Privacy and Security News and Tips 20160726

Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.Clifford Stoll

Weekly Tip

We all have numerous passwords that we count on in our daily lives, but how safe and secure is that password? Have you shared it with anyone? Were you aware that a federal court has made sharing passwords illegal? Do you use a password manager? Today I saw news of a zero-day vulnerability on Lastpass.

Protecting your Personally Identifiable InformationWe must be ever-vigilant with our passwords and password managers as well as two-factor authentication (2FA) (see links for more). Despite a federal ruling on sharing passwords, one of our presidential candidates asked their potential VP and his entire family, including grown children, to share all of their social media passwords with the campaign. California has ruled in favor of employers demanding the social media passwords of employees (long-standing ruling). There are numerous other examples of overreaching attempts at circumventing your privacy and security, so we all must be fully aware of what is and is not legal as well as what we will and will not allow when it comes to our data and privacy. It is best practice to use a password manager, 2FA, secure passwords, unique passwords for each and every location that requires a password, and to change passwords on a regular schedule based on the data that is being protected. It is also a good idea to make sure you are aware of the latest issues and/or updates for your password manager of choice.

It is your security that is at stake and you must take every reasonable step to protect it in this ever-changing digital landscape.

Interesting News

NIST Says SMS-Based Two-Factor Authentication Isn’t Secure

ACCESS TO SOCIAL MEDIA USERNAMES AND PASSWORDS

If you enjoy this newsletter and know anyone that would be interested in the information contained, please pass this along or subscribe here.

Share

Privacy and Security News and Tips 20160330

“This is my password,” said the King as he drew his sword. “The light is dawning, the lie broken. Now guard thee, miscreant, for I am Tirian of Narnia.” — C.S. Lewis

Weekly Tip

This week I thought I would bring you some ideas about usernames, passwords, passphrase vaulting, and online accounts.

When you think about all of the accounts we have online and the number of information leaks, think about how often you reuse the same username or worse, password. Best practice is to use unique passwords for everything you do, and not to share them unless absolutely necessary, and then change it as soon as the other party no longer needs it. Remember, a secret is no longer a secret when a second person knows it. A password manager like 1Password or Lastpass helps to organize and maintain unique passwords, but Protecting your Personally Identifiable Informationconsider using unique usernames too to make it that much harder for someone to even attempt to access a second account with the information from the first. The links this week are to my site and give a much longer explanation on passwords and vaulting with password managers.

A bonus idea is to consider using disposable email addresses for sites that may share your information. Gmail and Google Apps both allow you to create unlimited aliases on the fly. If your email is user@gmail.com, you can use user+facebook@gmail.com, etc.

Interesting News

Passwords And Passphrases, Your Most Common Security Measure

Passphrase Vaulting

Lastpass

If you enjoy this newsletter and know anyone that would be interested in the information contained, please pass this along or subscribe here.

Share

Phishing

Quick Facts

Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure unsuspecting victims into providing passphrases, personal, and/or financial information. To avoid getting hooked:

  • Realize that no one should ask for your passphrase.
  • Don’t reply to email or pop-up messages that ask for passphrases, personal, or financial information, and do NOT click on links in such messages. Don’t cut and paste a link from the message into your Web browser — phishers can make links look like they go one place, but that actually send you to a different site.
  • Some scammers send an email that appears to be from a legitimate business and ask you to call a phone number to update your account or access a “refund.” Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.
  • Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
  • Don’t email passphrases, personal, or financial information.
  • Review credit card and bank account statements as soon as you receive them to check for unauthorized charges.
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
  • Forward phishing emails to spam@uce.gov – and to the company, bank, or organization impersonated in the phishing email. You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
  • If you’ve been scammed, visit the Federal Trade Commission’s Identity Theft website at www.consumer.ftc.gov/features/feature-0014-identity-theft.

For general information about phishing, see: What are phishing scams and how can I avoid them?

How not to get hooked by phishing scams

“We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”

“During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”

“Your e-mail (or passphrase) will expire soon. To avoid any interruption please click the link below and upgrade your email.”

