Pelland Blog

Keep Your Passwords Secure

November 26th, 2017

If you attended my “10 Steps for Securing Your Digital Identity” seminar at the 2017 Outdoor Hospitality Conference & Expo, you learned that my lead segment involved the importance of keeping your passwords secure. Passwords have been around since ancient times, when the first sentry asked “Who goes there?”, becoming essential for admission to a speakeasy during Prohibition, and playing a vital role in military security during World War II.

When I was growing up in the 1960s, the doors to our house had old mortise locks and keys that gave our family a sense of security. I recall that the logic when the doors were locked at night was to keep the key turned 90 degrees in the keyhole on the inside of the lock, under the presumption that this would prevent a thief from inserting a key into the outside of the lock and gaining entry. Of course, if somebody got locked inside, we knew that it would only take a couple of minutes to jimmy the key out of the lock. When we were away from home, the key came with us, leaving the lock even more vulnerable.

If a key got lost or broken, we simply walked to the neighborhood hardware store (yes, they existed back then!) and bought a skeleton key for 50¢ that would probably open every lock in our house, including the outside entry doors, as well as the locks on most every other house in the neighborhood. It is no wonder that we relied on neighbors to keep an eye on our houses back then. Sadly, many people today do not even know the names of their neighbors.

Nowadays, passwords are almost exclusively associated with computers and Internet security, and a lame password is essentially the equivalent of a skeleton key. Like those families sleeping soundly behind the security of a mortise lock, a majority of computer users think that their passwords are securely protecting their accounts from getting hacked.

Before I go any further, I would like you to test one of your passwords. Go to this URL and enter your password: https://howsecureismypassword.net/. As an example, I just tested “JBDayton62”, which is exactly the type of password that many people use, so falsely confident in its security that they use it on every account that requires a password. According to the test, a computer could crack this 10-digit password in only 8 months; however, anybody who researched the Internet and social media and already knew that John Brown was born in Dayton, Ohio in 1962 could crack this password in no time flat. If a password is convenient to remember, it is easy to crack!

What Constitutes a Secure Password?

Quite simply, for a password to be secure it should consist of a minimum of 16 characters; never contain a word or a combination of words found in the dictionary; never contain the names of family members, friends, pets, sports teams, and the like; and be made up of a random combination of uppercase letters, lowercase letters, numbers, and special characters. You can also often use spaces in passwords, although it is unfortunate that many websites still prevent users from choosing truly secure passwords by precluding the use of special characters, for example.

The next rule is to always use a unique password for each and every site, and then to change each password on a routine and frequent basis. Apply even stricter standards for sites that provide access to highly secure information, such as your online banking or the IRS’s Electronic Federal Tax Payment System (EFTPS) website. The time to change your old, reused, vulnerable, weak, or compromised passwords is now, not next week or “when you get around to it.”

Before you naively presume that nobody is out there trying to crack your password, consider the fact that password cracking software is readily available online for use by hackers (and occasionally by companies that are on the lookout for weak passwords being used by employees). Those programs include L0phtCrack, Cain, and John the Ripper … all designed to crack passwords (and sometimes credit card numbers) using brute force, dictionary attacks, rainbow tables, and other means.

How to Create a Secure Password

Never trust yourself to generate your own secure password. Our brains are simply not programmed to think randomly, and any password that makes sense to you is easy to crack. Some people even think that including a foreign-language word in their password will make it secure, perhaps presuming that hackers only reference English language dictionaries (even though English may be far from their native languages). My recommendation is to use a secure online password generator such as the Secure Password Generator: https://passwordsgenerator.net/

The Secure Password Generator will allow you to choose any length (from 6 to 2,048 characters) and choose the types of characters that will be allowed (or excluded, if a site does not permit certain characters), then generate the password on your own computer.
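
As an added illustration of what such a generator does under the hood (this is my own example code, not the code of the generator site linked above), the following Python draws every character from the operating system's cryptographic random source and lets you select or exclude character classes the way the site's options do. The class names, the symbol set and the function names are my own assumptions; a generator that redraws until every selected class is present is one common way to satisfy "must contain a digit" rules without biasing where that digit lands.

```python
import secrets
import string

# Character classes a generator lets you switch on or off.  The class names
# are my own (assumed); the symbol set is one common choice, not a standard.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}
DEFAULT_CLASSES = ("upper", "lower", "digits", "symbols")


def build_alphabet(classes, exclude=""):
    """Union of the selected classes, minus characters a particular site forbids."""
    alphabet = "".join(CLASSES[name] for name in classes)
    return "".join(ch for ch in alphabet if ch not in exclude)


def generate_password(length=16, classes=DEFAULT_CLASSES, exclude=""):
    """Random password from the OS CSPRNG via `secrets` (never `random`).

    Rejection sampling: draw uniformly from the whole alphabet and redraw
    until every selected class appears at least once.  That satisfies
    "must contain a digit" rules without the slight bias of forcing one
    character per class into the string and shuffling.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of selected classes")
    pools = [set(build_alphabet([name], exclude)) for name in classes]
    if any(not pool for pool in pools):
        raise ValueError("a selected class has no characters left after exclusions")
    alphabet = "".join(sorted(set().union(*pools)))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(pool & set(candidate) for pool in pools):
            return candidate


def classes_present(password, classes=DEFAULT_CLASSES, exclude=""):
    """Names of the selected classes that actually appear in `password`."""
    return tuple(name for name in classes
                 if set(build_alphabet([name], exclude)) & set(password))


if __name__ == "__main__":
    print(generate_password())                                        # 16 chars, all four classes
    print(generate_password(24, ("lower", "digits"), exclude="0o1l"))  # no look-alike characters
```

The `exclude` parameter covers the case the post mentions, a site that forbids certain characters: the forbidden characters are removed from every class before drawing, and the call fails loudly if an exclusion empties a class rather than silently producing a password that can never meet the site's rule.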

How to Store Your Passwords

Once you generate a highly secure password, keeping it written down on a sheet of paper or in a Word document on your computer is like leaving the keys for Fort Knox at a lost and found counter. You need a way to store and access your passwords safely, relatively easily, and securely. I recommend the use of a password safe. Three of the best are LastPass, Dashlane, and Keeper.

LastPass – https://www.lastpass.com/
Dashlane – https://www.dashlane.com/
Keeper – https://keepersecurity.com/

All three work with Windows, Mac, iOS, and Android operating systems; have plugins for popular browsers; include two-factor authentication; include form-filling; offer fingerprint login on mobile devices; and have free versions.

The idea with a password safe is that you have only one highly secure master password to remember. Thanks to geolocation, if you log in to your account from an unfamiliar IP address, the two-factor authentication will kick in, requiring you to confirm your identity before being allowed access. In my own instance, 12 attempts to log in to my account over the last 6 months have been thwarted – 3 from Vietnam, 2 from China, 2 from Brazil, and one each from Argentina, Georgia, Ukraine, The Philippines, and the United States (North Carolina). Do not think for a moment that there are not people out there actively trying to hack into your accounts. They are out there and they are everywhere.

Access to our personal data is far too important to be left to chance, and I am hoping that this article might help to open the eyes of a few disbelievers. People who are ahead of the curve when it comes to planning are already taking measures to ensure the longevity of access to their data, even as new biometric methods such as fingerprint and iris recognition are coming into play. According to a survey taken by the University of London and cited in Wikipedia, one in ten people are now including password access or recovery information in their wills. My best advice is to think toward the future, but to start changing your way of thinking today.

This post was written by Peter Pelland

Passwords: First Line of Defense against Identity Theft

February 14th, 2017

Passwords have come a long way since the days of Prohibition, when a knock on the door of a speakeasy required the necessary password for entry and the consumption of illegal liquor. Today, we use passwords and personal identification numbers for just about everything online, in an effort to protect the privacy of our personal information.

Identity theft has grown rampant, proliferating at a time when almost every personal or business transaction passes through one or more computer networks. According to the Federal Trade Commission’s latest annual report (covering the 2015 calendar year, with the 2016 report due out in February 2017), there were 480,000 identity theft complaints filed during that time period. Of these, 45% involved tax- or wage-related fraud, 16% involved credit card fraud, 10% involved phone or utilities fraud, 6% involved bank fraud, and 4% involved loan fraud.

One recent report surmised that 15 million Americans have become the victims of identity theft in 2016. That means that 7% of all adults have been victimized in this year alone, with an approximate per-instance loss of $3,500.00. On average, these people spend an additional $500.00 and 30 hours of time trying to recover their identities and make their private information less vulnerable.

Start with Your E-Mail Passwords

My company provides e-mail hosting services through Google and Rackspace for our website hosting clients, and it is rare for a few days to pass without being contacted by a client who has purchased a new computer or mobile device but has misplaced an e-mail account password. For obvious reasons, we do not store those passwords, and we strongly advise our clients to keep records of their passwords in a secure location. Our only option is to assist with changing the lost password, which will then require that passwords be updated on any other actively used devices.

When setting up those e-mail accounts (or updating a password), clients are often annoyed that we will not agree to use a weak password like 123456, abc123, password, passw0rd, qwerty, steelers, yankees, football, baseball, camaro or firebird. (Yes, those are actual passwords that consistently show up on compiled lists of weak passwords.) In fact, Google’s Gmail will not allow an admin to use a password that is made up of fewer than 8 characters (although there are no further password security requirements beyond this minimum length).

Some people make an attempt at generating a secure password that they can still remember. For example, they might concoct “AIwfCim2ft” from “All I want for Christmas is my 2 front teeth.” The rule of thumb is to use something that is both easy to remember and difficult to guess. This is definitely a step in the right direction, but something totally random that also uses special characters and spaces would be even better, although far less memorable.

Secure passwords will provide a layer of protection against some bad character obtaining your password and hacking into one of your accounts, but they are of far less value in protecting your identity should your account be one of thousands (or millions) compromised in a major data breach.

Hacks Happen

You do not need to be Sony Pictures getting under the skin of Kim Jong Un. Big companies are routinely targeted by hackers from around the globe, putting the security of their subscribers at risk when a breach occurs. In general, big businesses take extraordinary measures to attempt to maintain the utmost security standards, but it is an ongoing game of cat and mouse. For example, Facebook alone has paid out over $5 million to date in its not-highly-publicized Bug Bounty program, where it pays independent “white hat” hackers to identify and repair security vulnerabilities.

That is an example of what one big online business is doing; however, your own personal security is to a great degree your own responsibility. You will want to routinely check (and often disable) loose security settings when you buy a new computer or mobile device or when you upgrade one of those to a new operating system. Keep in mind that settings that benefit convenience and ease of use are very often directly at odds with the safeguarding of your personal security.

There are many ways that passwords can be hacked online. The most common technique is the use of dictionary attacks, where commonly used words are highly vulnerable and easily uncovered. Another technique consists of using the brute force of computing power and sophisticated software to run through every possible combination of characters. The more bits of data involved (directly proportional to the number and random nature of characters), the longer it will take to hack a password. Complex character combinations and the use of encryption slow down, but will not prevent, the disclosure of a password to a determined intruder.
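
To put numbers on the paragraph above, here is an added example (my own code, not from this post or from any tool it mentions) that estimates the keyspace in bits for a brute-force search over a password's character classes and, separately, for a dictionary attack, and converts both to an expected cracking time at an assumed guess rate. The guess rate, the wordlist size and the variants-per-word figure are constructed assumptions for illustration, not measurements; the point is the shape of the numbers: brute-force cost doubles with every added bit and so grows exponentially with length, while dictionary cost does not depend on the length of the word at all.

```python
import math

# Constructed figures for illustration only: an assumed offline guessing rate
# and assumed wordlist / variant counts.  None of these are measurements.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes an attacker must cover once they know (or assume) which
# character classes the password draws from.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 = printable ASCII punctuation + space


def charset_size(password):
    """Smallest alphabet that contains every class present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_bits(password):
    """Keyspace in bits if the password were truly random over its classes."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(wordlist_size, variants_per_word):
    """Keyspace in bits when the password is a wordlist entry with a few
    predictable tweaks (capitalisation, appended digits): the length of the
    word no longer matters, only the number of candidates to try."""
    return math.log2(wordlist_size * variants_per_word)


def expected_years(bits, rate=ASSUMED_GUESSES_PER_SECOND):
    """Mean time to hit the password: half the keyspace divided by the rate."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


def cost_estimate(password, wordlist_size=100_000, variants_per_word=1_000):
    """Both views of the same password: what it costs if it is genuinely
    random, and what it costs if it is really a wordlist word with tweaks."""
    bf = brute_force_bits(password)
    dc = dictionary_bits(wordlist_size, variants_per_word)
    return {
        "brute_force_bits": bf,
        "brute_force_years": expected_years(bf),
        "dictionary_bits": dc,
        "dictionary_years": expected_years(dc),
    }


if __name__ == "__main__":
    # Same character classes, very different real-world cost once the first
    # one is recognised as a team name plus a year.
    for pw in ("Steelers2014", "Kq7#mVz2@pL9wX!e"):
        r = cost_estimate(pw)
        print(f"{pw!r}: {r['brute_force_bits']:.1f} bits if random "
              f"(~{r['brute_force_years']:.2e} years); "
              f"{r['dictionary_bits']:.1f} bits if it is a word with tweaks "
              f"(~{r['dictionary_years']:.2e} years)")
```

Note the asymmetry the post's author is warning about: a 12-character "Steelers2014" looks like some 70 bits on paper, but an attacker who tries wordlist entries with a year appended needs only the dictionary-sized keyspace, which is a fraction of a second at the assumed rate.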

There are actually times when a company or individual needs to recover a lost password, and there are other instances where law enforcement needs to crack a password in order to uncover criminal activity. We are all familiar with the FBI vs. Apple Computer encryption debate, involving a cell phone owned by one of the shooters in the December 2015 San Bernardino, California terrorist attack. Whether used for good or bad, there are dozens of free, open-source brute force hacking tools that can be easily found and downloaded online. Their existence and ease of access should provide a wake-up call to any computer or mobile device user.

Just in case you think that one of your own passwords is “secure enough”, enter it into this online tool for what will probably be a rude awakening:
https://howsecureismypassword.net/

Minimum Standards

The minimum standards for password security that are generally considered acceptable today involve the use of at least 12 (preferably 16) entirely random characters (a mix of upper and lower case letters, numbers, spaces and special characters), never including a dictionary word or a repeated sequence, and with no password used in more than one application.
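
The standards above (and the very similar rules in the "What Constitutes a Secure Password?" section of the November post) can be turned into a mechanical check. The following is an added example, my own code rather than anything from this post or from a named password manager; the wordlist and the "already used" set are constructed stand-ins for a real dictionary, a breached-password list and a password manager's vault, and the threshold constants simply encode the numbers stated above.

```python
import re

MIN_LENGTH = 12        # the stated floor
PREFERRED_LENGTH = 16  # the stated preference

# Constructed, deliberately tiny wordlist; a real check uses a large dictionary
# plus breached-password lists.
WORDLIST = {"password", "steelers", "yankees", "football", "baseball",
            "camaro", "firebird", "qwerty", "welcome", "dayton"}

# Constructed: passwords this user already uses elsewhere (a password manager
# can supply these).  Kept in the clear here only to keep the example short.
ALREADY_USED = {"Kq7#mVz2@pL9wX!e"}


def contains_dictionary_word(password, wordlist=WORDLIST, min_len=4):
    """Case-insensitive substring match, repeated after undoing the usual
    digit-for-letter swaps so that 'passw0rd' and 'C@maro' are caught too."""
    lowered = password.lower()
    unleet = lowered.translate(str.maketrans("013@$", "oieas"))
    return any(w in lowered or w in unleet for w in wordlist if len(w) >= min_len)


def has_repeated_sequence(password):
    """True for 'abcabc', '1212' (a unit of two or more characters repeated
    back-to-back) and for 'xxx' (one character three or more times)."""
    return re.search(r"(..+?)\1|(.)\2\2", password) is not None


def character_classes(password):
    """Which of the four classes appear in the password."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")   # punctuation and space
    return classes


def check_password(password, already_used=ALREADY_USED):
    """Return the list of rules the password breaks; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < PREFERRED_LENGTH:
        problems.append(f"shorter than the preferred {PREFERRED_LENGTH} characters")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if has_repeated_sequence(password):
        problems.append("contains a repeated sequence")
    if password in already_used:
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    for pw in ("Steelers2014", "passw0rd", "Rt4$nHq8!bWz6^Yc", "Kq7#mVz2@pL9wX!e"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

A checker like this belongs on the enrolment path of a site as much as in a password manager: rejecting "Steelers2014" at signup costs the user a moment, whereas letting it through costs the user the account.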

There are several online tools that will assist you in generating secure random passwords. Using one of these tools, I just generated a random 16-character password that I then entered into the secure password test site (shown above). According to that site, the password that I entered would take 41 trillion years to crack. Here are two such password generator tools. Give one of them a try:

Password Generator – https://passwords-generator.org/
Bitwarden Password Generator – https://bitwarden.com/password-generator/

Storing Passwords

The best advice for keeping track of your cryptic passwords is to always maintain a written paper record in a very secure location. To simplify your life, you can also use one of several password managers that will allow you to encrypt and store all of your passwords in one secure location. You will only have to remember one password to access your files. (If you have been following along and learning from what I have written, that password will meet the standards that I have outlined above.)

The following are some of the best free password managers. They all work across multiple devices. Compare their features and choose one:

LastPass
Dashlane
KeePass

Bear in mind that even these password managers are vulnerable to hackers; however, in one documented security breach, only users with weak passwords were impacted. We are over a month into a New Year. Resolve to at least take a step in a positive direction when it comes to your online security.

This post was written by Peter Pelland

10 Ways to Avoid Identity Theft

December 19th, 2014

If you follow the news, you are aware of massive security breaches that have taken place at major retailers in recent months. And then there is the Sony Pictures nightmare that has been in the news this week. You are probably also aware that your own personal identity is at risk in so many ways. Short of withdrawing from society and moving into a cave or feasting off coconuts on your own private island, it is probably a good idea to take some reasonable precautions to help to prevent hackers from cloning your personal identity or making you a victim of cyber-crime. Here are a few precautions that will help you to survive in this threatening environment.


  1. Always choose a strong password. It should never be a common word or an easily recognized string of numbers like your phone number or birthday. Use a randomly generated string of at least 8 characters that include a combination of upper and lower case letters, numbers, and special characters such as ^, #, _ and $. Use a unique password for every account, avoiding the tendency to use a common password. My rule is that, if the password involves a secure account that allows online transactions, give it an extremely strong, unique password. If the account involves online banking, stock trading, or tax filing, make your password ridiculously secure.
  2. If an account (such as your online banking) uses security questions, choose the most bulletproof options available, not questions with answers that are commonly known. You want to go with things like your maternal grandmother’s middle name, not the name of the city where you were born.
  3. Steer clear of unsolicited e-mails and unknown websites. Never download a file from an unfamiliar site, and do NOT open attachments, click on links, or unsubscribe from unsolicited e-mails. Any of those actions can lead to the installation of spyware, malware, botnets or viruses on your computer.
  4. Look for secure sites and the https protocol. Be sure that the URL begins with https before EVER entering your credit card number for payment.
  5. Keep your computer and mobile devices clean by promptly installing updates for your hardware, operating system, software and Web browsers. To run old versions of any of these represents a high level of risk. If you are running a Windows computer, there will usually be daily updates, and a major pack of security updates is issued the second Tuesday of every month, commonly known as “Patch Tuesday”. These updates are essential to your online security.
  6. If your business conducts e-commerce or accepts online payments, you have additional responsibilities that could impact your customers. For example, an Internet security issue commonly referred to as POODLE was identified in October. If your Web server was still running SSL V3 (an outdated version of the protocol), visitors using Internet Explorer 6 (an outdated browser) were exposed to hackers gaining access to what they presumed was a secure connection.
  7. Be sure that your office meets PCI (payment card industry) compliance standards. Never keep records of your customers’ credit card numbers. If you ever have to write down a customer’s credit card information – for example, if you are provided with that information over the phone – do not leave your desk before that information has been completely destroyed in a cross-cut paper shredder.
  8. How do you recycle or dispose of old computers? If you simply give them away or pay a disposal or recycling fee at your local landfill, where does your computer go? What kind of data are you leaving behind on its hard drive … for somebody to later recover? Before you ever part with a computer, it is essential that you first totally wipe all content from its hard drive(s). You cannot simply delete files or format the drive and then think that your data is gone. It is essential that you use a disk wiping or data shredding application that supports the latest Department of Defense standards. Even then, you would be amazed at how much data would still be recoverable if, say, you were a criminal and law enforcement were examining your computer to gather evidence. In your case, you want to protect your personal data from a hacker, who could be across town or scavenging a cyber-landfill across the globe. Some of the best software to use includes Disk Wipe, Darik’s Boot and Nuke, and Hard Drive Eraser … all free downloads that can be easily found online.
  9. What did you do with that old broken office copier? Did you realize that nearly every digital copier, fax, or multi-purpose office machine built since 2002 contains a hard drive? Like most people, you have probably made copies of your tax returns, credit applications, and other documents that contain your social security number and other highly personal information. A CBS News investigative report from back in 2010 exposed this vulnerability and how easy it was for anybody to purchase a used copier and then have full access to the contents of its hard drive. In the report, used copiers were purchased at bargain prices from a warehouse in New Jersey (one of 25 throughout the country), some of which contained classified law enforcement and private health records. The lesson learned was that, if your office has an MFP (multi-function peripheral) device that is at its end-of-life, take measures to ensure that its hard drive is destroyed.
  10. Finally, every computer in your office and every mobile device that you own should be running the latest version of a robust anti-virus software package that will be continually updated, typically several times per day. Sadly, the most common anti-virus products that come pre-installed on many computers or sold over the counter at office supply and computer stores are highly ineffective. I use (and highly recommend) Avast, a full-featured security suite for Windows computers, Macs, and the full range of mobile devices. It is available as a free download, with free updates (although, if you are not careful, you might click on a link for a paid upgrade that you do not need).

If you know anybody who has ever been the victim of cyber-crime or identity theft, you know how important security measures such as these can be. If you were unfamiliar with one or two of these ten security tips – and implement the recommended precautions – you will be on your way to enhancing both your personal security and that of your business.

This post was written by Peter Pelland