Yahoo Breach

Everyone knows about Yahoo’s data breach that affected 500 million user accounts. This is another opportunity to look at how you manage your online passwords and accounts.

If you have a Yahoo account, change your password now. Use a password that is not used on any other online or offline account. Duplicate passwords are used by 73% of Internet users. Password managers are the right tool to make this easy. LastPass offers a free computer account for all passwords and important information. When using LastPass you only need to remember one pass phrase to unlock thousands of unique passwords.

To change your Yahoo password, log into your email account. Point your mouse at your name in the top right corner of the screen. Click on Account Info from the menu that appears. On the account information screen, click on Account Security on the menu list on the left side of the screen. After changing your Yahoo password, find the “Disable security questions” link on the left of the Account Security screen. Click on the link to clear all of your current security questions.

Yahoo also offers two step authentication. With this authentication you will need to have a password and a code sent to your cell phone to access your Yahoo account. This occurs the first time you log in from a new smartphone, tablet or computer. TwoFactor lists all of the websites that have two factor authentication available.

A Yahoo account key can secure your account without using a password.  It does require that you use your cell phone to authorize each access from a new device.  Yahoo account key setup instructions are found here.

It is not just your login information that is at risk. Beware of phishing emails that are not from Yahoo. Yahoo is sending out an email to affected users.  Yahoo states “the email does not ask you to click on any links or contain attachments and does not request your personal information. If the email you received about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails.” Do not download or click on any links sent in an email claiming to come from Yahoo. Any message containing a link or attachment is not from Yahoo.

If you have any questions or want to know more about how to secure your business on the Internet please contact us.

LinkedIn passwords revisited

Last week 117 million accounts and passwords for LinkedIn accounts became available for sale on the Internet. LinkedIn did confirm that this list came from a data breach in 2012. This represents about one quarter of the accounts at LinkedIn. If you receive a message from LinkedIn to reset your password you need to refresh this information. A message from LinkedIn also means your password is at least 4 years old. It also means your encrypted password can be hacked. LinkedIn did not change its password policy until after the data breach in 2012.

Your LinkedIn email address may also get a message from LeakedSource that solicits you to join their service because they have a copy of the database information. Their blog post has a list of the top 50 passwords used on LinkedIn from this list of 117 million accounts. You can check to see if you use one of the easiest passwords to compromise on LinkedIn.

We all have scores of passwords that give us access to everything from games to our professional profile. Using a password manager can reduce the complexity of managing this mess. It is time to move your passwords from that list in the book, your Excel spreadsheet, Word document or your contact list on your phone. If you have employees, a policy and procedure should be in place to manage all of the information necessary to run your business.

If you use Office 365 you can manage passwords to Internet sites. After you log into Office 365 you can unlock access to LinkedIn, Dropbox, Box and thousands of other sites. Multi-factor authentication is available on Office 365 to make sure only the account holder can access your online accounts. You do not have to authenticate each time you access the account; you can authorize a device to access Office 365 for 2 weeks before you are prompted to check a text message or authentication app on your phone.

LastPass is an app that works with your computer, tablet or phone to save passwords. The consumer version is free to use on your computer. Twelve dollars per year gets you access from your phone or tablet. A corporate version is available for $24 per year. LastPass has features that can change passwords automatically and save them to your password vault. Forms can be filled with two clicks of your mouse, saving the time spent typing static information online.

If you want help to manage your passwords just email us.

Comcast Accounts for Sale

Over the weekend someone on the dark web of the Internet started selling a list of Comcast usernames and passwords. The complete list had 590,000 email addresses and passwords. Comcast was quick to respond to this disclosure. By Saturday night Comcast had a copy of the list and checked each entry to determine which accounts were valid. Two hundred thousand accounts at Comcast were forced to reset the password on the next login.

A Comcast representative confirmed that their security teams were certain that none of their systems had been compromised to release the account information. The possible source for the known good email addresses and passwords could be phishing attacks or malware installed on the victims’ computers. Keylogging malware can capture usernames and passwords from your keyboard.

“We’re taking this seriously and we’re working to get this fixed for those customers who may have been impacted,” a Comcast spokesperson told the Washington Post, adding, “but the vast majority of information out there was invalid.”

Comcast does not offer multi-factor authentication for your account.  Multi-factor authentication requires a password and one other form of identification to allow access to the account.  The other identification can be a text message, smart phone app or a security key in your computer.  If your password is compromised or lost your account is still safe with two factor authentication or multi-factor authentication. If your email is important then you should be using the best in class protection for your messages.  This should include everyone that has a bank account or brokerage account.  Your email is the destination for password reset confirmation messages.

You can check to see what services use multi-factor authentication at TwoFactorAuth.

If you are tired of looking for your password in a pile of post-it notes or a book you can use a password manager. Do you use the same password on multiple web sites? LastPass is free to use on your computer and it does support multi-factor authentication. You can try LastPass here.

Want to know more about how to secure your life online? Click to Send message

LastPass hacked

LastPass suffered a breach last week that involved losing email addresses, password hints, authentication hashes and server per user salts. If you use LastPass you should change your master password now. The corporate line from the LastPass announcement states “We are confident that our encryption measures are sufficient to protect the vast majority of users.”
The two troubling pieces of information lost are the authentication hashes and the server per user salts. With a large computer and this information it is possible to crack passwords for the user accounts. This explains why LastPass is sure the vast majority of users will be protected. It would take an incredible amount of computing power to crack all of the passwords.
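The following added example (not code from LastPass or from the original post) shows why per user salts make bulk cracking expensive while a password from a common list is still exposed. It assumes PBKDF2-HMAC-SHA256 with a low iteration count for speed; the post does not name the algorithm, and the accounts and word list are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # assumption; kept low so the demo runs fast, real services use far more


def auth_hash(password, salt):
    """Salted, iterated hash of a master password (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password):
    salt = os.urandom(16)  # per user salt, stored next to the hash
    return salt, auth_hash(password, salt)


# Constructed sample data: two users share a weak password, one uses a long pass phrase.
RECORDS = {
    "alice@example.com": make_record("password1"),
    "bob@example.com": make_record("password1"),
    "carol@example.com": make_record("violet kettle orbits seventeen lamps"),
}
COMMON = ["123456", "linkedin", "password1", "qwerty"]  # constructed list


def audit(records, wordlist):
    """Return (accounts whose password is on the wordlist, hash computations spent).

    Because every record has its own salt, a guess hashed for one user is
    useless for the next: the work is per user, per guess.
    """
    weak, work = set(), 0
    for user, (salt, stored) in records.items():
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(auth_hash(guess, salt), stored):
                weak.add(user)
                break
    return weak, work


if __name__ == "__main__":
    weak, work = audit(RECORDS, COMMON)
    print("on the common list:", sorted(weak))
    print("hash computations:", work)
```

The two accounts that share a password store different hashes, so nothing computed for one helps with the other, and the long pass phrase is never matched by the list.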

To keep you safe from a compromised LastPass account change your password and your password hint. LastPass also offers two factor identification for access to your password list. This can be done for free with the Google Authenticator application for Android, iPhone or iPad devices. With two factor identification enabled on your LastPass account you will need your password and a code from Google to unlock your passwords. A remote attack on your account would fail if your phone was not available with the second level of protection. LastPass Altura IT for a video of how to setup LastPass Multi Factor Identification.

LastPass is still a great way to protect and manage all of your account passwords. It is up to you to increase the security for LastPass using one of the eight ways to add a second level of protection. Five of these programs can be loaded for free to your smart phone. There are also two options to use a USB key for the second level of authentication support for LastPass. And there is an option that supports a fingerprint reader for the second level of authentication. Security is a group effort. Using more than just a password to keep you safe on the Internet just makes sense for everyone.

LastPass signup for your password management.