Password managers are very helpful since they make it so convenient to be secure, and can greatly simplify and speed up the login process at websites. Many people feel password managers are worth the risks, especially when the risks can be minimized as summarized below:

First, as you can see, there is no guarantee that password managers are perfect. Never store super-sensitive passwords into your password manager. Store them in your head.

Second, enable two-step verification on all websites. Then, if an unauthorized person obtains your password, they will have a difficult time logging in, if they cannot perform the second step.

Third, one of the ways to launch the exploit involves tricking the user into clicking a link, such as a link in an email message, or getting a script to run on a web page as the user visits the page. Using click-to-play can greatly minimize those risks.

To learn more about the first two, see last week’s newsletter posted at www.fosterinstitute dot com/blog/your-iphone-and-ipad-are-in-danger. Never mind the title; the content addresses the first two steps listed above even if you use Windows or Android.

As for the third point, we’ll cover click-to-play next week, or you can simply google those terms and get started right away.

The announcement came from LastPass, and don’t panic if you use it. LastPass says the exploit is very difficult for an attacker to use, but not impossible. Resetting your passwords is not going to help, yet. Only after LastPass develops a patch, and then only when LastPass on your computers are patched. LastPass said this only affects users using the LastPass extension in Chrome, but that researchers have used the exploit in other browsers too. Email us if you want more technical details.

Please forward this to anyone you know who may use a password manager or lets their browsers remember their passwords.

The post Alert – A Popular Password Manager Has Serious Security Flaw Right Now appeared first on Foster Institute.

I know – it would be so easy to blame Google. Those passwords were gathered from other “stolen password repositories” posted on the dark-web. They were originally acquired through key-loggers, social engineering, brute-force attacks, and a myriad of other ways. None of them, so far as anyone can tell, were stolen by bypassing any security on Google’s systems.

Once upon a time, imagine a situation where a company called Eulcon Inc. buys a lock from a company named Good-Lock. If an employee at Eulcon Inc. loses the key, and an attacker finds the key, and the attacker breaks into Eulcon, should they blame Good-Lock for the intrusion?

Here is what would be much more secure. What if, every time someone turned the key in the lock at Eulcon, the lock wouldn’t open yet. First, someone at Good-Lock would phone the person at Eulcon to whom the key is registered, in order to verify that they are the person who turned the key. The lock would only open for an authorized person. Potential intruders stay locked out.

This is why it is so important that all organizations set up two step login everywhere possible. Two factor auth dot org provides a list of services that support two step login. Additionally, VPNs, Windows, and other services support two step login. Configure two step login, or pay the consequences. And don’t blame Good-Lock. And don’t be like Eulcon spelled backwards.

Please forward this cyber-security info to everyone you care about.

The post Why is it not Google’s fault? appeared first on Foster Institute.

First, never put your most sensitive passwords into any password manager. That means passwords to your banks, online trading accounts, and any other websites that aren’t worth exposing to any increased risk. More information here: Passwords are Difficult to Remember

Second, always enable the two-step login process on your password manager. An example of this solution: You enter a username and password into a website, and then your mobile phone buzzes and tells you to enter the code such as 777888 to complete the login process. That way, even if an attacker learns your password, they will need to have the device you are using for two-step login. In this example, an attacker would likely need to steal your mobile phone too before they could log on, even if they know your username and password. Unless someone in close proximity to you is a member of the group that hacked LastPass, then they might need to travel a long way in order to steal your phone from you.

With the LastPass breach, as of this moment, LastPass thinks that the hackers stole passwords, but that the passwords are all encrypted. They think that, as long as an attacker doesn’t know your password to LastPass, then the attacker won’t be able to use your passwords at any of your protected sites. In addition, if you use two-step login on LastPass, you are quite possibly protected even if the attacker does learn your LastPass password.

If you receive an email that appears to be from LastPass instructing you to “Click Here to Reset Your Password”. Do not click; it might be a trick.

Password managers are very helpful. They speed up workflow and prevent problems such as a user using the same password at more than one website. When using a password manager, just be sure to follow the two steps above. Be selective when choosing what passwords to store, and enable two-step login. Find more information about how to handle passwords here: What to Do About Your Passwords

Forward this to everyone you know who uses a password manager. Additionally, forward it to everyone you know who is not using a password manager – they probably should be using one; just be sure they follow the guidelines above.  Thank you for helping keep the world a safer place to live and work!

Password Managers and Two Step Logins

After the LastPass announcement, many readers have reached out with questions about password managers and about two step login. Important points:
First: Just because LastPass discovered, and announced their breach, does not mean that other password managers aren’t breached as well.

Second: You enabling and configuring two step logon to LastPass, or any other password manager, is intended to make authenticating to that password manager more secure. That strategy is designed to make it more difficult for an attacker to be able to use your password manager to discover or use your passwords to websites.

Remember, a password manager’s function is to store your passwords for you so that you do not need to type those passwords into websites.

Password Managers are designed to be a tool that provides more of a convenience than security. A password manager also makes it easier for you to use secure password habits. For example, you can use different passwords for each of your websites rather than using the same password on multiple sites, without you needing to remember all of your passwords.

Keep in mind that an attacker could potentially learn your passwords in other ways too.

Therefore, you still need to enable 2-step logon on sites too. Websites such as PayPal, DropBox, GoogleApps, and the many others support two step logon. Now, no matter how an attacker learns your password, the two step login on specific sites is designed to help protect you from bad guys attempting to authenticate to those sites using your password.

Third: Configuring a password manager, or a website, for two-step logon will hopefully be an easy process. However, if you run into difficulty, don’t give up. Enlist the assistance of someone e-savvy who has experience setting up the two-step logon. Alternatively, you might choose to contact technical support.

Most likely, everything will go smoothly when you follow the instructions. If you decide to search Google for answers to any questions that you have about configuring two step logon on websites and for your password manager, be sure to use Google’s search tools to restrict the search to recent postings. Finding new instructions obviously works better than following instructions, without your being aware that they are old, outdated instructions that do not work.

Please post your comments below…

The post LastPass Password Manager Hacked appeared first on Foster Institute.