PASSWORD SECURITY

As an IT professional, one thing I deal with every day is passwords. When I'm helping a customer set up a new computer or a new account for e-mail, Facebook, or the like, I notice that people tend to underplay the importance of setting an effective password. I often even get questions like "Do I have to set a password?" or "Can't you set that to log in automatically?" Also, they often choose a password that only meets the minimum requirements.

Unfortunately, I also see the impact of weak passwords. Often clients only realize the significance when they suddenly can no longer access their e-mail or Facebook accounts, sometimes permanently; when their friends and family receive virus-ridden e-mails from them; or when they discover that someone has accessed their bank account or personal information.

All the major e-mail providers and social networking sites are constantly under attack from people who wish to exploit your personal information. In addition, the rapid increase in the processing power of today's computers has made it much easier for the nefarious to attack your password. In years past, it was less feasible for an attacker without personal information about his target to attempt to break a password, or at least the attacker was limited to a list of a few thousand common passwords to try. Now it is not unusual for computers to be capable of guessing several million (or even billion) combinations per hour, which allows an attacker to try every combination of characters for short passwords.

In years past, security experts recommended that you do things like add capital letters or symbols to your passwords, thus increasing the number of characters a computer would have to try. This led to passwords that looked like alpha#12 or Aze344Sdi. Unfortunately, this made it incredibly difficult for people to remember their passwords, and it ultimately makes little difference to a computer trying to guess your password.

In today's world, the best protection against a computer obtaining your password is to lengthen it beyond the typical 8-12 characters commonly used. There are a few techniques that can help you remember long passwords. One easy way is to use a "passphrase" instead of a "password". An example of a passphrase that I actually used in years past is BlueBirdsEatBlackSeeds. As you can guess, I created this password while watching a fat blue bird eating from a birdfeeder. Since the sentence is fairly literal it is easy to remember, and the memory of the moment in which it came to me also helps me remember it.

Another password creation technique is to string a few reasonably long words together, like PrimateCommandoConcussionHeaven, then associate those words with a mental picture that describes them to you. In this case I visualize a Primate and a Commando locked in an epic battle; one ends up with a concussion, and the other ends up in heaven. Making that mental image helps you remember, and it definitely works.

This all sounds great, but how are you supposed to remember 20 different phrases or word strings? Well, to be honest, you're not. If you have too many passwords to remember, I suggest getting a password manager. A password manager stores all your usernames and passwords inside an encrypted database that is locked by one master password; then you only have to remember your master password.


Links:

https://howsecureismypassword.net (password tester)
http://keepass.info (an excellent password manager)

Bad password examples:

Buckey123 (could take a computer as few as 11 minutes to break)
alpha#12 (could take a computer approximately 3 days to break)
Aze344Sdi (could take a computer approximately 39 days to break)

Good password examples:

Theskyisbluewithclouds (could take a computer as long as 100 trillion years to break)
BlueBirdsEatBlackSeeds (could take a computer as long as 400 quintillion years to break)
PrimateCommandoConcussionHeaven (could take a computer as long as 100 decillion years to break)
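As an added illustration that is not part of the original article, the Python script below estimates the exhaustive-search space for the passwords listed above: it works out which character classes each password uses, raises that alphabet size to the password's length, and converts the result to years at an assumed rate of one billion guesses per second. The guess rate is a constructed assumption, so the resulting figures are for comparing the passwords with each other and are not the estimates quoted above.

```python
import math
import string

# Character classes an exhaustive attacker must cover once a password is
# known to contain at least one character from each class.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
]

# Attacker speed assumed for this example (constructed, not from the article).
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of character classes needed to cover the password."""
    if not password:
        raise ValueError("empty password")
    size, covered = 0, set()
    for _, chars in CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    if not set(password) <= covered:
        raise ValueError("password uses characters outside the known classes")
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search of this length and alphabet must cover."""
    return alphabet_size(password) ** len(password)


def bits_of_entropy(password: str) -> float:
    """log2 of the search space; each extra bit doubles the attacker's work."""
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try the whole search space at the assumed rate."""
    return search_space(password) / rate / SECONDS_PER_YEAR


def compare(passwords):
    """Rows of (password, alphabet size, bits, years), weakest first."""
    rows = [(p, alphabet_size(p), round(bits_of_entropy(p), 1),
             years_to_exhaust(p)) for p in passwords]
    return sorted(rows, key=lambda row: row[3])


if __name__ == "__main__":
    for p, a, b, y in compare(["Buckey123", "alpha#12", "Aze344Sdi",
                               "Theskyisbluewithclouds", "BlueBirdsEatBlackSeeds",
                               "PrimateCommandoConcussionHeaven"]):
        print(f"{p:32} alphabet={a:3} bits={b:6} years={y:.3g}")
```

Buckey123 and Aze344Sdi get the same exhaustive figure because they share a length and an alphabet; the much shorter 11-minute estimate above reflects that attackers try dictionary words and common patterns before exhaustive search, so the exhaustive figure is only an upper bound.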


MANY EXPERIENCE TECH SUPPORT SCAM

It's Sunday afternoon, and maybe you're watching TV or doing housework, when the phone rings. It's a well-mannered caller with urgency in his voice, who explains that he is from Microsoft and that his team has detected the presence of a dangerous virus on your computer. He continues, telling you not to be alarmed: he can definitely remove this virus if you follow his instructions.

Regardless of what this person tells you, there is most likely nothing wrong with your computer. This is a recent type of scam affecting computer users nationwide. There are several known companies, typically in countries like India or Russia, that perpetrate this scam and others like it. They use scare tactics and misinformation to convince people to allow them remote access to their computer. Then, after performing some unneeded and likely useless actions, they request your bank account or credit card information for payment. Usually this payment significantly exceeds a typical service charge for this type of repair.

So what are the dangers? The main danger comes from the fact that you receive no confirmation of identity from the person on the phone. They say they are from Microsoft or some other reputable company, but they initiated the call and could be anyone, anywhere. Once you allow them into your computer, they have full control of it and can change security settings to make you vulnerable, copy personal files and information, or even install malicious software that could allow them to monitor or connect to your computer at a later time. In addition, if you give them financial information, there is nothing to prevent them from billing your accounts for whatever they desire. Then, because you don't really know who or where they are, you have little, if any, recourse.

So what should you do? If you have fallen victim to a scam like this, take your computer to a local computer professional and have them check it for malware and viruses. Then monitor your bank account and credit cards for unusual or unauthorized charges. If you still can, have your credit card company or bank dispute the charges, even the original service charges. If you receive one of these calls, report it to the company they were claiming to be from, and to law enforcement. You may not see any results directly, but if you report it, it is more likely that these scams will be stopped. Finally, never allow someone you do not know to connect remotely to your computer. There are many reputable companies that use remote administration to help customers, but a reputable company will never call you unsolicited, and it will always have a physical location where you can go in case of a problem. In short, make sure you are confident that the person you are speaking with is the person they claim to be.

How to prevent Malware Infection

Unbelievably, some estimates claim that up to 50% of computers worldwide are infected with some form of malware. Here are some tips on preventing viruses or other malicious software from invading your computer.

Never read email or open an attachment from an unknown source.
You have probably been told this for years, and it is still a very good practice. If it doesn't look or sound right, put it directly in the trash bin.
Avoid ALL advertisements.
When we see an advertisement on TV or in print, we are often very skeptical. But an advertisement on the internet that tells you your computer is slow or broken is often mistaken for an important message. It pays to know what real warning messages look like, and to be able to tell them apart from advertisements. Most web pages sell advertising space, so even when you're on a known webpage, it may contain advertisements from a third party. Advertisers will often sell you expensive, unnecessary software that actually contributes to the problem rather than fixing it.
Be wary of "Free" offers.
This really belongs in the above category, but it happens so often that I gave it its own category. On the internet, as in life, free rarely means truly free. Free offers often include spyware, adware, or even viruses, and should be viewed with extreme scrutiny or avoided altogether.
Always download software directly from the source.
Software on the internet can be distributed in many ways, some legitimate, some not. Always make sure that products you download or purchase come directly from the author. Software distributed by a third party may include unwanted advertisements or worse.
Always read all the "fine print".
Even software that does come directly from the author can sometimes include additional software from the author or from partnering companies. There is almost always a way to decline the installation of the additional products if you read carefully.
Keep your computer updated.
While it may sometimes seem that your computer requires updates continuously, it is extremely important to complete these updates in a timely manner. Their primary purpose is to fix security issues and correct bugs that could leave you vulnerable to malicious software or hackers.
Educate yourself.
You do not need to know everything about your computer to operate it safely. Knowing what software is installed on your computer and what it is for, or knowing which results from your favorite search engine are advertisements and which are not, goes a long way toward preventing malware.