The Newest Way to Beat the Password Paradox

It’s time to refresh your sense of what makes a password safe. Some of the old standards for passwords are changing, and rules you have been following for years may not be keeping your accounts secure any more. Learn the new password rules now, before the hackers break in.

Do all of your passwords contain special numbers and characters? Do you change them every 90 days? Chances are you’ve been following this password advice for many years—but it may not be keeping your accounts safe anymore.

In 2003, Bill Burr, then an engineer at the U.S. National Institute of Standards and Technology (NIST), wrote the password-strength appendix of NIST Special Publication 800-63, which came to be treated as the official guidance on password security. In it, he suggested that users strengthen passwords by incorporating uppercase letters, numbers, and special characters. Burr also recommended changing passwords frequently.

Burr's recommendations quickly became the gold standard on password security. But Bill Burr now regrets the advice in his original guide. In a 2017 interview with the Wall Street Journal, Burr acknowledged that his suggestions may actually have led people to use less secure passwords.

Asking people to change a password every 90 days typically results in users making a minor change, such as adding a number to the end of the existing password. That change does little to increase password security. And all the characters, numbers, uppercase letters and lowercase letters make passwords harder to remember without offering much increase in security value. Once masses of people adopted these habits, attackers built them into their tools: password-cracking software applies the same predictable substitutions and suffixes (a capital first letter, "0" for "o", "$" for "s", a digit or "!" on the end) to every word in a dictionary, so passwords built that way fall in hours or days rather than years.

So what can you do to create hard-to-hack but easy-to-remember passwords?

THE NEW PASSWORD CREATION METHOD

As we mention in Hack-Proof Your Life Now!, security experts now recommend stringing five randomly chosen words together, and NIST's revised guidance (Special Publication 800-63B, published in 2017) points the same way: it drops mandatory composition rules and periodic expiration in favor of length, while still rejecting passwords that appear in lists of breached passwords. Believe it or not, the passphrase "Twins July Motor Buckle Add" would most likely take far longer to crack than the password "C0mpu+3r45", which is just the word "computer" with predictable substitutions and a number tacked on the end.

Why? For one, five-word passphrases tend to be much longer than our old passwords. More importantly, each word is one of thousands of equally likely choices, which is what makes the result genuinely random. Password strength is measured by entropy, the amount of randomness or uncertainty an attacker faces: a password that is equally likely to be any one of N possibilities carries log2(N) bits of entropy, and each additional bit doubles the number of guesses an attacker needs on average.

But to truly create a strong five-word password, you shouldn’t choose the words yourself. Studies have shown that even when we think we are choosing random words, we are strongly influenced by how often that word occurs in regular conversation, as well as grammatical rules.

Security experts recommend the Diceware method to create your strong passwords.

Here, you roll a die five times to create a five-digit number. For example, say you roll a 2, 6, 3, 1, 1. Repeat until you have five such five-digit numbers, such as:

26311

14563

44452

12556

22215

Then use the 7,776-word Diceware list (7,776 = 6^5, one entry for every possible result of five rolls) to match each 5-digit number to the corresponding word. Using the numbers above, your passphrase would be Frame Booth Orr Assort Cutlet. Keep the spaces if the site accepts them: they add a little length and make the words easier to type, though the strength comes from the random choice of words, not from the separators.
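Here is the procedure above in code, as an added example (not part of the original article or of the Diceware project itself): it turns five dice rolls into a position in the list, picks words, and computes the entropy and cracking-time figures behind the strength claims. The word-list excerpt is constructed from the five pairs the article uses; the real list file has 7,776 entries in the same layout.

```python
import math
import re
import secrets
from typing import Callable, Dict

# Constructed excerpt in the layout of the Diceware list file (five dice
# digits, a tab, a word). The real list has 7,776 = 6**5 entries; these five
# pairs are the ones the article walks through.
SAMPLE_LIST = """\
26311\tframe
14563\tbooth
44452\torr
12556\tassort
22215\tcutlet
"""

LINE_RE = re.compile(r"^([1-6]{5})\t(\S+)$")


def parse_wordlist(text: str) -> Dict[str, str]:
    """Map each five-digit dice string to its word; any other line is ignored."""
    words = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            words[m.group(1)] = m.group(2)
    return words


def roll_to_index(rolls: str) -> int:
    """Read five dice digits (1-6) as a base-6 number: '11111' -> 0, '66666' -> 7775."""
    if not re.fullmatch(r"[1-6]{5}", rolls):
        raise ValueError(f"not five dice digits: {rolls!r}")
    index = 0
    for d in rolls:
        index = index * 6 + (int(d) - 1)
    return index


def roll_dice(n: int = 5) -> str:
    """n dice rolls from the OS CSPRNG (secrets, not random), so nobody can predict them."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def passphrase(words: Dict[str, str], n_words: int = 5,
               roll: Callable[[], str] = roll_dice, sep: str = " ") -> str:
    """Pick n_words by dice. With the full list every roll hits; a partial list re-rolls."""
    chosen = []
    while len(chosen) < n_words:
        r = roll()
        if r in words:
            chosen.append(words[r])
    return sep.join(chosen)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from list_size words."""
    return n_words * math.log2(list_size)


def crack_time_years(list_size: int, n_words: int, guesses_per_second: float) -> float:
    """Years needed to try every passphrase of this shape at the given guess rate."""
    return list_size ** n_words / guesses_per_second / 31_557_600


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_LIST)  # swap in the real file for a usable passphrase
    print(f"entropy of 5 Diceware words: {entropy_bits(7776, 5):.1f} bits")
    print(f"exhaustive search at 1e10 guesses/s: {crack_time_years(7776, 5, 1e10):.0f} years")
    print(f"same search against a slow password hash at 1e4 guesses/s: "
          f"{crack_time_years(7776, 5, 1e4):.2e} years")
```

Five words give about 64.6 bits, or 7,776^5 (roughly 2.8 × 10^19) equally likely passphrases. The character-mix password loses despite the naive arithmetic: a truly random 10-character string drawn from 95 printable symbols would carry about 65.7 bits, but "C0mpu+3r45" was not chosen that way, so a cracker's substitution rules reach it after a tiny fraction of those guesses.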

Now you may be thinking, “I won’t remember a bunch of random words strung together—especially for multiple passwords!” It’s nearly impossible to remember unique passwords for the ever-growing number of online accounts we accumulate.

THE KEY TO REMEMBERING

That's why you must also use a password manager. A password manager is a program (or online service) that stores all of your usernames and passwords in an encrypted file on your computer and/or in "the cloud." That file is protected by one master password, the only one you need to remember.

Once you are signed into your manager with your master password, the program will autofill the username and password fields for any known website. If you visit a new site that is not yet stored, you can easily save your login credentials to your password vault. You can also easily update passwords in the manager, so you can replace all of your passwords using the Diceware method.

Some people question the security of password managers, but the tradeoff is clearly in their favor: the alternative is reusing memorable, and therefore guessable, passwords. A manager encrypts your vault with a key derived from your master password, so the file is useless to a thief who copies it, and for managers built on a "zero-knowledge" design that key never leaves your device. The flip side is that if you forget your master password, not even the company can retrieve your passwords. Password managers typically cost $10-$30 annually and most allow you to access your vault and sync your passwords across your various devices, including your smartphone and tablet. Free tiers of the commercial products typically limit syncing or features; KeePass is free and open source but leaves syncing between devices up to you. There are many password managers to choose from and it's best to do some research to see which program best fits your needs. Some options you may consider are Dashlane, LastPass, 1Password, and KeePass.
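To make concrete why a forgotten master password is unrecoverable, here is an added illustration, not code from any of the products named above, of how a vault key is derived and checked. The scrypt parameters are assumed values chosen for the example; a real manager tunes them and then uses the derived key to encrypt the stored entries with an authenticated cipher.

```python
import hashlib
import hmac
import secrets

# scrypt work factor (assumed values for illustration; real managers tune these
# so one unlock takes a noticeable fraction of a second). Memory use is 128*r*n bytes.
KDF_N, KDF_R, KDF_P = 2 ** 14, 8, 1


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """32-byte vault key from the master password and a random salt.

    scrypt is memory-hard, so every guess at the master password costs the
    attacker real CPU time and RAM; the same password and salt always yield
    the same key, which is what lets the vault be reopened later.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=KDF_N, r=KDF_R, p=KDF_P, dklen=32)


def create_vault_header(master_password: str) -> dict:
    """What gets written to disk or synced to the cloud.

    Only the salt, the KDF parameters and a verifier tag are stored. Neither
    the master password nor the derived key is written anywhere, which is why
    the vendor cannot recover a forgotten master password.
    """
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    verifier = hmac.new(key, b"vault-verifier", hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "n": KDF_N, "r": KDF_R, "p": KDF_P, "verifier": verifier}


def unlock(header: dict, master_password: str):
    """Re-derive the key from the stored salt and check it against the verifier.

    Returns the key (which would then decrypt the entries) on success, or None
    on a wrong password. compare_digest keeps the comparison constant-time.
    """
    salt = bytes.fromhex(header["salt"])
    key = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                         n=header["n"], r=header["r"], p=header["p"], dklen=32)
    expected = hmac.new(key, b"vault-verifier", hashlib.sha256).hexdigest()
    return key if hmac.compare_digest(expected, header["verifier"]) else None


if __name__ == "__main__":
    header = create_vault_header("Frame Booth Orr Assort Cutlet")
    print("stored header:", header)
    print("right password unlocks:", unlock(header, "Frame Booth Orr Assort Cutlet") is not None)
    print("wrong password unlocks:", unlock(header, "frame booth orr assort cutlet") is not None)
```

Everything a thief (or the vendor) can see is the header: a random salt, the cost parameters and a tag that confirms a correct guess. Recovering the vault means guessing the master password through the slow key derivation, which is exactly why that one password should itself be a Diceware passphrase.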

BOOST YOUR SECURITY, RELAX YOUR BRAIN

The combination of the Diceware method and a password manager will significantly boost your account security across the Internet. A five-word Diceware passphrase has about 64 bits of entropy, roughly 2.8 × 10^19 equally likely possibilities: at ten billion guesses per second, the rate a fast, unsalted hash permits, exhausting them takes about 90 years, and against a properly slowed-down password hash it takes millions of years. And adding a password manager takes away the issue of having to remember these long passwords for your hundreds of accounts. Instead, enter your new passwords and protect them with one strong passphrase, the only one you have to commit to memory.

© 2017 Horsesmouth, LLC. All Rights Reserved.

How to Protect Yourself Against Identity Theft

Massive computer hacks and data breaches are now common occurrences — an unfortunate consequence of living in a digital world. Once identity thieves have your information, they can use it to gain access to your bank and credit card accounts, make unauthorized transactions in your name, and subsequently ruin your credit.

Now more than ever, it's important to safeguard yourself against identity theft. Here are some steps you can take to protect your personal and financial information.

 

CHECK YOURSELF OUT

It's important to review your credit report at least once a year and make sure that all the information in it is correct. Every consumer is entitled to a free credit report every 12 months from each of the three reporting agencies: Equifax, Experian, and TransUnion. Besides the annual report, you may be entitled to an additional free report under certain circumstances. Visit annualcreditreport.com for more information.

If you find an error in your credit report, contact the appropriate credit reporting agency to let it know that you are disputing information on your report. The agency usually must investigate the dispute within 30 days of receiving it. Once the investigation is complete, the agency must provide you with a written result of its investigation and remove/correct any errors. You can generally file your dispute with the agency either online or by mail. However, it may be more helpful to dispute the error in writing with supportive documents, preferably by certified mail. That way you'll have a paper trail to rely on if the investigation does not resolve the disputed error. If you believe that the error is the result of identity theft, you can also file a complaint with the Federal Trade Commission at identitytheft.gov.

In addition to checking out your credit report, you should regularly review your bank and debit/credit card accounts for suspicious charges or account activity. If you discover signs of unauthorized transactions, contact the appropriate financial institution as soon as possible — early notification not only can stop the identity thief but may limit your financial liability.

As you monitor your credit report and financial accounts, keep an eye out for the following possible signs of identity theft:

  • Incorrect personal and account information on your credit report, including suspicious credit inquiries
  • Money that is missing from your bank account, no matter how small the amount
  • Missing bills or other mail from financial institutions and credit card companies

 

CONSIDER A FRAUD ALERT AND/OR SECURITY FREEZE IF NECESSARY

If you discover that your personal and/or financial information has been exposed to identity theft, you should consider placing a fraud alert and/or security freeze on your credit report.

A fraud alert requires creditors to take extra steps to verify your identity before extending credit in your name. When this was written an initial fraud alert lasted 90 days and could be renewed; under federal law passed in 2018, an initial alert now lasts one year (an extended fraud alert that lasts seven years remains available to identity theft victims who have filed a police or FTC identity theft report). To request a fraud alert, you only have to contact one of the three major credit reporting agencies, and the information will be passed along to the other two.

A security freeze prevents new credit and accounts from being opened in your name. Once you obtain a security freeze, creditors won't be allowed to access your credit report and therefore cannot offer new credit. This helps prevent identity thieves from applying for credit or opening fraudulent accounts in your name. Keep in mind that if you want to apply for credit with a new financial institution in the future, open a new bank account, or even apply for a job or rent an apartment, you will need to temporarily "lift" or "thaw" the freeze. In addition, you must contact each credit reporting agency separately to place a security freeze on your credit report; since September 2018, placing and lifting a freeze is free at all three agencies.

 

MAINTAIN STRONG PASSWORDS

Most of us have a large amount of personal and financial information that's readily accessible through the Internet, in most cases protected by nothing more than a username and password.

A strong password is, above all, long: at least eight characters is the minimum most sites enforce, and longer is better. Prefer a randomly generated string from a password manager, or a passphrase of several randomly chosen words, over a short mix of letters, numbers, and symbols. Avoid dictionary words and personal information such as your name and address. Also create a separate and unique password for each account or website you use, and change a password promptly when a site reports a breach rather than on a fixed schedule.

If you have trouble keeping track of all your password information or you want an extra level of password protection, consider using password management software. Password manager programs generate strong, unique passwords that you control through a single master password.

 

STAY ONE STEP AHEAD

The best way to avoid becoming the victim of identity theft is to stay one step ahead of the identity thieves. Here are some extra precautions you can take to help protect your sensitive data:

  • Consider using two-step authentication. Two-step authentication, which requires a one-time code (from an authenticator app, or sent by text or email) along with your password, provides another layer of protection for your information. Prefer an authenticator app or a hardware security key where the site offers one: text and email codes can be intercepted by an attacker who takes over your phone number or mailbox.
  • Think twice before clicking. Beware of emails containing links or asking for personal information. Never click on a link in an email or text unless you know the sender and have a clear idea where the link will take you.
  • Search with purpose. Typing one word into a search engine to reach a particular website is easy, but it sometimes isn't enough to reach the site you are actually looking for. Scam websites may look nearly identical to the one you are searching for. Pay attention to the URL, which may be intentionally misspelled, shortened, or padded with extra words to trick you.

  • Be careful when you shop. When shopping online, look for the lock symbol in the address bar and the letters https: (as opposed to http:) at the start of the URL; that means your connection to the site is encrypted. Be cautious on public Wi-Fi: an https connection still protects what you send, but a rogue hotspot can steer you to a look-alike site, so avoid shopping or banking on networks you don't control.

  • Beware of robocalls. Criminals often use robocalls to collect consumers' personal information and/or conduct various scams. Newer "spoofing" technology displays fake numbers to make it look as though calls are local, rather than coming from overseas. Don't answer calls when you don't recognize the phone number. If you mistakenly pick up an unwanted robocall, just hang up.
  • Be on the lookout for tax-related identity theft. Tax-related identity theft occurs when someone uses your Social Security number to claim a fraudulent tax refund. You may not even realize you've been the victim of identity theft until you file your tax return and discover that a return has already been filed using your Social Security number, or the IRS sends you a letter indicating it has identified a suspicious return using your Social Security number. If you believe that you are the victim of tax-related identity theft, contact the Internal Revenue Service at irs.gov.

Because of the amount of paperwork and steps involved, fixing a credit report error can be a time-consuming and emotionally draining process. If at any time you believe your credit reporting rights have been violated, you can file a complaint with the Consumer Financial Protection Bureau (CFPB) at consumerfinance.gov.

Remember that the IRS will never contact you by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media. If you get an email claiming to be from the IRS, don't respond or click any links; instead, forward it to phishing@irs.gov.

What happens to our stolen information after a cyber breach?

After a cyber breach, we tend to think in terms of what the victim needs to do next. Can any of the stolen data be protected after the fact? What can the victim do to secure confidential information going forward? But for a change, let’s talk about the crime from the cyber thief’s point of view. What does the crook do with our data once he or she has stolen it? 

 

THE GOING RATES ON THE BLACK MARKET

First, cyber criminals use our stolen information for individual gain, opening lines of credit with our social security numbers or draining our bank accounts. They also look to make still more money by selling our information. In fact, there’s a vast and complex underground marketplace where our stolen information is offered for sale.

The table below shows what crooks can get on the cyber black market for commonly stolen confidential data.                  

 

TYPE OF DATA STOLEN                                              AVERAGE PRICE
Social security numbers                                          $30 each*
Credit card information (card number, expiration date, CVV)      $4–$8 each*
Bundle of 100 credit cards                                       $150**
Physical credit cards with stripe or chip data                   $12 each*
Health insurance credentials                                     $20 each*
Bank, PayPal, or other financial account credentials or numbers  Depends on the account balance

*Source: Bankrate
**Source: The Guardian

 

On their own, stolen pieces of credit card information command relatively low prices. That’s because thieves can’t do much damage, for example, with numbers alone; they also need to have names or billing addresses associated with the numbers. So it’s no wonder that hackers look to make big scores by breaching the websites of major corporations from which they can steal thousands of pieces of information and turn a large profit by selling bundles of credit card numbers and associated data. 

Prepaid cards and gift cards. Hackers also use our account information to purchase prepaid cards. They then sell the cards on the black market—in addition to actual account information—which makes for a bigger hacker payday. Other tactics include using credit card information to buy gift cards. The crooks then purchase expensive electronics or other goods with the cards and sell them at discounted prices to people who don’t care where the products came from because they’re getting “such a great deal.”

Bank and PayPal accounts. As for the going rates on bank account or PayPal credentials, it all depends on the bank account balance. Some hacker marketplaces sell phished PayPal credentials for a price much smaller than the account balance. The buyer purchases the stolen login ID and password from the hacker for a fee and then is free to do what he or she wants with the information.

Medical ID information. Health insurance credentials are worth even more than credit card numbers on the cyber black market because thieves can use the data to wreak greater financial damage. With stolen medical ID information, a criminal can pretend that he or she is someone else and obtain a host of expensive medical services under the real customer’s name. For example, such criminals could spend beyond an actual patient’s benefit limit so that, when the patient needs medical services, he or she would have to pay for those services out of pocket.  

 

THE DEEP WEB—WHERE THE STOLEN INFORMATION IS SOLD

The Deep Web is the part of the World Wide Web that search engines like Google or Bing do not index. The corner of it where these markets operate is more precisely called the dark web: sites reached only through anonymity networks such as Tor, usually via a purpose-built browser or a privacy-focused operating system. That anonymity masks the identity of thieves and of those willing to purchase stolen information, keeping both largely off the radar of law enforcement. Dark web underground markets are awash in counterfeit documents, stolen credit card data, hacker software, financial account information, and almost anything else a criminal could dream of.

 

PROTECTING YOURSELF

Although anyone can be a victim of a major data breach—which makes it difficult for you to stop your information from getting out there—following some cyber security best practices can help keep your information secure even if it is stolen: 

  • Enable multifactor authentication (MFA) on your online accounts. With MFA, after you submit your username and password you are prompted for a second factor: a one-time code from an authenticator app, a code sent by text message, or a tap on a hardware security key. That way, if your password is compromised, a hacker still won't be able to access your account without that second factor. An authenticator app or hardware key is the stronger choice, since text-message codes can be captured by an attacker who takes over your phone number. (Password managers come in handy here too, keeping all your passwords organized so you won't have to worry about remembering them.)
  • Enroll in identity protection services and keep close tabs on your credit reports.
  • Audit your medical and insurance statements regularly. By doing so, you at least can keep tabs of any changes. If something isn’t right, you can contact your health insurer and perhaps at least minimize any misuse of your information. 

 

Questions?

If you have any questions about the information shared here, please feel free to contact us.