Tag: Password Manager

Categories
Casserly Consulting Blog

Tip of the Week: A Secure 2018 Relies on Powerful Passwords

password_strength_400.jpg

Password security is one of the most important parts of using an online account. It seems that the average user runs into the paradox of password security by using either complex, hard-to-remember passwords, or simple and less-secure passwords that put their accounts at risk. Even if the user is aware of the benefits that come from using a secure password, chances are that they will sideline security in favor of ease of access.

According to a list of the worst passwords in 2017 compiled by Splashdata, some of the worst passwords included “password” and “123456.” These two have topped the list since at least 2010, when Splashdata made their debut survey. Other passwords included in the top five include “12345678,” “qwerty,” and “12345.” Even “starwars” made the list at #16. For further reference, you can view the list of the worst passwords in 2017 here .

Best practices for password security are relatively well-known, especially considering how many experts study this particular field. Here are some tips from the guidelines recommended by the United States Computer Emergency Readiness Team, or US-CERT. In fact, US-CERT was created by the Department of Homeland Security for the specific purpose of preserving online security against threats.

Some sites or applications force users to use these best practices when creating a password, so do yourself a favor and keep these in mind:

  1. Use different passwords on different systems and accounts.
  2. Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  3. Use a combination of capital and lowercase letters, numbers, and special characters.
  4. Don’t use words that can be found in any dictionary of any language.
  5. Develop mnemonics (or spoken memory tricks) such as passphrases for remembering complex passwords.
  6. Consider using a password manager program to keep track of your passwords.

COMPANYNAME is of the firm mind that you should never underestimate the importance of network security best practices–particularly password security. To learn more about how you can secure your business, reach out to us at PHONENUMBER.

Categories
Alerts

Alert: LastPass Vulnerability Found. Is Any Password Manager Safe?

b2ap3_thumbnail_last_pass_leak_400.jpg Thanks to one of Google’s researchers with the Zero Day Project, it has been discovered that LastPass has a major vulnerability as a result of a major architectural problem. This news comes on the heels of many other flaws the same researcher discovered within LastPass. However, based on what the researcher claims, these vulnerabilities were much less serious than his latest discovery.

After having “an epiphany in the shower,” Tavis Ormandy realized that the latest version of the password manager’s browser extension is subject to a flaw that allows some malicious websites to have their way with the user’s system. Otherwise, the vulnerability allows malicious websites to steal the user’s passwords from behind LastPass’ protections. Unfortunately, this vulnerability seems to be present in the extensions for every major browser on Windows and Linux, and is most likely present for Mac users as well.

Making this vulnerability even more significant, the vulnerability only requires the extension to be installed in order for it to be exploited. A user could be logged out and still be subject to receiving malicious code from the website they’re visiting.

To their credit, LastPass is committed to resolving this issue, acknowledging Ormandy’s report a mere hour after he submitted it. Two days later, LastPass released a blog post going over these events and offering a few recommendations:

  • Launch websites from the LastPass vault: To retain the highest level of security as possible, it’s better to access websites from the LastPass vault itself.
  • Use Two-Factor Authentication wherever possible: This will add an extra layer of security to prevent leaked credentials from granting easy access to your accounts.
  • Keep an eye out for phishing attacks: Clicking on a malicious link is a great way to hand over your access credentials to malicious entities, so before you click on a link in a received message, take a moment to ask yourself if the link makes sense to be coming from who allegedly sent it.

LastPass has also been vocal in their appreciation for people like Ormandy finding issues like these before they are found the hard way. According to Joe Siegrist, cofounder and vice president of LastPass, “We greatly appreciate the work of the security community to challenge our product and uncover areas that need improvement.

LastPass now has 90 days before Ormandy and Project Zero release the technical details as part of their disclosure policies. In the meantime, it would be prudent to take LastPass’ advice to heart for the sake of your own network security.

To ensure your credentials are protected, and to schedule a full security audit, contact COMPANYNAME at PHONENUMBER.