Is It Time To Ditch The Passwords For More Secure Passkeys?

Passwords are the most used method of authentication, but they are also one of the weakest.

Passwords are often easy to guess or steal. Also, many people use the same password across several accounts. This makes them vulnerable to cyber-attacks.

People have a large number of passwords to remember. This leads to habits that make them easier for criminals to breach, such as choosing weak passwords, reusing them, and storing them in an insecure way.

61% of all data breaches involve stolen or hacked login credentials.

In recent years a better solution has emerged – passkeys. Passkeys are more secure than passwords. They also provide a more convenient way of logging into your accounts.

Passkeys work with a pair of cryptographic keys. When you register a passkey, your device creates a private key that never leaves the device and a public key that the site stores with your account. On each login the site sends a fresh random challenge, the device signs it with the private key, and the server validates the signature using the stored public key. No secret is ever typed in or sent over the network, so a breached server has no password to leak and a phishing page has nothing to capture.

You can think of passkeys as a digital credential. A passkey allows someone to authenticate in a web service or a cloud-based account. There is no need to enter a username and password.

This authentication technology is built on Web Authentication (WebAuthn), the W3C standard that, together with the FIDO CTAP protocol, makes up FIDO2. Instead of a shared secret such as a password, it uses public-key cryptography for user verification.

The user’s device stores the private key. This can be a computer, a mobile device, or a dedicated security key; passkeys can also be synced between a user’s devices through a platform or password-manager account. The key is then used by sites that have passkeys enabled to log the user in.

More secure

One advantage of passkeys is that they are more secure than passwords.

Passkeys are much harder to compromise. The private key is generated on the device and never leaves it, and using it requires the device’s local unlock: a biometric such as a fingerprint or face scan, or the device PIN.

The biometric is checked on the device and is never sent to the website, so there is no biometric database for an attacker to steal. Because the website stores only the public key, a breach of its user database exposes nothing that can be used to log in, and the key cannot be guessed, cracked, or reused the way a password can.

This makes it much harder for hackers to gain access to your accounts.

More convenient

Another advantage of passkeys over passwords is that they are more convenient. With password authentication, users often must remember many complex passwords. This can be difficult and time-consuming.

Forgetting passwords is common and doing a reset can slow an employee down. Each time a person has to reset their password, it takes an average of three minutes and 46 seconds.

Passkeys remove this burden. Each account gets its own passkey, which your device or password manager creates and stores for you, and you unlock all of them with the same gesture: a fingerprint, a face scan, or your device PIN. Nothing has to be remembered per account, so there is nothing to forget, misplace, or worse, write down.

Phishing resistant

Credential phishing scams are prevalent. Scammers send emails that tell a user something is wrong with their account.

They click on a link that takes them to a disguised login page created to steal their username and password.

When a user authenticates with a passkey instead, this won’t work on them. A passkey is tied to the domain of the site it was created for, so the browser will not offer it on a look-alike domain, and the signature the device produces covers the origin the user was actually on, so a login relayed through a fake page fails verification at the real site. Even if a hacker had a user’s password, it wouldn’t matter; they would need the user’s device, and the ability to unlock it, to breach the account.

Why Should You Use Different Passwords For Different Accounts?

It’s common to have multiple online accounts for social media, online shopping, banking, and more. While having different accounts makes our lives more convenient, it also presents a security risk if we use the same password for all of them.

This is because if a hacker gains access to one of our accounts, they can potentially gain access to all of them if we use the same password. This is why it’s crucial to have different passwords on different accounts.

Having different passwords on different accounts is one of the most basic but important steps you can take to protect your online security.

By using unique passwords, you reduce the risk of a hacker gaining access to all of your accounts if they manage to crack one password. This is particularly important for accounts that contain sensitive information, such as online banking or medical records.

One reason why people tend to use the same password for multiple accounts is because it’s easier to remember.

However, there are ways to create strong and unique passwords without having to remember them all. One option is to use a password manager.

A password manager is a tool that generates and stores unique passwords for each of your accounts. All you have to do is remember one strong master password to access the password manager. Some popular password managers include Bitwarden, Dashlane, and 1Password.

Another way to create strong and unique passwords is to use a passphrase instead of a single word. A passphrase is a combination of several words that are easy for you to remember, but difficult for others to guess. For example, instead of using the password “password123” you could use a passphrase like “MyDogate2BonesToday!”

It’s important to note that having different passwords is not enough to ensure complete security. It’s also important to use strong passwords that are difficult to guess or crack.

