID Premier service.

What Should You Do?

Consumer Reports offers some suggestions for those who find that their information may have been compromised.

Credit Monitoring: You can sign up for Equifax’s free TrustedID Premier service which is a credit monitoring service that is currently free. As mentioned above, enrolling does preclude you from participating in a class-action lawsuit against the company.

Credit Security Freeze: One of the most common suggestions from security experts in the wake of the breach is to place a credit security freeze. This will not affect your credit score and will not impact prescreened credit offers.

In order to place a freeze, you must request a security freeze with all three credit bureaus:

There is a BIG problem with this move however!

First, this is not free. The fee varies from state to state, but it shouldn’t cost you more than $10 per credit bureau.

Secondly, the freeze will prevent new lines of credit being opened in your name, which of course means that if you were planning on purchasing or renting a home, financing a car, applying for a job, or getting a new credit card, you will have to lift the freeze first.

Finally, lifting the freeze may also cost up to $10 per credit bureau.

Stay Vigilant: Keep a vigilant eye on your bank accounts for any suspicious activity. Consumer Reports recommends setting up alerts on your bank accounts for unusual activity: suggested parameters include your balance and the size of transactions. While Consumer Reports does not suggest it, you should also be vigilant when it comes to your online accounts. Set up two-factor authentication, create secure passwords, and don’t click on links in emails claiming to be from Equifax.

Equifax has said that it will mail out notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted.

Mastering Password Managers

It goes without saying that everyone needs to use stronger passwords, and the best way to do that is with a password manager. The truth is, passwords that are hard to hack are very hard to remember; however, you really do need long and complex passwords.

That’s where password managers come in handy. There are all kinds of password managers out there, including some as basic as your browser’s rudimentary list of saved passwords and some as elaborate as entire cloud systems that work across multiple devices and platforms.

All of these models have some basics in common: they store your passwords, they auto-fill details on login forms, and they keep your passwords encrypted in a database. The differences lie in where that database is kept, the type of encryption used, and the recovery options available.

Weaponized Math: Encrypted Passwords

Your browser can save passwords, but that often isn’t very secure. One of the main appeals of a password manager is that it saves all of your passwords behind one password in a single database.

Of course, putting all your plaintext passwords in one place isn’t much of a security measure in and of itself. Instead, the database must be encrypted. But since the amount of control you have over the password database varies from product to product, you’ll want to figure out which model works best for you.

Boiled down, encryption is the use of math to disguise your data. The key used to transform the plaintext is randomly generated, and the strength of the encryption depends on the size of that key in bits. In layman’s terms: the more bits, the more security, because the more complex the key, the more complex the resulting output.

Depending on the algorithm, that transformation is repeated. In certain cases, the key itself is transformed to further obscure the output. This process creates what’s called a hash, which often has added salt (additional randomization added to the hashing process). This ensures the original value is completely obscured without the correct starting input, key, and salt.

There are additional factors like block size, initialization vectors, and other more advanced concepts. If you’re interested in the gory details, check out our detailed breakdown of encryption.
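What the salted hashing described above looks like in practice, as an added example (this is not code from the original post or from any of the password managers it mentions): the vault stores only a random salt, a work factor and a salted hash of the key derived from the master password, and unlocking re-derives the key and compares. PBKDF2-HMAC-SHA256, the iteration count and the sample master password are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2: an assumed value for this example, not one taken from any
# particular password manager. Higher means slower guessing of the master password.
KDF_ITERATIONS = 200_000


def derive_key(master_password: str, salt: bytes,
               iterations: int = KDF_ITERATIONS, key_len: int = 32) -> bytes:
    """Stretch a master password plus salt into a key of key_len bytes (key_len*8 bits)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=key_len)


def create_record(master_password: str) -> dict:
    """Build what a vault would store: the salt, the work factor and a salted hash.

    Neither the master password nor the derived key itself is written down."""
    salt = os.urandom(16)          # a fresh random salt for every vault
    key = derive_key(master_password, salt)
    return {
        "salt": salt.hex(),
        "iterations": KDF_ITERATIONS,
        "key_bits": len(key) * 8,
        "hash": hashlib.sha256(key).hexdigest(),   # verifier derived from the key
    }


def verify_master_password(candidate: str, record: dict) -> bool:
    """Re-run the same salted derivation and compare in constant time."""
    key = derive_key(candidate, bytes.fromhex(record["salt"]),
                     record["iterations"], key_len=record["key_bits"] // 8)
    return hmac.compare_digest(hashlib.sha256(key).hexdigest(), record["hash"])


if __name__ == "__main__":
    # Constructed sample master password, used for demonstration only.
    rec = create_record("correct horse battery staple")
    print("stored record:", rec)
    print("right password:", verify_master_password("correct horse battery staple", rec))
    print("wrong password:", verify_master_password("Correct horse battery staple", rec))
    # Same password, different salt: the stored hash is unrelated, so a table
    # precomputed for one vault is useless against another.
    other = create_record("correct horse battery staple")
    print("salt changes the hash:", other["hash"] != rec["hash"])
```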

Local Safes: Keeping Control

The best way to keep a secret is to never tell anyone. If you don’t want your passwords anywhere other than on your hard drive, a local password manager is your best option. This keeps your data on a device that you physically control, leaving your security directly in your own hands.

One of the more popular password managers is KeePass, an open source Windows solution with ports on Mac and Linux. It offers a lot of flexibility and control, including the ability to select between multiple encryption algorithms.

And if you’re looking for a complete escape from passwords, you can even use key files to unlock your passwords. (You put key files on a USB drive or other portable storage, then use the physical device as a key to authenticate with the machine.)

The downside to KeePass is the same as its strengths: you control the keys to the kingdom, so if you lose your key files or master password, you’re out of luck. In such a case, your only option would be to start over from scratch and set up every password again.

Your file is also limited to where you save it, so you’re responsible for any backups you want to maintain. If you want mobile sync, you’re going to need to do it manually (or with a separate syncing service like Dropbox) and a compatible reader on your tablet/phone. And if something goes wrong, you’re on your own.

Local managers give you a lot of security and control, but you lose a rescue plan and out-of-the-box portability.

Syncing Systems: Multiple Devices

If you’re juggling multiple devices with many passwords, keeping a master file locked on a PC somewhere is not the best solution — especially if you’re trying to log into Amazon on your phone or check your bank balance on your tablet. Don’t weaken the password just to make it more memorable!

That’s where hybrid approaches like 1Password come in, which use Dropbox or your local network to automatically sync your passwords between devices. This gives you the ability to keep everything working across devices, but you are still the only one with the key to your data.

But you lose some of the crunchier options, such as multiple encryption algorithms and key file logins.

This fixes a lot of the downsides of the local-only option, as you can keep your phone, tablet, and computer all in sync. You will also need to trust Dropbox as a cloud host, though 1Password adds an extra layer of security on top with its own strong encryption, which should put most security worries to rest.

If you’re really worried about interceptors and other vectors of attack, you can just use your local network to synchronize your passwords across devices. You won’t have any hope of recovering a lost master password if you choose this route, but it does ensure that 1Password won’t have access either.

Cloud Services: Any Device, Anywhere

Keeping all of your passwords in the cloud requires a certain amount of trust in a company to do things the right way. My favorite choice here is LastPass.

LastPass keeps an encrypted copy of your password database in the cloud, making it available on almost every platform and browser imaginable. You will need a premium membership for several of their features, but the basics are there for free.

Your devices do all of the encryption and decryption, ensuring that your master password is never on LastPass’s servers. If you don’t have access to the Web, a copy is cached locally so you can still unlock your vault. There is an additional layer of protection in two-step verification as well.

You have to trust their security is as robust as promised, as LastPass makes for an obvious target for hackers. However, with a good master password and two-step verification enabled, you should be confident about the security of your password safe. And if you ever forget your password, you can recover your safe.

Literally the Least You Can Do

If you’re a Mac and/or iOS user, you already have access to a password manager built into your operating system: iCloud Keychain. This is an extension of the OS X keychain that uses iCloud to keep all of your passwords synced across devices.

Windows has a similar feature called Credential Manager, but it does not have the same cross-device syncing.

This is pretty comparable in terms of security to LastPass, but it’s limited to Apple devices. Unless you’re only running exclusively on Apple products, you’re going to be missing your passwords on some of your other devices, which can be a huge nuisance.

Yet even if you’re a big Apple fan, you still may not want to lock yourself into the platform because you never know what kind of other devices you may get in the future.

You Really Need a Password Manager

Unless you have an iron-clad memory, using different passwords across all of your accounts is going to prove difficult. Doing so with hard-to-crack passwords? Near impossible. Getting a password manager ensures that you can keep all of your accounts safe and secure using a single master password.

Find the model that works best with you and find the product that works best for your devices. Almost every manager has a free trial or free tier that you can try out. Once you’ve made your choice, go through all of your online accounts and update the passwords to be more complex.

That’s really all there is to it.

Has Your Password Been Exposed ?

You know by now that you should be changing your passwords regularly. I have been strongly recommending password managers for several years now. This is because every day there seems to be another cyber security crisis. If you haven’t changed your passwords recently, it’s now officially time: a massive database containing login credentials is floating around the internet.

We don’t know who’s behind the breach, but over 560 million leaked emails and passwords — 243.6 million unique email addresses — are compromised. First uncovered by the Kromtech Security Research Center, the leak has been confirmed by security researcher Troy Hunt, who created the “Have I Been Pwned” website.

What kind of information does it have?

The good news is, there hasn’t been a new hack: the trove of credentials is a collection of data from previous breaches at LinkedIn, DropBox, LastFM, MySpace, Adobe, Neopets, Tumblr and others. Some of these breaches are years old.

What makes this database troublesome from a security standpoint is how accessible it makes sensitive information. It basically compiled private data from various prior hacks to create one convenient database for hackers to illegally access.

Who is at risk?

Essentially, anyone who never updated their credentials at the time of the original breach. If you haven’t stayed on top of every hack and checked your status each and every time, then you could be at risk.

How to check if your credentials are compromised

The easiest way to see if your credentials are vulnerable is to go to Hunt’s site — Have I Been Pwned. Here, you can type in your email and find out if your email and password are safe or not.

You may have changed your password at the time of a given breach, but let’s be real: you may not remember. If you scroll below the results, the site shows you which breaches you were impacted by. To view information on sensitive breaches, a subscription is required. If this is your first time on the site and you get the dreaded “Oh no—pwned!” message, then it’s best to take a screenshot of the result and change your password immediately.

Why a screenshot? The site tells you how many “breached sites” it’s on (in other words, how many unique incidents took your credentials) and if there are any “pastes” (a paste is when the information is shared on a public website). Saving this information (you can also jot it down somewhere safe) lets you know in the future that you’ve been breached again if the information in the results changes.

Don’t understand what’s going on? It’s okay. Just go change your email password to be safe. And be sure to create a strong password.

Protecting Your Passwords with Ice Cream

As a reader of this fine technology blog you no doubt are taking your security seriously. One of the most important things you can do to protect your personal data is adopting a strong password plan. I have recommended LastPass many times in the past – and it remains my password manager of choice.

The problem has remained the same since the dawn of the internet: people generally do not use effective passwords. They often use things like their birthday or the name of their pet in their login information, because birthdays and pets are easy to remember. To make matters worse, people have a tendency to reuse the same password for multiple accounts, for the same reason. In an attempt to get users to create better passwords, some companies like Apple force them to include special characters, numbers, and an uppercase letter in the password. Browsers offer to remember your password for you, and all you have to do is set a good one. Another solution is to use a password vault, an app that stores your logins. It allows you to set complicated passwords and remembers them for you.

If you have a shared computer, multiple vaults can be used to separately store information for everyone that uses it. The vault locks itself automatically after a set period of time, so if you walk away from your computer and forget to lock it, the vault and the information in it will still be safe.

Storing Information

Ice Cream Password Manager lets you store more than just your login information, and everything is sorted by the type of information it is. You can mark information that you use frequently as a ‘Favorite’, but it is otherwise sorted into categories like Login, Credit cards, Bank accounts, Identities, Passports, etc.

These categories don’t just sort information. Each one has fields that make it easy to enter information. For example, the passport category has essential fields like issuing authority, the date it’s been issued and when it will expire, your date of birth, etc.

Similarly, the Bank accounts category has fields for entering your bank’s SWIFT code and your account’s IBAN. What this essentially ensures is that you enter all the relevant information related to an entry. You might have to take the time to fill it all in, but once that’s done, you’re never going to have to search online or through physical papers to locate the information you need.

Desktop App And Chrome Extension

The desktop app and Chrome extension don’t need one another to function, but if you have both installed, your information is synced between them. The extension makes it easier for you to add login information: every time you log in to a new domain, the extension offers to save it.

One advantage that comes with the Chrome extension is that it has a password generator. The password generator doesn’t just give you a random password: you can specify the length and how many special characters you need in your password.
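A generator of the kind described here, written as an added example (not Ice Cream Password Manager’s own code): it takes a length and a required number of special characters, draws every character from the operating system’s cryptographic random source, and reports the strength of the result in bits, the same yardstick the encryption section above uses. The special-character set is an assumption chosen for the example.

```python
import math
import secrets
import string

LETTERS_DIGITS = string.ascii_letters + string.digits
# Assumed set of special characters for this example; real products let you tune it.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?"


def generate_password(length: int, n_special: int) -> str:
    """Return a password of exactly `length` characters containing exactly
    `n_special` characters from SPECIALS, with every character chosen by a CSPRNG."""
    if length < 1 or n_special < 0 or n_special > length:
        raise ValueError("n_special must be between 0 and length")
    chars = [secrets.choice(SPECIALS) for _ in range(n_special)]
    chars += [secrets.choice(LETTERS_DIGITS) for _ in range(length - n_special)]
    # Fisher-Yates shuffle driven by the CSPRNG, so the special characters end up
    # at random positions instead of clustered at the front.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def count_special(password: str) -> int:
    """Number of characters in the password drawn from SPECIALS."""
    return sum(c in SPECIALS for c in password)


def strength_bits(length: int, n_special: int) -> float:
    """log2 of the number of equally likely passwords generate_password can produce:
    the positions the specials can occupy times the choices for each character."""
    positions = math.comb(length, n_special)
    return (math.log2(positions)
            + n_special * math.log2(len(SPECIALS))
            + (length - n_special) * math.log2(len(LETTERS_DIGITS)))


if __name__ == "__main__":
    for length, n_special in ((8, 0), (12, 2), (20, 4)):
        pw = generate_password(length, n_special)
        print(f"{pw}  ({count_special(pw)} specials, "
              f"about {strength_bits(length, n_special):.1f} bits)")
```

Note that forcing a fixed number of special characters slightly reduces the count of possible passwords compared with letting every position be any character; length is what adds the most bits.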

The Chrome extension syncs all the vaults you’ve created, password and all. Like the desktop app, the Chrome extension locks itself after a period of inactivity and you need to enter your vault password to access your information.

Backup

Ice Cream Password Manager lets you schedule regular backups. In fact, you can keep multiple, incremental copies of your data.

Additionally, you can sync your information with Dropbox.

Security

I mentioned early on that the Ice Cream Password Manager automatically locks itself after a period of inactivity. The app lets you choose what that period of inactivity is. You can also set it to automatically clear the clipboard one minute after you’ve copied any information from your vault.

Shortcomings

Ice Cream Password Manager is an overall well-developed app. It has a couple of shortcomings. (1) It doesn’t limit the number of characters for known fields. For example, passport numbers are only 9 characters long. Similarly, IBAN codes are 14 characters long. In both of these fields, you can enter as many characters as you like. This is problematic because you might accidentally repeat a character when entering your information and never know it happened until you try to use it.

(2) Another problem is that there is NO mobile app. We often need our passwords while on the run, and this is a serious flaw. However, if you want a free password manager, this looks like a fairly good option, and hopefully a mobile app is on the way.

Ice Cream Password Manager is pretty well made. It’s stable, and the information is quick to sync between desktop and browser. There’s a Firefox add-on in the works, so there isn’t much left wanting. If you struggle with remembering your passwords, or you purposefully keep simple ones, give this app a try. It will help you set complicated passwords and remember them. It will also make sure you always have all your important information in digital form on your computer.

You can learn more about Ice Cream Password Manager here.