Have you received email with a similar message? It’s a scam called “phishing” — and it involves Internet fraudsters who send spam or pop-up messages to lure personal information (credit card numbers, bank account information, Social Security number, passwords, or other sensitive information) from unsuspecting victims.

According to OnGuard Online, phishers send an email or pop-up message that claims to be from a business or organization that you may deal with — for example, an Internet service provider (ISP), bank, online payment service, or even a government agency. The message may ask you to “update,” “validate,” or “confirm” your account information. Some phishing emails threaten a dire consequence if you don’t respond. The messages direct you to a website that looks just like a legitimate organization’s site. But it isn’t. It’s a bogus site whose sole purpose is to trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.

We suggest these tips to help you avoid getting hooked by a phishing scam:

Don’t reply
If you get an email or pop-up message that asks for personal or financial information, do not reply. And don’t click on the link in the message, either. Legitimate companies don’t ask for this information via email. If you are concerned about your account, contact the organization mentioned in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company’s correct Web address yourself. In any case, don’t cut and paste the link from the message into your Internet browser — phishers can make links look like they go to one place, but that actually send you to a different site.
Area codes can mislead
Some scammers send emails that appear to be from a legitimate business and ask you to call a phone number to update your account or access a “refund.” Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card. And delete any emails that ask you to confirm or divulge your financial information.
Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly
Some phishing emails contain software that can harm your computer or track your activities on the Internet without your knowledge.Anti-virus software and a firewall can protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications for troublesome files. Look for anti-virus software that recognizes current viruses as well as older ones; that can effectively reverse the damage; and that updates automatically.A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It’s especially important to run a firewall if you have a broadband connection. Operating systems (like Windows or Linux) or browsers (like Internet Explorer or Netscape) also may offer free software “patches” to close holes in the system that hackers or phishers could exploit.
Don’t email personal or financial information.
Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization’s website, look for indicators that the site is secure, like a lock icon on the browser’s status bar or a URL for a website that begins “https:” (the “s” stands for “secure”). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
Review credit card and bank account statements to check for unauthorized charges
If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
Be cautious of attachments and downloads
Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer’s security.
Forward phishing emails to spam@uce.gov
You can also forward emails to the company, bank, or organization impersonated in the phishing email — especially if it’s particularly realistic. Most organizations have information on their websites about where to report problems. You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.
File a complaint
If you believe you’ve been scammed, file your complaint at ftc.gov, and then visit the FTC’s Identity Theft website at ftc.gov/idtheft. Victims of phishing can become victims of identity theft. While you can’t entirely control whether you will become a victim of identity theft, you can take some steps to minimize your risk. If an identity thief is opening credit accounts in your name, these new accounts are likely to show up on your credit report. You may catch an incident early if you order a free copy of your credit report periodically from any of the three major credit reporting companies. See www.annualcreditreport.com for details on ordering a free annual credit report.

I’ve been phished! What should I do?

This depends — mostly on how much information you accidentally provided to the phishers.

In addition to reporting the phishing scam, this guide should help:

I accidentally sent…You should…
My email/username & password/passphraseChange your password/passphrase immediately.If you’re using a free provider (Gmail, Hotmail, etc) and you find an increasingly and uncontrollable amount of spam, you may wish to change your email address as well.
Personal information, such as:

  • Address
  • Bank/financial account number
  • Credit Card number or information
  • Answers to security questions
  • Other personal information that can be changed
  • Driver’s license / license plate
While there’s no way to “unsend” the email, many of these pieces of information are changeable (especially credit card numbers). Contact the appropriate organization or financial institution. You should also report this as identity theft.Please note: the theft of a credit card (or credit card number) alone does not constitute identity theft (as determined by the FTC). You should, however, promptly call the financial institution and have the number changed. You can also work out any erroneous charges on your account.Also, technically, yes — your address is changeable, if you move. However, consider that only as a last resort; most identity thieves attempt to collect thousands (even millions) of individuals’ information during phishing scams; they’re likely not singling you out as a target. If you feel your personal safety threatened, contact your local police department.
Personal information that isn’t changeable — such as:

  • Social Security number
  • Mother’s maiden name
  • Date &/or city of birth
  • Health/medical information
Unfortunately, there’s not much you can do about this except defend yourself (electronically). Being proactive and staying alert/aware of your credit is your best defense.

