Protect yourself from the next big data breach

Topic

New Reply

	TOP STORY Protect yourself from the next big data breach
	By Fred Langa Huge online attacks, such as the recent Adobe break-in, bring to mind a pressing question: What should we do if our credit-card data or sign-in credentials are stolen? Plus, what steps will help minimize future exposures when large corporate sites are cracked — as they no doubt will be — by malicious hackers and cyber thieves?

---

The full text of this column is posted at windowssecrets.com/top-story/protect-yourself-from-the-next-big-data-breach (paid content, opens in a new window/tab).

Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.[/td]

[/tr][/tbl]

Reply | Quote

Replies

I agree with Fred, RoboForm is an excellent choice, not just for the aspects Fred outlined, another worth a mention they also offer RoboForm2Go which you can load on any computer without leaving a trail. In other words you can Sync RoboForm data into your RoboForm2Go loaded on a USB stick, they offer sync program, found that can be tricky, they changed to annual subscriptions after version RoboForm (R) Version 6.10.2 which i paid life use money for, i’ve stuck with that version which wont install in later versions FireFox 3.6 which is a bit of a pain as hotmail (outllook.com) Yahoo and even Google gmail now complain about (FireFox 3.6) but if i update it i’d need to pay annual subscription for the otherwise excellent program RoboForm combined with RoboForm2Go program

Reply | Quote

I agree, although I personally use KeePass.

Most of the sites currently use the e-mail address of the person as username. Therefore, it becomes difficult to really change one’s username every time.
I’d like to know Fred’s recommendations to overcome this issue…

Reply | Quote

I agree that using different passwords for different sites is a way to go. Unfortunately Fred did not attempt to address the issue of reinstalling or moving the saved username/password pair between 1 computer and another one. How could I get my IE/FF/RoboForm data across is the reason why I don’t password manager.

Reply | Quote

I agree that using different passwords for different sites is a way to go. Unfortunately Fred did not attempt to address the issue of reinstalling or moving the saved username/password pair between 1 computer and another one. How could I get my IE/FF/RoboForm data across is the reason why I don’t password manager.

Exactly the same file containing all encrypted passwords has to be available and updated on all my computers and smartphones, 1 – how easily does every of the recommended programs do this? 2- Is it safe to use Google Drive for that aim. ?
3 paying in dollars for software from Europe can only be done by credit-card, I don’t like that. Here in Holland we have a much safer system : I-deal. But that system suppose that banks are willing to work together, unthinkable in US, I fear. It means that only free or european software is possible for me.
Good article, I hope to hear more about it. Ferdinand

Reply | Quote

I agree that using different passwords for different sites is a way to go. Unfortunately Fred did not attempt to address the issue of reinstalling or moving the saved username/password pair between 1 computer and another one. How could I get my IE/FF/RoboForm data across is the reason why I don’t password manager.

That function is built in to Roboform. It synchronizes changes across all devices, and when a new device is added, the initial install of Roboform grabs all the data stored and brings the new device on line, synchronized with all others.

Reply | Quote

I use LastPass not RoboForm, but I wanted to point out that both Firefox and Chrome have easy sync capabilities; changes to your browser on one computer, including bookmarks and add-ins like LastPass, are matched by changes to that browser on your other devices, whichever devices you’ve set up to sync. Creepy maybe, but it has worked seamlessly in my experience. FWIW.

I agree that using different passwords for different sites is a way to go. Unfortunately Fred did not attempt to address the issue of reinstalling or moving the saved username/password pair between 1 computer and another one. How could I get my IE/FF/RoboForm data across is the reason why I don’t password manager.

Reply | Quote

I find it interested that no-one has questioned, either here, in Fred’s article or in the press generally, why Adobe were storing unencrypted passwords. If you only store the encrypted password, as Unix has done for over 40 years, loss of password data is of no consequence. To my mind Adobe have been grossly negligent in their handling of customer data even prior to losing it.

Reply | Quote

I find it interested that no-one has questioned, either here, in Fred’s article or in the press generally, why Adobe were storing unencrypted passwords. If you only store the encrypted password, as Unix has done for over 40 years, loss of password data is of no consequence. To my mind Adobe have been grossly negligent in their handling of customer data even prior to losing it.