This means avoiding common words, phrases, or personal information that could be easily guessed. Length matters most: a long passphrase beats a short password no matter how many symbols the short one contains. Where a site enforces complexity rules, add upper and lowercase letters, numbers, and symbols to a long passphrase rather than to a short word.

In addition to having different and strong passwords, change a password promptly whenever there is any sign it has been exposed: a breach notice from the service, a warning from a breach-monitoring tool, or a login from a device you don’t recognize. An old password you stopped using on one site is still in the attacker’s hands and will be tried against your other accounts, which is one more reason never to reuse one. If you rotate passwords on a schedule, make the replacement a fresh, unrelated one; a predictable variation of the old password buys nothing.

One thing to keep in mind is that while having different passwords on different accounts is important, it’s not the only step you should take to protect your online security. It’s also important to enable two-factor authentication whenever possible. Two-factor authentication adds an extra layer of security by requiring a second form of authentication, such as a code from an authenticator app, a code sent to your phone, or a hardware security key. App-generated codes and security keys are preferable to text messages, which can be intercepted or redirected to a phone number the attacker controls.

While it may seem daunting to remember multiple passwords, password managers can help significantly.

By taking these basic steps, you can greatly reduce the risk of a security breach and protect your sensitive information online.

Do You Know Exactly What Services Your Staff Are Signing Up For?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Whatever problem, need, or want you have… there’s a cloud application out there that can help you.

We’ve never lived in such a rich time for problem solving. Every day, hundreds of new services launch to make our lives easier and help us be more productive.

These applications all live in the cloud. They’re known as Software as a Service – or SaaS – because you don’t load any software onto your device. You use them in your browser.

We would argue this SaaS revolution over the last 15 to 20 years has played a critical part in shaping the way we work today.

However, there’s an issue. Many businesses aren’t 100% aware of what new services their staff have signed up for. And this problem isn’t a financial one; it’s a security one.

Lessons Learned From The Colonial Oil Pipeline Attack

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

May 7, 2021 will be a day that goes down in history. This is the day the Colonial Pipeline went down, causing a nationwide disruption. Even though the pipeline only serves a portion of the east coast, the effects of the shutdown were felt across the country.

Gas prices skyrocketed, lines at gas stations were so long it took hours to get through, and gas stations were pumped dry as people bought gas and put it in whatever container they could gather just to assure themselves they would have enough to get through the closure.

If you think about it, this type of ripple effect is not confined to energy and utility providers. While the scale would not be at the level of the pipeline, the damage an outage could leave in its wake for your business and your customers is just as real.

An Easier Way To Secure Your Password

Mark Funchion is a network technician at Tech Experts.

Between new threats and new tech, security is something that can always be improved upon to make sure your systems are as secure as possible. Passwords are the first level of security, and the area that seems to cause the most headache for end users and IT managers.

In an ideal world, every password would be super complex. For example, a 32-character randomized password with capital letters, lowercase letters, special characters, and numbers. This is possible with a password manager – or if you’re really skilled at memorizing random character strings (unlikely).

The reality is that this does not occur, so most of us use passwords that are less secure than we’d hope. Attackers get at passwords in a few ways: guessing them directly at the login page, cracking them offline from the hashed copies stolen in a breach (trying common words and patterns first, then every combination), and taking passwords leaked from one site and trying them on every other. The results feed back into the wordlists and credential databases that nefarious individuals use to gain access to your accounts.

The biggest issue with passwords is the human factor. We like things to be simple, so we use things that are familiar. When we have to change a password, we change it in predictable ways, and usually write it on a sticky note.

Let’s look at “Password” as a password. Yes, it’s terrible, but really, it’s eight characters with one capital letter. A password cracker will eventually break “ushtGsgt” too; the difference is how long it takes. Cracking programs try common words and phrases and their usual variations first, so “Password” falls in an instant, while “ushtGsgt” survives the wordlist and only falls when the program brute-forces every eight-letter combination, which against a fast, unsalted hash is a matter of hours on modern hardware.

Again, looking at human nature, if one hundred people are asked to make the word “Password” harder to guess, most will swap the “o” for a zero. That’s then added to the list of words and phrases checked first. If the same one hundred people are asked to add a special character and a number, most will probably create something like “Password1!”

Why? Because it is easy to remember, and the “1” and “!” are convenient. Since so many of us will use the same variations of passwords, these become common and therefore are more easily broken.