How to Report a phishing scam

Forward spam that is phishing for information to spam@uce.gov – and to the company, bank, or organization impersonated in the phishing email. Most organizations have information on their websites about where to report problems.

If you believe you’ve been scammed, file your complaint with the FTC, and then visit the FTC’s Identity Theft website at www.consumer.ftc.gov/features/feature-0014-identity-theft. Victims of phishing can become victims of identity theft.

You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a consortium of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

Other types of phishing

IVR or phone phishing
This criminal technique uses a rogue (IVR) system to recreate a legitimate sounding copy of a bank or other institution’s IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the “bank” via a (ideally toll free) number provided in order to “verify” information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.A criminal could even record the typical commands (“Press one to change your password, press two to speak to customer service” …) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
Quid pro quo
Quid pro quo means something for something:

  • An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will “help” solve the problem and in the process have the user type commands that give the attacker access or launch malware
  • In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen. Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords

Subscribe to get new posts in your mailbox.

Share

Social Engineering

Don’t get tricked out of your information

In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking or manipulating other people to divulge confidential information or break normal security procedures.

A social engineer runs what used to be called a “con game”. For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network’s security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques.

Another aspect of social engineering relies on people’s inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone’s shoulder (shoulder surfing), or take advantage of people’s natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people’s awareness of how social engineers operate.

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called “bugs in the human hardware,” are exploited in various combinations to create attack techniques, some of which are listed here.

Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action and is typically done over the telephone. It’s more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.

This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager (e.g., to make account changes, get specific balances, etc).

As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother’s maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.

Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one’s feet.

For more information about pretexting, visit:
http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure

Phishing

Phishing is a scam where Internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims.

For more information about phishing, see our topic about phishing.

Subscribe to get new posts in your mailbox.

Share

What Are Phishing Scams And How Can I Avoid Them?

On this page:

  • Phishing explained
  • Specific types of phishing
  • Avoiding phishing scams
  • Warnings
  • Reporting phishing attempts
  • Example of a phishing scam

Phishing explained

Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed web site or otherwise get you to divulge private information (e.g., password, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.

One type of phishing attempt is an email message stating that you are receiving it due to fraudulent activity on your account, and asking you to “click here” to verify your information.

Phishing scams are crude social engineering tools designed to induce panic in the reader. These scams attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.

Specific types of phishing

Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker’s objective. Several distinct types of phishing have emerged.

Spear phishing

Phishing attacks directed at specific individuals, roles, or organizations are referred to as “spear phishing”. Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.

The best defense against spear phishing is to carefully, securely discard information (i.e., using a cross-cut shredder) that could be used in such an attack. Further, be aware of data that may be relatively easily obtainable (e.g., your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone.

Whaling

The term “whaling” is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.

Avoiding phishing scams

Reputable organizations will never use email to request that you reply with your password, Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a web site or by replying to the message itself. Never reply to or click the links in a message. If you think the message may be legitimate, go directly to the company’s web site (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.

When you recognize a phishing message, delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the web sites it points to.

Always read your email as plain text.

For help, see Microsoft Support.

Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client’s ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.

Warnings

Reading email as plain text is a general best practice that, while avoiding some phishing attempts, won’t avoid them all. Some legitimate sites use redirect scripts that don’t check the redirects. Consequently, phishing perpetrators can use these scripts to redirect from legitimate sites to their fake sites.

Another tactic is to use a homograph attack, which, due to International Domain Name (IDN) support in modern browsers, allows attackers to use different language character sets to produce URLs that look remarkably like the authentic ones. See Don’t Trust Your Eyes or URLs.

Reporting phishing attempts

For more about phishing scams, see Phishing.

Subscribe to get new posts in your mailbox.

Share

Passphrase Vaulting

Not so long ago, if you needed money from the bank you walked inside and interacted with a teller. Eventually, you got to know the bank teller, and proving who you were was rather easy. Then, banks realized that customers were willing to accept less personal interaction with a teller in exchange for the 24-hour convenience of an ATM. With an ATM, there are two elements of security: you need both an ATM card (that is, something you have) and a PIN number (something you know) to access your account.

