Next week's program will describe some of the serious threats arrayed against data on your computer, whether the computer is located in a home and has little more than tax records and photos stored on it or whether it's in a corporate office and is filled with proprietary information. This week, though, we'll consider passwords.
The threats we'll consider next week differ considerably from threats aimed at passwords, but the same kinds of people are behind both types of attacks. These are people you don't want to have access to your computer or your data.
We repeatedly hear that it's important to use strong, unique passwords for every account, yet far too many people still use weak passwords (two of the most common are "password" and "123456") and -- even worse -- reuse those same weak passwords for multiple accounts. Reusing passwords is dangerous for a reason that's really easy to understand.
Let's say that I have an account at Yahoo where I use the name "techbyter". Yes, I have such an account and that is my user name. Now let's also say that my password is "%7E2hmJy5t" and at one time that was my Yahoo password. That password is no longer in use and it's not being used elsewhere.
Yahoo has has several high-profile breaches in recent years, so I might safely assume that my "%7E2hmJy5t" password may be known to some number of crooks. Had I used the same password elsewhere, one of those crooks might try "techbyter" and several variants of my name with that password on bank sites. Fortunately, banks are developing more fool-proof log-in systems, but the old saying about fool-proof systems is that they only encourage more inventive fools. But not all banks have multi-component log-in procedures yet.
In general, stores are considerably less secure than banks. So if I had used the same password at commercial sites, the crook who gained access to my Yahoo password could take over store accounts and have expensive stuff sent to him and billed to me.
The obvious problem with unique, complex passwords is remembering which one belongs to what account. Let's say you visit just 100 password protected sites (most people visit far more than that) and you have a unique, complex password for each. Here is what 100 8-character unique, complex passwords look like (and passwords really should be 15 characters or more):
?eKuPhe, mAs+u2rA, mex+BuB6, yudUS=u8, ku*r2Tuv, Xec@vus6, gU4uqup*, 5uFr_jud, 2ac?aCeT, 5raxExu$, cuS4Adr_, 3uFr_ruZ, Wr_3hezu, pUt3U?Eq, tH8th+tA, =atha6Uz, z6J?Crat, @A6uhEsw, 6udRUne_, rA+e3wat, pHa2=Edr, Cre-AtU6, d!e6hEsw, $ra4atRa, 4R@treke, cAthuK?6, DrEt3-Ep, _rEdr4Br, @acAca3r, M2jEt&pr, cHu7hE!u, crER4sa?, 6+jawaST, d6sTU_re, Xe6Ap@et, zU$7yaBu, 4rEr$chA, 2Ta_uMeG, ha6eJAb$, 8huprUd?, CRar=6eg, r3tr@WRa, det=Utr4, veh6&PaS, phuf3eF!, va-4thUt, q-B4xavu, p_SPav7s, Va+REst5, caFe@8uk, 6eMEp#es, bEdUjU-5, SaspE_2s, gayAbe*8, cU5RusT$, pHeT8av$, w-bRe2em, -rasTEP8, jAtHa8e_, c2eyEH#j, TawE3Re#, zuP=UvA4, &Refu6uj, _6sPekuw, cA5acu*r, 4ahef_Xe, m#ThAg3w, s6uJU!ep, t-eZUst8, 3_XEwebA, Phuhus&3, Re&4sTaN, cef?YAt8, yuC3S$Ud, cRan-6ec, #eVaPh3y, frApA3#e, pEteRe2?, *re2rUbA, fu3_uStu, se#eP5hU, w8waXet&, S6ustaY#, 2wUqup*s, &hagup2P, +h7cHace, +aS2spuk, !u3ehEWu, x+tR8Jep, Thus*a5T, ra-H8wre, Rat4en+f, qesWA$6q, suku&UF8, w5a?Rest, vaPR&3re, d&qEza2a, h2hUT-aS, TE!ab7pu, #u5PaStE
Could you remember all of those passwords, their associated user names, and which sites they belong to? Of course not, so you might be tempted to write them down. One bit of malware on your computer would quickly deliver the file you used to store your user names and passwords to a crook.
And that's why LastPass is important. You can use the free version, but a paid version ($12 per year) adds useful features that aren't in the free version. Passwords are stored on your computer, on the LastPass site, and on any device that you've installed LastPass on. No matter where they're stored, they're encrypted based on the password you use to create a LastPass account. That password should be very long (at least 15 characters) and something you can easily remember.
Here's a suggestion: Let's say you had a dog named Rover when you lived in Pittsburgh. You moved there in1972 and you lived on Agnew Road. Here's a password: RoverPittsburgh1972Agnew. You could create a clue (dog city year street) that would have meaning to you, but would be essentially meaningless to anyone else. (Note that I have never lived in Pittsburgh and never had a dog named Rover, so this isn't my password.) There are lots of other clever ways to make up a strong, complex, memorable password and MakeUseOf describes 7 of them.
Incidentally, because LastPass's encryption is based on your user name and password, LastPass will re-encrypt your stored passwords if you ever change your master password (and you should do that occasionally).
LastPass has been around since 2008, when it was released as a browser plug-in. It's now available for all major operating systems and mobile devices. As of late last year, free LastPass accounts sync to all devices where LastPass is installed, not just one. Paying the $12 annual fee is still a good choice, though.
