Monthly Archives: February 2018

New credit card skimmer worked in plain sight at Aldi stores

Police in Lower Pottsgrove, Pennsylvania have spotted a group of thieves who are placing completely camouflaged skimmers on top of credit card terminals in Aldi stores. The skimmers, which the gang placed in plain sight of surveillance video cameras, look exactly like the original credit card terminals but would store debit card numbers and PINs of unsuspecting shoppers.

“While Aldi payment terminals in the United States are capable of accepting more secure chip-based card transactions,” writes security researcher Brian Krebs, “the company has yet to enable chip payments (although it does accept mobile contactless payment methods such as Apple Pay and Google Pay). This is important because these overlay skimmers are designed to steal card data stored on the magnetic stripe when customers swipe their cards.”

Interestingly, commenters reported that many Aldi stores support chipped EMV credit cards but that they would often tape over the slots and ask users to swipe instead.

“The Aldi stores near me got chip readers early last year with Apple Pay and everything enabled. After ~5 months they taped over the card insertion slot and now require customers to swipe again,” wrote one commenter. “I asked one of the managers and he said corporate required them to switch back because ‘swipes are faster.’”

I love these stories primarily because point of sale terminals are widely unguarded and offer the best of security theatre – you think you’re safe because they look like the egg sacs of some armored beast but, with a quick addition of a skimmer, you create something that is deeply unsafe. That this skimmer ended up at a town of just 12,000 souls is particularly poignant.

via: techcrunch

Scribd’s new unlimited plan for audiobooks and e-books might be an avid reader’s dream

Avid audiobook nerds tired of dealing with Audible’s nonsense or long library queues now have a new way to get a steady stream of the good stuff.

Scribd just announced it will be reinstating an unlimited plan offering relatively unfettered access to e-books, audiobooks, news, magazines, documents and sheet music. Unfortunately, the service sounds like it won’t be truly unlimited, capping downloads and streams at a certain point, but given how hard it can be to download a damn audiobook, it might still be a good option for those who prefer the digital or spoken page.

Whatever that hidden cap is, the new plan bumps Scribd users up from the previous three e-book and one audiobook monthly limit. (Any audiobook fan could tell you that one a month just isn’t enough to get by!)

TechCrunch has reached out to Scribd to clarify the limits on their unlimited plans and will update when we hear back. According to an interview with Fast Company, the service axed the plans the first time around after a small number of “superusers” consumed hundreds of titles per month, ruining the fun for everyone. Hopefully Scribd sets the limits low enough to keep the offering alive but high enough not to punish the normal sort of voracious reader who might read a ton of books per month but would never approach the century mark. Still, it’s a dumb trend to call things unlimited when there are in fact hard limits, even if a company is evasive about the details (looking at you, mobile carriers).

Scribd in its announcement post reassures existing users that little will change:

You’ll notice a slight change to your browsing experience: the Scribd Selects catalog has been removed and you will no longer see the unlimited toggle in search filters. Without the need for Monthly Credits for full access to titles available on Scribd, there’s no longer a need for a separate Scribd Selects or unlimited catalog! If you find a book or audiobook that strikes your fancy, just start reading or listening – we’ll handle everything else on our end.

As someone who is getting more into audiobooks (and reading a lot more because of it!), I downloaded Scribd to try out the 30-day free trial. Of the five genre-hopping books that I’m reading elsewhere through a patchwork of systems (Hoopla and Overdrive via my local library and Audible’s paid service), a Scribd search shows all of them are available… all in one place, for once. While I’ve only used Scribd in the past for PDF embeds in stories (like those here on TechCrunch dot com), their iPhone app is already vastly more pleasant to browse than something like Audible or Hoopla. At $9 a month, I’d be happy to pay for a pleasant, navigable user interface, assuming the hidden cap doesn’t hamstring the whole service — and I’m sure other people will feel the same way.

via: techcrunch

A CISO’s Guide to Minimizing Healthcare Risk

There are many actionable items and methods a CISO can use to minimize risk in the healthcare industry. After all, there are all kinds of tools, project management resources, and resource management solutions that can help keep businesses in order and safe. However, there are just a few areas in which action should be taken.

As simple as it might sound, radical transparency within the security department is a must. Security operations fall short when it is unclear what the department really does for the company and/or organization.

Setting a clear tone and mission, and keeping the doors open (within reason) on the overall objectives, helps keep egos, false impressions, and roadblocks from negatively affecting operations.

I have seen both small and big companies suffer from these issues. The same questions always arise: “What do they really do here?” and “Why are they even here?”

These questions create a great deal of toxicity, which can separate teams and cause cross-department tension.

The observation can be made that smaller companies are better at this than bigger companies because the former do not have the time and/or overall money/energy to spend dealing with this. In small-to-mid-sized companies, the tone of “either you know it or you do not” is strong, and no one has time for egos to get in the way.

Bigger companies have layers that just get in the way, and sometimes no one knows what anyone else really does. Establishing pillars for focus areas of expertise and running them in parallel with the overarching mission of “protecting this home” helps to shed light on all the areas of information security.

CISOs need to understand, at both a topical and a technical level, how their environments work and function with their organizations’ lines of business.

Cyber thieves have their eyes set on not only the information they can obtain but also the value of obtaining the information along with what they can do with it. Selling the information is a byproduct of stealing the information; causing the pain and damage by using the information is the root agenda.

CISOs might want to implement not only multiple secure layers but also adhere to different rules and regulations such as HIPAA to ensure most of their organizations’ bases are covered.

So, what can be done?

From a leadership point of view, I say knock down the walls, open up the floors, and get out of your offices as much as you can.

I understand that certain areas, like incident response and digital forensics, might not be able to do so easily. However, putting the above advice into action would go a long way. General McChrystal took this approach when he was head of Special Operations in Iraq and Afghanistan; his experience shows that even in some of the most secret and high-tempo environments, transparency can help drive better performance.

This “no BS and no one hides” approach regardless of rank or title helps bring issues, concerns, and projects to the forefront and helps to quickly address anything that needs to be handled.

From a technical point of view, it’s useful to consider adopting different tools that would monitor the interactions of doctors and other professionals regarding their access to PHI/PII. Using multiple layers of security stacked upon multi-factor authentication would also provide a deeper, more secure platform of operations.

Adopting a mixture of the above would give any CISO a great opportunity to stay ahead of the power curve and be ready to respond to any unknown security threat. Applying these elements in a unified manner will help shed some light on the moving target so that adjustments can be made, measured, and marked for success.

via: tripwire

Eligible Hospitals Must Now Use QNet for Meaningful Use Attestation

The Centers for Medicare & Medicaid Services (CMS) has recently issued a reminder that eligible hospitals and Critical Access Hospitals (CAHs) participating in Electronic Health Record Incentive Schemes must use the QualityNet Secure Portal (QNet) to submit Meaningful Use attestations in 2018.

Back in October, CMS announced it was transitioning Meaningful Use attestations to QNet. Previously, two separate systems had been used for attestations and for reporting clinical quality measures; in order to simplify reporting requirements and streamline data submissions, the QNet portal would be used for both from January 2nd 2018.

From October, eligible hospitals and CAHs new to QNet had the opportunity to enroll on the system and get used to how it worked, while existing QNet users were advised to add an MU role to their accounts. From the beginning of this month, the QNet system opened for attestations relating to the 2017 calendar year. The attestation period closes on February 28th.

Different Processes for Medicare and Medicaid Hospitals

Although intended to simplify the reporting requirements, the new system has caused some confusion about the different processes for Medicare-eligible and Medicaid-eligible hospitals. This has prompted CMS to issue a reminder detailing the process for each type of incentive program. From January 2nd 2018:

  • Medicare-eligible hospitals and qualifying Critical Access Hospitals will use the QNet process as described above to submit Meaningful Use attestations.
  • Medicaid-only hospitals and CAHs need to update their registration through the Medicare & Medicaid EHR Incentive Program Registration and Attestation System and coordinate with their respective State Medicaid agencies in order to submit their Meaningful Use attestations.
  • Dually eligible hospitals and CAHs (both first-time participants and returning participants) will need to register or update their registration with both QNet and the Medicare & Medicaid EHR Incentive Program Registration and Attestation System.
  • Medicaid-only clinicians should coordinate with their respective State Medicaid agencies to submit Meaningful Use Attestation, while Medicare Part B clinicians eligible to participate in the Merit-based Incentive Payment System (MIPS) should visit qpp.cms.gov for more information.

CMS also stated that a QNet Help Desk will be available to eligible hospitals and CAHs starting January 2nd 2018. Providers are instructed to use the QNet Help Desk instead of the EHR Incentive Program Information Center for assistance with the registration and attestation process. Further information and points of contact can be found in the QNet User Guide and the Transition Overview Factsheet.

via: hipaajournal

Foundational Controls for Integrity Assurance

Among organizations today, there’s not enough focus on where digital security matters, that is, setting up the challenge/risk. Let’s come right out and say it: if you haven’t been hacked yet, you soon will be.

This is not a surprise to you. You know this. We know this. Other companies know this. And yet, we saw WannaCry spread to hundreds of thousands of organizations via unpatched Microsoft vulnerabilities, Verizon and Dow Jones suffer data leaks due to misconfigured servers, and Equifax weather a breach at the hands of an unpatched vulnerability.

Many companies aren’t just standing idly by, however. They are now spending more and more trying to combat the ever-present threat of cybercrime. Worldwide, cybersecurity spending is increasing year on year and is expected to reach $170 billion by 2020.

So what’s going wrong?

No matter how big a fish you are, how big your budget is, or how much you spend on bolstering your defenses, if you’re not spending it in the right place, you are leaving yourself vulnerable to attack. Where should you be spending your budget? The basics would be a good place to start.

Why is this so? Craig Lawson said it perfectly at Gartner Security & Risk Management Summit 2016:

New technology is interesting, but not at the expense of the basics. Look at what simple, fast and relatively easy things you should revisit. The data shows this actually will put a big dent in the problem.

At the end of the day, close to all commodity attacks can be prevented just by fixing the basics. And yet, too many organizations are letting foundational controls get away from them.

Too many companies think that by focusing on the latest, most advanced technologies, they can keep ahead of new cyber threats.

Of course, advanced technologies can be important as well and should be evaluated in the future, but foundational controls are where you need to start first to assure integrity and reduce the biggest portion of risk. Once these foundational controls are in place, you can add additional control capabilities – as your organization matures and your budgets allow/increase.

Companies should specifically look to foundational controls because they assure the integrity of their systems. Integrity is one pillar of the information security’s Confidentiality-Integrity-Availability (CIA) Triad.

Of the three pillars, integrity is the least understood and most nebulous because the original focus of integrity was limited to data. What many people don’t realize is that it’s the greatest threat to businesses and governments today, because an integrity compromise can mean far more than data loss or corruption – it can result in catastrophic system failure (think critical infrastructure).

The cybersecurity industry remains overwhelmingly focused on confidentiality. Its mantra is “encrypt everything.” The security paradigm remains focused on perimeter defense, and network security seeks to protect those endpoints with firewalls, certificates, passwords, and the like, creating a secure perimeter to keep the whole system safe.

This is noble and essential to good security. But without integrity, or assessing whether the software and critical data within your networks and systems are compromised with malicious or unauthorized code or bugs, the keys that protect encrypted data are themselves vulnerable to malicious alteration. To address threats, security experts should assume compromise – that hackers and malware already have breached their defenses or soon will – and instead classify and mitigate threats.

Towards that end, an integrity solution acts less like locks and more like an alarm. It monitors all parts of a network from the access points at the perimeter to the sensitive data within it and provides an alert if something changes unexpectedly.

Tripwire offers an integrated suite of foundational controls that deliver integrity assurance. Our solutions for vulnerability management, asset management, configuration management and change monitoring address the integrity management needs of IT Security. They also help IT in many other ways:

  • Know what assets you have and which ones to fix first
  • Know the environment is in a known and trusted state—detect changes in real-time
  • Detect and correct integrity drift
  • Automate compliance on a continuous basis and reduce related costs
  • Reduce MTTR by quickly identifying root causes of incidents

The simple fact is, when implemented properly, integrity management can prevent the majority of breaches from happening. The result you get from investing in foundational controls for integrity is FAR fewer incidents.

It’s time to stop looking for the silver bullet and focus on pragmatic actions. That process begins with assuring integrity via foundational controls.

As I noted in my previous article, companies should use foundational controls to assure integrity of their software and critical data – doing so can help prevent many data breaches and security incidents from occurring in the first place.

That’s not all that integrity driven by foundational controls can accomplish. Here are two more benefits organizations can enjoy when they give integrity the attention it deserves:

INTEGRITY CONNECTS SECURITY AND OPERATIONS

Security and operations personnel have different priorities. The former care about confidentiality, or the need to protect critical information in valued systems. Meanwhile, the latter care about availability and uptime, all in an effort to keep those systems running.

Fortunately for companies, integrity connects operations and security together. It does so via foundational controls: security measures that both address the vulnerabilities and changes that commonly cause downtime and reduce the attack surface that can lead to system compromise.

As a result, integrity can help both groups ensure that critical systems operate continuously in a known and trusted state.

INTEGRITY CAN HELP COMPANIES ADDRESS SECURITY AND COMPLIANCE

Enterprises commonly use frameworks to address their security and compliance needs with NIST, CIS, PCI, NERC, GDPR, and other standards. What they don’t know is that many of those frameworks focus on foundational controls that drive integrity.

For example, the first six of the Center for Internet Security’s (CIS) critical security controls (CSCs) can help an organization prevent incidents and reduce risk; five of those six measures align with integrity management as I’ve described it.

By implementing these tools first, an organization can prevent a majority of breaches, achieve compliance, and pass its regulatory audits.

Going the Distance

Many organizations do have at least some foundational controls in place but don’t go far enough with their implementation. These enterprises frequently embrace a strategy that focuses only on the critical assets like your PCI or PII servers. It ensures the integrity of these assets because of auditors’ greater degree of focus on them, but it doesn’t address the cumulative risk of leaving other assets uncovered.

Extending integrity management to more of the assets you manage enables you to reduce your overall attack surface and address more of the cumulative security and operational risk you have. With that said, those companies that have embraced suitable cloud-computing architecture need to ensure they’ve deployed the same level of security, compliance, and operational controls in the cloud as is required for their on-premises systems.

Why? The cloud is not secured by default. Cloud providers’ focus is security of the cloud. However, customers are responsible for security in the cloud.

As with on-premises systems, foundational controls are a great place to start when it comes to cloud security. Additional guidance on this matter can be found here and here.

FOUNDATIONAL CONTROLS SHOULD BE YOUR FIRST BUDGET CONSIDERATION

We know you have a hard choice to make when it comes to spending your security budget. Going back to basics might seem like a step in the wrong direction. But spending more and more money on the latest technology to solve security problems will often only lead to a false sense of security, a more complicated IT environment, and bigger problems in the long run.

When it comes to budget decisions, foundational controls for integrity assurance should be your first investment for effective security and operations. Tripwire recognizes this fact, which is why its integrity solutions are focused on three aspects of the organization:

  1. Security controls that leverage industry standard frameworks like NIST and CIS;
  2. IT operations controls that help organizations maintain their infrastructure and configurations for continuous operations; and
  3. Compliance coverage that offers one of the most extensive policy libraries in the industry.

via: tripwire

The Five Stages of File Integrity Monitoring (FIM)

The benefits of a capable and properly deployed File Integrity Monitoring (FIM) solution are plentiful:

  • If you see unexpected or unexplained file changes, you can investigate immediately and resolve the issue quickly if your system has been compromised.
  • You can reconcile changes against change tickets or a list of approved changes in a text file or spreadsheet.
  • You can determine if changes take configurations out of policy (impact hardening standard).
  • You can automate responses to specific types of changes—for example, flag the appearance of a DLL file (high-risk) but auto-promote a simple modification to a DLL file (low-risk).

And the importance of FIM cannot be overstated. Let’s not forget what the Center for Internet Security (CIS) says in Critical Security Control 3.5:

Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).

But let’s face it, File Integrity Monitoring (FIM) can be “noisy” and a large time commitment if you let it get out of control. With a well-chosen solution, light care and feeding, and tuning to match environment changes, you can keep the Five Stages of FIM from overburdening your resources.

Let’s simplify (or look at FIM in terms of the value it provides an organization):

  1. Something in your monitored environment changed.
  2. Something changed, and it was unexpected.
  3. Something changed, it was unexpected, and it was bad.
  4. Something changed, it was unexpected, it was bad, and here’s how to get back to the known and trusted state.
  5. Something changed, it was unexpected, it was bad, here’s how to fix it, and let’s tune our solution to minimize noise in the future.
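The five stages above, and the “alarm, not a lock” idea from the integrity piece earlier on this page, as an added example that is not Tripwire’s code: a minimal Python integrity check that baselines the content hash, permission bits and owner of every monitored file, reports what changed (stage 1), reconciles changes against an approved-change list standing in for change tickets (stage 2), rates the rest using the text’s DLL example and the owner/permission and extra-file clauses of CIS Control 3.5 (stage 3), restores the baseline permissions (stage 4), and keeps the approved list as the tuning knob (stage 5). The directory layout, file contents, ticket id and the `.so`/`.exe` additions to the high-risk extension set are constructed assumptions.

```python
"""Minimal file-integrity check that walks the five FIM stages from the text."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# The text treats the appearance of a new DLL as high-risk; .so and .exe are
# added here as an assumption so the rule covers Unix and Windows hosts.
HIGH_RISK_NEW = {".dll", ".so", ".exe"}


def snapshot(root: Path) -> dict:
    """Baseline: content hash, permission bits and owner for every file under root."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.lstat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
        }
    return baseline


def diff(baseline: dict, current: dict) -> list:
    """Stage 1: something changed. Returns sorted (path, kind) pairs."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            changes.append((rel, "added"))
        elif after is None:
            changes.append((rel, "removed"))
        else:
            if before["sha256"] != after["sha256"]:
                changes.append((rel, "content"))
            if (before["mode"], before["uid"]) != (after["mode"], after["uid"]):
                changes.append((rel, "owner_or_perms"))
    return changes


def severity(rel: str, kind: str) -> str:
    """Stage 3: rate an unexpected change using the text's examples and CIS 3.5."""
    ext = Path(rel).suffix.lower()
    if kind == "added" and ext in HIGH_RISK_NEW:
        return "high"    # extra executable/library in a monitored area
    if kind == "owner_or_perms":
        return "high"    # CIS 3.5: owner and permission changes are suspicious
    if kind == "content" and ext in HIGH_RISK_NEW:
        return "low"     # the text's example: simple modification of an existing DLL
    return "medium"      # config/data edit: check it against the hardening standard


def triage(changes: list, approved: set) -> list:
    """Stage 2: drop changes reconciled against approved tickets; rate the rest."""
    return [(rel, kind, severity(rel, kind))
            for rel, kind in changes if (rel, kind) not in approved]


def restore_permissions(root: Path, baseline: dict, rel: str) -> None:
    """Stage 4: return a file's permission bits to the known and trusted state."""
    os.chmod(root / rel, baseline[rel]["mode"])


def run_demo() -> dict:
    """Constructed scenario: baseline, three kinds of drift, reconcile, fix, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "lib").mkdir()
        app_conf = root / "etc" / "app.conf"
        lib = root / "lib" / "auth.so"
        app_conf.write_text("tls_min_version = 1.2\n")
        lib.write_bytes(b"\x7fELF constructed library bytes")
        for f in (app_conf, lib):
            os.chmod(f, 0o644)
        baseline = snapshot(root)

        # Drift: a ticketed config edit, an unapproved chmod, and a new DLL dropped in.
        app_conf.write_text("tls_min_version = 1.3\n")       # ticket CHG-0042 (constructed)
        os.chmod(lib, 0o666)                                  # library made world-writable
        (root / "lib" / "helper.dll").write_bytes(b"MZ constructed bytes")

        changes = diff(baseline, snapshot(root))
        approved = {("etc/app.conf", "content")}              # reconciled against the ticket
        findings = triage(changes, approved)                  # stages 2 and 3

        # Stage 4: back to the trusted state for the two unexpected changes.
        restore_permissions(root, baseline, "lib/auth.so")
        (root / "lib" / "helper.dll").unlink()
        # Stage 5: the approved list is the tuning knob; the re-check should be quiet.
        after_fix = triage(diff(baseline, snapshot(root)), approved)

        return {"changes": changes, "findings": findings, "after_fix": after_fix}


if __name__ == "__main__":
    for rel, kind, level in run_demo()["findings"]:
        print(f"{level:6} {kind:15} {rel}")
```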

If you have no solution, or if your solution doesn’t help you quickly address these changes, it’s easy to understand how FIM can act like “the one that got away.”

One of the most important things you can do to advance FIM in your organization is to narrow its scope to the use cases that solve compliance, security, and operational problems. Probably in that order. And probably starting with the five opportunities/levels of complexity above.

A good example is SOX compliance where the organization has “locations” involved in producing SOX related content. Those may be files, directories, applications, even database fields. But NOT all files or all directories or all applications.

Organizations on the more mature side of FIM will say, “We have 135 locations associated with SOX data that could be audit points. We need to know what changes happened, including a baseline, to ensure there was not malfeasance in the creation of our financial reports in those (very specific) places.”

Organizations purchase FIM solutions for a few different reasons. Some are looking for an inexpensive “checkbox” solution to show due diligence against legal action, while others are concerned about the impact of change on operational uptime.

By recognizing the value of FIM, focusing your efforts where you HAVE to then WANT to, and narrowing your horizon to the critical few, you too can reap the advantages of FIM in your organization.

via: tripwire

Apple says some iPhone 7s show “No Service” when they shouldn’t, will repair them for free

Does your iPhone 7 say “No Service” when you’re oh-so-certain the signal is fine? Good news! You might be totally right.

Reports and rumors of a “No Service” bug impacting iPhone 7s have been floating around for well over a year now — and as of this afternoon, Apple is acknowledging the issue.

The company says it’s determined that “a small percentage” of iPhone 7s will claim no service even when service is available.

The bad news: it’s not an easy fix. A software update won’t help this time. Apple says this issue stems from a faulty logic board, which means they’ll have to physically repair your device.

The less-bad news: Apple will repair it for free, and if you’ve paid for such a repair already at the Genius Bar, they’ll reimburse you. You can find details on that here. (One catch: if your device’s screen is busted, you’ll need to pay to have that fixed before they can get inside.)

Apple says devices made between September 2016 and February 2018 (basically the entire lifespan of the iPhone 7) might be impacted, particularly those sold in the US, China, Japan, Hong Kong, or Macao.

via: techcrunch

Tesla looks to take solar mainstream with Home Depot partnership

While Elon Musk is preparing for this week’s launch of the Falcon Heavy rocket, his other company is also preparing for a launch. Tesla has made a deal with Home Depot to sell both the PowerWall and Tesla’s solar panels at 800 Home Depot locations.

The retail spaces will be Tesla branded and Tesla employees will be on hand to assist with service and sales.

Bloomberg first reported the news after confirming the move with Tesla.

Home Depot has some 2,200 stores across the country, but the 800-store rollout is still the largest retail presence Tesla has ever had for its energy products. They will be put on display, quite literally — Bloomberg reports that the Tesla retail displays will be 12 feet tall and 7 feet wide, and that some locations will have visual demonstrations of the products.

Tesla first unveiled the solar roof in October of 2016. Unlike most after-market solar panels, which don’t offer much by way of aesthetics, Tesla’s solar roof tiles come in four styles that closely resemble current roofing materials.

Tesla also sells solar panels, and both products work with the PowerWall 2, where the energy generated by the panels or tiles can be stored.

The move into Home Depot will be the first true test of mainstream interest in solar energy.

via: techcrunch

Autosploit marries Shodan, Metasploit, puts IoT devices at risk

Autosploit, a new tool that basically couples Shodan and Metasploit, makes it easy for even amateurs to hack vulnerable IoT devices.

“As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts,” its creator, who goes by the handle “Vector,” wrote on Github.

Using the Shodan.io API, the program automatically collects targets and lets users enter platform-specific search queries, for instance, Apache. Based on the search criteria it retrieves a list of candidates.

The tool then runs a set of Metasploit modules – selected by programmatically comparing module names to the search query – against the potential targets in an effort to exploit them. “I have added functionality to run all available modules against the targets in a ‘Hail Mary’ type of attack as well,” Vector wrote, adding that “the available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions.”

The pseudonymous security researcher explained that “workspace, local host and local port for MSF facilitated back connections are configured through the dialog that comes up before the ‘Exploit’ component is started.”

“Metasploit reduced the barrier of skill required to hack over a decade ago. Shodan is a search engine that can find and identify any and every system connected to the internet,” Chris Morales, head of security analytics at Vectra, explained. “The ability to find and exploit systems isn’t new. The idea that these two highly automated tools are combined to make life even easier for someone to hack systems lowers the bar much more.”

While Autosploit “makes being a script kiddie infinitely easier” by “combining a whole set of automated tools for identifying exposed hosts and then executing exploits,” Morales said that where it likely “will have the most dramatic effect, and what scares me most, is with IoT,” predicting there will be “a rash of new IoT DOS attacks, cryptocurrency mining, and general debauchery.”

Saying it was “good to know we’ve weaponized for the masses now” and that “everyone can now be a script kiddie simply by plugging, playing and attacking,” Chris Roberts, chief security architect at Acalvio, cautioned that “before we hang this out to dry and assassinate the bearer of the tool, let’s take an introspective look at two facts – the tools have been out there for a while AND other folks have built very nice interfaces for all sorts of tools over the years; and the tools ONLY exist because bad products, code, systems and infrastructures are constantly acceptable and justified by everyone.”

via: scmagazine

Few Americans Are Taking Proper Password Security Precautions

Thursday was “Change Your Password Day,” a national observance of password security and best practices. Passwords are often the first line of defense protecting users from criminals with the malicious intent of invading systems and stealing data, a threat which emphasizes how important it is for people to use strong and diverse passwords.

Unfortunately, many Americans continue to use weak, insecure and easy-to-crack passwords. After compiling more than 5 million leaked passwords from 2017, password management application provider SplashData released its 100 Worst Passwords of 2017. According to the report, “123456” and “password” held the top two spots as the most-used and cracked passwords for the fourth consecutive year.

Americans’ seeming disregard of password security best practices is even more alarming when we consider that the number of U.S. data breaches in 2017 topped the all-time record set the year prior. Data Breach Cybersecurity reported in July that more than 6 billion records were exposed in the first half of 2017 alone, up from 1.5 billion in 2016.

While the Data Breach Cybersecurity report found that the business sector accounted for more than half (56.5 percent) of the total breaches, University of Phoenix’s annual cybersecurity survey found that 43 percent of U.S. adults have experienced a personal data breach in the past three years. However, when it comes to password security, the majority are doing very little to keep themselves secure.

The survey found that only 42 percent of Americans diversify their passwords across websites, 35 percent update their passwords on a regular basis, and less than a quarter (24 percent) change or update their passwords before traveling. The survey also found that workplace cybersecurity is at risk: only 29 percent consider password protection part of their company’s cybersecurity policy.

Most Americans are aware that they should avoid using anniversaries, pets’ names, or their favorite sports team as their passwords, but more should be done to keep information safe. Read below for three tips to strengthen passwords.

1. Use long phrases or sentences

Hackers have become more sophisticated and inventive in their ability to crack passwords. Some will scour dictionaries and phonetic patterns, while others will attempt thousands of different passwords, often based on information known about the victims like significant dates and interests. To protect yourself, aim to create long passwords that contain sentences or phrases; these are harder to decipher.

According to SplashData’s Worst Passwords of 2017 list, nearly all of the top 100 used passwords from last year were seven characters or less. A good rule of thumb is to use passwords that are at least eight characters and even up to 12.

“Football” was the ninth most popular password in 2017. Alone, “football” is a weak password, but adding it to a phrase, like “footballismyfavoritesport” makes it stronger. Phrases can also be made more secure by adding numbers and symbols (for example: “f0otb@llisMYfaVOrit3spOrt”).

2. Adopt a password manager

Another rule for creating smart passwords is to diversify them across multiple sites. Once a criminal is able to crack one password, he/she is likely to try that same password on other accounts. If your passwords are the same, it is much easier for criminals to access your information.

Understandably, it can be difficult to memorize a unique password for each of your devices and accounts. While some people may write them down or store all of their passwords in their smartphone, there is a more secure way to protect and store them. Password security tools like 1Password or LastPass will securely store and encrypt passwords for all accounts under a single master password.

Since the master password is the only line of security between hackers and all of your passwords, make it nearly impossible to crack. You will only have to memorize one password; opt to make it long and appear random. For this password, consider using a sequence of random numbers, letters, capitalization and symbols. The sequence can be made into a phonetic phrase to aid memorization, as long as it is not too simple.

3. Install multi-factor authentication

Long passwords that include phrases and password security managers are great solutions for advanced password protection, but it is best if people take it one step further. Many accounts and programs will offer multi-factor authentication options. Through this method, users are only granted access to an account after providing two factors of authentication or evidence that they are the correct user. Authentication can include a security question, fingerprint I.D., or additional confirmation from a mobile device.

Some programs may provide users the option to reset a forgotten password through the email address linked to the account. Without multi-factor authentication enabled, sometimes all it takes is opening an emailed link. Email addresses are often easy for hackers to acquire, making strong passwords moot if additional security is not added.

The majority of accounts and devices offer multi-factor authentication, but many do not provide it by default. To enable it, visit the security settings and turn on the option. While providing additional information to log in can be tedious, multi-factor authentication adds another layer of security to keep your data protected.

via: tripwire