If your password has recently been compromised, you are not alone.
The number of password attacks has risen to an estimated 921 per second. According to the most recent Microsoft Digital Defense Report, this represents a 74% increase in one year.
Big technology companies like Microsoft would like to see the end of passwords, and they've been making changes to prepare for an online future that is less reliant on the vulnerable security step.
Microsoft users can already gain secure access to Windows, Xbox, and Microsoft 365 without entering a password using apps like Microsoft Authenticator and technologies such as fingerprint or facial recognition. However, many people still rely on passwords and do not use the two-factor authentication that is now considered essential.
“As long as passwords are still part of the equation, they’re vulnerable,” Joy Chik, Microsoft’s vice president of identity, wrote in a September 2021 company blog post.
Here are some precautions to take.
Change identical usernames and passwords on key accounts first, and quickly
Many people use the same username and password across accounts for convenience, but this puts their information at significant risk of being compromised. According to the Microsoft report, approximately 20% of more than 39 million IoT and OT devices used identical usernames and passwords.
If you fall into this category, now is the time to act. Start with the most serious threats first, such as email, financial, health care, and social media sites, according to Chris Pierson, founder and CEO of BlackCloak, a cybersecurity firm that specializes in preventing targeted attacks on company employees and executives.
According to him, telling someone who has many identical website logins and passwords to change them all at once is akin to telling them to lose 50 pounds by running 20 miles a day and going cold turkey on sweets. A more manageable first step would be a daily 15-minute walk around the block and minor dietary changes. The same is true for password protection, according to Pierson. "Do not change every password you have. Concentrate on the accounts with the highest risk and damage."
Encrypt your data with a password manager
Security experts recommend using a secure password manager such as 1Password or KeePass to keep track of passwords safely and efficiently. The user only needs to remember one long, strong password, and the manager keeps the others encrypted. Password managers can also be used to generate secure, randomly generated passwords that are extremely difficult to crack. Password managers generally do a good job of protecting customer data, according to Justin Cappos, an associate professor at NYU Tandon School of Engineering whose research interests include cybersecurity and data privacy.
If you are not going to use random password generation, choose strong passwords
While randomly generated passwords are a best practice, not everyone prefers them, so at the very least, use credentials that cannot be easily hacked. For example, you could string together four random words like sun, water, computer, and chair for one account and another set of four words for another, according to Roy Zur, founder and CEO of cybersecurity training company ThriveDX.
According to Security.org, a website that reviews security products, the phrase "moneycashcheckbank" would take a computer about 23 million years to crack. According to the website, the password "jesus" could be cracked instantly, while the same word with a capital "J" could be cracked in about 9 milliseconds.
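Crack-time figures like these depend on what the attacker is assumed to try. The Python sketch below is an added example, not from the article or from Security.org: it draws a four-word passphrase with a cryptographic random source and compares two strength estimates. The 16-word list is constructed for illustration and the function names are this example's own; 7,776 is the size of a standard diceware-style list.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the block runs offline. Real use needs a
# large published list (for example a 7,776-word diceware list).
SAMPLE_WORDS = ["sun", "water", "computer", "chair", "river", "lamp", "cloud",
                "pencil", "garden", "window", "bridge", "candle", "forest",
                "marble", "pillow", "rocket"]

def make_passphrase(words, count=4, sep="-"):
    """Pick each word with the OS CSPRNG; random.choice() is not suitable."""
    return sep.join(secrets.choice(words) for _ in range(count))

def wordlist_bits(list_size, count):
    """Entropy if the attacker knows the word list and the number of words."""
    return count * math.log2(list_size)

def charset_bits(password):
    """Upper bound: attacker tries every string over the character classes used."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0

if __name__ == "__main__":
    print("sample passphrase:", make_passphrase(SAMPLE_WORDS))
    for pw in ("jesus", "Jesus", "moneycashcheckbank"):
        print(f"{pw!r}: {charset_bits(pw):.1f} bits by character count")
    # The same 18-letter phrase, modelled as four words from a 7,776-word list:
    print(f"four list words: {wordlist_bits(7776, 4):.1f} bits")
```

The character-count estimate is an upper bound: a phrase built from common, related words is only as strong as the word-list figure if the words were picked at random, which is why the generator uses `secrets` rather than human choice.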
Turn on multi-factor authentication
Some services, such as Apple Pay, require this extra layer of account security. Even if a provider does not require it, security professionals believe that multi-factor authentication is a valuable security tool that is underutilized.
The goal of multi-factor authentication, which requires two or more pieces of identifying information, is to make it more difficult for criminals to gain access to your accounts. "Hackers target the weakest link," Zur explained, "and your role is not to be the weakest link."
When possible, Cappos recommends using an app like Google Authenticator or a hardware token like a YubiKey instead of SMS for these purposes. This is because SMS is vulnerable to SIM swapping and other hacks. "It's not difficult for a determined hacker to circumvent SMS," he said.
Google Voice e-commerce scam demonstrates why you should never share your password
According to the Identity Theft Resource Center's 2022 Business Impact Report, this is a problem that occurs far too frequently. When asked what caused an account takeover, 45% of businesses said someone clicked on a phishing link or shared account credentials with someone posing as a friend; 29% said someone shared account credentials with a hacker posing as a potential customer, vendor, or prospect.
“Passwords are like gum. People shouldn’t share,” Cappos said.
Similarly, never give out a one-time code — even if scammers make the reason for sharing appear legitimate, according to Eva Velasquez, president and CEO of the Identity Theft Resource Center.
One growing scam involves fraudsters posing as interested buyers on online marketplaces. They instruct a seller to read a one-time code allegedly sent by the buyer, often with the stated goal of "verifying the seller's identity and legitimacy," which lures victims in, according to Velasquez. In reality, it's a method for hackers to set up a Google Voice account using the seller's phone number. This enables scammers to conduct other scams using a Google Voice number that cannot be traced back to them, according to her. The fraud has become so widespread that the ITRC has created an instructional video on how affected consumers can reclaim their phone number.
Do you want Apple or Microsoft to contact you? It was most likely not them
People are prone to falling for tech support scams based on computer pop-ups or phone calls, in addition to having their passwords or other sensitive information compromised by clicking on seemingly legitimate links in their email, texts, or social media. Hackers may pose as representatives of reputable companies such as Apple or Microsoft and offer assistance with a security issue they claim to have discovered. Consumers are duped into granting unrestricted access to their computers, allowing thieves to steal their passwords and other personal data or demand payment for bogus services rendered, according to Pierson.
Remember that reputable companies do not contact consumers at random and offer to assist with computer-related issues. Consumers, according to Pierson, should avoid engaging with strangers who reach out, especially if their information is not verifiable through independent and reliable means. "Googling a phone number is simply not something we would recommend," he added.
(Source: www.digitalinformationworld.com)