No Surprises: Worst Passwords of 2014

January 21, 2015 at 11:25 pm (1Password, Applications, Productivity, security)

Yesterday, SplashData announced its annual list of the 25 worst passwords (read: most common) on the internet. The list is compiled from over 3.3 million leaked passwords. Having worked at an Apple store for five years, I was not surprised by the greatest offenders. During those first few months at Apple, I was constantly amazed at the number of customers who used many of these top passwords. Not surprisingly, many of these folks were hacked. The most common offenders were (are you ready for it?) “123456”, “password”, and “qwerty”. Other commonly used passwords that are easily guessed by hackers, or by someone you know who might like to get into your account for nefarious purposes, include names (yours, your significant other’s, your favorite pet’s), favorite sports (baseball, football, golfer), favorite sports teams (yankees, steelers, rangers), and favorite superheroes (superman, batman). Hackers commonly run a “dictionary crack” (a dictionary attack), which simply tries every word in a word list and takes only a short time to run. If your password is a dictionary word, or several of them, with no other letters or symbols to break it up, the program will guess it easily.

Because of so much publicity surrounding data breaches this past year (Target, Home Depot, and many others), people are finally starting to pay attention and use slightly stronger passwords. However, simply substituting numbers for some letters (3 for E, 4 for A, etc.) is really not enough anymore, because cracking tools try those substitutions automatically. While “P4ssw0rd” is better than “password”, it is still easily guessed. It would be better to use something like “P4$$w)rd”, which is still “password”, but with substitution of numbers and symbols. Another big risk that people take is using the same password for all their sites. If your login information was accessed during a data breach, all the hacker needs to do at that point is try that same login information at the common banks. If you reuse passwords (use the same password for your Target account that you use for your Bank of America account), then the hackers have just gotten both your Target account information and your banking information. Now do you see why reusing passwords is a bad idea?

[Image: Dilbert comic on password instructions]

Here are a few tips to make your passwords stronger: 
1. Use a combination of upper and lower case letters, numbers, and symbols. Most sites have a minimum length, but it can vary from 4 to 8 characters up to 14 to 18 characters or more.
2. Do not reuse passwords. In other words, don’t use the same login information for multiple sites.
3. Use two-factor authentication when possible. Many sites like Facebook, Twitter, Google, Battle.net, and others are using this method, which is like having a security door in addition to your main door. Each time you log into the account, you are sent a code to your phone to enter after entering your initial credentials. It changes each time you log in, so a hacker would have to have access to your device at the time of the login attempt in order to get the code.
4. Wait for it. You know it’s coming. Use a password manager such as 1Password for the best possible security. Not only does 1Password store all your login information for every site you visit, but it will also generate strong passwords for you (and you can set criteria, such as length, number of digits and symbols, etc.), and you only have to remember your master password. The app remembers all your other passwords for you. In addition to login information and passwords, it also stores secure notes, attachments, software information (serial numbers and software keys), network information, banking info, and more. It works across platforms, and is always in sync. Best of all, the next time there is news of a data breach somewhere, and everyone is scrambling to change their passwords, you can sit there with a smug grin on your face knowing that you don’t have to worry about it.

Do you have any tips or tricks to add? Do you want to tell us the ‘best worst password’ you’ve used (or heard of)? Let us know in the comments.
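The checks above (common-password list, dictionary words even after number-for-letter substitutions, length and character mix) can be run by a site or a password manager before accepting a password. This is an added example, not code from the post or from 1Password; the word lists are small constructed stand-ins for SplashData’s full list and a real cracking dictionary.

```python
import re
import string

# Constructed sample of the kind of entries on SplashData's annual "worst
# passwords" list; the three the post names are included. A real deployment
# would load the complete published list instead.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "baseball", "football", "superman",
    "batman", "yankees", "steelers", "rangers", "letmein", "dragon",
}

# Constructed stand-in for the word list a dictionary attack runs through
# (names, pets, sports, teams, superheroes, ordinary words).
DICTIONARY = COMMON_PASSWORDS | {"golfer", "monkey", "fluffy", "michael", "sunshine"}

# Single-character swaps that cracking rule sets try automatically. The check
# undoes them first so "P4ssw0rd" is scored as the dictionary word "password".
LEET = {"4": "a", "@": "a", "3": "e", "0": "o", "1": "i", "!": "i",
        "$": "s", "5": "s", "7": "t"}


def normalize(pw):
    """Lower-case, drop a trailing run of digits (password1, steelers2014),
    then undo leet substitutions, mirroring what a cracker's rules would do."""
    base = re.sub(r"\d+$", "", pw.lower())
    return "".join(LEET.get(c, c) for c in base)


def check_password(pw, min_length=8):
    """Return (ok, problems): ok is True only when no problem was found."""
    problems = []
    base = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    elif base in DICTIONARY:
        problems.append(f"dictionary word after undoing substitutions ({base})")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("123456", "P4ssw0rd", "Steelers2014", "Xk9#mQ2vLp!t"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'weak: ' + '; '.join(why)}")
```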


Help! I Forgot My Apple Password

December 15, 2014 at 9:09 am (1Password, Apple, Applications, How-to, iPhone/iPod Touch, security)

Back in the old days when I worked at Apple, there was hardly a day that went by when we didn’t get at least one person at the Genius Bar who had forgotten their Apple ID or Password.  They would frequently swear up one side and down the other that they knew what it was, it had always been that, and Apple was just wrong.  Uh-huh.  Right.  But, things happen, and sometimes it happens to the best of us.  Like my dad.  He is a pharmacist, one of the most intelligent men I’ve ever known.  But, bless his heart, he is not the most tech-savvy guy around.  Don’t get me wrong, he tries.  Oh, how he tries.  But, as much as I’ve tried to gently guide him and help him, I still end up going over about once a week to provide a little tech support (usually just to reset the router).

Not long ago, I was doing some routine upgrades when the box popped up for the Apple ID and Password.  I entered it, and immediately was informed that I was mistaken.  Frowning, I thought I must have entered it wrong.  I re-entered it, and got the ‘no dice’ message again.  “Dad”, I called out over the balcony, “have you changed your Apple Password without telling me?”.  He responded that he had not, so I opened my all-around favorite app, 1Password (I know, you’re shocked). I pulled up Pop’s info, only to find that the password listed was the same one I’d tried without success.  So, at this point, what to do?

There are a couple of things that one can do in this instance. You can always contact Apple support. This might be best for folks who are not tech-savvy. Had I not been around and available, I would have sent Pop this route. To get in touch with Apple’s support team for Apple ID issues, you can use this link: https://getsupport.apple.com/Issues.do

You click a selection to let them know whether your issue with your Apple ID is related to iTunes, iCloud, or “other”, where “other” includes Apple ID and password issues, as well as issues related to your security questions, Game Center, FaceTime, Messages, and more. When you select your issue, you’ll then be given a choice to schedule a call with Apple support. You can call them or they will call you. This cuts down on a long hold time for you. A schedule is displayed, and you choose your preferred time, in fifteen-minute intervals. For instance, if I wanted to call this morning, it shows me that there are 6 appointments available between 9:45am and 11:15am. I select the one I want, enter my contact information, then sit back and wait for them to call me. You can call them as well, but during times of high call volume, you might have to hold for a bit. Letting them call you is definitely the easier option.

If you have an iDevice (iPhone or iPad), you can easily recover or reset your account information. Simply open the Settings app, then scroll to iCloud and tap it. At the top of the iCloud settings, you’ll see your name and email address. Tap on the email address. A box will appear for you to enter your password. Underneath the box, tap on the blue text that says “Forgot Apple ID or Password?” You will then have two choices: If you don’t remember your Apple ID, tap the blue text that says “Forgot your Apple ID?” Boxes will pop up for you to enter your name and email address to recover your Apple ID. If you know your Apple ID but don’t remember your password, enter your email address, then tap “Next”. Then tap whether you want to reset your password by email or by answering your security questions. After that, you should be able to reset your password and log in to your account as usual.

My Apple ID

You can reset your password from the “My Apple ID” site using your web browser.  Under the blue “Manage Your Apple ID” link on the right side of the page, click on the option to “Reset Your Password”.  You will have to enter your email address and correctly answer the security questions to complete the process and have your password reset. 

There is a little-known secret that allows you to use your web browser to search multiple email addresses to try to find an Apple ID that you may have forgotten after changing your email from one account to another. Go to Apple’s iForgot site, enter your name, your current email address, and up to three former email addresses. Answer the security questions to verify that you are really you. This should be enough to find your Apple ID. You can follow the other steps to reset your password if needed. Now you can log in as usual.

Once you recover your Apple ID and password, please put the information into your 1Password app.  If you aren’t using it yet, there’s no better time to start.  Check it out at their 1Password website. Start using 1Password and have all your user names, passwords, login info, secure notes, and more right at your fingertips.  Best of all, you only have to remember one password (you know you wondered where the name came from) from now on.  The app remembers the rest. It’s accessible anywhere, and syncs across all your devices. Get it now, and never have to fill out another form to recover ID and password information.  Think of all the time you’ll save! 

If you have any trouble, you can always refer back to the link to get in touch with Apple’s support team.  They will help get you back on track in no time. 


1Password App Extension Coming in iOS 8

August 6, 2014 at 9:48 am (1Password, Apple, Applications, Current Events, iDevices, iPhone/iPod Touch, Productivity)

One of the really cool things announced at Apple’s WWDC this year was the addition of app extensions for iOS 8 (iOS is the operating system that runs our iDevices). When you log in to an app on an iDevice, you have to do the copy and paste dance of going to 1Password (or your notes or wherever you have your login info), going back and forth between the screens a couple of times, until you submit the info and successfully log in to the app…unless you use the same password for everything, but you don’t do that, right? Because that’s just wrong, and setting yourself up for a world of hurt. So, the announcement about app extensions was fantastic! Because now, you won’t have to do that do-si-do anymore. There is a short video at 1Password’s blog where you can get a look at the coolness of it. More info will be coming soon, but I can’t wait for this feature. Be sure to let your favorite app developers know that you want them to use the 1Password extension with their apps.


Where do you keep your Passwords? No More Sticky Notes!

June 8, 2014 at 11:31 am (1Password, Apple, Applications, Current Events, iDevices, iPhone/iPod Touch, Productivity, Products, shareware)

I realize I’ve been hyping the fantastic 1Password app quite a bit lately.  There’s a good reason for that.  It’s the best.  If you care anything about your data, you owe it to yourself to protect it.  That means using 1Password. 


Friends frequently ask me what 1Password is, what it does, why they need it, and many other questions.  I’d gotten my “elevator spiel” down to about a minute or so, but I was afraid of being inconsistent, or leaving out something important, (especially with all the new features added recently), or just freezing up (it happens sometimes). But, now there is something even better. 


Now there is a real video, complete with snazzy soundtrack, that can be clicked and watched again and again. Keep watching until you realize that you cannot go another minute without the muscle that 1Password provides.   


Enjoy this brief video, then head on over to 1Password and pick up a copy today.  



Apple iDevices Held for Ransom Down Under: Don’t Reuse Those Passwords, Mate

May 29, 2014 at 2:13 pm (1Password, Apple, Applications, Current Events, iDevices, iPhone/iPod Touch)

Something interesting happened in Australia recently when Mac, iPhone, and iPad users were hacked: the attackers used Apple’s Find My iPhone feature to lock devices and send ransom messages to the owners. They demanded a $50 “unlock fee” from the owners, to be paid via PayPal.


While it wasn’t immediately evident how these hackers gained access to the devices, it was soon ascertained that they obtained the information from a data breach. Because many people reuse passwords, it is likely that the hackers found people who used the same password for the breached accounts and for their Apple ID, which then gave them control of the iDevices.


Apple made a brief statement to let people know that iCloud was not compromised. They also advised those affected to change their passwords. Those affected can also go to their local Apple store or call AppleCare if they need additional assistance.


This reinforces the sensibility of utilizing two-step authentication whenever possible, and reminds users to never reuse the same password across accounts. It also reiterates the need to use a good password manager such as 1Password to create strong passwords for all your accounts. Until next time, be safe with those passwords folks. Friends don’t let friends reuse passwords.  



The Heartbleed Bug, 1Password, Watchtower, and You

April 18, 2014 at 6:58 pm (1Password, Apple, Current Events, iDevices)

Anyone who has spent any time with me knows that 1Password is one of my favorite applications.  It ranks right up there with Evernote, TextExpander, and Dropbox for must-have, can’t live without applications for Mac and iDevices alike (and even Android and Windows folks are covered).  1Password has long been my go-to app for password management, secure note storage, software license info, and general account and login information. It even helps me complete online orders quickly, easily, and securely. 


There was a new bug discovered recently called Heartbleed. This bug is of the electronic variety, not the pesky outdoor variety…although both have the potential to be particularly troublesome. The Heartbleed bug affects almost all of us in one way or another. It has been shown to be a serious vulnerability in OpenSSL, a widely used implementation of SSL encryption, which is used to provide security over the internet for many applications such as instant messaging, web applications, email, and some virtual private networks (VPNs). SSL is the ’s’ in https, or to break it down a little more, it is what usually keeps your information secure and is shown by the little padlock icon in your browser’s address bar. Without getting too technical, the Heartbleed bug essentially allows the bad guys to access what the user thought was their secure data, such as account user names, passwords, and possibly even the actual content.


In order to fix it and recover, the owners of the services and the service providers must patch the vulnerability and distribute new versions, which clients generally pick up by upgrading their software. Additionally, users should change their passwords.


Almost everyone is affected in some way, largely because of the widespread popularity of OpenSSL. In addition to being used by many social networking sites, blogging sites, ecommerce sites, and even some government sites, OpenSSL is also used for mail and chat servers, and VPNs (virtual private networks). Exploitation is very difficult to detect because the bug leaves no trace of abnormalities in the server logs.


Dave Teare, co-founder of AgileBits, and developer of the aforementioned awesome password management software, 1Password, released a newsletter to users to inform them of the Heartbleed bug, and to let them know how 1Password can help them defend themselves. 


1Password was not affected by Heartbleed because it uses a different type of encryption. The data within 1Password is completely safe. However, you will need to change your password for any websites that were affected.


1Password makes it incredibly easy to change your passwords. It has a terrific feature that enables you to do something called a security audit. With a click of a button, it tells you which of your passwords are weak, which are duplicates (bad!), and which are older (6-12 months, 1-3 years, 3+ years), which is especially good if you use time-sensitive passwords or work somewhere that requires they be changed monthly or quarterly. I could never keep up with the timing on those when I worked at Apple, and it never failed that I would have to change my password at the most inconvenient time.


One of the most common questions after Heartbleed was publicized was, “Which passwords do I need to change?” Part of the problem was that folks didn’t know whether a particular site had patched (or fixed) its vulnerability without going to every single website for which they had an account. Talk about a huge time suck. I could have spent a few days just checking websites. Then, I would have had to note which sites were fixed, and which sites I needed to follow up with if they had not been patched. Surely there was an easier way, right? Yep, and the wonderful folks at 1Password helped us with that.

[Image: Watchtower screenshot]

Enter 1Password Watchtower. Talk about slick! I am so loving this new feature. It will let you know the status of the websites affected by Heartbleed. For example, it will let you know if you need to avoid the site until it is fixed, if it has been fixed and you need to change your password (see example screen grab), or if it was never vulnerable and therefore not affected, so you don’t have to change your password for that particular site. The danger of reusing passwords (using the same password for multiple sites) is that if you use a password on a site that was vulnerable, the bad guys could have accessed your user name and password. Then they could go to a site that wasn’t vulnerable on its own, but they didn’t need it to be vulnerable, because you had already handed them your user name and password on one of the other sites. Does that help to better explain why it’s such a bad idea to use the same user name and password for everything? Here is more information on the new Watchtower service.


Cult of Mac published a very helpful article that walks one through the process of resetting affected passwords quickly and easily. They have also listed links to the password reset page of popular websites such as Facebook, Google, Amazon, Instagram, IFTTT, and many others. Using the Security Audit feature, you simply start at the top of the list and follow the step-by-step instructions to change your password. Once you’ve finished with that website, just go to the next one on the list until you’ve finished all of them. How much time it takes will obviously vary depending on how many passwords you need to change, but it really is a fairly quick and painless process. Plus, it should go without saying that now you will have peace of mind that your login information is safe again.

If you don’t already have it, pick up 1Password today and get started on your path to a safer online experience.  Then, next time your friends are freaking out because “ACME Data” got breached, you can say, “Meh, I have 1Password. Not worried.” and keep on watching your videos.


For more information about Heartbleed, 1Password, and Watchtower, head over to 1Password’s website.  Their terrific blog has all the latest information about things that would be rocking your world in a bad way, were it not for 1Password keeping things in balance.  Cheers!



Beware of Friendly Emails from Social Media Contacts

September 5, 2013 at 4:43 am (Uncategorized)

I’m beginning to really hate Facebook these days.  Their lack of privacy protection coupled with scum of the earth who prey on others is almost enough to make me delete all social media forever. Almost. 

After getting a message telling me my account had been hacked (and knowing it hadn’t), I started investigating. It seems a lot of people have been getting messages purporting to be from me and others in my contacts list, but the email address is different. You can quickly check to see if your account has truly been compromised by checking the “Sent” mail folder to see if mail has actually been sent out to others. If it has, you’re dealing with something different entirely. Most likely, though, it is just the contacts list that was compromised through someone you know on a social media site.

So, what usually happens is something like this:

Someone has their account compromised. Their friends list is obtained. Now, phishers send email to those contacts using a name from the friends list in the “From” field, and often the actual email address is hidden (or folks just don’t notice that it is a totally different email address, because they see a person’s name with whom they are familiar and skip over the address). Then, the recipient clicks on the link in the brief message (which ALWAYS includes a link of some sort, be it a photo, video, or weblink). Now, the unsuspecting person has likely just come in contact with some spyware, malware, etc. If they have a Mac, they are probably ok. If they have a PC, it depends on their protection package.

The scammers generally have not accessed the account details of the folks on the list; it’s just a list of contact names, kind of like someone writing any name in the return address field of a letter to be mailed. I can choose any name from my address book to place in that field, then I can add any address to it as well.

Note that it often happens to those of us with friends in common.  I suspect the spambots gather webs of common friends, then use them to send email phishing scams to targets. 

This is typically what you’ll see in the resulting email:

1. Friend’s name (John Smith) in the “From” field, but with a different email address. These are frequently from a Yahoo or Hotmail address (gencobet@yahoo.co.id).

2. Subject is usually something like “Check this out” or “For ‘your name’”.

3. Generally, the messages are very brief and always include links, saying something like “You’ve gotta see this” or “Look what I found” or (lately) “Saw this picture of you on (insert your social media site here)”.


There are a few things you can do to protect yourself. If you don’t use a really good password manager like 1Password (https://agilebits.com/onepassword), please start now. I can almost guarantee the safety of my accounts because I use 1Password with its random password generator. I don’t reuse passwords, I don’t use my spouse’s name or pet’s name or birthdays or words that are in the dictionary for passwords…all of those things that make some folks perfect targets to have their accounts compromised. You only have to remember your main (master) password, and the rest is automatic. It takes care of logging in to sites for you and does so much more, including protecting you from phishers by making sure the website you think you are viewing is the actual site, and not just pretending to be that site (a popular way many folks give up their passwords is to think they are on sites such as banks, PayPal, etc. when they really are not). Therefore, not only does 1Password securely store your passwords, logins, and other information, it also acts as your first line of defense against scammers, phishers, and other unscrupulous scum of the earth. It used to be Mac-only, but now there are versions for Windows, iOS, and Android, so virtually everyone is covered. The versions all sync, so you always have all your information where you need it. This is one of the top three apps that I absolutely, positively could not be without.

Enable 2-factor authentication, also known as two-step verification, when possible.  This means that in addition to logging in to a site with your user name and password (first step), you will be sent a code, often by SMS on your cell phone, to verify the account (second step).  Several sites offer 2-step verification now, including Google, Facebook, Twitter, and others.  Here is a link to a Gizmodo article telling you how to enable it on your other services: http://gizmodo.com/how-to-enable-two-factor-authentication-on-all-your-acc-510245714  I’ve been using 2-factor authentication with Facebook for awhile now, and, while it can occasionally be a pain, I have gotten used to it and feel much safer using it knowing that it would be very difficult for someone to access my account. 

If you aren’t sure about a message you receive from someone, look at the return email address.  Make sure it is actually the sender’s email address. 
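The “look at the return email address” check, together with the three tell-tale signs listed above, can be automated with a small mail filter. This is an added example, not code from the post; the address book and the two messages are constructed, with the spoofed one reusing the address quoted above and the legitimate address being a made-up placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: contact's display name -> addresses they really use.
ADDRESS_BOOK = {
    "john smith": {"john.smith@example.com"},
    "jane doe": {"jane@example.org", "jdoe@example.net"},
}

# Subject and body phrases the post lists as typical of these messages.
LURE_PHRASES = ("check this out", "you've gotta see this", "look what i found",
                "saw this picture of you")


def analyze(raw_message):
    """Return a list of reasons the message looks like a spoofed-friend phish
    (empty list means nothing suspicious was found)."""
    msg = message_from_string(raw_message)
    reasons = []

    # Sign 1: familiar display name, but an address that is not the contact's.
    name, addr = parseaddr(msg.get("From", ""))
    known = ADDRESS_BOOK.get(name.strip().lower())
    if known is not None and addr.lower() not in known:
        reasons.append(f"display name '{name}' is a known contact but "
                       f"{addr} is not one of their addresses")

    # Sign 2: a generic lure in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(phrase in text for phrase in LURE_PHRASES):
        reasons.append("subject or body uses a typical lure phrase")

    # Sign 3: a very short message whose main content is a link.
    links = re.findall(r"https?://\S+", body)
    if links and len(body.split()) < 30:
        reasons.append(f"very short message carrying {len(links)} link(s)")
    return reasons


# Constructed sample matching the pattern described in the post (the address
# is the one quoted there; the link uses the reserved .invalid TLD).
SPOOFED = """From: John Smith <gencobet@yahoo.co.id>
To: you@example.com
Subject: Check this out

You've gotta see this http://example.invalid/photo
"""

# Constructed legitimate message from the same contact's real address.
LEGIT = """From: John Smith <john.smith@example.com>
To: you@example.com
Subject: Dinner on Friday

Hi, are you still free on Friday? Let me know what time works for you.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", analyze(raw) or "nothing suspicious")
```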

This should go without saying, but don’t EVER click on the links. Doing so will almost always invite trouble. It might look harmless, but a link can be named almost anything. I can send you a link to a site that will install really bad juju on your PC, yet I can title it, “Beautiful Sunset”. 

Above all, be vigilant and use common sense. It’s always ok to send someone a message to ask them if they sent you something. Replying to the message will not send it back to your ‘friend’ in most cases, because it wasn’t from them anyway. It’s best to just ignore it. Still, one of the best things one can do to protect themselves online is to make good use of 1Password. Be safe out there. 
