Password Sharing

Yes, we should guard our passwords like gold bars in Fort Knox. But at the same time, it’s prudent for individuals to ensure trusted people have access to their accounts. We discussed it before, but it’s worth doing it again, especially when it can prevent more heartache with the death of a loved one or a catastrophic event.

Password problems crop up all the time for both commercial and individual clients. They can be annoying, especially when spouses or kids constantly forget passwords, sending you on a hunt. They can be disruptive, especially when an employee leaves and you need to change passwords for accounts they used for your business. They can be downright heart-rending, especially when you need to handle the affairs of family members or friends who have become incapacitated or have passed away.

That last group of problems takes on particular urgency because you’re out there alone. There’s nobody to help you know what to look for and where to find it – especially while you’re working in a highly emotional atmosphere.

All these problems are avoidable, with or without technological solutions.

Unfortunately, we learned about the non-tech side of it when our friend committed suicide. In his deep depression, he knew his family would be devastated. Yet he had the presence to leave detailed information about what his survivors would need to close his affairs and carry on with their lives. It probably made things easier, though nobody involved could know how much while dealing with their grief.

Because we depend on website access to manage just about every aspect of our personal and professional lives, a trusted person or small group of people must have complete information for all usernames and passwords. The info can be on a list that’s printed out or written in a notebook and stored in a safe place. Most of you probably have a fireproof storage box or a safe for important documents such as birth certificates or passports anyway. There’s nothing wrong with hard copies.

However, we can’t emphasize strongly enough that you can set up a password manager with a family-and-friends feature that solves just about all password and web-based account access problems. You only need to remember one strong master password to access all your websites. We like Dashlane for its reliability and ease of use, but it’s not the only one. And regardless of whether it’s for personal/family use or business, certain principles still apply.

Here’s what to look for:

  1. The ability to work across multiple devices and platforms. Everyone depends on being able to use computers, phones, tablets, and even smart watches seamlessly. Many people use Windows, Apple, and Android systems individually and in corporate networks. Your password manager must be able to work on all devices and platforms.
  2. Facial recognition. We believe this is the most efficient biometric for speed and security, especially when you’re on the go and using a mobile device. In some cases, you don’t even need your master password. That’s a great convenience.
  3. The ability to share passwords with a family-and-friends capability or a corporate plan. Whether it’s another annoying request from a family member or a critical request from a business associate who needs instant access, you can find the password they need and give it to them. It can also make it much easier to oversee the affairs of loved ones when necessary.

We look forward to the day when biometrics or some other technology will eliminate the need for passwords. When that day comes, all of our information will be more secure, and it will be easier to access our websites and online accounts. Until that day comes, a password manager is your best bet to handle everyday online life and emergencies.

We can help you select the password manager that best meets your needs, and we can help you configure an individual plan or a multi-user plan. Call us – 973-433-6676 – or email us to discuss your needs or for configuration help.

Cookies, Passwords, and Computerless Invasions

We disdain cookies and passwords so much that we expose our sensitive data to hackers who never need to invade our computers, phones, or tablets to get it. There’s so much information about each of us out there, yet we use skeleton keys instead of padlocks to protect what we can.

You can adjust your cookie settings to limit tracking cookies, but website operators make it cumbersome – because they want advertisers and merchants to pay them for ways to track you across the internet and sell you stuff. Cookies get a lot of notoriety because of that, but they also serve useful purposes. They enable a site to direct you properly to the areas you need to go to and display appropriately for your browser and device.

Tracking cookies are another matter. They can tell anyone who plants a tracking cookie on your device where you go, and that’s creepy on the one hand and dangerous on the other.

I generally ignore all those cookie messages or just accept all cookies. I feel that many trackers already have information on me, and I am confident I’m savvy enough to avoid online traps. You should be, too, if you follow us regularly. The ads and even the phishing expeditions are a royal annoyance, but you’re safe if you’re smart.

Tracking cookies get dangerous when they converge with weak passwords. This affects business and personal internet use, and here’s how cybercriminals get you.

Once cyberstalkers know where you go, they can make some guesses about your username, which usually has an element of your name or your entire email address, and they have software to try to crack passwords. If you have a weak password – such as the first initial, last name, and 123 that a friend who got hacked used – they’ll crack it. And if you use it at multiple sites, they’ll get into every one of them. And they never had to get into your computer to get into your accounts. The clues were out there to find your bank account or credit card number to clean you out or go on a shopping spree.

The problem, of course, is with a weak password and the lack of a password manager. As an aside, if you are hacked, we use your cookies to see where you’ve been and see if something there has led to someone getting your info and maybe your money.

Finding a strong, unique password or several really strong passwords that you can easily remember is not that hard. What’s an odd association with your name or something you see when you look out the window? What’s a number that’s not tied to your birthday, phone number, or something else that could be part of your public record? What’s a random word that relates to nothing? Where can you substitute a number or special character for a letter? Following that process, any combination of 12 to 16 characters should give you a strong password.

If you combine a strong password with a password manager, you can let the password manager generate random strings of letters, numbers, and characters that become strong passwords. And if your password manager and the websites you visit have facial recognition capability, it’s simpler, stronger, and even faster.

We can help you configure a password manager for individuals or groups, and we can help with improving your password security. Call us – 973-433-6676 – or email us to discuss your needs and develop a plan.

Is LastPass’s Hack the Last Word?

In a word: hardly. LastPass getting breached seems like the equivalent of Fort Knox getting breached; it’s not supposed to happen. So far as we know, none of the gold, which represented the monetary value of US currency in circulation, was ever taken from Fort Knox. But password manager LastPass was breached, and data was taken.

The implications are stunning, to say the least. We’ve put our trust in password manager programs, and LastPass compounded the problem for its customers by being breached twice and by not being as quick or as transparent about it as it could have been. From all reports, the latest breach occurred in late August, when access was gained to parts of their developer environment through a single compromised developer account. They said the intruder took some source code and proprietary technical information. In mid-September, they reported that the intruder was in their system for four days, but that the incident did not involve any access to customer data or encrypted password vaults.

Just after Thanksgiving, LastPass reported that the knowledge gained from the first breach was used to breach the system again, and that the hacker gained access to certain elements of customer information. Just before Christmas, the hacker got customer account information such as names, billing addresses, email addresses, telephone numbers, and their encrypted vaults. They hastened to add that the data was strongly encrypted and that decrypting it required the customer’s master password.

The bad news is that this was a series of breaches, and that’s not good. Over time, the attacker was able to target a separate employee to gain two critical pieces of information: access keys to a cloud environment and decryption keys for that cloud environment. With both, the attacker could easily download copies of the vaults and the other customer data stored there.

Although each customer’s vault was encrypted, the vaults also contained unencrypted fields. The attacker likely downloaded all the available information from each vault and could use the unencrypted fields to try to crack the master password by brute force.

LastPass doesn’t have the best track record in the industry, and what happened there can happen to any password manager. But you can take steps to minimize the impact if it happens to your password manager.

We highly recommend that you activate two-factor authentication (2FA) for every web-based account you have. Some will give you the option to verify a specific computer, phone or tablet one time, while others will require verification every time you log in. Most systems work through text messages to cell phones because you’re most likely to have your phone with you. Some 2FA systems will send you an email with a code to enter or a link to click. They’re good if your email is secure.

So, make sure you secure your email accounts. Require 2FA – to your cell phone if possible – to access your email account from the web. List a secondary email address in case there’s a problem. It can be through another email provider, or it can be a person you trust.

2FA works with password managers, and it’s effective as long as the password manager itself hasn’t been hacked. If any of the stored data was unencrypted, it could have been stolen (another good reason to set up 2FA with a text-message code).

You can manage your password manager and enhance security by keeping it updated. You can change your master password at any time, and you can use the manager to change your passwords at any time. The programs offer random generation of passwords, and you can take advantage of that. It takes away any excuse you have for using the same password for multiple websites.

You can back up your password manager by downloading your website login info from the manager. Most people download the info to a .csv or .xls spreadsheet file. It’s a good idea to do this periodically and store a hard copy in a safe place. If you decide to change password managers, you can export your file to a new password manager. We suggest you create a new master password if you do that and then create new passwords for each account.

There are ways to download your password list with encryption, but they can be a little complicated. Call us – 973-433-6676 – or email us to set up a time for us to walk you through it. You can also contact us with any questions you have about password managers – selecting one or installing one.

Understanding MFA and Other Security Measures

We recently added a new home-user client through the Nextdoor website, and during our initial conversations, we covered a lot of security issues. The new client, an elderly gentleman, had a really good handle on his online security. There’s a lot for us to unpack as individuals and as those who have elderly parents – though some of this can apply to everyone.

First, let’s look at passwords. While this discussion is inspired by our new client, our conversation can apply to anyone because we never know when someone will not be able to access vital personal information either stored on a computer or device or in the cloud.

When we take on a new elderly client, we spend a lot of time talking about online security, including passwords, password managers and MFA. We were heartened to learn our new client knew all about using his passwords properly. He seemed to understand the system better than many of our younger clients.

When he asked about using a password manager, a subject he brought up, we advised against it. While password managers can greatly enhance online security and can be extremely convenient (think about accessing a website from your mobile phone when you’re in an urgent situation), everyone needs to know the law of unintended consequences. Every password manager has an encryption key tied to the master password, and without that master password, you won’t get in. That includes you as the account owner and anyone else who might need to get into a website on your behalf.

We told him it would be preferable to write all his passwords in a book. It doesn’t need to be locked in a safe, but it should be kept in a secure place – and at least one other trusted person should know where it is. This is critically important for the elderly or anyone else who may need someone to manage their affairs because of some impairment or death.

Second, let’s look at the forms of security generally known as two-factor authentication (2FA) or multi-factor authentication (MFA).

We discussed using MFA for his online banking and financial activity, and he said: “That is so easy, everyone should be doing it.”

I agree wholeheartedly. It’s not that complicated to use once you set it up. In most cases, you can link the authentication to a specific device or devices, such as a computer, tablet or phone. When you do that, you can sign in to a website account from the authorized device(s) without going through the authentication every time – or you can set it up to require authentication every time. It becomes difficult if somebody is trying to sign in to your account from another device, but of course, this is what the process is designed to do.

The way most MFA processes work is that when you sign in from a device, a code is sent by text message to a phone or to an email address. Once you receive the code, you enter it on a designated page associated with the website. The complication will come if someone is legitimately signing in on your behalf from an “unknown” device. That person will need access to the message carrying the code.
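To make the flow described above concrete from the website’s side, here is an added example (not code from this newsletter or from any particular provider) showing what a server has to keep track of for a text-message or email code: the code itself, when it expires, how many wrong guesses are allowed, and which devices the user has chosen to “remember” so they can skip the code next time. The class name, the five-minute lifetime, the five-attempt budget and the 30-day device trust are assumptions chosen for illustration; the clock is injectable so the behaviour can be checked without waiting.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 300                    # assumed: a code is worthless after five minutes
MAX_ATTEMPTS = 5                          # assumed: discard the code after this many wrong guesses
TRUSTED_DEVICE_SECONDS = 30 * 24 * 3600   # assumed: how long "remember this device" lasts


class SecondFactor:
    """Server-side bookkeeping for one-time login codes and remembered devices.

    Constructed example: everything lives in memory, and the clock can be
    injected so expiry can be exercised deterministically.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # user -> [code, expires_at, attempts_left]
        self._pending: Dict[str, list] = {}
        # (user, device_id) -> trust expires_at
        self._trusted: Dict[Tuple[str, str], float] = {}

    def needs_code(self, user: str, device_id: str) -> bool:
        """A device the user verified earlier and chose to remember skips the code."""
        expires_at = self._trusted.get((user, device_id))
        return expires_at is None or self._now() > expires_at

    def issue(self, user: str) -> str:
        """Create a fresh six-digit code. The caller delivers it by text or email;
        it must never be returned to the browser that asked for it."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user: str, submitted: str, device_id: Optional[str] = None,
               remember: bool = False) -> bool:
        """Accept the code once, before it expires, within the attempt budget."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False
        # Constant-time comparison so response timing does not leak matching digits.
        if not hmac.compare_digest(code.encode(), submitted.strip().encode()):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[user]     # a new code must be issued to try again
            return False
        del self._pending[user]             # single use
        if remember and device_id is not None:
            self._trusted[(user, device_id)] = self._now() + TRUSTED_DEVICE_SECONDS
        return True


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")                     # would be texted or emailed in practice
    print("laptop needs code:", sf.needs_code("alice", "laptop"))
    print("verified:", sf.verify("alice", code, device_id="laptop", remember=True))
    print("laptop needs code now:", sf.needs_code("alice", "laptop"))
```

The three properties that matter for the “someone signing in on your behalf” case are all visible here: the code is single use, it expires, and a remembered device is scoped to one user and one device identifier, so a helper on a different device still has to receive the message.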

Another security measure that works for iOS devices is Apple’s iCloud Keychain. Functioning like a password manager to some extent, it allows you to use your device access code to activate a complex password to enter a secure website.

We can help you understand all the benefits and pitfalls of using MFA. The big concerns, obviously, are making sure you don’t lock yourself out of your account and knowing what to do if your phone is not working. Call us – 973-433-6676 – or email us to get comprehensive information about MFA and password managers and to configure your systems to work best for your needs.

Password Problems Revisited

To take our discussion of vanishing passwords one step further, some recent service calls for clients who’ve been hacked – some multiple times – have provided still more reasons to move on to newer technologies.

We are getting numerous calls from clients to help them set up Dashlane, including one client who has been hacked seven times. We tried to get them to use Dashlane or Password Keeper. Now, they’re ready to do it the right way. They’re ready to move beyond the annoyance of having to remember or look up passwords for security and type them into a website. For now, Dashlane or another password manager can resolve the issue for most people who are fearful of trading passwords for newer password-less technologies.

As we’ve noted, people set up passwords that are easy to remember or type. There’s generally enough repeatability that a code cracker can solve the puzzle you’ve tried to create. That happened with our client, whose bank account was hacked. As we were setting up Dashlane and downloading emails, we noticed the client had been getting alerts that the password had been changed. They had not made those changes. It took a phone call to resolve that issue, and it took Dashlane to ward off the hackers.

We should note here that there are a couple of important side lessons to learn from this experience. The first is on you: Call the company – and don’t necessarily use the phone number in the email; get one from their website. The second is on the companies: Make it easier to get a human on the phone when somebody has a security issue. We went through five layers of voice prompts before talking to a person.

Once the “alert” issue was resolved, we were able to fully install Dashlane. The process does take time. Installing any password manager requires you to pay attention to details and maybe some repetition. For financially sensitive accounts, you may want to generate another round of new random-pattern passwords as an extra layer of security. A password management program should allow you to print a copy of your database with all of your passwords – just in case there’s a mistake or if you decide to stop using the program. It should also work across all of your devices: computers, phones, tablets, etc. If you are one of the growing number of people who use an infotainment system in your car like a computer, you might want to change sensitive passwords frequently – as often as once a week.

Again, you only need to remember your master password for the password manager, and that can be a tremendous time saver, especially if you need to access a website from a mobile device.

But again, we believe you should use password-less technologies. They’re more secure, and they are easier to use than many perceive. For example, many Windows 10 computers have Windows Hello, and you can use that to add a fingerprint reader. The reader itself is about the size of a wireless mouse device and plugs into a USB port. Similarly, many mobile devices can use your fingerprint to verify you are the owner and user. If your computer or device has this capability, we strongly urge you to use it.

Many computers and devices also have built-in cameras that can be used for biometrics, and some advanced security measures use locations and usage patterns in place of passwords. As a backup, all of these measures have provisions for a PIN or a password if the biometric program can’t be used or if you don’t want to use it.

We can help you set up a password manager or – better still – go password-less. Call us – 973-433-6676 – or email us to get answers to your questions or to set up an appointment to manage your online security.

Generated Passwords Resolve Two Issues

During the recent holidays, I decided to get around to that one project I’d been meaning to do: change all my passwords. I have 241 unique passwords, and even though my password manager at the time gave them strong scores, I just wasn’t happy with the whole situation. So, I dived into a project for the generations.

As you should expect, I’ve read all the security alerts and everything I could find out about layers of security at the websites I visit for personal matters and those I use to serve clients. Each site is different, and that includes the two-factor authentication steps. It should give you comfort to know that using website passwords can be as complex as nuclear-launch codes – though it’s not comforting to think that any code can be cracked.

Randomly generated passwords that are frequently changed offer the best protection against cracking, which is why nuclear-launch codes always change – and why codes for keyless-entry systems for homes, cars and garages are essentially one-time codes designed to thwart anyone with a code scanner who sits near your car or home. Some password managers can change random passwords automatically when a website requires it. No matter which one you use, you’ll need to have a master password – and that’s the only password you’ll need to remember.

Changing all of your passwords is not a task for the faint-of-heart. You’ll need to have a password manager program, such as Dashlane, LastPass or 1Password, and you’ll need to pay attention to details. I happen to like Dashlane for two of its features: random password generation and its integration with all browsers and operating systems. I consider those features to be critical.

When you use a password manager to generate random passwords, you need to pay attention to the requirements of each website. Some websites require the use of symbols, but many of them restrict you to certain symbols. Some require upper- and lower-case letters, and some require numerals. Many websites specify a certain number of characters in a password, such as 8 to 12 or 12 to 16. Just be mindful of all requirements when you set up the random password generator for each website.

One of the steps I took – and something highly recommended for financial websites – was to create a randomly generated password, log in to the site to make sure it worked, and then change it almost immediately. Each randomly generated password should be impossible to remember because it should lack any kind of pattern. For example, there doesn’t appear to be anything meaningful to me in FdXKCX9ZKsw. When a website requires you to change the password, you should have a password manager that does this automatically. Dashlane and LastPass do this, but they handle the process differently.
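The site-by-site rules described above (which symbols are accepted, which character classes are required, and the allowed length range) are exactly what a generator has to respect. The following is an added example, not code from this newsletter or from Dashlane, LastPass or 1Password, of a small policy-aware generator: it draws characters uniformly from the site’s alphabet, rejects any draw that misses a required class, and reports an entropy estimate so you can see why the longest length a site allows is the one to pick. The `SitePolicy` class and its default symbol set are constructed stand-ins, not any real site’s rules; the 11-character `FdXKCX9ZKsw` from the paragraph above is used only as a test input.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SitePolicy:
    """Constructed stand-in for one website's password rules (hypothetical)."""
    min_len: int
    max_len: int
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    allowed_symbols: str = "!@#$%^&*"   # many sites restrict which symbols they accept


def alphabet_for(policy: SitePolicy) -> str:
    """Every character the site will accept; symbols only if the site allows any."""
    return string.ascii_lowercase + string.ascii_uppercase + string.digits + policy.allowed_symbols


def meets_policy(password: str, policy: SitePolicy) -> bool:
    """Check length, allowed characters and each required character class."""
    if not policy.min_len <= len(password) <= policy.max_len:
        return False
    alphabet = alphabet_for(policy)
    if any(ch not in alphabet for ch in password):
        return False
    required = [
        (policy.require_lower, string.ascii_lowercase),
        (policy.require_upper, string.ascii_uppercase),
        (policy.require_digit, string.digits),
        (policy.require_symbol, policy.allowed_symbols),
    ]
    return all(not needed or any(ch in chars for ch in password)
               for needed, chars in required)


def _check_satisfiable(policy: SitePolicy, length: int) -> None:
    """Refuse policies that could never be met, so generate() cannot loop forever."""
    required_classes = sum([policy.require_lower, policy.require_upper,
                            policy.require_digit, policy.require_symbol])
    if policy.require_symbol and not policy.allowed_symbols:
        raise ValueError("policy requires a symbol but allows none")
    if policy.min_len > policy.max_len or not policy.min_len <= length <= policy.max_len:
        raise ValueError("requested length is outside the site's range")
    if length < required_classes:
        raise ValueError("length too short to hold every required character class")


def generate(policy: SitePolicy, length: Optional[int] = None) -> str:
    """Generate a random password that satisfies the site's rules.

    Defaults to the longest length the site allows, because every extra
    character from the same alphabet adds the same amount of entropy.
    """
    length = policy.max_len if length is None else length
    _check_satisfiable(policy, length)
    alphabet = alphabet_for(policy)
    # Rejection sampling: draw uniformly from the full alphabet and retry until
    # every required class is present. This keeps the result uniform over all
    # compliant passwords, unlike forcing one symbol into a fixed position.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, policy):
            return candidate


def entropy_bits(policy: SitePolicy, length: int) -> float:
    """Upper bound on the entropy of a generated password: log2 of the number
    of strings of that length over the site's alphabet."""
    return length * math.log2(len(alphabet_for(policy)))


if __name__ == "__main__":
    policy = SitePolicy(min_len=12, max_len=16)
    pw = generate(policy)
    print(pw, meets_policy(pw, policy), round(entropy_bits(policy, len(pw)), 1), "bits")
```

Running it for a 12-to-16 character site prints a 16-character password and roughly 98 bits; an 8-character password over the same 70-character alphabet gets only about 49 bits, which is why the generator defaults to the top of the allowed range.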

If you want to change your password manager, you can download all of your passwords so that you can re-enter them in your new password manager.

You should also know that your master password resides locally on your computer or mobile device. If you change computers, phones or tablets, you’ll need to re-enter your master password manually, not all your passwords – and it’s probably a good idea to do so to protect your data.

There are two keys to making a password manager and randomly generated passwords work. One is to make sure that the password manager itself is the latest version available and that you install all updates. Remember, as we’ve said so many times before, updates almost always include security patches and bug fixes.

The other key is to have a strong master password – really a passphrase. An effective passphrase should be something long – 20 to 30 characters – that you can remember and that doesn’t contain any information about you that’s available in public records. It should include upper- and lower-case letters, at least one number and at least one special character. Even if you change it every two or three months, it’s the only one you need to remember.

We can help you evaluate password managers and help you with the installation process. We think passwords have to become extinct as other security measures take hold, but for now, passwords are deeply ingrained in our online lives. Call us – 973-433-6676 – or email us for password manager help.