ITSS

Making Passwords User Friendly

The KISS principle has been in use since the 1960’s with its roots in the U.S. Navy. The acronym, which stands for “Keep it simple, stupid” forwards the notion that simplicity should be the goal for any design or system and complexity should be avoided whenever possible.

With the 90’s and the rise of the Internet, password requirements have become increasingly more complex. First, we had to include a minimum of six or eight characters, then a mix of alphanumeric characters, the addition of upper case letters, and eventually special characters. The complexity required in passwords today have caused a new problem for users: we tend to forget them.

Passwords are key to protecting your accounts and knowing simple ways to securely create and manage all your passwords is vital for digital security and our digital quality of life. This month our focus will be on making passwords fun to create and manage effectively.

The following steps will help reduce the pain in creating and managing passwords:

Passphrases

The traditional approach to creating a password has been to make it very complex. This trend makes the passwords difficult to remember and ultimately people use shortcuts or workarounds that jeopardize security. Passphrases, however, can be fun and much easier to remember (KISS). A passphrase is a type of strong password that uses random words or short sentences. Here are examples of passphrases:

  • The-future-is-now-says-the-president-in-march
  • I really look forward to summer days in the Atlantic Provinces!

The examples above are strong, fun to create, easy to remember, and contain over thirty characters which makes it more difficult to crack. Remember, the key to strong passphrases is to make them long - the more characters you have, the better.

Password Managers

It is important to use a unique password or passphrase for each account that you have. Reusing the same password for different accounts makes you vulnerable to hackers. A hacker who has accessed one of your accounts will try to reuse the stolen password to access other accounts that you have.

Password managers are special programs that securely store all your passwords in an encrypted vault. You only need to remember the password for the password manager in order to access all the passwords that you have saved in it. There are other features that come with password managers that may vary from one application to the next. One caution: always remember the password for your password manager.

There are both paid and free password managers available. See a list of free password managers HERE (Fossbytes.com).

Two-Factor or Multi-factor Authentication

Two-factor or multi-factor authentication adds an additional layer of security to your account. This means an additional step is required to log into your accounts apart from entering your password. For example, you will need your password and an automated numerical code sent to your phone, or an authentication message sent to your phone prompting you to verify you are trying to access your account (this is similar to a two step verification used on popular email platforms such as Gmail, yahoo mail etc.). Other examples include using biometrics, key fobs or cryptographic keys, or smartphone enabled applications. These methods of authentication provide a strong additional layer of defence for the user without unduly burdening the user.

Further Reading:

Making Passwords Simple: https://www.sans.org

Long Live the Passphrase: https://www.sans.org

 

Published April 12, 2019

Staying Safe During Tax Season

As tax season nears, we begin to collect all the necessary paperwork and fret over whether we will have to hand over even more of our hard-earned money to the government. It is also the time of year that questionable phone calls and emails start coming in.

Tax season could become the CRA tax scam season.


Security Awareness Education Tax Scam imageCRA tax scams come in various forms – via phone calls, emails, or text messages. Typically, the caller or email sender poses as an agent or representative from the Canada Revenue Agency (CRA) in an attempt to gather personal information (such as name, social security number, date and place of birth, mother’s maiden name etc.) or intimidate an individual into providing financial payment. These types of scams have become so common that the CRA has put together tips on how to stay safe and how to report scams.

 

Here are some highlights from that page:

The CRA will never:

  • Give or ask for personal or financial information by email and ask you to click on a link
  • Send an email with a link to your refund
  • Demand immediate payment by Interac e-transfer, bitcoin, prepaid credit cards or gift cards from retailers such as iTunes, Amazon, or others
  • Use aggressive language, threaten you with arrest, or a prison sentence
  • Set up a meeting with you in a public place to take a payment
  • Contact you via text messages or an instant messaging application (such as Facebook Messenger or WhatsApp)

 Here are some examples of tax scams:


security awareness education tax scam text message

(text message)


security awareness education tax scam email

(email)


To read more, check out the following links:

 

Published March 01, 2019


 

Dating in a Digital World

Love is in the air!... maybe…

As Valentine’s Day approaches, single people often feel an extra push to “get out there” (even if “getting out there” means signing up for one of the many dating sites while sitting at home in pajamas). Online dating is now one of the most common ways that people meet potential mates. With the rise in online dating, came the increase in romance scams, which is a common way for scammers to seek out new victims. Romance scams are fraud conducted by individuals who use the promise of love, romance, or a night of hedonistic fun in order to entice and manipulate online victims into giving money, gift cards, or worse.