These reasons are why it’s recommended to use three uncommon, unassociated words as a password (and to not use that combination for all your passwords). For example: “GiraffeDiamondCoffee.” An algorithm will still crack this eventually, but it’s easier to remember and not easily guessed so it will take a while to crack.

The longer it takes, the less likely they will actually get to your data. By using three different random words for your passwords, it is much less likely that your combination of words ends up in the frequently used list, adding more security. You can also easily add numbers and special characters to meet security requirements as needed.

The best practice is to use a password manager and use super complex passwords. Otherwise, using three-word passwords like “GiraffeDiamondCoffee” can boost your security. It may look easy – but it is a 20-character password, so it’s more secure than “P@$$w0rd1!”

Computers that are cracking passwords will try every combination and can test over 100 million guesses per second (far more against weak hash types), so a 10-character password, even with numbers and special characters, has only about 95^10, roughly 6 × 10^19, combinations. A 20-character password using only capital and lowercase letters like “GiraffeDiamondCoffee” has 52^20, roughly 2 × 10^34, which is several hundred trillion times more. While the second password seems much easier to crack to the human eye, it’s much more complex in reality. One caveat: if an attacker knows you build passwords from three common words, the search shrinks to (size of the wordlist)^3, so pick words that are uncommon, unrelated, and ideally chosen at random.

Do yourself a favor: change how you create your passwords and make your information that much more secure – without making it impossible for you to login to your applications and websites.

Changing Your Password Has Changed

If you didn’t know, changing your password regularly is so 2018. No, as ever in the world of tech, things have moved on and there are better, easier ways of doing it now.

We’re not suggesting you stick with the same password you’ve been using for the last 10 years. And certainly not suggesting you use the same password across multiple apps.

Today, the most secure way to keep your passwords safe is to use a random generator for each new password. And then use a password manager to keep them all safe for you.

A random generator will create passwords you couldn’t possibly remember yourself – even if you could recite pi to 100 digits. They’re really… random. Which is perfect for keeping your accounts secure.

The password manager comes in and stores these passwords safely for you. So no more jotting down random characters in the back of a notebook.

Together, they make the perfect team. And we suggest that you get your own team to use them, now.

If you’re unsure how to set this up, or you would like some help to find the password manager that would be best for your business, call us at 734-457-5000. We’d love to help.

Make Remembering Passwords A Thing Of The Past

Using weak passwords is risky. So is using the same password across different services.

If you do this, it means that once somebody has your email address and password, they’ll find it incredibly easy to access your other accounts.

This can wreak havoc on your digital life and within your business. And the damage can spill over into serious real-world inconvenience too.

This is especially true if identity theft is involved, or if they’ve managed to break into your social media or bank accounts.

Data breaches happen every day. And once your passwords and email addresses are out there, you never know whose hands they’ll end up in (many get sold on something called the Dark Web, a kind of hidden internet for criminals).

But what can you do to keep your passwords safe and your digital accounts secure?

Use a password manager
Instead of scratching your head to come up with a new password for each account, use a password manager to automatically generate long, random, strong passwords.

It’ll also remember them for you. You only need to remember one password… the master password to access the password manager.

The best password managers let you customize how long your passwords are, and what kind of characters they should include. They keep the vault encrypted under your master password while still giving you easy access across all your devices.

We can set you up with an Enterprise Password Manager (the one we use) and train you and your team on how to best use it – simply get in touch!

Turn on multi-factor authentication (MFA)
As well as setting up a password manager, turn on multi-factor authentication (MFA) wherever possible. When you log in to your accounts, you’ll need to provide an additional proof, usually a one-time security code, as a second means of keeping your account secure.

These codes can be sent to you by text message or email. Better still, set up an authenticator app on your phone; it generates a new code every 30 seconds from a secret shared with the service, so there is nothing to intercept in transit. Some applications also support a hardware security key that you plug into your computer, or a hardware token that displays codes rotating every 30 or 60 seconds. A plug-in security key is the strongest option, because it checks the website’s domain and cannot be tricked by a look-alike login page.

Multi-factor authentication is available on most software and is considered a highly effective tool against hackers.

Even if they’ve got your login details they can’t get in without your phone or key. Bear in mind that text-message and emailed codes are the weakest form: a code can be phished just like a password, and a criminal who takes over your phone number or email account receives them too, which is why the email account that receives codes needs its own strong password and MFA.

We recommend you implement this for all apps your staff use.

After an initial bit of discomfort, they’ll soon get used to it. We can guide you and your team through the whole process – just give us a call!

Password Security: Lock Your Digital Doors Too

Mark Funchion is a network technician at Tech Experts.

