TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Passwords

What Is A Password Spraying Attack?

Password spraying is a complex type of cyberattack that uses weak passwords to get into multiple user accounts without permission. Using the same password or a list of passwords that are often used on multiple accounts is what this method is all about. The goal is to get around common security measures like account lockouts.

Attacks that use a lot of passwords are very successful because they target the weakest link in cybersecurity: people and how they manage their passwords.

What is password spraying and how does it work?

A brute-force attack called “password spraying” tries to get into multiple accounts with the same password. Attackers can avoid account shutdown policies with this method.

Attackers often get lists of usernames from public directories or data leaks that have already happened. They then use the same passwords to try to log in to all of these accounts. Usually, the process is automated so that it can quickly try all possible pairs of username and password.

Password spraying has become popular among hackers, even those working for the government, in recent years. Because it is so easy to do and works so well to get around security measures, it is a major threat to both personal and business data security.

As cybersecurity improves, it will become more important to understand and stop password spraying.

How does password spraying differ from other cyberattacks?

Password spraying is distinct from other brute-force attacks in its approach and execution. While traditional brute-force attacks focus on trying multiple passwords against a single account, password spraying uses a single password across multiple accounts.

Understanding brute-force attacks

Brute-force attacks involve systematically trying all possible combinations of passwords to gain access to an account. These attacks are often resource- intensive and can be easily detected due to the high volume of login attempts on a single account.

Comparing credential stuffing

Credential stuffing involves using lists of stolen username and password combinations to attempt logins.

How can organizations detect and prevent password spraying?

Detecting password spraying attacks requires a proactive approach to monitoring and analysis. Organizations must implement robust security measures to identify suspicious activities early on.

Implementing Strong Password Policies. Organizations should adopt guidelines that ensure passwords are complex, lengthy, and regularly updated.

Deploying Multi-Factor Authentication. Multi-factor authentication (MFA) significantly reduces the risk of unauthorized access by requiring additional verification steps beyond just a password.

Conducting Regular Security Audits. Regular audits of authentication logs and security posture assessments can help identify vulnerabilities that could facilitate password spraying attacks.

Enhancing Login Detection. Organizations should set up detection systems for login attempts to multiple accounts from a single host over a short period. Implementing stronger lockout policies that balance security with usability is also crucial.

Incident Response Planning. This plan should include procedures for alerting users, changing passwords, and conducting thorough security audits.

Taking action against password spraying

To enhance your organization’s cybersecurity and protect against password spraying attacks, contact us today to learn how we can assist you in securing your systems against evolving cyber threats.

How To Make The Pain Of Passwords Go Away

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Passwords. They’re the keys to our digital kingdoms, but also the biggest pain in our necks.

They’ve been around since the dawn of the internet, and guess what? Even with replacements being introduced, they’re not going away anytime soon.

I’m sure you’ve felt the pain of managing a billion passwords for all your accounts. It’s exhausting and risky. Perhaps it’s time you considered using a password manager.

The real beauty of password managers is you only have to remember one password – the master password to log in to your manager. Then, it does everything else for you.

  • It creates long random passwords
  • It remembers them and stores them safely
  • And it will even fill them into the login page for you

That means no more wracking your brain trying to remember if your password is “P@ssw0rd123” or “Pa55w0rd123” (both are really bad and dangerously weak passwords, by the way). With a password manager, all the work is done for you.

We won’t sugar coat it – password managers aren’t invincible. Like all superheroes, they have their weaknesses. Cyber criminals can sometimes trick password managers into auto filling login details on fake websites.

But there are ways to outsmart criminals.

First, disable the automatic autofill feature. Yes, it’s convenient, but better safe than sorry, right? Only trigger autofill when you’re 100% sure the website is legit.

And when choosing a password manager, go for one with strong encryption and multi-factor authentication (MFA) where you generate a code on another device to prove it’s you.

These extra layers of security can make a big difference in making your accounts impenetrable.

Enterprise password managers offer useful features like setting password policies and analyzing your teams’ passwords for vulnerabilities. Plus, they often come with behavior analysis tools powered by machine learning tech. Highly recommended.

But here’s the thing – no matter how advanced your password manager is, it’s only as good as the person using it. So, do yourself a favor: Train your team to stay vigilant against scams, and always keep your password manager up to date.