All the articles I read said the data was encrypted, both card details and passwords. Fortunately, I don’t have an account with Adobe and have just replaced Reader with
PDF-Xchange viewer (just in time it seems) as what’s more worrying is the theft of Adobe source code.

Eliminate spare time: start programming PowerShell

Reply | Quote

I to have been using RoboForm for many years but didn’t like their ‘Everywhere’ annual subscription fees, so I have been using MS SkyDrive to store my RoboForm data files for my PC and laptop as a work around to RoboForm’s $$$ plan.

Reply | Quote

jyungton,

I also use Skydrive, but RoboForm does make it difficult to do that automatically due to the individual LICENSE.RFO files on each machine. Using a manual sync program such as SyncToy allows you to do excludes for individual files, but Skydrive is all or nothing. At least so far. It is easy to manually run the synchronization, and even schedule it, but I am still looking for a way to do this fully automatically. Have you done this, and if so, how?

Treg

Reply | Quote

Having been burned years ago by a ‘secure’ pass-word manager program, I developed an external method of keeping track of sign-ins and passwords. I use a simple ‘Rolo-dex’ card system with the web-site, user name, and password each on a separate card and in pencil for easier changes. In addition the password uses a ‘date-time’ generation method as part of the password. That way I can tell the age of the password and when it should be changed. The rolodex may be a little inconvenient but I feel more comfortable. Also I do not have to remember any passwords. The only drawback has arisen with mobility. For sites that I plan on visiting, I copy the info to an index card or mini-notebook. If I forget any then I’m out-of-luck. But I’m not all that ‘mobile’, so it isn’t a big deal. I’m part of the Senior-Living group and have finally settled down. Thanks for everything.

Reply | Quote

One thing most people do not do is prioritize the needed security for a site. In the vast majority, you really don’t care. I have about a dozen high security sites, such as brokerages, PayPal, medical, email, etc, with very long, complicated passwords. RoboForm is great for that. The rest, in the hundreds, literally use a username and password which I have been using since 1978. If they were to be compromised, except for annoyance, and perhaps a bit of embarrassment, it just wouldn’t matter.

Reply | Quote

I have used Roboform for years, and am generally happy with it, although it does have one really annoying “feature” they don’t seem to be interested in fixing. One question for the group — does anyone know of an easy way to produce a listing of site name/username/password in clear text, so that I could use Excel to sort and analyze my 573 passwords? Roboform does provide a tool to generate an XML backup file, but all I know about XML is how to spell it.

Reply | Quote

I have used Roboform for years, and am generally happy with it, although it does have one really annoying “feature” they don’t seem to be interested in fixing. One question for the group — does anyone know of an easy way to produce a listing of site name/username/password in clear text, so that I could use Excel to sort and analyze my 573 passwords? Roboform does provide a tool to generate an XML backup file, but all I know about XML is how to spell it.

Lastpass can export to a csv file (amongst others). You have to enter the master password to do this. CSV files can be opened in Excel.

Eliminate spare time: start programming PowerShell

Reply | Quote

“..recognizes the specific site and automatically fills in the sign-in boxes with the correct username and password for that site.”

And there’s the rub.
Kindly explain the ‘ease’ of managing separate accounts for your wife, kids, and others at oh, say — an airline website.
Or a bank. Or brokerage. :^_^:

My ‘rolodex’ is a desktop text file — if I’m suddenly incapacitated, the family has easy access to the latest revisions, and knows how to use them.
/.

Reply | Quote

Interesting article, and timely too. I have been an advocate for the Norton suite of products for years. That is until recently as I learned that Symantec has dropped the ability for you to store your logins and other information (credit cards and personal information) in their “Identity Safe” vault locally. Now, if you want to use this particular feature, it all goes to their cloud servers and is no longer stored locally on your own system. While they claim that this is for the consumers convenience so that a customer can access their information from any computer they use that has access to Norton’s tools, I find this to be a disturbing trend for a company that is supposed to be in the business of keeping your data safe. A recent article on “the guardian” website states that the NSA (US) and GCHQ (UK) have been in “… collaboration with technology companies and internet service providers themselves.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.”

