50 Ways to Avoid (or Deal With) a Cyberattack

None of us want to think about it — but here are 50 "just in case" ideas to help you avoid or deal with a cyberattack.

In case you missed it, a major cyberattack swept the globe Friday. Per pretty much every major news outlet here in the U.S., hackers locked computer systems worldwide, then threatened to destroy data if the victim did not pay to be let back in.

In other words, they executed a large scale ransomware attack, targeting companies, government agencies, public institutions and ordinary citizens across continents. The attack comes just one week after Google Docs users were hit by a large-scale phishing scam. Google reacted swiftly to shut it down, but hackers are digital whack-a-moles: There’s no way to guarantee another won’t immediately pop up in your inbox.

Fortunately, there are steps that, taken together, can minimize your odds of falling victim — or mitigate the damages if you do get got. Here are 50 ways to avoid or deal with a cyberattack.

1. Update Your Computer Regularly

The recent ransomware attack exploited a vulnerability in Microsoft Windows servers. But here’s the thing: Microsoft released a security update to patch the vulnerability back in March. The lesson here: Enable updates when prompted. This goes for other devices, like smartphones and tablets, too.

“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” Microsoft president and chief legal officer Brad Smith wrote in a blog post. “Otherwise they’re literally fighting the problems of the present with tools from the past.”

2. Turn on Your Firewall

That’ll help keep malware off your computers by stopping suspicious programs from downloading or accessing the internet, should one get onto your machine.

3. Install & Update Security Software

If you don’t have anti-virus or anti-malware software on your laptop or desktop, change that sooner rather than later. Otherwise, you’re making yourself an easier target. There’s a lot of truth in the statement “it’s not a matter of if, but when” when it comes to hacking and identity theft. Still, it’s best to make it as hard as possible for the scammers out there.

4. Set Software Limits

To block malware attempts, both Microsoft and Apple suggest limiting what software, programs or applications can do to your computer. You can set these limitations via your PC’s User Account Control or Mac’s Security and Privacy preferences.

5. Install Security Add-Ons for Your Internet Browser

There are free tools that tell you the safety of webpages you’re browsing, like Web of Trust or McAfee Secure Safe browsing plugins.

6. Check for HTTPS

When browsing, make sure URLs start with ‘https.’ The s means any data going back and forth between you and the site is encrypted.

7. Heed the Warnings

Google’s Safe Browsing is designed to flag unsafe websites and URLs you happen to stumble upon. Similarly, many providers flag potential scam emails either by sending them to spam or issuing a warning at the top of an email. While it can be tempting to write said warnings off, it’s in your best interest to take them seriously and, if you do proceed, do so with caution.

8. Learn How to Recognize a Phish

Phishers pose as legitimate entities to get users to click on a malicious link in their inbox. Their emails can look legit, but there are often tell-tale signs you’re dealing with a scammer, including typos, misspellings, generic salutations and sketchy URLs, which you can spot by hovering over embedded links in the email. (Check out this story about a reader who received a scam email that included his friend’s Social Security number.)
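The "hover over the link" check above can be automated for a whole message. The following is an added example, not code from the original article: it parses the HTML of a constructed sample email (not a real phishing message; the `example.com`, `example.net` and `192.0.2.10` addresses are reserved documentation values) and flags each link that shows one of the red flags the item lists: no `https`, a destination that is a bare IP address, or visible text naming a different site than the real `href`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): one link whose
# visible text names one site while the href points elsewhere, one plain
# http link to a raw IP address, and one ordinary https link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Please <a href="http://example.net/verify">log in at https://www.example.com/account</a>
to confirm your details.</p>
<p><a href="http://192.0.2.10/update">Update now</a></p>
<p>Questions? Visit our <a href="https://www.example.com/help">help center</a>.</p>
"""

URL_IN_TEXT = re.compile(r"(https?://\S+|www\.\S+)", re.IGNORECASE)
RAW_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace in the visible anchor text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of a URL, lowercased, with a leading 'www.' dropped so that
    www.example.com and example.com compare equal."""
    if "//" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html):
    """Return one finding per link that shows a red flag the article lists:
    no https, a hostname that is a bare IP address, or visible text naming
    a different site than the real destination."""
    findings = []
    for href, text in extract_links(html):
        reasons = []
        href_host = host_of(href)
        if urlparse(href).scheme.lower() != "https":
            reasons.append("plain-http")
        if RAW_IPV4.match(href_host):
            reasons.append("raw-ip-host")
        match = URL_IN_TEXT.search(text)
        if match and host_of(match.group(1)) != href_host:
            reasons.append("text-host-mismatch")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

The hostname comparison is deliberately simple (it only drops a `www.` prefix), so a legitimate newsletter that links through a tracking domain will also be flagged; that is the same judgement call the item asks you to make by hand, and a flag is a reason to verify, not proof of fraud.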

9. Don’t Click the Links …

Even if you don’t readily spot any red flags. Instead, call the company or person sending the email directly to verify legitimacy. You don’t want to unwittingly download malware onto your computer that can spam your friends or hijack any personal information or passwords you type post-click.

10. … Enter Sensitive Personal Information …

In lieu of malware, some phishers simply prompt you to enter info directly on a spoofed website once you click. Consider the request for bank account digits, Social Security numbers or other sensitive data a big red flag. After all, financial institutions and government agencies, like the IRS, aren’t known to conduct urgent business over email. (Note: The IRS reported an approximate 400% surge in phishing/malware incidents early last year, so it’s important to be careful what information you share and where.)

11. … or Download Phishy Email Attachments

They can be yet another way in which the phisher is trying to install malware on your device.

12. Really, Just Avoid Unknown Emails

Even emails that seem safe can be dangerous. It’s common for attackers to impersonate someone you know, and if a contact of yours got hacked, they may unwittingly be spamming their entire address book. If you’re not expecting an email, do not know the sender or are unsure, do some research before opening the email.

13. Unsubscribe From Email Lists

If you aren’t interested in getting emails from certain mass distribution lists, take your name off. This way, your inbox is cleaner and you’re reducing the likelihood you’ll get an email from somewhere that got hacked. (Want to declutter your life even more? Here’s how to opt out of mailed credit card offers.)

14. Review Ads & Emails

Smart consumers never assume an ad or email is from a reputable company. Always verify if the information is legitimate by doing some research online (type the company or product into a search browser along with the terms “review,” “complaint” or “scam”). If something looks shady, it probably is. That said …

15. … Let Yourself Get Suspicious

Seriously, it’s OK to be extra cautious. Delete any emails, texts or anything else you’re not sure about.

16. Read the Privacy Policy

Don’t click “agree” and ignore the policy — take time to read it, as it will explain how your personal information is collected and used by the site. You’ll find out whether your information is shared with third parties and how that data is accessed. If something gives you pause, consider taking your business elsewhere.

17. Be Careful When Downloading Apps

Like we said, read privacy policies, including those lengthy permissions before you download an app to your device. Think about all you do and say on your devices — do you really want a scammer to have access to that?

18. Channel Your Inner Ron Swanson

No one expects you to go fully off the grid (even Ron caved and got a cellphone), but remember every time you sign up for a new service or share your information with another entity, you’ve presented cyber criminals another way to get to you. Consider keeping some aspects of your life off the internet, apps and devices.

19. Don’t Overshare on Social Media

Past addresses, the names of people living in your household and photographs are useful to identity thieves. They can help thieves bypass security verification questions or create new accounts in your name. Always think before you share something online.

20. Know When Your Social Security Number Isn’t Required

Just because there’s a line on a form for your Social Security number doesn’t mean you have to fill it in. Here are five places you should never give your Social Security number.

21. Don’t Blindly Fill Out Forms at the Doctor’s Office

If you’re at a doctor’s office and aren’t sure if they need some of the personally identifiable information they’re asking for (like your Social Security number), ask about it. This is an especially smart move because medical providers are a big target for data breaches. Here are four things your doctor doesn’t need to know.

22. Safely Dispose of Personal Information

Disposing of a computer or smartphone isn’t as simple as tossing it in the trash bin. With computers, be sure to use a program that overwrites the hard drive. Before you throw out a mobile device, check your owner’s manual or the manufacturer’s website to learn how to save or transfer information to a new device before doing a hard reset. Be sure to remove the SIM card and things like your contacts, search history and photos.

23. Get the Team on the Same Page

Whether it’s a quarterly refresher course or something everyone does once a year, making sure all employees are on the same page about digital security can help prevent everyone from getting hit by an attack.

24. Tread Lightly With Open & Public Wi-Fi

Free internet in public spaces like coffee shops and hotels is great to have, but you don’t know the other people sharing the connection. Someone else could be “eavesdropping” on what you’re doing, so limit your internet use on public networks. For example, using online banking while you’re on an unsecured Wi-Fi is a bad idea. (We get it, though — free stuff, like these 50 things, is great. Just make sure you’re responsible about it.)

25. Be Selective About Using Shared Computers

Sometimes you have to get online on the computer at the library or FedEx. If that happens, make sure you log out of any sites and wipe your browser history before you go.

26. Be Careful With Data Share Folders

Cyber attacks aren’t limited to sketchy links or emails. Hackers have found ways to take over your system right from file share programs. It may be easy to leave these logged in constantly, especially if you’re using them for work, but logging out may save you in the long run.

27. Turn Off Your Computer

While leaving your computer on “Sleep” mode makes it easy to get back to work, constantly leaving your computer on makes it more susceptible to viruses. Turn your computer off when it’s not in use.

28. Remember to Log Out

Whether or not you share your computer or device, logging out after each use is a good practice.

29. Don’t Save Your Login Info … 

It’s so much easier to let your browser and apps save your login credentials, but it’s not just easier for you — you’re making thieves’ jobs easier, too. A lot of cybersecurity decisions require choosing between convenience and safety. If you choose convenience, be prepared for some potentially unpleasant consequences.

30. … Or Your Credit Card Details

It may be easier to click once and your order is on its way, whether it’s from your favorite online store or the local pizza delivery place, but storing your credit card information can leave you vulnerable.

31. Lock Up Your Phone …

It may seem inconvenient to enter a passcode or have your finger scanned to access your messages and apps, but if you ever lose your phone, having it locked could be the difference between shelling out for a new phone and shelling out for a new phone and trying to find the person who drained your bank account and hacked your social media accounts.

32. … & Your Laptop

Experts recommend keeping financial information on your laptop only when necessary. It also helps not to use an automatic login feature that saves your username and password so it’s harder for someone to get at your personal information if your laptop is stolen.

33. Use Built-In Biometric Authentication When Possible

Some thumb drives require your fingerprint to access the information stored on it. This is a great way to deter criminals and keep your data extra secure.

34. Create Strong ‘Phrase Passwords’

If you’re using a generic password like “Password123” or your dog’s name and your mailing address, it’s time to up your game. Have a favorite lyric, phrase, quote or poem? Use it. 2BorNOT2B is a lot harder to guess, and is still super easy to remember. (Not sure if you’re using a strong password? To start, make sure it isn’t on this list of 25 passwords you should never use.)

35. Don’t Reuse Passwords

Just because you’ve come up with a great phrase password doesn’t mean you should use it for your email, social accounts, bank app and everything else. Try to make a unique password for each of your accounts. At the very least, make sure your financial account passwords are different than your social media passwords.

36. Use a Password Manager

A password manager can generate strong, complex passwords to make hacking your accounts harder. Managers like LastPass can also store and remember them for you. (You can read this for more on remembering passwords.)

37. Update Your Passwords Often

The information exposed in a data breach may be old, but that won’t be much comfort to you if you’ve been using the same password for the last three years. Get in the habit of updating your login credentials every six months or so.

38. Use Two-Factor Authentication

If a service you use offers two-factor authentication for logging in, take advantage of it. This usually requires entering your password, then entering a confirmation code that will be sent to you by text, phone call or email. If someone gets their hands on your password, chances are they don’t also have your cellphone, leaving them locked out of your account.

39. Answer Security Questions Creatively

Sometimes it’s OK to lie, especially when coming up with answers to security questions. This way, a crook can’t guess their way into your finances. Don’t get so creative you can’t remember the answer, and create a cheat sheet to help you keep track. You can store it on an encrypted thumb drive. On that note…

40. Store Your Personal Information on an Encrypted Thumb Drive

Important documents and login information (for those who don’t use password managers) should be stored on an air-gapped device, such as the thumb drive. Experts recommend keeping one at home and storing the other in a safety deposit box or a safe.

41. Make Sure You Trust That Thumbdrive

We get it — sometimes curiosity can get the best of you. But if you find a USB or external hard drive, think twice before just putting it in your computer.

42. Don’t Forget About Old-School Back-Ups

A cyberattacker can’t get into your filing cabinet, and there are some things you really don’t want to lose. Consider keeping a hard copy of important documents like your last few years of tax returns, mortgage paperwork, student loan documents and insurance policies, so you still have the records even if digital forms have been compromised.

43. Backup Your Data Externally …

If something happens to your computer or other device, knowing your files are saved elsewhere can reduce the headache.

44. … & Then Backup Your Backups

Remember, no system is ever completely secure. Make it a habit to copy important files, especially financial documents you need for things like mortgages and student loans. Place the data on a removable disk or backup drive and store it somewhere safe.

45. Take a Deep Breath

It’s understandable to freak out if you’ve been hit by a cyberattack or are being asked to pay a ransom for stolen files, but try to stay calm. Disconnect from the internet, and call someone for help, whether that’s your work’s help desk or a reputable cybersecurity firm familiar with the technology you’re using.

46. Report the Problem

In the wake of the Google doc scam, the tech giant urged users to report suspicious email and content to it directly. You can report scams to your local attorney general and the Better Business Bureau to help prevent others from similarly falling prey.

47. Consider a Credit Freeze …

Fell for a phish? Consider freezing your credit reports so scammers can’t use the personal information they pilfered to open fraudulent credit accounts in your name. You can learn more about credit freezes — and when to use them — here.

48. … or Request Alerts

A credit freeze can be cumbersome, particularly if you’re in the process of applying for a loan yourself. If you don’t believe a thief scored any seriously sensitive info, you could at least request that the credit bureaus put a fraud alert on your credit report. That’ll prompt creditors to take extra steps to verify your identity before extending credit.

49. Accept That You May Not Get Back What You Lost

In the case of ransomware, you may be tempted to pay what the thief is asking so you can have your files back. Some experts recommend against paying because it further incentivizes ransomware attacks, and you may not get your files back even if you do pay.  

50. Monitor Your Credit

Haven’t spotted any cyberattacks recently? It’s still a good idea to regularly monitor your credit for signs of identity theft. You can pull your credit reports for free each year at AnnualCreditReport.com and view your free credit report summary, updated every 30 days, on Credit.com.

Image: jacoblund

The post 50 Ways to Avoid (or Deal With) a Cyberattack appeared first on Credit.com.

How to Remember All the Passwords You Need in Your Life

Passwords need to be complicated to be secure. A password manager can create strong passwords and help you remember them.

It seems like everything you do on any of your digital devices requires a password and the requirements for these security codes are getting more and more extensive. Some sites don’t allow words that can be found in dictionaries, while others don’t want any logical sequences or personal elements like a house number, street name, zip code, birth date, birth year, child’s name or pet’s name. Many accounts require your password to have both uppercase and lowercase letters, as well as numbers, special characters and a specific minimum and maximum length. The list goes on and on.

So while you might still use poodle1234 to log into your old email account, that password may not get approved for more current accounts. (You probably don’t want to be using the same password across multiple accounts, anyway.)

The strongest passwords are typically long and random, as this makes them harder for hackers to guess. Because of this, passwords often end up looking like gibberish, like: (&cR=x?fae~c[R5GAs3AN4?.

Remembering Complex Passwords

It isn’t easy to remember all of these long, random, complex passwords and some websites disable password saving on their login screens, but there are password managers that can help. They’re available from a variety of sources, including anti-virus software providers and standalone password services. If you’re looking to try out a password manager tool, but aren’t sure where to start, we’ve highlighted four common ones below to help you get started researching your options.

It’s important to make sure you feel safe with any of these options, as you don’t want your passwords to fall into the wrong hands. A weak password could help make you a victim of identity theft, which can wreak havoc on your finances. While you’re beefing up your passwords, another good practice is to regularly monitor your credit for signs of identity theft, like a sudden drop in your scores. You can check two of your credit scores for free on Credit.com. (Note: The password managers below all use encryption to protect your data.)

LastPass

LastPass, a free password manager, generates random passwords using a browser toolbar extension. You can access the passwords using your LastPass account menu, stored right in your browser bar. However, once you’ve saved credentials for a particular site, it will show up automatically in a popup when you click the icon. Do you have three different Gmail accounts? No problem. You can save multiple login credentials for any site. You can also edit the credentials and you can share passwords with others if you want someone else to have access to one of your accounts, even if the password changes. (Just make sure you’re selective about who you share personal information with.) You can use LastPass across multiple devices, and your password vault is available even if you’re offline.

Google Smart Lock

Google Smart Lock runs in the Chrome web browser and will automatically log you into the sites you visit if you turn on this feature. Once active, Google will ask you if you want to save the account info when you log into sites.

To get an overview of your saved information, visit myaccount.google.com. Start at “Sign-in & security,” click on “Connected apps & sites” and scroll down to “Saved passwords.” Click on “Manage passwords” to see options. If you turn on Smart Lock, Google will log you into saved websites and bypass the login screen. You don’t want to turn this feature on if you’re uncomfortable being removed from the login process.

Your Google account is the master login for the Smart Lock feature. That makes password management extremely convenient, but it also means that if someone gains access to your Google account, they can also access and control your passwords. Google Smart Lock does not include a password generator and it doesn’t work on iPhones or browsers other than Chrome.

Norton Identity Safe

Norton Identity Safe is a free password manager made by Symantec, the company behind the well-known Norton AntiVirus products. It is installed on your computer and any other device you choose, as well as your browser. You’ll find a link to a random password generator right at the top of the Norton Identity Safe website.

When you set it up, you’ll need two passwords: one for your account and one for your password vault. Both passwords should be complex but memorable because your stored passwords will be inaccessible until you open the vault.

Once you enter your various login credentials in the app, the sites appear in an alphabetical list in your password vault. A colored bar tells you whether your password is weak (red), moderate (yellow) or strong (green).

Norton Identity Safe can also securely store your credit card numbers for easy online payments. (It’s important to be careful when you’re sharing personal information like credit card numbers online, as this can open you up to credit card fraud.)

SecureSafe

SecureSafe is a cloud storage service for sensitive files and passwords. File storage is its standout feature. If you need to store a digital copy of a sensitive file (like one of these seven documents you need to fill out before you die), a SecureSafe free account includes 100 MB of file storage space and can save up to 50 passwords. Paid accounts (starting at $18/year) get unlimited passwords and more file storage space. The app includes a variety of security features for file storage, including a free, secure PDF viewer for smartphones.

When you open the app on desktop or mobile, passwords are listed alphabetically. If you’ve entered the URL, you can click the arrow icon to go straight to the site. The password is copied to your clipboard automatically so you can paste it into the field on the login screen. The clipboard is erased after a short period of time; the time period is customizable.

SecureSafe doesn’t run as a browser extension, so you need to log into your account to access your passwords. This is an advantage for people who don’t want extension clutter or popups, or for people who use shared devices. The extra steps are cumbersome, though, for anyone who wants passwords to automatically populate.

Want to learn more about how to keep your information safe? Here are eight ways to protect your privacy online.

Image: pixelfit

The post How to Remember All the Passwords You Need in Your Life appeared first on Credit.com.

6 Things You Should Do Immediately If You Have a Yahoo Account


Yahoo says 500 million user accounts have been compromised, and they are telling users to change their passwords. That’s good advice, and below you’ll find better advice from security firm Sophos.

But first: For the next several days, or even weeks, beware emails that appear to come from Yahoo. Now will be a great time for phishers to trick users into following alleged “change your password” links that actually lead to hacker-controlled sites.

Now, onto the better advice:

  1. Change your Yahoo password immediately.
  2. Reset this password, if you’re reusing it on other online sites. Cybercriminals are now using tools that sniff out passwords reused on other, more valuable sites to make their work easier and to make the stolen passwords and other hacked data more lucrative on the dark web.
  3. Make all new passwords different and difficult to guess – yes, you need to create different passwords for every site you visit.
  4. Include upper and lower case letters, numbers and symbols to make passwords harder to crack – refer to the Sophos Password Quick Tips guide for creating stronger passwords.
  5. Don’t trust password strength meters – these are unreliable and inaccurate.
  6. In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.

I disagree about using a new password for every site. I mean, it’s a lovely idea, but it’s just not realistic. Instead, I’m an advocate of having password families.

One simple password for throwaway accounts you don’t care about, like newsletters; one medium-hard password for sites that require a registration, but don’t involve money; and then one really strong password for financial accounts that you change on a regular basis.

For that tough password, use something clever, like the first letter of every word in a sentence. Like this: I Was Born on November 1 in North Dakota — IWBoN1iND (I wasn’t, by the way). Change a number to a symbol and you are in good shape, like IWBoN!iND.

Now, as for how often you should change your password — I asked a bunch of experts that question not long ago and got some interesting answers.

Graham Cluley – Independent computer security analyst, formerly of Sophos and McAfee (more about him)

I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. I think requiring people to regularly change their password is a bad idea. It encourages poor password choices, (such as) … passwordjan, passwordfeb, etc.

Mikko Hypponen – Chief Research Officer, F-Secure (more about him)

Depends.

For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never. As always, it’s about threat modelling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites: who cares.

James Lyne, Global Head of Security Research at Sophos, speaking specifically about corporate passwords (More about him)

The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014 there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password ‘representations’ require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.

There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory – ironically this can lead to staff producing poor passwords to meet the requirement which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism often using a significantly longer, complex and hard to guess password is a much better defence. Good luck to the cybercriminal going after a 128 character password stored as a (moderately poor) SHA1 hash.

Password managers help you generate long and complex passwords that will be hard to crack even if lost, that said, if you go this far and implement a manager you may as well rotate your passwords once in a while as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly).  Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30 day rotation period.

Harri Hursti – independent security researcher, famous for “The Hursti Hack” of voting machines (more about him)

This is not (an easy question) … because also changing the password too often can become a security risk.

It greatly depends. Passwords I use more often, over the internet and are in sensitive sites are changed 2-3 times a year. Then there are very important passwords which are either used very seldom or are used in more secure environment and those I change once a year, or not even then.

Chester Wisniewski and Paul Ducklin, senior security advisors at Sophos. (More about Chester and Paul)

The answer, loosely, is this.

Change a password if any one of these is true:

  1. You suspect (or know) it has been compromised.
  2. You feel like changing it.
  3. You have been re-using passwords and have decided to mend your ways.

We explain better in the podcast “busting password myths,” I think.

The podcast is 15 minutes, however, the first two minutes address this very question and may be worth your time.
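James Lyne’s point above is that what a provider does with your password matters as much as rotation: a long password stored as a bare SHA-1 hash is still far better than a short one, and a salted, iterated scheme is better still. The following is an added example, not code from the article or from Sophos; it puts the weak scheme (unsalted SHA-1) beside a salted PBKDF2-HMAC-SHA256 record that carries its own work factor, so a site can raise the cost later and upgrade each record the next time its owner logs in. The iteration count is an assumed value.

```python
import hashlib
import hmac
import os

# Assumed work factor; a real deployment tunes this to its own hardware.
PBKDF2_ITERATIONS = 600_000


def store_sha1(password):
    """The weak scheme: a bare, unsalted SHA-1 of the password. Equal
    passwords give equal hashes, so a leaked table exposes reuse and is
    open to precomputed lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Salted, iterated storage with PBKDF2-HMAC-SHA256. The record carries
    its own parameters so the cost can be raised later without a reset."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(record, target_iterations=PBKDF2_ITERATIONS):
    """True when a record was stored with fewer iterations than we now require."""
    return int(record.split("$")[1]) < target_iterations


def login(password, record, target_iterations=PBKDF2_ITERATIONS):
    """Verify a login. On success return (True, record), where the record
    has been re-stored at the current work factor if it was below target;
    on failure return (False, record) unchanged."""
    if not verify_pbkdf2(password, record):
        return False, record
    if needs_rehash(record, target_iterations):
        record = store_pbkdf2(password, target_iterations)
    return True, record


def same_password_same_record(store, password):
    """Does storing the same password twice yield identical records?
    True for unsalted SHA-1, False for the salted scheme."""
    return store(password) == store(password)


if __name__ == "__main__":
    # Constructed demo password; never reuse a value like this.
    record = store_pbkdf2("correct horse battery", iterations=1_000)
    print("sha1 repeats:", same_password_same_record(store_sha1, "hunter2"))
    print("pbkdf2 repeats:", same_password_same_record(store_pbkdf2, "hunter2"))
    ok, upgraded = login("correct horse battery", record)
    print("login ok:", ok, "upgraded:", upgraded != record)
```

Each PBKDF2 check costs the attacker roughly `iterations` hash computations per guess, which is the slowdown Lyne is describing; the salt is what stops one precomputed table from covering every user at once. Python’s `hashlib.pbkdf2_hmac` and `hmac.compare_digest` are standard-library calls, so the block runs as written.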


The post 6 Things You Should Do Immediately If You Have a Yahoo Account appeared first on MagnifyMoney.

How Your Favorite Song Lyrics Can Protect Your Identity


What if someone told you that you could use some of the words from your all-time favorite song as your password? Not only that, but that it could actually be as effective as some difficult-to-remember imbroglio like Ge0rg34m@gr!|| — you know, something like what your IT department sends you as a start-up password.

Would you doalittledancemakealittlelovegetdowntonight?

If your answer is yes, yes, you would do a little dance … and get down tonight, good news! A recent study by some really smart people at Carnegie Mellon University found that the use of long, sentence-like or phrase-like passwords like the one above is increasing among people looking for easier-to-remember passwords. Not only that, but it could be “a promising user authentication mechanism.”

The really smart people, otherwise known as researchers, looked at the role of “grammatical structures underlying such passwords in diminishing the security of passwords.” Or in layman’s terms, they questioned whether they were easier to hack than the letter-number-symbol jumbles we’re all so familiar with. The answer was no, not really. It turns out that hacking programs find a lengthy password almost as difficult to crack as a seemingly random one.

The researchers went into the study viewing text-based passwords involving a trade-off between usability and security. “System assigned passwords and user-selected passwords subject to complex constraints (e.g. including mixed-case, symbols and digits) are harder to guess, but less usable,” the researchers wrote. “Conversely, simple, memorable user-selected passwords offer poor resilience to guessing.”

In order to find a compromise, researchers and organizations have begun recommending the use of longer user-selected passwords with simpler composition.

The idea isn’t particularly new. Security pros have been using similar passphrases for years, albeit somewhat differently. This trick takes a sentence and then uses the first letter of every word. For example: “I love pizza 3 times a week″ would be ilp3taw. You can be really clever and add capital letters and a special character or two, like iLp3T@w.
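The three password-building tricks on this page (item 34’s "phrase password", the Yahoo article’s IWBoN1iND, and the first-letter trick just described) can be written down as one small procedure, and the claim that a long lyric holds up against guessing can be put into rough numbers. The following is an added example, not code from Credit.com or from the Carnegie Mellon study: it derives the acronym password from a sentence (reproducing the page’s own ilp3taw and IWBoN!iND) and estimates guessing resistance under two models. The 20,000-word vocabulary in the phrase model is an assumption, and both models are only order-of-magnitude estimates.

```python
import math
import re
import string

# Character classes for the naive brute-force model (string.punctuation
# has 32 printable symbols).
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), len(string.punctuation)),
]


def acronym_password(sentence, keep_case=False, substitutions=None):
    """First letter of every word; whole numbers are kept as digits.
    keep_case=True preserves the capitals of the original words, and
    substitutions swaps characters for symbols, e.g. {"1": "!"}."""
    parts = []
    for word in sentence.split():
        word = word.strip(string.punctuation)
        if not word:
            continue
        parts.append(word if word.isdigit() else word[0])
    password = "".join(parts)
    if not keep_case:
        password = password.lower()
    for old, new in (substitutions or {}).items():
        password = password.replace(old, new)
    return password


def charset_bits(password):
    """Naive model: an attacker tries every string over the union of the
    character classes present; bits = length * log2(alphabet size)."""
    alphabet = sum(size for rx, size in CLASSES if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def word_model_bits(word_count, vocabulary=20_000):
    """Phrase model: the attacker guesses whole words from a vocabulary
    (assumed 20,000 common words), so a sentence scores far lower than its
    character count suggests; a well-known lyric scores lower still."""
    return word_count * math.log2(vocabulary)


def compare(sentence):
    """Estimates for the whole phrase run together versus its acronym."""
    words = sentence.split()
    phrase = "".join(w.strip(string.punctuation).lower() for w in words)
    acronym = acronym_password(sentence)
    return {
        "phrase": phrase,
        "phrase_charset_bits": round(charset_bits(phrase)),
        "phrase_word_bits": round(word_model_bits(len(words))),
        "acronym": acronym,
        "acronym_charset_bits": round(charset_bits(acronym)),
    }


if __name__ == "__main__":
    for key, value in compare("do a little dance make a little love get down tonight").items():
        print(f"{key}: {value}")
    print(acronym_password("I Was Born on November 1 in North Dakota",
                           keep_case=True, substitutions={"1": "!"}))
```

The two models bracket the truth: the full lyric scores about 202 bits under the character model but about 157 under the word model, and the 11-letter acronym only about 52 bits, which is why Levin’s warning about phrases other people could guess matters more than the raw length.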

“If one could use biometric encryption, that’s certainly better, but even biometrics have been spoofed,” said Adam Levin, co-founder of Credit.com and author of “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.” “But in situations where biometrics are not available, a passphrase is probably a better option than a typical password.”

Also, with a phrase, you could create a variety of different passwords out of that single phrase, Levin explained. Add a couple of letters in the front for a particular website and a couple of numbers in the back, and you can have a different password for every site, all of which will be fairly easy to remember.

“Also, there’s less tendency to use an overly simple or flat-out bad password like ‘password’ if you use phrases,” Levin said.

It’s also important to remember that a significant percentage of identity theft occurs among family and friends, Levin warned, so “if it’s a phrase you use frequently that someone could guess, it’s probably not a good option.”

As the really smart people at Carnegie Mellon wrote: “More research is necessary to fully understand the effect of structures on long passwords,” but they’re definitely worth considering to keep your accounts secure.

Remember, identity thieves can strike at any time. To guard against identity theft, it’s important not just to keep your passwords or passphrases strong and secure; it’s also wise to monitor all of your financial accounts regularly, as well as your credit. If an identity thief has stolen some of your information to open a new account in your name, it will impact your credit scores.

You can monitor your credit scores for free twice a month on Credit.com. Any unexpected changes in your score could signal identity theft, and you should pull copies of your credit reports (you can do that for free once a year) to investigate further. Acting fast can help protect your credit and your finances.

Image: PeopleImages

The post How Your Favorite Song Lyrics Can Protect Your Identity appeared first on Credit.com.

7 Steps to Safer Passwords for All Your Online Accounts


Some passwords are funny. Some are pretty weird. Some can be a math problem. Many can be laughably easy to hack (I give you “dadada,” “qwerty,” “password” and “123qwe,” to name a few) — or very tricky. But one thing is for sure: they are never really 100% hack-proof.

Earlier this month, news broke that a significant number of Twitter passwords had been compromised and were being offered to anyone willing to fork over 10 bitcoins, or roughly $6,700, as of this writing. More than 32 million users were included in the cache of information on the cyber creep auction block. Hacked information database Leaked Source said in a blog post that it received the data set from a user under an alias.

Your Information Is Out There

The first takeaway: Anyone can scavenge and rumor-chase to find purloined login credentials. The second: You are not safe, and identity-related crimes are the third certainty in life, right behind death and taxes. (You can monitor your credit for signs of identity theft by viewing two of your credit scores for free each month on Credit.com.)

Twitter has told multiple news outlets that its systems were not breached. Leaked Source said the passwords appeared to have been grabbed by malware.

How to Keep People Out of Your Stuff

While knowing that your information is out there is an important piece of the personal data security puzzle, keeping your accounts safe is even more crucial.

While there has been much innovation in the world of data security, nothing has proven foolproof yet. Biometric authentication using fingerprint and iris scans is promising, but its adoption is far from universal and not without some spoofing issues.

There are tokens and cards that can complement passwords, but those are fallible for the reason that they can be stolen or lost.

Multi-factor authentication is probably the best way to deal with security issues, but it does not necessarily strike the best workplace balance between security and convenience. The Pixar movie “Monsters vs. Aliens” provides a comical scene that demonstrates why it’s not the most practical approach (the character has to provide a hand, foot, tongue, elbow and butt scan to gain access to the president’s situation room).

Passwords Are Still the Best Option

As things stand now, a password coupled with a second factor of authentication known only to the user — like a visual prompt — is the best personal security solution.

Because we have many accounts and they should all have separate passwords, most consumers have a problem keeping all that information straight. There are apps for that, of course, and if you are OK with cloud-based solutions — bearing in mind that nothing is un-hackable — you might want to check out a service like 1Password, which allows you to store all your passwords, PINs, credit card numbers, and more. PasswordWallet 4 and Dashlane provide similar services. Bear in mind that they are not the only good games in town, so do your research and read reviews. Keep in mind, too, that some password managers charge for their services.

The upside to password valets is clear — you only have to remember one password. If that’s of interest, you still need to make sure that password is very strong.

Rules of the Road for Effective Passwords

If you decide not to use a password manager, never store your passwords and user names in a document that resides on your computer. Save them on an encrypted thumb drive. Then you need only remember two things: Where you keep it and the password (hopefully long and strong) required for access.

The best practices here include a number of things you shouldn’t do:

1. Try to avoid single words, since many password-cracking programs use the dictionary.

2. Avoid letters and numbers that are close to each other on the keyboard.

3. Never use a password based on personal information that could well be available on social media or via a data breach. This would include your birthday or the birthdays of loved ones, children’s names, pet names, your high school or college mascots and the like.

4. Never use a password on a retail site that you use anywhere else. If that site gets hacked and the same login information is on a bank account, you’re toast.

And a few things you should do:

5. Create an easier password for sites that don’t have a great deal of your personal information, like news sites, video streaming services and the like.

6. Consider using a password generator. (Bear in mind this generally requires using a password management system, bought or homemade.)

7. Create long and strong passwords containing a phrase at their core. One thing that a brute force attack cannot do is guess the first line of a poem you wrote in fourth grade, especially if you have a simple math problem embedded in the middle of a word or two.

Most of us have day jobs. Identity thieves and scammers view grabbing our information and exploiting it for their gain as their day job. Always assume there is a never-ending riot overflowing with looters happening just outside your cyber house. That’s why you must be thoughtful, inventive and vigilant when creating passwords, for they are the locks to all your virtual doors and windows — even when you are home.


Image: PeopleImages

The post 7 Steps to Safer Passwords for All Your Online Accounts appeared first on Credit.com.

You May Not Have to Remember Your Passwords Anymore If This Google Plan Takes Off


You may soon be able to log into your Android devices without entering a password, thanks to the new “trust scores” Google announced at its annual I/O conference last week.

The trust scores, also referred to as the Trust API (application program interface) or Project Abacus, started development last year and The Verge reports the security updates are expected to be rolled out to a test group of “several very large” financial institutions next month. If all goes according to plan, Google expects Android users to have access to the scores at the end of the year and then potentially other operating systems after that.

How it Works

The API runs in the background and utilizes user-specific factors to develop a user’s trust score each time they log on, which could help prevent unauthorized users from accessing your personal information. According to TechCrunch, the API will factor in personal indicators, like face shape and voice recognition, as well as behavioral data, like how you move and type, to compute the score.

Eventually, The Verge reports, trust scores could be a factor in logging into any apps or programs on mobile devices. Requirements would vary based on what you’re trying to do, with banking apps requiring a higher trust score than a social media app, for example.

Replacing Passwords

Until this security measure is implemented on devices, all users will continue logging in with standard passwords. If you think you have a weak password on any of your accounts, or use the same one for multiple logins, you may want to consider changing them. In fact, it’s a good idea to change your passwords often for better internet safety.

If you believe one of your accounts or passwords has been compromised, especially if it’s something that can be tied back to your finances, checking your credit report can help you see if anything damaging has occurred. (You can get your free annual credit report from AnnualCreditReport.com and view two of your credit scores for free, updated monthly, on Credit.com.) If you see any signs that your identity has been stolen, like new accounts you didn’t open or addresses that aren’t yours, you should dispute the information with the credit bureaus and report the fraud to the proper authorities.



Image: Petar Chernaev

The post You May Not Have to Remember Your Passwords Anymore If This Google Plan Takes Off appeared first on Credit.com.

The Worst Passwords of 2015


Despite all of the data breaches and scams that have proliferated over the last few years, we sure love our bad passwords.

For the fifth year in a row, “123456” and “password” topped password manager provider SplashData’s annual “worst passwords” list. Its latest version was compiled from more than 2 million leaked passwords mostly held by users in North America and Western Europe during the year. New and notable entrants include “starwars,” “solo” and “princess” — undoubtedly tied to the massively successful debut of Star Wars: The Force Awakens this year.

Meanwhile, other repeat offenders were “dragon” (No. 16), “111111” (No. 14), and “letmein” (No. 19).

Of course, it wasn’t all bad news on the password front this year, as SplashData notes that websites and users were at least trying to be a bit more secure by lengthening their terrible passwords.

“For example, ‘1234567890’, ‘1qaz2wsx’ (first two columns of main keys on a standard keyboard), and ‘qwertyuiop’ (top row of keys on a standard keyboard) all appear in the top 25 list for the first time,” SplashData wrote in a press release, before pointing out that “they are each based on simple patterns that would be easily guessable by hackers.”

The top 10 worst passwords of 2015 are:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball

How to Set Strong Passwords

Strong passwords are important because they help keep hackers from getting into important accounts and/or getting a hold of sensitive personal information that can be used to steal your money or, worse, your identity. A strong password generally mixes letters, numbers and special characters, uses both upper- and lowercase letters and is at least 10 characters long. Strong passwords also don’t include your name, birthdate, common words, simple pop culture references (ahem, The Force Awakens) or any information (like, say, the name of your dog or cat) that can be easily found on social media.
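The rules in the “7 Steps” list above (dictionary words, keyboard neighbors, personal information, reuse) and the strength criteria in this paragraph, turned into a small checker as an added example; this is not Credit.com’s code, and the wordlist, the US keyboard layout and the sample user are constructed assumptions. It also shows that the mnemonic iLp3T@w from the song-lyrics post passes every composition check but not the length rule.

```python
import re

# Constructed stand-in for the wordlist a cracking tool would load: the worst-
# passwords entries quoted on this page plus a few common words (assumption).
DICTIONARY = {"password", "football", "baseball", "dragon", "letmein",
              "princess", "starwars", "solo", "qwerty", "welcome", "monkey"}

# Rows and columns of a standard US QWERTY keyboard (assumption: US layout),
# used to catch adjacent-key runs such as "qwertyuiop" and "1qaz2wsx".
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
MIN_LENGTH = 10  # the "at least 10 characters" guidance on this page


def has_keyboard_run(password, run_len=4):
    """True if run_len keys that sit next to each other on the keyboard appear
    in the password, read forwards or backwards ("1234", "rewq", "1qaz")."""
    p = password.lower()
    for seq in KEY_ROWS + KEY_COLUMNS:
        for i in range(len(seq) - run_len + 1):
            chunk = seq[i:i + run_len]
            if chunk in p or chunk[::-1] in p:
                return True
    return False


def assess(password, personal=(), used_elsewhere=()):
    """Return the rules the password breaks (empty list = passes every check).
    `personal`: strings an attacker could learn from social media or a breach
    (names, pet names, birth years).  `used_elsewhere`: passwords in use elsewhere."""
    findings = []
    p = password.lower()
    letters_only = re.sub(r"[^a-z]", "", p)
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    # Lower, upper, digit and symbol (a space counts as a symbol here).
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        findings.append("missing_character_class")
    # Rule 1: a single dictionary word, even with digits or symbols bolted on.
    if letters_only in DICTIONARY:
        findings.append("dictionary_word")
    # Rule 2: adjacent keys, or the same key hammered repeatedly ("111111").
    if has_keyboard_run(password) or re.search(r"(.)\1{3,}", password):
        findings.append("keyboard_pattern")
    # Rule 3: anything an attacker could look up about the user.
    if any(len(item) >= 3 and item.lower() in p for item in personal):
        findings.append("personal_info")
    # Rule 4: a password reused from another site is one breach away from here.
    if password in used_elsewhere:
        findings.append("reused")
    return findings


def is_strong(password, personal=(), used_elsewhere=()):
    return not assess(password, personal, used_elsewhere)


if __name__ == "__main__":
    # Constructed sample user: dog named Rex, born 1987, one password reused from a shop.
    PERSONAL, USED = ("Rex", "1987"), {"Rex1987!shopping"}
    for pw in ["123456", "1qaz2wsx", "password1", "Rex1987!shopping",
               "iLp3T@w", "I love pizza 3 times a week!"]:
        print(f"{pw!r:32} -> {assess(pw, PERSONAL, USED) or 'ok'}")
```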

Remember, it’s also in your best interest to change passwords often and to refrain from using the same one across accounts. Plus, if you have any reason to believe your personal or payment information has been compromised, you should keep a close eye on your financial accounts and your credit report. You can do the latter by pulling your credit reports for free each year at AnnualCreditReport.com and viewing your two free credit scores each month on Credit.com. Signs your identity has been stolen include a sudden drop in credit scores, mysterious lines of credit you’ve never opened and unfamiliar addresses.


Image: gpointstudio

The post The Worst Passwords of 2015 appeared first on Credit.com.

8 Predictions for 2016: Drones, Mobile Pay & the Internet of Things


Will 2016 be the year people really start buying things with their phones? The year a hacker finally turns the lights off? Or a self-driving car causes an accident? Maybe, maybe not. Maybe some of these things won’t happen until January 2017 — the 12-month time horizon is pretty arbitrary — but these are the things that are listed in almost every prediction story about the new year.

While it might be silly to talk about 2016 guarantees, New Year’s Eve is always a natural time to think about the future, and the exercise of imagining what troubles we’ll soon confront is certainly worthwhile. So I’m not limiting this year’s predictions to the new calendar. Instead, I’m going to discuss what I think is “coming soon.”

1. Things Vs. People

Everyone is correctly predicting that smart gadgets will soon infiltrate our lives (wired crockpots? Of course!), and few of them will be built to protect privacy or care for security. So our homes will likely be hacked and our privacy may erode. But here’s a remarkable data point from Gartner: The number of devices we need to protect will exceed 200 billion by 2020 — 200 billion! “Wearables, gadgets, sensors and other things on the Internet are creating new connections and exposing new vulnerabilities,” warns McAfee. “Every new product that connects to the Internet faces the full force of today’s threats, and we have a long way to go to keep up with the speed and complexity of attack.”

2. People vs. … Robots?

All that is scary, but the real potential looming problem in the things vs. people conflict is this: the robot workforce. Gartner also predicts that by 2018, more than 3 million workers globally will be supervised by a “robo-boss.” And that same year, nearly half of the fastest-growing companies in the world will have “fewer employees than instances of smart machines.” That’s a polite way of saying you can forget about your job being shipped overseas. Instead, it could be done by a robot soon, unless you can work cheaper than a robot. This conflict is real and arriving much sooner than we expected. If I ran a ride-sharing service, for example, I’d be pushing the limits of self-driving cars as far as I could.

3. Paying by Phone

Adoption rates for mobile payment schemes like Apple Pay have been very slow — but that’s temporary. Over time, consumers will likely see value adds from these services, such as the loyalty benefits we already see from Starbucks. There’s a wide-open door now, as consumers are a bit irritated by delays when using the new chip-enabled credit cards. Mobile pay can be faster in some cases.

4. Your Phone as Your Password

One development that will help mobile pay will be the increased use of mobile devices in two-factor authentication schemes, like the one Amazon just implemented. Users will get a temporary passcode by text or use token-generating software to log in to many financial sites soon. As they get used to whipping out their phones during these transactions, they’ll be more apt to use them to buy things. The phone-as-password development will also hasten the end of old-fashioned passwords. Good riddance.

5. Your Money or Your Data

If you don’t know someone who’s been hit by a ransomware virus, you will soon. Brazen hackers keep finding ways to take control of computers and data and force payment by consumers or organizations to free them. There’s no end in sight for this threat, which means you should keep your security software up to date. However …

6. File-Less Attacks Grow

One of the most alarming developments in the security space has been the growth of cyber attacks that leave no file on disk for antivirus software to scan. “File-less” attacks involve techniques like injecting malicious code directly into a computer’s memory space. They are much harder to prevent and detect, and they are similar to the point-of-sale memory-scraping attacks that have been rampaging through big retailers, stealing millions of credit card account numbers. You should be hearing much more about these soon.

Thanks to the increased risk to our personal and payment data, it’s important to monitor your credit for signs of identity theft. You can do so by pulling your credit reports for free each year on AnnualCreditReport.com and viewing your credit scores for free each month on Credit.com.

7. Drones Everywhere

As drones continue to come down in price and become easier to operate, our skies will likely be filled with them. Sure, there’s some great potential for drones, which are now a staple in news coverage of big events. But Heaven help us if they start crashing into each other, taking pictures of us in our homes or becoming a fixture in life-casting videos on the Kardashians.

8. The Campaign

Finally, the one thing I can guarantee during 2016 is that noise will dominate signal on social media during the presidential campaign. The Internet is the best tool ever invented for spreading mistruths. Knowing this, you can be part of the solution by simply not forwarding or posting lists of bad things about Donald Trump’s hair or Hillary Clinton’s bathroom breaks. Heck, Americans showed incredible restraint during the release of Star Wars as millions managed to avoid posting spoilers. Let’s show similar restraint during the election, too.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


Image: oneinchpunch

The post 8 Predictions for 2016: Drones, Mobile Pay & the Internet of Things appeared first on Credit.com.