Cybersecurity Blog

Password Managers, myths and misconceptions – 12/09/20


Nowadays it seems like no matter what you do online, you need to create an account. With all those accounts comes the impossible task of remembering all those passwords. It is understandable why many of you (71%) are reusing passwords across multiple accounts. Unfortunately, password reuse leaves you vulnerable to credential stuffing.

So how do you create dozens and dozens of strong, unique passwords? The answer is to use a password manager. A password manager generates, stores and autofills passwords for you. It saves you time as well as your sanity while ensuring your accounts are secured. It is a win-win. So much so that 73% of security experts use one.

Unfortunately, there are a lot of misconceptions around password managers. As a result, only 24% of non-security experts choose to use one. Most of the reluctance is around convenience and security. It is generally thought that password managers are too cumbersome to bother using and that they aren’t secure anyway. Both of those assumptions are incorrect. I am going to set the record straight by debunking common password manager myths.

Myth #1 – Password managers aren’t secure

While no application is 100% secure, the odds that a password manager would be hacked are less than the odds that the sticky note on your monitor will be read. Password managers store passwords in an encrypted file that can only be decrypted with the password used to log in to the password manager. If a hacker gains access to your password file but doesn’t have the password for it, all they will see is a jumbled mess. So unless you reuse the password for your password manager or use a weak password, the rest of your passwords should remain secure.

Myth #3 – Letting my browser save my passwords is just as secure as a password manager

Unless your browser requires you to enter a separate password to access the passwords it stores, then no, it is not secure. Your passwords stored in your browser are linked to your browser account. That allows you to take them with you from one device to the next. However, if you forget to log out of your browser on a shared device, the next person who uses the device will have access to them. It is frightening the number of laptops that have been returned to the library displaying the last user’s passwords.

Myth #4 – Password managers are inconvenient to use

Every password manager has different features and works a little bit differently. If you find one that doesn’t work for you, try another. Almost all of them allow you to try them out for free for 30 days. Once you find one that you like, you will find that it actually saves you time and effort. You don’t have to rack your brain to come up with strong, unique passwords anymore; the password manager does that for you. You don’t have to enter your login credentials anymore; most password managers do that for you. You don’t have to sort through stickies to find the right password; the password manager finds it for you. You get the idea: all the annoying things you used to have to do to log in to an account, website or application are done by the password manager. It makes life so much easier.

So there you have it. Password managers are secure, safer than using your browser and convenient. Most of all, they make it easy for you to have a different password for every account. Now you just have to decide which one to use. KeePass is free to download and it is on all MRU workstations. However, there are other web-based tools that are a bit easier to sync between your devices. You can find a list of them on PC Mag’s website. I suggest that you take a look at them, compare features and pricing and then choose one or two to try for 30 days.

Unfortunately, IT Services does not reimburse you if you purchase a password manager. However, most are very affordable and can be used by your whole family.


Only you can use your MRU account – 02/26/20


When we tabulated our survey results, we were delighted to find a significant reduction in password sharing on campus. However, our victory lap did not last long. Password sharing is happening less but there are scary numbers of people logging in and letting someone else use their account.

We understand that you have guests who come on campus and need wifi access, that you have new employees you need to train and that sometimes a colleague’s or friend’s account isn’t working. However, regardless of the reason, credentials should not be shared. Your credentials are only for your use. They give you exactly what you need to have access to, no more and no less. This protects you, your colleagues and the institution.

Stop for a minute and think about all the things only you can access with your login credentials that no one else has access to. Do you really want someone else to be able to access those things? Think about how embarrassed, uncomfortable or alarmed you would feel if a colleague or friend started exploring. I know what you are thinking: I can trust them. They wouldn’t do anything malicious with my account.

Regularly we hear horror stories of friendships gone wrong, bitter colleagues, bad breakups and the resulting fallout. When things go bad it is impossible to predict how someone will react. You would be unpleasantly surprised to know the damage that has been caused when these things occur.

Even if letting someone else use your account doesn’t result in data Armageddon, it is against the Acceptable Use of Computing and Communication Resources Policy. The good news is there is no reason to do so. IT Services can arrange access for anyone for any reason. We have a solution for every situation. Find yours in the Credential Use Guidelines. If you aren’t sure what to do, just call the IT Service Desk and let them know what your time frame is. They will get back to you right away and provide you with a solution.

Don’t give up control by logging in for someone else. Reserve your account for your use only, not the other 114 people who are looking for access.


Just for fun, try out The Passive Aggressive Password Machine – 07/04/19


Two enterprising and fun-loving fellas, Tim Holman and Tobias van Schneider, have obviously lost their patience when it comes to crappy passwords. They have created The Passive Aggressive Password Machine, a website that tells you how secure your password is. However, instead of rating the password on a scale like other websites, it pretends to be your in-laws and gives some very unkind but entertaining feedback.

If you want a good chuckle, check it out. Just remember not to enter your actual password. If you do, make sure you change it afterwards.


Authenticator apps, the good, the bad and the ugly 04/03/19


With compromised passwords floating around the dark web like masses of lemmings, two-factor authentication is moving from nice-to-have to a must. Unfortunately, the most commonly used second factor is an SMS text message. Although this method is easy for account providers to implement, it can also be compromised.

Fortunately, more and more account providers are recognizing this and are integrating with authenticator apps. An authenticator app is a phone app that either generates an authorization code for you or provides you with a prompt you can respond to. As your phone number is not used to deliver the code, the 2FA cannot be bypassed by a SIM swap.

There are several well-known authenticator apps on the market. The top ones are Google Authenticator, Microsoft Authenticator, 1Password, LastPass Authenticator and Authy. All are free to try out. For the most part, they work pretty much the same way. You set them up by either scanning a QR code or entering a key to register your account with the app. When you go to log in, the code appears in the app with a countdown showing you how long it is valid for. You enter the code and shazam, you are in!

What sets them apart are the added features. Let’s start with Google Authenticator. It is free and simple to use. As it is by Google, it is often highly rated by reviewers. However, the devil is in the details, and one huge detail is that you cannot back up your authenticator keys. This is a big problem if you get a new phone. It is also the reason why it is so poorly rated on the Apple Store. No one wants to spend days re-authenticating dozens of sites. This puts it squarely in the category of ugly.

Next up is Microsoft Authenticator. It works pretty much like the Google one for non-Microsoft accounts. However, with Microsoft accounts you can use your phone’s biometrics or PIN to log in instead of entering a password. This is a slick feature if you use a lot of Microsoft products, and it’s free. Unlike Google Authenticator, you can back up your authorization keys, but you must have a Microsoft account to do it. I put this one in the good category for Microsoft users and in the bad category for everyone else.

On to 1Password. This app is actually a password manager with an authenticator built in. If you are looking for a full-featured password solution, this would be your tool. It is free to try, but you have to purchase it once your trial is over. Like the Microsoft app, you can back up your keys, and it generates authentication codes for its second factor. This one is also rated good.

We finally arrive at my favorite, LastPass Authenticator. The free version functions on its own like the Microsoft and Google products. However, if you purchase the LastPass password manager you can back up your keys, plus you get this nice little feature that lets you respond to a prompt instead of entering a code. Winner, winner, chicken dinner!! No more entering codes puts this one at the top of my list. Not only is it a full-featured password solution, but it makes securing your accounts way less work.

Lastly, there is Authy. This little app is free to use, does the job and you can back up your codes. It is a solid solution that is always highly rated. If you don’t want to pay for an authenticator, this is your app. It definitely falls on the good side.

As determining which app is better for you can largely depend on your personal likes and dislikes, I recommend you try them out before you commit long term.

On a final note, although authenticator apps may be more secure, they still use your phone for the authentication process. If you lose or forget your phone, you won’t be able to get into your account. Therefore, before you enable any type of phone-based two-factor authentication, make sure you can print off backup codes and store them in your wallet or purse. If you lose or forget your phone, you can use the codes to get into your account. Not all accounts offer backup codes (the LastPass password manager is one that doesn’t), so do your homework before you enable 2FA.


Don’t want to rely on a phone for 2FA? Use a security key – 03/11/19


A security key is a small plastic fob that you carry with you or leave plugged into your computer. It replaces your phone as the second factor in two-factor authentication (2FA). The keys can be used with most accounts that offer 2FA, and some can be used to log in to your Mac or PC. Each key has its own advantages and disadvantages; however, the most popular keys available in Canada are made by Yubico. While there are other manufacturers out there, Yubico’s keys work with more accounts than any other.

Yubico offers a variety of models, each one with its own set of features. Some stay plugged into your computer. Others you carry on your key chain. Some you can use with mobile devices while others are just for computer use. It can get a bit confusing trying to determine which key is the best fit for you; however, their website does have a quick quiz that can help.

Their most popular and least expensive model is the Security Key. At only $20 US, it does everything the average home user needs a security key to do. The only thing it is missing is NFC capability. In fact, it is so popular it is currently out of stock. The good news is they have decided to offer their upgraded key with NFC capability for the same low price.

The key is super easy to set up. Just log in to your account and find the 2FA settings. Select security key as your second factor, insert the key and push the button. Voila, the key is set up for the account. When you want to log in, you insert your key into your USB port and push the button, or tap the key to the back of your NFC-enabled phone.

No fussing with verification codes or phone prompts. You do, however, have to keep your key with you. As with any other 2FA method, it is a good idea to have a backup plan should something happen to the key. It is recommended that you purchase a second one in case the first one is lost. The good news is buying two will only set you back $36 US.

The key is waterproof and super durable, so it will survive being tossed around on your key chain. It is also nice and flat, so it hangs easily with your other keys. Here are just some of the accounts that it works with.

  • 1Password
  • Blogger
  • Dashlane
  • Digidentity
  • Docusign
  • Dropbox
  • EA
  • Epic Games
  • Eve Online
  • Facebook
  • Google
  • Instagram
  • KeePass
  • Kickstarter
  • LastPass
  • LogonBox
  • MailChimp
  • macOS
  • Microsoft
  • Nintendo
  • PassPack
  • Reddit
  • Trello
  • Twitter
  • WordPress
  • YouTube

For a complete list of accounts that work with Yubico’s Security Key, visit their website. If you are serious about using 2FA and don’t want to use your phone, a security key is really the only way to go.


Enabling 2FA on LinkedIn – 03/07/19


Two-factor authentication (2FA) and its cousin two-step verification (2SV) ensure that your account stays secure even if your password is compromised. Not all account providers offer 2FA or 2SV; however, LinkedIn does.

To enable 2SV on your LinkedIn account you must first add your phone number to your LinkedIn profile. To add your phone number to LinkedIn:

  1. Log in to LinkedIn.
  2. Click your photo. A menu drops down.
  3. Select Settings & Privacy.
  4. Click the Account tab.
  5. Under Login and security, select Phone numbers.
  6. Select Add phone number.
  7. Select Canada from the drop down list.
  8. Enter your phone number into the text box.
  9. Click Send code. A dialog box appears asking for your password.
  10. Enter your password.
  11. Press ENTER on your keyboard. The verification code is sent to your phone.
  12. Enter the verification code into the text box on your computer.
  13. Click Verify.

To enable two-step verification on LinkedIn:

  1. Log in to LinkedIn.
  2. Click your photo. A menu drops down.
  3. Select Settings & Privacy.
  4. Click the Account tab.
  5. Select Two-step verification. You may have to scroll down to find it.
  6. Click Turn on. A dialog box appears asking for your password.
  7. Enter your password.
  8. Press ENTER on your keyboard. The verification code is sent to your phone.
  9. Enter the verification code into the text box on your computer.
  10. Click Verify.

Please note that although I have provided step by step instructions, account providers are constantly changing their privacy settings, features and procedures. They like to keep us on our toes. They certainly don’t want us to start feeling comfortable using their tool. That might lead us to believing we are in control of our own privacy and security, and that would never do. Am I sounding bitter? So sorry, that won’t do either. Let’s reset. Please check LinkedIn’s help files for the most accurate and up to date instructions on how to enable 2SV, as these instructions may become obsolete before they are even published. Sorry, I tried to reset. I couldn’t do it. Happy enabling!


Why enabling two-factor authentication is more important now than ever – 02/28/19


Two-factor authentication (2FA) and its cousin, two-step verification, are available on a variety of accounts such as Google, Facebook, LinkedIn, Yahoo, Twitter and Instagram. When it is enabled, after you successfully enter your password on a strange computer you are asked to respond to a prompt or enter a verification code sent to your phone. This ensures that even if your password is compromised, your account will stay secure. That is, unless the criminal has your phone as well.

If that is the case, you are having one heck of a day and require support that is outside the scope of this article. I hope your phone is password protected and I wish you good luck. I digress. Back to why enabling 2FA has become so important.

Last month we saw enormous lists of login credentials pop up on the dark web. While previously miscreants had to purchase this valuable information, these large collections of usernames and passwords are now available for free. Aspiring Kevin Mitnicks the world over can now try their hand at cybercrime, no upfront credential purchase needed.

As a result, we have seen a big jump in credential stuffing attacks, some of them on home security cameras with terrifying results. Ideally you should have a unique password for each account. However, if this particular habit has not yet been entrenched, two-factor authentication will save your bacon.

Although registering your email on Have I Been Pwned will let you know if your password has been compromised, it takes time before a data breach shows up on their radar. With 2FA, as soon as you receive an unexpected verification code or prompt on your phone, you know someone has stolen your password. This early warning system allows you to change the passwords on your accounts that don’t have 2FA before any damage is done.

Hopefully I have convinced you that two-factor authentication is no longer something that is nice to have, but is essential to securing your data. The next question is, “How do I start using it?”. Thankfully, there is this really great quick reference guide that walks you through the steps on how to enable 2FA on your Mount Royal email account. And yes, I wrote it…that’s why it’s really great. If you have any questions or need some help with the process, please feel free to contact me.

You can also come down to Main Street on March 13, April 10 or May 7. I will be there with my prize wheel. If you talk to me about two-factor authentication, you can spin and win.


What is credential stuffing and why should you care? – 02/14/19


Credential stuffing is where hackers take a list of usernames and passwords and use them to try to log in to a site. They use computer programs that allow them to test thousands of login credentials in minutes. If someone is reusing passwords or using common or weak passwords, the hackers will have no problem accessing those accounts.

So how do you protect yourself against credential stuffing?

  1. Use unique passwords for every account. I know it is inconvenient and a pain but it really is the only way to protect yourself.
  2. Use a password manager. This takes the sting out of my first recommendation. Password managers not only store your passwords, but make generating them and logging in a breeze.
  3. Register with haveibeenpwned.com. If you register your email with them, they will email you when your email address shows up in a data breach. If you are still reusing passwords, this gives you time to change them. Credentials stolen in data breaches often show up on the dark web for sale before the breached company even knows its users’ data has been compromised.
  4. Enable multi-factor authentication on every account that has it available. Multi-factor authentication and its cousins, two-step verification and two-factor authentication, require you to enter an authentication code, respond to a prompt from an authentication app or insert an authentication key when you enter your password.
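The four points above are what you can do as an account holder; on the site operator's side, the "thousands of login credentials in minutes" pattern is also detectable in the authentication log, because a stuffing run tries one or two passwords against many different usernames from the same source, whereas a user who has forgotten their own password fails many times against one username. Here is an added example of that detection logic run over a few constructed log lines; it is not code from this blog or from any real product, the `ip=... user=... result=...` line format is invented for the example, and the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (invented key=value format, RFC 5737 test
# addresses). 198.51.100.7 is a user fumbling their own password;
# 203.0.113.5 walks through seven different usernames in five seconds.
SAMPLE_LOG = """\
2019-02-14T09:00:01Z ip=198.51.100.7 user=alice result=FAIL
2019-02-14T09:00:09Z ip=198.51.100.7 user=alice result=FAIL
2019-02-14T09:00:20Z ip=198.51.100.7 user=alice result=OK
2019-02-14T09:01:00Z ip=203.0.113.5 user=alice result=FAIL
2019-02-14T09:01:01Z ip=203.0.113.5 user=bob result=FAIL
2019-02-14T09:01:01Z ip=203.0.113.5 user=carol result=FAIL
2019-02-14T09:01:02Z ip=203.0.113.5 user=dave result=OK
2019-02-14T09:01:03Z ip=203.0.113.5 user=erin result=FAIL
2019-02-14T09:01:04Z ip=203.0.113.5 user=frank result=FAIL
2019-02-14T09:01:05Z ip=203.0.113.5 user=grace result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Return (timestamp, ip, user, result) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def detect_credential_stuffing(log_text: str, window_seconds: int = 60,
                               min_attempts: int = 5, min_users: int = 3) -> dict:
    """Flag source IPs that try many *different* usernames inside a short window.

    Distinct-username count is the discriminator: a forgotten password gives
    many failures on one username, a stuffing run gives one or two attempts
    per username across many. Successful logins inside a flagged run are the
    accounts whose reused password just worked and need a forced reset.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> events still inside the sliding window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, result = parsed
        events = recent[ip]
        events.append((ts, user, result))
        while events and ts - events[0][0] > window:
            events.popleft()
        users = {u for _, u, _ in events}
        if len(events) >= min_attempts and len(users) >= min_users:
            hit = alerts.setdefault(ip, {"attempts": 0, "users": set(), "compromised": set()})
            hit["attempts"] = max(hit["attempts"], len(events))
            hit["users"] |= users
            hit["compromised"] |= {u for _, u, r in events if r == "OK"}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} attempts against {len(info['users'])} users; "
              f"accounts to reset: {sorted(info['compromised'])}")
```

The thresholds (5 attempts, 3 usernames, 60 seconds) are constructed defaults; a real deployment tunes them to its own traffic, and the `compromised` set is the part that turns the alert into action, since those users reused a breached password and should be made to change it.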

Updated 03/01/22

Your IoT devices are vulnerable even if you have a firewall – 01/08/19


If you have been reading this blog at all, you will have seen my plea to change your default password on any device that connects to the internet. Those of you who are more on the ball may have wondered why this is necessary if you have a firewall on your router. Won’t the firewall keep an intruder out? The answer is yes and no.

Let’s look at how an internet-connected device works and then it will become clearer. What makes internet-connected devices, or IoT devices, so handy is that they connect through the internet to a server that provides extra functionality. This allows the IoT device to stay small and inexpensive, as it doesn’t need a lot of computing power. It uses the computing power of the server instead. This also allows you to benefit from the data sent by other people’s IoT devices.

All traffic in and out of your network goes through a router, which is protected by a firewall. The firewall blocks most malicious traffic, but it can’t stop everything. If it did, you wouldn’t be able to connect to the internet at all. The router acts like a mail carrier, making sure the data it receives gets sent to the right device. The first time data is sent, the router doesn’t know who the data is from or where it goes. It has to check the routing information on the data to figure this out. This can slow traffic down considerably if it has to be done every time data is transferred.

To speed the process up, the router remembers the routing information for certain types of data coming from certain types of devices. Once it is remembered, all data from that remembered device outside your network is delivered automatically to the remembered device inside your network. Hackers take advantage of this efficiency by impersonating a remembered device. In the case of an IoT device, the router thinks the data is coming from the IoT server but it is really coming from the hacker’s computer. If this happens, the only thing protecting your IoT device and your network is the device’s password.

So, yes, your firewall will protect all your devices from an attacker trying to get into your network. However, no, it won’t protect you once an IoT device has communicated with its server. This is why it is so important to change the device’s default password and to make sure the new passwords are strong.


Facebook is abusing your phone number – 10/04/18


All of you who have been on the ball and enabled two-factor authentication on your Facebook account are about to get really annoyed. Some researchers have discovered that the same phone number you gave Facebook to secure your account is being used to target you with advertising.

When Facebook was called out on the practice, they defended it by suggesting users could simply turn off two-factor authentication and opt out of the data sharing. I know what you are thinking: you shouldn’t have to choose between privacy and security. Fortunately, there is a better solution. In May they released a feature called Code Generator. It allows you to use two-factor authentication without using your phone number.

If you are currently using your phone number for two-factor authentication on your Facebook account and don’t want it used for targeted ads, I suggest you switch to the Code Generator. The added bonus: it works even if you don’t have text messaging or an Internet connection available.

This week’s contest entry code for the Cyber Security Challenge is n1wsl4tr.