Posts Tagged ‘passwords’
April 10th, 2014

Do you hate updating your passwords whenever there’s a new hack?

Change your passwords as a precaution against the Heartbleed bug.

We reported yesterday about the serious Heartbleed bug, which allows hackers to steal encryption keys from nearly two-thirds of all websites.

“This is probably the worst bug discovered this year. We believed in the security of SSL/TLS, and now discover that it comes with a hole that allows anyone to read our personal information such as passwords, cookies or even server’s private keys,” said Jiri Sejtko, Director of the AVAST Virus Lab. “We, as end users, simply can’t do anything, but make sure we are as secure as possible.”

That means changing your passwords. Again.

If just thinking about changing all your passwords makes you want to jump out the window, then here are a few tricks to help make it a little less painful. At the end of this post, we’ll share a tip on how to make creating passwords, and remembering them all, as easy as pie. So go all the way to the end. ;)

Why do cybercrooks want your password?

It takes serious effort to hijack accounts, so there must be some payoff at the end for cybercrooks. Obviously, it’s not to get your vacation photos. Money is the most common motivation. Your money.

There are many ways of turning stolen data into money, but one of them is worth highlighting. Research shows that 55% of us reuse passwords on different sites. It is likely that you use the same password for Facebook that you use for your bank account. This means that cybercrooks can steal your money much more easily. Never use the same passwords on different sites, especially for really important services.

Password basics

1. Use a random collection of letters (uppercase and lowercase), numbers and symbols

2. Make it 8 characters or longer

3. Create a unique password for every account

Tricks and tips

Maximum password security requires at least seven characters, a mix of upper and lower case, a few symbols, and a sense of humor.

Create an acronym using a meaningful, easy-to-remember piece of information. Use a sentence like “My wedding anniversary is 28 December, 2001.” That phrase turns into this password: Mwai28/Dec.01.

Many sites require a special symbol like ` ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] \ | : ; " ' < > , . ? /. Use some of those to replace letters. Your password can be this: M<>ai28/Dec.0!.

April 9th, 2014

Heartbleed affects much of internet. Time to change your passwords again.

The security community is buzzing with news of a threat called Heartbleed. The bug reportedly affects nearly two-thirds of all websites, including Yahoo Mail, OKCupid, WeTransfer, and others. The bug takes advantage of a vulnerability in OpenSSL, an open-source protocol used to encrypt vast portions of the web. It allows cybercrooks to steal encryption keys, usernames and passwords, financial data and other sensitive data they have no right to.

In a blog post to their users, Tumblr described it this way,

…that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.

The latest version of OpenSSL fixes the problem and websites are already upgrading.

However, your popular social site, your company’s site, commerce site, hobby site, sites you download software from or even sites run by your government might be using vulnerable OpenSSL, warns Codenomicon on their site about Heartbleed. GitHub compiled a list of sites that are vulnerable, but some may have already been updated. AVAST’s website is safe from the Heartbleed threat.

You can check a site’s vulnerability status at the Heartbleed test site, which enables users to enter domains. If a site comes back as an “uh-oh” but doesn’t say “heartbleed” then there may be something else wrong, but it’s not Heartbleed. Update: AVAST’s COO, Ondrej Vlcek, recommends this checker: https://www.ssllabs.com/ssltest/analyze.html.

What can you do?

The best advice is to stay away from affected sites for a while. In their report on Heartbleed, Tor advises, “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”

You need to change your passwords for any vulnerable sites as well. Once affected sites start making the updates, they will most likely advise their customers to change their passwords. Earlier today, Tumblr sent their users a note encouraging them to change passwords to all their online accounts immediately.

“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr said on their blog.

We have written tips about creating strong passwords in the avast! blog. Read “My password was stolen. What do I do now?” as a reminder.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

October 29th, 2013

How many variations of “qwerty” and “1234” can you think of?

I am quite surprised at how inventive people can be when it comes to thinking up weak passwords. The obviously weak combinations like ‘1234’ or ‘qwerty’ along with names and phone numbers are quite common parts of passwords.

