The audio from the October 14 meeting of the Senior Statesmen of Virginia, focusing on Internet security, is now available through the Charlottesville Podcast Network. 10 Don’ts author Eric Rzeszut was one of two featured speakers.
In Chapter 2 of 10 Don’ts, we tell readers: “Don’t Give Up Your Passwords.” We discuss methods for improving password security, including the use of “two-factor authentication,” which requires two forms of credentials instead of one. The two factors are drawn from different categories: something you know (a password or PIN), something you have (your cell phone or an identity token), and something you are (a fingerprint or retinal scan).
Yahoo! already offered optional two-factor authentication for users of its online services, similar to offerings from Google, Microsoft, Apple, and others. This week, it introduced a new form of authentication that seems to take a step backwards:
“In an effort to simplify authentication for its services, Yahoo has introduced a new mechanism that allows users to log in with temporary passwords that are sent to their mobile phones…
The new system offers better security than static passwords, which can be stolen in a variety of ways, but it’s not as effective as two-factor authentication because it depends solely on how secure the user’s phone is…
In addition, if a phone is lost or left unsupervised, it could be used to generate a password for the phone owner’s Yahoo email account. As many incidents have shown, a person’s email account can be a gateway for further compromises, because it can be used to reset the password for the user’s accounts on other websites.”
MacWorld’s article recommends (and we agree) that users who want stronger account security stick with two-factor authentication. This “reset-by-phone” method adds a vulnerability rather than removing one: whoever holds the phone can obtain a working password.
In Chapter 2 of 10 Don’ts (“Don’t Give Up Your Passwords”), we discuss the use of password managers in lieu of remembering multiple complex passwords. Password management applications use a master password to secure complicated logins.
Obviously, you should never forget your master password. But what if you do?
If you lose or forget your master password, getting in usually isn’t as simple as just clicking a “forgot password” button, like you would for any other account on the web. In most cases, you have to jump through a few hoops—or you can’t get it at all. In this post, we’ll look at some of the popular password managers out there and what you can do to avoid getting into this sticky situation.
In Chapter 2 of 10 Don’ts, we discuss how users can be smarter with their passwords — using passphrases instead of words, using password manager applications, etc.
Looks like some people still need to get the message:
“It’s 2015 and it would be nice to think that people had learned what makes a good password by now. They haven’t. And this list of the 25 most popular passwords of 2014—maybe also make that the worst—proves it.
SplashData’s annual list compiles the millions of stolen passwords made public throughout the year and assembles them in order of popularity. A glance down the list reveals that we’re all still morons, with “123456”, “password”, “12345”, “12345678” and “qwerty” making up the top five. No, really.”
Law enforcement and criminals alike have been lifting fingerprints from surfaces (like smartphones and drinking glasses) to either solve crimes or steal identities longer than Law and Order has been on television. But extracting this biometric data is about to get even easier.
A member of Chaos Communications Congress (CCC), Europe’s largest hacker association, claims he can re-create fingerprints using photographs of a person’s fingers. Jan Krissler, also known by his alias “Starbug,” presented his findings at the CCC’s 31st annual convention in Hamburg, Germany this weekend.
In Chapter 2 of 10 Don’ts, we discuss the importance of passwords — how to use them, how to safeguard them, how to choose stronger versions. We also discuss techniques that can replace or augment passwords — one example is “two-factor authentication,” where a password is combined with a second factor to allow access. Two factors are more secure than one!
One of the more common forms of two-factor authentication uses a security key, or identity token. These physical devices connect to your computer via USB — if you don’t have the device, you can’t log in to the service or system you’re attempting to access. Such devices have not been widely used outside of corporate IT environments. However, Google is looking to change that:
“Announced on Tuesday, the optional Security Key technology requires that a Chrome user take two additional steps to sign in to their Google account: plug a small key into the USB port on their computer and tap a button. The process is a simpler and more secure version of the 2-Step Verification process that Google offers to security-conscious users. With 2-Step Verification, users receive a code from Google on their phone or in e-mail that they must enter into Google’s site to complete the login process.
Users that opt for the Security Key technology will have to purchase a special USB key, which typically costs less than $20.”
As a 10-day countdown to the October 20 launch of 10 Don’ts on Your Digital Devices, each day an excerpt from a different chapter will be published here.
Chapter 2 of 10 Don’ts is entitled “Don’t Give Up Your Passwords.” Using a character named Jackie, a university database administrator, we examine the history of passwords, better ways to manage your passwords, and new methods, like biometrics, that can augment or replace passwords.
Jackie, a newly hired HR database administrator (DBA) at a major state university, has several years’ professional experience working with big data. In her first week Jackie is “on-boarded” into the position. She is immediately granted full access to a large number of university systems and databases, which have disparate password and access requirements. Because of an absence of coherence across departments and university subunits (which is typical of large organizations), Jackie has to learn several new logon procedures for these assets. Some of the more sensitive systems at the university depend on “two-factor” authentication, requiring Jackie to use a physical identity token (sometimes called an authentication or cryptographic token) in combination with a password.
In order to keep all of these passwords and protocols straight as she learns the ins and outs of her new position, Jackie writes them down under the desk blotter at her workstation. Jackie’s physical work space is an open cubicle. Because cubicles keep no secrets, one of her coworkers notices this practice. She warns Jackie that, in addition to being an extremely dangerous practice, writing down passwords in an unsecured location is actually grounds for termination from the university. She shows Jackie how to use a password app on her smartphone, protected with a master password. This app can be used to secure the passwords and logon procedures required for Jackie’s job. If the phone is secured with a personal identification number (PIN), and the app is secured with a master password, this password management scheme is approved by her university.
October is National Cybersecurity Awareness Month — perfect timing for the authors of 10 Don’ts, as our book will be released on October 20! The book is intended for a “non-technical” audience — if you’re the go-to person for your friends and family when it comes to technology and security needs, you might want to buy this book as a gift for those people!
If you are the de facto security/technology person for your friends and family, this article from today’s Naked Security offers some helpful reminders as to what you can do to keep them (and their devices) safer from malware and other exploits:
“Do you get late night calls from your Dad when he can’t send email?
If your colleagues can’t print do they stop by your desk before they go to IT?
Do the people in your house act like the speed of the internet is yours to command?
If the answer is ‘Yes’, then welcome to the cybersecurity front line.
It doesn’t matter if you’re a raw recruit or a seasoned veteran – you’re here because your family, friends and colleagues have nominated you. You are the phone-a-friend who knows about computers and, like it or not, you’re part of what’s keeping a relentless, sophisticated and well-funded criminal enterprise from their cyber front door.
Fetch your cape, hero, you’ve got work to do.”