We can recommend the right password manager for your business and help you and your team use it in the right way. Get in touch at (734) 457-5000, or info@mytechexperts.com.

 

You’d Be Lost Without It, So Don’t Forget Email Security

Let’s talk about something super important: Email security. Yep, we know it might not sound like the most thrilling topic, but it’s a big deal. Businesses like yours face more cyber threats than ever.

We’ve seen our fair share of cyber attacks, and let us tell you, many of them start with a simple email (official figures say it’s a massive 90%!). Yep, that innocent-looking message in your inbox could be the gateway for cyber criminals to wreak havoc on your business.

So, why is keeping your business email secure so important? Well, for starters, it’s your first line of defense against cyber attacks. Think of it like locking the front door of your house to keep out intruders.

If your email is secure, you’re making it a whole lot harder for cyber criminals to sneak in and steal your sensitive data.

But implementing proper email security measures safeguards your valuable data from getting lost or falling into the wrong hands.

It’s not just cyber criminals you’re at risk from; an employee could accidentally leave a laptop on a train or in a coffee shop.

That could mean all your important business communications and documents were suddenly open for someone else to read. It would be a nightmare, right?

You might be thinking, “But I’m just a small business. Why would I be a target?” Ah, but here’s the thing – cyber criminals don’t discriminate based on business size.

In fact, small and medium-sized businesses are often seen as easier targets. That’s because they may not have the same level of security measures in place as larger corporations.

So, don’t think you’re off the hook just because you’re not a Fortune 500 company.

Now that we’ve established why email security is crucial, let’s talk about how you can ramp up your defenses.

First off, use strong, unique passwords for your email accounts. None of that “p@ssW0rd123” nonsense, please.

Better still, use a password manager to create and store uncrackable passwords.

Consider implementing two-factor authentication for an extra layer of security (where you generate a login code on another device to prove it’s you).

And don’t forget to keep your software and security patches up to date – those updates often contain important fixes for vulnerabilities that cyber criminals love to exploit.

Lastly, educate your employees about the importance of email security. They could be your strongest defense or your weakest link when it comes to keeping your business safe from cyber threats.

Teach them how to spot phishing emails (emails pretending to be from someone you trust) and what to do if they suspect something isn’t right.

Remember, a little prevention now can save you a huge headache, time, trouble (and money) later. If we can help with that, get in touch.

It’s Time To Fix Your Risky Password Habits

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

We all know how important it is to keep our data safe, but sometimes our best intentions fall short. And when you have employees, you’re at an increased risk of security threats and bad habits creeping in.

Here’s the deal: Even if you invest in cyber security training, changing long held password habits can be a tough nut to crack. People love convenience, and remembering a ton of complex passwords just isn’t their idea of a good time.

Your employees are juggling dozens of passwords for work and personal use. It’s a lot to handle, and sometimes they slip up and reuse passwords across different accounts. It’s a familiar story, right? And it’s where the trouble starts.

When passwords are reused, it’s like leaving the front door wide open for cyber criminals. If the password is breached on one site, they will try it to access other sites.

Here’s how you can make sure your team stays on top of their password game.

Password audit: Ask your IT partner to do an audit of passwords and look for weak ones that should be changed.

Block weak passwords: Ask your IT partner to implement a password policy that stops common passwords from being used.

Scan for compromised passwords: Even strong passwords can be compromised. Stay one step ahead by scanning for breached passwords and prompting employees to change them.

Use password managers: Password managers securely generate then store a unique password for every different account… and fill them into the login box so your team doesn’t have to.

Multi-Factor Authentication (MFA): Add an extra layer of security with MFA, where you get a code on a separate device. It’s like putting a deadbolt on your front door – double the protection, double the peace of mind.

With the right tools and guidance, password security doesn’t have to be hard work. If we can help you with that, get in touch – (734) 457-5000.

Six Immediate Steps You Should Take If Your Netflix Account Is Hacked

Netflix is one of the most popular and well-known streaming services. The platform has become an essential part of many people’s daily entertainment routines. Unfortunately, like any online service, Netflix accounts can be vulnerable to hacking.

You might not think something as benign as Netflix could represent a security risk to your business. In most cases, your company laptop (as well as any devices your spouse or children might use) are connected to the same home network as your streaming services. This gives cyber-criminals an easy way to gain a foothold into your equipment.

