Password Best Practices


Passwords have become an essential part of our daily lives. We use passwords for everything from social media accounts to online banking. With your banking and medical information available online, the need for secure passwords is more important than ever.

Here are our top 5 password practices.

  1. Use a unique password for each account. This way, if one of your passwords is leaked in a data breach, it will not affect your other accounts. Don’t cheat: the bad guys know all about substituting a 3 for B and adding numbers or special symbols at the end.
    If your “ILoveSummer!” password is leaked, any variation can be tried in fractions of a second. In no time, the identity thief will find that you used “!lov3summer2” for your bank account password.
  2. Enable multi-factor authentication (MFA) whenever possible. MFA adds an extra layer of security by requiring you to enter a code or use another device to verify your identity when logging in to an account. At a minimum, your primary email account, banking, financial, health care and password manager accounts should require MFA.
  3. Make your passwords long and complex. Use at least 12 characters and include a mix of uppercase and lowercase letters, numbers, symbols, and spaces. Consider using a passphrase where possible if you don’t use a password manager. A passphrase is a very long (over 20 characters) list of words that resemble a sentence. Passphrases are much easier to remember than 15 random characters.
    Avoid using common words, phrases or quotes that can be easily guessed or cracked by hackers when creating your passphrase.
  4. To make long complex passwords easier to deal with, use a password manager. A password manager will save and encrypt your passwords in a vault that only you can access (and is protected with MFA). Password managers also help you create strong and random passwords for each account and warn you of re-use.
  5. Don’t use personally identifiable information (PII) in your passwords. This includes your name, date of birth, address, phone number, email address or any other information that can be linked to you.

Bonus Tips

  • Change your passwords only when necessary. Changing your passwords too frequently can make them harder to remember and more likely to be reused or written down. A good rule of thumb is to change your passwords only when you suspect a breach or when prompted by a legitimate service provider.
  • Don’t share your passwords with anyone else. Not even with friends or family members who may have good intentions but may compromise your security unintentionally.
  • Don’t send your passwords by email, instant message or any other means of communication that are not securely encrypted. Hackers can intercept these messages and steal your passwords easily.
  • Avoid using public computers or networks to access your accounts online unless absolutely necessary as they may have malware installed that can capture keystrokes.

Following password best practices will help keep your online accounts safe and secure. By using strong passwords, avoiding common mistakes, and being cautious of cyber threats, you can significantly reduce the risk of your accounts being compromised. Remember to enable two-factor authentication wherever possible for your important accounts.

The LastPass Data Breach

LastPass, the popular password manager, has suffered yet another major breach. This has put customers’ online passwords at risk and endangered their data.

In late December, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company disclosed in August eventually led to an unauthorized party stealing customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass that date back to 2011.

An unauthorized party was able to gain access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal a copy of customer vault data.

If you were a “LastPass” subscriber, what should you do? 

LastPass estimates it would take “millions of years” to guess your master password — if you’ve followed its best practices. If you used a complex master password that was only used for LastPass, your LastPass vault is fairly safe. 

The vault is encrypted, and your master password was not stored at LastPass, so the thieves did not get a copy of your master password.

The problem is that the threat actor has two strategies to guess your master password. The quickest and easiest method is to search password databases from other data breaches for your LastPass account name and then try every combination they have. This is known as Credential Stuffing. It would take only seconds to try the combinations. The threat actor will even search for minor variations like adding numbers to the end of the password or changing the one special character at the end of the password. If you don’t re-use passwords, credential stuffing doesn’t work.

The second method is a brute force attack that uses a trial-and-error approach to systematically guess login info, credentials, and encryption keys. The cyber-attacker submits combinations of usernames and passwords until they finally guess correctly. If you used the LastPass recommended complexity combined with their encryption, brute force would take too long to be useful. If you didn’t use a long complex password, or your master password has been leaked through re-use, your password might be guessed in something between minutes and millions of years. 

The safe approach is to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions, and they are working at trying to unlock your vault. 

If you haven’t followed those practices, or if you just want total peace of mind, you’ll need to spend some serious time and effort changing your individual passwords. You might want to transition away from LastPass while you update your passwords.

With that in mind, here’s what you need to do immediately if you’re a LastPass subscriber: 

  1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now is a great time to seek an alternative.
  2. Change your most important passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information.
    Don’t forget that the email account you use for resetting forgotten passwords is one of those ‘important passwords’.
    Make sure these new passwords are strong and unique.
  3. Enable two-factor authentication wherever possible. While you are changing your passwords, make sure to enable two-factor authentication on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone). We will be posting an article soon about multi-factor authentication.
  4. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then move on to other accounts that may not be as critical.
  5. Change your master password if you choose to stay with LastPass. This doesn’t change the threat level to the stolen vaults, but it will still help mitigate the threat of any potential future attack.

If you find that your data has been breached or you are experiencing unusual functionality with your business computer systems, contact your IT Department. If you are a business owner, Cogent Technology Solutions can assist in remediating a Cyber Attack. Contact us immediately at http://www.cogent-ts.com/get-started/ 

Cybersecurity First

Cybersecurity starts with you. Every time you use the Internet, you face choices related to your security. Is that really your friend on Facebook asking you to add them again? Is that oddly worded email really from the CEO asking you to confirm your social security number? Is the “Strong Coffee” wireless network really the coffee shop’s?
Your security and the security of your employer depend on everyone making secure online decisions. Making the Internet more safe and secure requires all of us to take responsibility for our own cybersecurity posture.

Cybersecurity awareness month is coming to an end, but we need to stay aware. Peak shopping scam season is coming.

Fight the Fish!

Phishing attacks have been around for a while, but they were responsible for 22% of all data breaches in 2020. While email is used in over 80% of phishing attempts, they can also use text messaging and phone calls. The methods crooks use continue to evolve: email attachments one day, disguised web links the next. They pose as your boss, your ISP, a business partner, a government agency or your bank. As phishing attacks evolve, the bait is hiding the hook better. We can’t just rely on spotting spelling and grammar mistakes. Remember, the crooks only need to succeed once, and they can keep trying.

  • Think before you click – Look closely; if you are at all suspicious, attempt to verify with the sender.
  • Verify before you enter credentials – If you do click on a link and are asked for credentials, close your browser and call the sender.
  • Keep sensitive data off of free Wi-Fi networks – If the crook is listening in at the coffee shop, they can grab your data.
  • Don’t reuse passwords – Not re-using passwords is a damage-limiting precaution. When you reuse your password, the bad guys have access to every site you use that password on.

As phishing techniques get more sophisticated, they are getting harder to spot. Understanding the attackers’ methods may help you spot new phishing methods quicker. The four main components of a phishing attack are:

Targeting – Phishing crooks use targeting to increase their odds of fooling you. It can be a broad group, like customers of a bank that has just merged. Or, it can be targeted at an individual, which is known as spear phishing. The target selection determines what type of bait gets used.

Bait Selection – Next, the crooks choose their bait. These are the emotional triggers that are designed to prompt you to click on the link or download the file. Here are a few common emotional triggers.

  • Curiosity – The ‘what happened next’ or ‘find out more’ approach. These are often tied to current events, celebrities or more normal events that can pull at you emotionally and reduce your level of care before clicking the link.
  • Hope – Hope phishing uses our aspirations to trick us. These can include high paying job offers, prize winnings, or health and fitness goals.
  • Necessity and Fear – The necessity trigger is very effective and really cranks up the urgency of a response. They can include warnings about large purchases on your Amazon account or being locked out of your email or other account.

Hook Selection – After choosing their bait, the bad guys need to select the ‘hook’ or method they will use to collect your credentials or deliver malware or ransomware. Below are some of the more common hooks. One newer trick is to hide the phishing link in an unexpected place such as an unsubscribe link after the content.

  • A faked link that you will click on to reset your password or download a form or document.
  • A request for payment to a spoofed payment site.
  • An attached file they are pushing you to open.

Casting the Line – Finally, the crook has to get the phishing message in front of you. They once again have multiple choices for delivery and methods to further hide the hook.

  • Spoofed email address – This can be a very effective method. The email looks like it came from your boss, a business partner, a government department or even your family.
  • Spoofed Domains – The bad guys often will register a look-alike domain to make the content look more legitimate. They will use letter substitution and visual disguises like adding an extra ‘l’ to a name that has two l’s (billling vs billing) or using two ‘v’s for a ‘w’ (vvorldwide vs worldwide).
  • Stolen email addresses – When the crooks have already stolen some credentials, they can use the compromised account, making it very difficult to detect that the sender is not legitimate.
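To make the spoofed-domain tricks above concrete, here is an added Python example (not code from the original post) of the kind of check a mail filter can run: it reduces each hostname in a message to a visual “skeleton” (doubled letters squeezed, ‘vv’ read as ‘w’, plus a few other common confusables) and flags links whose skeleton, or one-character edit distance, matches a domain you trust. The trusted list, the confusable table and the sample message are constructed for the example.

```python
import re

# Constructed list of domains the organisation actually does business with.
TRUSTED_DOMAINS = {"billing.example.com", "worldwide.example.com", "cogent-ts.com"}

# Visual tricks from the post ("vv" for "w", doubled letters) plus a few other
# common confusable pairs. The table is an assumption for this example.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def skeleton(name: str) -> str:
    """Collapse a hostname so a look-alike compares equal to the real name:
    lowercase, rewrite confusables, squeeze repeated characters.
    "billling" and "billing" both become "biling"; "vvorldwide" -> "worldwide".
    """
    s = name.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return re.sub(r"(.)\1+", r"\1", s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch single-character typos the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain `host` imitates, or None. An exact trusted match
    is not a look-alike; otherwise flag a host whose skeleton equals a trusted
    domain's skeleton or that is one edit away from it."""
    h = host.lower().rstrip(".")
    if h in trusted:
        return None
    for t in trusted:
        if skeleton(h) == skeleton(t) or edit_distance(h, t) <= 1:
            return t
    return None


def suspicious_links(message: str) -> list:
    """List (host, imitated_domain) pairs for every look-alike link in a message."""
    hits = []
    for host in URL_HOST.findall(message):
        target = lookalike_of(host)
        if target:
            hits.append((host, target))
    return hits


# Constructed sample message for the demonstration.
SAMPLE_EMAIL = """Your invoice is overdue. Pay now at https://billling.example.com/pay
Track your order at https://worldwide.example.com/track
More news at https://news.example.org/story"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the billling.example.com link; the genuine worldwide.example.com link and the unrelated news site pass.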

Phishing attacks look to be around for a while. Fortunately, they still require you, the recipient, to take action before the attack succeeds. Knowing what to look for and what to do if you see something suspicious is the best defense against phishing attacks. We can provide security training and ‘safe exposure’ to help you and your staff be better able to recognize scam and phishing emails. Please contact us to learn more.

Beware of Covid-19 Vaccine phishing emails

On Friday December 18th, the US DOJ seized two domain names that were claimed to be the sites of companies developing treatments for Covid-19.

The sites were really being used to collect personal information of visitors and then use it for further phishing and malware attacks.

Don’t make the mistake of thinking there aren’t more fraudulent sites looking to steal your information or infect your computer.

Credential phishing emails use social engineering to exploit some of the basic questions and concerns that users and employees will have about the Covid-19 vaccines:
  • How soon will a vaccine be available?
  • Will it be safe?
  • How can I get it?
  • When can I get it?
  • How much will it cost?
  • Should I get it?

Credential thieves will promise to provide one or more answers to the above questions to tempt you to click the links and sign in or supply your personal information.
If you receive an email with links to answer the above questions, Think before you click!

Below is a screenshot of an actual phishing attempt using the Covid-19 vaccine to get users to click the link in the email and fill out a form.

If the user clicks on the link, they are taken to a fake site that is made to look like Adobe’s document cloud service, asking you to log in.

Once you sign in, the crooks get your login to use for other purposes. If you do have questions about the vaccine, don’t get them from an unsolicited email, text message or social media messaging apps.
Go to a trusted source directly, ask your medical professionals, or your County Health Department.
Think before you click!

Holidays Bring the Worst Out in Cyber Scammers

We are in the peak of shipping scam season. Sent via email or text, the simple message that a delivery may not make it by Christmas is all that’s needed to get you invested enough to need to find out more, click links, provide credentials, etc.
Any legitimate shipping notification will provide some details you already know (e.g., the company shipping the item, your address, etc.).

If you receive an urgent shipping delay notice, don’t click on the links in the message. If you think it might be about a package you are expecting, contact the store you are expecting the shipment from. If that’s not possible, try to track the package via the shipping company’s website.

Do you know the red flags for Holiday Phishing emails?

We partner with a company called KnowBe4 to provide security training to help you and your staff be better able to recognize scam and phishing emails. Please contact us to learn more.

10 Holiday Cybersecurity Alert Tips

Happy Thanksgiving!
It’s Holiday Season for the cyber crooks as well as all of us.
But not the way you might think. They go into scam-overdrive mode.
Black Friday and Cyber Monday are the busiest online shopping days and the bad guys are planning to get rich with your money. So, here are 10 Holiday Cybersecurity Alert Tips:

  1. Be wary of ads, giveaways, and contests that seem too good to be true. These run rampant during the holiday season!
  2. Pay close attention to the websites you visit and shop on. It’s safest to only use those you trust. Watch for misspelled site names.
  3. Watch out for holiday greeting cards that may not be the sender you think! Don’t open these unless you’re certain you can trust who they came from.
  4. Keep an eye on your bank accounts and monitor your credit report regularly. Watch for unexpected charges. It’s easier to miss fraudulent charges when you are doing a lot of on-line shopping.
  5. Be careful with messages regarding shipping changes. Always use official channels to stay updated.
  6. Keep all devices up to date with basic security measures to lessen your chance of becoming the victim.
  7. Only connect to known Wi-Fi networks; beware of network names that have typos or extra characters.
  8. Use strong, unique passwords on all accounts. This is a good time to update passwords!
  9. Be safe on all social media; don’t overshare and take the time to review your privacy settings on the platforms you use.
  10. Keep devices in view (or know where they are) throughout the course of all holiday travel.

New Text Message Scams

Just like email scams, text message scams use current events to trick you into responding and giving away your personal information. Text message scams ratchet up the urgency and scare tactics to fit the short message format and try to get you to respond without much thought. The latest text-based scam tied to current events is using COVID-19 tracing to get you to download an app or visit a website and give personal information.

You receive a text message saying “Someone who came in contact with you tested positive or has shown symptoms…More info at link”. If you tap on the link, you are sent to an official-looking website that starts asking for personal information, or attempts to download an app that will ask for access to your information. Don’t tap the link. (Source)

In Michigan, you may get a text message from ‘2051’ prior to being called by contact tracers from the state or county health departments. The phone call itself will come from 866-806-3447, ‘MI COVID HELP’ or your local health department.

Health department tracers will never ask you for personal identification like your Social Security Number, driver’s license, or credit card information. 

If a caller claims to be working for the health department and asks for personal identification or financial information, it is likely a scam. For more info on how Michigan is conducting contact tracing, go to the Michigan.gov site about tracing.

Microsoft Warns of a Massive Covid-19 Excel Phishing Attack via email

The emails claim to be from ‘Johns Hopkins Center’ bearing “WHO COVID-19 SITUATION REPORT”. The attached Excel file, if opened, shows a security warning and then a graph of supposed coronavirus cases in the US. The file contains a malicious Excel 4.0 macro which downloads and runs the NetSupport Manager remote administration tool (RAT).

Microsoft has seen several hundred unique attachments designed to avoid antivirus scanners. We expect that the details of the attack will change over time with new faked senders, new email subjects and different file types.

The best way to avoid the attack is to be skeptical and “Think Before You Click”. Johns Hopkins does not send attachments in their update emails.

Be skeptical and cautious – Don’t respond to sensational email marketing. If you are not sure if an offer is real or fake, use your browser and trusted sites to research further.

For more info see this post from our Security Awareness Training Partner, KnowBe4.

Don’t reuse passwords! (and other password guidelines)

Last week, 530,000 Zoom accounts and passwords were for sale on the dark web (5 for a penny). Investigators think that the accounts were not ‘hacked’ or stolen from Zoom or exposed by a vulnerability. Instead, the account list was likely created from an old data breach. This is called credential stuffing. The crooks take known email addresses and password pairs and try them on other services.

This event is a good reminder that reusing passwords is bad. If one of your accounts has a data breach, or your password gets hacked by other means, the bad guys will try that account name and password on every other site they can. If you have reused that compromised password, you are now in a race with the credential thief to change your password at every service where you used it.

Our guidance on passwords:

One password per service – Keep them unique. This is hard to do but critical to limit damage when one of your accounts gets hacked, phished, or otherwise compromised.

Longer is better – But only if you follow other good practices. ThisIsMyPassword is long, but it’s not a good password!

Random is better than predictable – dgr4&J2Q is better than Thing1&Thing2

The most likely way your password will get to crooks these days is a data breach or getting it from you directly via a phishing attack. The strongest password doesn’t help much once the bad guy has it. That’s what makes sharing passwords between sites so bad. Let’s say that you were tricked into signing in to a fake Facebook login page. Now the bad guys have your info and can try your Facebook login at all of your other accounts.

With the number of accounts each of us has, it can be very hard to follow the one password per service rule. 

Using a password manager makes one password per account easier than typing the same password several times a day. A password manager securely stores your passwords and can fill in your login page automatically. We like LastPass, but 1Password and KeePass are also good solutions. Contact us to learn more about password managers or help in creating strong passwords and password policies.