Some of the strongest passwords you can use are the ones you don’t have to remember. Strange as that may sound, it’s true, if you use a password manager. A password manager creates and securely stores strong, unique passwords for each of your accounts—and does all the remembering for you. And remembering is the root of the problem when it comes to insecure passwords. Consider how many passwords you have across all your accounts. Then consider the old passwords for accounts and online forums you no longer use, along with all the times you created a password for an online store that you only shopped at once or twice. All those passwords, it’s too much to keep track of, let alone manage. And that leads to insecure passwords. Simple passwords. Or passwords that get used again and again across several accounts. Hackers count on that. They love it when people use simple passwords, reuse passwords, grab passwords out of the dictionary, or base their passwords on their pet names that a hacker can easily glean from a victim’s social media posts. They also love “brute force” tools that help them break into accounts by quickly feeding account logins with thousands of potential passwords in minutes. So when you make your life easier with simple or reused passwords, you make life easier for hackers too. That’s where a password manager comes in. It makes life easy for you to stay secure while still making it tough on hackers—particularly tough with strong, unique passwords for each of your accounts that can you update on a regular basis, which offers some of the strongest protection you have against hackers hijacking your accounts.
First up, let’s look at password practices in general while keeping a few things in mind. Hackers will look for the quickest payday. In some cases they’ll work with a long list of accounts that they’re trying to break into. If a password on that list proves difficult to crack they’ll move on to the next in the hope that it’ll have a poor password that they can easily crack. It’s a sort of hacker economics. There’s often little incentive for them to spend extra time on a strong password when there are plenty of weak ones in the mix. So what do poor passwords look like? Here are a few examples:
On the flip side, here’s what a strong password looks like:
Long, complex, unique, and updated, all described as above—how do you manage all that without creating a string of gobbledygook that you’ll never remember? You can do so with a passphrase. A phrase will give you those 12 or more characters mentioned above, and with a couple extra steps, can turn into something quite unique and complex. Here’s a three-step example:
Now you have a password that you can remember with a little practice, one that still challenges the tools that hackers use for cracking passwords.
When you consider the number of accounts you need to protect, creating strong, unique passwords for each of your accounts can get time consuming. Further, updating them regularly can get more time consuming still. That’s where a password manager comes in. A password manager does the work of creating strong, unique passwords for your accounts. These will take the form of a string of random numbers, letters, and characters. They will not be memorable, but the manager does the memorizing for you. You only need to remember a single password to access the tools of your manager. A strong password manager also stores your passwords securely. Ours protects your passwords by scrambling them with AES-256, one of the strongest encryption algorithms available. Only you can decrypt and access your information with the factors you choose. Additionally, our password manager uses MFA—you’ll be verified by at least two factors before being signed in.
Whether it’s the passwords you’ve created or the master password for your password manager, consider making an offline list of them. This will protect access to your accounts if you ever forget them. Be sure to store this list in a safe, offline place—recognizing that you want to protect it from physical theft. A locking file cabinet is one option and a small fireproof safe yet more secure. A password manager is just part of your password security solution. For example, you’ll also want to use comprehensive online protection software to prevent you from following links in phishing attacks designed to steal your account login information. The same goes for malicious links that can pop up in search. Online protection software can steer you clear of those too. In some cases, bad actors out there will simply shop on the dark web for username and password combos that were stolen from data breaches. An identity monitoring service such as our own can alert you if your information ends up there. It can monitor the dark web for your personal info, including email, government IDs, credit card and bank account info, and more. Ours provides early alerts and guidance for the next steps to take if your data is found on the dark web, an average of 10 months ahead of similar services.
A password manager takes the pain out of passwords. It creates strong, unique passwords for every account you have. That includes banking, social media, credit cards, online shopping, financial services, or what have you. The entire lot of it. And remember, remembering is the thing with passwords. Hackers hope you’ll get lazy with your passwords by creating simple ones, reusing others, or some combination of the two because that makes it easier to remember them. That’s the beauty of a password manager. It does the remembering for you, so you simply go on your way as you go online. Safely.
The post The Strongest Passwords and the Best Way to Create (and Remember) Them appeared first on McAfee Blog.
