The National Institute for Standards and Technology is working on new password guidelines which will be mandated for government sector users, and strongly recommended for businesses as well. Still in draft from, the standards can be found on the document Special Publication 800-63-3: Digital Authentication Guidelines. Here are some of the recommended changes, so far. We approve, and in many cases have been ...
We warned our readers about the FBI alert regarding the Business Email Compromise scam on July 6. Cyber-criminals have successfully bilked US companies of over 3 billion dollars since January 2015. Typically this exploit starts by the attacker gaining knowledge of the CEO’s or other highly placed executive’s user credentials to their email account. This is most often done using a spearphishing email, but could also be ...
Holy acronyms Batman! What the heck does this headline mean? Well, the National Institute for Standards and Technology (NIST) has removed two-factor authentication (TFA) via short-messaging service (SMS) from the approved list of two-factor authentication methods. The reason is that SMS is an unencrypted service, and the lack of encryption makes it too insecure for use in Federal authentication systems. NIST is recommending that all ...
I am a firm believer in, and user of two-factor authentication (TFA or 2FA). Heck, if there was three-factor authentication I would probably sign up. The two most popular authenticator apps are Authy and Google Authenticator. I primarily use Google Authenticator wherever I can. I use SMS when Authenticator isn’t an option, or won’t work. I had trouble, for instance, getting Facebook to work ...
Bruce Schneier had an interesting post where he attacked the commonplace practice of requiring regular password changes. Usual corporate IT policies require changes every 90 days, and in some high security environments, more frequently than that.
The basic issue with frequent password changes is that humans will create a system that makes it easy to remember the next iteration of the password. ...
Continue Reading →
Maybe you like the idea of two-factor authentication, but the Google Authenticator smartphone app seems too cumbersome. Or maybe you are not a smartphone owner, because you don’t like the idea of a phone that can track your location to within a few feet, and keeps sharing all your personal data with the apps on your phone. So you own a flip phone ...
Google Authenticator is my favorite go-to app for setting up two-factor authentication. But what if you want to remove an account from Google Authenticator?
I set up two-factor authentication for Facebook and the Authenticator app did not work. So I tried again, and ended up with two accounts on the Authenticator list, neither of which worked. This pushed other working accounts down far enough ...
Continue Reading →Hardening and securing WordPress websites is one of my specialties. We have reported previously on three of the best WordPress security plugins, Sucuri, Bulletproof, and WordFence. I can tell you that each of these plug-ins performed admirably against the continuous barrage of brute force and password reset attacks that my sites have endured. Security appeared to be strong, but I wanted more.
I have been deploying two-factor authentication (TFA) everywhere I can, in order to overcome the inherent weakness of password ...
Continue Reading →
On Wednesday we discussed the many, many ways your smartphone is vulnerable to attack. Today we will look at solutions. Smart mobile devices need to be secured just as you would a laptop or desktop computer The small size and easy portability of smartphones and tablets make them easier to steal or lose. Some of our recommendations:
Ah, the good old days, when perimeter defenses and endpoint security software was all you needed to keep your network secure. Was it ever really that simple? Probably not, but many business owners and IT professionals are still hoping that keeping the firewall and antivirus updated is enough.
Over 90% of exploits start as an email in somebody’s inbox. According to NSS Labs, 97% of all breaches are enabled ...
Continue Reading →