Tag Archives: guidelines

Weak Password Control – A Self Inflicted Injury

imageOver the weekend, Gawker.com was attacked, leading to a compromise of some 1.5 million user login credentials on Gawker owned sites, including Gizmodo, and Lifehacker.

According to Gawker Media

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

In an ironic twist to this tale of woe, it turns out that Nick Denton, the site’s founder, had not followed his own advice and in fact, used the same password for his Google Apps account, his Twitter account, and others.

So what gives? Why would someone with the supposed technical competence of Denton be so boneheaded? I suspect it’s because the reality is – he’s no different than any typical user when it comes to establishing and enforcing proper password control. A lackadaisical effort is the norm.

I understand the the dilemma. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. And, a single password is surely easier to remember than a series of passwords, simple or not. No surprise then, that most computer users’ employ a single, easy to remember, and consequently – unsafe password.

So what’s a user to do to avoid this critical security lapse? Well, you could follow the most common advice you’re likely to find when it comes to password control, and install a “password safe” – an application designed to store and retrieve password.

The Internet is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true. In my view, the password safe advice falls into this category.

Let me pose this question – you wouldn’t hang your keys outside your front door, would you? Of course you wouldn’t. Then why would you save passwords on the Internet, or on your computer? If there is one computer truism that is beyond dispute, it’s this – any computer application can be hacked, including password safes.

I have never saved passwords online, or on a local machine. Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure. There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue.

I know that on the face of it, writing down your password seems counter intuitive, and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Interestingly, Bruce Schneier, perhaps the best known security guru and a prime mover, some years back, behind the development of  Password Safe, is now an advocate of – you guessed it; writing down your passwords.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

15 Comments

Filed under cybercrime, Don't Get Hacked, downloads, Freeware, Interconnectivity, Internet Safety, Online Safety, Password Control, Software, System Security, Windows Update

Cyber Shopping on Black Friday? Six Tips From PandaLabs To Keep You Safe

imageCyber shopping on Black Friday can be very appealing – no lining up at midnight, no line ups at all, no risk of being trampled by unruly crowds, shop in your PJs if you like, “shopping around” and comparing prices is a snap, and the list of benefits goes on.

So, if you cyber shop, you may not face the risk of being trampled to death by an unruly crowd, or being shot to death by an angry shopper – both tragedies actually did happen on Black Friday, November 28, 2008. But, you will face substantial cyber security risks.

Staying safe while you cyber shop requires that you be much more wary, and that you understand that cyber crooks salivate at the opportunities Black Friday cyber shopping creates for exploiting the unwary and careless consumer.

Cyber shopping safely requires that you follow well established best practices that have proven to substantially reduce the risk of being victimized.

PandaLabs suggests holiday shoppers adhere to the following best practices this Friday and Monday, and throughout the holiday shopping season:

Avoid using search engines for locating special holiday deals. Criminals commonly turn to Blackhat SEO, which involves maliciously using search engine optimization around hot keywords to poison search engine results. Instead of using a search engine, go directly to reputable sites that you are familiar with. Screenshots of a recent malicious Black Friday search result is available at here.

Don’t click on embedded links in advertisement e-mails. E-mails that appear to be advertisements from legitimate vendors could be a well-disguised scam or malware attack. Chances are you’ll be able to find the same deal by going directly to the website in your favorite web browser.

Install all available operating system updates and patches. Cyber criminals are particularly skilled at exploiting critical vulnerabilities in operating systems and commonly used applications. Computer users are often silently redirected to a website with a carefully crafted malicious payload that leaves the computer infected with data-stealing malware or extortion-based threats. In addition to updating your system, PandaLabs strongly advises people to update Adobe Flash, Adobe Reader, and Java software, which are all commonly targeted by cyber criminals.

Don’t underestimate criminals. Cyber criminals have no limits, and will create fake advertisements, shopping carts, poison various search terms and more in order infect your computer and steal your personal data. If you’re unsure if a site is legitimate, run a search online to see if you can determine whether it’s widely known. If you can’t find details on a retailer, PandaLabs advises holiday shoppers to take their business elsewhere.

Only purchase from sites that offer secure browsing (SSL/https). You can tell if a site uses SSL/https if there is a padlock icon on the bottom corner or in the address bar of your browser. Some browsers like Internet Explorer and Chrome turn the address bar green to indicate that the site is secure. Even if a site uses SSL/https, remember that SSL only works to create a secure Internet tunnel between you and the e-commerce server. You can still transmit sensitive data over to cyber criminals, so it’s best to run frequent anti-malware scans.

Always use updated anti-malware protection. Despite growing awareness of today’s Web-borne threats, many people still don’t use even a basic anti-virus solution and leave themselves vulnerable to infections, data loss and identity theft. You can download Panda Security’s award-winning Panda Cloud Antivirus software, which is completely free, here.

About PandaLabs:

Since 1990, PandaLabs, the malware research division of Panda Security, has led the industry in detecting, classifying and protecting consumers and businesses against new cyber threats.

At the core of the operation is Collective Intelligence, a proprietary system that provides real-time protection by harnessing Panda’s community of users to automatically detect, analyze, classify and disinfect more than 63,000 new malware samples daily.