Hackers take advantage of “phishing overload.” Once they breach your account, they’re usually quiet for a bit, hoping you’ll mistake the Netflix suspicious login warning for a fake.

Here are some things to do right away if you fear your account is hacked:
1. Go to the Netflix site & try to log in.
2. If you can log in, change your password immediately.
3. If you can log in, remove any strange payment methods
4. Contact Netflix support and let them know that you think you’ve been compromised (don’t skip this step).
5. Watch your bank statements.
6. Change the password for other accounts that used the same one as your Netflix account.

Is It Time To Ditch The Passwords For More Secure Passkeys?

Passwords are the most used method of authentication, but they are also one of the weakest.

Passwords are often easy to guess or steal. Also, many people use the same password across several accounts. This makes them vulnerable to cyber-attacks.

The sheer volume of passwords that people need to remember is large. This leads to habits that make it easier for criminals to breach passwords. Such as creating weak passwords and storing passwords in a non-secure way.

61% of all data breaches involve stolen or hacked login credentials.

In recent years a better solution has emerged – passkeys. Passkeys are more secure than passwords. They also provide a more convenient way of logging into your accounts.

Passkeys work by generating a unique code for each login attempt. This code is then validated by the server. This code is created using a combination of information about the user and the device they are using to log in.

You can think of passkeys as a digital credential. A passkey allows someone to authenticate in a web service or a cloud-based account. There is no need to enter a username and password.

This authentication technology leverages Web Authentication (WebAuthn). This is a core component of FIDO2, an authentication protocol. Instead of using a unique password, it uses public-key cryptography for user verification.

The user’s device stores the authentication key. This can be a computer, mobile device, or security key device. It is then used by sites that have passkeys enabled to log the user in.

More secure

One advantage of passkeys is that they are more secure than passwords.

Passkeys are more difficult to hack. This is true especially if the key generates from a combination of biometric and device data.

Biometric data can include things like facial recognition or fingerprint scans. Device information can include things like the device’s MAC address or location.

This makes it much harder for hackers to gain access to your accounts.

More convenient

Another advantage of passkeys over passwords is that they are more convenient. With password authentication, users often must remember many complex passwords. This can be difficult and time-consuming.

Forgetting passwords is common and doing a reset can slow an employee down. Each time a person has to reset their password, it takes an average of three minutes and 46 seconds.

Passkeys erase this problem by providing a single code. You can use that same code across all your accounts. This makes it much easier to log in to your accounts. It also reduces the likelihood of forgetting or misplacing your password, or worse, writing it down.

Phishing resistant

Credential phishing scams are prevalent. Scammers send emails that tell a user something is wrong with their account.

They click on a link that takes them to a disguised login page created to steal their username and password.

When a user is authenticating with a passkey instead, this won’t work on them. Even if a hacker had a user’s password, it wouldn’t matter. They would need the device passkey authentication to breach the account.

Why Should You Use Different Passwords For Different Accounts?

It’s common to have multiple online accounts for social media, online shopping, banking, and more. While having different accounts makes our lives more convenient, it also presents a security risk if we use the same password for all of them.

This is because if a hacker gains access to one of our accounts, they can potentially gain access to all of them if we use the same password. This is why it’s crucial to have different passwords on different accounts.

Having different passwords on different accounts is one of the most basic but important steps you can take to protect your online security.

By using unique passwords, you reduce the risk of a hacker gaining access to all of your accounts if they manage to crack one password. This is particularly important for accounts that contain sensitive information, such as online banking or medical records.

One reason why people tend to use the same password for multiple accounts is because it’s easier to remember.

However, there are ways to create strong and unique passwords without having to remember them all. One option is to use a password manager.

A password manager is a tool that generates and stores unique passwords for each of your accounts. All you have to do is remember one master password to access the password manager. Some popular password managers include BitWarden, Dashlane, and 1Password.

Another way to create strong and unique passwords is to use a passphrase instead of a single word. A passphrase is a combination of several words that are easy for you to remember, but difficult for others to guess. For example, instead of using the password “password123” you could use a passphrase like “MyDogate2BonesToday!”

It’s important to note that having different passwords is not enough to ensure complete security. It’s also important to use strong passwords that are difficult to guess or crack.

This means avoiding common words, phrases, or personal information that could be easily guessed.
Instead, use a combination of upper and lowercase letters, numbers, and symbols.

