Tag: password security

  • Our UPDATED Guide to MFA (Multi-Factor Authentication)

    Last year we had an article on our top picks for 2-factor authentication, and we’ve touched on what makes a good password before. We thought it would be a good idea to refresh our advice on this topic and combine our tips into one easy-to-revisit guide.

    One thing that we surprisingly haven’t recommended often before but would like to now is implementing Microsoft 365 2-factor authentication on your account. We utilize Microsoft products heavily in our business and we find many of our clients are the same: Microsoft software solutions are deeply woven into their day-to-day business activities. You can find our quick guide to implementing it in last week’s article here.

    We’ve also touched on how implementing 2-factor on your Google account could decrease the odds of your account being hacked by half. In many cases it really is as easy as turning on the built-in 2-factor settings in the accounts you utilize. You may not even need to install 2-factor authentication software; you can simply have the codes texted to your mobile device.

    Since this is a guide, though, we still want to give you a recommendation on that. For the most part we’ve utilized Microsoft’s authenticator program. We also found that Google’s Authenticator and Authy’s Authenticator mobile apps are very easy to use as well.

    It can be a little more convenient to have the 2-factor codes in one place, so you don’t have to request a code be texted every time you log in (especially if you have a lot of different logins you use throughout your workday).

    You may be asking yourself at this point, what’s wrong with just my plain old password? You may have typing it in down to muscle memory, and you don’t have to retrieve a code from anywhere. Well, this chart on how long it can take to crack a password based on specific criteria will tell you why:

    How long would it take to break your password?

    Of course, the more complex your password is, the greater the difficulty in cracking it. That brings us to our next bit of advice: utilize a password manager and have stronger (and varied) passwords.

    Across the board at Valley Techlogic our employees are using LastPass. We like that it’s cross-device and cross-platform, and we enjoy the warnings and alerts it gives us if a password has possibly been compromised or if we’re trying to reuse a password we’ve used before.

    However, any reputable password manager is going to be a big improvement over reusing simple passwords or trying to remember complicated ones.

    Even with a password manager, your passwords being compromised online is the main reason you should consider enabling 2-factor or multi-factor on your accounts. You can have strong, varied passwords and your passwords may still be leaked due to a breach that’s outside your control. Webpages are hacked all the time, and if your banking password is part of a data breach it can then become available to bad actors on the dark web.

    With 2-factor enabled however, it won’t matter if they have your password as they would still need your authenticator program or your mobile device to login to the account. We think it’s worth the (very slight) inconvenience of a few seconds to have that level of security.

    If you’re security conscious and want to go even further, you can also use a security token to lock your device (highly recommended for sensitive work devices). That means the device is useless without the security token to be able to unlock it.

    Enabling multi-factor authentication across your business uniformly can be an uphill battle, but it is one we have experience with here at Valley Techlogic. As security regulations increase, this simple change will make a huge difference in your cybersecurity compliance level. Learn more today with a quick consultation.

    This article was powered by Valley TechLogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.

  • If you enabled 2-factor authentication on your Google account recently, your odds of being hacked dropped by half

    Google began requiring 2-factor authentication on some user accounts this past year, and while there’s always some inconvenience involved in making that switch, the benefits definitely outweigh it.

    Google enrolled 150 million members in the last three months of 2021 in their 2-factor authentication program, and they’ve found that instances of accounts being hacked dropped by half for those users.

    Google utilizes two-step verification, or 2SV, which involves having a login challenge beyond a simple password entry. This may be a message in Google’s own authenticator application or a hardware security key, depending on user preference.

    Google said in their blog post on the topic, “This decrease speaks volumes to how effective having a second form of verification can be in protecting your data and personal information, turn on 2SV (or we will!), as it makes all the difference in the event your password is compromised.” This indicates Google’s plan to initiate the requirement across the board in the near future.

    The hesitancy with users to utilize such an effective security measure seems to stem from inconsistent implementation as well as a general lack of education on the topic. We thought it would be helpful to present this “cheat sheet” on multi-factor authentication and other cybersecurity acronyms.

    Cybersecurity Acronym Cheat Sheet

    With breaches being ever more common, having that additional step past just a password before a hacker can access your account can make all the difference. A password you use across multiple websites (which is also a bad idea) may be leaked without you even being aware of it, and the prompt from a multi-factor authentication application may even be your first clue that your accounts are being accessed by someone other than yourself.

    Google’s own authenticator is found on the Play Store and the Apple App Store and is a solid option; however, we suggest users use whatever they feel most comfortable with or whatever is offered by the websites they frequent (especially for important sites like banking or for work-related web portals).

    To add to your security effectiveness, we suggest using a password manager as well so you can work on having more varied passwords – especially for sites that don’t currently offer multi-factor authentication as an option.

    If you’d like tangible security, hardware security keys are a good option and many of them have widespread support for your online accounts such as email, social media, or even your password manager (adding another layer).

    Your devices also probably come with multi-factor security options built in. We’ve been pleased with the implementation of Windows Hello for Windows devices (even when we’re bleary eyed in the early morning, it always seems to recognize us). Fingerprint scanners for mobile devices have also come a long way and are a pretty convenient (and secure) way to keep access to your phone limited to just you.

