The Saga of the Stolen Stingray

Protect It: I imagine one day I’ll own a 1970 Corvette Stingray. It will have its own garage. I’ll lock the garage doors when I’m not using it to make sure it’s safe. I’ll put an alarm on the building—to be sure. And I WON’T leave the keys in it!

Hijacked: A few months ago, my mother-in-law told me her email “broke.” For a few days, she hadn’t received any emails in her Outlook Client. So, I took a peek at her Cox webmail. I found a message stating the account was locked, due to suspicious activity. After a couple hours with tech support, we were able to get in. We found the account had been sending hundreds of spam emails every day. A criminal had hijacked her mail.

Recently I read a blog post in Dentaltown from a dentist victimized like this. His email account had become an unwitting offender. How did this happen to them? Will it happen to you? How can you prevent it?

Credential Stuffing: These email accounts fell victim to what we call a “credential stuffing attack.” It’s often performed by software known as “bots.” See, websites should be storing your username/password pairs (AKA “credentials”) in an encrypted database, but they often don’t. It’s like storing a 1970 Corvette Stingray in your garage (keys in the switch), and then leaving the door wide open. You’d never do that, but websites do—all the time!
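The "garage door left open" above is, in practice, a site that stores passwords in a form an intruder can read straight off the database. The standard protection is to store a salted, slow hash of each password rather than the password itself, so a copied table gives a thief nothing to stuff into other sites' login forms. The following is an added illustration written for this article, not code from any of the sites or products it mentions; the in-memory "tables", the demo user and the scrypt work factors are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Two constructed in-memory "databases" for the demo (not a real site's code).
# PLAINTEXT_STORE keeps passwords as typed; HASHED_STORE keeps only salted scrypt hashes.
PLAINTEXT_STORE: Dict[str, str] = {}
HASHED_STORE: Dict[str, dict] = {}

# scrypt work factors for the demo; production values should be tuned to the
# server (a higher n costs a cracker more memory and time per guess as well).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(username: str, password: str) -> None:
    """The 'keys in the switch, garage door open' pattern from the article."""
    PLAINTEXT_STORE[username] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted scrypt hash. A fresh random salt per user means a stolen table
    cannot be cracked with one precomputed list covering every account."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt.hex(), "hash": digest.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def store_hashed(username: str, password: str) -> None:
    HASHED_STORE[username] = hash_password(password)


def verify_hashed(username: str, password: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    rec = HASHED_STORE.get(username)
    if rec is None:
        # Do the same amount of work for an unknown user so that response time
        # does not tell a bot which usernames exist.
        hashlib.scrypt(password.encode("utf-8"), salt=b"\x00" * 16,
                       n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(rec["salt"]),
                               n=rec["n"], r=rec["r"], p=rec["p"], dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(rec["hash"]))


def readable_passwords(store: dict) -> list:
    """What someone who copies the table can read directly: every entry of the
    plaintext store, and nothing from the hashed store."""
    return sorted(v for v in store.values() if isinstance(v, str))


if __name__ == "__main__":
    store_plaintext("alice@example.com", "Sweetie")
    store_hashed("alice@example.com", "Sweetie")
    print("plaintext table leaks:", readable_passwords(PLAINTEXT_STORE))
    print("hashed table leaks:", readable_passwords(HASHED_STORE))
    print("login ok:", verify_hashed("alice@example.com", "Sweetie"))
```

The point of the two stores side by side: a breach of the first hands the attacker a ready-made credential list; a breach of the second hands them a slow, per-user cracking job, which is exactly the difference between the garage door open and the garage locked.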

Darkweb Dump: Criminals break into those websites and scoop out your credentials. Then, those same criminals dump your credentials on the darkweb. Other crooks snag these breached credentials from darkweb, Amazon-like sites. They then code their bots with lists of credentials, including yours. Finally, the bot logs into your email account.

Picture this:  You use your Gmail address as the username to log into scrapbook.com. Then, you use the same password for scrapbook.com that you use for your Gmail account. A criminal breaks into scrapbook.com. If the database isn’t encrypted (the doors were left open), the thieves steal your credentials. In essence, the criminal drove away in your beloved Stingray! It happened because you used the same key for every door you own: Your house, your Stingray garage, your business office, your mailbox…  You get my point? Worst of all, you left a copy of the key taped to the front door of your house, right in plain sight.
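From the defender's side, the bot described above leaves a recognisable trace in the mail server's login log: one source address trying many different usernames in a short burst, almost all of them failing, with an occasional success where a reused password happened to match. Below is an added example of that check, written for this article rather than taken from Cox, Gmail or any other provider; the log format, the addresses (from the documentation range 203.0.113.0/24) and the thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of web-mail login events (not real logs). 203.0.113.7 walks
# a breached list through twelve different accounts in twelve seconds and lands
# one hit; 203.0.113.44 is a user mistyping their own password twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=user01@example.com result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=user02@example.com result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=user03@example.com result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=user04@example.com result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=user05@example.com result=fail
2024-05-01T10:00:06Z ip=203.0.113.7 user=user06@example.com result=fail
2024-05-01T10:00:07Z ip=203.0.113.7 user=user07@example.com result=fail
2024-05-01T10:00:08Z ip=203.0.113.7 user=user08@example.com result=fail
2024-05-01T10:00:09Z ip=203.0.113.7 user=user09@example.com result=ok
2024-05-01T10:00:10Z ip=203.0.113.7 user=user10@example.com result=fail
2024-05-01T10:00:11Z ip=203.0.113.7 user=user11@example.com result=fail
2024-05-01T10:00:12Z ip=203.0.113.7 user=user12@example.com result=fail
2024-05-01T10:03:10Z ip=203.0.113.44 user=bob@example.com result=fail
2024-05-01T10:03:25Z ip=203.0.113.44 user=bob@example.com result=fail
2024-05-01T10:03:40Z ip=203.0.113.44 user=bob@example.com result=ok
this line is malformed and should simply be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_events(text):
    """Turn log text into (timestamp, ip, user, success) tuples; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    return events


def stuffing_sources(events, min_users=8, min_fail_ratio=0.75, window_seconds=300):
    """Return {ip: summary} for sources that look like a bot replaying breached
    credentials: many distinct usernames, mostly failures, inside a short window.
    A lone user retrying one account never meets the distinct-user threshold."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        users = {u for _, u, _ in evs}
        fails = sum(1 for _, _, ok in evs if not ok)
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        if (len(users) >= min_users
                and fails / len(evs) >= min_fail_ratio
                and span <= window_seconds):
            flagged[ip] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                "failures": fails,
                # Accounts that accepted a breached password: the ones to lock
                # and reset first, as happened with the Cox account above.
                "compromised": sorted(u for _, u, ok in evs if ok),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

The "compromised" list is the actionable output: those are the accounts whose owners reused a password and now need a reset, which is the same state my mother-in-law's account was in before the provider locked it.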

Unique Passwords: We often recommend in these articles that you make sure to use unique passwords for the bucketload of websites you log into. Certain sites are more critical, for example, your email account, as well as your bank account and other accounts containing your financial information. Use a password manager like Bitwarden. If you use a long, unique passphrase instead of a short password, and you use a different passphrase for each site you visit, then you reduce the chance of becoming a credential stuffing victim.

Passwords Are Like Dental Floss

Flossing is Hard: Passwords are the dental floss of the internet. They take precious time to use, everyone hates them, they cause mild discomfort, and the consequence of negligence could spell doom. Not immediate doom. But eventual and inevitable doom. Oh, and by the way, China knows your password! Your favorite one. The really complex one you made up 6 years ago that combines your sister’s phone number, your son’s birthday, and the exclamation point at the end. They also know your other favorite one. “Sweetie”.

Password Strength: Last week I gave you a tripwire you could use to foil a ransomware attacker with a strong password.  Continuing the theme, this week we discuss the importance of password hygiene.  Password hygiene involves the strength, uniqueness, and practices of passwords.

The Longer the Better: Compare password hygiene to dental floss hygiene – make them long, change frequently, and don’t share. When it comes to length, longer = stronger. In fact, length is more important than complexity. So instead of using a complex array of gibberish letters, numbers and symbols, the best practice is to create a passphrase. A passphrase is a list of unrelated common words. It is easier for you to remember and harder for a computer to crack. In this example from www.xkcd.com/936/, the password Tr0ub4dor&3 is difficult to remember but can be cracked in 3 days (at the comic’s assumed rate of 1,000 guesses per second). However, if we tie four common unrelated words together like “correct horse battery staple”, it would take 550 years to crack at that same rate.
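The 3-days-versus-550-years figures come straight out of the arithmetic of guessing: a password worth about 28 bits of entropy versus four words drawn from a 2,048-word list (11 bits each, 44 bits in all), both at 1,000 guesses per second. The following added example, written for this article and not taken from xkcd or any password manager, carries that arithmetic through and generates passphrases the way a manager like Bitwarden does, using the operating system's secure random source. The short word list is constructed for the demo; a real generator would use a full list such as the EFF's 7,776-word diceware list, which gives about 12.9 bits per word.

```python
import math
import secrets

# Constructed mini word list for the demo (16 words = 4 bits per pick). A real
# generator uses a list of thousands of words so each pick is worth far more.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit", "pencil",
    "meadow", "lantern", "velvet", "compass", "thunder", "pebble", "harbor", "cactus",
]

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def generate_passphrase(words=SAMPLE_WORDS, count=4, sep=" "):
    """Pick `count` words uniformly at random. `secrets`, not `random`: the
    choice must be unpredictable, not merely well distributed."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, count):
    """Entropy of `count` independent uniform picks from `pool_size` choices.
    Length adds bits linearly, which is why four plain words beat one mangled one."""
    return count * math.log2(pool_size)


def crack_seconds(bits, guesses_per_second):
    """Time to exhaust every possibility at a given guess rate."""
    return (2 ** bits) / guesses_per_second


def human_time(seconds):
    """Round seconds to the unit a reader can picture: days or years."""
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


def compare_at_rate(guesses_per_second=1_000):
    """The article's two cases side by side at the same guess rate."""
    troubador_bits = 28          # xkcd's estimate for Tr0ub4dor&3
    four_words_bits = entropy_bits(2048, 4)   # 44 bits
    return {
        "Tr0ub4dor&3": human_time(crack_seconds(troubador_bits, guesses_per_second)),
        "correct horse battery staple": human_time(crack_seconds(four_words_bits, guesses_per_second)),
    }


if __name__ == "__main__":
    print(compare_at_rate())
    print("fresh passphrase:", generate_passphrase())
    print("bits for 4 words from a 7,776-word list:", round(entropy_bits(7776, 4), 1))
```

One caveat the numbers make visible: the guess rate is the attacker's choice, not yours. Against a stolen table of fast, unsalted hashes a cracking rig manages billions of guesses per second rather than a thousand, which shrinks the 550 years to minutes; only a long passphrase and a site that hashes properly together keep the time comfortably out of reach.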

Don’t Re-use Your Floss: You may question, “If I create one strong passphrase, I could use it for all my accounts and I’ll be safe?” Well, not exactly. That’s where the second part of “treat-passwords-like-dental-floss” comes in. Don’t share. Today, you have so many accounts with passwords to remember. You have your email, company login, bank, investment, social media, gaming … the list goes on. Major breaches like LinkedIn and Dropbox have exposed your username (typically your email address) and password. The information from these breaches eventually ends up on the Dark Web, available for any cyber-criminal to peruse. To see if your email address is on the Dark Web, you can check it at www.haveibeenpwned.com. A trusted advisor can offer Dark Web checks for your business domains.

Try It Everywhere: When the hacker acquires your credentials, they will test them against popular websites hoping you reused the password. Maybe you have a Wells Fargo, or Merrill Lynch account with the same username and password. If they succeed, the consequences could be disastrous.

Password Managers: You may want to reconsider letting your browser manage your passwords. The saved password feature of browsers is great for ease of use for you – and for a cyber-criminal. These passwords are stored in clear text in the browser and can easily be stolen.

Consider the Consequences: Since there are so many long passwords to remember, using a Password Manager can ease your password woes. A Password Manager can create, encrypt, store, and autofill your passwords for multiple accounts and make it harder for hackers to get them. Password managers can also protect you from Some recommended free managers are: Apple Keychain, Bitwarden and KeePass. You may hate to floss. You may hate password hygiene. But until there is something better, consider the consequences.