First of all thanks to everyone for coming out this morning. We’re going to start in a few minutes with some questions that were sent in from other customers over the last week.
If you have any questions, feel free to add them below and @TylerM will get to it as fast as he can.
Ethan K writes in:
Which areas globally are worst for ransomware? Phishing?
We’ve got a great report that covers this here if you want to dive in.
Our first question comes from Dean O. who asks:
What is the current stance on the frequency a password should be changed?
Most industry standards are every 90 days, but those also state arbitrary things like at least 8 characters with uppercase and special characters. Length is strength, especially when $5000 of hardware can make a password cracking machine that can crack 15 characters of length in 15 hours. As long as you have enough length, aren’t reusing passwords across multiple accounts, and aren’t sharing them, you can go longer than 90 days.
The next question comes from Robin T. who asks:
Which are the least secure states?
The top 5 riskiest states are:
1. New York
2. California
3. Texas
4. Alabama
5. Arkansas
Teri M. writes in:
What is the number one thing that makes a business most vulnerable to cyber threats?
I would say the lack of protection against the full surface area of attack. Especially now with everyone working from home, are they working on their own devices? Do they have adequate security? Backups? Encryption of data at rest and in transit? Enough educated IT personnel? Computers set up for remote access protected? 2FA?
Anestis P. wants to know more about 2FA. Anestis writes:
Is 2fa a safe solution?
2FA is a great and very safe solution and I suggest that everyone implement it wherever they can. It’s only going to increase security posture.
However, this is not to say that 2FA is infallible. There have been many cases (mostly cryptocurrency exchanges) where advanced phishing tactics have still captured the 2FA code and then logged into accounts.
Arnold wants to know:
Are biometric safeguards helping or hurting the state of cyber-security overall?
This is more of an opinion…
It’s a double-edged sword where it’s definitely more secure than inputting a 4-digit code, but there are definitely issues where facial recognition has been defeated with printed images of faces. Not to mention the privacy concerns of what private companies will do with our biometric data, or if they were to be breached. This will be a larger concern as the future arrives and there is more adoption of these technologies.
Joe R. wants to know about the impact COVID-19 has had on cyber-security best practices:
How has the global pandemic affected cyber-security practices? Are passwords more likely to be shared via teams/live chats now everyone is remote?
I would certainly hope not. Password sharing is just about the riskiest behavior out there, other than falling for a phishing attack. Check out our blog on how to stay cyber resilient during a pandemic:
https://www.webroot.com/blog/2020/03/19/staying-cyber-resilient-during-a-pandemic/
David J. wants to know more about creating strong passwords:
Is it best to use special characters such as @#?.!" in passwords?
Length is strength, not special characters. When criminals are brute-forcing credentials, what matters is not the special characters but the length. Currently criminals can crack 15 characters in 15 hours with about $5000 in hardware using tools like hashcat.
An easy and clever way to devise a memorable, yet secure, password is phrases. The length of this phrase is important as each character you add makes it that much harder to crack with brute force tools. Be sure to include spaces into your password if the site allows.
Take the phrase “snow white and the seven dwarves”. If spaces aren’t allowed, it could be altered to “SnowWhite&the7Dwarves”. It’s still easy to remember yet much more difficult to guess or crack.
One of the most basic cyber hygiene practices is to refrain from using the same password for multiple sites or platforms. For many people this can be difficult, as they don’t think they could possibly remember all their different password combinations. However, developing your own unique yet consistent password style with only a few changes per the login site could help.
For example, take the password “Snow White and the Seven Dwarves Amazon” (login for Amazon). You could then adjust this format to suit your other logins, thereby creating an easy-to-remember password style while also having a unique password for each of your platforms. Facebook would be: “Snow White and the Seven Dwarves Facebook” and so on.
Eden P. is curious about what to look for in a password manager:
Would you recommend a password manager and if so, which one?
I have used RoboForm and LastPass and have no complaints. Just make sure that the master password is not used anywhere else. Also make sure that the computer using the password manager can’t be remoted into, as an attacker could steal all your passwords that way.
I recommend extreme caution when saving passwords using Google Chrome or other browsers, as those can be dumped easily.
Just a few minutes left… tick tock tick tock…
Matt W. wants to know where passwords are going:
Have I Been Pwned is an excellent service for illustrating to people the dangers of re-using passwords, as well as highlighting that password theft is not a case of if but when. However, passwords are still flawed: they have to be stored somewhere, and 2FA is not ubiquitous. What do you see as the next step in security beyond the password?
I still like to use super long phrases as passwords that are different for each account. While it’s been safe so far, I can’t say for how long. Length is strength here, but at a certain point we’ll reach the limit of what you can expect the average human to be able to do. I believe the majority of the public will gladly hand off their privacy for the convenience of biometrics as they become easier and more widespread. That is the most likely future of passwords. *cue dystopian cyberpunk future where megacorps own your identity*
That does it for today!
Thanks to everyone who submitted a question and to @TylerM for answering and spending time with us.
I hope everyone learned something new and will hopefully take some of these tips to heart. If you haven’t had a chance to do so, be sure to read our 2020 Most and Least Cyber-Secure States report and as always, thanks for being a part of the Webroot Community.