How password security will change in 10 years!

Passwords are going out the Window!

We’ve seen in the past where people have used such words as ninja, jesus, 12345678, and password! I’ve talked about LastPass in the past and I really believe they are the best possible combination of the two. With the recent questions about password length and password strength, I have come to the conclusion that in the coming years people will be using three-factor authentication and keeping passwords as a backup. It really would be nice to have two ways to authenticate and not have to put in a password.

3 factor authentication!

Three-factor authentication is a simple concept. Since we have a password, we can simply use two other ways to authenticate, for example a cell phone and maybe a YubiKey. The password will be the backup for one or the other. If you lost your phone and still needed to authenticate, your password would be the one you can use in an emergency. Thus it really becomes two-factor authentication, but since we could use all three to authenticate, it would make it that much harder for a hacker to brute force an attack and get your sensitive data.

2 factor authentication!

Although most people don’t think of this, having a limited number of ways to access the important data can make it just that much harder and maybe get the hacker to go somewhere else. What about social networks? Do we really need that for social? I am thinking maybe, and it just depends on how you log in in the first place. I would love most of them to let me authenticate with Google and come back to them, but that leaves a large hole. It just depends on how valuable your social status is and what the possible outcome of someone getting hold of that social network would be.

Elite passwords!

Some would call it “leet” speak, and I’ve heard people say this is something we should do in regards to making a password. I tell you now, we already have a list of the 2,000 most common passwords and I am betting it has some really good leet passwords already. So what stops a hacker from trying those to hack your account? I would think these would be tried right after the primary list, just because this would also be the easiest way to gain access to an account.
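As an added example (not from the original post), here is a Python check of the kind a signup form could run: it undoes common leet substitutions and strips trailing decoration before comparing against a common-password list, so “P@$$w0rd!” is caught as “password”. The short password list and the substitution table are constructed stand-ins for a real list.

```python
import re

# Constructed stand-in for the "2,000 most common passwords" list the post mentions.
COMMON_PASSWORDS = {"password", "jesus", "ninja", "12345678", "letmein", "qwerty"}

# Common leet substitutions mapped back to the letter they stand for (assumed table).
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t", "|": "l",
}


def normalize_leet(password: str) -> str:
    """Lowercase and undo leet substitutions: 'P@ssw0rd' -> 'password'."""
    return "".join(LEET_MAP.get(ch, ch) for ch in password.lower())


def strip_decoration(word: str) -> str:
    """Drop leading/trailing digits and punctuation: 'password123!' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word)


def candidate_forms(password: str) -> set:
    """All the base words a cracker's rule set would derive from this password."""
    low = password.lower()
    core = strip_decoration(low)          # strip first so a trailing '!' is not read as 'i'
    return {low, normalize_leet(low), core, normalize_leet(core)}


def is_common_variant(password: str) -> bool:
    """True if the password, or its de-leeted base word, is on the common list."""
    return any(form in COMMON_PASSWORDS for form in candidate_forms(password))
```

A password that fails this check should be rejected outright; a cracker's rule set applies exactly these transformations to the same wordlist.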

In Ten years!

I am pretty confident that in ten years we will see something like this happen and we will no longer be depending on a system that was developed in the late 1990’s. We have to be ready for change and keep at it. I just hope it happens sooner rather than later and that most companies jump aboard and help us get this implemented. I don’t know how hard this will be, but it will be nice to not have to worry about a password anymore with my bank or other financial institution.

Paul Sylvester

Rogue Fake Codecs on the Rise

Panda Labs has been talking about Adware/VideoPlay and they are seeing a lot of variants of it. They even play a game: find the difference in the installation screens:

Now as you can see, this looks to be the same agreement in all those different installations. Something to consider: never install any software from a website that you don’t know anything about.

Panda Labs also talks about these new variants in regards to what they do:

This file spreads by making copies of itself in the removable drives and it also creates an autorun.inf in order to be run when they are accessed. This file collects the data stored in the browsers, such as cookies, passwords, profiles, email accounts, etc, and connects to a remote address to send the information.
[Via Panda Labs Blog]

As you can see, this leaves you with very little security on your system. I talk about identity theft, and why you should always worry about your identity. This, however, will make your passwords less secure and maybe even compromise your system to the point of having a data breach. You need to be careful when you come across this; some fake codecs have been known to be scareware, in which the fake codec installs a Trojan that tells you you have a virus and tries to make you buy a fake program to get rid of it. In one of my recent posts about codecs and Facebook, I talked about the K-Lite Mega Codec Pack and how that will prevent you from installing these sociable links from friends and family. The nice thing about this pack is it installs all the really good codecs that you might come across on the web. If you have this installed and there’s a website that says you need a special codec, you’d know that it is either a fake codec or the author who made the video doesn’t use a standard format. In which case you will be more willing to leave that site without installing that codec.

If you follow these steps and also consider installing an anti-virus and a firewall, you will be in much better shape than when you first started out. Remember, only you can prevent yourself from getting a virus. You should also consider doing the registry edit that will prevent Autorun. As you can tell, these new variants are also spread through USB and other removable media. This is the other way these programs are using to infect other systems.
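An added example (not from the post or from Panda Labs): a small Python triage that parses an autorun.inf of the kind these variants drop on removable drives and flags every entry that would launch an executable when the drive is opened. The sample autorun.inf is constructed to mirror the behaviour the post describes.

```python
import configparser

# Constructed sample: the malware copies itself to the drive and points the
# autorun launch entries at that copy, while 'action=' makes the prompt look
# like Explorer's normal "open folder" option.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
LAUNCH_KEYS = ("open", "shellexecute")   # keys Windows uses to start a program


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a lowercase key -> value dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    return dict(cp["autorun"]) if cp.has_section("autorun") else {}


def suspicious_entries(entries: dict) -> list:
    """List the entries that would run an executable from the removable drive."""
    findings = []
    for key, value in entries.items():
        launches = key in LAUNCH_KEYS or key.startswith("shell\\")
        target = value.split()[0].lower() if value.strip() else ""
        if launches and target.endswith(EXEC_EXTENSIONS):
            findings.append(f"{key}={value}")
    if findings and "action" in entries:
        findings.append("action text masquerades as a normal Explorer option")
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(parse_autorun(SAMPLE_AUTORUN_INF)):
        print("suspicious:", finding)
```

The registry edit the post refers to is the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF disables AutoRun for all drive types); the parser only tells you what would have run.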

Admins are shaking in their boots due to the MS09-001 patch

I have to talk about this because it is a big deal. According to Techworld, and I’ll quote:

“This one scares me – a lot,” says Eric Schultze, CTO of Shavlik Technologies. “It is a lot like Blaster and Sasser. It is the same exploit vector. If I am an attacker and I can touch NetBios then I can execute code with no credentials.”

[via Techworld]

Now this is due to what is happening with an update that came out a few months ago, MS08-067, which people still haven’t patched their systems with. According to F-Secure, the Downadup/Conficker infection has grown overnight by a million computers.

Now why are they scared of the recent patch (MS09-001)? Because of so many vectors of infection, and you don’t need any credentials. The virus does not need to know any passwords or user names to gain access. Just like the Downadup variant that is hitting the internet right now, this virus tries to access accounts by guessing weak passwords or even putting itself on flash drives or other mobile media to get other systems infected.

So why are admins scared over this new patch?

Most companies don’t patch their systems as quickly as Microsoft would like them to. You see, most companies have quite a few computers; depending on the size of the company it could be quite a lot. So many, in fact, that it would take several IT personnel just to keep the systems going.

So why don’t they just put the new patches on the systems?

Depending on the size of the company and what they do has a lot to do with whether they update their systems. Some use really specialized programs or have a network running that is vital. Even the smallest update to the system could bring the network or the program down. Most companies like to test it out on a test machine for a while to make sure that the patch doesn’t prevent the business from doing business. Here are a few articles that prove why companies do not want to just install patches automatically:

Some companies are using older systems like Windows ME or other older Windows operating systems. Although there isn’t anything we can do about those, because Microsoft has stopped supporting them with updates and all. I know we are all thinking the same question:

Is there a way to fix the problem with Windows Updates?

I personally don’t have an answer, but I am sure hackers will find ways to exploit code so they can get on your system some way. I’ve recently read a story about an adware author and now I understand even more about why people do all of this.

This is one of the questions every admin has to ask themselves: how do we update all of the systems we are responsible for? There are no easy answers to this.

Old phish becomes new again

According to some reports, this phishing has started up again and has now changed its web address a little, and when you go to the site it looks like:

Twitter Phish spam

If you sign into this website with your Twitter account information, it sends out a direct message with these links in it: rosalierebyb.blogspot.com redirects to http://twittyblog.access-logins.com/login, and the only way you can fix this is to CHANGE YOUR PASSWORD.

I’d also suggest getting a password manager, so if you use just one password for all accounts you will easily be able to change them and make the passwords much harder to hack. You do not want your passwords stolen, do you? I suggest Roboform; it works really well for password management.

Reviewing Roboform: Great Password Manager

I’ve had Roboform for the last few months, checking it out, working with it and seeing what its pros and cons are. Here’s what I’ve found out.

Limited number of passwords for non-license (limited to 10 passcards – login information and password) — This doesn’t surprise me; in fact, once I’d started using it I had to buy it. You see, I’ve got so many places I like to visit and so many logins that it isn’t easy to track them all. This helps me log in to each and every one of them very easily. Although if you only have a limited number of sites, the free version will work well for those people too.

Defeats key loggers — This is good for those who have family members who use the same computer, just in case someone installs a virus that tries to steal your sensitive information. It can be put on a portable thumb drive for use at a library or on open platforms. This also will prevent key loggers from getting your login information.

Generates strong passwords — This is a must in my field; I’m so tired of having to come up with a password. Now it is generated on the fly. Click a button and you have a password generated. I tried this out on several sites that tell you how strong a password is, and all of them said excellent.

Works with Firefox, Internet Explorer, and MSN/AOL — Now being that I don’t have MSN or AOL I do not know about those; I have however tried this on Internet Explorer and Firefox very easily. It works well with Vista, no major problems. I have tried it with Google Chrome and it seems not to work at all with it. I do not know if they will start supporting it, and only time will tell!!

Backing up your passwords — It is really easy to back up your password database in Roboform. Just copy and paste and you’re done. No need to find a hidden directory; the Roboform database for Vista is in the My Documents folder under the “My Roboform Data” folder. All you need to do is copy that to a USB key and no worries: Roboform automatically encrypts the passwords, so without the master password you can’t use them.

No need to remember passwords — Yes, that is right, you no longer have to worry about remembering your passwords; all you have to do is click a button and Roboform fills the required input forms. It can be annoying if you use the free version, because you can only save 10 passwords and then the rest you will have to remember.

Easily speed through login screens — This is the best part of Roboform, because there is no more having to type in the site you need to go to log in. Roboform does that for you without any problems. You just pick where you want to go and Roboform takes you through and fills the information in before you know it. I absolutely love this feature because you don’t have to type in the place you want to go; it will automatically take you there.

Roboform has several versions — Roboform can be made portable and also be put on PDAs (Personal Digital Assistants) or a mobile phone (Windows Mobile, Palm, Symbian, or BlackBerry). This is great for those who need to have their passwords on more than one type of device. It keeps them safe like big brother; you still need a master password to get to them. It also makes it just as easy to surf to the important websites with ease.

Download Roboform:

To Buy Roboform:

I strongly recommend this to anyone who has problems remembering passwords or wants to upgrade their passwords to the next level. This will ultimately protect you far better than trying to remember all your passwords. This however is a personal choice, and it will not protect you 100%, but it will get far closer to 100% than just doing it alone. Remember, only you can protect your sensitive data and nothing else can stop password stealing 100% of the time.