Scary thought, huh?
ref: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Reply | Quote

“..recognizes the specific site and automatically fills in the sign-in boxes with the correct username and password for that site.”

Am I missing something? Doesn’t this mean anyone with my PC who manages to open it will be able to access all the accounts in it?

Reply | Quote

”..recognizes the specific site and automatically fills in the sign-in boxes with the correct username and password for that site.”

Am I missing something? Doesn’t this mean anyone with my PC who manages to open it will be able to access all the accounts in it?

I think that is the main problem with using these password managers. I think I will now:

1) Use a password manager for less important passwords that are not related to finance information. Could be logins to hobby sites, Windows Secrets, news sites etc with no paid subscriptions.
2) Find some kind of small hardware device with a small display that can retain my most important financial passwords. It could be an old phone (not smartphone), but I would prefer something smaller. Anyone know about such a device?
3) Use the one-time credit Card solution suggested and/or the PayPal solution mentioned
4) Use a hardware token where possible and convenient

Reply | Quote

No, the accounts can only be accessed if you (or your “anyone”) can supply the master password. The point of a password manager is not that you don’t have to supply a password but that you have a different password for each account but only have to remember one password.

Reply | Quote

No, the accounts can only be accessed if you (or your “anyone”) can supply the master password. The point of a password manager is not that you don’t have to supply a password but that you have a different password for each account but only have to remember one password.

True but if you use the PC for all purposes you might end up with a keylogger installed unintentionally, and so goodbye security.

Reply | Quote

True but if you use the PC for all purposes you might end up with a keylogger installed unintentionally, and so goodbye security.

Without a password manager, yes, you are totally stuffed if you have a malicious keylogger, even if you keep your passwords on a Rolodex. With a password manager like Roboform it is slightly better because it bypasses the keyboard (or Paste) and therefore the keylogger will not see your account passwords. It is true that the keylogger will see your master password but without another attack vector, for example giving access to your filestore, this would be of no use when the keystrokes are analysed.

Reply | Quote

Without a password manager, yes, you are totally stuffed if you have a malicious keylogger, even if you keep your passwords on a Rolodex. With a password manager like Roboform it is slightly better because it bypasses the keyboard (or Paste) and therefore the keylogger will not see your account passwords. It is true that the keylogger will see your master password but without another attack vector, for example giving access to your filestore, this would be of no use when the keystrokes are analysed.

I was thinking that if a keylogger is installed your pc will also be remotely controlled, but that might not be the case in general. Therefore I saw the master password as the critical security breach.

If you know that a person uses a password manager it must be possible to program a virus to extract the passwords either when the program is used or extract the data every time a form is filled out on the web?

Reply | Quote

I tried or looked very closely at most of these a year or so ago to make my own selection: LastPass (premium). Pretty happy with it but none of these vendors really offer mobile support UNLESS you use their own browser. Effectively for me that just means I don’t use most of my really secure sites on the mobile platforms except for just a few for which I have memorized passwords. Half a loaf is better than none.

Generally when I’m on the iPad or Android tablet/phone I am using Chrome or Safari and looking at/doing multiple things and opening the LastPass browser for a site of interest at that moment just doesn’t fit into how I work. I will freely admit I haven’t used the LastPass browser more generally to see if I could live with it all the time on mobile devices but again, that’s not what I was looking for. Most people want to be secure but we also have our browser likes/dislikes and usually have one we prefer. The issue here may be Apple protecting their turf so Chrome cannot offer plug-ins or even a Bookmarks bar on iOS and most of these work via browser plug-ins. Now I think about it Chrome on Android doesn’t offer plug-ins either…

Reply | Quote

One method not mentioned in this article was what they call a “Freeze” on your credit with all three agencies. There is a charge to freeze with each agency and to unfreeze and it varies by state. I have my credit frozen with all three agencies so it is very unlikely that someone could obtain credit with my Social Security Number or other information. The downside is that you have to unfreeze when you want credit with a new vendor. The unfreeze can be for a specified period of time and then it reverts to frozen and of course you can unfreeze and not go back to frozen. The plus with this method is that you don’t have to pay some company repeatedly for credit reports, watches or whatever. See link for more information:

http://en.wikipedia.org/wiki/Credit_freeze

Reply | Quote

Is it really more secure to use passwords made of completely random strings? Surely the most important factor in making a password hard to guess is its length?

my reasoning is –
* If someone has your passwords in unencrypted form it doesn’t matter how complex they are.
* If they have an encrypted copy the passwords are only as safe as the encryption used
* If they are trying to guess a password, and you have not used an obvious source they can only use a brute force attack

With brute force attacks the most important factor is the password length. To a program trying out random strings an 8 or 10 character string is going to be orders of magnitude harder to guess than a 6 character one.