The internet made things even easier: you no longer have to drive around to find an ATM; instead, the bank has a website that customers can use from anywhere in the world via a web browser. The problem with this system is that the only thing protecting your account on the web is the passphrase you have selected (something you know). When the only thing required to access your bank account is something you know, anyone else who knows your passphrase can access your account. Some banks and companies offer two-factor authentication services using text messages or a token device that can also assist in protecting your accounts.

Faced with this security problem, you might think about just selecting a really long and complicated passphrase. That is a great solution when you have only one passphrase to remember, but consider all the other accounts you access online: your credit union, your retirement account website, Hotmail, Facebook, the lawn service, the newspaper, the gas company, the electric company, etc. Before you know it, you have over a dozen unique, difficult-to-remember passphrases.

How do most people cope with this problem? One method is to use the same passphrase everywhere. However, the problem with this is that if any one of the places where you use the passphrase is compromised, or if you use the passphrase on a compromised computer with a keystroke logger, you have just given an attacker the passphrase to all of your online accounts.

Another common method is to write all the passphrases down on a piece of paper. All too often this is a sticky note attached to the monitor of the computer or left under the keyboard. Even worse, frequently these notes do not just contain the passphrases, but also usernames and even the associated services. Anybody that finds the paper gets a list of all your important accounts and how to access them. Variations on this method, such as only writing down clues to help you remember what passphrase you need are sometimes successful, but these successes are the exception to the rule.

So, since you probably cannot remember all of your passphrases (the most secure option), and you should not repeat them or write them all down (the most convenient options), what can you do? Balance the need for security and convenience by storing your passphrases in a secure manner. Fortunately, numerous programs exist to do this for you. They are known as passphrase vaults.

Passphrase Vaults

A passphrase vault is a program that balances the security of multiple passphrases with the convenience of recording them. You create a single strong passphrase to protect the passphrase vault, and then the vault program takes care of securely storing the rest of your hard-to-remember passphrases. Think of a passphrase vault as being similar to a bank vault; only with the vault combination (passphrase) can you unlock the protected items inside (other passphrases).

Passphrase Vault Best Practices

Protect the passphrase vault with a strong passphrase.

A good passphrase vault is encrypted with a passphrase of your choosing. Since the passphrase keeping program stores passphrases using reversible encryption, if an attacker is somehow able to obtain the raw password vault file, your password vault passphrase is the only thing stopping her from decrypting the contents of the file.

Use a passphrase to protect the password vault that is different from any of the passphrases stored inside the vault.

All of the passphrases in the passphrase vault can be displayed on the screen for the user or placed in memory (as clear text) for the computer. The only passphrase that is not stored this way is the one used to protect the passphrase vault itself.

If a passphrase used for a particular web site is compromised, this prevents the malicious person from using that passphrase to gain access to the rest of the passphrases in the vault.

Protect the password vault file.

Simply put, the passphrases must be saved in a file somewhere. Place the passphrase vault file on a small USB drive (e.g., thumbdrive, mp3 player, or iPod) that you always keep with you. Storing this vault file on a system other than your computer’s hard drive adds an additional layer of complexity; many viruses (and other forms of malicious software) just search the hard drive or the logical drive of the Operating System and do not look for other drives).

Also pay attention to where any temporary files are stored. If your passphrases are stored in a clear text file on the hard drive while the passphrase vault is in use, that temporary file may leave traces behind that an attacker would be able to find.

Clear the clipboard.

Some programs will copy your passphrase into the clipboard and allow you to simply paste it into a form. This can be incredibly convenient, but the passphrase is stored in the clipboard as clear text. Therefore, you need to be sure that the passphrase is removed from the clipboard as soon as it is used.

Never leave your computer logged in and unattended.

Again, because passphrases are stored using reversible encryption, if your vault is unlocked anyone can sit down at your computer and read or write down your passphrases. This makes logging off or locking your computer when you step away critical. In less than the time it takes you to walk to the restroom and back, a malicious person can find and export your password vault passphrases.

Select a vault program that works with all your platforms.

