6 Things You Should Do Immediately If You Have a Yahoo Account

Sunnyvale, CA, USA - Apr. 23, 2016: Yahoo Inc. Headquarters. Yahoo Inc. is an American multinational technology company that is globally known for its Web portal, search engine Yahoo! Search, and related services.

Yahoo says 500 million user accounts have been compromised and is telling users to change their passwords. That’s good advice, and below you’ll find better advice from the security firm Sophos.

But first: For the next several days, or even weeks, beware of emails that appear to come from Yahoo. Now is a great time for phishers to trick users into following purported “change your password” links that actually lead to attacker-controlled sites. Go to Yahoo directly (type the address or use a bookmark) rather than clicking a link in an email.

Now, onto the better advice:

  1. Change your Yahoo password immediately.
  2. Reset this password if you’re reusing it on other online sites. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
  3. Make all new passwords different and difficult to guess – yes, you need to create different passwords for every site you visit.
  4. Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos Password Quick Tips guide for creating stronger passwords.
  5. Don’t trust password strength meters – these are unreliable and inaccurate.
  6. In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.

I disagree about using a new password for every site. I mean, it’s a lovely idea, but it’s just not realistic. Instead, I’m an advocate of having password families.

One simple password for throwaway accounts you don’t care about, like newsletters; one medium-hard password for sites that require a registration, but don’t involve money; and then one really strong password for financial accounts that you change on a regular basis.

For that tough password, use something clever, like the first letter of every word in a sentence. Like this: I Was Born on November 1 in North Dakota — IWBoN1iND (I wasn’t, by the way). Change a number to a symbol and you are in good shape, like IWBoN!iND.

Now, as for how often you should change your password — I asked a bunch of experts that question not long ago and got some interesting answers.

Graham Cluley – Independent computer security analyst, formerly of Sophos and McAfee (more about him)

I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. I think requiring people to regularly change their password is a bad idea. It encourages poor password choices (such as passwordjan, passwordfeb, etc.).

Mikko Hypponen – Chief Research Officer, F-Secure (more about him)

Depends. For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never. As always, it’s about threat modelling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites: who cares.

James Lyne, Global Head of Security Research at Sophos, speaking specifically about corporate passwords (more about him)

The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014 there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password ‘representations’ require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.

There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory – ironically this can lead to staff producing poor passwords to meet the requirement, which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism, often using a significantly longer, complex and hard to guess password is a much better defence. Good luck to the cybercriminal going after a 128 character password stored as a (moderately poor) SHA1 hash.

Password managers help you generate long and complex passwords that will be hard to crack even if lost. That said, if you go this far and implement a manager you may as well rotate your passwords once in a while, as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly). Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30 day rotation period.
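As an added illustration of the storage point Lyne makes above (example code written for this page, not from the article, from Sophos or from any of the quoted experts): a constructed four-user table is stored two ways and attacked with the same constructed six-entry wordlist, a stand-in for the multi-million-entry lists attackers really use. With unsalted SHA-1, each guess is hashed once and checked against every user at the same time, and two users who chose the same password have visibly identical hashes. With salted PBKDF2, the attacker must rehash every guess for every user and pays the iteration count each time. The user names, passwords, wordlist and the 1,000-iteration setting are assumptions for the demo.

```python
"""Added example: why 'appropriate storage' matters more than rotation.
Constructed sample: a toy user table stored two ways and attacked with the
same small wordlist. Not code from the article or from any quoted expert."""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed wordlist (stand-in for the multi-million-entry lists attackers use).
WORDLIST = ["123456", "password", "football", "letmein", "dragon", "baseball"]

# Constructed sample users; alice and carol share a password, dave's is not in the list.
USERS = {"alice": "football", "bob": "letmein", "carol": "football", "dave": "8Lq#vz2Tmp"}


def sha1_unsalted(password: str) -> str:
    """The 'moderately poor' scheme: one fast hash, no salt, so equal passwords
    produce equal hashes and one guess can be checked against every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes, iterations: int) -> tuple[bytes, int, bytes]:
    """A slow, salted scheme (PBKDF2-HMAC-SHA256 from the standard library).
    The salt makes each user's hash unique; the iteration count sets the cost per guess."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def crack_unsalted(table: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Attack 1: hash each guess ONCE, then look every user's hash up in the result.
    Returns (user -> recovered password, number of hash evaluations performed)."""
    lookup = {}
    evaluations = 0
    for guess in wordlist:
        lookup[sha1_unsalted(guess)] = guess
        evaluations += 1
    recovered = {user: lookup[h] for user, h in table.items() if h in lookup}
    return recovered, evaluations


def crack_pbkdf2(table: dict[str, tuple[bytes, int, bytes]],
                 wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Attack 2: the salt forces a fresh computation per guess per user, and each one
    costs `iterations` HMAC calls instead of a single hash."""
    recovered = {}
    evaluations = 0  # counted in underlying HMAC invocations, comparable with attack 1
    for user, (salt, iterations, digest) in table.items():
        for guess in wordlist:
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
            evaluations += iterations
            if hmac.compare_digest(candidate, digest):
                recovered[user] = guess
                break
    return recovered, evaluations


def build_tables(iterations: int = 1000):
    """Store the constructed users both ways. The low iteration count keeps the demo
    fast; real deployments use far more, or use scrypt/Argon2 instead."""
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_record(p, os.urandom(16), iterations) for u, p in USERS.items()}
    return unsalted, salted


def compare(iterations: int = 1000) -> dict:
    """Run both attacks and report what was recovered and what it cost."""
    unsalted, salted = build_tables(iterations)
    found1, cost1 = crack_unsalted(unsalted, WORDLIST)
    found2, cost2 = crack_pbkdf2(salted, WORDLIST)
    return {
        "unsalted_cracked": found1, "unsalted_cost": cost1,
        "salted_cracked": found2, "salted_cost": cost2,
        # equal passwords -> equal unsalted hashes, visible before any cracking at all
        "shared_hash_visible": unsalted["alice"] == unsalted["carol"],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both attacks recover the three weak passwords, because no storage scheme rescues a password that is on the attacker's list. The difference is the bill: six hash evaluations for the unsalted table against 16,000 for the salted one, and that multiplier grows linearly with the iteration count and with the number of users, which is exactly the margin that makes rotation less urgent for a well-stored strong password.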

Harri Hursti – independent security researcher, famous for “The Hursti Hack” of voting machines (more about him)

This is not (an easy question) … because changing the password too often can also become a security risk.

It greatly depends. Passwords I use more often, over the internet and are in sensitive sites are changed 2-3 times a year. Then there are very important passwords which are either used very seldom or are used in more secure environment and those I change once a year, or not even then.

Chester Wisniewski and Paul Ducklin, senior security advisors at Sophos. (More about Chester and Paul)

The answer, loosely, is this.

Change a password if any one of these is true:

  1. You suspect (or know) it has been compromised.
  2. You feel like changing it.
  3. You have been re-using passwords and have decided to mend your ways.

We explain better in the podcast “busting password myths,” I think.

The podcast is 15 minutes, however, the first two minutes address this very question and may be worth your time.


The post 6 Things You Should Do Immediately If You Have a Yahoo Account appeared first on MagnifyMoney.

How Your Favorite Song Lyrics Can Protect Your Identity


What if someone told you that you could use some of the words from your all-time favorite song as your password? Not only that, but that it could actually be as effective as some difficult-to-remember imbroglio like Ge0rg34m@gr!|| — you know, something like what your IT department sends you as a start-up password.

Would you doalittledancemakealittlelovegetdowntonight?

If your answer is yes, yes, you would do a little dance … and get down tonight, good news! A recent study by some really smart people at Carnegie Mellon University found that the use of long, sentence-like or phrase-like passwords like the one above is increasing among people looking for easier-to-remember passwords. Not only that, but it could be “a promising user authentication mechanism.”

The really smart people, otherwise known as researchers, looked at the role of “grammatical structures underlying such passwords in diminishing the security of passwords.” Or in layman’s terms, they questioned whether such passwords were easier to crack than the letter-number-symbol jumbles we’re all so familiar with. The answer was no, not really. It turns out that password-cracking programs find a lengthy password almost as difficult to crack as a seemingly random one, provided the phrase itself is not one the attacker already has on a list.

The researchers went into the study viewing text-based passwords as involving a trade-off between usability and security. “System assigned passwords and user-selected passwords subject to complex constraints (e.g. including mixed-case, symbols and digits) are harder to guess, but less usable,” the researchers wrote. “Conversely, simple, memorable user-selected passwords offer poor resilience to guessing.”

In order to find a compromise, researchers and organizations have begun recommending the use of longer user-selected passwords with simpler composition.

The idea isn’t particularly new. Security pros have been using similar passphrases for years, albeit somewhat differently. This trick takes a sentence and then uses the first letter of every word. For example: “I love pizza 3 times a week″ would be ilp3taw. You can be really clever and add capital letters and a special character or two, like iLp3T@w.
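The two styles this post compares, the first-letter mnemonic and the long lyric-style passphrase, with a rough guess-space estimate for each, as an added example written for this page (not code from Credit.com or from the Carnegie Mellon study). The estimates assume an attacker who knows which style was used; the 94-symbol printable alphabet, the 7,776-word dictionary and the one-million-entry list of known lyrics are assumptions for the demo and are labelled in the comments.

```python
"""Added example: first-letter mnemonics versus long passphrases, with
guess-space estimates. Not code from the article or the cited study."""
from __future__ import annotations

import math
from typing import Optional


def first_letters(sentence: str, substitutions: Optional[dict[str, str]] = None) -> str:
    """The 'I love pizza 3 times a week' -> 'ilp3taw' trick: first character of each
    word (digits kept as-is), with optional per-character swaps such as '1' -> '!'."""
    chars = [word[0] for word in sentence.split() if word]
    subs = substitutions or {}
    return "".join(subs.get(c, c) for c in chars)


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of strings an attacker who knows the alphabet and the
    length must try: length * log2(alphabet). An upper bound for human-chosen text."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """A phrase of `words` words drawn independently from a list of `dictionary_size`
    entries: the attacker who knows the scheme guesses whole words, not letters."""
    return words * math.log2(dictionary_size)


def compare_styles() -> dict[str, float]:
    """Guess-space estimates (bits) for the styles discussed in the post.
    All list sizes below are assumptions chosen for the demo."""
    return {
        # 8 random printable ASCII characters (94 symbols): an IT-issued jumble
        "random_8_printable": guess_space_bits(94, 8),
        # 'ilp3taw': 7 characters over lowercase+digits IF they were random; real
        # mnemonics follow English letter frequencies, so this is an upper bound
        "mnemonic_7_upper_bound": guess_space_bits(36, 7),
        # 11 words chosen at random from a 7776-word (Diceware-size) list
        "random_11_word_phrase": passphrase_bits(11, 7776),
        # the same 11 words when they are a famous lyric: the attacker tries whole
        # phrases from a list of one million known lyrics, one guess each
        "known_lyric_from_1M_list": passphrase_bits(1, 10 ** 6),
    }


if __name__ == "__main__":
    print(first_letters("I Was Born on November 1 in North Dakota"))          # IWBoN1iND
    print(first_letters("I Was Born on November 1 in North Dakota", {"1": "!"}))  # IWBoN!iND
    for style, bits in compare_styles().items():
        print(f"{style:26} ~{bits:6.1f} bits")
```

The last two entries are the practical lesson behind Levin's warning further down: a randomly chosen eleven-word phrase is far beyond any cracking budget, but the same eleven words taken from a chart-topping song are one entry in a phrase list and fall in a fraction of a second. Length only buys security when the attacker cannot predict the words.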

“If one could use biometric encryption, that’s certainly better, but even biometrics have been spoofed,” said Adam Levin, co-founder of Credit.com and author of “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.” “But in situations where biometrics are not available, a passphrase is probably a better option than a typical password.”

Also, with a phrase, you could create a variety of different passwords out of that single phrase, Levin explained. Add a couple of letters in the front for a particular website and a couple of numbers in the back, and you can have a different password for every site, all of which will be fairly easy to remember.

“Also, there’s less tendency to use an overly simple or flat-out bad password like ‘password’ if you use phrases,” Levin said.

It’s also important to remember that a significant percentage of identity theft occurs among family and friends, Levin warned, so “if it’s a phrase you use frequently that someone could guess, it’s probably not a good option.”

As the really smart people at Carnegie Mellon wrote: “More research is necessary to fully understand the effect of structures on long passwords,” but they’re definitely worth considering to keep your accounts secure.

Remember, identity thieves can strike at any time. To guard against identity theft, it’s important not just to keep your passwords or passphrases strong and secure, it’s also wise to monitor all of your financial accounts on a regular basis, as well as your credit. If an identity thief has stolen some of your information to open a new account in your name, it will impact your credit scores.

You can monitor your credit scores for free twice a month on Credit.com. Any unexpected changes in your score could signal identity theft, and you should pull copies of your credit reports (you can do that for free once a year) to investigate further. Acting fast can help protect your credit and your finances.

Image: PeopleImages

The post How Your Favorite Song Lyrics Can Protect Your Identity appeared first on Credit.com.

7 Steps to Safer Passwords for All Your Online Accounts


Some passwords are funny. Some are pretty weird. Some can be a math problem. Many can be laughably easy to hack (I give you “dadada,” “qwerty,” “password” and “123qwe,” to name a few) — or very tricky. But one thing is for sure: they are never really 100% hack proof.

Earlier this month, news broke that a significant number of Twitter passwords had been compromised and were being offered to anyone willing to fork over 10 bitcoins, or roughly $6,700 as of this writing. More than 32 million users were included in the cache of information on the cyber creep auction block. The breach-data aggregator Leaked Source said in a blog post that it received the data set from a user under an alias.

Your Information Is Out There

The first takeaway: Anyone can scavenge and rumor-chase to find purloined login credentials. The second: You are not safe, and identity-related crimes are the third certainty in life, right behind death and taxes. (You can monitor your credit for signs of identity theft by viewing two of your credit scores for free each month on Credit.com.)

Twitter has told multiple news outlets that its systems were not breached. Leaked Source said the passwords appeared to have been grabbed by malware.

How to Keep People Out of Your Stuff

While knowing that your information is out there is an important piece of the personal data security puzzle, keeping your accounts safe is even more crucial.

While there has been much innovation in the world of data security, nothing has proven foolproof yet. Biometric authentication using fingerprint and iris scans is promising, but its adoption is far from universal and it is not without spoofing issues.

There are tokens and cards that can complement passwords, but those can be stolen or lost.

Multi-factor authentication is probably the best way to deal with security issues, but it does not necessarily strike the best workplace balance between security and convenience. The DreamWorks movie “Monsters vs. Aliens” provides a comical scene that demonstrates why it’s not the most practical approach (the character has to provide a hand, foot, tongue, elbow and butt scan to gain access to the president’s situation room).

Passwords Are Still the Best Option

As things stand now, a password coupled with a second authentication factor that an attacker cannot obtain just by stealing the password (a one-time code from an authenticator app or a hardware token, for example) is the best personal security solution available.

Because we have many accounts and they should all have separate passwords, most consumers have a problem keeping all that information straight. There are apps for that, of course, and if you are OK with cloud-based solutions — bearing in mind that nothing is un-hackable — you might want to check out a service like 1Password, which allows you to store all your passwords, PINs, credit card numbers, and more. PasswordWallet 4 and Dashlane provide similar services. Bear in mind that they are not the only good games in town. So do your research and read reviews. Keep in mind, too, some password managers charge for their services.

The upside to password valets is clear — you only have to remember one password. If that’s of interest, you still need to make sure that password is very strong.

Rules of the Road for Effective Passwords

If you decide not to use a password manager, never store your passwords and user names in a document that resides on your computer. Save them on an encrypted thumb drive. Then you need only remember two things: Where you keep it and the password (hopefully long and strong) required for access.

The best practices here include a number of things you shouldn’t do:

1. Try to avoid single words, since many password-cracking programs work through dictionary word lists.

2. Avoid letters and numbers that are close to each other on the keyboard.

3. Never use a password based on personal information that could well be available on social media or via a data breach. This would include your birthday or the birthdays of loved ones, children’s names, pet names, your high school or college mascots and the like.

4. Never use a password on a retail site that you use anywhere else. If that site gets hacked and the same login information is on a bank account, you’re toast.

And a few things you should do:

5. Create an easier password for sites that don’t have a great deal of your personal information, like news sites, video streaming services and the like.

6. Consider using a password generator. (Bear in mind this generally requires using a password management system, bought or homemade.)

7. Create long and strong passwords containing a phrase at their core. A brute-force attack is very unlikely to guess the first line of a poem you wrote in fourth grade, especially if you have a simple math problem embedded in the middle of a word or two.

Most of us have day jobs. Identity thieves and scammers view grabbing our information and exploiting it for their gain as their day job. Always assume there is a never-ending riot overflowing with looters happening just outside your cyber house. That’s why you must be thoughtful, inventive and vigilant when creating passwords, for they are the locks to all your virtual doors and windows — even when you are home.


Image: PeopleImages

The post 7 Steps to Safer Passwords for All Your Online Accounts appeared first on Credit.com.

You May Not Have to Remember Your Passwords Anymore If This Google Plan Takes Off


You may soon be able to log into your Android devices without entering a password, thanks to the new “trust scores” Google announced at its annual I/O conference last week.

The trust scores, also referred to as the Trust API (application programming interface) or Project Abacus, started development last year, and The Verge reports the security updates are expected to be rolled out to a test group of “several very large” financial institutions next month. If all goes according to plan, Google expects Android users to have access to the scores at the end of the year and then potentially other operating systems after that.

How it Works

The API runs in the background and utilizes user-specific factors to develop a user’s trust score each time they log on, which could help prevent unauthorized users from accessing your personal information. According to TechCrunch, the API will factor in personal indicators, like face shape and voice recognition, as well as behavioral data, like how you move and type to compute the score.

Eventually, The Verge reports, trust scores could play a factor in logging into any apps or programs on mobile devices. Qualifications would vary based on what you’re trying to do, like banking apps requiring a higher trust score than a social media app.

Replacing Passwords

Until this security measure is implemented on devices, all users will continue logging in with standard passwords. If you think you have a weak password on any of your accounts, or use the same one for multiple logins, you may want to consider changing them. In fact, it’s a good idea to change your passwords often for better internet safety.

If you believe one of your accounts or passwords has been compromised, especially if it’s something that can be tied back to your finances, checking your credit report can help you see if anything damaging has occurred. (You can get your free annual credit report from AnnualCreditReport.com and view two of your credit scores for free, updated monthly, on Credit.com.) If you see any signs that your identity has been stolen, like new accounts you didn’t open or addresses that aren’t yours, you should dispute the information with the credit bureaus and report the fraud to the proper authorities.



Image: Petar Chernaev

The post You May Not Have to Remember Your Passwords Anymore If This Google Plan Takes Off appeared first on Credit.com.

The Worst Passwords of 2015


Despite all of the data breaches and scams that have proliferated over the last few years, we sure love our bad passwords.

For the fifth year in a row, “123456” and “password” topped password manager provider SplashData’s annual “worst passwords” list. Its latest version was compiled from more than 2 million leaked passwords mostly held by users in North America and Western Europe during the year. New and notable entrants include “starwars,” “solo” and “princess”  — undoubtedly tied to the massively successful debut of Star Wars: The Force Awakens this year.

Meanwhile, other repeat offenders were “dragon” (No. 16), “111111” (No. 14), and “letmein” (No. 19).

Of course, it wasn’t all bad news on the password front this year, as SplashData notes that websites and users were at least trying to be a bit more secure by lengthening their terrible passwords.

“For example, ‘1234567890’, ‘1qaz2wsx’ (first two columns of main keys on a standard keyboard), and ‘qwertyuiop’ (top row of keys on a standard keyboard) all appear in the top 25 list for the first time,” SplashData wrote in a press release, before pointing out that “they are each based on simple patterns that would be easily guessable by hackers.”

The top 10 worst passwords of 2015 are:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball

How to Set Strong Passwords

Strong passwords are important because they help keep hackers from getting into important accounts and/or getting a hold of sensitive personal information that can be used to steal your money or, worse, your identity. A strong password generally mixes letters, numbers and special characters, uses both upper- and lowercase letters and is at least 10 characters long. It also doesn’t include your name, birthdate, common words, simple pop culture references (ahem, The Force Awakens) or any information (like, say, the name of your dog or cat) that can be easily found on social media.

Remember, it’s also in your best interest to change passwords often and to refrain from using the same one across accounts. Plus, if you have any reason to believe your personal or payment information has been compromised, you should keep a close eye on your financial accounts and your credit report. You can do the latter by pulling your credit reports for free each year at AnnualCreditReport.com and viewing your two free credit scores each month on Credit.com. Signs your identity has been stolen include a sudden drop in credit scores, mysterious lines of credit you’ve never opened and unfamiliar addresses.


Image: gpointstudio

The post The Worst Passwords of 2015 appeared first on Credit.com.

8 Predictions for 2016: Drones, Mobile Pay & the Internet of Things


Will 2016 be the year people really start buying things with their phones? The year a hacker finally turns the lights off? Or a self-driving car causes an accident? Maybe, maybe not. Maybe some of these things won’t happen until January 2017 — the 12-month time horizon is pretty arbitrary — but these are the things that are listed in almost every prediction story about the new year.

While it might be silly to talk about 2016 guarantees, New Year’s Eve is always a natural time to think about the future, and the exercise of imagining what troubles we’ll soon confront is certainly worthwhile. So I’m not limiting this year’s predictions to the new calendar. Instead, I’m going to discuss what I think is “coming soon.”

1. Things Vs. People

Everyone is correctly predicting that smart gadgets will soon infiltrate our lives (wired crockpots? Of course!), and few of them will be built with privacy or security in mind. So our homes will likely be hacked and our privacy may erode. But here’s a remarkable data point from Gartner: The number of devices we need to protect will exceed 200 billion by 2020 — 200 billion! “Wearables, gadgets, sensors and other things on the Internet are creating new connections and exposing new vulnerabilities,” warns McAfee. “Every new product that connects to the Internet faces the full force of today’s threats, and we have a long way to go to keep up with the speed and complexity of attack.”

2. People vs. … Robots?

All that is scary, but the real potential looming problem in the things vs. people conflict is this: the robot workforce. Gartner also predicts that by 2018, more than 3 million workers globally will be supervised by a “robo-boss.” And that same year, nearly half of the fastest-growing companies in the world will have “fewer employees than instances of smart machines.” That’s a polite way of saying you can forget about your job being shipped overseas. Instead, it could be done by a robot soon, unless you can work cheaper than a robot. This conflict is real and arriving much sooner than we expected. If I ran a ride-sharing service, for example, I’d be pushing the limits of self-driving cars as far as I could.

3. Paying by Phone

Adoption rates for mobile payment schemes like Apple Pay have been very slow — but that’s temporary. Over time, consumers will likely see value adds from these services, such as the loyalty benefits we already see from Starbucks. There’s a wide-open door now, as consumers are a bit irritated by delays when using the new chip-enabled credit cards. Mobile pay can be faster in some cases.

4. Your Phone as Your Password

One development that will help mobile pay will be the increased use of mobile devices in two-factor authentication schemes, like the one Amazon just implemented. Users will get a temporary passcode by text or use token-generating software to log in to many financial sites soon. As they get used to whipping out their phones during these transactions, they’ll be more apt to use them to buy things. The phone-as-password development will also hasten the end of old-fashioned passwords. Good riddance.

5. Your Money or Your Data

If you don’t know someone who’s been hit by ransomware, you will soon. Brazen hackers keep finding ways to take control of computers and data and force payment by consumers or organizations to free them. There’s no end in sight for this threat, which means you should keep your security software up to date and keep offline backups of anything you cannot afford to lose. However …

6. File-Less Attacks Grow

One of the most alarming developments in the security space has been the growth of cyber attacks that never write a malicious program to disk (and thus slip past antivirus software that relies on scanning files). “File-less” attacks involve techniques like injecting malicious code directly into the memory of a running process. They are much harder to prevent and detect; they are similar to the point-of-sale memory-scraping attacks that have been rampaging through big retailers, stealing millions of credit card account numbers. You should be hearing much more about these soon.

Thanks to the increased risk to our personal and payment data, it’s important to monitor your credit for signs of identity theft. You can do so by pulling your credit reports for free each year on AnnualCreditReport.com and viewing your credit scores for free each month on Credit.com.

7. Drones Everywhere

As drones continue to come down in price and become easier to operate, our skies will likely be filled with them. Sure, there’s some great potential for drones, which are now a staple in news coverage of big events. But Heaven help us if they start crashing into each other, taking pictures of us in our homes or becoming a fixture in life-casting videos on the Kardashians.

8. The Campaign

Finally, the one thing I can guarantee during 2016 is that noise will dominate signal on social media during the presidential campaign. The Internet is the best tool ever invented for spreading mistruths. Knowing this, you can be part of the solution by simply not forwarding or posting lists of bad things about Donald Trump’s hair or Hillary Clinton’s bathroom breaks. Heck, Americans showed incredible restraint during the release of Star Wars as millions managed to avoid posting spoilers. Let’s show similar restraint during the election, too.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


Image: oneinchpunch

The post 8 Predictions for 2016: Drones, Mobile Pay & the Internet of Things appeared first on Credit.com.