* avoid dictionary words, (and combinations of them),
* avoid common substitutions

Beyond that a long easily memorable password is always going to be more secure than a short random string eg corkleborkle is better than $%GFrRad and a lot easier to remember!

Don’t get me wrong – I’m a fan of secure passwords, and long time user of Last Pass – but if you *have to* remember passwords length is easier than complexity.

Reply | Quote

Just a question for Woody. If the password manager software fails and is no longer supported, how would you be able to open any of your sites requiring passwords, since you would not know them and could not open your list of passwords from your single access password?

Reply | Quote

Just a question for Woody. If the password manager software fails and is no longer supported, how would you be able to open any of your sites requiring passwords, since you would not know them and could not open your list of passwords from your single access password?

First, no software disappears instantaneously. If a company shuts down, you will still have time to save your passwords in a way that allows you to recover them afterwards. I don’t know about the others, but the password manager I use, LastPass, works even when the app cannot reach LastPass’s server, which means that even if LastPass failed and disappeared overnight, I could still access the browser add-on and use the feature that allows me to export all passwords to a file, from which they can then be accessed.

Reply | Quote

Just a question for Woody. If the password manager software fails and is no longer supported, how would you be able to open any of your sites requiring passwords, since you would not know them and could not open your list of passwords from your single access password?

I mentioned in my earlier post i also use RoboForm2Go program , it is installed on USB, often as necessary I synchronize it with PC-RoboForm passwords. You can load RoboForm2Go program on any PC and log into all your stored sites/passwords leaving no trace files on public or other computer that you use it on.
The versions of RoboForm i use are no longer supported by RoboForm however they are not involved in anyway with my logins, the programs including RoboForm2Go program are stand alone and all you need.

Reply | Quote

I visit several sites, among them Bell Canada and Rogers Cable, that will not accept special characters in their passwords. (You would think that companies in the internet business would know better.) As I understand the password managers, I would not be able to use them for these sites, since I would have set the criteria for all my passwords on the initial installation. Is this correct?

Reply | Quote

I visit several sites, among them Bell Canada and Rogers Cable, that will not accept special characters in their passwords. (You would think that companies in the internet business would know better.) As I understand the password managers, I would not be able to use them for these sites, since I would have set the criteria for all my passwords on the initial installation. Is this correct?

With LastPass, when you click on the password generation link, you have the ability to tell it what characters to use, and length of password. I think it’s annoying as well, that too many companies don’t allow special characters and also limit the password to 10 or even eight characters.

I assume other pwd managers will have something similar.

Eliminate spare time: start programming PowerShell

Reply | Quote

Thanks for the article, Fred.

In about 6 months,
I’ll be moving OUT forever,
– from: Win XP (no more MS security updates as of April, 2014),
– to: Ubuntu Linux v.14.

Here are my 2 Pwd. Mgr. recommendations for LINUX,
which might help other people:

1) The great “LastPass” Pwd. Mgr.
has a Linux version.

I’ve been using it for years under XP,
as a Firefox addon.
So I’m ok there…

2) In the past,
I used “KeePass” in XP, another good alternative.

There are 2 Linux versions available, for “KeePass”:
[a] “KeePass for Linux”,
(created by the author of “KeePass” himself).
http://sourceforge.net/p/keepass/discussion/329220/thread/17d1bd26

“KeePassX”
(recommended by the author of “KeePass” himself).
http://www.keepassx.org/

If anybody has other Pwd. Mgr. suggestions **FOR LINUX**,
pls post here.

Many of us are preparing for April 2014,
to migrate from XP to Linux,
so preparing now is important!

