At a client’s office this week, one of the IT Professionals had an interesting idea. He can configure two-step logon to contact him, not the consultant, for login verification.

If you configure this at your office, here is how it would work: First, the consultant would enter their username and password to login to your network. Then, an app on your smartphone would indicate that the outsourced consultant is trying to gain access. Then, you will be able to choose to allow or deny the consultant’s login attempt.

This IT Professional wants to know, in real-time, when someone is attempting to log on to his network. If you use this arrangement, you will have the capability to permit them or deny them access each and every time.

It is an interesting idea.

The post A Way to Control Consultant Access – Every Time appeared first on Foster Institute.

You’ll enter a username, and your phone will buzz to ask you if it is really you who is attempting to log in. Just keep your phone with you, and passwords may be a thing of the past.

But protect your phone so that an unauthorized person doesn’t gain access to it. Would you be willing to risk it? At least nobody thousands of miles away would come to steal your phone. But what about someone else in your office that gains access to your phone and approves a bogus logon so they could do you harm?

The obvious less convenient, but more secure, solution is two-step logon where you enter a user name and password, then your phone buzzes asking you to confirm. Someone else stealing your phone won’t help them at all, as long as they don’t know your password too.

The post No More Passwords appeared first on Foster Institute.

First, never put your most sensitive passwords into any password manager. That means passwords to your banks, online trading accounts, and any other websites that aren’t worth exposing to any increased risk. More information here: Passwords are Difficult to Remember

Second, always enable the two-step login process on your password manager. An example of this solution: You enter a username and password into a website, and then your mobile phone buzzes and tells you to enter the code such as 777888 to complete the login process. That way, even if an attacker learns your password, they will need to have the device you are using for two-step login. In this example, an attacker would likely need to steal your mobile phone too before they could log on, even if they know your username and password. Unless someone in close proximity to you is a member of the group that hacked LastPass, then they might need to travel a long way in order to steal your phone from you.

With the LastPass breach, as of this moment, LastPass thinks that the hackers stole passwords, but that the passwords are all encrypted. They think that, as long as an attacker doesn’t know your password to LastPass, then the attacker won’t be able to use your passwords at any of your protected sites. In addition, if you use two-step login on LastPass, you are quite possibly protected even if the attacker does learn your LastPass password.

If you receive an email that appears to be from LastPass instructing you to “Click Here to Reset Your Password”. Do not click; it might be a trick.

Password managers are very helpful. They speed up workflow and prevent problems such as a user using the same password at more than one website. When using a password manager, just be sure to follow the two steps above. Be selective when choosing what passwords to store, and enable two-step login. Find more information about how to handle passwords here: What to Do About Your Passwords

Forward this to everyone you know who uses a password manager. Additionally, forward it to everyone you know who is not using a password manager – they probably should be using one; just be sure they follow the guidelines above.  Thank you for helping keep the world a safer place to live and work!

Password Managers and Two Step Logins

After the LastPass announcement, many readers have reached out with questions about password managers and about two step login. Important points:
First: Just because LastPass discovered, and announced their breach, does not mean that other password managers aren’t breached as well.

Second: You enabling and configuring two step logon to LastPass, or any other password manager, is intended to make authenticating to that password manager more secure. That strategy is designed to make it more difficult for an attacker to be able to use your password manager to discover or use your passwords to websites.

Remember, a password manager’s function is to store your passwords for you so that you do not need to type those passwords into websites.

Password Managers are designed to be a tool that provides more of a convenience than security. A password manager also makes it easier for you to use secure password habits. For example, you can use different passwords for each of your websites rather than using the same password on multiple sites, without you needing to remember all of your passwords.

Keep in mind that an attacker could potentially learn your passwords in other ways too.

Therefore, you still need to enable 2-step logon on sites too. Websites such as PayPal, DropBox, GoogleApps, and the many others support two step logon. Now, no matter how an attacker learns your password, the two step login on specific sites is designed to help protect you from bad guys attempting to authenticate to those sites using your password.

Third: Configuring a password manager, or a website, for two-step logon will hopefully be an easy process. However, if you run into difficulty, don’t give up. Enlist the assistance of someone e-savvy who has experience setting up the two-step logon. Alternatively, you might choose to contact technical support.

Most likely, everything will go smoothly when you follow the instructions. If you decide to search Google for answers to any questions that you have about configuring two step logon on websites and for your password manager, be sure to use Google’s search tools to restrict the search to recent postings. Finding new instructions obviously works better than following instructions, without your being aware that they are old, outdated instructions that do not work.

Please post your comments below…

The post LastPass Password Manager Hacked appeared first on Foster Institute.

Both Google and Microsoft strive to have great security. In most cases, the weak spot in security won’t be within Google or Microsoft itself. You’ll want to have great protection for the computers and connections that link the human user to the cloud service.

One of the best things you can do with Google and Microsoft is to enable two-step logon. That way, when someone learns one of your organization’s passwords, the unauthorized user will likely experience great difficulty using that stolen password.

An example of this solution: You enter a username and password into a web site, and then your mobile phone buzzes and tells you to enter the code such as 777888 to complete the login process.

Now an attacker, even if they know your password, would need to steal your mobile phone too before they could log on with your username and password. Obviously, if the attacker is in another city, then it is more difficult for them to steal your phone.

Drop Box, PayPal, Google Apps, Microsoft, and many other sites already support multi-factor authentication – you just have to “turn it on.” See https://www.google.com/landing/2step/ to set up your Google account’s 2-step verification.

The post Is Google Apps or Microsoft 365 more secure? appeared first on Foster Institute.