Some background

The story begins with me fighting a familiar piece of malware, Bicololo, which is spyware designed to steal the identity from users of Russian social networks. A routine task you might say. This time the authors were less cautious with settings on their rogue servers, so I managed to get hundreds of freshly-stolen credentials. What to do with them? The first thing I tried was contacting support of the affected social network to get users warned and passwords reset. Unfortunately, my effort met no success there; they did not even bother to answer my mail! So instead of getting to warn hundreds of innocent users on the Russian social network, I used this unique opportunity to analyze the habits users have regarding their passwords and share it with our AVAST readers.

Once I cleaned up the data, I received about 850 unique combinations of username-password pairs. This is not enough variants for the results to be widely representative. The data was obtained from a rather specific group of (less experienced) users whose lack of knowledge allowed their computers to be infected. I expect the general reality to be a bit better than my results. Though my findings are not scientifically correct, they can give us some insight into the problem and show us examples we should avoid while choosing our passwords.

April 15th, 2013

WordPress sites hacked

There is a nasty botnet trolling WordPress sites trying to log in with the default admin user name and using “brute-force” methods to crack the passwords. Our advice to save your WordPress blog from being hacked is to change the login name from admin to something else and use strong passwords.

Matt Mullenweg, the founder of WordPress, advises the same thing on his blog. He also said to turn on two-step authentication, which prompts you to enter a secret number you get from the Google Authenticator App on your smartphone. To make as secure an environment as you can, ensure that the latest version of WordPress is installed as well.

“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg writes to assure 64 million WordPress users.

March 25th, 2013

Personal identification numbers (PINs) need protection too

By now, avast! users are aware of the importance of creating strong computer passwords, and guarding their Social Security number like a trained Doberman. But what about the humble four-digit personal identification number (PIN)? PINs are security features just like passwords. They give access to your mobile phone, credit card, bank account, and numerous other things. My garage door opener even has a keypad and PIN. Because it’s the key that unlocks so many doors, literally and figuratively, it pays to keep your PINs safe.

Here are some things to remember when choosing a PIN:

  • Be more original than 1234. One in 10 people use this number combination. Together with 1111 and 0000, these three combinations make up nearly 20% of PINs. Think of it this way: if you find an ATM card on the floor, you have a 1 in 10 chance of getting the correct number if you type 1-2-3-4.
  • Using your birthdate as a PIN is a bad idea. Everyone carries their driver’s license in their wallet with their ATM card. The birthday information gives a wallet thief both the lock and key in a convenient location. One study said that one out of 15 wallet theft victims also had their ATM raided!
  • Forget about your address too. Your house or apartment number is also printed on your driver’s license, so it’s easily found.
  • Keep LOVE in your heart, not on your phone. 5683, which spells out “love” on the keypad, is very popular. Use a less popular word, maybe 9278, which spells “wart.”

Here are some tips to secure (and remember) your PIN:

  • Use the bank assigned number. Just don’t write it on your ATM card.
  • An old phone number, student or work ID is good, as long as they’re not listed anywhere.
  • Choose a meaningful number. The score of the big game (your favorite basketball team won 80-58, so the PIN is 8058).
  • Base the number on a phrase instead of a word, such as 2432 for “Avast is FREEking awesome” (AIFA).
  • Hide the number in a fake contact. If you have too many PINs to remember, make up a fake contact with a fake phone number and keep it in your phone. Just don’t let the battery run out!

Share your tips for creating strong PINs and how to remember them in the comments section. And please follow us on social media. We can be found on Facebook, Google+ and Twitter.

September 4th, 2012

Scrubbing toilets is preferable to thinking of another password

When scrubbing toilets and doing other household chores is preferable to thinking of new user names or passwords, then you know it’s a burdensome thing. A new national survey from Janrain, a social software services company, reveals that American adults need to remember five or more unique online passwords. Thirty-eight percent are so frustrated that they think tasks like folding laundry or scrubbing toilets – even solving world peace – might be easier than coming up with another new user name or password combination.

The majority of those surveyed say they try to create strong passwords, using letter and number combinations instead of obvious names or words, like “password,” but the problem is recalling the complicated passwords. Nearly 37 percent have to ask for assistance on their user name or password from at least one website per month.

