'May the Fourth' remind users to choose a stronger password

Credit to Author: Matt Hamblen| Date: Mon, 01 May 2017 10:35:00 -0700

May 4 is coming up and has been designated World Password Day, a reminder to enterprise workers and consumers everywhere to use strong, up-to-date passwords to protect their accounts.

The date was picked to align with one of the silliest puns yet: “May the Fourth Be with You” — also known as Star Wars Day. (Get it?) Well, maybe when Thursday, May 4 rolls around, it will still be a reminder for end-users to choose a stronger password and redouble security steps.

Security firm BullGuard cited recent studies showing that 90% of all passwords can be cracked in seconds. The 10,000 most common passwords, such as “qwerty” or “12345678”, are enough to open 98% of all accounts, BullGuard said. Amazingly, 21% of online users rely on passwords that are 10 years old, the company said.

Given how many workers still occasionally use personal email accounts to handle confidential company information, against the advice of their security teams, it is worth taking the time to choose a strong password.

Here are some password and related online security tips:

Pick a password of nine or more characters that mixes upper- and lower-case letters, numbers and symbols, and avoid anything built on a dictionary word or one of the common passwords above; a trailing digit or a swapped-in symbol does not rescue “password”. Also, use a different password for high-security accounts, such as email, than for low-security accounts such as social networks. Email deserves special care because password resets for other accounts are delivered there. If a fraudster steals a low-security password, he or she cannot replay it against the high-security accounts.
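As an added example (not part of the original article and not BullGuard's or Gartner's code), the following Python script turns the advice above and the common-password statistic into a checker: it enforces the length and character-class rules, catches passwords that are merely a common word with cosmetic substitutions, estimates how long exhausting the implied keyspace would take, and reports passwords shared between accounts. The denylist is a constructed stand-in for a real 10,000-entry list, the cracking rate of 10 billion guesses per second is an assumption for an unsalted fast hash, and the sample accounts are made up.

```python
import re
import string

# Constructed stand-in for the ~10,000-entry common-password lists the
# article cites; a real deployment would load a published top-10k file.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "letmein", "monkey", "dragon", "iloveyou", "welcome", "admin",
}

MIN_LENGTH = 9              # the article's "nine or more characters"
GUESSES_PER_SECOND = 1e10   # assumed offline rate against an unsalted fast hash

# Substitutions attackers try first: "P@ssw0rd" is still "password".
_LEET = str.maketrans("@$0134", "asoiea")


def _base_word(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols and undo leet so that
    'P@ssw0rd1!' reduces to 'password' before the denylist lookup."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)
    return core.lower().translate(_LEET)


def check_password(pw: str, denylist=COMMON_PASSWORDS) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # Character classes alone say nothing about guessability: a dictionary
    # word decorated with "1!" is in every cracking wordlist's rule set.
    if pw.lower() in denylist or _base_word(pw) in denylist:
        problems.append("based on a common password")
    return problems


def seconds_to_brute_force(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace implied by the character
    classes present. This is an upper bound on attacker effort; a password
    on the denylist falls in well under a second regardless of this number."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    if size == 0:
        return 0.0
    return size ** len(pw) / rate


def find_reuse(accounts: dict) -> dict:
    """Map each password used by more than one account to those accounts, so a
    low-security breach that exposes a high-security login is visible."""
    by_pw = {}
    for account, pw in accounts.items():
        by_pw.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in by_pw.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    for candidate in ("qwerty", "P@ssw0rd1!", "correct-Horse7battery"):
        print(candidate, check_password(candidate) or "OK",
              f"{seconds_to_brute_force(candidate):.3g} s to exhaust")
    sample_accounts = {"bank": "Tr0ub4dor&3", "forum": "Tr0ub4dor&3",
                       "email": "correct-Horse7battery"}
    print("reused:", find_reuse(sample_accounts))
```

The keyspace figure and the denylist result deliberately disagree for “P@ssw0rd1!”: it satisfies every character-class rule and would take centuries to brute-force, yet it is a top-ten password with two rule-based mutations, which is exactly why the denylist check, not the complexity rules, does the real work.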

Gartner analyst Avivah Litan also suggested not storing your passwords electronically in the clear. That means masking out at least most of the password content when it is written down electronically. “Bad guys can read anything you have stored electronically by taking over your machine, which they often do,” she said.

Litan also suggested not using a password manager unless you or your security team is fully confident in the tool’s security practices.

Don’t overshare on social media. Set privacy settings in Facebook and other social media that are limited only to friends and family you trust.

This advice isn’t something workers should take lightly, experts said. Litan recently noted that sophisticated hackers have been known to scour workers’ private social networking accounts for insight into weaknesses in their employers’ networks. The information they glean can be used in phishing and related social engineering scams.

“Bad guys can and often do use information you post on social media to impersonate you well enough so that they can reset your password by calling or emailing a help desk,” she said. “The help desk will often ask an individual, including the fraudster, simple questions about his or her life history or situation, details which might be readily available on Facebook or other social networks. If answered successfully, the help desk will reset the password and the fraudster will have access to your account. Hackers can use this type of information in connection with a stolen password to conduct a sensitive transaction, like a money transfer.”

Because this type of attack is so common, the international police organization Interpol has created a social engineering fraud website with further insights.

Take special care when shopping online. eMarketer and LexisNexis estimated e-commerce fraud reached $6.7 billion in 2016. Much of that came from losses related to phishing or fraudulent website attacks.

Purchases should be made only on sites whose URL begins with HTTPS rather than plain HTTP, BullGuard said. The added “S” means the connection is protected by TLS (still widely called SSL): the site presents a certificate, issued by a third-party certificate authority that has verified control of the domain name, and the browser uses it to authenticate the server and to encrypt the user’s data as it moves from the browser to the site’s server. HTTPS only protects data in transit and confirms the domain name, however; a phishing site can also obtain a valid certificate, so the padlock is no guarantee that the shop itself is legitimate.

Also, e-shoppers should purchase through an e-retailer’s official app, which avoids typing or following a URL that could be mistyped or spoofed. The app does not make the purchase private in itself: its traffic crosses the same public internet as the website’s and still depends on TLS, and some fraudsters have created not only fake websites but fake apps that use a variant of a retailer’s logo rather than the legitimate one. Install apps only from the official app stores and check that the publisher is the retailer.

Monitor your children’s online activities and gaming. One way to avoid problems is to set up a specific email account for game registration purposes. This is to separate gaming activity from email accounts with private information that includes contacts, bank account numbers and social media information, BullGuard advised.
