Posts Tagged ‘Passwords’

In the post-Equifax hack world, it would be easy to give up the ghost and just assume you’re going to get hacked at some point.  Easy, but of course not prudent.  Thankfully, there are a few things you can do to make stealing your information harder – at least via your password-ing skills – without making your life harder too.  Here are a few we’ve found in our readings on the topic.

First, let’s start with the misguided notion that passwords must be ultra-complicated in order to be hack-proof.  Not so, say the experts.  While T!sK8%gB$x@ may be effective, its complexity is not necessarily… necessary.  The idea that passwords must be convoluted started with some 2003 guidelines from the National Institute of Standards and Technology that insisted you need a random combination of letters, numbers and symbols.  Turns out, that wasn’t as effective as they thought it would be.

While you should still avoid easily guessed passwords, a strong password can in fact be logical and easy to remember.  Start with this bit of advice, courtesy of blogger and Internet radio host Kim Komando: A password should simply be able to withstand 100 guesses.  According to Komando, experts tell us that the bad guys can “guess” a password correctly about 73% of the time.  Worse, they can access other accounts of that user thereafter with mostly just slight variations on the original password.  (Come on, admit it… you do it too.)

Note too that dedicated hackers turn to your social media feeds (Facebook, Twitter and Instagram) to scour for info about you that may be useful.  That should rule out using numbers from your birthday, pet names or other special favorites that could be easily deduced.

Today’s experts suggest that instead of complex, difficult-to-remember combinations, you try using a phrase (or a “passphrase” in the parlance) that is easy to memorize but hard for others to crack.  Maybe your favorite cookie is a macaroon and your grandmother was a stenographer in Buffalo.  Ilovemymacaroonstenographerinbuffalo would be mighty difficult to guess, wouldn’t it?  Or you might use a phrase in which you take the first character of each word, and perhaps pump it up with just a couple of numbers (or symbols), like: 18fsasyaofbfutcann63.  Those are the first letters of the opening words of the Gettysburg Address (Four score and seven years ago our fathers brought forth upon this continent a new nation), framed by the year of the address, 1863.  You may not like our phrase, but surely you can find one of your own.

All that said, the newest NIST guidelines now suggest passwords of as many as 64 characters, and even allow spaces.  Most of us still use the minimum required, usually about 8 characters, including numbers and special characters.  That’s not the most hack-proof approach, and it’s true that stretching it out will increase the safety of your password, but, really… 64 characters?  Here again, stringing together a chain of words that only you could logically know and construct, with a couple of special characters thrown in, is about the only way to get there.

One final tip: If it ain’t broke, don’t fix it.  You don’t need to change your passwords that often.  When a password expires, explains NIST’s Paul Grassi, “it isn’t a motivator to create a brand new password, it’s a motivation to shift one character so you can remember the password” — thereby, of course, defeating the purpose of the change in the first place.
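The three pieces of advice above (build a passphrase from the first letters of a memorable sentence, judge it by length and by whether it appears on a common-password list rather than by forced symbol rules, and don’t accept a “shift one character” change) can be written down as small checks.  The Python below is an added example, not code from the original post or from NIST; the common-password list, the function names and the sample inputs are constructed for this illustration.

```python
"""Passphrase and password-policy helpers in the spirit of the post (added example)."""
import re

# Constructed stand-in for a real "most common leaked passwords" blocklist.
COMMON_PASSWORDS = {
    "123456", "password", "password1", "qwerty", "111111", "letmein", "iloveyou",
}


def acronym_passphrase(phrase: str, prefix: str = "", suffix: str = "") -> str:
    """Take the first letter of each word in `phrase`, lower-cased, and frame it
    with optional digits or symbols, as in the post's Gettysburg Address example."""
    words = re.findall(r"[A-Za-z']+", phrase)
    return prefix + "".join(w[0].lower() for w in words) + suffix


def check_password(candidate: str, personal_terms=(), min_len: int = 8, max_len: int = 64) -> list:
    """Return a list of problem codes; an empty list means the candidate passes.

    Length limits follow the post (about 8 minimum, 64 maximum). Spaces are allowed
    and no mixed-case/digit/symbol composition rule is imposed; instead the candidate
    is screened against a blocklist and against facts an attacker could read off a
    social-media profile (pet name, birth year), passed in as `personal_terms`.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append("too_short")
    if len(candidate) > max_len:
        problems.append("too_long")
    normalized = candidate.strip().lower()
    if normalized in COMMON_PASSWORDS:
        problems.append("common")
    for term in personal_terms:
        if term and term.lower() in normalized:
            problems.append("personal")
            break
    return problems


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def is_minor_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` differs from `old` by at most `max_edits` character edits,
    i.e. the "shift one character" change a forced expiry tends to produce."""
    return edit_distance(old.lower(), new.lower()) <= max_edits


if __name__ == "__main__":
    gettysburg = ("Four score and seven years ago our fathers brought forth upon this "
                  "continent a new nation")
    print(acronym_passphrase(gettysburg, "18", "63"))          # 18fsasyaofbfutcann63
    print(check_password("123456"))                             # ['too_short', 'common']
    print(check_password("Ilovemymacaroonstenographerinbuffalo"))  # []
    print(check_password("correct horse battery staple"))       # [] (spaces are fine)
    print(is_minor_variation("Summer2017!", "Summer2018!"))     # True
```

The variation check is the part a login system would run at password-change time: if the new password is within a couple of edits of the old one, the change bought nothing, which is exactly Grassi’s objection to routine expiry.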

If you’ve created a truly strong password, set it and forget it – well, not literally, but you know what we mean – stick with it unless you’ve been notified of a breach of security.  And when in doubt, use two-factor authentication, whereby the site pings you back with a text message or email, and you can receive notifications on changes.

The solutions really aren’t all that difficult or complex.  The weak link here is that we are all, after all, such creatures of habit.  And we all know it.


Recently, Qualcomm Inc., a leading supplier of mobile-device chips, announced its Spectra imaging system, which (according to the Wall Street Journal, 8-21-17) “can extract depth information from objects including faces.”  In other words, your password will soon – finally! – be replaced by an image of your face.  It’s about time, eh?

The company plans to use the technology soon in its next line of mobile processors, and around the same time, it is rumored, Apple may offer a similar feature on the iPhone.  Might facial recognition finally be the password replacement technology we’ve longed for?

The technology differs a bit from that used in security cameras around the world.  Your phone or laptop camera, after all, doesn’t need to spot you in a crowd; it just needs to distinguish one face – yours – and it can do that very well, since you’re likely to be only a foot or two away.  Its structured light technology is said to splay tiny infrared dots across an image of your face (or other target) and, by reading distortions, capture incredibly detailed and accurate information.  And because it uses infrared, it can work in the dark.

Apple has not confirmed any of this yet, according to the Journal, but it does appear to have the necessary patents, technology and, perhaps, inclination – say at the unveiling of the 10th anniversary iPhone.

Best of all, Qualcomm has indicated that its Spectra chip with facial-depth recognition capabilities will be available for future versions of Android phones.  While previous versions of the Samsung phone could be ‘fooled’ by holding up an image of another person’s face, the Spectra chip boasts of having the added capability of “liveness detection,” thus making it less likely to be fooled, even with a 3-D printed mask.

You’ll teach your phone the same way you do with thumbprint recognition today, and images will be securely stored on the device itself, not in the cloud.

Eventually, supply chains being what they are, the technology will trickle down into less expensive devices, with the potential to actually become “mundane” one day, according to the CEO of biometrics company Tascent.  That’s a good thing, as the improved simplicity and security that come from being able merely to look at our devices are likely to curb the bad password habits through which we all too often put our finances and personal information at risk.


… “123456”.  And that’s a problem, according to Security Keeper, Inc.  For years, tech firms have been trying to limit the damage hackers can do by cracking conventional passwords.  They’ve tried two-factor authentication for Gmail, iris scanning, fingerprint ID… and yet phishing and scamming schemes not only persist, they become larger, more audacious, more widespread and more costly.

Our firm has witnessed more than one of our ERP clients compromised by ransomware in the last year.  And while weak passwords aren’t necessarily the only way in to networks, they don’t help.  A product manager at Yahoo! once put it succinctly: “Our vision is to kill passwords completely.”  This was noted in a recent article on computer security in Bloomberg Businessweek (June 2017).  “In the future we’ll look back on this time and laugh that we were required to create a 10-character code” with mixed case, numbers and symbols, according to Yahoo’s Dylan Casey, VP of Product Management.  And the day can’t come soon enough for most of us.

To move in that direction, new ideas are emerging.  Yahoo lets email users unlock their accounts solely through a push notice sent to their smartphones, no password required.  Others are following similar “smartphone-as-skeleton-key” approaches, or are expanding the use of biometrics as unique identifiers, in lieu of passwords.  Samsung is about to allow Galaxy S8 owners to authorize mobile payments (in the U.K. for now) utilizing the phone’s iris scanner.  Microsoft and Lloyds Banking are experimenting with allowing users access to online accounts using a webcam photo of their face.

Microsoft also offers fingerprint authentication via smartphone, with plans soon for desktops and laptops.  According to Alex Simons of Microsoft, “You’ll be able to take your phone, walk up to your Windows 10 PC and just use your thumbprint to log in.”  Barclays bank is experimenting with identity verification over the phone using voice records.

While none of these security measures is perfect (you can fool the S8’s facial recognition for example by holding up a photo of the right person’s face), still… they’re big steps in the right direction.  As in all things tech, it’s only a matter of time.

Michela Menting, a security researcher at ABI Research, still believes it will be tough to get those last holdouts to stop using their 123456, though, “until we have embedded devices in ourselves that can act as that password.”  Scary thought.  Welcome to the future.

But we’ll close with this factoid from USA Today: 37% of Americans keep a piece of paper with all of their passwords somewhere they deem safe.  (Want to bet it’s more than that?)