Imagine that you want to pull up a certain file on your computer. You click on the file and suddenly a notice flashes on your screen saying your computer is compromised and to get your files back, you need to pay up. This is known as ransomware, a nasty type of malware that is no longer reserved for multimillionaires and corporations. Cybercriminals are holding hostage computer files and sensitive personal documents of ordinary people for their own financial gain.
Here’s everything you need to know about how ransomware makes it on to your devices and seven digital safety habits you can start today to prevent it from happening to you.
Ransomware infects connected devices – smartphones, laptops, tablets, and desktops – when the device owners unknowingly click on links or popups that have malicious software embedded within them.
Phishing attempts are a common vehicle for spreading ransomware. The cybercriminal veils their malicious links in emails, texts, or social media direct messages that urge a quick response and threaten dire consequences. For example, a phisher may impersonate a bank and demand the innocent recipient click on a link to recover a large sum of money. Instead, the link directs not to an official bank website, but to a malware download page. From there, the ransomware software takes hold and allows the cybercriminal to stalk and lock your most important files.
If a cybercriminal reaches out to you and notifies you that they have your files hostage, do not engage with them and never pay the ransom. Even if you do pay the ransom, there’s no guarantee that the criminal will release your files. They’re a criminal after all, and you cannot trust them. Giving in and paying ransoms bolsters the confidence of cybercriminals that their schemes are successful, thus they’ll perpetuate the scam.
Remain calm and immediately disconnect your ransomware-infected device from the Wi-Fi. This will prevent the program from jumping from one device to another device connected to the same network. Then, on another device, visit the No More Ransom Project. This initiative, supported by McAfee, has a repository of advice and code that may rid your device of the malicious program. Additionally, report the event to the Cybersecurity & Infrastructure Security Agency. An agent may be able to help you unlock your device or advise you on how to proceed.
The best way to prepare for ransomware is to prevent it from happening in the first place. These seven online habits are a great way to keep your devices and the valuable personally identifiable information they store from falling into the hands of cybercriminals.
A cybercriminal has no leverage if your device doesn’t house anything of value. Back up your most important files every few months, either to the cloud or save them onto a hard drive. This way, if you do get a ransomware infection, you can wipe your device and reinstall your files from the backup. Backups protect your data, and you won’t be tempted to reward the malware authors by paying a ransom.
When updating your credentials, you should always ensure that your password is strong and unique. It’s dangerous to reuse the same password across accounts because all it takes to put your accounts at risk is for one data breach to leak your password onto the dark web. It’s nearly impossible to memorize all your different password and username combinations, so entrust a password manager to store them for you.
Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification to enter an online account. For instance, you’ll be asked to verify your identity through a one-time code sent to a cellphone or to answer a security question in tandem with a correct password. This additional step in the login process deters ransomware plots because if you store your important documents behind a multi-factor authentication-protected cloud program, the criminal has nothing of value to hold hostage.
Don’t click on links or respond to emails, social media direct messages, and texts from people you don’t know. This is important since phishers often trick people into downloading malware and ransomware software through disguised links.
Using a security extension on your web browser is one way to browse more safely. McAfee WebAdvisor, for instance, alerts you when you’ve ventured onto risky sites that could harbor malware. Websites that claim to have free TV shows, movies, and software are among the riskiest.
Public Wi-Fi networks – like those at libraries, coffee shops, hotels, and airports – are often not secure. Since anyone can log on, you can’t always trust that everyone on the network has good intentions. Cybercriminals often hop on public networks and digitally eavesdrop on the devices connected to it. So, you can either avoid public Wi-Fi altogether and only access the internet through 5G, or you can enable a virtual private network. A VPN is a truly private network that encrypts your internet traffic, making you completely anonymous online.
Don’t ignore your devices’ notifications to update your software. Keeping your software up to date is an excellent way to deter cybercriminals from forcing their way onto your device. Software updates usually include critical security patches that close any holes that a ransomware plot could squeeze through.
To boost your peace of mind, opt for an extra layer of security with a solution like McAfee+ Ultimate, which includes up to $25,000 in ransomware coverage. McAfee+ Ultimate also includes a VPN, password manager, and safe browsing extension to keep your online comings and goings private.
