What’s the big deal with hashing, and why should I care?



Hashing algorithms have been in the tech news a lot lately. What are they and why is everyone trying so hard to break them?

The latest news concerns the SHA-1 algorithm, which has been declared dead now that a team of researchers from the Centrum Wiskunde & Informatica (CWI) institute and Google Research have found a way to create two documents containing different content that generate the same hash. In crypto terms, this is called a collision.

This is big news because about 20% of websites that use certificates still rely on certificates signed with SHA-1. If yours is one of them, your administrators have some scrambling to do.

Let’s back up and briefly explain what hashing is, how it differs from encryption and why collisions matter. A hash function takes input of any length (a document, a file, a password) and turns it into a fixed-length string of seemingly random characters called a digest. The same input always produces the same digest, nothing about the digest reveals the input, and changing even one bit of the input produces an entirely different digest. When a hash is used to store passwords, the system adds one more step: it generates a random string of data called a “salt”, attaches it to the front or back of the password, and runs the combination through the hash algorithm. The salt is not part of the hash algorithm itself; it is what keeps two accounts with the same password from ending up with the same digest.

The authentication system then stores the salt and the digest instead of the password. On every login attempt, the stored salt is applied to the password that was entered and the resulting “salted hash” is compared to the one stored in the password table. If they match, the password is accepted and access is granted. If they don’t, the password is rejected.

The beauty of salted hashing is that password authentication works without the password itself ever being stored. Once the salted hash is created, the password can be thrown away. Anyone who steals the password file gets only gibberish that cannot be reversed back into passwords*. Even if multiple accounts use the same password, the randomly generated salts ensure the stored hashes differ, so a thief cannot spot shared passwords or run one precomputed table against every account at once. One caveat matters here: a salt does not stop a thief from guessing passwords one at a time against each hash, so the stored value should come from a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) rather than a single pass of a fast general-purpose hash such as MD5 or SHA-1, which commodity GPUs can evaluate billions of times per second.

So why does this matter to you? A hash function is only useful if nobody can find two different inputs that produce the same digest; such a pair is called a collision. Collisions must exist in principle, because a fixed-length digest cannot represent every possible input, but a sound hash function makes finding one computationally infeasible. Once someone can manufacture collisions at will, anything that relies on the digest standing in for the document (a digital signature on a certificate or a software update, for instance) can be tricked into accepting a substitute. That’s why security researchers work so hard to find weaknesses that make collisions practical. The thinking is that if the good guys find a weakness first, they can warn everybody before the bad guys have a chance to do any damage.
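What a collision concretely looks like, and why digest length decides how hard one is to find, as an added example that is not code from the original post and not a real SHA-1 attack. It keeps only the first few bits of a SHA-256 digest so that the digest space is small enough to exhaust by counting; the birthday bound it checks against is the generic cost that a full-length digest is meant to put out of reach:

```python
import hashlib
import math
from typing import Tuple

# Example construction: SHA-256 has no known weakness, so we shrink its output
# to `bits` bits to make collisions findable by generic search. The number of
# attempts grows as roughly 2**(bits/2), the "birthday bound".


def truncated_digest(message: bytes, bits: int) -> int:
    """SHA-256 of message, keeping only the leading `bits` bits as an integer."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def expected_attempts(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) random inputs before two share a digest."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, prefix: bytes = b"document-") -> Tuple[bytes, bytes, int]:
    """Generic birthday search: hash distinct candidate messages until two share a
    truncated digest. Returns (message_a, message_b, attempts)."""
    seen = {}  # truncated digest -> first message that produced it
    attempts = 0
    while True:
        attempts += 1
        candidate = prefix + str(attempts).encode()
        digest = truncated_digest(candidate, bits)
        if digest in seen:
            return seen[digest], candidate, attempts
        seen[digest] = candidate


def is_collision(a: bytes, b: bytes, bits: int) -> bool:
    """True if a and b are different inputs with the same truncated digest."""
    return a != b and truncated_digest(a, bits) == truncated_digest(b, bits)


def full_digests_differ(a: bytes, b: bytes) -> bool:
    """The untruncated SHA-256 digests still differ: truncation created the collision."""
    return hashlib.sha256(a).digest() != hashlib.sha256(b).digest()


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, n = find_collision(bits)
        print("%2d-bit digest: collision after %d attempts (birthday bound ~%d): %r vs %r"
              % (bits, n, expected_attempts(bits), a, b))
    # Scaled to SHA-1's 160 bits the bound is about 2**80 attempts. The CWI/Google
    # attack needed about 2**63 SHA-1 computations instead, by exploiting the
    # algorithm's internal structure rather than counting.
```

Doubling the truncation from 16 to 32 bits multiplies the search by roughly 256, which is the whole argument for long digests; a cryptanalytic break is precisely a way to beat that scaling.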

Researchers first published a practical collision in SHA-1’s predecessor, MD5, in 2005. The method was not brute force but cryptanalysis of MD5’s internal structure, and refinements soon produced two different inputs with the same MD5 digest in as little as one minute on an ordinary laptop.

At that time, SHA-1 was suspected of having similar weaknesses, but no one had actually produced a SHA-1 collision. That changed in February 2017 with the publication of a paper by CWI and Google Research describing in detail how a collision had been constructed.

Bottom line: If your systems still rely on SHA-1 or MD5 to sign or verify anything (certificates, code, documents), a forged substitute can now be made to pass as genuine. And if they use either one for password storage, a stolen password file can be cracked far faster than one protected by a modern, slow password hash. Either way, plan the migration now.

You might wonder why these vulnerabilities are being discussed more than a decade after their existence first came to light. The answer is part technology, part human nature.

Switching from one hashing algorithm to another isn’t a trivial task. There are issues of backward compatibility with systems that use old hashing algorithms. Administrators must, in effect, catch every instance that uses the old algorithm and modify it. It’s time-consuming drudge work, and it’s tempting for busy admins to work on more pressing projects.

Then there’s the risk/reward tradeoff. The CWI/Google team said they spent 6,500 years of CPU computation and 110 years of GPU (graphics processing unit) computation on the two phases of the SHA-1 attack, and estimated that renting equivalent computing power from Amazon Web Services would cost about $110,000. Since only the most determined and well-funded criminal enterprises or governments would commit those kinds of resources, it’s tempting to just hope for the best. Now that the method has been published, however, cheaper and smarter attacks will follow, which is exactly what happened with MD5.

Even patches for severe vulnerabilities can take years to percolate through the user community. As recently as mid-2015 there were reports that MD5 was still in widespread use. When 200 million Yahoo credentials went up for sale online last summer, it turned out they had been protected with MD5. That breach occurred in 2012, seven years after the first MD5 collisions were reported.

In other words, things don’t change nearly as quickly as we would like to believe. That’s why vendors are pushing the issue this time. Google said it will publish the source code for creating a SHA-1 collision next month, along with protections for Gmail and G Suite users that detect the collision technique. Security experts recommend moving to the SHA-2 family (SHA-256, SHA-384, SHA-512) or SHA-3.

Ask your email administrator which hashing algorithm your company is using. If it’s SHA-2 or SHA-3, you’re in good shape. If you’re greeted by a blank stare, well, you have bigger problems.

*If you think hashing sounds a lot like encryption, you’re right. The mechanics are similar, but the intended outcomes aren’t. Encrypted data is meant to be decrypted later by whoever holds the key, which is why keys exist. Hashed data is one-way by design: there is no key, and nobody is ever supposed to recover the input.


Password Myth Busters



Think you know it all when it comes to passwords and protecting your digital life? Guess again. As the saying goes, it’s what you don’t know that can hurt you. Below are some popular myths about passwords and digital security, busted for you.

Myth: Most people exercise reason and caution in securing their digital devices and Website access with good passwords.

Reality: Nearly one in five people use the same password, many of them on multiple devices: 123456. That is the conclusion of an analysis of 10 million passwords exposed in data breaches during 2016. The second most common? 123456789. A close third is qwerty, the first six letters on a standard keyboard. Don’t expect much help from websites, which could enforce tougher password policies if they wanted to but worry that the friction would slow site traffic. Good password hygiene is up to you.

Myth: Passwords are becoming outmoded and old school, easily replaced by more snazzy technologies and techniques.

Reality: In the words of international security expert Per Thorsheim, “Everyone who predicts the death of passwords next year will be wrong again, just as they have the past 10 years.” It’s not that the industry hasn’t tried to retire tried and true passwords to protect your digital life. There are patented, wearable devices for wrist vein recognition; a ‘selfie’ that identifies you by the size of your body parts (just don’t gain/lose weight); iris scanning (hold the contacts); even a notion for a swallowable ‘pill’ that is powered by stomach acid and which emits signals to sensors in digital devices. Or – you can just get yourself a great free password management solution that creates nearly uncrackable passwords for each device and site you enter, and remembers them all for you.

Myth: There’s no need to reset the factory-installed passwords in digital devices like baby monitors and security cameras. Why bother?

Reality: In October 2016, attackers used a piece of malware called Mirai to take over more than 100,000 Internet of Things devices, including security cameras, DVRs and baby monitors. Mirai needed no clever exploit: it scanned the internet for devices still using their factory-default usernames and passwords and simply logged in. The infected devices were assembled into a botnet, a centrally controlled network of compromised machines, and used to launch a distributed denial-of-service attack on a major DNS provider, leaving millions of people and businesses unable to reach popular websites for hours. A Mirai variant struck again a month later, knocking nearly a million German broadband customers offline. The moral of the story: change the factory password on every internet-connected device you own so you won’t become part of the problem.

Myth: So what if my password gets stolen. What can the crooks do with it anyway? Probably nothing.

Reality: A year ago some 400 million passwords stolen from MySpace went up for sale to the highest bidder on the part of the internet known as the dark web. The same hacker also offered more than 100 million passwords stolen from LinkedIn. Armed with these seemingly innocuous credentials, attackers ran automated programs that try each stolen email-and-password pair against banks, social networks, credit card portals and other places where troves of personal data lie, a technique called credential stuffing that works precisely because so many people reuse passwords. Once they are in, they can do all sorts of nasty things to make your life miserable. Again, the only protection is strong passwords that are never reused across devices and sites. Remember that 63% of confirmed data breaches involve weak, default or stolen passwords. Virtually all of this can be stopped.

Myth: When US citizens are traveling, neither TSA nor US Border Patrol agents can ever demand the passwords to your devices.

Reality: That is true for the TSA, but not for US Border Patrol agents. There are confirmed news reports of US citizens being detained at the border and pressured to turn over both their devices and the passcodes that unlock them. What the agents may then do with the information they view or copy, and how long they may keep it, is undefined and unclear. The only real protection, for now, is to remove sensitive data and files from your devices before traveling internationally, much easier said than done for business travelers. That is one more reason to use a third-party cloud storage provider, which can hold those files off the device for retrieval later on.

Myth: When traveling internationally it is generally safe to use the digital device charging stations in hotel rooms, and it is safe as well to just jump on line to check your bank balances and credit card statements from ‘public’ PCs and tablets at coffee houses and bookstores.

Reality: Wrong on both counts. Even in nice hotels, it is easy for cyber thieves working with cleaning staff to discreetly install malware on in-room docking stations. From there it is easy to steal passwords for whatever sites you access. The same goes for publicly available devices, which are notoriously riddled with malware built to swipe your digital goods.


Perhaps the most stark reality is that the world is a very unsafe place when it comes to your digital data, given the number of cyber thieves out there, the sophistication of their illicit techniques, and their determination to rip you off.  For consumers, passwords by far remain the best protection in this global threat environment.


Cybersecurity Travel Tips When Going Abroad



Tips and Tricks for Cyber Safe Foreign Travels

Vacation time is looming, and with the growing strength of the U.S. dollar vs. other currencies, many people are making plans for international travel. If you are among them, be sure you have done all you can to take responsibility for cybersecurity when traveling. After all, it’s a dangerous world out there when it comes to the cyber threat environment. Some common sense and preparation will go a long way toward ensuring your international travel memories are of the good kind.

Let’s break down the tips and tricks of cyber safe travel into two categories. The first is basic “blocking and tackling,” which for the most part is done prior to your travel. The second category deals with security tips once you are on the road.

Held up at the border

First, it is important to know in advance that the travel environment itself has changed. While traveling within the U.S., the TSA agents at the gates are not allowed to confiscate your digital devices nor are they allowed to demand passwords to get into them. If such attempts are made, demand to speak to a supervisor.

The rules, however, are different for U.S. Border Patrol agents and for agents in other nations too. Recently there have been multiple news reports of U.S.-born citizens having to turn over digital devices and their passwords as a condition for entering or reentering their own country. What can the border agents do with your passwords or data on your devices? How long can they keep that information? How long can you be detained? These and other questions are not easy to answer. But as you will see from the tips and tricks below, there is much that can be done to minimize what might be compromised or inspected while you ensure your trip overall is as cyber safe as it can be.

Basic blocking and tackling, before you head out

  • Back up your e-files. Just presume you are going to lose everything on your devices. If all data is backed up before you leave, then if you lose your device you won’t lose what really matters most to you.
  • Don’t carry sensitive data. This is easier said than done if you are mixing business and pleasure, but it is not unreasonable to just leave behind all the sensitive files you are not likely to use. Store them on cloud backup or on removable media. But get them off your devices.
  • Change all passwords for all devices. While you are at it, turn on two-factor authentication wherever it is offered, which today is on most devices and services. Make the passwords eight characters or longer (longer is better) with a combination of nonsensical letters, numbers and symbols. Download a free password manager that will do all the work of creating complex passwords and remembering them for you.
  • If you haven’t checked recently, this is an excellent time to be sure your antivirus software is current. There is plenty of danger lurking in foreign hotels, coffee houses, and even airports, as we’ll see. This software is your first line of defense.
  • If your smartphone allows, and most do, enable the feature that automatically erases all data in the event of multiple failed password attempts (usually 10 or so).
  • If available, enable anti-theft software (often through the cloud) that allows you to lock your device remotely if it is stolen. Enable and activate the “find my phone/device” function so if your phone or tablet is stolen, you can track it, disable it, and change all the passwords.
  • Be mindful of movies, books and other material loaded onto your devices that could be considered pornographic or otherwise illegal in certain countries. Also, some downloads that are legal in the U.S. may violate local intellectual property or digital rights laws elsewhere, should your device be searched. Err on the side of caution: move anything that might be construed that way off the device and store it elsewhere.
  • Disable Wi-Fi auto-connect options from all devices before you leave, such that you have to manually connect when you think it is safe to do so. The best approach is to buy a subscription to services that only connect to secure Wi-Fi hotspots throughout the world. Rates are inexpensive and getting more so all the time. Just do a search on “unlimited wifi.” If you will need to transfer or access sensitive data abroad, consider getting a highly secure VPN connection on a daily or weekly rental basis. Just search “VPN rental.”
  • Similarly, disable Bluetooth connectivity. If left on, cyberthieves can connect to your device in a number of different and easy ways. Once they are in, your cyberworld is their oyster!
  • Finally, if you do not have a local SIM card (subscriber identity module) for the countries you are visiting, or a roaming package on your smartphone, any two-factor authentication that delivers codes by text message will not work abroad. Set up an authenticator app, which generates codes on the device without a network connection, before you leave. All the more reason to purchase a secure Wi-Fi data plan as well.

Now that you have arrived…

The tips and tricks in this list really won’t take long at all for travelers to put in place. Doing so is great insurance against many of the cyber threats that lurk when your plane touches down on foreign soil. But once that happens and your excitement builds as you head to the luggage carousel, your cybersecurity work is not done. Here are some steps to promote cybersafety on the ground:

  • Double check to be sure all of your apps are password protected with fresh, new passwords, ideally stored in your password management system so you don’t have to remember any of them. And don’t use the same PIN for hotel room safes that you use for your device password.
  • At all costs, avoid using “public” digital devices such as those at coffee houses, libraries and bookstores. They are notoriously riddled with malware lurking to steal your information. If you must use one, presume that someone other than you will see everything you enter.
  • Be very careful about connecting to any Wi-Fi network if you haven’t subscribed to a global service previously, per the tip above. These are prime milieus for cyberthieves. Say you are in a train station (bahnhof) in Germany. You scan your device for a wireless network and there are several. A legitimate one might be “bahnhofwifi”—but you don’t know that. A cyberthief has set up his own Wi-Fi trap and it shows up as “bahnhoffwifi,” with but one letter changed. Connect to that and your troubles are just starting.
  • Don’t charge your devices using anything other than your own chargers plugged directly into the wall or into your adapter. It is easy for cyber thieves to install malware onto hotel and other public docking stations.
  • Never connect any USB drive or other removable media that you don’t personally own. Again, they are easy to load with malicious software.
  • This goes without saying, but NEVER let your devices leave your sight. If you cannot physically lock devices in your hotel room safe or other secure place, take them with you. There are no good hiding spots in your hotel room. And, of course, never check your devices with your luggage.
  • Most social media sites are happy to automatically share your location as you post photos and messages. This also tells thieves back home that you are away, which is a great time to break in. So limit the information you post regarding your location at any point in time.

Bon voyage! And safe cyber travels.


Why Company-wide Password Management Just Makes Sense



When pressed for reasons for not deploying a comprehensive password management system company-wide, leaders conjure a variety of answers. Among the most common refrains is, “We haven’t been attacked or breached, so why bother? We have other priorities.”

What they should be saying is, “We haven’t been attacked or breached – yet.” Data from the Ponemon Institute’s 2016 State of Cybersecurity in SMBs study shows that half of SMBs suffered a data breach involving customer or employee information in the preceding 12 months. And in the 2016 Data Breach Investigations Report by Verizon, a key finding is that nearly two-thirds (63%) of confirmed data breaches involved weak, default or stolen passwords.

With strong passwords clearly a deterrent to attacks, it is sobering that the Ponemon study also finds that nearly six in 10 SMBs have no visibility into employees’ password practices. Worse, in typical SMBs today, 60% of employees use the same password for everything – and they’re often not strong passwords at that.

Password solutions that deliver big time

By contrast, SMBs that have adopted company-wide password management solutions have achieved measurable results in upping their security efforts. Keeper Business includes a security audit dashboard with its comprehensive password management solution. The dashboard scores various password practices in effect in the organization, such as whether two-factor authentication is in use, the relative strength of passwords in use, whether the same passwords are used for access to different systems, and so on.

For example, a small financial institution registered a score of 50 (on a scale from 1–100, with 100 being highly secure) prior to deploying the Keeper solution. A few weeks after the deployment, that score shot up to 95, reflecting consistent usage of very strong passwords by employees and an end to using the same passwords repeatedly.

A big benefit of the Keeper security audit dashboard is benchmarking an organization from a security perspective so they can see over a three-to-six month period how well they are doing in increasing security and mitigating risk.

Additionally, organizations opting for a company-wide password management solution may find that it pays for itself. With Keeper’s solution, the often dozens of passwords and login credentials employees typically have are boiled down to just one. Keeper customers notice a marked reduction in helpdesk calls for password resets, saving measurable IT helpdesk time. Given that Keeper’s comprehensive password solution costs about $30 per employee, that cost can be recouped through these helpdesk savings.

Fast deployment, ease of use

Some organizations choose to build their own password management solution, often an on-premises one. But those solutions lack the flexibility and agility of a true cloud-based offering like Keeper’s. Also, companies like Keeper are constantly updating their offerings to combat the ever-changing threat environment, updates that may never happen when companies opt for a homegrown system.

A business can fully deploy the Keeper company-wide password management system in five to 10 business days, depending upon the local administrator’s availability to do so. Users are then invited to very quickly learn how to use the solution. As an indication of the product’s ease of use, 90% of all employees at organizations that have adopted Keeper are using the solution.

One Keeper customer, Education Advanced, has this to say about the experience of installing Keeper across the entire organization: “We needed no support from Keeper whatsoever because getting the solution up and running was so simple,” says Eli Crow, CEO and company founder. “I really couldn’t imagine it being any easier.” In fact, the solution was so easy to install and use that several employees quickly adopted the Keeper solution for their personal use.


Why a Password Manager is a Gadget Lover’s Best Friend



Gadget lovers. We all know one. Perhaps you are one.

People who love gadgets appreciate the freedom their devices give them to access the information and services they want at any time. But gadget lovers often take big risks with security. They may have an assortment of favorite apps spread across their phones, tablets, game consoles, PCs and even watches. Remembering unique passwords for all of them is simply impossible.

Some multi-device aficionados might be tempted to default to using the same password again and again (60 percent of online users do that). Others may opt for the convenience of storing their passwords in a text file or email message.

Both are bad ideas. Sure, fumbling for passwords on a tiny device is inconvenient. But there’s a better approach: a password manager.

A password manager ensures that you can reach any service from any device. A good one provides equivalent functionality across desktop and mobile devices and supports all the browsers and operating systems the gadget lover will ever use. The beauty of a password manager is that you only need to remember one password to access your entire trove of services (so make sure it is a strong and unique one!). Log in once and everything else is automatic.

It’s also a great tool for making sure your various digital identities are secure. That’s because a password manager generates unique and secure passwords for every site and app you use. It takes care of remembering them for you and automatically fills in your login credentials when you open the site or app. You literally only need to remember one password.

There’s a secondary benefit many people don’t realize: a password manager protects you from phishing attacks. A favorite tactic of phishing scammers is to lure victims to a webpage that looks legitimate but is actually a false front built to capture a password or credit card number. A good password manager fills in a login form only when the web address exactly matches the one the credential was saved for, so a lookalike domain gets nothing. If autofill doesn’t work on a login page, treat that as a warning that the page probably isn’t legit. Because many small devices don’t display URLs, or make them hard to see, this is an essential mobility feature.
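The origin check behind that protection, as an added example that is not code from the original post or from any password manager mentioned on this page. It assumes a simple policy (exact hostname match, explicit port match, and HTTPS on the page being filled) and uses constructed URLs; the host names are placeholders, not real sites:

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# (scheme, hostname, explicit port or None for the scheme's default)
Origin = Tuple[str, str, Optional[int]]


def origin_of(url: str) -> Optional[Origin]:
    """Parse a URL into its origin, or None if it is not a plain http(s) URL.

    urlsplit() strips any user@ prefix, so "https://bank.example@evil.test/"
    yields hostname "evil.test", not "bank.example".
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError for nonsense like ":99999"
    except ValueError:
        return None
    if port == (443 if parts.scheme == "https" else 80):
        port = None  # an explicit default port is the same origin as no port
    return (parts.scheme, parts.hostname.rstrip(".").lower(), port)


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Release a saved credential only to a page on exactly the saved host, over HTTPS.

    Exact hostname comparison is deliberate: "login.bank.example.evil.test" starts
    with the real name but is a different host, and a lookalike one letter off
    matches nothing at all. A credential saved on http:// may be filled on the
    https:// version of the same host (an upgrade), never the reverse.
    """
    saved, current = origin_of(saved_url), origin_of(current_url)
    if saved is None or current is None:
        return False
    if current[0] != "https":
        return False  # never hand a password to a plaintext page
    return saved[1] == current[1] and saved[2] == current[2]


if __name__ == "__main__":
    saved = "https://login.bank.example/signin"
    for page in ("https://login.bank.example/signin?next=/accounts",
                 "https://login.bank.example.evil.test/signin",
                 "https://login.bank.example@evil.test/signin",
                 "https://login.bank.examp1e/signin",
                 "http://login.bank.example/signin"):
        print(should_autofill(saved, page), page)  # only the first prints True
```

Some managers relax the rule to the registrable domain (so `accounts.bank.example` would fill a credential saved for `login.bank.example`); that is a usability trade-off, and the strict form above is the safer default when the user cannot see the address bar.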

Mobile device lovers should appreciate another compelling virtue of password managers: More than three million phones are lost every year in the US alone. If a phone isn’t secured – and 32% of them aren’t, according to a recent Keeper survey – then anyone who finds it can read any plaintext files that are on it. Passwords stored in text or email messages are sitting ducks.

For all the reasons above, it’s a good idea to gift the gadget geek in your life with a password manager. Look for one that uses strong encryption (at a minimum, 256-bit AES for the vault and PBKDF2 to derive the vault key from the master password), supports biometric authentication and has secure sharing capabilities.

Also, consider one that includes secure vaulting capabilities. That’s because sensitive documents and images shouldn’t be stored locally on a mobile device. Storing them on a cloud drive isn’t necessarily any safer, particularly if the owner is logged in automatically. A secure vault not only ensures protection but also enables sharing with other trusted users. And what gadget lover doesn’t appreciate a little peace of mind?


11 Security Tips for Tax Time



Tax time is like Christmas for cyber criminals. Their victims are busily pulling together sensitive financial information from all kinds of online sources, and many are filing through one of the half-dozen or so web-based tax-preparation services or the electronic state and federal portals. In the rush to meet deadlines and avoid the ire of the taxman, consumers are especially vulnerable to scams and identity theft. Here are some tips to keep yourself safe and sane.

  1. Update protective software. Be sure your malware and firewall protection is up-to-date before conducting any secure online transactions. Perform a deep antivirus scan before opening sensitive documents or connecting to a tax-preparation service.
  2. Back up everything. Ransomware was the fastest growing form of malware in 2016, and there are no signs its momentum has slowed. Most ransomware encrypts all the data on your hard drive and demands a ransom payment to unscramble it. The only effective defense is a backup, so make sure all of your sensitive financial documents are stored in at least one other place, such as a cloud service or a USB drive. Keep that USB drive unplugged except while you are backing up; ransomware encrypts every drive it can reach, including a backup disk that is left connected. Also, protect any sensitive data on your local storage media by saving it in an encrypted folder.
  3. Don’t forget physical security. If your office is in a shared space, your security is only as good as the locks on the door. Store physical records in a safe or a file cabinet with a good-quality lock. And don’t keep old tax records. The statute of limitations for an audit is generally three years, though it can be longer in some circumstances (the IRS’s own record-keeping guidance spells out the exceptions). Whatever the case, there’s no reason to keep those 2005 files around anymore. Shred them.
  4. Use strong passwords when filing online. This is no time to safeguard your account with a password like “123456” or your telephone number. Choose a password of at least eight random characters (longer is better) mixing upper- and lower-case letters, digits and punctuation marks. Most password managers will generate secure passwords for you and store them safely. If the tax-preparation site offers two-factor authentication, use it. Be sure any online tax-preparation service you use is served over the secure “https” protocol. If the web address doesn’t begin with https:// (most browsers also show a padlock), your connection isn’t encrypted.
  5. Don’t use public Wi-Fi services when working with financial information. Most are unencrypted, which means that anyone sniffing the network can harvest any information that is transmitted over it. Although you may need a cup of coffee to calm your nerves at this stressful time, don’t do your taxes from the local coffee shop. Get your joe to go.
  6. File early. The IRS estimates it paid out nearly $6 billion in bogus refunds to identity thieves in 2013, and the real figure was probably higher. Tax identity theft is a growing problem. Any thief who has your Social Security number can file a fraudulent return with made-up W-2 figures and claim a refund in your name. Your real filing is then rejected as a duplicate, and you have to go through a lengthy resolution process with the IRS. It takes an average of 278 days to resolve a case, and even then there’s no guarantee of a good outcome. The best strategy is to file early, particularly if you suspect that your Social Security number has been compromised. That way crooks have a smaller window in which to scam you.
  7. Don’t share passwords, even with your accountant. This isn’t about trust but control. Even if your accountant is your best friend, there’s no guarantee he or she can’t get hacked. If you need to share documents,  export them and store them in a secure online vault with sharing  capabilities. It goes without saying that you never send passwords by email, right?
  8. Don’t share Social Security numbers, either. All a thief needs is those nine digits and your address to file a fraudulent return. Share a Social Security number only over the phone with someone you called yourself, or in an encrypted message, never in ordinary email.
  9. Don’t fall for phishing scams. Scammers love tax time because they know consumers are in a state of high anxiety about the potential for audits or fines. Phishing messages often contain alarming language or threats that are intended to scare recipients into giving up personal information. Any email that appears to be from the IRS and that asks you for personal information is a scam. The basic rules of phishing prevention also apply: Don’t click on links in email unless you’re absolutely sure of the identity of the sender.
  10. Monitor your tax account for suspicious activity. The IRS lets you view your tax account and transcripts online, which shows whether a return has already been filed under your Social Security number, so check it periodically and especially before you file. The IRS also issues eligible taxpayers an Identity Protection PIN (IP PIN), a six-digit number that must accompany any return filed under your Social Security number; an e-filed return without it is rejected, which stops a thief’s filing before it is processed. The IRS website has details on both.
  11. Don’t fall for fake IRS phone scams. Criminals posing as IRS agents call taxpayers to steal personal information, money and tax refunds. The IRS never telephones taxpayers to request personal information, tax information, credit card numbers or money. If you get a call from an IRS impostor, tell them nothing and hang up immediately. Then report the incident to the Treasury Inspector General for Tax Administration at (800) 366-4484 or at www.tigta.gov. Thousands of taxpayers fall victim to fake IRS phone scams in which the caller demands immediate payment to release a tax lien or levy. The IRS website has more on this scam.

The IRS also publishes a great, 21-page guide to “Safeguarding Taxpayer Data.” Read it if you want to be sure all your bases are covered.

A version of this article also appears on eWeek’s website.


Spring Cleaning Your Digital Life



It’s spring: Out with the old!

Organizing and cleaning up your digital life has gotten easier

Spring is here, which many people will greet with determination to clean out a lot of junk – from closets, garages, desks, and so on. But what about your digital life? As it turns out, that too will benefit from some reasonable spring-cleaning. It really won’t take long, and the results may be every bit as satisfying as throwing out those smelly old running shoes growing a new form of life in your closet.

Below are some tips for sprucing up your digital life.

Don’t pass on secure passwords

What do 12345, 123456789 and 123456 have in common? They are, in order, the most commonly used passwords among some 10 million passwords analyzed from data breaches in 2016. Regardless of whether your passwords have much in common with these or not, this is a great time of the year to change them – all of them. Research shows that, given the opportunity, nearly two out of three people use the same password for all of their log-ins. Change them to oddball combinations of letters, numbers and symbols so that they are almost bulletproof.

Of course then you’d be left with a potentially large number of passwords that almost no one could remember. One solution to this that appeared recently suggested that you ‘write down your new passwords and store them in a safe place.’ Wrong! There probably is no safe place they can be stored that you can actually access easily and quickly. That is one of many good reasons why it makes sense to download a free password manager that will do all the work of creating complex passwords and remembering them for you.
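To make concrete what a password manager's generator does for you, here is an added example (not code from the original post or from any particular product). It draws every character from the operating system's cryptographic random source, guarantees that each character class appears, and reports the resulting strength in entropy bits. The symbol set and the default length of 20 are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes the generator draws from. The symbol set is an assumption for
# this example; a real manager lets the user tune it per site.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).
    A 20-character password over 88 symbols carries about 129 bits; compare
    a 4-digit PIN at about 13.3 bits."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Draw characters with the OS CSPRNG (secrets, never random) and use
    rejection sampling to guarantee every class is present. Rejecting and
    redrawing whole candidates keeps the result uniform over the accepted set,
    unlike forcing one fixed position per class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
```

The entropy figure is the honest measure of strength: a 20-character password from this 88-symbol alphabet is around 129 bits, far beyond what any "oddball combination" a human invents and remembers will reach, which is the practical argument for letting the manager generate and store them.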

Make mobile security meticulous

Smartphones are the most used digital device, and as such are loaded with data. Photos and videos consume huge swaths of phone storage. You may want them but do you need all of them on your phone? Download them to your computer or backup cloud service. There are lots of great, free products out there for helping both Android and iPhone users get more phone memory instantly and give a boost to battery life as well. Some of these apps can actually identify poor quality photos that you probably don’t want anyway, as well as duplicate photos.

In addition, there are more smartphone apps available than you might think – two million and counting both for Android and iPhone. Accumulating them is easy, and can consume memory. This is a great time to take stock of what you have, deleting the ones you simply don’t use any more. Even if you don’t use them, they may well be permanently connected to the Internet for notifications, consuming your mobile data and battery as they do so.

Finally, the network providers are in a state of constant flux as they jockey for subscribers with what may seem like increasingly generous data plans. Comparing these plans can be a colossal headache, but worthwhile if you can save $10 or more every month for the same or better service. This vendor-independent site and search engine can help you compare and contrast all that’s out there. And if you have an iPhone, go to settings and turn off Wi-Fi Assist, which can be a data hog. Turn it on only when you need a cellular signal at times when the Wi-Fi connection is a poor one.

Urban renewal for your digital world

Perhaps the single most important spring-cleaning task for your computer is to be certain the stuff you really want is properly backed up. Think of all the things that can go wrong – from a hard drive failure to a ransomware attack to a lost or stolen computer to a freak electromagnetic impulse. Stuff happens! Cloud backup is cheap and easy with many first class service providers. And for really important files or photos, consider secure file storage.

Other considerations: Be absolutely certain your antivirus and other security solutions are in place, currently versioned, and working. Shovel out your email by moving or deleting inbox items that have been hanging around, and make sure your spam filters are functioning.

None of these common sense spring-cleaning suggestions take much time or effort for that matter. You’ll end up creating lots of new space on your devices, and you know the saying: Junk expands to fill the space available. Undoubtedly it will.


PIN vs. Password: What’s the Difference?



If you use Windows 10,  you may have noticed that you now have the option of signing in with a personal identification number (PIN) instead of a password. The same applies to the Apple Mac as well as many brands of smartphone. Which might lead you to wonder what exactly is a PIN and how does it differ from a password?

The use of PINs has grown with the popularity of mobile devices. Entering long usernames is a pain with a touchscreen, so a PIN presents a shorter, more usable experience. But a PIN isn’t necessarily the same as a password. Depending on the scenario, it has different applications.

There are many ways to implement PINs, but the most common is to link them to a specific physical asset, such as a computer, credit card or phone. Most of us had our first encounter with PINs when we first used an ATM card. In that case, the PIN is a form of two-factor authentication. The physical card is the first factor and the PIN provides an additional level of verification that the cardholder is authorized to use it.

PINs may be stored on a server or on the device itself. In the case of Windows 10, Microsoft uses a physical chip called a Trusted Platform Module that includes multiple physical security mechanisms and cryptographic algorithms to make it nearly impossible to compromise. The PIN is only stored on the client PC. This approach is more secure than validating on the server because an attacker would have to gain access to the computer itself to steal the PIN. Similarly, the new chip credit cards that are now being broadly deployed in the U.S. store the PIN locally so that there is no chance of a large-scale compromise at the server level.

A PIN usually consists of a string of between four and eight numbers, although variations may include letters and punctuation at the security administrator’s discretion. Why is four numbers the standard for most applications? Because the man who invented the ATM back in the 1960s found that his wife couldn’t remember more than four numbers. You can look it up.

Four numbers offer only 10,000 possible combinations, which you’d think would be a snap for a password cracker to defeat. In fact, it’s not so easy.

For one thing, PINs almost always require manual data entry. Attempting a brute force attack using a keyboard would quickly frustrate most intruders, not to mention cause painful hand cramps. Most systems that use PINs also specify a maximum number of access attempts before shutting down. For example, Apple’s iPhone gives you just six chances to enter a four-digit passcode. After that, the phone is disabled. Windows permits four incorrect attempts before requiring a restart, and multiple restarts will lock the machine.

So given four attempts to authenticate against the universe of 10,000 codes, the intruder has only a 0.04% chance of success. That’s why some people say PIN security is actually better than password security.

Which doesn’t mean you shouldn’t be careful. PINs demand the same level of care as passwords. Unfortunately, many people simply choose the easiest numbers that come to mind. Researchers at the data analysis firm Data Genetics found that the PINs “1234,” “1111” and “0000” accounted for nearly 20% of all the four-digit PINs they analyzed. In fact, “1234” was more popular than the least-used 4,200 codes combined. Human nature is difficult to change*.

Data Genetics also found that four-digit combinations starting with “19” rank above the 80th percentile in popularity. So using the year you were born is not a good idea.

Avoid easily guessed or researched PIN combinations, such as the last four digits of your Social Security number, your phone number or the day and month in which you were born. If you want to use a number that’s easy to remember, try an old phone number that can no longer be traced to you, or a combination of two numbers, such as your childhood street address and the grade on your sophomore year chemistry exam.
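The two ideas in the preceding paragraphs, the lockout arithmetic (four tries against 10,000 codes) and the advice to refuse easily guessed PINs, can be put into a small verifier. This is an added example, not code from the original post or from any device maker; the blocklist is seeded only with the three PINs the article names, the sample PIN "2950" and the PBKDF2 parameters are constructed for the example, and the TPM-backed storage the article describes is stood in for by a salted hash in memory.

```python
import hashlib
import hmac
import secrets

# Blocklist seeded with the three PINs the Data Genetics study found most common;
# a real policy would load a longer list. Constructed for this example.
COMMON_PINS = {"1234", "1111", "0000"}


def is_weak_pin(pin: str) -> bool:
    """Reject PINs an intruder would try first: non-numeric or too short, on the
    blocklist, a single repeated digit, a straight run up or down (e.g. 6789,
    4321), or a plausible birth year (19xx / 20xx)."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if pin in COMMON_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {-1}:
        return True
    if len(pin) == 4 and pin[:2] in ("19", "20"):
        return True
    return False


def success_probability(attempts: int, digits: int = 4) -> float:
    """Chance a guesser succeeds within `attempts` tries against a uniformly
    chosen `digits`-digit PIN when a lockout stops further tries: 4 attempts
    against 10,000 codes gives 0.0004, i.e. the article's 0.04%."""
    keyspace = 10 ** digits
    return min(attempts, keyspace) / keyspace


class PinVerifier:
    """Keeps only a salted PBKDF2 hash of the PIN and locks after
    `max_attempts` consecutive failures. Hashing a 4-digit PIN is not a
    defence on its own (10,000 guesses are trivial offline); the lockout, and on
    real devices the TPM or secure element, is what makes the PIN hold up."""

    def __init__(self, pin: str, max_attempts: int = 4) -> None:
        if is_weak_pin(pin):
            raise ValueError("PIN rejected by policy")
        self.salt = secrets.token_bytes(16)
        self.max_attempts = max_attempts
        self.failures = 0
        self.digest = self._hash(pin)

    def _hash(self, pin: str) -> bytes:
        # iteration count is an assumption for the example
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def verify(self, attempt: str) -> bool:
        """Return True only on a correct PIN while not locked; a failure counts
        toward the lockout, a success resets the counter."""
        if self.locked:
            return False
        # constant-time comparison so timing does not reveal matching bytes
        if hmac.compare_digest(self._hash(attempt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    v = PinVerifier("2950")  # constructed sample PIN
    print("weak:", is_weak_pin("1987"), "p(4 tries):", success_probability(4))
    # four wrong guesses lock the verifier, so even the right PIN then fails
    print([v.verify(p) for p in ("0000", "1111", "2222", "3333", "2950")])
```

The policy check generalizes the article's specific findings ("1234", repeated digits, anything starting with "19") into pattern tests, and `success_probability` makes the 0.04% figure reproducible for other attempt limits and PIN lengths. The lockout is the real defence: without it the small keyspace is exhausted in moments, which is why the verifier refuses further checks rather than merely slowing down.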

If the online services that you use offer the option of a PIN to complement your username and password, we recommend you use it. Device makers are also broadening the number of options to include fingerprint recognition, facial recognition and voice recognition. These are often good alternatives to PINs, but we recommend against making them your primary form of authentication. Researchers have demonstrated ways to compromise fingerprint scans with wax molds, and face- and voice-recognition technologies are not mature enough to replace two-factor authentication on their own.

With so many large-scale password breaches in the news, it’s nice to have a second level of protection.

*The Data Genetics blog post is well worth reading for its interesting tidbits about password length. For example, the fourth most popular seven-digit password is 8675309 which will resonate with 1980s rock fans. The 17th-most popular 10-digit password is “3141592654.” Look it up.

TeamSIK Response


Keeper’s engineering team prioritizes the security and privacy of our customers over all feature and functionality decisions in our application.  Our company policy has a strict zero-knowledge and no-data-leakage policy and everything we create adheres to these protocols.

Recently, a team of researchers posted a report about vulnerabilities and bugs in various Android password management apps.  First of all, I think TeamSIK did a great job.  They clearly spent significant time and performed an intense and technical analysis of the applications on the Android platform. Both of the reported issues were quickly resolved and published.

The issues reported about Keeper (SIK-2016-025 and SIK-2016-026) were not vulnerabilities, but in fact just bugs, which is why they classified them as “medium” risk.  I have addressed this distinction with TeamSIK since both issues were “low” risk due to the reasons described below:

  1. Attacker must have physical access to the device and;
  2. Attacker must bypass the device lock screen or fingerprint and;
  3. The app must be running in the background in an active state (where the auto-logout timer set by the user hasn’t activated yet) and;
  4. The device must have a USB cable plugged into a computer and authorized by the device and;
  5. The user’s two-factor device must be accessible from the same device and;
  6. The attacker must have access to the user’s email account on the same device.

The foregoing was an extremely unlikely scenario.  No customers were affected by this issue and moreover, no data leakage was ever at risk.

Thank you for staying protected with Keeper.

Keeper Customer Profile: Salvatore Porcillo



Cyber security becomes more important every day as hackers continue to target users for personal information that can be sold for a profit on the dark web. With more than 10 million consumers engaged with Keeper on a daily basis, we thought it would be a good idea to find out a bit more about our customers and share how Keeper helps simplify and protect their digital lives.


When did you start using Keeper?
I believe at least 5 years ago, or more. I have communication with Keeper dating back to 12/2011.

How many passwords does Keeper store for you?
Based on a hard count, I have 474 different entries in Keeper in 13 folders. I should mention, I use Keeper for passwords, SS #’s, passport #’s, VIN #’s, etc. I like having these items at my “finger tips” if needed. I use Keeper for passwords and for securing other important information that I only have access to.

What kind of files (e.g. passport, credit card numbers, photos, license, etc.) do you store in Keeper’s encrypted vault?
All the previously noted, plus work related passwords, etc. My Folders are: Auto, Sports (for my kids’ activities), Electronics, Financial, Health/Life Insurance, Home, Legal, Online, Restaurants, School/College, Stores, Travel and Work. So basically anything that could be associated with the mentioned folders is included in Keeper.

What is one thing you would recommend to a new Keeper user?

I’ve sold family and friends on it, I’m a big fan. I say, it’s secure and if you do it right, you’ll have any and all information that you need available to you 24/7.

Why did you decide to start using a password manager?

I think it started out as a need to store passwords, but once I understood that I could use it for other important information, I got obsessive. I have OCD (self-diagnosed), so I just started loading it with all kinds of information. I should mention, I carried around a Franklin Covey Planner for years, with all my password information hand written in it. At some point I realized that wasn’t a very good idea and I needed an alternative. That’s when I started to seek out an electronic version or App to keep this information.

What are some main benefits you get from utilizing Keeper?

I have everything I need at my fingertips when I need it, it’s secure, easily accessible, inexpensive to own and it’s in the cloud so I’ll always have it, it’s password protected and most of all it’s fun to use.