Tag Archives: Password
Dumpster diving. A huge trove of data spilled onto the web and has been helpfully uploaded to HaveIBeenPwned, a leaked password-checking database for consumers, by security researcher Troy Hunt, the site’s proprietor. The leak, dubbed “Collection #1,” contains nearly 773 million unique email addresses and more than 21 million unique passwords—making it Hunt’s largest-ever upload. It’s unclear where exactly the data originated, although the anonymous person(s) who posted them online claim they came from many different sources. Best use the opportunity to clean up your password hygiene.
Be yourself. Facebook is still combatting disinformation. Nathaniel Gleicher, Facebook’s head of cybersecurity policy, said the media giant booted two Russian operations—including one involving Sputnik, a Moscow-based news agency—off Facebook and Instagram on Thursday. Facebook suspended hundreds of accounts and pages that he said engaged in “coordinated inauthentic behavior.” He noted that the fight against fakers is “an ongoing challenge.”
Chinese finger trap. Federal prosecutors are probing Huawei for allegedly stealing intellectual property from U.S. companies, including components from a T-Mobile phone-testing robot called “Tappy,” reports the Wall Street Journal. The investigation is “at an advanced stage and could lead to an indictment soon,” the Journal’s unnamed sources said. Add this development to the mess of controversies entangling the Chinese company.
Demand a recount. The Financial Times said it discovered evidence of “huge fraud” in the Democratic Republic of Congo’s December presidential election. The paper claims that its own independent tally of votes, based on data leaked by an unnamed source close to Martin Fayulu, the contest’s loser (but actual winner?), exposes the fraud. The report corroborates the view of the Catholic Church, which earlier denounced the election’s “results” after conducting its own audit.
Look; don’t touch. A California judge recently ruled that police officers are not authorized, even in possession of a search warrant, to force suspects to unlock their phones using biometrics, like a fingerprint or facial scan, Forbes reports. Judges had already ruled that passcodes were protected against such coercion, meaning people could refuse to supply them, thereby preventing self-incrimination. The judge, who called the original law enforcement request “overbroad,” wrote, “If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.”
Your passwords are a first line of defense against many internet ills, but few people actually treat them that way: Whether it’s leaning on lazy Star Wars references or repeating across all of your accounts—or both—everyone is guilty of multiple password sins. But while they’re an imperfect security solution to begin with, putting in your best effort will provide an immediate security boost.
Don’t think of the following tips as suggestions. Think of them as essentials, as important to your daily life as brushing your teeth or eating your vegetables. (Also, eat more vegetables.)
1. Use a password manager. A good password manager, like 1Password or LastPass, creates strong, unique passwords for all of your accounts. That means that if one of your passwords does get caught up in a data breach, criminals won’t have the keys to the rest of your online services. The best ones sync across desktop and mobile, and have autocomplete powers. Now, rather than having to memorize dozens of meticulously crafted passwords, you just have to remember one master key. How do you make it as robust as possible? Read on.
2. Go long. Despite what all those prompts for unique characters and uppercase letters might have you believe, length matters more than complexity. Once you get into the 12-15 character range, it becomes way harder for a hacker to brute force, much less guess, your password. One caveat: Don’t just string together pop culture references or use simple patterns. Mix it up! Live a little! A quick for instance: “[email protected]$” does you way less favors than “chitown banana skinnydip.”
3. Keep ’em separated. If and when you do deploy those special characters—which, if you opt against a password manager, lots of input fields will force you to—try not to bunch them all together at the beginning or end. That’s what everyone else does, which means that’s what bad guys are looking for. Instead, space them out throughout your password to make the guesswork extra tricky.
4. Don’t change a thing. You know how your corporate IT manager keeps making you change your password every three months? Your corporate IT manager is wrong. The less often you change your password, the less likely you are to forget it, or to fall into patterns—like just changing a number at the end each time—that make them easier to crack.
5. Single-serve only. If you’re on the password manager train, you’re already all over this. But if you can’t be bothered, at the very least make sure that you don’t reuse passwords across different accounts. If you do, a retailer breach you have no control over could end up costing your banking password. See for yourself: The website Have I Been Pwned has nearly 5 billion compromised accounts on file—if yours is one of them, there’s a chance your favorite password might already be toast.
6. Don’t trust your browser. A convenient shortcut to remembering all those passwords, or getting a paid password manager account, is letting your browser remember them for you. You’ve seen the option yourself. You probably even use it on at least one site. Don’t! The option is convenient, but the underpinning security is often undocumented, and it doesn’t require that your password actually be, you know, good. If you need a free and easy option, go with a password manager like Dashlane instead of trusting everything to Chrome.
7. Add two-factor too. Hate to say it, but these days not even a password is enough. Many of the services you use today—social networks, banks, Google, and so on—offer an added layer of protection. It can come in the form of a code sent to your phone via SMS, or if you want to step it up, through software solutions like Google Authenticator or hardware like a YubiKey. SMS should be enough for most people; just know that like many entry level security precautions, it’s not perfect.
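To put numbers behind tip 2 ("length matters more than complexity") and its caveat about stringing plain words together, here is an added estimator that is not part of the original article. It measures a password two ways: the search space a blind character-by-character brute force faces, and the much smaller space an attacker searches if they guess whole dictionary words instead. The guess rate and the 50,000-word dictionary size are constructed assumptions, and "P@ssw0rd!" is a constructed sample password.

```python
import math
import string

# Assumed offline guess rate for the time estimates (a constructed figure; real
# rates vary with hash algorithm and hardware by many orders of magnitude).
GUESSES_PER_SECOND = 1e10

# Character classes and their sizes: a blind brute force must include a whole
# class once any member of it appears in the password.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
    ({" "}, 1),
)

def charset_size(password: str) -> int:
    """Alphabet size the attacker must search, given the classes present."""
    return sum(n for members, n in CLASSES if any(c in members for c in password))

def char_model_bits(password: str) -> float:
    """Search space in bits for a blind, character-by-character brute force.
    An upper bound: it ignores predictable substitutions like 'P@ssw0rd'."""
    return len(password) * math.log2(charset_size(password))

def word_model_bits(password: str, dictionary_size: int = 50_000) -> float:
    """Search space in bits if each space-separated token is guessed as an entry
    of an assumed word list; the reason tip 2 says not to just string words together."""
    return len(password.split()) * math.log2(dictionary_size)

def expected_crack_years(bits: float) -> float:
    """Expected time to hit the password (half the space) at the assumed rate."""
    return (2 ** bits / 2) / GUESSES_PER_SECOND / (365 * 24 * 3600)

def compare(password: str) -> dict:
    """Both estimates for one password, in bits and in years at the assumed rate."""
    cb, wb = char_model_bits(password), word_model_bits(password)
    return {"char_bits": cb, "char_years": expected_crack_years(cb),
            "word_bits": wb, "word_years": expected_crack_years(wb)}

if __name__ == "__main__":
    # Constructed samples: a short "complex" password vs. the passphrase from tip 2.
    for pw in ("P@ssw0rd!", "chitown banana skinnydip"):
        r = compare(pw)
        print(f"{pw!r}: {len(pw)} chars; char model {r['char_bits']:.1f} bits "
              f"(~{r['char_years']:.1e} years); word model {r['word_bits']:.1f} bits "
              f"(~{r['word_years']:.1e} years)")
```

Under the character model the 24-character passphrase comes out near 114 bits against about 59 for the 9-character mix, which is the article's point; under the word model three common words drop to roughly 47 bits, which is why the article tells you to mix it up rather than rely on words alone.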
Activist? Journalist? Politician? Consider Yourself a Target: Start by encrypting everything, sign up for Google Advanced Protection, take a tour of Tor, and deploy physical measures to increase your digital security.