How Secure are Security Questions?


What was the name of your first childhood friend? The city where your father was born? What is your favorite TV show? Your mother’s maiden name? What was the name of your first pet? Here is the real question: what makes users think these types of security questions are going to help secure their important accounts?

Unfortunately, the truth is that the security questions heavily relied upon by businesses, websites, and other vital accounts may have significant security issues. Continue reading to learn what these issues are and what alternatives can be used instead.

What is so bad about security questions? 

In reality, security questions are ineffective against today’s technology. Cybercriminals can quickly obtain the information they need from victims through phishing scams. More than likely, hackers will attempt to break into bank accounts. By successfully phishing a victim, the attacker can obtain account information from the victim’s bank or financial institution, and possibly even the victim’s access credentials, such as a username. With login information such as a username, cybercriminals can quickly obtain their victim’s password: by clicking “Forgot Password?”, they can see which security questions the victim may have selected. Often, hackers can find the answers on the social media accounts of the victim or the victim’s family and friends.

Many people are unaware how much their online presence can tell complete strangers about them. This is part of the danger of posting personal information on social media. Privacy is also entrusted to the platforms and websites people commonly use, which can themselves fall victim to cybercriminals.

It gets worse…

A study by Google in 2015 revealed that answers to these security questions are easily predictable. 

For example, the study found that with one guess and the knowledge that the user speaks English, there was a 19.7% chance of correctly answering the security question, “What is your favorite food?”. There was a 24% chance of correctly answering the question, “What was your first teacher’s name?” with ten opportunities to answer and the knowledge that the user speaks Arabic. With ten guesses and the understanding that the user speaks Korean, there was a 43% chance of correctly answering the security question, “What is your favorite food?”. 

Some technical skill and luck are required on the hacker’s part, but some of the answers to security questions can easily be found online. Therefore, it is important to remember not to overshare personal information online.

What can be used instead of security questions?

There are better alternatives to help keep businesses and accounts secure. Some companies utilize multi-factor authentication and/or biometrics. These options can make it easier for you to access your accounts while making it difficult for hackers. 

We, at WheelHouse IT, are here to help you keep your business secure from hackers and cyber attacks by implementing the best cybersecurity measures. To learn more, contact us at 954.474.2004. 

Tips on How to Create a Secure Password 


Trying to create a secure password can be a challenge, even more so when it’s recommended that you have a unique password for every account and website you visit. Many people settle for using the same password across multiple accounts, but reusing a password puts you at risk of exposing all of your personal information.

Every year, criminals find new ways to hack into your accounts and get hold of your personal information. You need to know how to create strong passwords that reduce your risk and protect you from becoming a victim of cybercrime. By following these tips, you can create a secure password to keep your information safe.

Tips For Creating a Secure Password

Many people store valuable information online. While it is easy to access and convenient, without a strong password, your information is at risk of being stolen by hackers. To keep your accounts and information safe, you need to know how to create a strong password. These tips will help you create a secure password. 

  • Use a Long Password – When you prioritize the length of the password, it is harder to guess. Passwords of at least 16 characters long reduce the risk of hackers gaining access to your account.
  • Combine letters, numbers, and symbols – Your password should consist of letters, numbers, and special characters to increase the complexity of your password. 
  • Use Different Passwords – Using the same password for all your accounts increases your risk of hackers gaining access to all of your accounts through credential stuffing. 
  • Never Use Personal Information – Avoid using information such as birthdays, addresses, names, and phone numbers. 
  • Try Passphrases Over Passwords – It’s hard to remember a long password. Using a passphrase can be easier to remember while keeping your password complex. 

The goal is to create a long, complex password that is easy for you to remember but hard to guess. That is a lot to keep track of, especially when companies require you to change your passwords quarterly or annually.

Additional Security Measures to Protect Yourself

Passwords are just one level of security to ensure your accounts are safe. Implementing multi-factor authentication and password management solutions can help provide additional layers of security that make it difficult for hackers to gain access. 

Multi-factor authentication uses multiple methods to ensure an account is accessed only by someone authorized. It typically pairs a password with additional verification through your smartphone or email, such as a code sent to you to confirm the login. It can also use biometrics, such as a fingerprint scan, to confirm your identity. Together, these factors make it difficult for anyone else to gain access.

Password management tools help you manage your passwords efficiently and easily. They store your passwords in an encrypted database secured by a master password, so you can retrieve them whenever you need access to an account. These tools make it easier to use complex passwords without having to remember each one individually, and many password managers can generate complex passwords for you, removing the challenge of thinking up a new password every time you need to make an update.

4 Corner IT can help you implement all of the best technology solutions for your business. To learn more, contact us at 954.474.2204.


Best Password Practices from NIST


When a hacker tries to access one of your accounts, the first challenge they must overcome is the password. This is why industry professionals always encourage you to create them with security in mind. The latest guidelines issued by the National Institute of Standards and Technology, or NIST, are not quite conventional or traditional. However, they do give valuable insights into how to create more secure passwords.

What is the NIST?

The NIST is the authority on all things password-creation, and they are no strangers to issuing various best practices. While these practices do shift over time, due to the unfortunate side-effect of threats adapting to security standards, their advice is trusted and should absolutely be considered by all. Please see below for the recent update on password best practices.

The New Guidelines

Many organizations and Federal agencies have adopted these guidelines. Here are the latest steps to take when building a secure password.

Length Over Complexity

Most security professionals have advocated for password complexity over the past several years, but the guidelines issued by NIST disagree. NIST suggests that the longer the password, the harder it is to crack. They even go so far as to say that complex passwords with numbers, symbols, and upper and lower-case letters make passwords even less secure.

The reasoning for this is that the user might make passwords too complicated, leading them to forget them entirely, so when it comes time to replace the password, they will add a “1” or an exclamation point at the end. This makes them easier to predict should the original password be stolen. Users might also be tempted to use the same password for multiple accounts, which is a whole other issue that certainly does not aid in security.

No More Password Resets

Many organizations require their staff to change their passwords periodically, typically every month or every few months. The idea is to preemptively change passwords on the off chance that the old ones have been compromised; an attacker trying to reuse the old password would then be locked out, as the password has since been changed. While this has been an accepted best practice for some time, NIST recommends that it be set aside, as it is actually counterproductive to account security.

The reasoning behind this determination is that people will not be as careful with the password creation process if they are always making new ones. Plus, when people do change their passwords, they tend to follow the same pattern so they can remember them. This means passwords could be compromised even after being changed, as a hacker who recognizes the pattern can use it against the user.

Make Passwords Easy to Use

Some network administrators worry that quality-of-life features such as showing a password while the user types it, or allowing copy/paste, make the password more likely to be compromised, and so they remove them. The truth is the opposite: ease of use does not compromise security. People are more likely to stick to established password protocol if you make it easier for them to do so.

Don’t Give Out Password Hints

At the same time, you don’t want to make things too easy for your employees, either. One way administrators help employees who easily forget passwords is by providing password hints. This system is flawed, especially in today’s society of oversharing information across social media and the Internet in general. If Sally bases her password on the name of her dog, for example, a hacker might be able to find that name on her social media page and then try variations of it until the password is cracked. So, in the interest of network security, it’s better to forgo hints altogether. There are other ways to make your password system easier to deal with that don’t compromise security.

Limit Password Attempts

When you place a limit on password attempts for your business, you are essentially giving hackers only a limited number of chances to get lucky. NIST suggests that most employees fall into one of two categories when it comes to remembering passwords: either they remember it, or they keep it stored somewhere (hopefully in a password management system). If an employee does one or the other, a limit on password attempts will not necessarily affect them. However, it will make all the difference against security threats.
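As an added illustration of the guidelines above (example code written for this page, not NIST's or this post's own), the following Python models a password policy that enforces length and a blocklist without composition rules, screens for personal details such as a pet's name, stores salted PBKDF2 hashes, and locks an account after a set number of failed attempts. The thresholds (8 to 64 characters, 5 attempts, 15-minute lockout) and the blocklist are constructed parameters, not values from the post.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed stand-in for a breached/common-password blocklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "summer2023"}


def check_password(candidate, user_info=()):
    """Return a list of policy violations; an empty list means accepted.
    Length over complexity: no 'must contain a digit/symbol' rules."""
    problems = []
    if len(candidate) < 8:
        problems.append("too short (minimum 8 characters)")
    if len(candidate) > 64:
        problems.append("too long (maximum 64 characters)")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in common/breached password list")
    for item in user_info:  # e.g. username, pet name, birthday
        if item and item.lower() in candidate.lower():
            problems.append(f"contains personal information: {item}")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AttemptLimiter:
    """Lock an account once max_attempts failures occur within lockout_seconds."""

    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout = lockout_seconds
        self.clock = clock  # injectable so the limiter can be tested offline
        self.failures = defaultdict(list)

    def is_locked(self, username):
        now = self.clock()
        recent = [t for t in self.failures[username] if now - t < self.lockout]
        self.failures[username] = recent  # drop failures outside the window
        return len(recent) >= self.max_attempts

    def record(self, username, success):
        if success:
            self.failures.pop(username, None)
        else:
            self.failures[username].append(self.clock())


def login(limiter, store, username, password):
    """store maps username -> (salt, digest). Returns 'locked', 'ok' or 'denied'."""
    if limiter.is_locked(username):
        return "locked"
    salt, digest = store.get(username, (b"", b""))
    ok = bool(salt) and hmac.compare_digest(hash_password(password, salt)[1], digest)
    limiter.record(username, ok)
    return "ok" if ok else "denied"
```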

Implement Multi-Factor Authentication

COMPANYNAME recommends that your business implement multi-factor authentication or two-factor authentication whenever possible. NIST recommends that users demonstrate at least two of the following methods of authentication before they can access an account:

  1. “Something you know” (like a password)
  2. “Something you have” (like a mobile device)
  3. “Something you are” (like a face or a fingerprint)

If two of the above are met, then there is sufficient evidence to suggest that the user is supposed to be accessing that account. Consider how much more difficult this makes things for a hacker. Even if they have a password, it is unlikely that they also have physical access to a mobile device, a face, or a fingerprint.

Make password security a priority for your organization now. That way you don’t have to worry about data breaches later on down the road. WheelHouse IT can help you set up a password manager that makes adhering to these best practices easier. To learn more, reach out to us at (877) 771-2384.


6 Cyber Security Must-Haves for Remote Work


The quick transition to remote work that many companies have had to make has revealed security risks that IT professionals cannot monitor or correct as closely as they could when employees work in-house. To mitigate these risks and protect data, employees need to follow cyber security best practices and abide by the requests made by IT. Fortunately, the skills and security measures described below not only help employers in the present but also protect employees from personal security risks in the future.

Secure Wi-Fi

The convenience of an open wireless network doesn’t outweigh the risk of sensitive data falling into the wrong hands, and this applies to personal financial information as much as to work data. Employees need to secure their home wireless networks with the strongest protection available to them. Users should also keep their firmware up to date.

Encrypted Traffic

IT departments can consider a virtual private network, or VPN, on top of secured wireless networks to encrypt all traffic. There are downsides to VPNs, however, including slower connection speeds. Some users may also not like that their employer can monitor their network usage through a VPN.

Phishing Prevention

It doesn’t matter if a company uses the most advanced security software or the most impenetrable hardware if the user is the weak point. Employees should undergo training to detect and avoid phishing scams in all their modes — phone, text, and email — before working remotely, even if they’ve already received this training in the past. All it takes is a careless click to give away a user’s login information.

Fortunately, modern security software can even warn about potential phishing attacks.

Smart Password Usage

Not only is it risky to use the same username and password for multiple websites, but choosing simple passwords that are easy to crack also puts a user at risk. Because users won’t necessarily opt for best practices such as strong passwords that they change periodically, companies should ensure that their software systems require these password security measures, and even use password managers to generate and store strong passwords. Businesses should also encourage two-factor authentication, which requires users to enter a second code, typically sent via email or text, to log in.

Company-Issued Devices

Many of the risks listed above can be minimized when a company issues devices that prevent unauthorized changes and have the appropriate software installed so that employees have all the resources necessary to complete their jobs. Sending employees home with company devices keeps sensitive data away from personal devices, which may be less secure and more likely to be compromised, and companies can install enterprise-level security software to prevent malware and phishing attacks. 

If this is not possible, companies should set standards for which devices can be used, including software and hardware requirements, to ensure the devices being used are as secure as possible and to avoid the risk of “shadow backups” to personal cloud storage accounts.

Data Backup

Even assuming that users abide by cyber security best practices and a company’s software is set up securely, there is always the risk of a hard drive or other mechanical failure, which is why a company must have a plan in place to back up data. Many companies opt for cloud storage, a solution that is especially useful when the office is inaccessible; others choose physical servers that their IT team maintains.

Companies that want to increase cyber security measures for remote workers or ensure that their systems are secure enough for telecommuting can contact us for a cybersecurity analysis.


The Newest Extortion Scams Are Using Your Own Passwords as Bait

Using Your Passwords

Internet scams have become more and more sophisticated, and extortion scammers have found a new piece of bait with which to hook internet users: their old passwords. These extortion schemes typically claim that someone has compromising information about the person, and that the scammer is happy to help get that information back if the person is willing to pay.

Fearing that their information has been compromised, the person coughs up the cash to protect it. The catch? The entity that supposedly meant them harm never had any of the person’s information in the first place. Victims believe that scammers are burrowed deep in their computers and are getting hold of their private information. Many scammers even demand that payment be made in Bitcoin; otherwise they refuse to carry out “the job” of stopping the hackers who purportedly have the person’s personal information. (Really, they don’t have the information at all; the supposed person burrowing in the victim’s computer doesn’t even exist.)

What Can I Do To Avoid Extortion Scams?

We offer the following advice to people who have had issues with these kinds of scammers in the past, to help them avoid the same scammers in the future:

  • Scammers will generally want to rush the person into making hasty decisions, and will pressure you to pay them immediately for their “services”. If you have any sense that the person you are talking to is not genuine, authorities encourage you not to give them any information, as success only encourages them to keep scamming other people.
  • Once you realize that you have been scammed, change your passwords immediately. Moreover, use different passwords for all online accounts and be sure to enable two-factor authentication when it’s an option.
  • Do not have any further communication with anyone who you think is a scammer.
  • Always keep your antivirus software and operating system up to date to give scammers less of a chance at getting at your personal information.
  • Cover your webcam at all times when you are not using the device.

Remember, scammers only need to be successful with a fraction of the people with whom they engage in order to be successful at what they do. They will make this a lucrative process which will only continue encouraging them to scam more and more innocent, unassuming people into believing their lies.

In the end, the point is that these people claim to have your old passwords and use that as bait to try to get you to pay them to “protect your personal information”, as they will claim. In reality, they don’t have any of your personal information in the first place. They are simply scammers trying to get money from you, and they will do absolutely nothing for you in return.

For more information on the latest scams you need to watch out for, please feel free to contact us at 4 Corner IT for further assistance.