Privacy and Security News and Tips 20160726

Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.Clifford Stoll

Weekly Tip

We all have numerous passwords that we count on in our daily lives, but how safe and secure is that password? Have you shared it with anyone? Were you aware that a federal court has made sharing passwords illegal? Do you use a password manager? Today I saw news of a zero-day vulnerability on Lastpass.

Protecting your Personally Identifiable InformationWe must be ever-vigilant with our passwords and password managers as well as two-factor authentication (2FA) (see links for more). Despite a federal ruling on sharing passwords, one of our presidential candidates asked their potential VP and his entire family, including grown children, to share all of their social media passwords with the campaign. California has ruled in favor of employers demanding the social media passwords of employees (long-standing ruling). There are numerous other examples of overreaching attempts at circumventing your privacy and security, so we all must be fully aware of what is and is not legal as well as what we will and will not allow when it comes to our data and privacy. It is best practice to use a password manager, 2FA, secure passwords, unique passwords for each and every location that requires a password, and to change passwords on a regular schedule based on the data that is being protected. It is also a good idea to make sure you are aware of the latest issues and/or updates for your password manager of choice.

It is your security that is at stake and you must take every reasonable step to protect it in this ever-changing digital landscape.

Interesting News

NIST Says SMS-Based Two-Factor Authentication Isn’t Secure

ACCESS TO SOCIAL MEDIA USERNAMES AND PASSWORDS

If you enjoy this newsletter and know anyone that would be interested in the information contained, please pass this along or subscribe here.

Share

Privacy and Security News and Tips 20160330

“This is my password,” said the King as he drew his sword. “The light is dawning, the lie broken. Now guard thee, miscreant, for I am Tirian of Narnia.” — C.S. Lewis

Weekly Tip

This week I thought I would bring you some ideas about usernames, passwords, passphrase vaulting, and online accounts.

When you think about all of the accounts we have online and the number of information leaks, think about how often you reuse the same username or worse, password. Best practice is to use unique passwords for everything you do, and not to share them unless absolutely necessary, and then change it as soon as the other party no longer needs it. Remember, a secret is no longer a secret when a second person knows it. A password manager like 1Password or Lastpass helps to organize and maintain unique passwords, but Protecting your Personally Identifiable Informationconsider using unique usernames too to make it that much harder for someone to even attempt to access a second account with the information from the first. The links this week are to my site and give a much longer explanation on passwords and vaulting with password managers.

A bonus idea is to consider using disposable email addresses for sites that may share your information. Gmail and Google Apps both allow you to create unlimited aliases on the fly. If your email is user@gmail.com, you can use user+facebook@gmail.com, etc.

Interesting News

Passwords And Passphrases, Your Most Common Security Measure

Passphrase Vaulting

Lastpass

If you enjoy this newsletter and know anyone that would be interested in the information contained, please pass this along or subscribe here.

Share

Passphrase Vaulting

Not so long ago, if you needed money from the bank you walked inside and interacted with a teller. Eventually, you got to know the bank teller, and proving who you were was rather easy. Then, banks realized that customers were willing to accept less personal interaction with a teller in exchange for the 24-hour convenience of an ATM. With an ATM, there are two elements of security: you need both an ATM card (that is, something you have) and a PIN number (something you know) to access your account.

The internet made things even easier: you no longer have to drive around to find an ATM; instead, the bank has a website that customers can use from anywhere in the world via a web browser. The problem with this system is that the only thing protecting your account on the web is the passphrase you have selected (something you know). When the only thing required to access your bank account is something you know, anyone else who knows your passphrase can access your account. Some banks and companies offer two-factor authentication services using text messages or a token device that can also assist in protecting your accounts.

Faced with this security problem, you might think about just selecting a really long and complicated passphrase. That is a great solution when you have only one passphrase to remember, but consider all the other accounts you access online: your credit union, your retirement account website, Hotmail, Facebook, the lawn service, the newspaper, the gas company, the electric company, etc. Before you know it, you have over a dozen unique, difficult-to-remember passphrases.

How do most people cope with this problem? One method is to use the same passphrase everywhere. However, the problem with this is that if any one of the places where you use the passphrase is compromised, or if you use the passphrase on a compromised computer with a keystroke logger, you have just given an attacker the passphrase to all of your online accounts.

Another common method is to write all the passphrases down on a piece of paper. All too often this is a sticky note attached to the monitor of the computer or left under the keyboard. Even worse, frequently these notes do not just contain the passphrases, but also usernames and even the associated services. Anybody that finds the paper gets a list of all your important accounts and how to access them. Variations on this method, such as only writing down clues to help you remember what passphrase you need are sometimes successful, but these successes are the exception to the rule.

So, since you probably cannot remember all of your passphrases (the most secure option), and you should not repeat them or write them all down (the most convenient options), what can you do? Balance the need for security and convenience by storing your passphrases in a secure manner. Fortunately, numerous programs exist to do this for you. They are known as passphrase vaults.

Passphrase Vaults

A passphrase vault is a program that balances the security of multiple passphrases with the convenience of recording them. You create a single strong passphrase to protect the passphrase vault, and then the vault program takes care of securely storing the rest of your hard-to-remember passphrases. Think of a passphrase vault as being similar to a bank vault; only with the vault combination (passphrase) can you unlock the protected items inside (other passphrases).

Passphrase Vault Best Practices

Protect the passphrase vault with a strong passphrase.