“With all of the different websites consumers login to on a regular basis – from email and social networks to online banking and e-commerce sites – it’s no wonder people are struggling to remember such a large number of passwords,” Janrain CEO Larry Drebes said. “What’s surprising is that consumers think cleaning their bathroom, or in the extreme cases trying to solve world peace, sounds preferable to adding yet another password to the list.”

If you are experiencing password fatigue, and would like to never worry again about remembering your passwords, then try avast! EasyPass. You get strong, unique passwords for every site you visit – with just one click. The best part is that you access your passwords using one Master Password, so you don’t have to remember lots of passwords or waste time asking websites for help. Download a free trial of avast! EasyPass now.

August 13th, 2012

World of Warcraft Players Fall Victim to Battle.net Hack

We have another entry on the growing list of hacks – Blizzard Entertainment, publisher of popular games such as World of Warcraft and the Diablo and Starcraft series, reported last week that a large amount of user account data for Battle.net gamers was compromised.

“This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened,” wrote Blizzard President Mike Morhaime. “We take the security of your personal information very seriously, and we are truly sorry that this has happened.”

Stolen data includes email addresses, answers to security questions, a database of “cryptographically scrambled” passwords, and data related to dial-in and smartphone app-based two-factor authentication. Battle.net users should change their account passwords immediately. You can do that here.

Jindrich Kubec, Avast Virus Lab senior analyst, gives some tips for securing your passwords:

1. Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
2. Avoid overly complex passwords as you don’t want to write them down
3. Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
4. Longer passwords are always better
5. Beware the phishers: always ensure you’re doing sensitive operations on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information. Instead, manually enter the site and make changes.
6. If you can’t be bothered with steps 1 – 5, try avast! EasyPass to generate strong, unique passwords for every site you visit. The best part is that you access your passwords using one Master Password, so you don’t have to remember lots of passwords.

June 7th, 2012

LastFM investigating passwords hack

Yesterday, LinkedIn started investigating a password leak, followed by online dating site eHarmony, and now online music streaming site LastFM has announced on their blog that they too are investigating the leak of user passwords. As a precautionary measure, they are advising all their users to change their passwords immediately. You can do that here.

Yesterday, a Russian hacker reportedly stole 6.5 million LinkedIn passwords and 1.5 million passwords from eHarmony. It is not yet known if the hacking incidents are related.

It’s worth repeating the password tips my colleague Jindrich Kubec wrote in an earlier blog post.

A simple 5-step procedure for creating new passwords:

  1. Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
  2. Avoid overly complex passwords as you don’t want to write them down
  3. Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
  4. Longer passwords are always better
  5. Beware the phishers: always ensure you’re doing sensitive operations on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information. Instead, manually enter the site and make changes.

January 20th, 2012

I’ll show you my password, if you’ll show me yours

On the heels of the Zappos cyber robbery last Sunday that left 24M customers fretting over stolen passwords and email addresses, articles are being published about how people can protect themselves online. The number one point is always about passwords. Clean up your passwords. Never Share Your Password. Create different passwords for different accounts.

Sage advice, which we at AVAST support. We even have a dedicated password manager called avast! EasyPass to help you juggle it all. The theft at Zappos and the struggle for greater online privacy made it even more startling when I read about the growing trend among teenagers to share their passwords as an act of trust with their current BFFs.

November 23rd, 2011

Survival Tips for Black Friday and Cyber Monday

Black Friday, the day after Thanksgiving and the busiest shopping day of the year, starts at midnight November 25th with mega-sales running throughout the weekend. Cyber Monday, the online retail equivalent to Black Friday, is the time when many consumers, who didn’t want to fight the crowds over Thanksgiving weekend or failed to find what they were looking for, shop online that Monday from home or work.

“For our US friends especially, this weekend is when retailers, offline and online, offer the best deals of the year,” said Jindrich Kubec, senior virus analyst at the AVAST Virus Lab. “It’s also when cybercriminals become hyperactive with scams and fraudulent offers.”