Reply | Quote

I am disappointed by the sparse info on dealing with password management across multiple platforms. Work computers, home computers, mobile devices, public (hotel) workstations.

Reply | Quote

I use DASHLANE, which is also available on most OSes and synchronised on the different platforms. 20$ for 1 year subscription.
Free if you don’t want synchronisation.
Before that, I used Password Memory from CodeAero which is also free but works only on Windows

Reply | Quote

Very interesting article. It makes me rethink some things. My daughter has the final stop-protection. She has a credit card that she uses for online shopping only. Separate bank. She places a limit of $300 on it. If the number gets breached, she’s out $300 until she notifies the bank.

Reply | Quote

Good article. Thanks.

Don’t you find it infuriating that so many site limit passwords to 6-10 or 6-12 characters and forbid the use of non-alphanumeric characters? I always use at least 16 characters with a smattering of symbols. I use 32 characters for securing my password utility!

You should also ensure that your computer has a really strong password for log in: that is probably as important as the password for your bank account!

Reply | Quote

The only problem I have with pass word generators and vaults is logging in on some of my other computers…laptop, tablet, test PC.

Reply | Quote

We do a fair bit of online shopping. They like to save your credit card info so that on your next visit you can do convenient one-click checkout. Over time, several websites saved or stored several of our credit/debit cards. They don’t seem to store the little 3-digit code from the back of the card, but that’s not much comfort. Anyway, we created a free PayPal account and deleted the saved credit cards from those websites. The Paypal option seems safer to us as the website doesn’t store your Paypal info.

Reply | Quote

Depending on your location there are pros and cons. In some jurisdictions you get much more protection with a credit card than with PayPal, especially for larger transactions.

Reply | Quote

I don’t agree. Although I use LastPass, I re-use a small handful of passwords many times over. Thank goodness. Even worse would be to allow LastPass to create a unique and complicated password for each site. Here’s why. Today I attempted to visit a site on my cellphone rather than my desktop computer. LastPass wasn’t there on my cellphone to fill in my info. I didn’t remember it. I was locked out. Arrgghh! Or I might be using a computer away from home. That would require me to log into LastPass first; but that happens so rarely that I don’t remember the main LasPass password (they had a security breach a while ago, and I had to change my password, so I get it confused with my other passwords.) But even on my desktop when I’m fully logged into LastPass, I’ve run into awkward situations. Sometimes there might be a change on a site or for some other reason I’m asked for my password in a popup window instead of the normal place that LastPass knows, leading to another impasse. I have to open another tab, and go to all the trouble of logging into my LastPass vault to find the correct password.

Don’t other people run into these situations? I find password managers convenient, but far from a panacea and by no means a solution for the problem of handling multiple, complicated passwords.

Reply | Quote

One of the best protections for the credit card problem is to get a credit card which allows you to create virtual credit card numbers (both Citibank and Bank of America offer this feature). When making an online transaction, they allow you to give each merchant a unique credit card number. These can be set up with credit limits and expiration dates. They only work with the first merchant making the charge and can be cancelled any time you wish. If the number is stolen, it can be cancelled without the need to get a whole new card but can’t be used anyway. All the charges show up on your regular card statement with a note of the virtual account number used.

Reply | Quote

It seems to me that the vast majority of security breaches have been due to stolen or hacked into password lists from various sites as well as wi fi snooping of some stores, not the strength of the password. It seem to me not using the same password on different sites is more important than the strength of the password itself.

Jerry

Reply | Quote

Have a look at this http://www.itnews.com.au/News/352619,chrome-firefox-store-saved-passwords-in-plain-text.aspx.
R

Reply | Quote

Hi All

My question may have been covered but I cant seem to find it, If it has been covered my apologies. The question I have with the random generated passwords kept on a password manager installed on your computer is a computer failure. If the hard-drive crashes and you cant retrieve any data is the passwords lost, and if not how can they be retrieved.

cheers

Alan

Reply | Quote

Hi All

My question may have been covered but I cant seem to find it, If it has been covered my apologies. The question I have with the random generated passwords kept on a password manager installed on your computer is a computer failure. If the hard-drive crashes and you cant retrieve any data is the passwords lost, and if not how can they be retrieved.

cheers

Alan

First, you should never ever find yourself in a situation like the one you described. That’s what backups are for. We strongly recommend a backup regimen that includes imaging, so that you can recover your data and your system, in case of disaster.