The post 7 Tips to Protect Your Devices and Private Information from Ransomware appeared first on McAfee Blog.
What if I told you... that you could run a website from behind Cloudflare and only have 385 daily requests miss their cache and go through to the origin service?
No biggy, unless... that was out of a total of more than 166M requests in the same period:
Yep, we just hit "five nines" of cache hit ratio on Pwned Passwords being 99.999%. Actually, it was 99.9998% but we're at the point now where that's just splitting hairs, let's talk about how we've managed to only have two requests in a million hit the origin, beginning with a bit of history:
Optimising Caching on Pwned Passwords (with Workers)- @troyhunt - https://t.co/KjBtCwmhmT pic.twitter.com/BSfJbWyxMy
— Cloudflare (@Cloudflare) August 9, 2018
Ah, memories 😊 Back then, Pwned Passwords was serving way fewer requests in a month than what we do in a day now and the cache hit ratio was somewhere around 92%. Put another way, instead of 2 in every million requests hitting the origin it was 85k. And we were happy with that! As the years progressed, the traffic grew and the caching model was optimised so our stats improved:
There it is - Pwned Passwords is now doing north of 2 *billion* requests a month, peaking at 91.59M in a day with a cache-hit ratio of 99.52%. All free, open source and out there for the community to do good with 😊 pic.twitter.com/DSJOjb2CxZ
— Troy Hunt (@troyhunt) May 24, 2022
And that's pretty much where we levelled out, at about the 99-and-a-bit percent mark. We were really happy with that as it was now only 5k requests per million hitting the origin. There was bound to be a number somewhere around that mark due to the transient nature of cache and eviction criteria inevitably meaning a Cloudflare edge node somewhere would need to reach back to the origin website and pull a new copy of the data. But what if Cloudflare never had to do that unless explicitly instructed to do so? I mean, what if it just stayed in their cache unless we actually changed the source file and told them to update their version? Welcome to Cloudflare Cache Reserve:
Ok, so I may have annotated the important bit but that's what it feels like - magic - because you just turn it on and... that's it. You still serve your content the same way, you still need the appropriate cache headers and you still have the same tiered caching as before, but now there's a "cache reserve" sitting between that and your origin. It's backed by R2 which is their persistent data store and you can keep your cached things there for as long as you want. However, per the earlier link, it's not free:
You pay based on how much you store for how long, how much you write and how much you read. Let's put that in real terms and just as a brief refresher (longer version here), remember that Pwned Passwords is essentially just 16^5 (just over 1 million) text files of about 30kb each for the SHA-1 hashes and a similar number for the NTLM ones (albeit slight smaller file sizes). Here are the Cache Reserve usage stats for the last 9 days:
We can now do some pretty simple maths with that and working on the assumption of 9 days, here's what we get:
2 bucks a day 😲 But this has taken nearly 16M requests off my origin service over this period of time so I haven't paid for the Azure Function execution (which is cheap) nor the egress bandwidth (which is not cheap). But why are there only 16M read operations over 9 days when earlier we saw 167M requests to the API in a single day? Because if you scroll back up to the "insert magic here" diagram, Cache Reserve is only a fallback position and most requests (i.e. 99.52% of them) are still served from the edge caches.
Note also that there are nearly 1M write operations and there are 2 reasons for this:
An untold number of businesses rely on Pwned Passwords as an integral part of their registration, login and password reset flows. Seriously, the number is "untold" because we have no idea who's actually using it, we just know the service got hit three and a quarter billion times in the last 30 days:
Giving consumers of the service confidence that not only is it highly resilient, but also massively fast is essential to adoption. In turn, more adoption helps drive better password practices, less account takeovers and more smiles all round 😊
As those remaining hash prefixes populate Cache Reserve, keep an eye on the "cf-cache-status" response header. If you ever see a value of "MISS" then congratulations, you're literally one in a million!
Full disclosure: Cloudflare provides services to HIBP for free and they helped in getting Cache Reserve up and running. However, they had no idea I was writing this blog post and reading it live in its entirety is the first anyone there has seen it. Surprise! 👋
I think I've pretty much captured it all in the title of this post but as of about a day ago, Pwned Passwords now has full parity between the SHA-1 hashes that have been there since day 1 and NTLM hashes. We always had both as a downloadable corpus but as of just over a year ago with the introduction of the FBI data feed, we stopped maintaining downloadable behemoths of data.
