IT Support Tips – Use A Secure Password

Equifax reportedly used ‘admin’ as password in Argentina

September 2017

Not only did the firm suffer one of the largest data breaches in history — 143 million people’s names, social security numbers, home addresses and more hacked, experts keep managing to poke holes in the company’s security.

The latest comes from Argentina, where Equifax reportedly used the word “admin” as both the username and password for an employee web portal designed to protect both employees and customers who submitted credit disputes. (It doesn’t take Edward Snowden to know that’s a bad idea.)

According to cybersecurity expert Brian Krebs — perhaps best known for his role in revealing the 2013 Target data breach that resulted in the theft of around 40 million credit card numbers — the Argentinian site was secured so poorly that anyone could theoretically impersonate an employee by simply reading their username and password off the site, or even add themselves as a new “employee” to the database.

Perhaps worse, they would have been able to read some 14,000 credit dispute complaints from ordinary Argentinian citizens, which were stored in plain text instead of being encrypted. After being contacted by Krebs about the vulnerability, the company took the portal down.

Equifax wouldn’t fact-check specific details for us, but provided this statement:

We learned of a potential vulnerability in an internal portal in Argentina which was not in any way connected to the cybersecurity event that occurred in the United States last week.  We immediately acted to remediate the situation, which affected a limited amount of public information strictly related to consumers who contacted our customer service center and the employees who managed those interactions. We have no evidence at this time that any consumers, customers, or information in our commercial and credit databases were negatively affected, and we will continue to test and improve all security measures in the region.

Other recent reported Equifax screw-ups include: A tool to check if you’ve been hacked that didn’t seem to work, and a credit-monitoring site that itself appears to be hackable.

On Monday, two US senators demanded that Equifax answer detailed questions about how, precisely, Equifax was hacked, how long the company was aware, and to shed light on three Equifax executives who sold stock after the hack was discovered but before it was made public. Read the original Cnet article here.

How to choose safe passwords—and remember them too

Password security

Forget fingerprints—the right password can provide robust protection for your account

Another day, another major data breach (Yesterday, security consultant Mark Burnett released 10 million passwords and corresponding usernames in a data set he made using existing information)m and another article advising you to strengthen your passwords. These secret bits of information act as the keys to all of our important online accounts, from social networks to email inboxes to bank accounts.

That’s why choosing strong passwords, and managing them well, is so important. It could be the difference between keeping your identity safe and landing your information in hackers’ hands. Your password not the only security measure you need to think about, but it’s one of the most crucial.

Unfortunately, a lot of us are pretty bad at choosing passwords. We tend to pick ones that are easy to remember, and therefore easy to guess, and we tend to reuse them again and again. If you want to toughen up your personal password security, read on.

Best password practices

Choosing a password for your online accounts is no different than choosing a password for a secret society: It needs to be difficult to forget for members, and impossible to guess for anyone planning to gatecrash.

If you’re using “123456” or “password” then you’re putting yourself at risk, because millions of other people are also using these obvious combinations. These are the first options that most hackers will try, right before “password1” and “passw0rd”.

It’s also important to choose combinations of letters and numbers that aren’t easily guessable from public data about you. For example, a quick scan of your Facebook page can tell a hacker what date you were born or even the road you live on. So working those pieces of information into a password won’t make it impossible to guess.

Another best-practice is to choose a password that’s at least 10 characters long. The longer the password, the better; the denser the mix of letters, numbers and special characters, the better; and the more nonsensical, the better. Think about a four-digit code, using only numbers and nothing else: there are 10,000 possible combinations, but add just one more digit and that goes up to 100,000. Add in letters and special characters, and extend your password up to 10 characters and beyond, and you can see how each extra letter helps.

So how do you choose this mystical combination? Security expert Bruce Schneier suggests turning a random sentence (not a famous quotation or phrase) into your password. For example, “We love getting e-mail from Grandma, but she rarely writes one.” is a unique sentence that can become “Wlge-mfG,bsrw0.” by taking the first letter of every word (except for “e-mail,” which becomes “e-m”, and “o”, which becomes “0”). The result is a password with random letters, numbers, symbols, and plenty of digits—and one that you can easily call to mind by remembering the full sentence.

Of course, now that I’ve written this potential password in a published article, it’s no longer secure—but you can easily do this trick yourself with your own sentence. You don’t need to take the first letter of every word either. Instead of turning “love” into “l”, I could have made it “<3.” Some other examples from Schneier include:

  • WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
  • Wow…doestcst = Wow, does that couch smell terrible.
  • Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.

Managing your passwords

If you’re now thinking you’ll never remember all the passwords you need to keep on top of, don’t panic—help is at hand. Your web browser includes some basic password management options to take the strain off your overloaded brain, and you’ve got the option to upgrade to a standalone password manager as well.

First of all, it’s a good idea to add two-step verification to all of the accounts you can. It’s an extra layer of protection that makes your password less important, because it can only be used with an additional code (usually sent to your verified mobile phone). It’s like needing a ticket as well as a password to get inside your secret club, and most online accounts, from Google to Facebook, now support it.

Firefox passwords

Most web browsers, including Firefox, include a password manager.

The Best Free Password Managers of 2017

PC Mag released this article in 2017 listing the features and benefits of different password managers in the UK.
IT Services Cardiff Bridgend pcmag.com Password Apps