John P.

One Mans Blog

Specialization is for Insects.

How I’d Hack Your Weak Passwords

If you invited me to try and crack your password (you know, the one you use over and over for just about every web page you visit), how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much more easily than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city or college football team name.
  6. Date of birth - yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…
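As an added, defender-side example (not code from this post), here is a Python check that rejects a candidate password when it matches any of the ten patterns in the list above. The names, places, birthdays and SSN digits it compares against are hypothetical inputs supplied by the caller at enrollment time; it generalizes item 3 to any short or sequential digit string and item 1 to a name followed by any single digit.

```python
"""Reject passwords that match the guessable patterns in the top-10 list above.

This is an added illustration, not the blog's code. It checks only the patterns
the post names, so it is a floor for a password policy, not a complete one.
"""
from datetime import date

# Dictionary words from the list (items 4 and 7 through 10).
BLOCKLIST = {"password", "god", "letmein", "money", "love"}


def _date_forms(d):
    """Common 6- and 8-digit ways a date of birth gets typed as a password (assumed formats)."""
    return {
        d.strftime("%m%d%Y"), d.strftime("%m%d%y"), d.strftime("%d%m%Y"),
        d.strftime("%d%m%y"), d.strftime("%Y%m%d"), d.strftime("%y%m%d"),
    }


def _is_digit_run(s):
    """True for '123', '1234', '123456' and, more generally, any ascending,
    descending, or repeated run of digits."""
    if not s.isdigit() or len(s) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1}, {0})


def weak_password_reasons(password, names=(), last4_ssn=None, places=(), birthdays=()):
    """Return the reasons a password is guessable (an empty list means it passes).

    names:     partner, child, or pet names (item 1)
    last4_ssn: last four digits of the SSN as a string (item 2)
    places:    city, college, or team names (item 5)
    birthdays: (year, month, day) tuples for the user, partner, child (item 6)
    """
    pw = password.lower()
    reasons = []

    if pw in BLOCKLIST:
        reasons.append("common word on the blocklist")

    for name in names:
        n = name.lower()
        # Item 1: the name alone, or the name followed by a single digit (0 or 1 in the post).
        if pw == n or (len(pw) == len(n) + 1 and pw.startswith(n) and pw[-1].isdigit()):
            reasons.append(f"personal name '{name}' (optionally plus one digit)")

    if last4_ssn and last4_ssn in pw:
        reasons.append("contains last 4 digits of SSN")

    # Item 3, generalized: purely numeric and short, or any sequential digit run.
    if _is_digit_run(pw) or (pw.isdigit() and len(pw) <= 6):
        reasons.append("short or sequential digit string")

    for place in places:
        if place.lower() in pw:
            reasons.append(f"contains city/college/team name '{place}'")

    for y, m, d in birthdays:
        if any(form in pw for form in _date_forms(date(y, m, d))):
            reasons.append("contains a date of birth")
            break

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs for a quick run.
    print(weak_password_reasons("Fluffy1", names=["Fluffy"]))
    print(weak_password_reasons("jp03141978", birthdays=[(1978, 3, 14)]))
    print(weak_password_reasons("Tr0ub4dor&3"))
```

The personal data is matched case-insensitively and, for places, SSN digits and birthdays, as a substring, because users typically wrap these values in a short prefix or suffix rather than using them alone.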

PayPal to Offer Password Key Fobs to Users

In the recent past I’ve done a lot of harping on the security woes of financial institutions (see here, here, and here), so when I saw this announcement I was both extremely happy and a little disappointed at the same time.

PayPal is about to issue SecureID cards to all business clients in order to provide further account security. Now this is what I’m always talking about when I speak of defense in depth! PayPal will combine layers of security, in this case something I have (SecureID password generator), with something I know (my username/password combo) to ensure it’s actually me accessing the site.

How to Reach a Human When Calling Any Company

Everyone has been driven crazy by a poorly staffed call center, sitting behind a horrible Interactive Voice Response Unit (IVRU) while calling a service provider like the phone company, cable company, government office or technical support. Well, help has now arrived.

Paul English, the CTO of Kayak.com, decided to build a site to help people get through to a real human after one such frustrating call. The result is GetHuman.com.

Most Popular Banking Encryption Method Cracked

According to the Epoch Times, citing the article “Security Cracked!” from New Scientist, in five years the U.S. government will cease to use SHA-1 (Secure Hash Algorithm) and convert to a new and more advanced “hash” algorithm.

The reason for this change is that associate professor Wang Xiaoyun of Beijing’s Tsinghua University and Shandong University of Technology, and her associates, have already cracked SHA-1. This marks the fifth straight encryption method that Xiaoyun’s team has broken (SHA-1, MD5, HAVAL-128, MD4, and RIPEMD).

What does this mean for the rest of us?

One More Reason not to Trust Bank Security

I hate to be the one to continually complain about security, but that doesn’t mean I won’t keep doing it. I would estimate that 95% of people are FAR too lax when it comes to security measures, and that another 4% are just plain old lax.

This latest story focuses on a concept called social engineering as a weak link in the chain (among other issues). Social engineering is the process of causing a security breach through subversive human interaction - in this case fooling bank personnel into believing you are someone you are not.

Online Banking Still Not Secure!

The Internet is not a safe place. I’m not talking about your kids, I’m talking about YOU!

Recently my financial institutions have begun implementing “security enhancements” in order to gain compliance with guidelines set by the FFIEC. In a nutshell, the recommendation is as follows:

Using nothing more than a login ID and password to access banking and financial transaction services via the Web is insecure. Instead, financial institutions should turn to multi-factor authentication schemes to ensure client safety.

In order to understand what this means, here is a quick security lesson.