A little later, we added the downloader to make it easy to pull down the latest and greatest complete data set directly from the same API that so many of you have integrated into your own apps. But because we only had an API for SHA-1 hashes, the downloader couldn't grab the NTLM versions and increasingly, we had 2 corpuses well out of parity.
I don't know exactly why, but just over the last few weeks we've had a marked uptick in requests for an updated NTLM corpus. Obviously there's still a demand to run this against local Active Directory environments and clearly, the more up to date the hashes are the more effective they are at blocking the use of poor passwords.
So, Chief Pwned Passwords Wrangler Stefán Jökull Sigurðarson got to work and just went ahead and built it all for you. For free. In his spare time. As a community contribution. Seriously, have a look through the public GitHub repos and it's all his work ranging from the API to the Cloudflare Worker to the downloader so if you happen to come across him say, at NDC Oslo in a few months' time, show your appreciation and buy the guy a beer 🍺
Lastly, every time I look at how much this tool is being used, I'm a bit shocked at how big the numbers are getting:
That's well more than double the number of monthly requests from when I wrote the blog post about the FBI and NCA only just over a year ago, and I imagine that will only continue to increase, especially with today's announcement about NTLM hashes. Thank you to everyone that has taken this data and done great things with it, we're grateful that it's been put to good use and has undoubtedly helped an untold number of people to make better password choices 😊
Do you use any of these extremely popular – and eminently hackable – passwords? If so, we have a New Year’s resolution for you.
The post The world’s most common passwords: What to do if yours is on the list appeared first on WeLiveSecurity
There are no ifs, ands, or buts about it: A stolen identity creates a mess. Once they have a few key pieces of personally identifiable information (PII), an identity thief can open new credit lines, create convincing new identities, and ruin an innocent person’s good credit.
If you suspect you’ve been affected by identity theft, acting quickly is key to stopping the thief and repairing the damage. Here are the definitive five steps of identity remediation, or the process of restoring and protecting the privacy of your identity.
With a stolen identity in hand, thieves can open new lines of credit or apply for large loans using someone else’s excellent credit score for leverage. If undetected, fraudsters can run up huge bills, never pay them, and in turn, ruin the credit score that you spent years perfecting. When you suspect or confirm that your identity has been compromised and you’re in the United States, alert the three major credit bureaus: Equifax, TransUnion, and Experian.
Freezing your credit means that no one (not even you) can open a new credit card or bank account. This prevents criminals from misusing your identity. Initiating a credit freeze is free and it doesn’t affect your credit score.
Once you suspect a criminal has stolen your identity, file a report with the Federal Trade Commission. Its official identity theft website includes a form for you to detail the circumstances. From there, the FTC will investigate.
It’s important to file a report because law enforcement can get involved and hopefully stop the criminal from striking again. Also, an official document from law enforcement or the FTC may help your bank and the credit bureaus resolve the damage.
Whenever a company with which you have an account is breached, the first step you should take is to quickly change your password. The same goes for when your identity is compromised with the added step of getting in touch with your banks and asking their fraud department to issue you new credit and debit cards and put them on alert for possible suspicious charges.
Having unique passwords for all your accounts is crucial to keeping them secure. For instance, if one of your accounts is breached and a cybercriminal lifts that username and password combination, they may then attempt to use it on other sites. To ensure you have strong passwords and passphrases for every site, consider using password manager software. Password managers are incredibly secure and make it so you only have to remember one password ever again.
In addition to freezing your credit, you may have to sync up with each bureau to remedy any damage the identity thief may have done to your credit. Each bureau’s fraud department is very familiar with these scenarios, so their customer service department is experienced and more than willing to help you work through it.
Once you’ve cleaned up the immediate mess made by an identity thief, it’s important to continuously monitor your identity in case the thief is biding their time or pieces of your PII are still circulating on the dark web. Plus, the headache of one compromised identity incident is enough for someone to never want it to happen again. Identity monitoring is a very thorough process that will give you peace of mind that you’ll be protected and can enjoy your online life safely.