    If you’re a business owner in the Central Valley and want to embark on the process of enabling multi-factor authentication within your business, Valley Techlogic can help. Our security experts can help you with enabling multi-factor authentication within your business as well as help you meet your cybersecurity compliance goals. Reach out to us today to learn more.

  • Your Information Was Leaked in a Major Breach, Now What?

    In what seemed to be major news for only a brief period of time, over 500 million Facebook account details were leaked last week. The data included things like profile names, Facebook ID numbers, email addresses, and phone numbers. While this data may be online in other forms, having it all combined makes it a treasure trove for phishers and scammers.

    The colossal total of 533 million accounts was accessed by hackers exploiting a bug in a Facebook address book contacts import feature. It was confirmed by Facebook that the exploit was patched in August 2019, but it is unclear how many times the bug was used before then. The information featured users from 106 different countries.

    It’s clear from Facebook’s response that this data has been out there for a while, and no one knows how it’s currently being utilized by bad actors to phish and scam people. It hasn’t been released that password data was a part of the breach, but it’s still our recommendation that you change your password any time you hear news of a major breach from a service you utilize, as well as making sure you use different passwords for different sites (if you don’t already).

    But what else can you do? Here are our 5 tips to protect yourself after a breach occurs with a service you use or have used in the past.

    1. Keep an Eye Out for An Alert from The Company Affected. We feel companies should be duty bound to let their users know if a breach has occurred. You should keep an eye out for an email detailing the steps they have taken to protect your data after a breach, what may have been compromised, and what you should do to protect yourself.
    2. Monitor Your Financials. If the breach happened within a financial institution you utilize, or even one we all utilize by default (such as the Equifax breach) you want to take the time to monitor your financials for suspicious activity. Many banking and credit card issuers offer free credit reporting as part of their services now. You can even freeze your credit to be extra sure but keep in mind if you do try to open a new credit card or loan the freeze will affect you as well.
    3. Change Your Passwords. We recommend changing passwords if a major breach has occurred even if the business confirms no password data was leaked; you really can never be too careful. If you need help remembering your passwords for various sites as well as creating stronger passwords, see our article on the top 3 password managers we recommend.
    4. Be Extra Wary of Suspicious Emails. Following a data leak, phishers and scammers will use this newly obtained information to try and reach out and trick you into handing over your financial or other personal information. They may have names of relatives or other people you know to utilize and try to get you to send them money. If you receive a suspicious email it is best to report it to your email provider.
    5. File Your Taxes Early. If your social security number was stolen as part of a breach, you may want to be prepared to file your taxes as soon as possible to avoid having your tax refund stolen by scammers.

    In addition to these five tips, if the company that was breached offers assistance in the form of either monitoring your credit or tips on how to safeguard your account, we recommend accepting their offer. Data breaches occur so often now that the public is desensitized, but they are still a threat that should be treated seriously.

    Data breaches that affect businesses are a different animal entirely. There is much more to monitor and safeguard and it is not something you should try to tackle alone. Valley Techlogic is experienced in helping businesses recover from data breaches and we can help you recover your data and protect it from further attacks. Visit here to schedule a free consultation to learn more.

  • This new California law means changes to your devices’ default passwords

    California is used to being ahead of the game when it comes to technology. It comes as no surprise with our state being home to the mecca of technology, Silicon Valley. So of course, in an effort to regulate the Internet of Things (IoT) more seriously, California was the first state to introduce a law doing so.

    Senate Bill 327 (SB-327) is the first law directed at the IoT and most of its measures are aimed at improving the security of our devices. Cybercrime is a billion-dollar industry, so it makes sense to enact stricter regulations to protect consumers from having their devices hijacked and their networks held ransom.

    Some of its most stringent requirements are aimed at password security. While it’s not mandating passwords at an OS or software level (these are often set by the user), it is requiring changes be made to default passwords on a firmware level.

    Starting January 2020, passwords on a firmware level must be randomized. The bill states:

    1798.91.04.b Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

    1. The preprogrammed password is unique to each device manufactured.
    2. The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

    This means if you purchase a router it can no longer have the username admin / password admin or a similar login convention. Routers and other connected devices, defined by the bill as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address,” must have a randomized password and login name.

    This may mean an extra bit of setup on the user’s part when purchasing a new device, and don’t toss that installation guide!

    This gets even more complex when you think of devices such as servers, where rack scripting software may currently rely on every device having the same password to function. IT people will have their work cut out for them setting up new networks with these restrictions.

    However, we applaud all efforts to make the internet a safer place, and we think SB-327 is just the beginning when it comes to regulating devices and the internet as a whole. With so much sensitive data being exchanged every day, it was a given change was coming to do more to protect it.

    Also, while this bill only applies to devices in California, it’s likely product developers will opt to have it in effect for other states as well.

    With so many devices in our home and offices connected and listening, it makes sense to give these devices stronger protection with a stricter password to block hackers. We would like to see a bill that goes even further, regulating firmware updates and requiring companies to better support the devices they produce.

    We outlined some of the pitfalls from companies failing to update router firmware in this previous blog post.

    As always, if you own a business in the Central Valley and are finding yourself trying to work with the new regulations from SB-327 or anything technology related, reach out to us for help or advice. We’re here to help.
