ReportWire

Tag: Passwords

  • Browser Password Managers Are Great, and a Terrible Idea

    By default, Google manages your encryption key, but it allows you to set up on-device encryption, which functions similarly to a zero-knowledge architecture. Your passwords are encrypted before being saved on your device, and you manage the key. Regardless of how the encryption works, Google uses AES, which is still the gold standard for security among password managers.

    It was trivial to decrypt Chrome passwords previously, requiring little more than a Python script and knowledge of where the files are stored. But even there, Google has pushed the security bar up. App-bound encryption has invalidated those methods, and cracking passwords is far more involved than it used to be. Further, Google has integrated with Windows Hello. If you choose, you can have Windows Hello protect your passwords each time you log in by asking for your PIN or biometric authentication.

    Other browsers aren’t as secure. Firefox, for instance, makes it clear that, although passwords saved in Firefox are encrypted, “someone with access to your computer user profile can still see or use them.” Brave works in a similar way, though I suspect most people using Brave are using a third-party password manager (and probably a VPN) already.

    Regardless, storing your passwords in even a less secure browser like Firefox is leaps and bounds better than not using a password manager at all. And the browsers at the forefront of market share, Chrome and Safari, have vastly improved their security practices over the past few years. The problem isn’t encryption—it’s putting all your eggs in one basket.

    Let’s Talk OpSec

    OpSec, or operational security, is normally a term used when talking about sensitive data in government or private organizations, but you can look at your own security through an OpSec lens. If you were an attacker and wanted to swipe someone’s passwords, how would you go about it? I know where I’d look first.

    Even with better security measures, the goal of a browser-based password manager is to get people using password managers. That has to be balanced against how easy the password manager is to use. In a blog post announcing changes to Google’s authentication methods from Google I/O this year, the company mentions reducing “friction” seven times, while “encryption” isn’t mentioned at all. That’s not a bad thing, but it’s a testament to how these tools are designed.

    You don’t need to pick out words from a blog post to see this focus. Google gives you the option to turn on Windows Hello or biometric authentication with the Google Password Manager. Each time you want to fill in a password, you’ll need to authenticate. That’s undoubtedly more secure than not authenticating each time, but the setting is turned off by default. It creates friction.

    Jacob Roach


  • Swedish Death Cleaning, but for Your Digital Life

    What do you want people to have now? Why wait for death to share things you want to share? For example, you might want to give people access to photos and videos. You might also share important documents that are actively in use—health files, children’s immunization records, pet health records—with one or two trusted people.

    The best cloud storage services let you securely share files and folders. Keeping documents in cloud storage also means they’re backed up, so copies of your documents are safe in the event of a fire, flood, theft, or local data loss.

    What do you want a trusted person to access quickly and easily if you’re incapacitated or die unexpectedly? One of my fears is that I’ll be hospitalized and no one will remember that I prepared and signed an advance health care directive. If you don’t have a lawyer who holds your important documents (and maybe even if you do), make sure at least two people can access digital copies of them quickly and easily.

    Just as with other important documents, you can share these files securely via cloud storage, but put them into a clearly labeled folder, like _IMPORTANT FILES. Using an underscore ensures that the folder appears at the top of the list when files are sorted alphabetically. Because these documents contain sensitive information, make sure you review the security settings when you enable sharing so that only your trusted persons can access them.

    Examples of papers to include are your will, power of attorney form, advance health directive, deeds and titles, certificates (birth, marriage, divorce), and identity papers (Social Security cards, naturalization papers).

    What do you want people to have only after you die? You might not want your sibling or your spouse to have the keys to your email or your Instagram account now, but do you want them to post on your behalf after you die? Do you want them to permanently delete any accounts once you’re gone?

    Jill Duffy


  • Where Do Your Passwords Go When You Die?

    It’s not fun to talk about, but there’s only one thing certain in life. You need to have a plan for your digital legacy, just like you make a plan for your physical assets; otherwise, your accounts, services, and logins will rot away in a data center before they’re inevitably erased by a data retention policy.

    Some services recognize how important digital legacy is. Apple and Facebook have legacy contacts that can gain access to your accounts, but most online services don’t, and the American Bar Association is still grappling with the legalities of accessing online accounts when someone passes away.

    Recognition of digital legacy is still spotty, and without dedicated legacy contacts, accessing the deceased’s online accounts often involves court orders or legal documentation (and plenty of time). Digital legacy doesn’t need to have so many hurdles, though. Password managers have digital legacy features built in that can unlock your digital life in the event of an emergency.


    Defining a Digital Legacy

    There’s a lot that goes into your digital legacy, from your online banking login to any digital assets you own, but even a seemingly straightforward online life can quickly snowball into a mess. Does the Netflix account just keep draining the checking account until you can break in and change the payment option? Are photos that have been uploaded to the cloud now lost in a data center, never to be recovered? Add some passkeys, maybe some social sign-on features, and you have a complex web of data that’s almost impossible to untangle.

    So-called digital executors exist, operating in the same way as the executor of the will, just for digital assets. It’s a good idea to set up a digital executor to ensure your digital assets are handled properly, but that doesn’t help in the immediate aftermath of someone passing away. The probate process can take at least a few months, and sometimes several years.

    Password managers like Bitwarden offer a shortcut. You can transfer access to a trusted relative, spouse, or even your closest friend, along with a rundown of what to do with your accounts.

    The legality of this is a little murky, with the American Bar Association noting that accessing someone else’s account, even with their username and password, isn’t legal if it violates the platform’s terms of service. The law regarding digital assets varies from state to state, so it’s still a good idea to consult an attorney for long-term access.

    Here’s the advice NordPass gave: “For anyone thinking about digital legacy, the best step is to set up Emergency Access in advance, clearly communicate the use cases of the credentials with your trusted contacts, and follow the terms of service of respective platforms.”

    Immediate access is still important, not only in the event of death but also in the event of incapacitation. If you, for whatever reason, can’t access your online accounts, you can transfer those accounts easily using an emergency contact feature available in a password manager.

    Password Managers With Digital Legacy Features

    There are some excellent password managers, and most of them have some way to unlock your account in the event of an emergency. They go about it in different ways, however. Here are the three I recommend for most people. (Read more in our Best Password Managers guide.)

    Proton Pass

    Courtesy of Proton

    Proton recently added an emergency access feature, and it’s not just restricted to Proton Pass. Unlike most password managers, Proton Pass is just one app available in the Proton suite. Proton also makes our favorite VPN, and it offers an encrypted crypto wallet, cloud storage, and even a calendar.

    Emergency access isn’t restricted to one app with Proton. Rather, it’s access to your entire account, so if you have multiple Proton apps, you can pass them along. It’s not hard to see where this could be useful, especially if you have a lot of data stored in Proton Drive or money in your crypto wallet.

    Jacob Roach


  • Proton Pass Finally Has the Goods to Compete With Other Password Managers

    You can rename your vaults, but you can also assign them one of a few dozen icons, as well as choose from a handful of color presets. It’s a small addition, but a little color-coding goes a long way in finding what you need at a glance.

    Beyond logins, you can also generate and store email aliases, similar to NordPass. It’s a standard feature, even if you don’t subscribe. Free users are capped at 10 aliases, while paying users can create as many as they want.

    It’s not just a fake email tied to a real one. You can set up aliases like that, but Proton allows you to forward emails to multiple addresses, create catch-all addresses, and even reply directly from the web app. I appreciate the activity log most, though. Proton automatically creates contacts for everyone who interacts with your alias, and you can block spammy addresses without ever opening your email client.

    No Desktop App

    Proton Pass via Jacob Roach

    Proton Pass was originally available only as a browser extension, but it now has apps for Windows, macOS, and even Linux, as long as you’re on a Fedora- or Debian-based distribution. I mainly used Pass in the browser, not only because it’s convenient but also because the extension is available on just about everything—Chromium-based browsers have access, and there are separate extensions for Firefox, Safari, and Brave.

    The browser app has everything you need, and it works a treat when it comes to password capture and autofill. Proton occasionally asked me to save a password a second time after initially dismissing a capture notification. But outside of that small hiccup, I never encountered an issue with autofill for forms, logins, or credit cards.

    Inside the app, you have a few features that aren’t available through the extension. The key feature is Pass Monitor, which is Proton’s security watchdog feature. It’ll show you weak passwords, accounts where you can enable 2FA, and critically, accounts that have been victims of a data breach. If you want to go further, you can turn on Proton Sentinel, as well.

    Pass Monitor is great, but breach notifications have a problem. By default, Proton only monitors the email associated with your Proton account. If you’re importing passwords from another app, as I did, and you have different emails, those aren’t a part of the monitoring by default. And Proton doesn’t tell you that. You have to click into breach details and manually add addresses.

    Proton Pass Review: Finally Standing Tall

    Proton Pass via Jacob Roach

    Jacob Roach


  • 1Password Is Still the Gold Standard for Securely Managing Your Passwords

    Password managers are spotty on Android and iOS in general, and 1Password isn’t above that issue. I’d estimate somewhere around 10 to 15 percent of the fields I encounter on mobile just don’t register with 1Password, sending me out to the app to copy my password over manually. This is more of an issue with how apps categorize different fields and expose them to other running apps, and less of a 1Password-specific problem.

    1Password at least attempts to get around this with linked apps. As you start signing into apps using entries in your vault, 1Password will connect your login to whatever app you’re logging into. That doesn’t eliminate autofill problems on mobile, but it helps in the cases where 1Password is looking for a specific URL to autofill, and the mobile app isn’t operating with that URL.

    Outside of autofill, using 1Password on Android and iOS is a breeze. You can enter your account password each time you unlock your account if you want, but 1Password supports biometric authentication on Android and iOS, including Face ID support. After a certain amount of time has passed (you can change the amount of time in the settings), 1Password will ask you to re-enter your account password. Thankfully, if you don’t want to use biometrics, you can set up a PIN or passcode, as well.

    Quick access is important because 1Password is extremely limited on mobile, and that’s a good thing. Switching to another app or locking your phone will lock your account, and if you swipe through your list of open apps, you’ll only see the 1Password login screen.

    You’re free to change these settings, from the amount of time you need to re-enter your account password to when 1Password should clear your keyboard history. The defaults work well, but if you can’t be bothered, you can turn these extra security measures off.

    Unique Security

    1Password may function similarly to other password managers, but its security design is unique. The company has a white paper you can read through for all the gory details, and it maintains a list of certifications and recent penetration testing. The core of 1Password’s security, however, is a zero-knowledge approach. It’s designed in such a way that, even if 1Password wanted to, it has no means to decrypt the contents of your vault.

    This works due to what 1Password calls two-secret key derivation, or 2SKD. It takes your account password and a secret key that’s generated on your device when you first sign up for 1Password, and uses them to derive a key encryption key (KEK). Also on your device, 1Password generates a public-private key pair. Your private key is encrypted with the KEK, while your public key is shared.

    There are several layers of nested encryption beyond this, but what’s important is that 1Password doesn’t have a copy of your private key, nor a copy of your account password that’s necessary to derive the KEK. And when you authenticate, everything happens locally on your device, including encryption and decryption. Your KEK, master password, and private key never leave your device.
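    The derivation described above, as an added toy model in Python (this is not 1Password’s code; the PBKDF2 and HKDF choices, the XOR combination of the two secrets, the HMAC-based key wrapping, the iteration count and all function names are assumptions of this illustration). It shows the property the excerpt emphasizes: the server record holds a salt, a public key and a wrapped private key, and rebuilding the KEK requires both the account password and the device-generated secret key, neither of which is ever stored server-side.

```python
"""Toy model of two-secret key derivation (2SKD) as described in the excerpt.
Added illustration only, not 1Password's code: the KDF choices, iteration
count, salt handling and the HMAC-based wrapping are assumptions for this demo.
"""
import hashlib
import hmac
import os
from typing import Optional


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF-SHA256 (RFC 5869) extract-then-expand, applied to the secret key."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_kek(account_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine both secrets into the key encryption key (KEK).

    The low-entropy password goes through a slow KDF; the high-entropy,
    device-generated secret key goes through HKDF; the two outputs are XORed
    so that neither secret alone (nor the server-held salt) rebuilds the KEK.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", account_password.encode("utf-8"), salt, 100_000, 32)
    sk_part = hkdf_sha256(salt, secret_key, b"2SKD-demo-kek", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in for a real cipher (demo only, not AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_private_key(kek: bytes, private_key: bytes) -> dict:
    """Encrypt-then-MAC the private key under the KEK."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(private_key, _keystream(kek, nonce, len(private_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_private_key(kek: bytes, blob: dict) -> Optional[bytes]:
    """Return the private key, or None when the KEK (so password or secret key) is wrong."""
    expected = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(kek, blob["nonce"], len(blob["ct"]))))


def enroll(account_password: str) -> tuple:
    """Device-side sign-up. Returns (server_record, secret_key, private_key).

    Only server_record is uploaded; the secret key and private key stay local.
    The 'private key' here is random bytes standing in for a real key pair.
    """
    secret_key = os.urandom(32)                                   # generated on the device
    private_key = os.urandom(32)                                  # stand-in private key
    public_key = hashlib.sha256(b"pub:" + private_key).digest()   # stand-in public key
    salt = os.urandom(16)
    kek = derive_kek(account_password, secret_key, salt)
    server_record = {
        "salt": salt,
        "public_key": public_key,
        "wrapped_private_key": wrap_private_key(kek, private_key),
    }
    return server_record, secret_key, private_key


def login(server_record: dict, account_password: str, secret_key: bytes) -> Optional[bytes]:
    """Device-side unlock: rebuild the KEK locally from both secrets and unwrap."""
    kek = derive_kek(account_password, secret_key, server_record["salt"])
    return unwrap_private_key(kek, server_record["wrapped_private_key"])


def server_holds_secret(server_record: dict, *candidates: bytes) -> bool:
    """True if any candidate secret appears verbatim in what the server stores."""
    stored = [server_record["salt"], server_record["public_key"],
              *server_record["wrapped_private_key"].values()]
    return any(c in blob for c in candidates for blob in stored)


if __name__ == "__main__":
    record, sk, priv = enroll("correct horse battery staple")
    print("right password + secret key:", login(record, "correct horse battery staple", sk) == priv)
    print("right password, wrong secret key:", login(record, "correct horse battery staple", bytes(32)))
    print("server stores any secret verbatim:", server_holds_secret(record, sk, priv))
```

    The point of the XOR step is that a leaked server record plus a guessed password still leaves an attacker one 256-bit secret short, which is why the excerpt stresses that the secret key is generated on, and never leaves, the device.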

    Jacob Roach


  • Passwords Won’t Secure Your Identity. Here’s What Will. | Entrepreneur

    Opinions expressed by Entrepreneur contributors are their own.

    Our lives have migrated to a virtual world to the point where our emails have become an entry point to our identity. Medical records, employment history, education, world views, and everything else that pertains to who we are as people likely have some form of digital footprint that can be traced back to us. While this can translate to seamless convenience, whether personalized recommendations or quick product deliveries, there remains a risk of exposure that threat actors constantly exploit.

    The tech titans who handle our data and boast a robust security infrastructure are the same ones who lost control of our data. With 16 billion Apple, Facebook, Google and other passwords leaked, a large question mark looms over the reliability of traditional security systems. The centralized databases and login processes of yesteryear are simply unable to keep up with today’s increasingly sophisticated cyber threats. Our passwords and two-factor authentication fall short in securing our digital identities.

    Related: Why Businesses Should Implement Passwordless Authentication Right Now

    Digitization outpacing security

    Digitization has become deeply entrenched in the fabric of how we operate as a society on a global scale, with 5.56 billion people online today and 402.74 million terabytes of data generated on a daily basis. The dizzying numbers demonstrate the breakneck speed with which every aspect of our lives has taken a virtual shape, and with it, the proliferation of the conversation about how we secure the digital world we have created.

    With the current security measures in use, cybercrime is expected to cost over $639 billion in the United States this year, with the costs expected to balloon as far as $1.82 trillion by 2028. In light of such projected costs, developing a secure infrastructure is a priority that requires immediate attention; disregarding it puts digital identity at risk.

    Decentralize to prevent compromise

    The centralized databases of tech titans mean there is one location, one source of truth, and if it is compromised, everything it contains is leaked, as happened with the leaked passwords. If not a leak, then a ransomware attack that disrupts the systems on which our digital lives operate. This kind of disruption can cascade to fundamental services such as healthcare, as a recent ransomware attack caused a system-wide tech outage at a large network of medical centers in Ohio, cancelling inpatient and outpatient procedures.

    Centralization’s single point of failure calls for a shift in how to operate tech infrastructures — a shift to decentralized data storage. Unlike centralized systems, blockchain networks distribute data across a large multitude of nodes that are in constant verification of one another through cryptographic consensus. To verify the data, the majority of nodes must be in agreement, a majority that rejects tampered “blocks” or compromised nodes. This means that there is no single repository that can be compromised, as attackers would need to compromise the majority of the nodes, a task immensely more challenging than the common compromise of a centralized server.

    Related: Passwords Are Scarily Insecure. Here Are a Few Safer Alternatives.

    Use the physical to verify the virtual

    The beauty of blockchain technology is its ownership element. As everything is secured by cryptography, the only way to “decrypt” the data and access it is through your own private keys. However, if a threat actor is to gain access to your private keys, they also gain access to your data and funds, posing a threat that puts in question how secure the shift from centralized to decentralized storage really is.

    If a private key is proof of one’s identity, then its loss equates to the loss of one’s digital identity, a risk that can only be guarded against by undeniable proof that the owner of the keys is indeed who they claim to be. This is where biometric authentication becomes the final piece in the puzzle of securing one’s digital identity in a decentralized infrastructure.

    Using one’s fingerprint in an offline environment for identity verification not only ensures ownership of data and its security but also prevents the exposure of biometric data to a server where it could be breached. This creates a new paradigm that deems passwords and two-factor authentication obsolete. Building on such a methodology opens pathways for a secure digital identity and KYC verification on a decentralized infrastructure, leaving no room for threat actors to compromise digital identities.

    The conversation on digital security is the result of an absolute necessity in the face of increasingly sophisticated cyber attacks. However, adding uppercase letters, symbols and numbers to your password will not be enough. The added layer of two-factor authentication will not be enough either. More steps do not equate to more security. The future of security lies in an infrastructure shift from the centralized to the decentralized, protected by a layer of biometric authentication that ensures that one’s digital identity is secured.


    Venket Naga


  • These are the Password Managers You Should Use Instead of Your Browser

    Setting up and migrating to Dashlane from another password manager is simple, and you’ll use a secret key to encrypt your passwords, much like Bitwarden’s setup process. In practice, Dashlane is very similar to the others on this list. Dashlane offers a 30-day free trial, so you can test it out before committing.

    After signing up, download the app for Android and iOS, and grab the browser extensions for Firefox, Chrome, and Edge.


    Best for Bundled Services

    Photograph: Nordpass

    You might know Nord better for its VPN service, but the company also offers a password manager, NordPass, and a pretty nice online storage system, NordLocker. A part of the appeal of NordPass comes in bundling it with the company’s other services for some compelling deals. As a password manager, NordPass offers everything you need. It uses a zero-knowledge setup in which all data is encrypted on your device before it’s uploaded to the company’s servers. Unlike most services here, NordPass uses XChaCha20 for encryption. It would require a deep dive into cryptography to get into the differences, but the short story is that it’s just as secure and maybe slightly faster than the AES-256 encryption used by other services.

    There’s a personal information storage feature to keep your address, phone number, and other personal data safe and secure, but easy to access. NordPass also offers an emergency access feature, which allows you to grant another NordPass user emergency access to your vault. It works just like the same feature in 1Password, allowing trusted friends or family to access your account if you cannot.

    Other nice features include support for two-factor authentication to sign in to your account, as well as security tools to evaluate the strength of your passwords and alert you if any of your data is compromised. Note that NordPass Premium nominally costs $3 a month, but there are always sales that bring the price much lower.

    The downside, and my one gripe about all Nord services, is that there is no monthly plan. As noted above, the best deal comes in combining NordPass, NordVPN, and NordLocker for a bundled deal. A free version of NordPass is available, but it’s restricted to only a single device.

    After signing up, download the app for Android and iOS, and grab the browser extensions for Firefox, Chrome, and Edge.


    Best DIY Options (Self-Hosted)

    Want to retain more control over your data in the cloud? Sync your password vault yourself. The services below do not store any of your data on their servers, which means attackers have nothing of yours to target there. Instead of storing your passwords, these services use a local vault to store your data, and then you can sync that vault using a file-syncing service like Dropbox, NextCloud, or Edward Snowden’s recommended service, SpiderOak. There are two services to keep track of in this scenario, making it a little more complex. But if you’re already using a file-syncing service, this can be a good option.

    You can also properly host your own vault with network-attached storage or a local server.

    Screenshot of Enpass password manager app on desktop

    Courtesy of Enpass

    Enpass does not store any data on its servers. Syncing is handled through third-party services. Enpass doesn’t do the syncing, but it does offer apps on every platform. That means once you have syncing set up, it works just like any other service. And you don’t have to worry about Enpass being hacked, because your data isn’t on its servers. Enpass supports syncing through Dropbox, Google Drive, OneDrive, iCloud, Box, Nextcloud, or any service using WebDAV. Alas, SpiderOak is not currently supported. You can also synchronize your data over a local WLAN or Wi-Fi network.

    All of the features you expect in a password manager are here, including auto-generating passwords, breach-monitoring, biometric login (for devices that support it), auto-filling passwords, and options to store other types of data, like credit cards and identification data. There’s also a password audit feature to highlight any weak or duplicate passwords in your vault. One extra I particularly like is the ability to tag passwords for easier searching. Enpass also makes setting up the syncing through the service of your choice very easy. Enpass added support for passkeys, too.

    Scott Gilbertson, Jacob Roach


  • 2.5 Billion Gmail Users At Risk from Data Breach – KXL

    MOUNTAIN VIEW, Cal. — Google has sent out an updated warning to billions of Gmail users about a massive data breach.

    Google says around 2.5 billion users are urged to reset their passwords immediately and to tighten security after the contact information of small and medium-sized businesses was hacked. KXL Tech Expert Brian Westbrook says Gmail users should also be on guard for phishing attacks. He recommends that when users change their passwords, they make sure the new one is unique, retire the old Gmail password, and use two-factor authentication going forward.


    Brett Reckamp


  • The War on Passwords Is One Step Closer to Being Over


    The password-killing tech known as “passkeys” has proliferated over the past two years, developed by the tech industry association known as the FIDO Alliance as an easier and more secure authentication alternative. And although superseding any technology as entrenched as passwords is difficult, new features and resources launching this week are pushing passkeys toward a tipping point.

    At the FIDO Alliance’s Authenticate Conference in Carlsbad, California, on Monday, researchers are announcing two projects that will make passkeys easier for organizations to offer—and easier for everyone to use. One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded. The other is a website, called Passkey Central, where developers and system administrators can find resources like metrics and implementation guides that make it easier to add support for passkeys on existing digital platforms.

    “To me, both announcements are part of the broader story of the industry working together to stop our dependence on passwords,” Andrew Shikiar, CEO of the FIDO Alliance, told WIRED ahead of Monday’s announcements. “And when it comes to CXP, we have all these companies who are fierce competitors willing to collaborate on credential exchange.”

    CXP comprises a set of draft specifications developed by the FIDO Alliance’s “Credential Provider Special Interest Group.” Development of technical standards can often be a fraught bureaucratic process, but the creation of CXP seems to have been positive and collaborative. Researchers from the password managers 1Password, Bitwarden, Dashlane, NordPass, and Enpass all worked on CXP, as did those from the identity provider Okta, as well as Apple, Google, Microsoft, Samsung, and SK Telecom.

    The specifications are significant for a few reasons. CXP was created for passkeys and is meant to address a longstanding criticism that passkeys could contribute to user lock-in by making it prohibitively difficult for people to move between operating system vendors and types of devices. In many ways, though, this problem already exists with passwords. Export features that allow you to move all of your passwords from one manager to another are often dangerously exposed and essentially just dump a list of all of your passwords into a plaintext file.

    It’s gotten much easier to sync passkeys across your devices through a single password manager, but CXP aims to standardize the technical process for securely transferring them between platforms so users are free—and safe—to roam the digital landscape. Importantly, while CXP was designed with passkeys in mind, it is really a specification that can be adapted to securely exchange other secrets as well, including passwords or other types of data.

    Lily Hay Newman


  • The US Could Finally Ban Inane Forced Password Changes


    Researchers found a vulnerability in a Kia web portal that allowed them to track millions of cars, unlock doors, honk horns, and even start engines in seconds, just by reading the car’s license plate. The findings are the latest in a string of web bugs that have impacted dozens of carmakers. Meanwhile, a handful of Tesla Cybertrucks have been outfitted for war and are literally being battle-tested by Chechen forces fighting in Ukraine as part of Russia’s ongoing invasion.

    As Israel escalates its attacks on Lebanon, civilians on both sides of the conflict have been receiving ominous text messages—and authorities in each country are accusing the other of psychological warfare. The US government has increasingly condemned Russia-backed media outlets like RT for working closely with Russian intelligence—and many digital platforms have removed or banned their content. But they’re still influential and trusted alternative sources of information in many parts of the world.

    And there’s more. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    A new draft of the US National Institute of Standards and Technology’s “Digital Identity Guidelines” finally takes steps to eliminate reviled password management practices that have been shown to do more harm than good. The recommendations, which will be mandatory for US federal government entities and serve as guidelines for everyone else, ban the practice of requiring users to periodically change their account passwords, often every 90 days.

    The policy of regularly changing passwords evolved out of a desire to ensure that people weren’t choosing easily guessable or reused passwords, but in practice, it causes people to choose simple or formulaic passwords so they will be easier to keep track of. The new recommendations also ban “composition rules,” like requiring a certain number or mix of capital letters, numbers, and punctuation marks in each password. NIST writes in the draft that the goal of the Digital Identity Guidelines is to provide “foundational risk management processes and requirements that enable the implementation of secure, private, equitable, and accessible identity systems.”

    The US Department of Justice unsealed charges on Friday against three Iranian men who allegedly compromised Donald Trump’s presidential campaign and leaked stolen data to media outlets. Microsoft and Google warned last month that an Iranian state-sponsored hacking group known as APT42 had targeted both the Joe Biden and Donald Trump presidential campaigns, and successfully breached the Trump campaign. The DOJ claims the hackers compromised a dozen people as part of their operation, including a journalist, a human rights advocate, and several former US officials. More broadly, the US government has said in recent weeks that Iran is attempting to interfere in the 2024 election.

    “The defendants’ own words made clear that they were attempting to undermine former President Trump’s campaign in advance of the 2024 U.S. presidential election,” Attorney General Merrick Garland said at a press conference on Friday. “We know that Iran is continuing with its brazen efforts to stoke discord, erode confidence in the US electoral process, and advance its malign activities.”

    The Irish Data Protection Commission fined Meta €91 million, or roughly $101 million, on Friday for a password storage lapse in 2019 that violated the European Union’s General Data Protection Regulation. Following a report by Krebs on Security, the company acknowledged in March 2019 that a bug in its password management systems had caused hundreds of millions of Facebook, Facebook Lite, and Instagram passwords to be stored without protection in plaintext in an internal platform. Ireland’s privacy watchdog launched its investigation into the incident in April 2019.

    “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Irish DPC deputy commissioner Graham Doyle said in a statement. “It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”

    The digital anonymity nonprofit the Tor Project is merging with privacy- and anonymity-focused Linux-based operating system Tails. Pavel Zoneff, the Tor Project’s communications director, wrote in a blog post on Thursday that the move will facilitate collaboration and reduce costs, while expanding both groups’ reach. “Tor and Tails provide essential tools to help people around the world stay safe online,” he wrote. “By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.”

    Lily Hay Newman

  • Google Just Made Entering Passwords on Desktop a Thing of the Past

    Taking a page out of Apple’s book, Google is trying to make logging in across devices much easier via passkeys.

    Previously, Google only allowed passkeys on the Google Password Manager for Android. In a blog post posted Thursday, the company announced that it’s extending the passkeys feature on its proprietary Password Manager to cover your desktop, too, hoping to “[move] us one step closer to a passwordless future.”

    The update has already been rolled out to Windows, macOS, and Linux, with ChromeOS being in beta testing at the moment. Support for iOS is reportedly in the works too, though Google has only said that it will be “coming soon,” according to Tom’s Guide.

    While you could previously use the passkeys on Google Password Manager on other devices, you were required to scan a QR code using your Android device. This extra layer has now been removed. To sign in to sites on a desktop now, you can simply use fingerprint or face lock, which is not only much quicker than entering a password, but considerably safer, too. It’s also clear that Google isn’t only trying to make logging in faster and easier, but is also making sure that we use passkeys to sign in across all new sites and apps.

    Once your passkeys are synced across your devices, all you need is your biometrics to sign in. But to create passkeys, access saved ones on your devices, or start using passkeys on a new device, Google will require you to input a six-digit end-to-end encrypted PIN that it claims “can’t be accessed by anyone, not even Google.” This will add an extra layer of security to the biometrics login. You’d also be able to unlock your Android screen to use passkeys on a new device for the first time.

    The six-digit PIN option is what’s available by default. If you’re not comfortable with the thought of all your precious data being behind six digits, you can go into PIN options and create a longer alpha-numeric PIN.

    This update reminded me of Apple making logging in across devices easier with the introduction of the Passwords app announced for its new software, iOS 18, iPadOS 18, and MacOS 15, at its annual Worldwide Developers Conference in June. Just like Google, Apple also already managed passwords via its iCloud Keychain, but decided it was time for a dedicated password manager app to make the process more efficient, especially since Keychain was notorious for being glitchy.

    Dua Rashid

  • The US Government Is Asking Big Tech to Promise Better Cybersecurity

    The pledge offers examples of how companies can meet the goals, although it notes that companies “have the discretion to decide how best” to do so. The document also emphasizes the importance of companies publicly demonstrating “measurable progress” on their goals, as well as documenting their techniques “​​so that others can learn.”

    CISA developed the pledge in consultation with tech companies, seeking to understand what would be feasible for them while also meeting the agency’s goals, according to Goldstein. That meant making sure the commitments were feasible for companies of all sizes, not just Silicon Valley giants.

    The agency originally tried using its Joint Cyber Defense Collaborative to prod companies into signing the pledge, according to the tech industry official, but that backfired when companies questioned the use of an operational cyberdefense collaboration group for “a policy and legal issue,” the industry official says.

    “Industry expressed frustration about trying to use the JCDC to obtain pledges,” the official says, and CISA “wisely pulled back on that effort.”

    CISA then held discussions with companies through the Information Technology Sector Coordinating Council and tweaked the pledge based on their feedback. Originally, the pledge contained more than seven goals, and CISA wanted signatories to commit to “firm metrics” for showing progress, according to the industry official. In the end, this person says, CISA removed several goals and “broadened the language” about measuring progress.

    John Miller, senior vice president of policy, trust, data, and technology at the Information Technology Industry Council, a major industry trade group, says that change was smart, because concrete progress metrics—like the number of users using multi-factor authentication—could be “easily misconstrued.”

    Goldstein says the number of pledge signatories is “exceeding my expectations about where we’d be” at this point. The industry official says they’re not aware of any company that has definitively refused to sign the pledge, in part because vendors want to “keep open the option of signing on” after CISA’s launch event at RSA. “Everyone’s in a kind of wait-and-see mode.”

    Legal liability is a top concern for potential signatory companies. “If there ends up being, inevitably, some type of security incident,” Miller says, “anything [a] company has said publicly could be used in lawsuits.”

    That said, Miller predicts that some global companies facing strict new European security requirements will sign the US pledge to “get that credit” for something they already have to do.

    CISA’s Secure by Design campaign is the centerpiece of the Biden administration’s ambitious plan to shift the burden of cybersecurity from users to vendors, a core theme of the administration’s National Cybersecurity Strategy. The push for corporate cyber responsibility follows years of disruptive supply-chain attacks on critical software makers like Microsoft, SolarWinds, Kaseya, and Change Healthcare, as well as a mounting list of widespread software vulnerabilities that have powered ransomware attacks on schools, hospitals, and other essential services. White House officials say the pattern of costly and often preventable breaches demonstrates the need for increased corporate accountability.

    Eric Geller

  • 23andMe says hackers accessed 'significant number' of files about users' ancestry | TechCrunch

    Genetic testing company 23andMe announced on Friday that hackers accessed around 14,000 customer accounts in the company’s recent data breach.

    In a new filing with the U.S. Securities and Exchange Commission published Friday, the company said that, based on its investigation into the incident, it had determined that hackers had accessed 0.1% of its customer base. According to the company’s most recent annual earnings report, 23andMe has “more than 14 million customers worldwide,” which means 0.1% is around 14,000.

    But the company also said that by accessing those accounts, the hackers were also able to access “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature.”

    The company did not specify what that “significant number” of files is, nor how many of these “other users” were impacted.

    23andMe did not immediately respond to a request for comment, which included questions on those numbers.

    In early October, 23andMe disclosed an incident in which hackers had stolen some users’ data using a common technique known as “credential stuffing,” whereby cybercriminals hack into a victim’s account by using a known password, perhaps leaked due to a data breach on another service.

    The damage, however, did not stop with the customers who had their accounts accessed. 23andMe allows users to opt into a feature called DNA Relatives. If a user opts in to that feature, 23andMe shares some of that user’s information with others. That means that by accessing one victim’s account, hackers were also able to see the personal data of people connected to that initial victim.

    23andMe said in the filing that for the initial 14,000 users, the stolen data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” For the other subset of users, 23andMe only said that the hackers stole “profile information” and then posted unspecified “certain information” online.

    TechCrunch analyzed the published sets of stolen data by comparing them to known public genealogy records, including websites published by hobbyists and genealogists. Although the sets of data were formatted differently, they contained some of the same unique user and genetic information that matched genealogy records published online years earlier.

    The owner of one genealogy website, some of whose relatives’ information was exposed in 23andMe’s data breach, told TechCrunch that they have about 5,000 relatives discovered through 23andMe, and said our “correlations might take that into account.”

    News of the data breach surfaced online in October when hackers advertised the alleged data of one million users of Jewish Ashkenazi descent and 100,000 Chinese users on a well-known hacking forum. Roughly two weeks later, the same hacker who advertised the initial stolen user data advertised the alleged records of four million more people. The hacker was trying to sell the data of individual victims for $1 to $10.

    TechCrunch found that another hacker on a different hacking forum had advertised even more allegedly stolen user data two months before the advertisement that was initially reported by news outlets in October. In that first advertisement, the hacker claimed to have 300 terabytes of stolen 23andMe user data, and asked for $50 million to sell the whole database, or between $1,000 and $10,000 for a subset of the data.

    In response to the data breach, on October 10, 23andMe forced users to reset and change their passwords and encouraged them to turn on multi-factor authentication. And on November 6, the company required all users to use two-step verification, according to the new filing.

    After the 23andMe breach, other DNA testing companies Ancestry and MyHeritage started mandating two-factor authentication.

    Lorenzo Franceschi-Bicchierai

  • Get a Lifetime of Password Protection for $20 During the Labor Day Sale | Entrepreneur

    Disclosure: Our goal is to feature products and services that we think you’ll find interesting and useful. If you purchase them, Entrepreneur may get a small share of the revenue from the sale from our commerce partners.

    Cyber attacks may seem like an abstract threat, but there are very real things you can do to help prevent threats to your business. A recent TraceSecurity report found that 81% of company data breaches were caused simply by poor passwords.

    Improving your password security involves a bit more than adding a few digits to your company login. If you want more comprehensive password security assistance, the trick is to get a good password manager like Sticky Password. This Premium Password Manager can generate, save, and autofill an unlimited number of encrypted passwords, and it has been marked down to $19.97 during the Labor Day Sale.

    Get a password manager for life for Labor Day.

    Sticky Password is a simple service that generates, saves, and fills in your passwords for you. Once you log in, you can enter your passwords for each account you want to connect. Once a password is saved, Sticky Password will sync with the devices on your account. You can even save your password data locally so there’s no vulnerable information online.

    A Sticky Password Premium Plan comes with some extra bonuses suited to the more advanced security needs of a business versus an individual. The Premium Plan includes unlimited encrypted passwords and data storage, automatic form-filling, password generation, a secure digital wallet, support for two-factor and biometric authentication, and connection on all your mobile and desktop devices. Plus, you get a secure cloud backup with all your password data and priority support.

    It’s no wonder Sticky Password received a rave review from PCMag, which wrote, “Sticky Password Premium does everything you’d expect from a password manager and more. New biometric authentication and no‑cloud Wi‑Fi sync make it an even better choice.”

    Purchase privacy this Labor Day.

    Worried about your business’s online security? Start by protecting your passwords.

    During our Labor Day Sale through September 4 at 11:59 p.m. PT, get a lifetime subscription to Sticky Password Premium for just $19.97 — no coupon required.

    Prices subject to change.

    Entrepreneur Store

  • Why Businesses Should Go Passwordless as Soon as Possible | Entrepreneur

    Opinions expressed by Entrepreneur contributors are their own.

    In the privacy-driven business environment, passwords are gradually becoming obsolete. Did you know that the first digital password debuted in the 1960s? Since then, passwords have remained essentially the same, despite several improvements to digital identification and verification.

    Certainly, passwords are a holdover from the era before cyber crime and password-based attacks became a serious and pervasive issue. With the proliferation of technology and user accounts, major challenges have emerged due to passwords, including the need for users to remember numerous passwords, support expenses and — most importantly — the security concerns posed by stolen credentials. As a result, the case for eliminating passwords from the authentication process becomes more compelling every day. This is where passwordless authentication comes to the rescue.

    What is passwordless authentication?

    Passwordless authentication eliminates the need for a password by allowing users’ identities to be verified by their biometrics or other possessions, thereby minimizing security vulnerabilities. Backing this statement, Microsoft claims that combining biometrics and possession authentication reduces account security risks by 99.9%.

    Considering the vulnerabilities of password-based authentications, businesses must take the necessary actions to implement passwordless authentication as soon as possible to secure their users’ data and identities. In light of that, I’ll explain why this is the ideal time for businesses to use passwordless authentication.

    Given current technological advancements, it is evident that authentication techniques have also advanced significantly over the years, providing us with safer and more beneficial alternatives for authentication. So why do we still secure our data using old and ineffective techniques like password-based authentication?

    Fortunately, businesses are now quickly evolving to replace passwords, since technology and its users continue to grow along with the demand for branding, visibility and application efficiency, and this shift leads to enhanced data privacy and security.

    Considering the potential dangers and inconveniences involved with using passwords, many businesses are now moving on from passwords and switching to more secure authentication methods like passwordless authentication. Furthermore, given the surge in cyber attacks and credential theft, abandoning passwords is highly advantageous, and when done correctly, it increases security and convenience.

    Why businesses should consider going passwordless right now

    When businesses adopt passwordless, they must first identify the drawbacks of using passwords and weigh the benefits of a passwordless future. In that context, it is essential to consider security, authenticity and applicability. The critical justifications for businesses to take the passwordless route are outlined in the list below.

    Get rid of exhausting password management:

    For users, it’s easy to mistype or forget passwords for their accounts. They eventually develop weak passwords like p@ssw0rd or Password*12345 to make them easier to remember. Moreover, many users tend to write them down on sticky notes or save them in a computer document, compromising critical information security.

    With passwordless authentication, however, there are no passwords to remember, since it relies only on authentication factors like email or SMS OTP, magic links and biometrics. Also, businesses can save users’ time by eliminating the need to hunt for the right password or go through frequent password resets, thereby making the user experience seamless.

    Reduce the cost of IT support:

    According to Forrester research, businesses spend up to $1 million annually on equipment and personnel to handle password resets. Fortunately, password-related expenditures, including password storage and administration costs, can be drastically reduced with passwordless authentication.

    Decrease the likelihood of password-based attacks:

    Businesses are becoming increasingly susceptible to password-based attacks, but only a few are equipped to defend against them. Passwords are highly vulnerable to cyber attacks, which can be deceptively subtle and take various forms. However, by using passwordless authentication, this risk is minimized. Going passwordless necessitates an initial infrastructure investment, but it can eventually lower the cost of password management.

    Users’ information is safer when passwords are eliminated:

    Years of experience have made it easy for cyber criminals to guess, steal or acquire passwords. For instance, Microsoft reported that 44 million accounts were at risk of account takeover due to stolen or compromised passwords.

    Also, a Google poll revealed that 65% of users repeat passwords across numerous accounts or websites. Given these statistics, it is probable that passwords have already caused threats and will continue to do so to the detriment of businesses and their users. Businesses cannot fully influence users’ behavior, but by going passwordless, they may decrease the likelihood of a cyber attack.

    Passwordless authentication increases conversion rates:

    Businesses that make login processes more seamless for users get higher conversion rates. When logging in with passwords, users often give up halfway through the procedure since they find it too difficult or time-consuming to complete. For instance, VTEX, a cloud-based ecommerce platform, claims that getting rid of password-based logins, which reduces login friction, can increase conversions by up to 54%.

    The aforementioned reasons are some critical aspects that should drive businesses to adopt passwordless as soon as possible.

    Since the risks associated with passwords continue to rise, businesses must swiftly move on from passwords in favor of efficient passwordless multi-factor authentication systems. Businesses that implement it correctly will increase security while enhancing user comfort for authentication. The decision to start a passwordless journey depends on your business model and needs.

    Going passwordless is more likely to be an evolutionary rather than a revolutionary process. Even though it won’t happen overnight, businesses can gradually transition to a passwordless future by carefully planning their strategy and roadmap toward the end vision. And businesses aware of all the considerations and standards will be in a good position to design a passwordless journey to prevent identity threats, provide excellent digital experiences and increase brand exposure.

    Deepak Gupta

  • How to Protect Your Business Through Secure Digital Experiences | Entrepreneur

    Passwords were once seen as a credible way to improve security, but with the advancing threat landscape and the increase in bad actors using easy-to-crack passwords as an entry point for far-reaching crimes, passwords have outlived their usefulness in providing the necessary level of security. Given threats ranging from social engineering to phishing and brute-force attacks, passwords can be one piece of the security puzzle, but a multi-layered approach is now best for ultimate cyber resilience.

    A major inhibitor to password effectiveness is the inconvenience, which promotes the reuse of the same weak password across multiple accounts. A recent survey of consumers worldwide found that 61% will choose a competitor offering an easier login experience, and 59% admitted they abandoned an online experience because the login experience was too frustrating.

    In a convenience-wins world, one way to earn customer loyalty is to provide a passwordless experience where individuals aren’t burdened by the headaches of changing, managing and constantly inputting passwords while still feeling confident that their data is secure.

    Understanding passwordless

    Passwordless authentication can be delivered using multiple digital experiences, each with its own advantages, which can serve different types of users. For example:

    • Biometrics: physical characteristics captured by your device, like fingerprints or facial recognition, to verify a user’s identity.
    • Security keys: physical devices that generate one-time codes used for authentication.
    • Email magic link: sends a secure login link to your email address for seamless access.
    • QR codes: highly secure authentication that doesn’t require entering a username or password.

    The highly personal and multi-step nature of these authentication methods makes them more secure and more difficult to compromise. They’re also easier and more convenient and eliminate the need to remember multiple passwords or be tempted to reuse the same one across multiple accounts. Many of these methods can be implemented to support high-security requirements by using phishing-resistant standards (including FIDO and WebAuthn).

    Tailoring authentication needs to the industry

    Retail, finance and insurance industries all have different requirements for authentication, and experiences need to be tailored to fit a range of security and consumer needs. The key is always ensuring that the online identity represents the real human it claims. This diligence is necessary for protecting against fraudulent activity and ensuring the security of sensitive information.

    Retail websites often require less complex methods, such as an email magic link. In contrast, insurance and financial websites may require more rigorous methods, such as document verification from a driver’s license or passport and biometric authentication to comply with regulatory requirements.

    Using machine learning in passwordless authentication

    One benefit of passwordless is that it can be simplified by using artificial intelligence to analyze user behavior, identify patterns, and assess risk. Using machine learning algorithms to analyze user activity and log typical (or flag atypical) behavior patterns is a good example. These patterns – such as how a user types on a keyboard, the websites they prefer to visit, or what time of day they log in – could then be used to authenticate the user without the need for a password.

    This intelligence also identifies potential threats and vulnerabilities by monitoring user activity and analyzing data. Organizations can identify patterns that may indicate a security threat or vulnerability and take action to mitigate the risk. Implementing the correct tools here can help prevent bot and account takeover (ATO) attacks.

    Steps to creating a passwordless experience

    If you see the benefits of creating a passwordless experience for employees and customers, here is how you get there:

    1. Design a strategy that maps your customer journeys for their first visit and return visits, including which types of devices, computers, and browsers they will likely be using and how often they will be on the site. Ensure that your passwordless authentication methods are compatible with your customers’ devices and platforms.
    2. Assess the amount of identity assurance needed against the friction customers are willing to endure. Regardless of the type of website, choosing the right method is crucial. Organizations must select an authentication method that aligns with their customers’ needs and their platform’s requirements. For instance, facial recognition is a convenient option for mobile devices, while security keys are more suitable for desktop environments.
    3. Give a passwordless option, even if some customers keep passwords because they’re more comfortable with them. This allows a company to cater to a broader range of user preferences and needs. Include education on passwordless such as how it works and how to use it. Many users are accustomed to using passwords and may be hesitant to try a new authentication method. Providing clear and concise information on passwordless authentication and its security advantages can help steer customers toward this option.
    4. Use intelligence to reduce friction for a seamless user experience. Authentication should be simple and intuitive for users without requiring additional steps or creating unnecessary friction. Placing risk and context awareness toolsets in your authentication flow ensures friction is low and security remains strong.
    5. Extensively test with people who represent your user population. The people at your company are likely not the targets of your service, so be sure to test the right individuals to ensure its efficacy, compatibility and ease of use. Testing should be done with different devices, browsers, and operating systems.

    Achieving a passwordless future

    The security of a website isn’t solely dependent on the presence or absence of passwords. Other security methods, including encryption, access controls, and security protocols, also play a valuable role in website security. Still, passwordless authentication and verification are important aspects of a comprehensive security strategy.

    With the increasing security risks associated with passwords, the shift toward a passwordless future can provide significant benefits for both businesses and customers. With the right approach, passwordless authentication can become the norm for all customers as they access online accounts and services, making seamless and secure digital experiences commonplace.

    Jason Oeltjen

  • AI Can Crack Most Passwords Instantly, Make Yours Safer Now | Entrepreneur

    In our ever-expanding digital world, passwords are an inevitability: email, apps, subscriptions and loyalty programs — nearly everything is designed to be secure behind a self-set code that permits entry. According to technology site TechCo, the average person has about 100 passwords, so it’s no surprise that when signing up for a new account, individuals can sometimes get lazy with word choice. However, there’s a new source of password risk: artificial intelligence.

    A new report by Home Security Heroes found that 51% of common passwords can be cracked in less than a minute using an AI password cracker, and 81% can be cracked in less than a month.

    Home Security Heroes used the AI password cracker PassGAN to run through a list of 15,680,000 passwords. The odds of AI decoding one’s password increase when a password has few characters and lacks variety (only lowercase letters, only numbers, etc.). Even so, it found that it took PassGAN less than six minutes to crack a password of seven characters, even when it contained symbols.

    How to set a password that’s safe from AI:

    According to Home Security Heroes’ findings, it takes AI significantly longer to crack a password with more characters and variety. In essence: The longer the password and the more letters, numbers and symbols you use, the safer it is from AI.

    A password with 14 characters composed of upper and lower case letters, symbols and numbers takes AI an average of 187 million years to crack, as opposed to a password of seven characters composed of just upper and lower case letters — which takes AI an average of 22 seconds to crack.

    Although it might be more time-consuming, if you want to ensure password security as AI technology advances, it’s best to keep your passwords at least 10 characters long, with some combination of upper and lower case letters, symbols and numbers.
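    As an added example, not part of the Entrepreneur article, the following Python check applies the article’s recommendation (at least 10 characters drawing on upper case, lower case, digits and symbols) and estimates the brute-force search space a candidate password presents. The four character-class sizes (26/26/10/32 printable ASCII) and the 10-character minimum are assumptions taken from the text, and the sample passwords are constructed.

```python
import math
import string

# Character classes and their sizes; the symbol class is assumed to be the
# 32 printable ASCII punctuation characters in string.punctuation.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

MIN_LENGTH = 10  # the article's recommended minimum length

def present_classes(password):
    """Return the names of the character classes the password actually uses."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def search_space_bits(password):
    """log2 of the brute-force search space: (sum of used class sizes) ** length.
    Models an attacker who knows which classes are in play; dictionary attacks
    on common words are a separate, cheaper path this number does not capture."""
    alphabet = sum(len(CLASSES[name]) for name in present_classes(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)

def meets_policy(password):
    """True when the password is at least MIN_LENGTH long and uses all four classes."""
    return len(password) >= MIN_LENGTH and present_classes(password) == set(CLASSES)

def policy_report(password):
    """Explain why a password passes or fails, so a signup form can give actionable feedback."""
    missing = set(CLASSES) - present_classes(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters (need {MIN_LENGTH})")
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    return {"ok": not problems, "bits": round(search_space_bits(password), 1), "problems": problems}

if __name__ == "__main__":
    # Constructed samples mirroring the article's comparison: seven mixed-case
    # letters versus fourteen characters drawn from all four classes.
    for pw in ["Abcdefg", "Tr7!kQ9#mZ2@pL", "pizza123"]:
        print(pw, policy_report(pw))
```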


    Madeline Garfinkle


  • Keep Your Accounts Secure with This Password Manager, Now Just $23.97 for Life | Entrepreneur


    Disclosure: Our goal is to feature products and services that we think you’ll find interesting and useful. If you purchase them, Entrepreneur may get a small share of the revenue from the sale from our commerce partners.

    There are a lot of things to keep tabs on when you’re a busy entrepreneur. There’s simply not enough time to stay on top of all of your passwords for various sites and apps and jot them down. You also need to make sure they’re difficult to crack to avoid being hacked, as cyber risks continue to grow.

    As an award-winning password manager that keeps your important info secure, Sticky Password Premium helps with both of those tasks. And you can score a lifetime subscription to Sticky Password Premium for just $23.97 — that’s $170 in savings.

    Avoid hitting the dreaded “forgot password” prompt again with help from Sticky Password Premium. This password management solution helps protect your important logins online: it not only generates strong, encrypted passwords but also remembers them all for you.

    Everything is managed by a single master password that you select, so your information stays secure, and all you have to do is remember one password of your choosing instead of dozens. Sticky also helps you automatically log in to any recognized site and helps you save and fill out passwords across the web.

    One user shared, “I recently started using Sticky Password to manage my passwords, and I’m very impressed with it. The interface is intuitive and easy to use, and I love that it can generate strong passwords for me.”

    A lifetime subscription to Sticky Password Premium is available for just $23.97, with no coupon code required, now through April 11 at 11:59 p.m. PT.

    Prices subject to change.

    Entrepreneur Store


  • If You Have a Business, You Have Passwords to Manage | Entrepreneur


    Disclosure: Our goal is to feature products and services that we think you’ll find interesting and useful. If you purchase them, Entrepreneur may get a small share of the revenue from the sale from our commerce partners.

    Working your way up to starting your own business is challenging, so it makes sense that many early startups are lean in terms of size and resources. While an IT team might be limited, the need for security and reliability remains as important as ever.

    Enter Dashlane. Dashlane helps streamline data security for companies of all sizes. It’s a password management platform that is trusted by over 20,000 companies — and for good reason: Dashlane keeps users’ data private and safe with best-in-class security.

    Dashlane encrypts all customer data with AES-256, the first publicly available open cipher approved by the NSA to protect information at the “Top Secret” level. Dashlane also uses Argon2 for key derivation, cutting-edge cryptography features, and automatic user-vault updates to keep your data as safe as possible.

    When you set your team up with Dashlane, you’ll save time and energy with easy deployment, end-to-end protection, and compatibility with G Suite, Microsoft, and several other identity providers. You’ll also get proactive breach notifications for everyone in your organization, and you can ensure maximum protection through effortless 2FA enforcement.

    There are many examples of how your Dashlane membership will save you and your business time. With Dashlane, you can access and manage all of your passwords in one place. You can share unlimited passwords without actually revealing them, and you can access accounts easily with seamless autofill features. A user can also store financial, medical, and personal information in their Dashlane vault.

    With its never-been-breached record, Dashlane maintains impressive average ratings of 4.5/5 stars on Trustpilot from over 4,000 reviews and 4.5/5 stars on the Google Play store from more than 175,000 reviews. It was also named App of the Day on the App Store.

    For more specific success stories, head to Dashlane’s website and learn how it helped organizations like Mercy Medical, which reported that it sped up access to its systems by 60 percent after signing up while improving both cybersecurity posture and HIPAA compliance. You also might enjoy the excellent case study chronicling how Dashlane helped RevGenius reduce its offboarding risks.

    Looking to try Dashlane for your business? Start a free trial today.

    StackCommerce


  • Here’s Why It’s Time to Move Away From Passwords


    Opinions expressed by Entrepreneur contributors are their own.

    It’s time to wake up to an uncomfortable truth: passwords aren’t going to keep us safe online anymore. A recent breach of Fast Company’s content management system (CMS) should prove it. The hacker, known as Thrax, seemed more interested in posting offensive messages and highlighting the weaknesses than in stealing data, but the situation nevertheless provides a stark reminder that passwords aren’t secure anymore.


    So, what’s the alternative?

    Granted, Fast Co.’s password management didn’t align with password management recommendations. Their CMS was protected by just a default password that would take modern cracking software about .00002 seconds to beat (it was pizza123. Yes, really). The fact that Fast Co. bills itself as a tech-savvy online publication doesn’t excuse this oversight, but it’s by no means unique. How many of us do the same — leaving easy-to-remember passwords in place across many of our accounts? Just like Fast Co., we assume there’s nothing there for a hacker to want and that we’re not a good target. But that doesn’t matter anymore, and it’s time we eliminate the password altogether. It has officially outlived its usefulness.

    Today, there are much better options than the humble password. Facial biometrics is the key to a world without passwords because of how unique our faces are. There are still challenges to sort out, of course, but as algorithms improve in accuracy, we’ll see a wholesale shift to face ID for identity verification.

    The most dependable path to widespread facial biometrics is a digital identity wallet. What sets this form of identity management apart from the face ID that unlocks your phone is the rigorous fraud prevention technology underpinning it. Liveness detection and other advances can prevent fraud of the kind that might otherwise fool less sophisticated facial recognition — techniques like presenting a photo, a deepfake or a 3D prosthetic mask.

    Your face, validated against an authentic government ID, allows you to unlock your device, access accounts and provide personal data to anyone. As a result, users and businesses can be more sure that their data is safe from fraud and theft. Instead of a password you know, your password becomes something you are, which is much more difficult for thieves to steal.


    Passwords are frustrating — and they don’t work

    It’s hard to imagine a digital world without passwords. They’ve become ubiquitous, and we take their existence for granted, which means that additional measures are just that — an addition to the password. But a password isn’t very secure, even in the rare circumstance when someone is diligent enough to follow best practices. Unfortunately, best practices happen to be incredibly difficult to manage, so businesses have added things like one-time passcodes or similar two-factor authentication (2FA). But it’s not enough — even 2FA can be simple to hack.

    Moving away from passwords will make for a much less frustrating user experience while strengthening security. Isn’t it effortless to unlock your phone with your face? Compare that with an experience that everyone has shared — forgetting a password. You have to click a link, receive a new link, then come up with a new, complex password you’ve never used before. If there’s one more step in the process, like receiving a verification code, it’s even worse. And the unfortunate point is that if your email has been compromised, anyone can reset your password. Your password has become a weakness allowing a hacker to access your most personal data.

    Passwords are also bad for companies. Businesses spend a significant amount of operational dollars on login issues. With facial biometrics, they could re-allocate these dollars to other initiatives. The cost savings from eliminating password reset-related costs and instead implementing a digital wallet technology typically generates a positive ROI over time, especially when you factor in the savings from the added security.

    We keep clinging to the password because we can’t imagine online life without it. The funny thing is, we’ve already caught glimpses of what life could be. Everything can be as easy as unlocking our phone with our face, and we’re not sacrificing security with facial biometrics. We are actually making our authentication processes stronger than ever. Our passwords have become a weakness in managing our identities, and it’s time to let them fade away for good.

    Jeff Jani