Typically, these scams come in the form of “catfishing”. Catfishing is the practice of pretending to be someone you are not in order to attract others. A common example of this would be someone who uses a set of photos they found online in order to draw in potential victims.

Without a doubt, online dating is a great way to expand your dating sphere and learn more about someone before you take the time to meet and get to know them in person. It is important to remember that there are good people out there as well – the key is to know how to tell the difference.  

Here are some tips to keep you safe after you’ve swiped right:

  1. If they are looking for money, it’s likely a scam. Send them a link to an employment site and block them.
  2. Always meet in a public place until you feel safe to head somewhere more private.
  3. Let a friend or family member know where you are going and check in with them.
  4. Do some research – search for the lucky person on search engines and social media sites. You can even try a reverse image search to see if their photo is fake.
  5. Consider a video chat before meeting in person.
  6. Be careful using apps that track your location. For example, if a dating app shows the distance between you and a potential partner, your location is being tracked.
  7. Don’t share personal information before getting to know the person.
  8. Don’t add your social media accounts to your public profile in a dating app – this could reveal your real name, surname, university, or place of work.
  9. Be careful when someone suggests you take the conversation to personal email or another website.
  10. Be cautious about sending images. Practice caution and use judgement if you choose to.
  11. Install antivirus software on your smartphone. This will notify you of any privacy breaches.
  12. Go with your gut – if something seems “off”, back out. If things get worse, block them and report to the local police.

Read more about staying safe on popular dating apps:

https://internet.frontier.com/resources/how-to/cyber-security-checklist/

Published February 11, 2019


 

January 28 is Data Privacy Day

Data privacy for individuals means reviewing privacy settings on social media, being mindful of entering data into websites, and taking ownership of one's online identity.

The internet is full of data about you and me. Whenever we play a game, shop, browse websites, or use any of the numerous apps, our activities and some of our personal information may be collected and shared. This also applies to our connected devices such as smart TVs, phone trackers, GPS, security cameras, wearables, and smart appliances. These devices make our lives pretty convenient but also keep our “digital footprint” on the internet afterwards. The Internet of us (based on our shared information) and Privacy define our online presence. It is therefore critical to learn how to protect our information and guard our privacy online.

The following tips will help to protect your online privacy:

Use long and complex passwords or passphrases. 

These are often the first line of defense in protecting an online account. The length and complexity of your passwords can provide an extra level of protection for your personal information. Avoid using the same password for multiple websites, accounts, or apps. Use a password manager to manage numerous passwords.

Take care what you share. 

Periodically check the privacy settings for your social networking apps to ensure that they are set to share only what you want, with whom you intend. Be very careful about putting personal information online. Remember, what goes on the Internet, usually stays on the Internet.

Go stealth when browsing. 

Your browser can store quite a bit of information about your online activities, including cookies, cached pages, and history. To ensure the privacy of personal information online, limit access by going "incognito" and using the browser's private mode when necessary.

Using Wi-Fi? 

If only public Wi-Fi is available, restrict your activity to simple searches (no banking!) or use a VPN (virtual private network) when necessary. The latter provides an encrypted tunnel between you and the sites you visit.

Should you trust that app? 

Only use apps from reputable sources. Check out user reviews or from other trusted sources before downloading any app that is unfamiliar.

Has your privacy been compromised?

Change the password of any site or app that you believe may have been compromised. If you reuse passwords for multiple sites you should change them all to make sure your information is safe.

Visit the ITSS Help Desk if you have any further concerns.

Published January 22, 2019