I use LastPass. LastPass encrypts all my data (passwords, secure notes, etc) and keeps an encrypted copy in their servers. Like that you can recover everything in a disaster scenario such as the one you described.

Reply | Quote

The first hing you should do is check if your password manager is an installed program on your computer (under Start / All Programs) or if it’s installed as an add-on or “extension” on your internet browser.

As far as i know, password managers that are installed as a browser extension / add-on will keep all your passwords backed up on their encrypted servers on the internet. That way they are accessible to you from any computer that has the browser extension / add-on installed. This means that if you restore or replace your failed computer and install the password manager afresh all your passwords, etc. will be available.

Regarding a password manager program installed only on your computer and not on your web browser (rare!), you should look in Settings or Options or Preferences of that program to make sure you can save a copy of all your passwords onto a USB flashdrive or onto a recordable CD or onto an external hard drive for safekeeping.

I use the free add-on / extension LastPass. When using our laptop instead of the desktop PC, LastPass still works because the passwords are available whenever i’m on the internet.

For banking and credit card, however, i still use memorized usernames and passwords. Call me old-fashioned but, hey, it’s only a couple of websites to remember …

Reply | Quote

I use Lastpass, but it is difficult when sites (such as my UK banks) require several levels of log in and security information.

Also, several of those bank sites use an on screen keyboard that requests random characters from a password. I have not found a way for Lastpass to handle this situation.

Reply | Quote

I use Lastpass, but it is difficult when sites (such as my UK banks) require several levels of log in and security information.

Also, several of those bank sites use an on screen keyboard that requests random characters from a password. I have not found a way for Lastpass to handle this situation.

When the bank mandates the use of the virtual keyboard, I think there likely is really no safe way for LastPass to handle the situation. If it could it could interfere with that, malware would likely be able to do it, as well. So, in such cases, you need to use the virtual keyboard and maybe resort to LastPass to be reminded of the password, if you don’t have it in memory.
There are also other cases where LastPass simply is unable to insert the login details, even when there are no virtual keyboards. I have seen a few. In those cases, you can still copy the username and password, separately and add them to the login dialog. It’s not that pleasant, I agree. No apps are perfect, but I find LastPass to be a very valuable help, even with these infrequent situations where it doesn’t behave as we would like it to.

Reply | Quote

When the bank mandates the use of the virtual keyboard, I think there likely is really no safe way for LastPass to handle the situation. If it could it could interfere with that, malware would likely be able to do it, as well. So, in such cases, you need to use the virtual keyboard and maybe resort to LastPass to be reminded of the password, if you don’t have it in memory.
There are also other cases where LastPass simply is unable to insert the login details, even when there are no virtual keyboards. I have seen a few. In those cases, you can still copy the username and password, separately and add them to the login dialog. It’s not that pleasant, I agree. No apps are perfect, but I find LastPass to be a very valuable help, even with these infrequent situations where it doesn’t behave as we would like it to.

I agree with you about LastPass. I use it all the time, although I’ve found one or two sites that won’t even allow a password to be pasted into their dialog boxes. Still, LastPass works perfectly with 90%+ of the sites I’ve accessed.

Reply | Quote

I use Lastpass, but it is difficult when sites (such as my UK banks) require several levels of log in and security information.

Also, several of those bank sites use an on screen keyboard that requests random characters from a password. I have not found a way for Lastpass to handle this situation.

My bank website is like that, too. If you wish, you can create an entry for the website then use the edit/comments/other info box for that website in the LastPass “Vault” to make notes on the security steps. When you go to sign in at the website you can also open the LastPass Vault and there’s your notes to help you sign in. As mentioned previously, i still prefer to memorise the bank and credit card sign-in info rather than trust any[/I] password manger program. But, hey, if you have a bunch of sensitive places to sign in like banks, etc. then how do you remember them all? If you only access those websites when you’re at home you could write down all the sign-in stuff on a piece of paper and keep it in your desk …. if you feel your desk is safe and secure!

Reply | Quote