SplashData has released their latest annual report on the most commonly used passwords. Unfortunately, the more things change, the more they stay the same. By now, everyone knows that the number of hacking attempts and high-profile data breaches are on the rise. Everyone has heard, on more than one occasion, how important it is to not use the same password across multiple web properties, to enable two-factor authentication if and where it is offered and to use passwords that contain a combination of letters, numbers and symbols in order to make them more difficult to crack. Although these are things that everyone knows, the wisdom embedded in the advice above often goes unheeded. According to the data collected by aggregating passwords leaked in data breaches over the past year, the most commonly used password for 2017 is "123456," followed closely by the ubiquitous "password." These are unchanged from last year. The rest of the top 25 list contains a mix of the old and the new, including:
SplashData's CEO Morgan Slain had this to say on the topic: "Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, 'starwars' is a dangerous password to use. Hackers are using common terms from pop culture and sports to break into accounts online because they know how many people are using those easy-to-remember words." Do yourself a favor and use a password manager. I highly recommend LastPass. It will store all of your passwords and it even allows you to generate completely random passwords that no one can remember. Use a long secure password for LastPass, and it'll be the "Last Pass"word you will ever need to remember.
0 Comments
If you can't trust your friends, who can you trust? No one, apparently. There's a new scam on Facebook that's making waves, and it's one you should be mindful of. You may get an "urgent message" from someone you know, asking for your help in recovering their Facebook account. This is a tried and true phishing scam, relying on some basic psychology. After all, if you get an earnest sounding message from someone you know explaining that you're listed as one of their "Trusted Friends" and as such, uniquely positioned to help verify their identity so they can get access to their account back, who wouldn't instinctively respond? This is exactly what the scammers are hoping for. The message goes on to explain that they're sending an unlock code to your email address, and they just want you to reset the password for them. Unfortunately, the unlock code is nothing of the sort. Instead, it triggers a password reset for your own account. If you click the link and "reset your friend's password," then reply back, helpfully telling him or her what the new password is, you've inadvertently given your own login information to the hackers. From there, the sky's the limit. What makes this latest scam particularly problematic is that so many other web properties allow you to use your Facebook login details to access them, which is a roundabout way of saying that you're using the same login credentials across multiple websites - one of the most basic and pervasive problems of user security in existence. There's no real defense for this other than vigilance, and if you see a message like this, simply ignore it. If your "trusted friend" genuinely needs help regaining control of their account, Facebook has resources to assist. Security researchers have found a new critical security flaw dubbed "Krack" (Key Reinstallation Attacks) that affects literally every WiFi router and smart phone in use today. The reason? The security flaw resides in the WiFi standard itself, rather than in a third-party product. In addition to being vast in scope and scale, Krack is a particularly nasty, versatile flaw, allowing hackers to intercept credit card numbers, passwords, photos and a whole host of sensitive personal information. It works like this: A hacker finds a vulnerable WPA2 network, and then makes an exact copy of it, including impersonating the MAC address. This clone then serves as a "man in the middle" allowing the hacker who controls it to intercept everything passing through it. WPA2 encryption requires a unique key to encrypt each block of plain text, but because Krack attacks make a copy that's indistinguishable from the original, they're able to use the same encryption key. As bad as that is, it gets worse for Android and Linux users. Thanks to a bug in the WPA2 standard, these devices don't force the client to demand a unique encryption key with each use. Instead, they allow the key to be "zeroed out," literally creating an encryption key containing all zeroes, which interferes with a key part of the handshake process. In addition to that, hackers can deploy specialized scripts that can cause the connection to bypass HTTPS, which leaves passwords and other normally protected data exposed. If there's a silver lining, it is that the attack can't be used to target routers directly, but honestly, that's not much of a silver lining, because the potential damage this new vector could cause is virtually without limit. Unfortunately, until a patch is released, there's not much you can do, short of turning off WiFi altogether. This may work for smartphone users, but it is simply impractical for routers. There's some good news, though. The fix should be relatively easy to implement, although no ETA has been given at this point. Equifax's problems just keep getting worse. Not long ago, the company suffered a major data breach that ultimately resulted in the CEO stepping down and a painful congressional grilling. Initial estimates placed the number of impacted users at some 143 million, but as the investigation has continued, it turns out that the numbers are even higher than initially feared. Based on the forensic teams final report, as many as 145.5 million users were impacted. In our modern society, there are many who would argue that your credit score is as important, if not more important than your social security number. To arrive at your score, the Big Three credit reporting agencies necessarily have to collect a large amount of sensitive information about people, so when they suffer from a breach, it's bad, and in Equifax's case, it just keeps getting worse. Based on the latest information, the compromised data included names, social security numbers, birthdays, and addresses. If that wasn't bad enough, some 200,000 customers saw their credit card information exposed, along with an unknown number of electronic documents containing Personally Identifiable Information (PII). To put these numbers in full context, Equifax maintains files on more than 800 million people around the world, along with more than 90 million businesses, so the breach, while catastrophic in size, wasn't nearly as bad as it could have been. That's a small consolation to the millions who have been impacted, but it's important to understand that as bad as the breach was, it was quite far from the worst case scenario. In the aftermath of the breach, the company has come under fire by the US Government, which has charged that the company actually stands to profit from it by selling a credit monitoring service after giving impacted consumers one year free. In light of the recent congressional hearings on the matter, the future of that program is unclear, but this breach, and its root cause (an unpatched Apache Struts 2 vulnerability) serves to underscore how easy it is for even big multinational companies to fall victim to a determined hacker. Late last year, Yahoo announced that it was the victim of the largest data breach in history. It impacted, by their initial estimates, fully one third of their user base, some one billion users. As it turns out, Yahoo’s estimates were wildly inaccurate. Literally every person who had a Yahoo account in 2013 was impacted, making the total in the neighborhood of three billion accounts (yes, that’s billion, with a “B”). If you’re a Yahoo user, and have had your account since 2013 or before, then your account was impacted, regardless of if you received a notification from the company. You may be tempted to simply delete your account, especially if it’s one you no longer use on a regular basis, but don’t. Yahoo’s policy is to recycle defunct accounts after thirty days, meaning your account can be hijacked by anyone if you delete it. The best bet is to change your password immediately and enable two-factor authentication to provide an added layer of protection. Also, if you’re in the habit of using the same password across multiple websites, be sure to change any that share your Yahoo.com account’s password. One of the first things a hacker will try is to use compromised credentials on other accounts. If you don’t take immediate action, you’re essentially handing the hackers the keys to your digital kingdom and opening yourself up to identity theft, compromised bank accounts and credit cards and more. In fact, this would be a great time to simply get out of the habit of using the same password across multiple web properties. It’s a bad habit, and if it’s one you’ve developed, then it’s time to make a change. True, it’s not as convenient, and having to remember multiple passwords can sometimes be annoying, but isn’t your digital security worth it? And the best way to maintain different passwords for each site is to use a password manager. I recommend LastPass. Click the link for a free month of premium. |
Ronnie MorganHi! I'm Ronnie, your PC Tech for Hire for the Montgomery, AL area! Let me know if you need my 25+ years of experience to help you with your computer needs. Archives
January 2018
Categories
All
|