Password security may not be on the forefront of everyone’s minds – but it’s more important and easier than ever.

Password security issues have been going on for a long time. Back in November 2014, a webpage started livestreaming security cameras from around the world that had not updated the default credentials. In the US alone, there were over 11,000 cameras livestreaming; a year later in December 2015, there were still almost 6,000 cameras live. [CSOonline.com]

Then in December 2019, many Ring camera accounts were hacked – not with default passwords this time, but actual hacks on accounts without two-factor authentication. [vice.com]

What exactly is two-factor authentication? Two-factor authentication means a second confirmation after your password. This second method is often sent to your cell phone as a text or through an app, which you then input or confirm. Many banks require this, but there are also lots of other sites which have it as an option, like Ring.

While many people see this as an inconvenience, it is a safety feature and it’s becoming the new standard for security.

A good analogy for this is a deadbolt on your door. Your door handle has a working lock, but it is not too hard to get through that lock.

As a second security method, you turn your deadbolt to make it much harder to access your home. That is your physical two-factor authentication – and if it is important enough for entry physically into your home, it should be important for virtual access as well.

Even if you do not have two-factor authentication, at least changing the default passwords and using different passwords across all your accounts are vital steps to more secure accounts. While it’s very convenient to have one password for all your accounts, it also means that if one account is compromised, they are all compromised.

If a hacker gains access to an account and you use the same password for your email, they can “verify” account ownership and change your passwords to lock you out.

That’s why your method of two-factor has to be secure too. If you have verification codes sent to your email and your email password is “password,” that second factor is not helping. It’s just a second “door” that a hacker can walk right through. Not much of a defense.

Going back to the importance of changing default passwords, most of us own a lot of devices in our house that are network-connected. And it is very easy to plug them in, take all the defaults, and go on with your day.

If you live in an area with a lot of neighbors nearby, take a look at the wireless networks you can see.

From my desk at work, I can see over ten networks that are outside of our office. The signals from insecure devices aren’t kept within the walls of your own home.

A quick Google search can tell you the default username and password of almost anything, including insecure devices that might be in your own home. In the Symantec Internet Security Threat Report for 2019 [https://docs.broadcom.com/doc/istr-24-2019-en], 60 percent of the IoT attacks (Internet of Things – meaning everything Internet-connected) used a username of “root” or “admin” and over 40 percent of the attacks used a password of “123456” or left that field blank. Not the word “blank” – an actual password of nothing.

People almost always worry about security in some form: we lock our cars, our houses, our cell phones. The same philosophy should be applied to our technology.

Take the time to change your passwords, use varying passwords, and change them periodically. It does not take much of a hacker if we don’t bother to lock our own doors.

Password Versus Passphrase… Which Is Best?

Passwords are something you use almost every day, from accessing your email or banking online to purchasing goods or accessing your smartphone.

However, passwords are also one of your weakest points; if someone learns or guesses your password they can access your accounts as you, allowing them to transfer your money, read your emails, or steal your identity. That is why strong passwords are essential to protecting yourself.

However, passwords have typically been confusing, hard to remember, and difficult to type. In this newsletter, you will learn how to create strong passwords, called passphrases, that are easy for you to remember and simple to type.

Passphrases
Passphrases are a simpler way to create and remember strong passwords.

The challenge we all face is that cyber attackers have developed sophisticated and effective methods to brute force (automated guessing) passwords. This means bad guys can compromise your passwords if they are weak or easy to guess.

An important step to protecting yourself is to use strong passwords. Typically, this is done by creating complex passwords; however, these can be hard to remember, confusing, and difficult to type.

Instead, we recommend you use passphrases: a series of random words or a sentence. The more characters your passphrase has, the stronger it is. The advantage is these are much easier to remember and type, but still hard for cyber attackers to crack.
Here are two different examples:
Sustain-Easily-Imprison
Time for tea at 1:23

What makes these passphrases so strong is not only are they long, but they use capital letters and symbols. (Remember, spaces and punctuation are symbols.) At the same time, these passphrases are also easy to remember and type.

You can make your passphrase even stronger by adding more words. Replacing letters with numbers or symbols, such as the letter ‘a’ with the ‘@’ symbol or the letter ‘o’ with the number zero, adds far less than it appears, because cracking tools try exactly those substitutions; treat it as a way to satisfy a site’s complexity rule rather than as real added strength.

If a website or program limits the number of characters you can use in a password, use the maximum number of characters allowed.

