World Password Day 2018

There really is a day for everything and today it’s World Password Day! With the beautiful weather we’ve been having lately you’re probably thinking about cleaning, gardening, and all of the other renewal-driven projects that this time of year brings. Though we’d rather be outside, spending a few minutes to “spring clean” your digital security is well worth it.

This is also a good time to remind yourself to be on the lookout for fraud – I’ve received email scams recently related to the Canada Revenue Agency and tax time. Stay alert, and don’t fall for it!

According to the annual fraud survey commissioned by the Chartered Professional Accountants of Canada, “more than seven-in-ten (71 per cent) of those surveyed agreed that they are concerned about identity theft.” Almost four in ten respondents fear their personal information has already been compromised! Protecting your personal information is important, but with so much of our lives online now, it can be difficult.

Having strong passwords (and password hints, security questions, etc.) and good password management practices are critical for protecting yourself. Unfortunately, too many people simply don’t pay enough attention to this. It doesn’t have to be difficult or time consuming to make some simple changes that will really make a difference.

Here are my tips!

Use strong passwords and change them semi-regularly

According to Troy Hunt, a security expert who built and operates Have I Been Pwned (more on that in a minute), most passwords are terrible. “In other words, 86% of subscribers were using passwords already leaked in other data breaches and available to attackers in plain text.” The top ten includes passwords like “123456”, “qwerty”, and the ever-popular “password”.

Don’t use those passwords! Instead, generate a unique, strong password for every account you use. There are plenty of tools to help you generate passwords that are strong and that match the varied requirements that different sites have (like length, special characters, etc.). Here’s the one I use from LastPass.

It’s important to use a different password for each account. That way, if one site is compromised, your credentials can’t be used to get into other sites too. It’s also a good idea to change your passwords once or twice a year, to decrease the likelihood of a compromise. Of course, if you know a service you use has been hacked, you should change your password there right away.

Get a password manager

With a different, randomly generated password for each account, how do you remember them all? You can’t. This is where a password manager comes in! Think of it like a digital vault in which you store all of your account credentials. Then instead of remembering each one, you only need to remember the master key that you use to get into the vault.

There are a number of good password managers out there like 1Password, Dashlane, and Passpack. I use and recommend LastPass. All of them provide tools to generate strong passwords, encrypt and store them, offer browser extensions and mobile apps to make logging in easier, and typically provide ways to securely share passwords with others. One of the cool features LastPass offers is Security Challenge, which analyzes your passwords and gives you a score along with step-by-step instructions on how to improve your passwords.

While there are pros and cons to each service and their various philosophical approaches to storing your data, I don’t think you should spend too much time worrying about that. You can get a more secure solution if you’re willing to do some work and give up some convenience, but if it becomes too cumbersome to use, then what’s the point?

Use a passphrase for your password manager

With a password manager you only need to remember one password – the one to get into the password manager! So you should make it as strong as you can. One way to do that, while still ensuring it is memorable and easy to type, is to use a passphrase instead. Whereas a password is a random list of letters, numbers, and symbols combined, a passphrase is more like a sentence, though it can still have those elements.


So a passphrase might look like: “trusted walrus shows off 500 petty limes”. I generated that using this Passphrase Generator, but there are plenty of other tools you can use. The key is to not use a phrase or sentence that is common or easily guessable. It should be nonsense! You can also consider running it through the Pwned Passwords tool to see if it has ever been exposed in a data breach.
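The two steps above, generating a random passphrase and then checking whether it has already appeared in a breach, as an added example in Python (not code from the post or from the tools it links). The breach check follows the public Pwned Passwords range API, which takes the first five hex characters of the password's SHA-1 and returns "SUFFIX:COUNT" lines, so the full password never leaves your machine; the tiny wordlist and the offline API response are constructed for the example.

```python
import hashlib
import math
import secrets
import urllib.request

# Constructed mini wordlist; a real generator draws from thousands of words
# (the post's sample passphrase came from a separate online generator).
WORDS = ["trusted", "walrus", "shows", "petty", "limes", "harbor",
         "velvet", "ember", "cactus", "orbit", "quiet", "maple"]

def generate_passphrase(words=WORDS, count=6):
    """Pick `count` words with the CSPRNG-backed secrets module, not random."""
    return " ".join(secrets.choice(words) for _ in range(count))

def passphrase_entropy_bits(wordlist_size, count):
    """Guessing entropy of a uniformly chosen passphrase: count * log2(N)."""
    return count * math.log2(wordlist_size)

def split_sha1(password):
    """SHA-1 hex digest split into the 5-char prefix that is sent to the range
    endpoint and the 35-char suffix that stays on the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines as returned by the range endpoint."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password, fetch_range):
    """Breach appearances of `password`; 0 means its suffix was not in the range."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

def fetch_range_online(prefix):
    """Live query of https://api.pwnedpasswords.com/range/<prefix> (needs network)."""
    with urllib.request.urlopen("https://api.pwnedpasswords.com/range/" + prefix) as r:
        return r.read().decode("utf-8")

# Constructed offline stand-in for the API: the real suffix for "password"
# (count is made up for the example) plus one filler line.
SAMPLE_RANGES = {"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
                          "1E4C9B93F3F0682250B6CF8331B7EE68FFF:2\r\n"}

def fetch_range_offline(prefix):
    """Offline replacement for fetch_range_online using the constructed data."""
    return SAMPLE_RANGES.get(prefix, "")
```

Swap `fetch_range_offline` for `fetch_range_online` in `pwned_count` to query the real service; a six-word pick from a 7776-word Diceware-style list gives about 77.5 bits of entropy.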

Don’t use real answers for security questions

So now you have strong passwords and a password manager to help you organize them. The front door to your digital home is secure, but what about the back door or the side doors? Many sites will require you to set some security questions in case you forget your password or sometimes to confirm you are who you say you are when logging in from a new location. Don’t answer them!

Well, don’t answer them factually. Instead, generate a new random response for each question and store them in your password manager! This way, if an attacker figures out your mother’s maiden name or your favorite school teacher or your first car, the information won’t help them break into your accounts.

Turn on multi-factor authentication

Another thing you can do to improve your online security is to use multi-factor or two-factor authentication wherever possible. This means that in addition to your username and password you need another piece of information to login, usually a generated code of some kind. Most of the big sites like Facebook and Google support this, and it only takes a few minutes to enable. If you have the option of using SMS or an app, go with the app. I recommend the Microsoft Authenticator app which you can download for Android, iOS, and Windows Phone.

You can see a full list of websites that support two-factor authentication here. If nothing else, turn this on for your email accounts (Gmail, Outlook, etc.) and Facebook or any other site you often use to login to other sites. Of course, you should also enable this for your password manager!

Get educated and stay informed

Once you have done the above, stay informed. It doesn’t have to be all boring technical stuff; a lot of great information has been made available that is much more accessible. Here are some suggestions:

That’s it! Happy World Password Day – stay safe!

Putting my New Year’s energy to good use

I’m not really a fan of New Year’s resolutions, though like many people I often feel re-energized at the start of a new year. Instead of putting that energy into a list of year-long tasks or goals that would inevitably be abandoned, I decided this year that I’d try to capitalize on that energy to accomplish a few things I often put off. I settled on three things: passwords, backups, and bills.

I feel pretty good about my strategy for passwords, with one exception – I don’t change my passwords often enough. Sometimes I get lazy and use an existing password when I sign up for a new site, but the important sites all have unique, randomly generated, strong passwords (well, as strong as they can be…I still can’t believe that banks don’t allow special characters and long lengths). It’s good security practice to change passwords regularly, but that never seems to happen. Over the last week, I’ve changed all my passwords. I started with the list of sites and services that I use regularly, and changed everything else as it came up. I’m sure there are a few that I’ve missed, and I’ll change them the next time I need to login. It wasn’t as hard as I thought it would be, actually!

The second thing I tackled was backups. Despite having pretty good systems in place to backup Paramagnus stuff, I don’t have a good process for my personal stuff. I still don’t, but I did manage to accomplish a few things. First, I bought a new hard drive and copied everything from my existing data drive onto it. I’ll store the old one somewhere safe now. Second, I backed up a bunch of stuff to Amazon S3. It’s inexpensive, fast, and easy. Lately I’ve been using CloudBerry Explorer, it’s a great app! I’m going to try to back up important data more regularly, but that’ll be an ongoing thing.

The final thing I did? I turned off paper bills. I logged into every site that I currently receive something in the mail for and found that almost all of them have a “go paperless” button buried somewhere in the interface (some call it “change notification options” or something similar). I typically shred bills as soon as they arrive anyway, so why receive them at all? I do everything online, and I have no need for the physical copies. Now it’ll really be a unique experience to receive something in the mail!

I’ve got a number of things on the go that require time and energy of course, but these were my “New Year’s tasks” if you want to call them that. Anyone else shun resolutions in favor of accomplishing something right away?

Would you give your password for theatre tickets?

This news is a few days old, but organizers for the Infosecurity Europe trade show have completed their “annual pulse-taking of people’s susceptibility to social engineering.” This year, they asked individuals for private information in return for theatre tickets:

Claire Sellick approached a woman in London’s tony theater district with a clipboard and a chance to win tickets to an upcoming show. All the woman had to do was answer a three-minute survey on locals’ theater-going habits. Or so she thought.

The woman answered questions about her name, date of birth, mother’s maiden name, name of the first school she attended and more. All of that information could easily be used to gain access to “secure” data, like a bank account. The woman wasn’t the only one though. Here are the results of the experiment, which surveyed 200 people:

  • 100% provided their names upon request.
  • 94% provided pet’s names (common passwords) and their mother’s maiden name (common second form of authentication) when told actors frequently use both to create stage names.
  • 98% gave their address in order to receive a winning voucher.
  • 96% divulged the name of their first school. Combined with mother’s maiden name, the two are key pieces of information used by banks for verification.
  • 92% provided their date of birth and the same number supplied their home phone number.

Just goes to show that for all the technology in the world, humans are always the weakest link. No number of firewalls, passwords, or other security features will prevent a person from giving up valuable and sensitive information. So, be mindful about what you divulge! Your mother’s maiden name might be just as important as your bank account number!

Read: Search Security