Passwords: should you use the one you want?

If you are choosing a password, you can check to see whether the password you want to use has ever been used before. Just go to the Have I Been Pwned website and follow the Passwords link. They now have a list of the passwords that have been breached. You can test your password against it, and it will tell you if it has been breached. It will also tell you that it may not be a good password even if it has not been breached.

Here is what you get if your password has been used before and found on a breach list:

Have I been pwned Pwned Passwords - yes

Here is what it looks like if it hasn’t:

Have I been pwned Pwned Passwords - no
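
The same lookup can be scripted through the service's range API, which goes a step beyond the web form described above: only the first five characters of the password's SHA-1 hash are sent, and the match is made locally. This is an added example, not code from the original post; `fake_fetch` and the sample response (counts included) are constructed so it runs offline, standing in for a GET to https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib

# Constructed stand-in for the response to a range query on prefix 5BAA6.
# Each line is "<35-hex-char hash suffix>:<times seen>"; counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
             + "A" * 35 + ":3\r\n"
             + "not-a-valid-line\r\n",
}
SENT = []  # records what would have left the machine


def fake_fetch(prefix):
    """Hypothetical offline replacement for the HTTP request."""
    SENT.append(prefix)
    return SAMPLE_RANGES.get(prefix, "B" * 35 + ":1\r\n")


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.upper()
        is_hex = all(c in "0123456789ABCDEF" for c in suffix)
        if sep and len(suffix) == 35 and is_hex and count.isdigit():
            found[suffix] = int(count)
    return found


def pwned_count(password, fetch_range):
    """How many times the password appears in the breach list (0 = not found)."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # the password and full hash never leave
    return parse_range(body).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "a long passphrase nobody has used 7391"):
        print(candidate, "->", pwned_count(candidate, fake_fetch))
    print("prefixes sent:", SENT)
```

A count of 0 only means the password is not on the breach list; as the post says, it may still not be a good password.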

Another Data Breach

By now you have heard there was another data breach reported … from Yahoo. This is the biggest breach to date. A while ago they reported a breach of 500 million accounts after which they had contacted people asking them to change their passwords. It turns out there were more than a billion accounts hacked. This included names, usernames, passwords, phone numbers, emails, security questions/answers, backup emails.

If you haven’t already after the breach reported in September, you need to change your password. NOW. If you are using this email account for any other account, you need to change the other accounts as well. People tend to use the same username/email/password combinations. The Victor crew also advises you to turn on 2-step verification. That way if anyone does get into your account, you can be notified.

Bottom line, if your identity and information mean anything to you, make sure to keep your information as secure as you possibly can. Use a password manager. Use a different password for every site.

Here is what the latest email from Yahoo looked like:

NOTICE OF DATA BREACH

Dear [Name of User],
We are writing to inform you about a data security issue that may involve your Yahoo account information. We have taken steps to secure your account and are working closely with law enforcement.

What Happened?
Law enforcement provided Yahoo in November 2016 with data files that a third party claimed was Yahoo user data. We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data. Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with a broader set of user accounts, including yours. We have not been able to identify the intrusion associated with this theft. We believe this incident is likely distinct from the incident we disclosed on September 22, 2016.

What Information Was Involved?
The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. Not all of these data elements may have been present for your account. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system we believe was affected.

What We Are Doing
We are taking action to protect our users:
• We are requiring potentially affected users to change their passwords.
• We invalidated unencrypted security questions and answers so that they cannot be used to access an account.
• We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.

What You Can Do
We encourage you to follow these security recommendations:
• Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account.
• Review all of your accounts for suspicious activity.
• Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
• Avoid clicking on links or downloading attachments from suspicious emails.
Additionally, please consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For More Information
For more information about this issue and our security resources, please visit the Yahoo Security Issues FAQs page available at https://yahoo.com/security-update.

Protecting your information is important to us and we work continuously to strengthen our defenses.

Sincerely,

Bob Lord
Chief Information Security Officer
Yahoo

Passwords

Yes, another article about passwords. There seem to be new breaches every week of major sites where passwords are compromised. The Victor crew wants to bring home some information about this.

Only 29 percent of consumers change their password for security. The reason most people change their password is because they forgot it. In an interesting study, Type A and Type B personalities offer different insights.

Type A
Bad password behavior stems from their needing to be in control. They believe they are organized but this puts them at risk. 35% of them reuse passwords because they want to remember them all. Detail oriented people have a system to remember passwords (maybe not such a bad thing).

Type B
Their bad password behavior comes from convincing themselves that their accounts matter little to hackers. They prefer a password easy to remember.

Many people know their password is bad yet they use it anyway. Many were found to include initials, names, pet’s names, important dates, and other information readily available on social media sites.

The longer and more complex the password, the harder it is to crack.

The Victor crew

https://www.helpnetsecurity.com/2016/09/29/risky-password-practices/

In the News …

Some items the Victor crew came across this week:

Netflix
Under a ruling of the Ninth Circuit Court of Appeals, sharing passwords for Netflix can now be considered a federal crime.

Netflix already allows two screens to play in a regular account with two household users. It costs another $2 per month to add two more household members.

The sharing limitations also apply to HBO Go.

Avast
Avast just acquired AVG. For the uninformed, they are both computer security companies whose products you can run for free. The companies have been confused with each other in the past because of the similarities of their names (both start with AV). (There is yet another free antivirus program starting with AV: Avira, started in the 1980s in Germany.) Avast and AVG were originally from two different cities in the Czech Republic. AVG came first; both were started in the late 1980s.

In the News…

Sometimes we just like to give a few tidbits of info. Here are some that the Victor crew has found.

Windows 10 free upgrade ends July 29. After that you will have to shell out $119. How-to Geek has a fix for you if you decide to try it later on but don’t want to pay for it. www.howtogeek.com/

Last week there were articles about over 250 million email accounts being breached, including Google, Yahoo, and Hotmail. It was later reported that most of the stolen account information didn’t match up with the passwords. If you are ever in doubt about whether you’ve been compromised, here is a handy little tool to check: haveibeenpwned.com/. Better yet, turn on 2-step verification. It may be a little bit of a pain to get started, but once your device is authorized, there is nothing more to do.

This isn’t really news but a bit of trivia. You may see sites that have TL;DR popping up here and there. What does this mean? It means Too Long; Didn’t Read. It is editor shorthand notation when they indicate a passage is too long to invest the time to read it.

Password security

The Victor crew has written about passwords several times in the past. Here is an older article that can stand the test of time regarding security and passwords: http://www.wired.com/2012/11/ff-mat-honan-password-hacker/. Even though this was about 3 1/2 years ago, the knowledge and wisdom Mat imparts is timeless.

Through these years, there hasn’t been much more change in how to secure passwords. You should probably consider what is called 2-step or 2-factor verification to secure your most used sites like Apple or Google. You can also get it for Facebook, Twitter and other sites.

What you will need to do is make sure they have a phone number that they can send a verification code to. Then you will use this code to register your device. You won’t be asked for this code again once the device is registered.

Are Smartphones taking too much from us?

Recently in the news, the Victor Crew have seen a few articles that should cause concern over the way we let smartphones take over our lives.

The first is that a university in Utah has gone so far as to make a separate lane on the stairs and halls just for those texting while walking. Utah Valley University actually has three lanes: one for walking, one for running, and one for texting. While they say the students don’t actually follow the lines, it has stirred up a lot of buzz across the internet. http://blogs.uvu.edu/newsroom/2015/06/17/uvu-photograph-goes-viral/

Another article tells about a security flaw in Apple’s iOS and OS X systems, found by six university researchers, that allows malicious apps to gain access to anything saved in the Keychain. The apps containing the malware were uploaded to Apple’s App Store without triggering alarms. When installed, such an app can raid the Keychain and steal passwords, including those saved in the Google Chrome browser and in password vaults. The Google Chromium team has responded by removing Keychain integration for Chrome. http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/

The third and most startling article is about a teenager in Canada who lost his life over a stolen smartphone. Jeremy Cook lost his phone in a taxi and tracked it to a strip mall through his tracking app. He approached the car where he believed his phone to be and confronted the people in the car. As they started to drive away, he held onto the handles of the car and was shot to death in the parking lot. The phone was later found in the car, which had been crashed and abandoned.

If something happens, sure you can use your tracking app to try to find it, but call the police before attempting to retrieve it. Use your app to lock it and wipe the data as well.

Some words of wisdom concerning passwords

Strong passwords are not easy to come up with and even harder to remember. Komando.com has some suggestions.

Don’t make passwords easy to guess. People are still using passwords like 123456 or other easy passwords.
Make passwords 8 characters or more. They should be different types of characters and include upper case, lower case, numbers, and symbols.
Don’t use the same passwords everywhere. Use a unique password for every account.

Consider a password manager like LastPass, KeePass, Dashlane, or 1Password. You can even have your password manager generate a strong password for you. As long as you make your main password for the manager complex, you won’t even have to know your passwords.

Jody Victor

The Worst Password list

Every year, SplashData comes out with a new list of “worst passwords” for the year. The list for 2013 is out now. Their data is taken from “millions of stolen passwords posted online.” Is yours one of them?

The password “password” has fallen to #2 this year as “123456” has taken the number one spot. In light of the recent credit card numbers being breached from retailers, are they able to use your number to try to log into your accounts too?

They suggest you use a different password for every site. Don’t use the same password for entertainment sites as you do for email or banking sites. Too hard? Try a password manager like SplashID Safe or LastPass.

~ Jody Victor

Passwords and Chrome

If you are using Chrome and haven’t signed out of the browser, and you share your computer or your computer is stolen, then you have shared any passwords you have saved in the browser. Anyone can simply go to chrome://settings/passwords to view the passwords you have saved. There is no other security applied.

Firefox is different. There you can set a master password that you have to enter before you can see the saved passwords. This adds a layer to Firefox’s security.

IE encrypts passwords and you can’t easily view them. You can download IE Passview to see them.

The bottom line is, if you share a computer or travel with your laptop, make sure you are logged out of all your browsers and logged out of the operating system. Make sure all user accounts are password protected.

~ Jody Victor

Jody Victor® finds tools to simplify your life

Jody found a site with some great tools to make your time on your computer more productive.

Here are the highlights:

Jody hopes you will take the time to read this article from LifeHacker.

Jody Victor® warns against using the worst passwords

Jody Victor found there is an annual list of the Internet’s Worst Passwords.

Here is this year’s top 25 worst passwords for 2012 ranked in order:
1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael
23. ninja
24. mustang
25. password1

This list was compiled by SplashData from files containing millions of stolen passwords posted online by hackers.