If malware in the form of a key-logger finds its way onto your computer, LastPass still protects you because it doesn't type passwords. Instead, it auto-fill passwords and for those times when you must type something at login time, LastPass displays a virtual keyboard that you use by clicking with the mouse.
LastPass also includes a secure note function where you can store important information that's not password related. There's also a Security Challenge that helps you find passwords that aren't sufficiently complex or are on sites that have recently been hacked.
You may notice that my security rating isn't 100%. That's because I continue to use some duplicate, simple, and old passwords on certain trivial sites. My definition of "trivial" means that the site contains no information that should be private or secure, has no access to any financial information, and would not be a problem if someone gained access to the account. Needless to say, there are only a few sites that fit that description.
The $1 per month paid version offers a shared family folder for up to 5 users, YubiKey & Sesame 2-factor authentication options, priority tech support, and 1GB of encrypted file storage.
Password managers are essential. If you try to remember passwords, you'll forget some of them or, worse yet, store them in a plain text file or spreadsheet on your computer. The $12 annual fee provides access to powerful features, but there's also a free version. Even the free version has many useful features, and the primary
function -- keeping your passwords safe and accessible -- is available in both free and paid versions.
Additional details are available on the LastPass website.
Security consultant Frank Abagnale has an interesting background. When he was 15, he became a famous impostor and by the time he was 21 he had assumed the identities of an airline pilot, a physician, a US Bureau of Prisons agent, and a lawyer. Eventually caught, he served less than 5 years in prison, then went to work for the federal government, and now runs Abagnale & Associates, a financial fraud consultancy company. He also advises the AARP on how to avoid the many scams that may arrive by phone, email, and sometimes even postal mail.
Your phone rings. The caller says that a dangerous virus has been detected on your computer, but he can help you. The best advice: Just hang up. Abagnale says that scams are many and varied.
The FBI says losses will total in the multiple millions this year. In response, the AARP Fraud Watch Network has launched an education campaign to help people protect themselves.
Abagnale says that it's essential to understand how the scams work.
You don't need to be a member of the AARP to use the anti-fraud resources. See more on the AARP website. Or check out the downloadable booklet from Microsoft's website.
First question: How is that pronounced? Is it ALT-aba or AL-taba? Verizon is proceeding with its plans to acquire Yahoo's core internet business and a regulatory filing says Yahoo's name will change to Altaba (however you say it).
That's because changing the name changes the basic operation of the company. Yahoo, the company that exposed millions of email addresses and other information to hackers over the years will be nothing but a memory and Altaba (however you say it) will be clean and clear.
Marissa Mayer, who tried to clean up the mess left by previous CEOs, will be out as CEO but plans to stay with the company.
So how should we pronounce the new name? The Wall Street Journal says Altaba is a combination of "alternate" and "Alibaba", so apparently it's pronounced "ALT-aba".
Alibaba Group Holding Limited is a Chinese company (阿里巴巴集团控股有限公司) that's been around since 1999 when Alibaba.com was set up as a business-to-business portal to connect Chinese manufacturers with overseas buyers. Jack Ma created the company. The company primarily operates in (the People's Republic of) China. In addition to being one of the world's largest internet companies, Alibaba claimed to be the world's largest retailer in 2016.
Verizon agreed to acquire Yahoo for a little under $5 billion last year and Verizon's CEO, Lowell McAdam, said the acquisition of would put "Verizon in a highly competitive position as a top global mobile media company" and help accelerate the company's revenue stream in digital advertising.
There were questions about the deal when Yahoo admitted the two largest data breaches in history -- last year Yahoo announced that a 2014 attack exposed 500 million accounts and in December 2016, Yahoo said that credentials from another 1 billion user accounts had been stolen in 2013.
Those questions persist. Verizon could quash the deal or renegotiate the purchase price.
A significant amount of tech support time could be saved if users would take one simple step before calling tech support. Nobody expects users to be able to figure out that sector 12,557 on a hard drive has just done bad or that memory chip 2 is about to fail, but sometimes users might find that there's really no problem at all.
Case in point: This week my cable system's set top box shut down after a wierd power fluctuation. I turned it back on. "FAIL" it said. I unplugged it and plugged it back in, but it still said "FAIL". What would you do in a case like that. I presumed that I would need to have the cable company replace it and unplugged it so that I could return it. After waiting half an hour, I plugged it in again. This time it said "boot" and a minute or so later, it was running normally.
That definitely applies to computers. One of the first troubleshooting steps you should try is a full power off reset. Not just a reboot because some problems can survive a power on reset. Instead select "shut down", give the computer a few minutes, and then reboot. You may find that the problem no longer exists and it saves the embarrassment of taking a computer in for service, having the technician boot the system, and finding that there really isn't a problem.
And don't stop with just the computer. If you're seeing a network problem, shut the computer down, unplug the cable modem, and unplug the router. Wait a minute or so and then plug everything back in and start up again.
The jury is out on whether computers should be shut down every day. My primary system remains on overnight because some maintenance programs run then, but the other systems are shut down. Even so, I reboot the system every week or two. If you use sleep mode, it's important to reboot once a week or so to clear the computer's memory. Some applications (I'm looking at you, Firefox) do a very bad job of releasing memory the application no longer needs and a full power off reset takes care of that.