Here he goes again, Mr Doom and Gloom! Well, not quite but read on if you use passwords.
Yes, I said passwords! We all use them, all day, every day. After reading an article by Memphis Barker (reprinted further down this page), in which he asks whether you think your password is safe and tells you to think again, I quickly realised just how unsafe, and how stupid, most of us are.
In reality, the vast majority of people use passwords like this:
- We use the same password for multiple logins
- We use a password which is basically easy to remember and easy and quick to type
- We (sadly) put ease before security
Take a look at the graphic down the bottom of this page.. if your password is one of them.. be very, very afraid! What's even worse is that the most common passwords are the first ones an attacker tries, and because most of us reuse them, one correct guess opens every account that shares it. Emptying those accounts doesn't take long.
I am now going to try to scare you. Imagine a hacker has just figured out your password:
- Bank and merchant account funds.. gone! Irretrievable.
- PayPal and eBay accounts, funds gone.
- Facebook, Twitter locked out.. they change your password so YOU can’t get in.
- Anywhere that you have ever used your password, online shops, clubs.. gone!
Now, before you jump up and start changing your password, consider this.
The future is probably fingerprint and/or retina scans.. won't that be good! But in the meantime, you must, must, must get yourself security minded and upgrade (at least) your passwords.
Did you know there is software that can securely store your passwords and enter them when needed? Of course there is; there is software to do just about everything these days. There are free and paid versions of password software, besides the in-browser feature that you are more likely used to. In-browser password managers either pop up and ask whether you want help logging in, or the password field already contains a row of asterisks [*********] standing in for a password stored from a previous login.
There is nothing wrong with in-browser password managers as such, except that by default most of them don't ask you for anything before filling in a saved login. If other people have access to your computer while you are logged in, they only have to visit the same login page, let the browser fill in the stored username and password, and they're in (many browsers will even list your saved passwords in plain text in their settings). Hmmm, bank, Facebook, dating site, whatever site.. all open because you thought you were secure.
The benefit of proper out-house (ha!) software is that when you leave your computer you can log out of (lock) the password manager, so a visitor has to know your master password before they can get at any of your stored logins. There are other advantages too.. it can store the other fields you are commonly asked for (name, address, phone etc.) and even remember bank details like credit cards (if you want it to).
We use password software (RoboForm*) to create and store passwords. Because our job requires us to know anything upwards of 2,000 logins, we don't really have much choice. RoboForm is itself protected by a master password, so that is the one password we have to guard: it keeps the bad guys out of the stored logins, but everything behind it is only as safe as that master password. Unfortunately, there are one or two forms that, for one reason or another, RoboForm does not recognise, and that means a slower login process, but the vast majority are quick and easy.
* Just in case you’re thinking there is a catch.. we have no association with RoboForm.
Hey, you can choose to not use software, but I would ask:
- How will you make every password meet a secure standard?*
- How will you make a different password for each website?
- How will you remember each password? You can't write them down or store them anywhere unless they too are password protected.
* Standard = something like h@ywire w1th symb() ls, or better still a passphrase of several unrelated words such as 'battery connect horse staple'. As the article below points out, cracking tools already know the common letter-for-symbol substitutions, so the length you get from extra words buys you far more than a few @ and 1 signs.
CHANGE YOUR PASSWORDS NOW
If nothing else, please go and change your passwords now. Even if it's using the logic above (Standard) or below (Traditional), at least change them to something that takes you a little longer to type but is much harder for an attacker to guess.
Traditional passwords don't cut the mustard anymore. Use a passphrase so it's far harder for someone else to guess or crack. A pro tip: don't use anything that's known to link back to you, because the first things an attacker tries are the things they can find out about you. For example, James Bond would never use 'BondJamesBond007'.
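Here is an added worked example (not from the original post, and not from Memphis Barker's article) that makes the 'Standard' versus passphrase point concrete in Python. It generates a passphrase from a word list using the operating system's random source, estimates its entropy, and shows why a substituted dictionary word like h@ywire is weaker than it looks once the attacker's tool knows the substitutions. The 32-word list, the substitution table and the assumed 64 cracking rules are constructed for the example; a real diceware list has 7776 words, which is why the entropy function takes the list size as a parameter.

```python
import math
import secrets

# Constructed stand-in word list for this example (a real diceware-style
# list has 7776 words). Entropy figures computed from this list are
# correspondingly small; see passphrase_entropy_bits(4, 7776) for the real one.
WORDS = [
    "battery", "connect", "horse", "staple", "haywire", "with", "symbols",
    "anchor", "bridge", "candle", "desert", "engine", "falcon", "garden",
    "hammer", "island", "jungle", "kettle", "ladder", "marble", "needle",
    "orange", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zipper",
]
WORD_SET = set(WORDS)

# Common letter-for-symbol substitutions, in the form cracking tools apply
# them as rules. Assumed table for the example; "()" is handled first so it
# is not split by the single-character rules.
LEET = {"()": "o", "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}


def generate_passphrase(n_words=4, words=WORDS):
    """Pick n_words uniformly at random using the OS CSPRNG (never random.choice)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of a uniformly chosen passphrase: n_words * log2(list size)."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(password):
    """Naive strength estimate that treats every character as random over the
    character classes present. This is what 'h@ywire' looks like to a strength
    meter that knows nothing about substitutions."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(size) if size else 0.0


def normalize_leet(password):
    """Undo the common substitutions so 'h@ywire' compares equal to 'haywire'."""
    text = password.lower()
    for symbol, letter in LEET.items():
        text = text.replace(symbol, letter)
    return "".join(c for c in text if c.isalpha())


def dictionary_guess_bits(password, words=WORDS, rule_variants=64):
    """Work factor for an attacker who tries every listed word under a fixed
    set of substitution rules (64 is an assumed rule count). Returns None when
    the password does not normalise to a listed word, i.e. the dictionary
    attack fails and the attacker is back to brute force."""
    if normalize_leet(password) not in set(words):
        return None
    return math.log2(len(words) * rule_variants)


if __name__ == "__main__":
    weak = "h@ywire"
    print(f"{weak!r} looks like {charset_entropy_bits(weak):.1f} bits to a naive meter")
    print(f"but costs an attacker about {dictionary_guess_bits(weak):.1f} bits with this list")
    print(f"four words from a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
    print("example passphrase:", generate_passphrase(4))
```

The comparison is the whole point: a naive meter credits h@ywire with about 41 bits because it contains a symbol, but an attacker who runs the word list through a substitution rule set only needs log2(words x rules) guesses, about 11 bits with the toy list and under 20 bits with a real one. Four random words from a real list sit near 52 bits, and adding a fifth word adds almost 13 more.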
So, the simplest answer is software.
If you are one of our clients, then firstly you know your passwords are safe with us, but are they safe at your place? A client recently called and said that their web site had been hacked into and so had their email account. Most likely it was the other way round.. the hacker got into their email account first and then either went looking for login details in it or simply used the site's 'forgot password' link, because the reset email lands in the inbox the hacker now controls.
Oh, and just while we’re on security..
We’re big on AVG for our anti-virus protection and internet safety. They send us a monthly ‘Security Tips’ email and several tips this month caught our eye:
- What to do with old computers
- Location services on your smart phone
- Software that covers your tracks
- What to look for when buying something online
- Got a WebCam? Cover it!
- iPad & iPhone Security
Read More on each at AVG
And this one blew us away…
Don’t use free WiFi
Using free WiFi may be tempting, but it’s certainly not worth the risk! Public wireless networks generally don’t have adequate security measures in place to protect the data you transmit. This means a crafty cybercriminal could potentially intercept your online interactions, access your data and/or steal your passwords!
Only use WiFi networks that you trust and know to be fully secure (i.e. password protected). Also ensure that you don’t unknowingly connect to free WiFi networks by switching Ask to Join Networks on. This can be done by tapping Settings > Wi-Fi.
So, don’t tell me you haven’t been warned!
BE AFRAID, BE VERY AFRAID
Think your internet password is safe? Think again, writes Memphis Barker.
Until not so long ago I used one tinpot password for pretty much all my activity online. Eight characters long – without numbers or symbols – its prime value was sentimental, the product of a relationship that started in the era of the floppy disk.
Then paranoia struck. On February 1, 250,000 Twitter passwords were stolen by hackers. Had the hackers cracked mine – and found their way to the Gmail and bank account daisy-chained to it – well, they wouldn’t quite have been able to retire, but the fear (and raunchy spam I’d been a vessel for) was enough to spook me into a radical overhaul of my online security.
I won’t pretend this is a dramatic tale. It is, however, a drama that is relevant to many garden-variety internet users. As work and social life shift on to the internet, and people freight their profiles with more valuable data, there’s growing consensus that passwords – “icecream”, “tomcat”, “loveyou” – are no longer up to the job of keeping out intruders (be they 14-year-old “script kiddies” or state-sponsored agents).
Bill Gates was among the first – almost 10 years ago – to pronounce them “dead” and now the reedy voice of Microsoft’s founder has been joined by a chorus of hundreds – from hacked individuals to governments to Google itself.
These password-o-phobes foresee higher hurdles. Soon, many hope, you will sign into your bank or email via fingerprints, voice recognition or the veins in your palm.
Alarm bells have been ringing for security professionals more or less continuously over the past three years. In 2011, the number of Americans affected by data breaches increased 67 per cent. Every quarter, another multinational firm seems to trip up.
PlayStation was a larger casualty, forced to pay $171 million to protect gamers after its network was broken into. Before Twitter went down, 6.5 million encrypted passwords were harvested from LinkedIn, 250,000 of which later appeared “cracked open” on a Russian forum. (“1234” was the second most popular choice; “Iwish-Iwasdead” and “hatemyjob” appeared on one occasion each.) Now all these once-precious words have been added to gigantic lists that hackers can spin against other accounts.
It seems security fears spread best, however, from person to person. Late last year, Wired magazine published a cri de coeur from writer Mat Honan, detailing how hackers destroyed his digital life in an attempt to steal his prestigious three-letter Twitter handle, @mat.
Much of Honan’s work was wiped. Dire warnings (“you have a secret that could ruin your life … your passwords can no longer protect you”) punctuate the report, and in the two days after it was published, a quarter of a million people (myself included) followed Honan’s advice and signed up for Google’s two-step verification process.
If his story doesn’t do it for you, try the woman held to ransom for her email account, or ex-president George W. Bush, who found images of his paintings hacked and published across the web.
But a long queue of critics doesn’t mean that a move away from passwords is being recommended or embraced by all.
“Despite their imperfections,” says Dr Ivan Flechais, a research lecturer at Oxford University’s Department of Computer Science, “they’re convenient and a cheap option for developers … I don’t see passwords changing across the board any time soon”. This line has been unwaveringly accurate since the first articles dismissing passwords appeared in 1995.
And internet users who don’t own valuable Twitter handles, or weren’t aware there was a market for such things, might be thankful to find a body of opinion sticking up for the right to use whatever brittle codes they choose.
Reluctance is understandable. At the moment, safer also means more time-consuming. That half a second needed to chug through the memory for a complex password (“*874 or 8*47?”) or go through Google’s two-step process (which pings a code to the user’s telephone), can feel gratingly out of sync with the warp-speed of modern computer habits. Chip-and-pin devices for online banking are still seen by most as a necessary evil.
Can we just armour-plate existing password technology? To an extent, yes. Security gurus in the ’90s advised going h@ywire w1th symb() ls to keep out intruders, but free hacking software now available has common substitutions learned by rote, so besides frying the human brain (which struggles to deal with mixed alphabets), these are of comparatively little use today.
Instead, passphrases are in vogue, chains of dictionary words – such as “battery connect horse staple” – that generate a hardy level of length and randomness. Mine (seven in total) include the middle name of a writer, a fictional beast and a species of plant.
In the unwillingness to ditch passwords altogether, some spot a gap in the market. Ravel Jabbour, formerly part of a password research team at the American University of Beirut, argues that any biometric replacement technology (such as fingerprint verification) will have to be “state of the art” and most likely “costly to implement at a wide scale”.
The solution developed by Jabbour, an amateur drummer, is admirably make-do-and-mend. While a hacker might never be prevented from guessing or stealing a word, he realised that if users had to remember a “beat” to which the word was typed in (say “W.o….. r.d”) then the code alone would be so many useless letters: its key locked in a user’s head. Jabbour’s idea flamed through the press but, without commercial investment, falls into the category of unrealised brainwave.
But what do hackers themselves think? Matthew Gough, principal security analyst at Nettitude, an ethical hacking firm in Britain, says ideas like Jabbour’s are a “stop-gap”. He should know. As an ethical hacker, Gough makes a living from finding the weak points in a company’s security. (“I’m trained to break stuff,” he says.)
He looks nothing like the hacker of stereotype – he’s tall, clean-shaven and, when we meet, is wearing a smart fleece jacket. I had hoped he’d take a crack at my new personal passphrases, but Gough declined. His trade has regulations. Plus, since I was standing in front of him and asking for it, he’d lost the element of surprise.
When it comes to the identikit internet user, suggests Gough, hacks are carried out most often not through a crack or a guess but via what’s known as “social engineering”: tricking us into giving up our passwords, either through clicking on a bad link (“phishing”) or sleight of hand.
“If you stopped 10 people in the street with an appropriate story,” he says, “you’d get one or two to give their passwords up.”
Gough once infiltrated a private company’s legal team for a week, nobody questioning the alibi that he was “needed for IT”. It is, he says, this unreadiness for attack that hackers – ethical and otherwise – prey on most. “Most people just aren’t aware of the threat.”
That may be true. But the clearest sign the password could soon be usurped, and the threat lifted off our gullible shoulders, can be worked out from the players involved in the race to redefine online security.
Google and Intel are among those kicking up dust, so too the FIDO alliance, a group whose members include PayPal. The first to come up with a not-too-boring solution will gain an invaluable market share.
Google, for example, wants us to put a ring on it. Eric Grosse, its vice-president of security, co-authored a paper published recently starting from the familiar point that passwords are “no longer sufficient to keep users safe” and revealing his company’s response – a tiny USB card that logs you into your Google account, or a smart-card-embedded finger ring that can sign you into a computer through a single tap.
Grosse doesn’t claim these are for certain the answer to our security woes; he does claim, however, that if it’s not them, it will be “some equivalent piece of hardware”.
Google’s ubiquity gives it something of a head-start. But qualms have gathered like static. First, as Nettitude’s Gough points out: people will “lose [these devices], break them, or have them stolen”.
Second, fashion and tech don’t always go together. To the only semi-security-conscious, a Google ring might feel like an uncomfortably concrete pledge of allegiance to the internet giant. “Till death do us part …” etc.
Move a technological step forward – to biometric authentication – and the ring or key becomes part of the human body itself. Biometrics remove the need to stash a token about one’s person, and a hand or finger or iris can never be pilfered.
Sridhar Iyengar, director of security research at Intel Labs, has developed a palm-vein sensor.
Unlike fingerprints, which aren’t completely unique (they have a one in a million repeat rate) and – if you leave a fingermark on your computer – can be cracked with the aid of a gummy bear (YouTube it), the veins in your palm have no partner on Earth, according to Iyengar. In Japan, where touch is avoided as much as possible, this style of sensor already grants citizens access to cash machines.
There are drawbacks here too, both in terms of the cost of technology itself and sceptical public opinion. But one of the main fears about biometric authentication, says Iyengar, is something of a chimera. Australian citizens guard privacy seriously. While government-issue ID cards are the norm in Nordic countries and India, the idea has never taken off here. The prospect of registering one’s own body parts to a central database, then, is unlikely to appeal. Cloud storage systems (like LinkedIn’s) have been breached before and will be again.
But the benefit of biometric measures like Iyengar’s is that the security circle starts and finishes with the user. Should palm-vein sensors win market share, your palm’s special pattern will be verified by the sensor alone, not checked against a record held centrally by Intel – so a break-in would be immaterial.
Does this mean they’ll be commonplace in five years? It’s a gamble. IBM predicted biometrics would go mainstream by 2015 but sounds a more cautious note today.
Ian Robertson, executive architect of IBM’s privacy and security practice, says developers see it as a “chicken-and-egg” problem: they’ll only launch a fingerprint verification system, for example, when “confident that a very high proportion of their customers were in a position to use it”.
There is one point of agreement. Representatives of Google, Intel and IBM all foresee a world in which our main security device will be the mobile phone. Always in our pocket, its “smartness” can be harnessed to perform the role of high-tech key.
The most likely mid-term step, says Robertson, will see log-on devices like Google’s USB “become yet another app on a smart-phone”.
In the long-term, he adds, we may see “biometric readers on mobile phones”.
At which point, hacking would presumably become a far less appealing career and we could go back to worrying about what our emails say, not who might be snooping.
In part, progress depends on us – the web’s innocent masses. It’s been four weeks since I changed my password to a cavalry of new passphrases, and muscle memory still sees the old beloved word (a retro chewy sweet) typed into password boxes across the web.
Companies will struggle to create security that gets under this convenience limbo. But the web is a darker place than most of us realise, and while we wait for better technology to filter through, it’s probably best to get used to slowing down and locking up.
Source: Fairfax Media
Do we recommend it.. 100% Yes!
$30 is a small price to pay for security and peace of mind.
We purchased RoboForm in 2008 and upgraded in 2011. It allows us to install it on multiple computers and then synchronise the passwords across each of them. This alone saves us a lot of time. When you create a new login and password, it pops up and asks if you want it to store the login, then it automatically updates the other computers. It basically means you only have to remember ONE password.. how simple is that? That one master password is what everything else hangs on, so make it a long passphrase rather than a word. Want to know what our one password is?