A good passphrase vault is encrypted with a passphrase of your choosing. Since the passphrase keeping program stores passphrases using reversible encryption, if an attacker is somehow able to obtain the raw password vault file, your password vault passphrase is the only thing stopping her from decrypting the contents of the file.

Use a passphrase to protect the password vault that is different from any of the passphrases stored inside the vault.

All of the passphrases in the passphrase vault can be displayed on the screen for the user or placed in memory (as clear text) for the computer. The only passphrase that is not stored this way is the one used to protect the passphrase vault itself.

If a passphrase used for a particular web site is compromised, this prevents the malicious person from using that passphrase to gain access to the rest of the passphrases in the vault.

Protect the password vault file.

Simply put, the passphrases must be saved in a file somewhere. Place the passphrase vault file on a small USB drive (e.g., thumbdrive, mp3 player, or iPod) that you always keep with you. Storing this vault file on a system other than your computer’s hard drive adds an additional layer of complexity; many viruses (and other forms of malicious software) just search the hard drive or the logical drive of the Operating System and do not look for other drives).

Also pay attention to where any temporary files are stored. If your passphrases are stored in a clear text file on the hard drive while the passphrase vault is in use, that temporary file may leave traces behind that an attacker would be able to find.

Clear the clipboard.

Some programs will copy your passphrase into the clipboard and allow you to simply paste it into a form. This can be incredibly convenient, but the passphrase is stored in the clipboard as clear text. Therefore, you need to be sure that the passphrase is removed from the clipboard as soon as it is used.

Never leave your computer logged in and unattended.

Again, because passphrases are stored using reversible encryption, if your vault is unlocked anyone can sit down at your computer and read or write down your passphrases. This makes logging off or locking your computer when you step away critical. In less than the time it takes you to walk to the restroom and back, a malicious person can find and export your password vault passphrases.

Select a vault program that works with all your platforms.

Increasingly mobile computing devices (tablets, smart phones, etc) are being used for day-to-day tasks such as shopping or banking. Storing passwords on these devices unencrypted exposes you to additional risk as they are more likely to be lost or stolen then a desktop computer. Many passphrase vault applications offer mobile versions that work with various platforms.

Passphrase Vault Programs

Personal Use:

Enterprise:

Subscribe to get new posts in your mailbox.

Share

Passwords And Passphrases, Your Most Common Security Measure

The first and most common piece of security everyone is aware of and using is a password or hopefully a passphrase.  Today I will outline the differences between the two along with some guidelines and suggestions.  In part 2 of my coverage about passwords I will go into more detail about some things to look out for when creating and using passwords.

About passwords and passphrases

Passwords are short sequences of letters, numbers, and symbols that you enter to verify your identity to a system, which then allows you access to secure data or other resources.

Passphrases operate on the same principle as passwords, and are used in exactly the same way. However, they differ from traditional passwords in two aspects:

  • Passphrases are generally longer than passwords. While passwords can frequently be as short as six or even four characters, passphrases have larger minimum lengths and, in practice, typical passphrases might be 20 or 30 characters long or longer. This greater length provides more powerful security; it is far more difficult for a cracker to break a 25-character passphrase than an eight-character password.
  • The rules for valid passphrases differ from those for passwords. Systems that use shorter passwords often disallow actual words or names, which are notoriously insecure; instead, your password is usually an apparently random sequence of characters. The greater length of passphrases, by contrast, allows you to create an easily memorable phrase rather than a cryptic series of letters, numbers, and symbols.

What makes a password or passphrase strong?

A strong password:A strong passphrase:
  • Is at least eight characters long.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete word.
  • Is significantly different from previous passwords.
  • Is 20 to 30 characters long.
  • Is a series of words that create a phrase.
  • Does not contain common phrases found in literature or music.
  • Does not contain words found in the dictionary.
  • Does not contain your user name, real name, or company name.
  • Is significantly different from previous passwords or passphrases.

Strong passwords and passphrases contain characters from each of the following four categories:

Character categoryExamples
Uppercase lettersA, B, C
Lowercase lettersa, b, c
Numbers0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces` ~ ! @ # $ % ^ & * ( ) _ – + = { } [ ] \ | : ; ” ‘ < > , . ? /

A password or passphrase might meet all the criteria above and still be weak. For example, Hello2U! meets all the criteria for a strong password listed above, but is still weak because it contains a complete word. H3ll0 2 U! is a stronger alternative because it replaces some of the letters in the complete word with numbers and also includes spaces.

 

Help yourself remember your strong password or passphrase by following these tips:

  • Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son’s birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
  • Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son’s birthday is 12 December, 2004 could become Mi$un’s Brthd8iz 12124, which would make a good passphrase.
  • Relate your password or passphrase to a favorite hobby or sport. For example, I love to play badminton could becomeILuv2PlayB@dm1nt()n.

If you feel you must write down your password or passphrase to remember it, make sure you don’t label it as such, and keep it in a safe place.

Guidelines for keeping your passwords and passphrases secure

  • Consider using passphrase vaulting.
  • Do not write your username and password or passphrase in the same place.
  • Never share your password or passphrase with anyone.
  • Never send anyone your password or passphrase via email, even if the message requesting your password seems official. A request for a password or passphrase is very likely a phishing scam.
  • Change your password or passphrase at least every six months.
  • Do not use the same password or passphrase over multiple services or web sites.

Subscribe to get new posts in your mailbox.

Share