Pelland Blog

Securing Your Digital Identity

June 25th, 2018

In recent months, I have been taking the 10 Steps for Securing Your Digital Identity seminar – that I first presented at the National ARVC Outdoor Hospitality Conference & Expo in Raleigh in 2017 – on the road, with presentations before several state association meetings. The information in the seminar, drawing parallels between the 2017 Equifax security breach and the risks that face small businesses like yours and mine, seems to continually grow timelier with each presentation.

Equifax has admitted that more data was compromised than was originally disclosed, the Internal Revenue Service (which cancelled a no-bid contract with Equifax) urged taxpayers to file their returns as early as possible in 2018 because a stolen identity can lead to a stolen tax refund, and Facebook admitted that it profited from personal data that was exploited by Cambridge Analytica for nefarious marketing purposes. That latter instance forced Facebook CEO Mark Zuckerberg to uncomfortably don a suit and tie, and led to the May 1, 2018 announcement by Cambridge Analytica that it was shutting its doors and initiating bankruptcy filings in both the United Kingdom and the United States.

Some people have suggested disconnecting from the Internet and deleting their social media accounts. The former suggestion is highly impractical in today’s interconnected world, and the latter suggestion – perhaps laudable – in unnecessary if some common sense precautions are exercised. Let me share just two of the highlights from my seminar that will help you to secure your digital identity.

Passwords

There is no easier way to ensure that your identity will be compromised than by using weak passwords, the same password for more than one account, or a password that you have not changed since the sun started rising in the East. A weak password is like the old skeleton keys that could open every door in the neighborhood when I was a child. If you think that your password is secure, you can quickly test its strength online at https://howsecureismypassword.net/. You do not want a password that can be cracked in seconds, minutes, days, weeks, months or even years, but a password that would require millions, billions or trillions of years to crack. I recommend tools that generate secure random passwords, such as the one at https://passwordsgenerator.net/, where secure passwords typically consist of a minimum of 16 characters that mix upper and lower case letters, numbers, and special characters.

Another option is to use four totally random and unrelated words in succession, such as kitten, faucet, maple, and magnet: kittenfaucetmaplemagnet. According to the online test, that example would take 277 trillion years to crack. The only problem is that most of us find it difficult to think in such a random manner. However, if you make a conscious effort, you can generate a highly secure password that should be relatively easy to enter into a keypad. The most common complaint even then is that secure passwords are difficult to remember.

The solution is to use one of several available password safes, including LastPass, Dashlane, and Keeper. These all work with Windows, Mac, iOS, and Android operating systems, have plugins for popular browsers, include two-factor authentication, offer fingerprint login on mobile devices, and have free versions which are usually all that you need. You only need to remember one highly secure master password. Even if that master password could somehow be hacked, nobody could log into your account thanks to two-factor authentication. If somebody attempts to log into my own password safe (which has happened more than a dozen times from hackers around the globe), they would have to know my master password (good luck!), then – because they would be logging in from an unrecognized device or IP address – they would also need to steal my phone AND know how to unlock that device in order to enter the two-factor authentication.

Software Updates

The massive Equifax security breach was the result of the company’s failure to install a patch in universally used Apache Struts open-source software in a timely manner. The Apache Foundation discovered a vulnerability in its software on March 7, 2017, announcing and patching that vulnerability the same day and issuing a subsequent patch three days later. Equifax failed to apply those urgent security patches for at least two months, resulting in a hack that compromised virtually every consumer in America, including at least 209,000 credit card numbers. Offering free identity theft protection and credit card monitoring service is a poor substitute for basic responsibility. In the fallout, Equifax’s CEO was forced to resign, its stock value plummeted by over 30% almost overnight (only recovering half of that loss at the time of this writing), it lost that multi-million dollar no-bid contract to provide taxpayer identity services for the IRS, and the company’s name is now almost always followed by the words “security breach.”

What are the lessons to be learned by your small business? First and foremost, it is critical to run the latest operating system and updates on all of your computers and mobile devices. If you are running a Windows computer, this means running the latest version of the Windows 10 operating system. Microsoft’s support for Windows Vista ended on April 10, 2012; support for Windows 7 ended on January 13, 2015; and support for Windows 8/8.1 ended on January 9, 2018. If you are running any of those operating systems, your computer and the files that it contains are at high risk. It is also important to be running the latest version of Internet browsers, such as Chrome, Firefox, Edge, and Safari; plug-in software such as Adobe Reader, Adobe Flash Player, and Java; and a reliable anti-virus software suite from companies like Avast, Trend Micro, Webroot, or Bitdefender.

Hack attacks are continuous and ongoing, seeking out vulnerable passwords and vulnerabilities in software. Without taking basic precautions, you could become the next victim of identity theft, be subjected to ransomware demands, have your credit card information stolen, or compromise the personal information of every one of your customers. The resulting impact could be devastating for your business. The days have long past when any business, large or small, can afford to take anything less than a vigilant stance when it comes to securing its digital identity.

This post was written by Peter Pelland

Keep Your Passwords Secure

November 26th, 2017

If you attended my “10 Steps for Securing Your Digital Identity” seminar at the 2017 Outdoor Hospitality Conference & Expo, you learned that my lead segment involved the importance of keeping your passwords secure. Passwords have been around since ancient times, when the first sentry asked “Who goes there?”, becoming essential for admission to a speakeasy during Prohibition, and playing a vital role in military security during World War II.

