Posts Tagged ‘passwords’

Do you use a master password in Firefox?

Tuesday, September 1st, 2009

Chad Perrin of TechRepublic has put together a fantastic how-to for using Firefox’s built-in password manager. The article shows you, step by step, how to set up a Master Password in Firefox.

Why use a Master Password? Having unique and complicated passwords for all the various websites you use is the most secure method of accessing them. But then you’re likely to forget all those passwords. By using the password manager in Firefox, you can store all those passwords, and just remember a single unique password.


This is something you can set up either on Mac or PC following the same instructions, although on the Mac you would access the interface via Firefox > Preferences.

After you set up the master password, you’ll be required to enter it whenever you start Firefox. For this protection to be useful, remember to quit Firefox whenever you leave your computer or whenever you’re traveling.

Caveat: using Firefox is not a fool-proof security method for storing your passwords. If you want an even stronger solution, consider using an external password manager such as Password Safe.

While you’re at TechRepublic, also check out the recent article about setting IT Security Policies.

Have You Checked Your Password Strength?

Friday, August 14th, 2009

After reading a very good article recently about the importance of strong passwords, I thought I’d put together a simple post to ask – have you checked the security of your passwords lately? Are they strong enough?

The easiest way to check your password strength is to use Microsoft’s Password Checker, which will tell you if your password is strong enough. It doesn’t guarantee that your password won’t be hacked, but knowing your password is as strong as it can be is one simple step you can take to protect your personal information.

Here’s me checking one of my passwords:

[Image: screenshot of the Password Checker result]

If you don’t hit the ‘best’ level in the password strength meter, consider changing your password. You can follow the tips Microsoft lays out here, or read more in the article referenced above on Windows Secrets.

How Secret are your Secret Questions?

Wednesday, May 27th, 2009

Just how “secret” are your “secret questions”? You know, when you sign up for many websites, they have a password-retrieval system that allows you to use a pre-set question, or a question of your own.

Most of the time, the secret questions we tend to gravitate towards are easy – things like “What’s your mother’s maiden name?” or “What’s your pet’s name?”. We’ll remember those answers fairly easily… but others may figure them out just as easily.

Research presented by Microsoft and Carnegie Mellon University at the IEEE Symposium on Security and Privacy this week indicates that 28% of people surveyed (130 people surveyed) could guess the correct answers to other people’s secret questions if they “knew and were trusted” by them. For those without such a close tie, there was still a 17% chance that the answer to the question could be guessed.

“Secret questions alone are not as secure as we would like our backup authentication to be,” says Stuart Schechter, a researcher with software giant Microsoft and one of the authors of the paper. “Nor are they reliable enough that their use alone is sufficient to ensure users can recover their accounts when they forget their passwords.”

This study doesn’t even take into account a hacker who may be willing to take the time to dig up information about you! So, ask yourself, how “secret” are the answers to your questions?

Answers that require only a little personal knowledge to guess should be considered unsafe. Those questions could include “What’s your favorite sports team?” or “Where were you born?”

The study also found that memorable questions still pose a risk to legitimate users: 16% of the participants forgot the answers to their secret questions 3-6 months later, even when the questions were memorable, and 1 in 5 will forget all the answers to their secret questions.

Bruce Schneier, a security expert, says that he’ll often type in a random answer to a security question and will call the company if he needs to retrieve a password.

Via Technology Review; Image: Clipart

Users Admit to Poor Password Security

Monday, March 23rd, 2009

Sophos recently released a report on password security indicating that only 19% of people use multiple passwords to access different websites (based on an online survey of 676 people). Of the remainder, 33% use one password for all websites and 48% use a few different passwords.

[Image: chart of the Sophos survey results]

It is recommended that users assess their passwords for strength (read more about that here) and use different passwords to access different sensitive accounts. Doing so will help users protect their personal and corporate data. There are more advanced password strategies you can employ if you want an added measure of security – these can include the use of tools like PassSafe. Here’s a video that Sophos put together talking about password security:

Simple tips for better web password security from Sophos Labs on Vimeo.

As Sophos notes, password security should not be overlooked. Far too many people stick with dictionary words, or simple passwords such as “1234”. These passwords are easily guessed by hackers and can be used to compromise a computer network. For example, one Conficker-infected computer can be a risk to a whole network, with the worm trying 200 common passwords in order to spread.

Twitter Faces Security Challenges

Monday, January 12th, 2009

Following the publicized hacks of ‘big’ accounts (Britney Spears, Barack Obama, Fox News) on the social networking site Twitter, Sophos is calling on Twitter to enforce stronger password security (though, really, every company should enforce strong password standards of its users).

An 18-year-old with a history of celebrity pranks has admitted to hacking several high-profile Twitter accounts. The hacker, GMZ, says he was able to use an automated password-guesser to run a “brute force” attack against the password of a Twitter user. Since Twitter allowed an unlimited number of login attempts (a poor security practice), the hack was easy. The password of one account was as simple as “happiness”, a very insecure password.

Although he didn’t realize it at first, he’d broken into a Twitter staffer’s account, and that opened up the ability to reset the password on any Twitter account. For fun, he asked other hackers if they wanted access to any Twitter account and posted a video he made of his hack.

GMZ then fulfilled requests for access to several high-profile accounts, including Barack Obama’s and Britney Spears’. Those accounts were then hijacked and used to send fake messages, as demonstrated here. GMZ was inside Twitter for a couple of hours before his access was blocked.

Twitter says they are doing a full security review and are already at work to strengthen the sign-in process. This security issue came immediately on the heels of a Twitter phishing scam.
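The weakness the post highlights is that Twitter placed no limit on sign-in attempts, so a guessing tool could keep going until it hit “happiness”. The following is an added illustration of the basic control a sign-in process needs (example code written for this page, not Twitter’s or Sophos’s): a per-account throttle that locks the account after a burst of failures and refuses further attempts without even checking the password. The thresholds and the injectable clock are assumptions chosen for the example.

```python
import time
from collections import deque


class LoginThrottle:
    """Per-account sign-in throttle. After max_failures failed attempts inside
    a sliding window of `window` seconds, every attempt on that account is
    refused for `lockout` seconds, whether or not the password is right."""

    def __init__(self, max_failures=5, window=300, lockout=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock            # injectable so a test can control time
        self._failures = {}           # account -> deque of failure timestamps
        self._locked_until = {}       # account -> time at which lockout ends

    def _recent_failures(self, account, now):
        fails = self._failures.setdefault(account, deque())
        while fails and now - fails[0] > self.window:
            fails.popleft()           # forget failures older than the window
        return fails

    def allowed(self, account):
        return self.clock() >= self._locked_until.get(account, 0.0)

    def record(self, account, success):
        now = self.clock()
        if success:
            self._failures.pop(account, None)   # a good login clears history
            return
        fails = self._recent_failures(account, now)
        fails.append(now)
        if len(fails) >= self.max_failures:
            self._locked_until[account] = now + self.lockout


def attempt_login(throttle, account, password, verify):
    """Gate a sign-in: while locked out, refuse before touching the password,
    so the response leaks nothing about whether the guess was close."""
    if not throttle.allowed(account):
        return "locked"
    ok = verify(account, password)    # verify() is the site's own check
    throttle.record(account, ok)
    return "ok" if ok else "denied"
```

A hard lockout also lets anyone lock a victim out by guessing badly on purpose, so real sign-in systems usually pair it with progressive delays or a CAPTCHA rather than relying on lockout alone.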

This piece of news has prompted Bruce Schneier to write a great article reminding us that technology is only part of the solution to security issues. The article talks mostly about the threats of impersonation, not web security, but it’s a great read.

BTW, if you are a Twitter user, you can follow Absolute Software news at: twitter.com/absolutecorp.

Choosing a Strong Password

Thursday, December 4th, 2008

Bruce Schneier put together a good article for The Guardian about choosing a strong password. Passwords are a huge security issue for businesses, as this report indicated.

Though the most common password used in a 2007 survey was “password”, not much has improved for 2008: the most common password is now “password1”. In order to describe what makes a “good” password, Schneier describes how programs are used to crack passwords. These programs are sophisticated, testing hundreds of thousands of passwords per second in an intelligent order.

The password-cracking programs try the most likely passwords first, then move on to typical combinations of root plus appendage (or prefix), something like “nachos123”. There are common number and letter sequences that people use to prefix or suffix common words, and 24% of all passwords can be cracked with the first 100,000 of these combinations. The program will then try different dictionaries, replace letters with common symbols such as “@” for “a”, and so on. Running all of these combinations, which could take weeks, will break two thirds of all passwords.

If the cracking program is fed personal information about you, like the name of a pet, a birth date, or a postal code, its effectiveness shoots straight up. And if you save your passwords anywhere on your computer, including in the browser’s saved passwords, the program can find them.

So, how do you choose a good password?

Bruce Schneier recommends a password creation process that will turn a sentence into a password. His example was:

“This little piggy went to market” ===> “tlpWENT2m”

This way, you choose a sentence that is meaningful to you, and also choose your own encoding method to turn it into a more secure character string. Once you have a password, don’t write it anywhere or use it for multiple applications. If you fear you won’t recall your password, write it down and keep it somewhere more secure, like in your wallet. If you can avoid writing the exact password, write the un-abbreviated sentence or a hint instead. You can also use a program such as Password Safe (free) to create an encrypted username / password list protected by a single Master Password.
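The root-plus-appendage and symbol-substitution patterns the article describes, and the sentence-derived password from Schneier’s example, can be turned into a defender-side check at sign-up time. The following is an added example written for this page (not Schneier’s method or any of the tools mentioned): it normalizes a candidate the way a cracking program would, then rejects anything whose root is a dictionary word. The small word list and the affix character set are constructed assumptions standing in for a full dictionary.

```python
# Constructed mini word list standing in for the dictionaries a cracking
# program loads; a real deployment would use a full list such as cracklib's.
COMMON_WORDS = {
    "password", "nachos", "happiness", "letmein", "welcome", "monkey",
    "dragon", "football", "sunshine", "princess", "qwerty", "piggy",
}

# Symbol-for-letter swaps that cracking programs undo automatically
# ("@" for "a" and friends), so they add no real strength.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Characters people bolt onto the front or back of a word ("nachos123",
# "2008summer", "welcome!"): the root+appendage pattern the article describes.
AFFIX_CHARS = "0123456789!?.#_-"


def root_of(password):
    """Strip typical prefixes/suffixes, then undo leet substitutions, giving
    the root that a cracking program would test as a dictionary word."""
    root = password.lower().strip(AFFIX_CHARS)
    return root.translate(LEET_MAP)


def is_weak(password, min_length=9):
    """Return (weak, reason). Weak means the password falls inside the space
    a cracker covers first, long before any exhaustive search."""
    if len(password) < min_length:
        return True, "too short"
    root = root_of(password)
    if not root:
        return True, "only digits and punctuation"
    if root in COMMON_WORDS:
        return True, f"dictionary word plus common affix ({root!r})"
    if len(set(root)) <= 2:
        return True, "repeated characters"
    return False, "ok"
```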

Continue reading this post about choosing strong passwords.

Image: Clipart

Passwords are Not Enough

Thursday, October 16th, 2008

In follow-up to the 10 Common Risks Employees Make That Put Data at Risk, another study recently showed that the majority of organizations require only passwords for employees to access critical data. In addition, the passwords used are found to be quite weak.

Quest Software conducted a study on User Authentication which showed that 52% of the 150 organizations surveyed have only basic user authentication (passwords) to access critical data. Stronger forms of authentication would include hardware tokens, digital certificates or risk-based scoring.

Other findings from the study:

  • 88% of enterprise users have multiple work-related passwords, averaging between five and six
  • 64% of organizations do not require users to change their passwords
  • 45% of organizations allow standard dictionary terms (like “password”)
  • 29% of organizations have no requirements for password length

For those investing in stronger user authentication, the greater risks posed by external users (remote employees, contractors, customers, etc.) have prompted them to action.

Setting up a strong user authentication plan is crucial, but for those companies that are new to this area, the first and most basic area to enforce is to have your employees choose strong passwords. You can read more about that here.

Image: Clipart

Most IT Employees Would Steal Data

Tuesday, September 9th, 2008

Cyber-Ark Software has released the results of a new survey indicating some disturbing facts about insider data breaches by exiting employees.

Cyber-Ark interviewed 300 IT security professionals for their annual survey. This year, 88% of respondents said that, if laid off tomorrow, they “would take valuable and sensitive company information with them.” And that’s just counting the respondents who were honest enough to admit they’d act unethically!

When asked what information employees would take, the target information includes: CEO’s passwords, customer database, R&D plans, financial reports, M&A plans and a list of company passwords.

“Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it’s often considered too much hassle. When people leave the organization, they can often still access the network using these passwords to acquire highly sensitive data” – Udi Mokady, president and CEO of Cyber-Ark.

Most companies may be unaware of the full list of admin passwords that an IT employee has access to, and this could prove dangerous. Privileged passwords that access sensitive information should be secured and routinely changed, particularly when IT employees leave.

Other interesting survey results:

  • One third of companies believe internal espionage and data leaking has resulted in data going to competitors or criminals
  • One quarter have suffered data breaches by internal sabotage and/or IT security fraud
  • 35% send sensitive or confidential information via email (an insecure medium, most of the time)
  • One third of IT administrators admit to keeping passwords on post-it notes
  • One third admit to snooping on the network to look at confidential information like salary details, personal emails, meeting minutes, etc

Via Network World; Clipart via Microsoft / Presentation Pro
