Tag Archive for Password

Passkeys: The Future of Online Security

I have been writing about the impact of bad passwords since 2010. One of the most appalling bad-password statistics comes from the Identity Theft Resource Center (ITRC), which has tracked over 1 billion data breach victims in the first half of 2024. Enough is enough: there is finally a workable answer to passwords, and it is passkeys.

Passkeys were developed by the Fast Identity Online (FIDO) Alliance to log in to apps and websites without using a username and password combination. Instead, a passkey uses a pair of cryptographic keys generated by your device to unlock your account. Google and Apple will store your unique public key. Your private key is only stored on your device, and after your device authenticates your identity, the two keys combine to grant you access to your account.

According to FIDO research, 38% of consumers are not familiar with passkey technology. A significant percentage of users do not understand passkeys, let alone trust them to protect their data and identities.

How passkeys work: A step-by-step guide

Unlike traditional passwords, passkeys utilize public-key cryptography. That means every passkey has two parts: a public key and a private key. Together, they keep your accounts secure by allowing websites and apps to check that you are who you say you are. Here’s an overview of the passkey process:

  1. Creation: When you create a passkey, your device generates a pair of cryptographic keys – a public key and a private key.
  2. Storage: Apps or websites store your unique public key, while your private key is only stored on your device. After your device authenticates your identity, the two keys combine to grant you access to your account.
  3. Authentication: When you log in, the app or website sends a challenge to your device. Your device uses the private key to sign this challenge, proving your identity without revealing the private key.
  4. Verification: The app or website verifies the signed challenge using the public key. If it matches, you’re granted access.
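The four steps above, worked through as an added example that is not from the original post or from the FIDO Alliance: a toy relying party and a toy authenticator in Go, using Ed25519 from the standard library. The credential ID, the origins and the simplified signed-data format are assumptions (real WebAuthn signs CBOR authenticator data plus a hash of clientDataJSON), but the checks shown are the ones that matter: a random single-use challenge, a signature bound to the site's origin, and a server that holds only the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// Server is the website (relying party). It knows its own origin, stores only
// public keys, and remembers the one outstanding challenge per credential.
type Server struct {
	Origin  string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register covers steps 1 and 2: the device makes the key pair; the server keeps only the public half.
func Register(s *Server, id string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[id] = pub
	return &Authenticator{priv: priv}, nil
}

// IssueChallenge is the server half of step 3: 32 fresh random bytes the device must sign.
func (s *Server) IssueChallenge(id string) ([]byte, error) {
	if _, ok := s.pubKeys[id]; !ok {
		return nil, fmt.Errorf("unknown credential %q", id)
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[id] = c
	return c, nil
}

// signedData is what actually gets signed: the origin the browser reports plus
// the challenge. Binding the origin is what makes passkeys phishing-resistant.
func signedData(origin string, challenge []byte) []byte {
	return []byte(origin + "|" + fmt.Sprintf("%x", challenge))
}

// Sign is the device half of step 3: the device signs origin+challenge and
// returns only the signature; the private key stays on the device.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(origin, challenge))
}

// Verify is step 4: check the signature with the stored public key using the
// server's OWN origin, and consume the challenge so a captured signature cannot be replayed.
func (s *Server) Verify(id string, sig []byte) bool {
	pub, ok := s.pubKeys[id]
	c, outstanding := s.pending[id]
	if !ok || !outstanding {
		return false
	}
	delete(s.pending, id)
	return ed25519.Verify(pub, signedData(s.Origin, c), sig)
}

func main() {
	s := NewServer("https://example.com")
	dev, _ := Register(s, "cred-1")
	ch, _ := s.IssueChallenge("cred-1")
	sig := dev.Sign("https://example.com", ch)
	fmt.Println("login:", s.Verify("cred-1", sig))  // true
	fmt.Println("replay:", s.Verify("cred-1", sig)) // false: challenge already consumed
	ch, _ = s.IssueChallenge("cred-1")
	sig = dev.Sign("https://examp1e.com", ch) // look-alike site relaying the real challenge
	fmt.Println("phished:", s.Verify("cred-1", sig)) // false: bound to the wrong origin
}
```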

The benefits of passkeys:

  • Strong by default: You don’t have to create anything manually or worry about whether your private key is long or random enough.
  • No Need to Remember: You only need to authenticate with biometrics (or your device passcode) to sign in to your account.
  • Private Keys Are Never Shared: You don’t have to worry about how the website is storing your credentials.
  • Public Keys Can’t Be Used to Figure Out Your Private Key: If a criminal breaches a website’s servers, the best they can hope to find is your public key. The public key cannot be used to sign in to your account. Nor can it be reverse engineered to reveal your private key.
  • Strong Defense Against Malware: Criminals often create fake but seemingly authentic websites to trick you into sharing your login details. A passkey is bound to the site it was created for, so it will not sign you in to a look-alike site, and there is no password for you to type into one.
  • Protection Against Ransomware: Many ransomware attacks start with social engineering emails. Once in, the attackers continue by installing keystroke-sniffing software that watches people enter their IDs and passwords. With a passkey there is no password to type, so a keylogger captures nothing it can reuse.
  • Improved User Experience: Signing in with a passkey is more convenient, faster, and smoother than using traditional passwords.

Why you should use a passkey instead of a password

Securing your online accounts is more important than ever in today’s digital age. Traditional passwords have been the go-to method for authentication for decades, but they come with several drawbacks. Here’s why you should consider using passkeys instead of passwords:

  • Enhanced Security: Passkeys use public-key cryptography, which involves a pair of cryptographic keys: a public key and a private key.
  • Convenience and Ease of Use: Remembering multiple complex passwords can be a hassle.
  • Protection Against Phishing: Phishing attacks are a common method used by cybercriminals to steal passwords.
  • Reduced Risk of Data Breaches: Data breaches often result in the exposure of millions of passwords.
  • Seamless Cross-Platform Experience: Passkeys are designed to work seamlessly across different devices and platforms.
  • Future-Proof Technology: As technology evolves, so do the methods used by cybercriminals.

Some consumers still don’t trust this form of security because they assume that anyone stealing their phone could log into their accounts. This isn’t true, as the criminal would still need your face, fingers, or eyes.

rb-

Even if you don’t fully trust passkeys, you should distrust your passwords more. It’s likely that your credentials have already been stolen and are on the dark web.

There is wide consensus in the tech community that passwords are an unsustainable security framework. Even password managers that let you use one strong master password could be at risk: some of them have been hacked, and once that happens the passwords they protect may no longer be secure.

A reasonable answer

A passwordless system is the only reasonable answer.

There is not a single passkey to solve all problems. You will have different passkeys for different systems and platforms.

However, this doesn’t really matter. The signup for passkeys is easy and consistent on all platforms in that there will never be a password attached to it. It will use the same biometrics you use for your other platforms, services, and their respective passkeys. In other words, it can feel like it’s one passkey for all online systems.

While passwords have served us well for decades, it’s time to embrace a more secure and convenient alternative. Passkeys offer enhanced security, ease of use, and protection against phishing and data breaches. By making the switch to passkeys, you can enjoy a safer and more seamless online experience. It’s true that the industry is still doing a poor job of explaining why you should embrace passkeys, but you should like them anyway, because passkeys will ultimately save your data and digital identity.

Are you ready to make the switch to passkeys? Let us know your thoughts!


Ralph Bach has been in IT for a while and has blogged from the Bach Seat about IT, careers, and anything else that has caught his attention since 2005. You can follow him on Facebook or Mastodon. Email the Bach Seat here.

Creating Strong Passwords is Good For You

You can buy a small padlock for less than a dollar, but you shouldn’t count on it to protect anything of value. A thief could pick a cheap lock without much effort, or simply break it. Yet many people use similarly weak passwords to “lock up” their most valuable assets, such as money and secrets. Fortunately, everyone can learn how to make and manage stronger passwords. It’s an easy way to strengthen security both at work and at home.

What makes passwords ‘Strong’?

We all hate the dreaded “you must change your password” email from IT. It must be at least 12 characters long. It must include numbers, symbols, and upper- and lowercase letters. You think of a word you can remember, capitalize the first letter, add a digit, and end with an exclamation point. The result: Strawberry1!

Unfortunately, hackers have advanced tools that can easily defeat passwords based on dictionary words (like “strawberry”) and common patterns, such as capitalizing the first letter.

Increasing the complexity, randomness, and length of a password makes it stronger and more resistant to hackers’ tools. You can see this in the table below from MyITRisk.com: an attacker could guess an eight-character password in 8 seconds, but a 12-character password would take four years to guess.

Password space (characters)   Length (required characters)   Defeated in
26 (a-z)                      8                              0.0077 seconds
52 (a-z, A-Z)                 8                              2 seconds
62 (a-z, A-Z, 0-9)            8                              8 seconds
26 (a-z)                      12                             59 minutes
52 (a-z, A-Z)                 12                             168 days
62 (a-z, A-Z, 0-9)            12                             4 years
26 (a-z)                      16                             51 years
52 (a-z, A-Z)                 16                             91 years
62 (a-z, A-Z, 0-9)            16                             55,988.220 years
Source: MyITRisk.com


It is also important to pay attention to password complexity and unpredictability. You want to avoid common substitutions (e.g., ‘a’ to ‘@’, ‘s’ to ‘$’), because cracking tools try those first.

Why Uniqueness Matters

People reuse passwords across many accounts. This risky behavior opens the door for attackers: a single password, even a strong one, can give access to valuable accounts. Password reuse can lead to a domino effect of account breaches.

Reusing passwords, even strong ones, can leave accounts exposed to attacks.

Here’s a real-life example

Ten years ago, Daisy joined an online gardening forum. She also created an online payment account and used the same password. She soon forgot about the gardening forum. But, someone accessed her payments account years later and stole a lot of money.

Daisy didn’t know someone had hacked the gardening forum. The hackers leaked users’ logins online. An attacker likely tried reusing Daisy’s leaked password on popular sites. Eventually, the attacker got lucky.

Guarding your passwords

  1. Don’t write them down. Many write passwords on post-it notes and leave them in plain sight. Even if you hide your password, someone could still find it. Similarly, don’t store your login information in a file on your computer, even if you encrypt that file.
  2. Don’t share passwords – You can’t be sure someone else will keep your credentials safe. While at work, you may have to take responsibility for anything that occurs when someone is logged in as you.
  3. Don’t save login details in your browser. Some browsers store this info in unsafe ways. Another person could access your accounts if they get your device.

Tips for keeping passwords secure

Consider sharing these password tips with family and friends.

  1. Never reuse passwords – Create a unique, strong password for each account or device. This way, a single hacked account doesn’t endanger other accounts.
  2. Create long, complex passwords. Don’t use passwords based on dictionary words, pets’ names, or personal information. Attackers can guess them.
  3. Use a password manager. These tools can store and manage your passwords. They can also generate strong new passwords. Some can also notify you when a password might be compromised.

rb-

A strong password is the main barrier keeping most of your online accounts from being hacked. Without up-to-date practices, you might be using passwords that cyber-fraudsters can easily guess within minutes.

The average user creates passwords to fight data theft by switching up a few characters and trying to “Tr1Ck” their way into security. However, in today’s environment you need to create passwords that can withstand modern password theft methods. Today, cyber-criminals use sophisticated technology to get your passwords. Users must consider that the hackers’ software is designed to account for user behavior as it guesses your passwords.


Artificial Intelligence – Impact on Passwords

Artificial intelligence (AI) is revolutionizing our lives. Brookings says it is transforming every walk of life, including cybersecurity. In this blog post, we will explore how emerging AI technologies affect password protection. We also discuss strategies to enhance the security of our personal and professional data.

AI adds additional complexity to the security landscape. ISC2 found that 75% of cybersecurity professionals reported that artificial intelligence is already being used to launch cyberattacks and other malicious criminal acts. The threats include advanced password-cracking techniques like brute-force attacks and social engineering. Furthermore, AI-generated phishing attacks can deceive users into revealing sensitive information. Here are some strategies to bolster your defense mechanisms and protect your digital assets.

Enhanced Security Measures for Passwords

Let’s take a pragmatic look at some advanced security protocols:

Adapting CAPTCHA

CAPTCHA was originally designed in 2000 at Carnegie Mellon to distinguish humans from bots. It is evolving to stay effective amidst developing threats. The efficacy of traditional puzzles is diminishing as bots become more sophisticated. Google has revised the original CAPTCHA into reCAPTCHA.

Traditional CAPTCHAs face vulnerabilities including accessibility issues, automation bypass, user frustration, and limited effectiveness. Google’s reCAPTCHA addresses these by employing advanced risk analysis, adaptive challenges, and improved accessibility features. It also supports integration with Google services, enhancing security against automated attacks while ensuring a smoother user experience.

Multi-Factor Authentication (MFA) Adoption

You can fight artificial intelligence based attacks by implementing MFA and 2FA. These mechanisms offer an additional layer of protection beyond passwords. They require users to provide multiple forms of authentication such as biometrics or security tokens. This extra layer of verification significantly reduces the risk of unauthorized access, even if one factor is compromised. While effective, the implementation of MFA requires careful consideration of usability and security trade-offs.

Single Sign-On (SSO) Solutions

Another way to fight artificial intelligence is to implement a single sign-on (SSO) user authentication solution. SSO enables seamless access to multiple applications using a single set of credentials. While convenient, SSO implementations must be carefully configured and monitored to balance ease of use with security considerations. Single sign-on solutions pose risks like a single point of failure: if the SSO is compromised, access to multiple systems is jeopardized.

Passwordless Authentication to fight Artificial Intelligence hacks

Here are some alternative authentication methods:

One-Time Passwords (OTP)

A one-time password (OTP) can be a defense against artificial intelligence based attacks. OTP is an automatically generated string of characters that authenticates a user for a single transaction or login session. OTPs offer temporary authentication codes delivered via email, text, or authenticator apps. While effective, the reliance on external communication channels introduces potential vulnerabilities.

Magic Links

Sites set up with magic links are another way to fight artificial intelligence threats. Magic links ask users for an email address, not a password. Then the application generates a link with an embedded token and sends it via email. The user then opens the email, clicks the link, and is granted access to the given app or service. Magic links provide an alternative to traditional username/password authentication by leveraging email verification.

While user-friendly, this method may introduce security risks associated with email interception. It is weaker because email accounts remain prime targets for phishing and credential-stuffing attacks. An attacker who gains access to a victim’s email account can fraudulently use magic links to access other applications.
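An added example, not from the original post, of the token lifecycle a magic-link login needs in order to limit the interception risk just described: a Go implementation in which each token is random, stored only as a digest, bound to one address, short-lived and single-use. The hypothetical app URL and the sample address daisy@example.com are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// linkRecord is what the server keeps per issued link. The raw token is not
// stored, only its SHA-256 digest, so a leaked table yields no clickable links.
type linkRecord struct {
	email   string
	expires time.Time
	used    bool
}

// MagicLinks issues and redeems login links. Records are keyed by token digest.
type MagicLinks struct {
	ttl     time.Duration
	records map[[32]byte]*linkRecord
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewMagicLinks(ttl time.Duration) *MagicLinks {
	return &MagicLinks{ttl: ttl, records: map[[32]byte]*linkRecord{}, now: time.Now}
}

// Issue returns the URL to e-mail. The token is 32 bytes from crypto/rand, so
// it cannot be guessed; it is bound to one address and expires after ttl.
func (m *MagicLinks) Issue(baseURL, email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	m.records[sha256.Sum256([]byte(tok))] = &linkRecord{email: email, expires: m.now().Add(m.ttl)}
	return baseURL + "/login?token=" + url.QueryEscape(tok), nil
}

// TokenFromLink extracts the token when the link is clicked.
func TokenFromLink(link string) (string, error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", err
	}
	return u.Query().Get("token"), nil
}

// Redeem validates a clicked link and returns the mailbox that proved control.
// Unknown, used and expired tokens all fail with the same error. A token is
// marked used on first success, so at most one click ever succeeds: whoever
// clicks second (user or interceptor) gets an error instead of a silent session.
func (m *MagicLinks) Redeem(tok string) (string, error) {
	rec, ok := m.records[sha256.Sum256([]byte(tok))]
	if !ok || rec.used || m.now().After(rec.expires) {
		return "", errors.New("invalid or expired link")
	}
	rec.used = true
	return rec.email, nil
}

func main() {
	m := NewMagicLinks(15 * time.Minute)
	link, _ := m.Issue("https://app.example", "daisy@example.com") // constructed sample address
	tok, _ := TokenFromLink(link)
	email, err := m.Redeem(tok)
	fmt.Println("first click:", email, err) // daisy@example.com <nil>
	_, err = m.Redeem(tok)
	fmt.Println("second click:", err) // invalid or expired link
}
```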

Biometric Authentication

Biometric solutions, such as fingerprint or facial recognition, offer convenient and secure authentication. However, the reliance on hardware and platform compatibility may limit widespread adoption.

Biometric authentication relies on specialized hardware like fingerprint scanners or facial recognition sensors, leading to dependency on device compatibility and reliability. Ensuring consistent performance across various platforms and mitigating vulnerabilities in hardware are essential to maintain security and user trust.

Navigating the Transition

While the transition to passwordless authentication holds promise, it presents practical challenges and considerations:

Technological Investment

Adopting advanced authentication methods requires investment in new technologies and infrastructure. Organizations must weigh the benefits of enhanced security against the costs of implementation and maintenance.

User Acceptance

User acceptance plays a crucial role in the adoption of passwordless authentication methods. Organizations must prioritize user experience and provide adequate support and education to facilitate the transition.

Regulatory Compliance

Compliance with industry regulations and standards, especially in Europe, may influence the adoption of passwordless authentication methods. Organizations must ensure alignment with regulatory requirements while enhancing security measures.

rb-

In conclusion, the battle against artificial intelligence based cybersecurity threats is already here. Some steps can be taken to fight these challenges, though many of the new protections require changes to business as usual. By carefully evaluating the benefits and considerations of alternative authentication methods, organizations can navigate this transition effectively and safeguard their digital assets in an increasingly complex threat landscape.



How to Stay Safe While Christmas Shopping

The last-minute rush to finish your Christmas holiday shopping is here! The cyber-criminals know that too, so you had better make sure you’re not being silly with your cybersecurity. There are amazing deals to be found on the innerwebs, as well as online scams: the bad guys want to take advantage of the holiday season to steal your important information.

Mashable recommends that you do your own due diligence and use common sense while shopping online. Here are some basic steps to take while buying your last-minute Christmas holiday gifts.

Use familiar websites

To protect yourself while Christmas shopping online, start with a trusted website. Search results can be rigged. If you know the site, Mashable says chances are it’s less likely to be a rip-off. Do not trust results past the first few pages of links.

Most popular browsers display a small lock icon in the URL bar to identify a secure website, so be sure to look out for that. Also beware of misspellings or sites using a different top-level domain (.gq instead of .com or .au, for example). Those are the oldest tricks in the book and are likely phishing scams, designed to fool you into trusting them by dressing up as a website or service you trust. Yes, sales on these sites might look enticing, but that’s how they trick you into giving up your info.

Don’t overshare online

Be wary when online stores ask for more than they need. If a site’s checkout form includes data fields that aren’t in any way necessary for the transaction, that’s a sign you may want to reconsider the purchase. If those fields are marked as required, that’s worse. But if you are desperate to go ahead, Mashable recommends that you just lie: fill the irrelevant required fields with made-up data.

Avoid public Wi-Fi

Do not connect to public Wi-Fi to do your holiday shopping; you are better off shopping over your own home Wi-Fi. If you use public Wi-Fi, such as in a cafe or shopping center, there’s a chance your transaction could be captured by hackers. Even if you think you’ve connected to a known, safe Wi-Fi network, nothing prevents a scammer from setting up a portable Wi-Fi hotspot with the same SSID as your favorite coffee shop. Sometimes circumstances may require that you shop while out and about. Mashable says you can improve your security by turning off Wi-Fi and using only cellular data (4G/5G) while shopping.

Use a VPN

Even if you’re shopping on a familiar website from your home computer, there is still valuable information that can be scraped from your online interactions. Mashable says your IP address is often visible to anyone who knows where to look, and that this can provide cyber criminals with not only your exact location but often all the other devices connected to your network at any given time. To avoid this, Mashable’s simplest solution is to install a VPN (virtual private network), which encrypts your communications and, in their words, prevents any possibility of snooping. It’s also just a good habit to get into, as a good VPN provides protection without slowing down your network speeds too much.

Be password smart

Some shopping sites let you check out as a guest, just giving the one-time information needed for your transaction. Others require you to create a login identity complete with password and username. Remembering passwords is tough, so you may be tempted to just recycle the same password over and over. Don’t! Hackers know that many people indulge in password recycling. When attackers get credentials from one retailer, they quickly try the credentials at other, similar sites. If you don’t want to remember multiple passwords, the best solution to create strong, secure ones is to use a password manager.

Watch your back

Another benefit to shopping from home: nobody potentially looking over your shoulder. When you whip out your credit card and start typing the number into a website, nearby snoops have an opportunity to see and memorize the number. You can foil shoulder-surfers by staying alert, sitting with your back to the wall, and keeping your screen shielded. Better yet, use your password manager to fill in saved credit card data, while the card itself stays safe in your wallet.

Check your bank statements regularly

Don’t wait for your bill to come at the end of the month. Go online regularly during the holiday season and look at electronic statements for your credit card, debit card, and checking accounts. Look for any fraudulent charges, even originating from payment sites like PayPal and Venmo. (After all, there’s more than one way to get your money.) Always keep track of your purchases online, and you will know straight away if something is wrong.

Stay informed

Once you have yourself and your devices fully protected, take the next step. Online threats are becoming more and more sophisticated every year, and you need to ensure you’re up to date with all the latest threats, as well as tips and tricks from cybersecurity professionals. Follow a security blog that is consistently updated as the industry shifts and threats evolve.


World Password Day Tips and Tricks

World Password Day is May 5th. It’s the perfect time to educate yourself on best practices to build better online behaviors around password use. World Password Day is meant to remind everyone about the importance of protecting themselves through strong passwords.

Under lock and key

Creating strong passwords offers greater security for minimal effort. Proofpoint uses the example of a padlock. You can buy a small padlock for less than a dollar, but you shouldn’t count on it to protect anything of value. A thief could probably pick a cheap lock without much effort, or simply break it. And yet, many people use similarly flimsy passwords to “lock up” their most valuable assets, including money and confidential information.

Fortunately, everyone can learn how to make and manage stronger passwords. It’s an easy way to strengthen security both at work and at home.

What Makes a Password ‘Strong’?

Let’s say you need to create a new password that’s at least 12 characters long, and includes numerals, symbols, and upper- and lowercase letters. You think of a word you can remember, capitalize the first letter, add a digit, and end with an exclamation point. The result: Applejacks1!

Unfortunately, hackers have sophisticated password-breaking tools that can easily defeat passwords based on dictionary words (like “applejacks”) and common patterns, such as capitalizing the first letter.

Increasing a password’s complexity, randomness, and length can make it more resistant to hackers’ tools. For example, an eight-character password could be guessed by an attacker in less than a day, but a 12-character password would take two weeks. A 20-character password would take 21 centuries.

Uniqueness Matters

Many people reuse passwords across multiple accounts, and attackers take advantage of this risky behavior. If an attacker obtains one password—even a strong one—they can often use it to access other valuable accounts.
Here’s a real-life example: Ten years ago, Becky joined an online gardening forum. She also created an online payment account and used the same password. She soon forgot about the gardening forum, but someone accessed her payments account years later and stole a large sum of money.

Becky didn’t realize the gardening forum had been hacked, and that users’ login credentials had been leaked online. An attacker probably tried reusing Becky’s leaked password on popular sites—and eventually got lucky.

Guarding Your Passwords

  1. Don’t write them down – Many make the mistake of writing passwords on post-it notes and leaving them in plain sight. Even if you hide your password, someone could still find it. Similarly, don’t store your login information in a file on your computer, even if you encrypt that file.
  2. Don’t share passwords – You can’t be sure someone else will keep your credentials safe. At work, you could be held responsible for anything that happens when someone is logged in as you.
  3. Don’t save login details in your browser – Some browsers store this information in unsafe ways, and another person could access your accounts if they get your device.

Password tips for family and friends

Consider sharing what you’ve learned about passwords and ask family and friends about their cybersecurity knowledge or experiences.

  1. Never reuse passwords – Create a unique, strong password for each account or device. This way, a single hacked account doesn’t endanger other accounts.
  2. Create complex, long passwords – Passwords based on dictionary words, pets’ names, or other personal information can be guessed by attackers.
  3. Use a password manager – These tools can securely store and manage your passwords and generate strong new passwords. Some can also alert you if a password may have been compromised.