When I was growing up in the 1960s, the doors to our house had old mortise locks and keys that gave our family a sense of security. I recall that the logic when the doors were locked at night was to keep the key turned 90 degrees in the keyhole on the inside of the lock, under the presumption that this would prevent a thief from inserting a key into the outside of the lock and gaining entry. Of course, if somebody got locked inside, we knew that it would only take a couple of minutes to jimmy the key out of the lock. When we were away from home, the key came with us, leaving the lock even more vulnerable.

If a key got lost or broken, we simply walked to the neighborhood hardware store (yes, they existed back then!) and bought a skeleton key for 50¢ that would probably open every lock in our house, including the outside entry doors, as well as the locks on most every other house in the neighborhood. It is no wonder that we relied on neighbors to keep an eye on our houses back then. Sadly, many people today do not even know the names of their neighbors.

Nowadays, passwords are almost exclusively associated with computers and Internet security, and a lame password is essentially the equivalent of a skeleton key. Like those families sleeping soundly behind the security of a mortise lock, a majority of computer users think that their passwords are securely protecting their accounts from getting hacked.

Before I go any further, I would like you to test one of your passwords. Go to this URL and enter your password: https://howsecureismypassword.net/. As an example, I just tested “JBDayton62”, which is exactly the type of password that many people use, so falsely confident in its security that they use it on every account that requires a password. According to the test, a computer could crack this 10-digit password in only 8 months; however, anybody who researched the Internet and social media and already knew that John Brown was born in Dayton, Ohio in 1962 could crack this password in no time flat. If a password is convenient to remember, it is easy to crack!

What Constitutes a Secure Password?

Quite simply, for a password to be secure it should consist of a minimum of 16 characters; never contain a word or a combination of words found in the dictionary; never contain the names of family members, friends, pets, sports teams, and the like; and be made up of a random combination of uppercase letters, lowercase letters, numbers, and special characters. You can also often use spaces in passwords, although it is unfortunate that many websites still prevent users from choosing truly secure passwords, by precluding the use of special characters, for example.

The next rule is to always use a unique password for each and every site, and then to change each password on a routine and frequent basis. Apply even stricter standards for sites that provide access to highly secure information, such as your online banking or the IRS’s Electronic Federal Tax Payment System (EFTPS) website. The time to change your old, reused, vulnerable, weak, or compromised passwords is now, not next week or “when you get around to it.”

Before you naively presume that nobody is out there trying to crack your password, consider the fact that password cracking software is readily available online for use by hackers (and occasionally by companies that are on the lookout for weak passwords being used by employees.) Those programs include L0phtCrack, Cain, and John the Ripper … all designed to crack passwords (and sometimes credit card numbers) using brute force, dictionary attacks, rainbow tables, and other means.

How to Create a Secure Password

Never trust yourself to generate your own secure password. Our brains are simply not programmed to think randomly, and any password that makes sense to you is easy to crack. Some people even think that including a foreign-language word in their password will make it secure, perhaps presuming that hackers only reference English language dictionaries (even though English may be far from their native languages.) My recommendation is to use a secure online password generator such as the Secure Password Generator: https://passwordsgenerator.net/

The Secure Password Generator will allow you to choose any length of characters (from 6 to 2,048) and choose the types of characters that will be allowed (or excluded, if a site does not permit certain characters), then generate it on your own computer.

How to Store Your Passwords

Once you generate a highly secure password, keeping it written down on a sheet of paper or in a Word document on your computer is like leaving the keys for Fort Knox at a lost and found counter. You need a way to store and access your passwords safely, relatively easily, and securely. I recommend the use of a password safe. Three of the best are LastPass, Dashlane, and Keeper.

LastPass – https://www.lastpass.com/
Dashlane – https://www.dashlane.com/
Keeper – https://keepersecurity.com/

All three work with Windows, Mac, iOS, and Android operating systems; have plugins for popular browsers; include two-factor authentication; include form-filling; offer fingerprint login on mobile devices; and have free versions.

The idea with a password safe is that you have only one highly secure master password to remember. Thanks to geolocation, if you login to your account from an unfamiliar IP address, the two-factor authentication will kick in, requiring you to confirm your identity before being allowed access. In my own instance, 12 attempts to login to my account over the last 6 months have been thwarted – 3 from Vietnam, 2 from China, 2 from Brazil, and one each from Argentina, Georgia, Ukraine, The Philippines, and the United States (North Carolina). Do not think for a moment that there are not people out there actively trying to hack into your accounts. They are out there and they are everywhere.

Access to our personal data is far too important to be left to chance, and I am hoping that this article might help to open the eyes of a few disbelievers. People who are ahead of the curve when it comes to planning are already taking measures to ensure the longevity of access to their data, even as new biometric methods such as fingerprint and iris recognition are coming into play. According to a survey taken by the University of London and cited in Wikipedia, one in ten people are now including password access or recovery information in their wills. My best advice is to think toward the future, but to start changing your way of thinking today.

This post was written by Peter Pelland