In addition to having different and strong passwords, it’s also important to update them regularly. This is because if a hacker gains access to an old password that you no longer use, they can still potentially use it to gain access to other accounts if you’ve used the same password for multiple accounts. It’s recommended to update your passwords every six months to a year.

One thing to keep in mind is that while having different passwords on different accounts is important, it’s not the only step you should take to protect your online security. It’s also important to enable two-factor authentication whenever possible.
Two-factor authentication adds an extra layer of security by requiring a second form of authentication, such as a code sent to your phone or an app.

While it may seem daunting to remember multiple passwords, password managers can help significantly.

By taking these basic steps, you can greatly reduce the risk of a security breach and protect your sensitive information online.

Are You Still Using That Same Old Password?

We talk a lot about strong passwords. It’s kind of our job. But they’re really important if you want to protect your online accounts and keep your data safe.

So why are we hearing that ‘123456’ is still the most common password? Researchers found it used more than 100,000 times in a recent study.

‘Admin’ is another popular choice, found 17,000 times, followed by the highly creative ‘root’ and ‘guest’. Often these are pre-set default passwords which you’re supposed to change when you first login – but too many people don’t bother.

Names – personal names, celebrities, even football teams – are also common, as are profanities. One swearword cropped up 300,000 times in the study (we’ll let you guess which word it was).

But popular choices make for weak passwords. A brute force attack involves throwing thousands of passwords at a system.

So if you’re using any of these examples, it wouldn’t take long for an attacker to gain access to your account.

A good solution is to use a password manager. This will create long, strong, random passwords that are impossible to guess. It also stores them securely and auto fills them, saving you time.

An even safer solution is Passkeys. These could take over from passwords entirely – Apple and Microsoft are already rolling them out across their apps and accounts. Passkeys consist of two ‘keys’: One on your device and one within the application.

When they connect and recognize each other as the right fit, you gain access to your account… all without clicking a button.

The best part is that you never have to remember a password. It’s all done within your device and the application, so it’s unlikely that a cyber criminal will ever be able to get their hands on your log in credentials. And there are 123456 reasons why that’s a good thing.

Need help to find the right password manager? Get in touch.

Do You Know Exactly What Services Your Staff Are Signing Up For?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Whatever problem, need, or want you have… there’s a cloud application out there that can help you.

We’ve never lived in a such a rich time for problem solving. Every day, hundreds of new services launch to make our lives easier and help us be more productive.

These applications all live in the cloud. They’re known as Software as a Service – or SaaS – because you don’t load any software onto your device. You use them in your browser.

We would argue this SaaS revolution over the last 15 to 20 years has played a critical part in shaping the way we work today.

However, there’s an issue. Many businesses aren’t 100% aware of what new services their staff have signed up for. And this problem isn’t a financial one; it’s a security one. [Read more…] about Do You Know Exactly What Services Your Staff Are Signing Up For?

The Way We Use Passwords Is Finally Changing

Passwords are a problem that companies are always trying to fix, but they are still essential for accessing pretty much anything online. And even now people aren’t changing them after a breach and then still use the same password to access multiple sites.

Reused passwords are a potential security problem because if a password has been compromised once, then hackers can use it to access other accounts if it’s been used as the sign-in for another site.

Truth be told, passwords are annoying for most people. If you look at the best practice password advice, it’s creating work for everyone:

  • Generate long random character passwords rather than using everyday words that can be guessed by cyber criminals’ automated software
  • Use a different password for every single application
  • Never write passwords down or share with a colleague

This is why we tell our clients to use a password manager. It’s a safe way to generate highly secure passwords, store them, and fill in login boxes so you don’t have to.

Recently we’ve heard that tech giants Microsoft, Apple and Google have joined forces to kill off the password and introduce its replacement.

That’s called a passkey.

It’s very simple. To login to something, you’ll use your phone to prove it’s really you.

Your computer will use Bluetooth to verify you’re sat nearby. Because Bluetooth only works a short distance, this should stop many phishing scams.

Then it’ll send a verification message to your phone. You’ll unlock your phone in the usual way, with your face, fingerprint, or PIN.

And that’s it. You’re logged in.

We could see this new no-password login being introduced to some of the world’s biggest websites and applications over the coming year. Exciting!