The automated classification is complemented by a highly specialized global team of threat analysts, each focused on a specific type of malware, such as viruses, Trojans, worms, spyware and other exploits, to ensure around-the-clock protection.

Learn more about PandaLabs and subscribe to the PandaLabs blog here. Follow Panda on Twitter and Facebook.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

4 Comments

Filed under Cyber Shopping Tips, cybercrime, Don't Get Scammed, Don't Get Hacked, Internet Security Alerts, Panda Security, PandaLabs, Safe Online Shopping Tips

Should You Forget About Password Safes and Write Down Your Passwords?

image There are days when Surfing the Internet, it seems to me,  is like skating on thin ice – one wrong move and you’re in trouble. I know – this past weekend I got hacked. After 20+ years – BAM!

There are any number of possibilities as to what happened, but one of those possibilities is not unauthorized access to my online saved Passwords. I don’t save passwords online. I never have, and I never will.

Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure.

There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue, and here’s why –

The world is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true.

One piece of computer security advice that you’ve probably heard over and over again is – don’t write down your password/s. The problem is; this piece of advice couldn’t be more wrong, despite the fact it seems reasonable, responsible and accurate.

Here’s the dilemma we face. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. No surprise then that most computer users’ employ easy to remember, and unsafe passwords.

You know the kind of passwords I’m talking about – obvious passwords, like your first name, or your wife’s name, child’s name, date of birth date, etc. – passwords you’re not likely to forget. And that’s the problem – there’s no point in having a password at all if cyber-criminals will have no difficulty in figuring it out.

Cyber-criminals use simple processes, all the way to highly sophisticated techniques, to capture online passwords as evidenced by the Hotmail fiasco last year, in which an anonymous user posted usernames, and passwords, for over 10,000 Windows Live Hotmail accounts to a web site. Some reports indicate that Google’s Gmail, and Yahoo Mail, were also targeted. This specific targeting is one possibility that might explain how my Gmail account got hacked.

Not surprisingly, 123456 was the most common password captured, followed by (are you ready for this?), 123456789. Some truly brilliant users used reverse numbers, with 654321 being very common. Pretty tricky, huh? I’m being a little cynical, but..

I know that on the face of it, writing down your password seems counter intuitive and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

image Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Guest writer, Glenn Taggart’s article from yesterday – LastPass Password Manager – Secure Your Passwords and User Names, offers a terrific review of another free password application.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

As an additional form of protection, you should consider the Firefox add-on KeyScrambler, which will protect you from both known and unknown keyloggers.

For additional info on password management, checkout Rick Robinette’s “PASS-the-WORD”… Basic password management tips” Many regular readers will remember that Rick is a very popular guest writer on this site.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

28 Comments

Filed under cybercrime, Don't Get Scammed, Don't Get Hacked, downloads, Email, Freeware, Gmail, Google, Internet Safety, Online Safety, Personal Perspective, Software, System Security, Windows 7, Windows Tips and Tools, Windows Vista, Windows XP, Yahoo

Be Safe – Write Down Your Passwords

The world is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true.

image How many of us are ever likely to forget our Mother’s advice – dress warmly in the cold, or you’ll get sick? Advice, as it turns out, that has been debunked by the medical community. Despite this, most people, that I know, still believe Mom’s advice.

One piece of computer security advice that you’ve likely heard over and over again is – don’t write down your password/s. The problem is; this piece of advice couldn’t be more wrong. Just like Mom’s advice though, it seems reasonable, responsible and accurate.

Here’s the dilemma we face. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. No surprise then that most computer users’ employ easy to remember, and unsafe passwords.

You know the kind of passwords I’m talking about – obvious passwords, like your first name or your wife’s name, child’s name, date of birth date, etc. – passwords you’re not likely to forget. And that’s the problem – there’s no point in having a password at all if cyber-criminals will have no difficulty in figuring it out.

Cyber-criminals use simple processes, all the way to highly sophisticated techniques, to capture online passwords as evidenced by the Hotmail fiasco earlier this week, in which an anonymous user posted usernames, and passwords, for over 10,000 Windows Live Hotmail accounts to a web site. Some reports indicate that Google’s Gmail, and Yahoo’s Mail, were also targeted.

Not surprisingly, 123456 was the most common password captured, followed by (are you ready for this?), 123456789. Some truly brilliant users used reverse numbers, with 654321 being very common. Pretty tricky, huh? I’m being a little cynical, but..

I know that on the face of it, writing down your password seems counter intuitive and flies in the face of conventional wisdom, since the issue here is one of security and safety. But ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

image Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

There are alternatives to writing down your passwords of course, including Password Safe, an excellent free application. As well, a number of premium security applications include password managers.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

As an additional form of protection you should consider the Firefox add-on KeyScrambler, which will protect you from both known and unknown keyloggers. Personally, I wouldn’t think of signing on to the Internet without KeyScrambler being active.

For additional info on password management, checkout Rick Robinette’s “PASS-the-WORD”… Basic password management tips” Many regular readers will remember that Rick is a very poplar guest writer on this site.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

10 Comments

Filed under Don't Get Scammed, Don't Get Hacked, downloads, Email, Firefox Add-ons, Freeware, Internet Security Alerts, Online Safety, Safe Surfing, Software, Utilities, Windows Tips and Tools