Using Passphrases Securely
You must also be careful how you use passphrases. Using a passphrase won’t help if bad guys can easily steal or copy it.

Use a different passphrase for every account or device you have. For example, never use the same passphrase for your work or bank account that you use for your personal accounts, such as Facebook, YouTube, or Twitter. This way, if one of your accounts is hacked, your other accounts are still safe.

If you have too many passphrases to remember (which is very common), consider using a password manager.

This is a special program that securely stores all your passphrases for you. That way, the only passphrases you need to remember are the ones to your computer or device and the password manager program. Never share a passphrase or your strategy for creating them with anyone else, including coworkers or your supervisor. Remember, a passphrase is a secret; if anyone else knows your passphrase, it is no longer secure.

If you accidentally share a passphrase with someone else, or believe your passphrase may have been compromised or stolen, change it immediately. The only exception is if you want to share your key personal passphrases with a highly trusted family member in case of an emergency.

Do not use public computers, such as those at hotels or Internet cafes, to log in to your accounts. Since anyone can use these computers, they may be infected and capture all your keystrokes. Only log in to your accounts on trusted computers or mobile devices.

Be careful of websites that require you to answer personal questions. These questions are used if you forget your passphrase and need to reset it. The problem is the answers to these questions can often be found on the Internet, or even on your Facebook page.

Make sure that if you answer personal questions you use only information that is not publicly available or fictitious information you have made up.

Can’t remember all those answers to your security questions? Select a theme like a movie character and base your answers on that character. Another option is, once again, to use a password manager. Most of them also allow you to securely store this additional information.

Many online accounts offer something called two-factor authentication, also known as two-step verification.

This is where you need more than just your passphrase to log in, such as a passcode sent to your smartphone. This option is much more secure than just a passphrase by itself. Whenever possible, always enable and use these stronger methods of authentication.

Mobile devices often require a PIN to protect access to them. Remember that a PIN is nothing more than another password. The longer your PIN is, the more secure it is. Many mobile devices allow you to change your PIN to an actual passphrase or use a biometric, such as your fingerprint.

If you are no longer using an account, be sure to close, delete, or disable it. (This article is reprinted with permission from the SANS Security Center OUCH! newsletter.)

How Google Password Checkup Can Protect Your Data

Jason Cooley is Support Services Manager for Tech Experts.

While the terminology between a data breach and data leak may not seem very important, being prepared to react to compromised data is. Let’s start with knowing the difference between a breach and a leak.

A data breach is an unauthorized intrusion into any private system to access any sensitive data. Data breaches are typically the work of hackers.

A data leak may result in the same end game scenario, but differs greatly in that a leak is data left exposed or accessible, often accidentally.

While the hope is that you are protected and that your passwords are all secure, this realistically isn’t the case. You can have the strongest password possible, but depending on what information may be sold or accessible, the security can be entirely out of your hands.

Worse, a breach or leak won’t always make national news or show signs of unauthorized access.

If you see an out of state charge on your debit card, you’ll have a good idea that you didn’t make the purchase and suspect that you’ve been compromised. In the case of seeing unauthorized charges, the issue is clear.

However, say your email is compromised. It isn’t so obvious.

Perhaps the person with your credentials will monitor for a time in order to find valuable information on you or others.

There are so many ways to be compromised and so many types of information that someone with access to your account may be looking for.
In the past, I have used a few different websites to periodically check. This is obviously problematic, as reputable sources for compiling breached information are not overly abundant.

Being an IT professional, I felt comfortable looking for these sources. I do not recommend the same for just anyone.

Luckily, you no longer have to search to find any potentially compromised accounts. Google’s “Password Checkup,” first released as a Chrome extension and since built into Chrome and Google Password Manager, is here to help.

Google Password Checkup is a browser extension that alerts you to any potentially compromised accounts.

While the browser extension is installed and enabled, it checks any account you log into using Google Chrome.

Now, this is not a foolproof protection blanket. While this is a great tool, it only checks against any data breaches that Google is aware of.

These are the same type of searches I mentioned earlier. While I would have to search before, Google Chrome can handle the work here.

If there is potential that your account is compromised, you should ensure you take steps to recover the account and change the passwords.

While there is no surefire way to remain safe, stay diligent. Remember to make sure your computer isn’t compromised by regularly running your anti-virus software.

Much like you lock your door at home, make sure you are taking care of your personal information.

Using Google’s Password Checkup is a great start, but it’s only a start. Change your passwords regularly and keep them unique.

A passphrase is a great way to have a password that is easy to remember but difficult to guess.