Increasingly mobile computing devices (tablets, smart phones, etc) are being used for day-to-day tasks such as shopping or banking. Storing passwords on these devices unencrypted exposes you to additional risk as they are more likely to be lost or stolen then a desktop computer. Many passphrase vault applications offer mobile versions that work with various platforms.

Passphrase Vault Programs

Personal Use:

Enterprise:

Subscribe to get new posts in your mailbox.

Share

Passwords And Passphrases, Your Most Common Security Measure

The first and most common piece of security everyone is aware of and using is a password or hopefully a passphrase.  Today I will outline the differences between the two along with some guidelines and suggestions.  In part 2 of my coverage about passwords I will go into more detail about some things to look out for when creating and using passwords.

About passwords and passphrases

Passwords are short sequences of letters, numbers, and symbols that you enter to verify your identity to a system, which then allows you access to secure data or other resources.

Passphrases operate on the same principle as passwords, and are used in exactly the same way. However, they differ from traditional passwords in two aspects:

  • Passphrases are generally longer than passwords. While passwords can frequently be as short as six or even four characters, passphrases have larger minimum lengths and, in practice, typical passphrases might be 20 or 30 characters long or longer. This greater length provides more powerful security; it is far more difficult for a cracker to break a 25-character passphrase than an eight-character password.
  • The rules for valid passphrases differ from those for passwords. Systems that use shorter passwords often disallow actual words or names, which are notoriously insecure; instead, your password is usually an apparently random sequence of characters. The greater length of passphrases, by contrast, allows you to create an easily memorable phrase rather than a cryptic series of letters, numbers, and symbols.

What makes a password or passphrase strong?

A strong password:A strong passphrase:
  • Is at least eight characters long.
  • Does not contain your user name, real name, or company name.
  • Does not contain a complete word.
  • Is significantly different from previous passwords.
  • Is 20 to 30 characters long.
  • Is a series of words that create a phrase.
  • Does not contain common phrases found in literature or music.
  • Does not contain words found in the dictionary.
  • Does not contain your user name, real name, or company name.
  • Is significantly different from previous passwords or passphrases.

Strong passwords and passphrases contain characters from each of the following four categories:

Character categoryExamples
Uppercase lettersA, B, C
Lowercase lettersa, b, c
Numbers0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Symbols found on the keyboard (all keyboard characters not defined as letters or numerals) and spaces` ~ ! @ # $ % ^ & * ( ) _ – + = { } [ ] \ | : ; ” ‘ < > , . ? /

A password or passphrase might meet all the criteria above and still be weak. For example, Hello2U! meets all the criteria for a strong password listed above, but is still weak because it contains a complete word. H3ll0 2 U! is a stronger alternative because it replaces some of the letters in the complete word with numbers and also includes spaces.

 

Help yourself remember your strong password or passphrase by following these tips:

  • Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son’s birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
  • Substitute numbers, symbols, and misspellings for letters or words in an easy-to-remember phrase. For example, My son’s birthday is 12 December, 2004 could become Mi$un’s Brthd8iz 12124, which would make a good passphrase.
  • Relate your password or passphrase to a favorite hobby or sport. For example, I love to play badminton could becomeILuv2PlayB@dm1nt()n.

If you feel you must write down your password or passphrase to remember it, make sure you don’t label it as such, and keep it in a safe place.

Guidelines for keeping your passwords and passphrases secure

  • Consider using passphrase vaulting.
  • Do not write your username and password or passphrase in the same place.
  • Never share your password or passphrase with anyone.
  • Never send anyone your password or passphrase via email, even if the message requesting your password seems official. A request for a password or passphrase is very likely a phishing scam.
  • Change your password or passphrase at least every six months.
  • Do not use the same password or passphrase over multiple services or web sites.

Subscribe to get new posts in your mailbox.

Share

Privacy And Security In Uncertain Times

Recently I was at a conference and the subject of computer and Internet security came up.  That, coupled with all that has been in the news lately, helped me decide to do a series of posts covering some of my general security suggestions.  I will try to make at least one post a week, and will be posting some suggestions on 7th Circle Designs as well.

Topics will include (and will be amended as we go):

Stay tuned for our first post on hard drive encryption.

Subscribe to get new posts in your mailbox.

Share