
Using strong passwords and keeping your online self secure

Earlier today, eBay issued a press release letting users know that a cyberattack "compromised a database containing encrypted passwords and other non-financial data." Users will be asked to change their passwords just in case, though they noted that eBay "has seen no indication of increased fraudulent account activity." This is sadly just one of many attacks recently, and something that won't be going away anytime soon, if ever.

Attacks like this are nothing new; over the years plenty of big-name sites have fallen victim to similar cyberattacks. Retail chain Target has been all over the news lately, and there are also vulnerabilities like the recent Heartbleed bug that affected Google, Facebook, Yahoo and dozens of other sites.

As we go further and further, putting more and more of our personal information and lives online, it's even more important to keep that data safe. Your personal life (and data) is strewn out across the web in more places than you really know, so keeping what you can private and safe is more important now than ever before. At Mobile Nations we've always been big on security and keeping yourself protected online, but what are you really doing to make that happen?

Hack me once, shame on me

I was never big on passwords. In fact, the two passwords I used for everything were ones that were given to me by my original ISP nearly 20 years ago. I memorized them at the time and, since they were a random jumble of letters and numbers, I didn't give much thought to using anything else for any site. These were my go-to passwords, one I used more than the other, but I never considered just how bad a practice this was until the day I almost lost my Gmail account.

A few years back I woke up to a slew of password verification notes from Google, and I instantly dove into a panic. I scrambled to log in to my account with no luck. After a few hours of work, I managed to reclaim my account. I noticed that all of my account info had been changed by the hacker, and that the sent spam messages numbered in the hundreds. I then realized that if finding my password here was this easy, I was extremely lucky it wasn't used on the many other sites that all shared the same password.

It was then that I started using a password manager and spent the next few days making sure my passwords were different across all of the sites I frequented. I only had to remember my master password, which I made so long it took me over a week to memorize. Since then I've had no issues with hacking and I've been sleeping soundly knowing that my online life is (mostly) safe.

Two-factor Authentication

Recently I've taken things a step further by enabling two-factor authentication (also called two-step verification) wherever it's available. I use it now across all of my Google accounts as well as other services like Facebook, Twitter and Dropbox. Two-factor authentication adds an extra layer of security to your accounts, requiring you to enter a one-time code provided either by an app (like Google Authenticator) or by text message. This ensures that only you can get into the account, even if someone else has your password.

Password Managers

The best bet for keeping your passwords secure, while also keeping them organized, is a good password manager. There are a few options available depending on your platform, but all are great choices and offer value far beyond writing all of your passwords down in a "safe place".

Strong Passwords!

If you're not up to using two-factor authentication or a password manager — at least use a strong password. Mix up numbers, lowercase letters, capital letters and special characters. The longer the better. And never use the same password twice: if a hacker does track down one of your passwords, the last thing you want is for them to have access to all of your accounts just because you used the same password across the board. Steer clear of passwords like your kid's name, birthday, anniversary, "1234567", or the ever-popular "password". Apps like LastPass even offer a secure password generator so you don't have to do any thinking on the matter.
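To put numbers on "the longer the better", here is an added example (not the article's code, and not how LastPass's generator works): a generator that draws from all four character classes using the operating system's secure random source, an entropy estimate that shows how each extra character multiplies the brute-force cost, and a checker for the mistakes listed above. It goes one step beyond the section by also catching a common word dressed up with symbol swaps, which attackers' word lists already include. The 12-character and three-class thresholds, the guess rate and the tiny word list are all assumptions for the demo.

```python
import math
import secrets
import string

# Constructed stand-in for a leaked/common-password list; a real checker loads a large one.
COMMON_WORDS = {"password", "1234567", "12345678", "qwerty", "letmein", "shout", "welcome"}

# The usual "disguise" substitutions ($#0ut for shout), undone before the word-list lookup.
LEET_MAP = str.maketrans({"$": "s", "#": "h", "0": "o", "@": "a", "3": "e", "!": "i"})

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def classes_used(pw):
    """Names of the character classes that actually appear in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]


def generate_password(length=16):
    """Random password over all four classes using the OS CSPRNG (never the `random` module),
    resampled until every class is present so it satisfies the mix-it-up rule."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if len(classes_used(pw)) == len(CLASSES):
            return pw


def entropy_bits(pw):
    """Brute-force bound for a *random* password: length * log2(alphabet size), where the
    alphabet is the union of the classes present. Meaningless for dictionary words."""
    pool = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def years_to_brute_force(pw, guesses_per_second=1e10):
    """Expected time to hit a random password (half the keyspace) at the given guess rate.
    The rate is the attacker's, and swings by orders of magnitude with the site's hash."""
    return 2 ** (entropy_bits(pw) - 1) / guesses_per_second / (365 * 24 * 3600)


def check_password(pw):
    """Return the problems found (an empty list means no obvious weakness)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if len(classes_used(pw)) < 3:
        problems.append("fewer than three character classes")
    # Strip a trailing counter ("...01") and undo symbol swaps so the word underneath shows.
    base = pw.lower().rstrip(string.digits).translate(LEET_MAP)
    if base in COMMON_WORDS or pw.lower() in COMMON_WORDS:
        problems.append("common word, with or without substitutions")
    return problems
```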

Are you using a password manager to cover your bases? What are some of your favorite tips for staying secure? Hit up the comments and let us know!


Reader comments

80 Comments

I was a doubter until I tried it, now I swear by it. The best part about LastPass is that it is on everything I use daily.

I use LastPass. I am also a subscriber for it. $12 a YEAR for really good service. I was a long time user already, and recently got the subscription. For me, it's worth it. I'm on LastPass like every day.

Did this article have anything to do with me asking if wpcentral had ever written an article on security apps? ;) probably not. #eBay article

I mostly use two-way authentication and app password security in some apps like Tumblr and Facebook. I think, Adam, you should mention it too.

Most store data using encryption that never leaves your computer.  So LastPass could get hacked all day long and the hacker wouldn't get anything useful from them as long as you've used a secure master password.

Use numbers, but not by replacing E with 3 or things like that. Also, in the case of MD5, you can check if it's already decrypted. For example, 1q2w3e4r can be easily decrypted.

This is quite funny, I've just been switching to LastPass over the last few hours. Looks to be a great and very secure service for just a buck a month!

Tried LastPass...wasn't impressed. I've been using Password Padlock. It's available on WP and Win8. In addition, you can upload an encrypted file to your OneDrive with your password info, and download it, so it makes synchronizing the WP and Win8 apps easy. Also, it can create passwords for you, though it seems to only use 6 characters, so you have the option of adding to it.

Yes, that's why I won't use one. It's safer just to write your passwords on a piece of paper and keep it in a safe place (like in a safe with your passport).

No, I just refer to it if I forget a password. There's some sites I don't access that frequently.

I see your point, but how do you remember a unique (strong) password for each and every website / credit card / phone bill / blog / forum / computer login /  etc.?

The point behind a password keeper is to store each unique password in an encrypted file. This is because you should NEVER use the same password twice. For example, I have over 15 passwords just for my work place alone, and countless for my personal life. If I use the same password for all of them (or even most of them) I'm putting the entire works at risk of one successful hack.

If each password is unique there would be no way I could ever remember them all, and although I do print out a list and keep it in my safe with my passport, this is useless to me when I'm away from home. Hence the password keeper.

Would you rather one successful hack giving up the password that you use on 10 different sites, or the password used on only the site that was hacked?

There is no such thing as secure, period. All you can do is minimize the security threat. A password keeper is one way to do this.

Create a very strong master password that only you would know and can remember. Don't use your master password anywhere else, and then lock the rest of your UNIQUE passwords in a password keeper.

This way if one of your passwords is found out by someone hacking an online database, they can't open up your entire life. Since you only keep your master password in your head (with a backup copy in a safe if you're the forgetful type), no one can hack your master password.

That's why I first used hashapass.com and later created the hashapass app for Windows Phone. It generates, but does not store, a strong password based on a parameter and a master password. All you need to remember is a parameter (e.g. the name of the system/service) and the master password. Given those, hashapass generates a password for you. Works for me.

I use LastPass and have two-factor authentication activated. Without my phone, no one can get in. Allegedly.

The big word here is "if". Yes, IF it gets hacked, and "if" they could decrypt your database file, they would have all of your passwords. But it is more likely they would hack some other website to get your password, then use that password to unlock the other sites you used the same password on.

Which option is more likely to betray you?

Well, let's see...

If you use the same password on one site that gets hacked, and on... your bank account for example, the hacker now has access to your bank account without having to hack the much higher security bank.

It's hard to explain using text alone. All I can tell you is there is no perfect solution, all you can do is reduce the chances of some random site leaking a password that gives the hacker access to the rest of your life.

The best way to do this is to not use the same password more than once... ever. If you follow this advice, you'll quickly realize that you have hundreds of unique passwords, and you'll need a way to keep track of them all. Hence a password manager. Used correctly, a password manager is quite secure. Certainly more secure than some random website you gave your password to.

I've been using Roboform for years and it works great. And even though this article says it's only Android and iOS, there is a WP app also.

Having the strongest passwords possible won't prevent you from what happened with ebay - the hackers just downloaded the whole list. The best protection is changing your passwords more often.

It's not entirely true.  The hackers have the encrypted password list.  Your password strength (or more specifically, your password length) will help determine whether or not your password can be retrieved from that.

Longer, more random passwords are much harder to crack.

Most password discovery is done by utilizing word and leaked password lists, and combinations thereof.  The longer and more random your password the better, because if a password is truly random the only way to crack it is brute force -- no password list is going to be effective.  12 characters of truly random characters like KBn1ZNukij7o is effectively impossible to crack, as brute forcing (even on the fastest computers) would take millions or billions of years.

Changing passwords frequently basically does nothing for security unless hackers are using an old leaked password database (which they don't).  Most security experts are recommending that sites NOT enforce frequent changes these days because it just causes people to use passwords which are easier to remember, and are therefore inherently insecure.   Learning to remember KBn1ZNukij7o as your password one time is far more secure than using MyPassword01, MyPassword02, MyPassword03, etc. no matter how often you are forced to change that password.

The only cases where changing a password helps is when users have shared passwords with others, or a database has leaked.  Otherwise it's actually a bad idea to ask users to change their passwords since it encourages people to create passwords which are predictable.

The only things that matter with passwords are length and randomness.

Read these articles for a little more insight... 

http://arstechnica.com/business/2011/10/when-passwords-attack-the-proble...

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-ou...

LastPass all the way. Added a YubiKey and I'm super secure now. Last I checked, the security rating test that LastPass can perform on your account had me in the 97th percentile. LastPass is a great tool.

I use LastPass, too, with the authenticator app. It's kind of quirky sometimes, but works for me (I don't use the Metro version of IE). And for $10 a year, the price isn't bad, so I pay it so I can use the mobile app.

I wish Lastpass would just integrate with IE11 Desktop and Metro version. Makes my life across devices secure and hassle free.

Trouble with that (and I can see why you would want it) is that it's a plugin.

Plugins=bad

No more flash. No more Silverlight. No more ActiveX. No more Java VM.

They must all die, and the web must be clean and beautiful and HTML5 only. We will never have a fast loading web agnostic across devices without that.

Metro IE is beautiful, and I am using it to type this. It's free of any cr*p around the screen. It's fast, and so far more reliable than IE desktop or Chrome (I can kill Chrome with only 8 to 9 *cough* webcams open ;) and you all know what I mean). Viva la plugin-free web.

I don't want it as a plugin. I meant Lastpass be bought and just become a functionality of IE itself. (Integrate with IE completely).

I don't mind losing the Lastpass name, as long as I have the same service then I'm happy.

Well the alternative is remembering passwords yourself.

You shouldn't ever trust the password storage features of browsers.  It's trivial to get past it in every browser today.  (That's why new browser installers and password manager plugins can import the passwords you've stored in your browsers.)

I have a lot more faith in the plugins.  At least they're using industry standard encryption technologies.

Yeah I do this for certain accounts. But adding an extra layer by encrypting it which I decipher using my mind. Not the most secure but better than having it out in the cloud.

I'm pretty happy with LastPass. Signed up last fall after Dan showed me how awesome it was on our flight to Abu Dhabi.

Two-factor authentication adds an extra layer of security to your accounts, requiring you to enter a code provided either in an app (like Google Authenticator) or as a text message.

There is also a native WP8 app in the store that works with the services listed as well.

The sad part is now that we have all these apps on our phones, it's an absolute PITA to type a reasonably secure password.

Some things that I do are replace the letter s with $, H with #, o with 0, a with @, and other things. Also, like always mentioned, capital letters and numbers in the mix.

They are already on to this. Read an article on Ars Technica where they showed how easily a dictionary attack can break through these kinds of tricks. If the stolen database is only hashed with MD5 they can try millions if not billions of passwords, including such letter swaps, in a few hours.

If you use a common word like shout ($#0ut) then yes it could be easy to break. But if you use multiple random words with capital letters, special symbols, numbers, lower case letters then it won't be so easy for them to guess.

The advice I give to people is to take a word they find easy to remember, replace the vowels with numbers and add two symbols which they find easy to remember and insert them into a pattern. Then take another symbol which they also find easy to remember and place that at the beginning, middle and end of the word. Write this down, memorize it, and once confident it's memorized, shred the paper with other rubbish.
Personally I use capital letters and spaces as well in a mixture; unfortunately, though, some websites don't accept symbols, spaces or capital letters.

Awww crap lol,

Edit: thanks for the link... I guess I need to come up with something else now T_T and will keep that to myself.

Should we be worried if apps sync our password data with SkyDrive? What if the information is intercepted while syncing with any online drive? Also, isn't it pretty much a "trust us" sort of thing with the devs, if these apps do not have a back door into our info?

Remarkable that there are so many LastPass advocates when LastPass was among the most prominent that was affected by HeartBleed.

Change strong passwords periodically as previously mentioned is the best strategy. 

Where did you get that information?  LastPass data is encrypted in such a way that not even they can decrypt it -- they don't have access to the decryption key.  Everything is decrypted locally using a key that is based on your username and master password.  Since they don't ever store (or even transmit) your master password, even they don't ever have a way to decrypt the data.  HeartBleed would have had no effect on your data with them whatsoever.  So even though they did use a vulnerable version of OpenSSL, anything that might have leaked would be completely useless.  It would just be random garbage to anyone without your username and master password, assuming of course that enough of that data had been seized, recognized, and pieced together in the first place before attempting decryption.

To the contrary, they have been one of the more proactive sites about finding and notifying of HeartBleed issues. They've even set up a site (https://lastpass.com/heartbleed/) to help you know if your password needs to be changed based on the HeartBleed aftermath.

They made a pretty comprehensive post on their blog about it...

http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html 
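The design this comment describes (the vault key is derived locally from the username and master password, and the server only ever holds something it can verify) can be sketched in a few lines. The block below is an added illustration, not LastPass's code: it is a simplified model of that description, the PBKDF2 parameters and the second one-way step are assumptions, the sample account is constructed, and the vault ciphertext is a placeholder (a real client would encrypt the vault with AES-GCM under the vault key before uploading it).

```python
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # assumed PBKDF2 work factor for this illustration


def vault_key(username, master_password):
    """Derived on the client only. The username is the salt, so two people with the same
    master password still get different keys. This key encrypts the vault locally."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), ROUNDS)


def login_hash(username, master_password):
    """The only secret the client ever sends: one extra one-way step over the vault key.
    The server can check it, but cannot run it backwards to recover vault_key."""
    key = vault_key(username, master_password)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)


class VaultServer:
    """Holds a salted hash of the login hash plus the opaque encrypted vault. It never
    sees the master password or the vault key, so a database breach (or a Heartbleed-style
    memory leak of what was transmitted) yields nothing that decrypts the vault."""

    def __init__(self):
        self.records = {}

    def register(self, username, login_h, encrypted_vault):
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_h, salt, ROUNDS)
        self.records[username] = {"salt": salt, "hash": stored, "vault": encrypted_vault}

    def fetch_vault(self, username, login_h):
        """Return the encrypted blob only if the login hash verifies (constant-time compare)."""
        rec = self.records.get(username)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", login_h, rec["salt"], ROUNDS)
        return rec["vault"] if hmac.compare_digest(candidate, rec["hash"]) else None


def server_record_contains(server, username, secret):
    """Does anything the server stores for this user equal or contain `secret`?
    Used to show that a dump of the records holds neither the master password nor the key."""
    rec = server.records[username]
    return any(secret == value or secret in value for value in rec.values())
```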

I started using LastPass a few weeks ago, and I like it well enough.  One thing I don't understand is that it is free via the web and Windows 8 App, but they charge for the Windows Phone App, which is much less functional.  I don't get that at all.

Does Microsoft have two step verification with just using cell phone and not the long digit password?

I copy and paste from Lastpass in my WP. I can't even tell you what the majority of my passwords are as Lastpass auto generated for me

RoboForm is available on a lot more than you list lol
I used to use it and loved the 'to go' feature (USB key).
I switched to LastPass because at the time RoboForm lacked a Windows Phone / modern app, and I can't be arsed to switch back now they do.
So, that makes it x86, modern, Windows Phone, Android, iOS just off the top of my head.

What good are strong passwords if businesses keep leaving the back door unlocked so hackers can swoop in and steal the databases? Back when, guessing passwords was an art. Now it's easier to just lift the whole file. Less work, better return. This can only be solved with bullets. You know what they did to horse thieves in the wild, wild west. We need some of that to stop this thievery.

LastPass is the big kahuna and very secure. LastPass Enterprise is even better, with real SSO, shared folders of sites to share across teams of users within the same company or even to external groups, and SAML capabilities for integrating with cloud services like Office 365, SalesForce, DropBox, Box, etc. Additionally, it has extremely granular policy-based controls for true administration across every browser, every PC, every Mac, and every mobile device. Finally, it can integrate with Active Directory, so disabling a user means automatically blocking access to every single site, product, etc. across all computers and mobile devices. It's an admin's dream, really. This is not to speak of the secure note capabilities, credit card storage, and work/business/other profiles that can fill forms including those credit card numbers. Try it out, you won't be disappointed. I've used the personal product for many years and the company I own now deploys the enterprise product across our client base. It's good for you, America! :-)