09/17/2018
Newbie2Security: Passwords
0A reader recently asked: “Everyone is saying to create difficult to guess passwords and not reuse them, but it’s impossible to track different passwords for every site – much less complex ones for every single site. How do I make sure my passwords are good enough for security, but not forget them continuously?”
Well, passwords are a tough nut to crack these days. Since you’re not supposed to re-use a password for more than one application/website, and since passwords should be complex, you’re stuck with trying to remember dozens of complex passwords. Most people give up and re-use passwords or use simpler and easier-to-guess passwords, leaving them open to attack. There’s good news, though, so let’s talk about passwords:
Passwords should be:
1 – Difficult for an attacker to guess
2 – Easy for you to remember
3 – Never re-used
4 – Complex enough so that they can’t be brute-forced (i.e. resistant to attacks)
Brute-force password cracking is simply an attacker trying a series of different combinations of letters, numbers, and symbols in turn to an attempt to happen upon your actual password. Most – but not all – applications and sites have some method in place to stop this from working; either by limiting the number of attempts at a password before the account becomes locked, or progressively slowing down the time between attempts until it becomes too difficult to carry out the attack.
Unfortunately, normal humans have a lot of trouble keeping track of dozens – if not hundreds – of very complex passwords. They might be able to manage 1, 2, and 4; but only at the expense of 3. If they do keep 3 as the primary goal they often run afoul of 1, 2, or 4.
The good news is that there are several ways that you can follow all four rules without losing track of any sites or losing your mind:
1 – Use a Password Manager: A password manager is simply a piece of software that will allow you to store your usernames and passwords for various sites and applications in a vault that is securely protected. This means you only have to remember one password (the one that lets you access the vault) instead of all the passwords for your sites and apps. You do need to be sure the password manager vendor is reputable and has a good history at security, but otherwise you set them up and keep them updated, but don’t have to worry about forgetting passwords. Even better, most will generate strong passwords on demand, allowing you to have unique passwords for every site and app without having to think them up yourself. 1Password and LastPass are two examples of well-established password managers that work across PC, Mac, and Mobile; and are also easy to use and work with no matter what browser you use. They’re not free (at least for the full feature-set you need to be using), but they’re reasonably priced and worth every penny.
2 – Use a Pass Phrase Instead: Who says a password has to only be one word? Complex passwords can just as easily be phrases or sentences if the site doesn’t limit how many characters you can use. How about “ThisIsMySecureGooglePassword!” for your Google account? It’s the right length, has upper and lowercase letters, has a special character, etc. It can also be modified for each site – and those modifications can be hard to guess if you change which word gets modified in a way you’ll remember.
NOTE: Do not, and I really can’t stress this enough – do NOT use that particular sentence. Now that it’s posted to a blog that’s online, it is public information and will get added to databases that attackers use to guess passwords. PLEASE think up a passphrase or sentence of your own.
4 – Never Use Public Information: Your maiden name, mother’s maiden name, zip code, pet’s name, kids’ names, etc. are all public information and should never be used in a password ever. If you have to give that information to other people (on Social Media, to your bank, etc.) in the clear (i.e. in plain text or verbally); then it is not suitable for use as a password.
5 – Keep Your Passwords Secure: Remember that no reputable site, service, app, or business will ever – EVER – ask you to tell them your password either online or on the phone. It is never necessary for them to do so. They can access your information via their own methods, and don’t need you to tell them your password in order to do it. So, if anyone claims they’re from FaceBook, or Microsoft, etc. either via email or phone and asks for your password; they’re lying and trying to steal your info. Also, never keep passwords written down in the physical world, or stored in a file in the digital world unless that file is properly encrypted and secured. So, a password manager that encrypts its vault is fine, but an excel spreadsheet that isn’t protected is not.
Defending yourself with strong, non-reused, passwords is a critical part of online security. These tips are not difficult to use, and typically cost either little or nothing at all to take advantage of. Take some time to follow proper “password hygiene” and you’ll find yourself in a safer place.