These five steps, while important, can be tedious. It may require a lot of patience to sit on hold and sift through all the relevant forms. Luckily, McAfee is an excellent partner who can help you with all your identity remediation needs with just one service: McAfee+ Ultimate. For example, security freeze is an easy way to put a halt on your credit. McAfee’s identity monitoring service monitors up to 60 unique types of personal details. If your PII appears on the dark web, Personal Data Cleanup can remove it.
Recover and move forward confidently after an identity theft with McAfee by your side.
The post Everything You Need to Know About Identity Remediation appeared first on McAfee Blog.
Oh, the scammers online are frightful, and the deals they offer seem delightful. No matter what you think you know, let it go, let it go, let it go (to the tune of 1945’s Let it Snow by Vaughn Monroe with the Norton Sisters).
‘Tis the season to find ourselves awash in good tidings and, well, consumerism. While it’s only partly tongue in cheek, we must be honest with ourselves. We spend a lot of money online. Often, we find ourselves leaving things to the last minute and hope that the delivery folks can make the magic happen and send us all the widgets and grapple grommets while we surf the Internet from the safety of our sofas with coffee in hand.
But, not every deal is what it appears to be. Scammers are always lurking in the void of the Internet waiting for a chance to fleece the unexpecting from their hard-earned money. This can manifest itself to the unsuspecting in many ways. There are shipping frauds, gift card giveaways and vishing (phone-based scams).
Scams tend to rely on generating a false sense of urgency. The shipping scam emails often show up in our inboxes as a warning about a missed or delayed package that will be sent back to the point of origin if we don’t answer quickly. Of course, this requires a payment to receive the fictitious package.
These types of shipping scam emails are quite effective this time of year when more often than naught many people have enough orders coming to their house to make a fort with the empty boxes.
The other kinds of attacks are the gift card scams and vishing. The first of which taps into the sense of excitement that a person might receive something for free. “Fill out this form with your credit card information for a chance to win a $200 gift card.” Sadly, this attack works well for older generations for which giveaways were more common and they aren’t as accustomed to spotting digital swindlers.
The last scam that we will tackle here is often labeled as vishing or voice phishing. This is a method whereby the attackers call a victim and attempt to convince their target that they need to do something which will lead to the exposure of financial information while pressuring the victim to think if they don’t act quickly that they will miss an opportunity for personal gain.
Unfortunately, the aforementioned scams really bring in a lot of return for the criminal element. In 2021, over 92,000 victims over the age of 60 reported losses of $1.7 billion. This represents a 74 percent increase in losses over losses reported in 2020.
One additional scam that plays on the heart strings is the romance scams. A lot of single people find themselves lonely during the holidays and can be manipulated into thinking that they’ve found a romantic match. But this can drain the bank accounts as well.
In 2021, the IC3 received reports from 7,658 victims who experienced over $432 million in losses to Confidence Fraud/Romance scams. This type of fraud accounts for the highest losses reported by victims over the age of 60.
All these attacks prey on people’s emotional responses. So, how do we prepare ourselves? We need to make knowledge a capability and arm ourselves with information that will help us avoid being taken advantage of by criminals.
Passwords are a significant exposure. They are the digital equivalent of a house key. A password will work for anyone that has access to it. We need to utilize technologies such as multi-factor authentication (MFA) on websites where it is possible to do so. So even if bad actors have our password, the victim still needs to approve the login.
If we don’t have the option to use MFA it would be an excellent idea to make use of a password manager. This is a way to safely store passwords and not fall into the trap of reusing passwords on multiple sites. Attackers bank on human nature and if we use the same credentials on multiple sites there is a high possibility that the criminals could gain access to other sites if they compromise just one.
I’m usually one to eschew the practice of New Year’s resolutions but I’ll make an exception. Keep a keen sense about yourselves whenever you receive an email or SMS that you were not expecting. If a deal is too good to be true then, well, it most likely is a scam. If you’re in doubt, try to look up the phone number, email address, person or “organization” offering the “deal.” More often than not, you’ll find lots of people reporting that it’s a scam.
Rather than being visited by the three ghosts of holiday scams, make sure you and your loved ones are prepared for a happy holiday and a prosperous New Year.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels