Forget Everything You Knew about Safe Passwords

Last month, the author of the 2003 NIST password guidelines said that he got it wrong: the way we have been told to create passwords, as a completely random string of characters, and the frequency with which we are made to change them are making it harder on all of us but easier for cyber-criminals to crack our passwords.

The complexity of the old password guidance led to many bad password habits, such as replacing letters with look-alike numbers ('o' for zero, 'e' for three, etc.) and symbols ('@' for 'a', '$' for 's') so that passwords could be remembered more easily. In fact, it was found that the standard eight-character password with special characters could be cracked faster than a 20-character password without special characters.

The old requirement to change passwords so often also led many users to simply reuse their passwords on multiple sites, which again made things easy for cyber-criminals when there was a breach. There has been no evidence that a password becomes more hackable because it has been in use for more than 90 days. Plus, when forced to change a password too frequently, users would often just shift one letter in it, a habit cyber-criminals quickly caught on to.

And believe it or not, a completely random password that does not use words is actually easier for hackers to crack than long, weird words or phrases that you can easily remember.

The new guidelines throw everything we've been told to the wind: using a mix of upper- and lower-case letters, using special characters, and changing your password frequently. Now the password experts say that we should make our passwords long and memorable. Using a phrase that is unique to you, in conjunction with special characters if you are forced to use them (between the words of the phrase, not inside the words), will make it harder for hackers and their cracking software to compromise your passwords.
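The claims above (eight random characters falling faster than twenty plain letters, look-alike swaps adding almost nothing, and the "shift one letter" rotation habit) can be checked with a little arithmetic. The following is an added example, not code from the original article; the guess rate, the 95-symbol and 26-letter alphabets, and the 10,000-word dictionary are assumptions chosen for illustration.

```python
import math

# Assumed offline guess rate against a fast hash; a constructed figure for
# illustration, not a measurement taken from the article.
GUESSES_PER_SECOND = 1e10

# The letter-for-look-alike swaps the article describes (o->0, e->3, a->@, s->$).
LEET_SUBS = {"o": "0", "e": "3", "a": "@", "s": "$"}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def leet_word_bits(word: str, dictionary_size: int) -> float:
    """Entropy of a dictionary word with optional look-alike swaps.

    A cracker guesses the word (log2 of the dictionary) and then tries every
    on/off combination of the k swappable letters, so the swaps add only k bits.
    """
    swappable = sum(1 for c in word.lower() if c in LEET_SUBS)
    return math.log2(dictionary_size) + swappable


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / rate


def compare_policies() -> dict:
    """Crack-time estimates for the three password styles the article contrasts."""
    return {
        "8 random printable ASCII chars": crack_seconds(keyspace_bits(95, 8)),
        "20 random lowercase letters": crack_seconds(keyspace_bits(26, 20)),
        "'password' with swaps, 10k-word list": crack_seconds(leet_word_bits("password", 10_000)),
    }


def is_trivial_change(old: str, new: str) -> bool:
    """Flag a 'new' password that only shifts one character of the old one,
    or adds/removes a single character at either end (the forced-rotation habit)."""
    if len(old) == len(new):
        return sum(a != b for a, b in zip(old, new)) <= 1
    longer, shorter = (old, new) if len(old) > len(new) else (new, old)
    return len(longer) == len(shorter) + 1 and shorter in (longer[1:], longer[:-1])


if __name__ == "__main__":
    for style, seconds in compare_policies().items():
        print(f"{style:40s} ~{seconds / 86400:.3g} days")
```

At the assumed rate the eight-character random password falls in days while the twenty-letter one takes many orders of magnitude longer, and the substituted dictionary word is weaker than either.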

Also, think about the system you are accessing and whether it needs a strong, unique password, or whether it is OK to reuse a password for a site that holds only your name, email, and password. For instance, do you really mind if a hacker got access to your online recipe list?

You might think that the password to your online bank is your most important password, but you may be surprised to find that your email and social media passwords may be more sensitive: the "Forgot Password" feature in most systems would allow a hacker who compromised your email account to reset your online banking access.

But passwords and one-time multi-factor authentication codes (such as those sent by SMS) are not bullet-proof protection, as they can be hacked and hijacked. A recent, terrible example of account takeovers has been in the crypto-currency space, where hackers are compromising email and mobile telephone accounts and emptying crypto-currency wallets. Users will need to continue to be vigilant and take every precaution to secure their most sensitive accounts.

What You Need to Know about the Equifax Breach

Data breaches are bad but the Equifax data breach may be one of the worst. When hackers stole the data on potentially 143 million American consumers from the credit reporting bureau they took everything they needed to unlock the identities of 44% of the American population. And ironically, Equifax was one of the companies that other companies turned to when they were breached. As their website states: “You’ll feel safer with Equifax. We’re the leading provider of data breach services…”

Hackers reportedly used a website vulnerability to steal everything from social security numbers to credit card numbers from May until the breach was discovered on July 29th, meaning the hackers had access for at least two full months. No reason for the delay in informing the public has been given, but in some recent large investigations law enforcement has asked companies to wait before disclosing the information.

What makes this data breach one of the worst, even though the scale isn’t as large as say Yahoo’s 500 million, is that consumers did not have to directly give their information to Equifax, instead it was provided to them by nearly every bank, credit card, and loan company to make credit decisions. So if you have ever applied for a credit card, loan, or mortgage, your data may have been compromised.

As is standard with breaches, Equifax has offered free credit monitoring services for a year, whether your data was accessed or not, if you sign up by November 21st. But wait, don't leave and sign up right now! A caveat to signing up for Equifax's offer of free credit monitoring from TrustedID, which is also owned by Equifax, is that TrustedID's terms of service state that if you sign up you cannot take part in any class action lawsuits against the company. And not wasting any time at all, two Oregon residents have filed a lawsuit against Equifax alleging negligence in securing the personal information of consumers.

While a nice gesture, and possibly giving Equifax some legal relief as people scramble to sign up for credit monitoring, the data stolen from Equifax can be sold on the dark web for years to come to steal identities. There is no expiration date on information like name, address, date of birth, and social security number, all of which the hackers took. Consumers will need to remain vigilant in checking bank account information and making sure their identities are not stolen, both in the near term and for years to come. Signing up for a credit monitoring service is definitely a good idea, perhaps not with TrustedID, but as you look, try to find one that doesn't just look for new account creation. Find a service that monitors open accounts for changes as well as new account creation. You can also look into identity protection insurance services, such as LifeLock, as an additional layer of protection.

As a notable side note: Questions have been raised about the sale of $1.8 Million in stock by three executives of Equifax following discovery of the breach before it was disclosed to the public. The company reports that none of them knew about the breach. That does make one question the cyber-security incident reporting policies of such a large organization.