09/25/2018
Hold off on updating to Mojave – a good rule of thumb for any new OS
0by Mike Talon • Uncategorized
MacOS Mojave has been released to the public, and everyone wants the shiny new toy, but hang on before you click update. As with any OS, you should always wait for the first round of bugs and flaws to be fixed.
Mojave brings a lot of great security features to MacOS – like locking down Documents and other user folders most often targeted by malware and ransomware. It also brings some cool features to MacOS outside the security realm, like Dark Mode. In time, this OS will no doubt become the new standard for Apple’s desktops and laptops; just like High Sierra and Sierra before it. But that doesn’t mean you should run out and immediately upgrade to the new OS today, or even in the next few weeks.
Unlike iOS, which is a much more limited (from a technical perspective) platform, MacOS is much more open. I say this because a desktop or laptop running any OS can load and run software from thousands of sources – where an iPhone or iPad can only run software that has been at least somewhat vetted by Apple themselves before it is available in the app store. The system isn’t perfect, but for the most part updating to iOS 12 is safe because attackers have to first find a way to execute their code on the device, and they have a really hard time doing that through a downloaded app. iOS vendors (those that are still in business, anyway) also tend to update their stuff for the new iOS way ahead of time – since iOS typically allows for more backwards compatibility. MacOS, on the other hand, can run Chrome, Firefox, and other 3rd-party browsers alongside Safari – all of which can easily download malware. Since MacOS does allow non-signed applications to run, that means that a Mac-specific payload can easily find its way onto your machine. MacOS software developers also seem to require a few weeks to update their apps to either take advantage of new features, or to just plain work on the new version of MacOS – this is even more of a problem since Mojave is starting the process of ending 32-bit applications, making many apps that rely on 32-bit components rendered semi- or totally-non-functional until the vendor moves off those bits. So while iOS security and updating isn’t bulletproof by any stretch of the imagination, it’s far easier for a malware developer to get a Mac infected when compared to an iPhone or iPad, and for some reason more likely that your apps will be ready for a new version if iOS than MacOS.
What does this have to do with Mojave? Simple; both security researchers and malware developers have been pouring over the betas of the new desktop/laptop OS for months. There have already been several security holes found – and that’s before the OS officially even launched. Since malware makers can find many more ways to trick you into launching their code on MacOS, that’s where they will focus their time and effort, and most likely already have. A brand new OS will always have flaws that take some time to find. This is mostly because what happens in the lab isn’t always representative of what happens on hundreds of thousands of computers out in the real world. Developers can only check for so many things, and often they don’t even think of some of the ways that users and attackers find to break things.
Software developers have also been working with Mojave betas, but major software packages like Zoom web conferencing and others still haven’t ditched all the 32-bit code and are already experiencing major problems. Since Apple doesn’t test these apps, it’s up to the developers – who may often be focused on Windows or other platforms – to correct any conflicts with the new MacOS, and that takes time. In many cases, especially with enterprise apps, developers themselves may not have a full contingent of MacOS testers; and may not even realize how big the problem is until users start screaming.
When a new version of any OS (Windows, Linux, MacOS, etc.) is released, you should always wait until at least the first major patch. That means waiting for TWO “patch Tuesdays” on Windows (the first usually squashes bugs, while the second will include more security fixes); and until the 10.x.1 update for MacOS. It only takes 2-3 weeks, and you’re not missing out on much in the meantime. In fact, since there are always at least a few major non-security bugs and tons of application issues in the first few weeks of a new OS, waiting will make life a lot easier for you on many different levels beyond just safety and security.
So hang in there, and stick to High Sierra for a few more weeks. Everything still works just fine, and you don’t need Dark Mode today. Your frustration levels will be lower, and overall security will be higher, if you hold off for just a little time now.
Share this: