
Use these 10 passwords at your own peril

<p dir="ltr">With cyberattacks increasing by the month, it’s crucial to have a strong grasp of what is, or isn’t, a strong enough password to hopefully deter hackers.</p>
<p dir="ltr">And with cybercriminals capable of uncovering 921 passwords each second, people all over have become easy targets through their choices, whether that’s from including easy-to-guess terms like the word “password” itself or common sequences like “123456” and “qwerty”, as reported by <em>9News</em>.</p>
<p dir="ltr">And as analysis by <em>CyberNews</em> has revealed, just 13 per cent of leaked passwords, from a review of almost 15 billion, were actually unique.</p>
<p dir="ltr">According to them, two of the most popular names to appear in the selection were “Eva” and “Alex”, with a total of seven million respective uses. “Food” and “pie” were regulars, as well as the season “summer”.</p>
<p dir="ltr">While these might be easy for users to remember, and appealing for that, My Business general manager Phil Parisis had a clear warning in store when he explained that “if it’s easy for you to remember, chances are it’s also easy for cybercriminals to guess.</p>
<p dir="ltr">“That’s not only putting you at risk but also exposing the businesses and corporations that you work for.</p>
<p dir="ltr">“Another common inclusion is a year, often their birth year or another significant year in their life.”</p>
<p dir="ltr">Having the right information and advice at your disposal is crucial when it comes to protecting yourself, so with all of this in mind, the 10 passwords that you should avoid at all costs the next time you’re asked to come up with one are the following:</p>
<ul>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">123456</p></li>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">123456789</p></li>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">qwerty</p></li>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">password</p></li>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">12345</p></li>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">qwerty123</p></li>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">1q2w3e</p></li>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">12345678</p></li>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">111111</p></li>
<li dir="ltr" aria-level="1"><p dir="ltr" role="presentation">1234567890</p></li>
</ul>
<p dir="ltr">To further protect yourself, it can be of great benefit to mix upper and lowercase letters in your passwords, as well as throwing in a range of symbols and numbers to further disguise your intended terms.</p>
<p dir="ltr">For example, and as <em>9News</em> noted, the likes of “password123” is considered a weak password, while something like “MySecurePa$$word785!” is considered much stronger, and much more protected.</p>
<p dir="ltr">And the Australian Cyber Security Centre has further suggested that internet users consider using passphrases (a number of random words put together in a string), as they’re “harder to guess but easier to remember” than common passwords. But most of all, it recommends avoiding obvious, significant, and easy-to-guess words, like the names of children and beloved family pets.</p>
<p dir="ltr"><em>Images: 9News</em></p>

Technology


Don't leave yourself vulnerable to hackers in 2022

<p>Passwords are just as vitally important as they are frustrating. However, making a mistake with our passwords could leave us exposed to hackers and other fraudulent activities online.</p>
<p>According to the Australian Competition &amp; Consumer Commission, Australians lost a record $323.7 million to scams and identity theft in 2021, with phishing scams up 62% on the previous year.</p>
<p>It’s not just your main accounts like social media or online banking that are at risk. As our list of logins grows, all it takes is one data breach to compromise everything. So, what can you do in order to protect yourself?</p>
<p><strong>1. Don’t use the same password across multiple sites</strong><br />If you use one password across multiple platforms or sites, you’re at greater risk.<br />“By far the biggest mistake people make with passwords is using the same one across multiple sites,” says Val Quinn, Sunrise tech expert.<br />“Because if one site gets hacked, then the hackers have the same password that they can use on different sites to try to log in under your name.”</p>
<p><strong>2. Use a passphrase instead</strong><br />“Hackers can use special tools where they can actually brute force guess your passwords,” says Quinn.<br />“That means we have to make them a very complicated, long combo of letters, characters and numbers, upper and lower case.”<br />For extra protection, try using a passphrase instead of a traditional password. But make sure to remember that phrase!<br />It’s also a good idea to ensure it’s not a common or popular quote or song that can be easily guessed by somebody who knows you.</p>
<p><strong>3. See if you’ve been breached</strong><br />Sites like <a href="https://haveibeenpwned.com/" target="_blank" rel="noopener">Have I Been Pwned?</a> allow you to check if your email address or password has been caught up in known data breaches.<br />Started by Australian cyber security consultant Troy Hunt, who is also a Microsoft regional director, the site aggregates known breaches, providing a snapshot of the sites where your data may have been compromised.</p>
<p><strong>4. Don’t use personal information</strong><br />This tip sounds simple, but a lot of people continue to fall into the trap of using personal information. Avoid using obvious things like a pet’s name or birthday.</p>
<p><strong>5. Use a password manager</strong><br />Most of us have passwords across email, social media, banking, streaming services and online shopping.<br />Keeping track of login details can be daunting; that’s where password managers come in handy.<br />“A password manager is almost a must,” explains Quinn.<br />“It really helps ensure you use different passwords for all of the sites you log into, otherwise you just can’t remember very easily.”</p>
<p><strong>Most common passwords of 2021</strong><br />According to NordPass, these are the most common passwords globally in 2021, all of which the tech company estimates take under one second to crack.</p>
<ul><li>123456</li><li>123456789</li><li>12345</li><li>qwerty</li><li>password</li><li>12345678</li><li>111111</li><li>123123</li><li>1234567890</li><li>1234567</li></ul>
<p>NordPass research also revealed these were the most common passwords in Australia.</p>
<ul><li>123456</li><li>password</li><li>lizottes</li><li>password1</li><li>123456789</li><li>12345</li><li>abc123</li><li>qwerty</li><li>12345678</li><li>holden</li></ul>
<p><em>Image: Getty</em></p>

Technology


This New Year, why not resolve to ditch your dodgy old passwords?

<p>Most of the classic New Year resolutions revolve around improving your health and lifestyle. But this year, why not consider cleaning up your passwords too?</p>
<p>We all know the habits to avoid, yet so many of us do them anyway: using predictable passwords, never changing them, or writing them on sticky notes on our monitor. We routinely ignore the <a href="https://theconversation.com/choose-better-passwords-with-the-help-of-science-82361">recommendations for good passwords</a> in the name of convenience.</p>
<p>Choosing short passwords containing common names or words is likely to lead to trouble. Hackers can often guess a person’s passwords simply by using a computer to work through a long list of commonly used words.</p>
<p>The <a href="https://nordpass.com/most-common-passwords-list/">most popular choices</a> have changed very little over time, and include numerical combinations such as “123456” (the most common password for five years in a row), “love”, keyboard patterns such as “qwerty” and, perhaps most ludicrously, “password” (or its Portuguese translation, “senha”).</p>
<p><span>Experts have long advised against using words, places or names in passwords, although you can strengthen this type of password by jumbling the components into sequences with a mixture of upper- and lowercase characters, as long as you do it thoroughly.</span></p>
<p>Complex rules often lead users to choose a word or phrase and then substitute letters with numbers and symbols (such as “Pa33w9rd!”), or add digits to a familiar password (“password12”). But so many people do this that these techniques don’t actually make passwords stronger.</p>
<p>It’s better to start with a word or two that isn’t so common, and make sure you mix things up with symbols and special characters in the middle. For example, “wincing giraffe” could be adapted to “W1nc1ng_!G1raff3”.</p>
<p><span>These secure passwords can be harder to remember, to the extent you might end up having to write them down.
That’s OK, as long as you keep the note somewhere secure (and definitely not stuck to your monitor).</span></p> <p>Reusing passwords is another common error – and one of the biggest. Past data leaks, such as that suffered by <a href="https://www.ncsc.gov.uk/blog-post/linkedin-2012-hack-what-you-need-know">LinkedIn in 2012</a>, mean billions of old passwords are now circulating among cyber criminals.</p> <p>This has given rise to a practice called “<a href="https://www.wired.com/story/what-is-credential-stuffing/">credential stuffing</a>” – taking a leaked password from one source and trying it on other sites. If you’re still using the same old password for multiple email, social media or financial accounts, you’re at risk of being compromised.</p> <h2>Pro tip: use a password manager</h2> <p>The simplest and most effective route to good password hygiene is to use a <a href="https://www.choice.com.au/electronics-and-technology/internet/internet-privacy-and-safety/buying-guides/password-managers">password manager</a>. This lets you use unique strong passwords for all your various logins, without having to remember them yourself.</p> <p>Password managers allow you to store all of your passwords in one place and to “lock” them away with a strong level of protection. This can be a single (strong) password, but can also include face or fingerprint recognition, depending on the device you are using. Although there is some risk associated with storing your passwords in one place, experts consider this much less risky than using the same password for multiple accounts.</p> <p>The password manager can automatically create strong, randomised passwords for each different service you use. 
This means your LinkedIn, Gmail and eBay accounts can no longer be accessed by someone who happens to guess the name of your childhood pet dog.</p>
<p>If one password is leaked, you only have to change that one – none of the others are compromised.</p>
<p>There are <a href="https://en.wikipedia.org/wiki/List_of_password_managers">many password managers</a> to choose from. Some are free (such as KeePass) or “freemium” (such as NordPass, offering the option to upgrade for more functionality), while others charge a one-off fee or recurring subscription (such as 1Password). Most allow you to securely sync your passwords across all your devices, and some let you safely share passwords between family members or work groups.</p>
<p>You can also use the password managers built into most web browsers or operating systems (with many phones offering this functionality in the browser or natively). These tend to have fewer features and may pose compatibility issues if you want to access your passwords from different browsers or platforms.</p>
<p>Password managers take a bit of getting used to, but don’t be too daunted. When creating a new account on a website, you let the password manager create a unique (complex) password and store it straight away – there’s no need to think of one yourself!</p>
<p>Later, when you want to access that account again, the password manager fills it in automatically. This is either through direct integration with the browser (typically on computers) or through a separate application on your mobile device. Most password managers will automatically “lock” after a period of time, prompting for the master password (or face/finger verification) before allowing access again.</p>
<h2>Protect your most important passwords</h2>
<p>If you don’t like the sound of a password manager, at the very least change your “critical” account passwords so each one is strong and unique.
Financial services, email accounts, government services, and work systems should each have a separate, strong password.</p> <p>Even if you write them down in a book (kept safely locked away) you will significantly reduce your risk in the event of a data breach on any of those platforms.</p> <p>Remember, however, that some sites provide delegated access to others. Many e-commerce websites, for example, give you the option of logging in with your Facebook, Google or Apple account. This doesn’t expose your password to greater risk, because the password itself is not shared. But if the password is compromised, using it would grant access to those delegated sites. It is usually best to create unique accounts - and use your password manager to keep them safe.</p> <p><span>Adopting a better approach to passwords is a simple way to reduce your cyber-security risks. Ideally that means using a password manager, but if you’re not quite ready for that yet, at least make 2022 the year you ditch the sticky notes and pets’ names.</span></p> <p><em>Image credits: Getty Images</em></p> <p><span><em>This article first appeared on <a rel="noopener" href="https://theconversation.com/this-new-year-why-not-resolve-to-ditch-your-dodgy-old-passwords-172598" target="_blank">The Conversation</a></em>.</span></p>

Technology


A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?

<p>Passwords have been used for thousands of years as a means of identifying ourselves to others and, in more recent times, to computers. It’s a simple concept: a shared piece of information, kept secret between individuals and used to “prove” identity.</p>
<p>Passwords in an IT context <a href="https://www.wired.com/2012/01/computer-password/">emerged in the 1960s</a> with <a href="https://www.techopedia.com/definition/24356/mainframe">mainframe</a> computers, large centrally operated computers with remote “terminals” for user access. They’re now used for everything from the PIN we enter at an ATM, to logging in to our computers and various websites.</p>
<p>But why do we need to “prove” our identity to the systems we access? And why are passwords so hard to get right?</p>
<p><strong>What makes a good password?</strong></p>
<p>Until relatively recently, a good password might have been a word or phrase of as little as six to eight characters. But we now have minimum length guidelines. This is because of “entropy”.</p>
<p>When talking about passwords, entropy is the <a href="https://www.itdojo.com/a-somewhat-brief-explanation-of-password-entropy/">measure of predictability</a>. The maths behind this isn’t complex, but let’s examine it with an even simpler measure: the number of possible passwords, sometimes referred to as the “password space”.</p>
<p>If a one-character password only contains one lowercase letter, there are only 26 possible passwords (“a” to “z”). By including uppercase letters, we increase our password space to 52 potential passwords.</p>
<p>The password space continues to expand as the length is increased and other character types are added.</p>
<p>However, the problem with depending on password complexity is that computers are highly efficient at repeating tasks, including guessing passwords.</p>
<p>Last year, a <a href="https://www.cbronline.com/news/stolen-user-credentials">record was set</a> for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second.</p>
<p>By leveraging this computing power, cyber criminals can hack into systems by bombarding them with as many password combinations as possible, in a process called <a href="https://www.kaspersky.com/resource-center/definitions/brute-force-attack">brute force attacks</a>.</p>
<p>And with cloud-based technology, guessing an eight-character password can be achieved in as little as 12 minutes and cost as little as US$25.</p>
<p>Also, because passwords are almost always used to give access to sensitive data or important systems, this motivates cyber criminals to actively seek them out. It also drives a lucrative online market selling passwords, some of which come with email addresses and/or usernames.</p>
<p><strong>How are passwords stored on websites?</strong></p>
<p>Website passwords are usually stored in a protected manner using a mathematical algorithm called <a href="https://www.wired.com/2016/06/hacker-lexicon-password-hashing/">hashing</a>. A hashed password is unrecognisable and can’t be turned back into the password (an irreversible process).</p>
<p>When you try to log in, the password you enter is hashed using the same process and compared to the version stored on the site. This process is repeated each time you log in.</p>
<p>For example, the password “Pa$$w0rd” is given the value “02726d40f378e716981c4321d60ba3a325ed6a4c” when calculated using the SHA1 hashing algorithm. Try it <a href="https://passwordsgenerator.net/sha1-hash-generator/">yourself</a>.</p>
<p>When faced with a file full of hashed passwords, a brute force attack can be used, trying every combination of characters for a range of password lengths. This has become such common practice that there are websites that list common passwords alongside their (calculated) hashed value. You can simply search for the hash to reveal the corresponding password.</p>
<p>The theft and selling of password lists is now so common that a <a href="https://haveibeenpwned.com/">dedicated website</a>, haveibeenpwned.com, is available to help users check if their accounts are “in the wild”. This has grown to include more than 10 billion account details.</p>
<p>If your email address is listed on this site you should definitely change the detected password, as well as on any other sites for which you use the same credentials.</p>
<p><strong>Is more complexity the solution?</strong></p>
<p>You would think with so many password breaches occurring daily, we would have improved our password selection practices. Unfortunately, last year’s annual <a href="https://www.securitymagazine.com/articles/91461-the-worst-passwords-of-2019">SplashData password survey</a> has shown little change over five years.</p>
<p>As computing capabilities increase, the solution would appear to be increased complexity. But as humans, we are not skilled at remembering highly complex passwords, nor motivated to.</p>
<p>We’ve also passed the point where we use only two or three systems needing a password. It’s now common to access numerous sites, with each requiring a password (often of varying length and complexity). A recent survey suggests there are, on average, <a href="https://www.newswire.com/news/new-research-most-people-have-70-80-passwords-21103705">70-80 passwords per person</a>.</p>
<p>The good news is there are tools to address these issues. Most computers now support password storage in either the operating system or the web browser, usually with the option to share stored information across multiple devices.</p>
<p>Examples include Apple’s <a href="https://www.computerworld.com/article/3254183/how-to-use-icloud-keychain-the-guide.html">iCloud Keychain</a> and the ability to save passwords in Internet Explorer, Chrome and Firefox (although <a href="https://www.howtogeek.com/447345/why-you-shouldnt-use-your-web-browsers-password-manager/">less reliable</a>).</p>
<p><a href="https://tech.co/password-managers/what-is-a-password-manager">Password managers</a> such as KeePassXC can help users generate long, complex passwords and store them in a secure location for when they’re needed.</p>
<p>While this location still needs to be protected (usually with a long “master password”), using a password manager lets you have a unique, complex password for every website you visit.</p>
<p>This won’t prevent a password from being stolen from a vulnerable website. But if it is stolen, you won’t have to worry about changing the same password on all your other sites.</p>
<p>There are of course vulnerabilities in these solutions too, but perhaps that’s a story for another day.</p>
<p><em>Written by Paul Haskell-Dowland and Brianna O’Shea. Republished with permission of <a href="https://theconversation.com/a-computer-can-guess-more-than-100-000-000-000-passwords-per-second-still-think-yours-is-secure-144418">The Conversation.</a></em></p>
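As an added illustration (not code from the article or its authors) of the two points made above, the “password space” and the hash lookup, the following Python computes the space for the character classes and lengths the text discusses and the worst-case time to try all of it at the article’s quoted rate of 100,000,000,000 guesses per second, then shows that a file of unsalted SHA1 hashes of the passwords listed on this page is reversed by a precomputed lookup while a salted, iterated hash is not. The guess rate is the article’s; the sample password list is constructed from the page; salted PBKDF2-HMAC-SHA256 is assumed here as the slow hash a site should store instead of a single SHA1 round.

```python
import hashlib
import hmac
import os
import string
from typing import Dict, Iterable, Optional, Tuple

# Guess rate quoted in the article: more than 100,000,000,000 guesses per second.
GUESSES_PER_SECOND = 100_000_000_000

# Character classes used when reasoning about the "password space".
CHARSETS = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digits": string.digits,           # 10 characters
    "symbols": string.punctuation,     # 32 printable ASCII symbols
}


def password_space(length: int, *classes: str) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from the named classes."""
    alphabet = "".join(CHARSETS[c] for c in classes)
    return len(alphabet) ** length


def seconds_to_exhaust(length: int, *classes: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the space at `rate` guesses per second."""
    return password_space(length, *classes) / rate


# Constructed sample input: the ten common passwords listed on this page.
COMMON_PASSWORDS = ["123456", "123456789", "qwerty", "password", "12345",
                    "qwerty123", "1q2w3e", "12345678", "111111", "1234567890"]


def sha1_hex(password: str) -> str:
    """One unsalted SHA1 round, the fast hash the article's example uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(passwords: Iterable[str]) -> Dict[str, str]:
    """Precomputed hash -> password table, the kind of list the article says sites publish."""
    return {sha1_hex(p): p for p in passwords}


def reverse_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """An unsalted SHA1 hash of a common password is recovered by a single dictionary lookup."""
    return table.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed here as the slow hash) instead of one SHA1 round.
    A fresh 16-byte salt per user means equal passwords get different digests, so no single
    precomputed table applies, and every guess now costs `iterations` hash computations."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def effective_rate(rate: int = GUESSES_PER_SECOND, iterations: int = 100_000) -> int:
    """Password guesses per second left to an attacker with `rate` hash operations per second."""
    return rate // iterations


if __name__ == "__main__":
    for length in (6, 8, 12):
        for classes in (("lower",), ("lower", "upper", "digits"),
                        ("lower", "upper", "digits", "symbols")):
            secs = seconds_to_exhaust(length, *classes)
            print(f"{length:2d} chars, {'+'.join(classes):27s}: "
                  f"{password_space(length, *classes):.3e} passwords, "
                  f"{secs / 3600:.2e} hours at {GUESSES_PER_SECOND:,}/s")

    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = sha1_hex("qwerty")  # a hash as it would appear in a stolen file
    print("unsalted SHA1", leaked, "->", reverse_unsalted(leaked, table))

    salt, digest = hash_password("qwerty")
    print("salted PBKDF2 lookup:", reverse_unsalted(digest.hex(), table))  # None
    print("verify correct:", verify_password("qwerty", salt, digest),
          "wrong:", verify_password("qwerty1", salt, digest))
    print("effective guesses/s against 100k-iteration PBKDF2:", effective_rate())
```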

Legal


Can police demand the password to my phone or computer?

<p>Many will recall last year’s <a href="https://www.sydneycriminallawyers.com.au/blog/fbi-cracks-apples-encryption/">battle between the United States Justice Department and technology giant Apple</a>, whereby the former spent millions of dollars trying to force the latter to unlock the iPhone of a gunman allegedly involved in the San Bernardino terrorist attack.</p>
<p>The Justice Department felt the need to take such action because it knew the United States Constitution would never allow the forced disclosure of an individual’s personal identity information in circumstances where it may incriminate them.</p>
<p>However, the situation in Australia is different. Here, there is a legal mechanism for police to <a href="https://www.loc.gov/law/help/encrypted-communications/australia.php">force the disclosure</a> of an individual’s passwords, personal identification numbers and private encryption keys to enable them to access an individual’s smartphone or computer during the investigation of a <a href="https://www.sydneycriminallawyers.com.au/criminal/offences/commonwealth-offences/">Commonwealth offence</a>.</p>
<p>That mechanism is contained in <a href="http://www.austlii.edu.au/cgi-bin/viewdoc/au/legis/cth/consol_act/ca191482/s3la.html">section 3LA</a> of the Crimes Act 1914 (Cth) (“the Act”), which provides that “a constable may apply to a magistrate for an order to provide any information or assistance that is reasonable and necessary” to allow them to access data stored on “a computer or data storage device.”</p>
<p>A “constable” is defined by <a href="http://www.austlii.edu.au/cgi-bin/viewdoc/au/legis/cth/consol_act/ca191482/s3.html">section 3 of the Act</a> as “a member or special member of the Australian Federal Police or a member of the police force or police service of a State or Territory”.</p>
<p>Police can apply to a magistrate for an “assistance order” requiring the owner or user of a computer or data storage device to provide such information if they can establish <a href="https://www.sydneycriminallawyers.com.au/blog/police-powers-to-stop-require-identification-and-search-in-nsw/">a reasonable suspicion</a> that the device holds or can enable access to evidential material relevant to a crime.</p>
<p>The subject of the order is not required to be suspected of any crime. He or she merely needs to be the owner of the device that police reasonably suspect holds information relating to an offence.</p>
<p>If the application is successful, the subject will be required to provide the password/s enabling police to gain access to the device/s, as well as any decryption information in order to make data accessible and intelligible to police.</p>
<p>Failure to comply with an assistance order is a criminal offence. When the law was first enacted, the maximum penalty was 6 months imprisonment. However, authorities have since raised the maximum penalty to 2 years behind bars.</p>
<p><strong>A climate of paranoia</strong></p>
<p>The <a href="http://www.austlii.edu.au/cgi-bin/viewdoc/au/legis/cth/num_act/ca2001112/sch1.html">Commonwealth Cybercrime Act</a> inserted section 3LA into the Crimes Act in October 2001. The Cybercrime Act was passed through federal parliament in a post-September 11 climate of mounting fear about the threat of terrorism and <a href="https://www.sydneycriminallawyers.com.au/blog/section-308h-of-the-crimes-act-computer-hacking-and-high-tech-offences/">cybercrime</a>.</p>
<p>That Act created seven new criminal offences: three serious computer offences and four summary computer offences.
It also extended police investigative powers in relation to search and seizure of electronically stored data.</p> <p><strong>The circumstances behind section 3LA</strong></p> <p>In his 2004 University of Queensland paper titled <a href="http://www.austlii.edu.au/cgi-bin/viewdoc/au/journals/UQLawJl/2004/1.html?context=1;query=%22ca191482">Handing Over the Keys</a>, Nikolas James points to several reasons why a law that provides police with such pervasive power was passed at the time.</p> <p>The EU’s Convention on Cybercrime recommended that countries implement laws that guaranteed authorities could access user data under the threat of imprisonment. And France suggested that the convention be open to all countries.</p> <p>The Australian laws at the time were seen as inadequate when it came to the growing threat of cybercrime. Police were pushing for new powers, as encrypted data represented a significant obstacle to the gathering of evidence.</p> <p>The Australian business community was also losing faith in the ability of law enforcement to guard against the rising cost of <a href="https://www.sydneycriminallawyers.com.au/blog/do-we-need-new-technology-laws-in-nsw/">cybercrime</a>. And the public’s perception of the threat posed by cybercrime helped enable authorities to broaden their reach.</p> <p><strong>Mass surveillance</strong></p> <p>Mr James also lists Australia’s involvement in the <a href="https://www.sydneycriminallawyers.com.au/blog/rip-government-accountability-in-australia-a-privacy-guide-for-journalists/">Five Eyes global electronic surveillance alliance</a> as a reason the law was allowed to pass with little fanfare. 
The alliance comprises the USA, UK, Canada, New Zealand and Australia, and was established under the <a href="https://www.my-private-network.co.uk/vpn-provider-14-eyes-country-something-know/">UKUSA Agreement</a> back in 1946.</p>
<p>The Five Eyes agreement allows security agencies of these nations to collect and share private and commercial communications data with one another. In Australia, strong encryption had been hampering operations, and section 3LA helped facilitate data access.</p>
<p><strong>The implications of section 3LA</strong></p>
<p><a href="https://www.sydneycriminallawyers.com.au/blog/turnbull-continues-assault-on-civil-liberties/">Civil liberties</a> groups have always been highly critical of the provision. They point out that the wording of the section is vague and the scope of the investigative powers it provides is almost unlimited. They argue that the section’s intrusion on the privacy of the populace – including those who are not suspected of an offence – is not justified or outweighed by the benefit it provides to law enforcement.</p>
<p>Electronic Frontiers Australia <a href="https://www.efa.org.au/Issues/Privacy/cybercrimeact.html">described</a> the passing of the Cybercrime Act as a “knee-jerk reaction to recent well-publicised virus attacks,” that “introduces an alarming law enforcement provision requiring release of encryption keys or decryption of data, contrary to the common law privilege against self-incrimination.”</p>
<p>The digital rights protection organisation <a href="https://www.efa.org.au/Publish/cybercrime_bill.html">further pointed out</a> that the law has the potential to lead to the imprisonment of an individual who has genuinely forgotten their password or encryption keys.</p>
<p>The provisions under section 3LA also have the potential to enable police to access whole computer networks.
If an officer has a reasonable suspicion a computer contains some evidential information, they can obtain an order, which will also provide access to any other computer it’s connected to.</p> <p>And with the scope of the internet, the potential reach is virtually unlimited.</p> <p><strong>Brandis plans to broaden powers</strong></p> <p>In July this year, Australian prime minister Malcolm Turnbull <a href="http://www.abc.net.au/news/2017-07-14/facebook-google-to-be-forced-to-decrypt-messages-fight-terrorism/8707748">announced</a> proposed new laws that will require social media and technology companies like Facebook and Google to allow Australian security agencies access to people’s encrypted messages.</p> <p>Attorney general George Brandis has actually been pushing for these laws <a href="https://www.itnews.com.au/news/attorney-generals-new-war-on-encrypted-web-services-375286">since early 2014</a>.</p> <p>In a submission to the Senate inquiry into the comprehensive revision of the <a href="https://www.legislation.gov.au/Details/C2013C00361">Telecommunications (Interception and Access) Act 2014</a>, the attorney general’s office stated that these laws “would operate in a similar fashion to orders made under section 3LA.”</p> <p>“Section 3LA permits agencies that have seized physical hardware… under a search warrant to apply for a further warrant requiring a person to ‘provide any information or assistance that is reasonable and necessary’ to allow information held on the device to be converted into an intelligible form,” the authors wrote.</p> <p>Co-convenor of the UNSW Cyberspace Law and Policy Community David Vaile told <a href="https://www.sydneycriminallawyers.com.au/about/">Sydney Criminal Lawyers®</a><a href="https://www.sydneycriminallawyers.com.au/blog/digital-surveillance-an-interview-with-the-cyberspace-law-and-policy-communitys-david-vaile/"> in August</a> that the trigger for social media companies starting to use encryption on a wider scale was 
revelations that the NSA had been hacking into Google data centres.</p> <p>This information was revealed when Edward Snowden leaked classified documents from the NSA in mid-2013. The thousands of documents exposed by Snowden informed the public that global surveillance programs were being conducted by the NSA, along with other Five Eyes nations.</p> <p><strong>Big brother is watching</strong></p> <p>In his 2004 paper, Mr James outlined that by “undermining the effectiveness of encryption, section 3LA redirects the flow of power away from business and private citizens towards law enforcement agencies.”</p> <p>Encryption empowers citizens to protect themselves against cybercrime without the need of police protection. But by applying the provisions of section 3LA, law enforcement can now shift that balance of power, making individuals more reliant on those agencies.</p> <p>The provision also works to monitor citizens through panoptic surveillance, according to Mr James.</p> <p>The panoptic surveillance effect of this law is that individuals are aware that, at any time, police have the potential to access their personal computers and smartphones. So people may begin to self-regulate their behaviour on these devices, as at any moment they might be subject to the investigation of authorities.</p> <p>Mr James warned that as the population becomes aware such provisions exist, “citizens will willingly and obediently reduce the space within which they feel free to live, to play, to act and to create away from authority’s scrutiny and judgment.”</p> <p><em>Written by Paul Gregoire. Republished with permission of <a href="https://www.sydneycriminallawyers.com.au/blog/can-police-demand-the-password-to-my-phone-or-computer/">Sydney Criminal Lawyers.</a></em></p>

Netflix promises to crack down on users who share passwords

<p><span style="font-weight: 400;">Netflix have promised to crack down on users who share their passwords with friends or family members.</span></p> <p><span style="font-weight: 400;">This means that if you borrow someone’s login, you might have to start paying for your own account in full.</span></p> <p><span style="font-weight: 400;">Netflix offers account-sharing features, but they’re designed to let people in a single household use one login.</span></p> <p><span style="font-weight: 400;">The streaming giant is worried that users are sharing their logins among different households.</span></p> <p><span style="font-weight: 400;">Netflix product chief Greg Peters spoke at Netflix’s Q3 2019 earnings and said that the company wants to address the issue of password sharing without “alienating a certain portion of the user base”.</span></p> <p><span style="font-weight: 400;">“We continue to monitor it so we’re looking at the situation,” he said, according to </span><a href="https://www.news.com.au/technology/home-entertainment/tv/netflix-vows-crackdown-on-users-who-share-logins-with-pals-or-family-and-could-make-you-pay-extra/news-story/09630a28861854c2aa32201a4dae3e25"><span style="font-weight: 400;">news.com.au</span></a><span style="font-weight: 400;">.</span></p> <p><span style="font-weight: 400;">“We’ll see those consumer-friendly ways to push on the edges of that.”</span></p> <p><span style="font-weight: 400;">Experts have said that users are already seeing signs of a crackdown.</span></p> <p><span style="font-weight: 400;">“They are policing this (already) by blocking the third concurrent screen if two screens are in use at the same time,” said Michael Pachter, a top analyst at Wedbush Securities, speaking to </span><a href="https://www.thesun.co.uk/tech/10180393/netflix-account-sharing-price-family-pay-extra/"><span style="font-weight: 400;">The Sun</span></a><span style="font-weight: 400;">.</span></p> <p><span style="font-weight: 400;">“That doesn’t help if 
the users are in different time zones, as many households with kids in college are.</span></p> <p><span style="font-weight: 400;">“However, it definitely cracks down on widespread password sharing.”</span></p> <p><span style="font-weight: 400;">He added: “They also have a way to track device usage and can require two-factor authentication, although they haven’t rolled that out yet.”</span></p> <p><span style="font-weight: 400;">The news follows an announcement by tech firm Synamedia about a new AI system that cracks down on account sharing by using machine learning technology to track shared passwords on streaming services.</span></p> <p><span style="font-weight: 400;">“Casual credentials sharing is becoming too expensive to ignore,” said product chief Jean Marc Racine, speaking at the CES event in Las Vegas this year.</span></p> <p><span style="font-weight: 400;">“Our new solution gives operators the ability to take action.</span></p> <p><span style="font-weight: 400;">“Many casual users will be happy to pay an additional fee for a premium, shared service.</span></p> <p><span style="font-weight: 400;">“It’s a great way to keep honest people honest while benefiting from an incremental revenue stream.”</span></p> <p><span style="font-weight: 400;">The technology, once it has located shared passwords across streaming services, could be used to force users to upgrade to a premium service or even shut down their account.</span></p>

Google Chrome security breach: Why your private passwords are at risk

<p><span style="font-weight: 400;">A new hack has alarmed people who use the internet browser Google Chrome as it has been revealed that anyone can gain access to your online passwords with a few simple clicks. </span></p> <p><span style="font-weight: 400;">All a hacker needs to do is just click in the right spots to gain access to your passwords.</span></p> <p><strong>How to unlock every password on Google Chrome</strong></p> <ul> <li style="font-weight: 400;"><span style="font-weight: 400;">Open Google Chrome</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Click on the Menu (three dots icon in the top right corner of the browser window)</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Click Settings</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Under Autofill, click on Passwords.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">When asterisked passwords pop up, click on the eye symbol</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">In the Username and Password bar, enter the computer login</span></li> </ul> <p><span style="font-weight: 400;">It’s really that simple. </span></p> <p><strong>However, there are a few ways that you can protect yourself</strong></p> <ul> <li style="font-weight: 400;"><span style="font-weight: 400;">Ensure no one knows your computer password</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Regularly change your password</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Avoid using password auto save or auto fill</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Ensure your computer locks after inactivity</span></li> </ul>

The scary new way hackers can find out your passwords

<p><span style="font-weight: 400;">New research from the University of Cambridge in England as well as Sweden’s Linköping University has explained that malware is now capable of accurately guessing your passwords by listening to the sound of your fingers tapping the screen.</span></p> <p><span style="font-weight: 400;">The malware listens through the smartphone’s microphone and uses the recorded sound to infer where on the screen you are tapping, and from that the passwords you type on the device. </span></p> <p><span style="font-weight: 400;">“We showed that the attack can successfully recover PIN codes, individual letters and whole words,” researchers wrote in the paper, according to </span><a href="https://www.9news.com.au/technology/iphone-android-hackers-can-find-out-your-passwords-by-hearing-how-you-type/bf7c66ce-0d49-4c26-8be2-1dd5c6196d30"><span style="font-weight: 400;">9News</span></a><span style="font-weight: 400;">.</span></p> <p><span style="font-weight: 400;">“We have shown a new acoustic side-channel attack on smartphones and tablets.”</span></p> <p><span style="font-weight: 400;">Research showed that during testing, the machine learning software correctly guessed a four-digit passcode 73 per cent of the time after ten tries.</span></p> <p><span style="font-weight: 400;">The software was also able to identify 30 per cent of passwords that ranged from seven to 13 characters in length after 20 tries.</span></p> <p><span style="font-weight: 400;">The malware relies on machine learning to predict which key a user has tapped by tracking which sound the microphone heard first, a detail that is picked up in a matter of seconds.</span></p>

World's most hackable passwords: Is yours on the list?

<p><span style="font-weight: 400;">Many people still stick to “easy” passwords to secure sensitive accounts, a study has suggested.</span></p> <p><span style="font-weight: 400;">The UK National Cyber Security Centre has released the top 100,000 passwords that have been exposed in data breaches around the world. Using the data from Troy Hunt’s </span><em><a href="https://haveibeenpwned.com/"><span style="font-weight: 400;">Have I Been Pwned</span></a></em> <span style="font-weight: 400;">site, the study aimed to identify the gaps in cyber-security knowledge and help reduce the occurrence of account breaches and exploitation.</span></p> <p><span style="font-weight: 400;">The most popular password on the list was 123456, which was used by more than 23 million breached accounts. In second place was 123456789, followed by “qwerty”, “password” and 111111.</span></p> <p><span style="font-weight: 400;">The most common name to be used as a password was “ashley” with more than 430,000 appearances. Other top names included “michael”, “daniel”, “jessica” and “charlie”.</span></p> <p><span style="font-weight: 400;">Dan U, senior security researcher at the NCSC, said blocking these common passwords would help users protect their accounts. 
“Security works when people act as a community, whether that's allowing people to realise how common their password is, or just giving them confidence that the password they've picked at work or home is more sensible,” he wrote in </span><a href="https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere"><span style="font-weight: 400;">a statement</span></a><span style="font-weight: 400;">.</span></p> <p><span style="font-weight: 400;">More websites and Internet services have been hit with security breaches in recent years, including Facebook, Microsoft, </span><a href="https://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html"><span style="font-weight: 400;">Yahoo</span></a><span style="font-weight: 400;"> and more.</span></p> <p><span style="font-weight: 400;">The NCSC recommended choosing three random yet memorable words to create a strong password, such as “walltinshirt” or “coffeetrainfish”, and avoiding credential reuse. </span></p> <p><strong>Top 20 most popular passwords:</strong></p> <ol> <li style="font-weight: 400;"><span style="font-weight: 400;">123456</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">123456789</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">qwerty</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">password</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">111111</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">12345678</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">abc123</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">1234567</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">password1</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">12345</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">1234567890</span></li> <li style="font-weight: 400;"><span 
style="font-weight: 400;">123123</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">000000</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">iloveyou</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">1234</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">1q2w3e4r5t</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">qwertyuiop</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">123</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">monkey</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">dragon</span></li> </ol>

Millions of Facebook user records exposed in data breach

<p><span style="font-weight: 400;">Researchers at the cybersecurity firm UpGuard have said that they’ve discovered the existence of two datasets that contain the personal data of hundreds of millions of Facebook users.</span></p> <p><span style="font-weight: 400;">Both datasets were publicly accessible.</span></p> <p><span style="font-weight: 400;">UpGuard explained in a </span><a href="https://www.upguard.com/breaches/facebook-user-data-leak"><span style="font-weight: 400;">blog post</span></a><span style="font-weight: 400;"> how they traced the databases. They traced the first one to a Mexico-based media company called Cultura Colectiva; it contained over 146GB of data, amounting to over 540 million Facebook user records.</span></p> <p><span style="font-weight: 400;">The user records include comments, likes, reactions, account names, Facebook user IDs and much more.</span></p> <p><span style="font-weight: 400;">The second leak was connected to an app that was integrated with Facebook called “At the pool” and had exposed around 22,000 passwords.</span></p> <p><span style="font-weight: 400;">“The passwords are presumably for the ‘At the Pool’ app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts,” UpGuard said.</span></p> <p><span style="font-weight: 400;">The second database contained information about users’ friends, likes, groups and locations where they checked in using the app.</span></p> <p><span style="font-weight: 400;">Both datasets were stored in unsecured Amazon S3 buckets and could have been accessed by anyone. Neither bucket was password protected, but since UpGuard reported on the breach, they have either been taken offline or made more secure.</span></p> <p><span style="font-weight: 400;">UpGuard explained the difference in the datasets: “The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. 
</span></p> <p><span style="font-weight: 400;">“What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers.”</span></p> <p><span style="font-weight: 400;">UpGuard then added: “As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”</span></p> <p><span style="font-weight: 400;">Facebook were quick to work with Amazon to take down the databases and release a statement saying that they’ve done so:</span></p> <p><span style="font-weight: 400;">“Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”</span></p> <p><span style="font-weight: 400;">However, the damage has already been done.</span></p> <p><span style="font-weight: 400;">UpGuard has warned users of the app to change their passwords and says that the breach “puts users at risk who have reused the same password across accounts.”</span></p> <p><span style="font-weight: 400;">Have you been impacted by the breach? Let us know in the comments.</span></p>
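<p>The failure described above, buckets readable by anyone, is something a bucket owner can test for before a researcher does. The following is an added example, not UpGuard’s or Amazon’s code: it evaluates the two documents that decide public access to an S3 bucket, the bucket ACL (in the shape the S3 GetBucketAcl call returns) and the bucket policy, on constructed sample documents so that it runs offline. Wiring it to boto3 is left to the reader; the bucket and owner identifiers are placeholders, and statements carrying a Condition are treated as non-public, which is a simplification.</p>

```python
"""Detect S3 buckets exposed to everyone (ACL grants or bucket policy).

Added example for this page; not UpGuard's or Amazon's code. All sample
documents below are constructed, with placeholder identifiers.
"""
from typing import Optional

# Canned groups meaning "anyone on the internet" / "anyone with an AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_acl_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (group, permission) pairs that grant a public group access."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if group:
            hits.append((group, grant.get("Permission", "")))
    return hits


def _principal_is_anyone(principal) -> bool:
    """Bucket-policy principals: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy: dict) -> list[dict]:
    """Allow statements that apply to everyone and carry no Condition."""
    return [
        stmt for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        and _principal_is_anyone(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def _action_is_write(action: str) -> bool:
    return action in ("*", "s3:*") or action.startswith(("s3:Put", "s3:Delete"))


def classify_bucket(acl: dict, policy: Optional[dict] = None) -> str:
    """Summarise exposure as 'private', 'public-read' or 'public-write'."""
    perms = {perm for _, perm in public_acl_grants(acl)}
    actions: set = set()
    for stmt in public_policy_statements(policy or {}):
        act = stmt.get("Action", [])
        actions.update(act if isinstance(act, list) else [act])
    if perms & WRITE_PERMISSIONS or any(_action_is_write(a) for a in actions):
        return "public-write"
    if perms or actions:
        return "public-read"
    return "private"


# Constructed samples (not the real buckets from the story).
OWNER = {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}
EXPOSED_ACL = {
    "Owner": {"ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": {"ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    print("exposed ACL:", classify_bucket(EXPOSED_ACL))
    print("private ACL + public policy:", classify_bucket(PRIVATE_ACL, PUBLIC_READ_POLICY))
```

<p>Run it over every bucket in an account and anything other than <code>private</code> deserves a look; the ACL and the policy are checked separately because either one alone is enough to expose the data, as the two datasets in the story illustrate.</p>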

How to change your iPad password with ease

<p><span style="font-weight: 400;">Whether you keep forgetting your code or found an old iPad that you want to start using again, changing the password is easier than you think.</span></p> <p><strong>If you know the password to your iPad but want to change it</strong></p> <p><span style="font-weight: 400;">If you already know your password but want to change it, that’s simple to do once you know the steps.</span></p> <ol> <li style="font-weight: 400;"><span style="font-weight: 400;">Log into your iPad with the current password</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Go to the “Settings” app, which looks like grey gears</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Scroll down until you find “Passcode”. This can be called “Touch ID &amp; Passcode” on newer devices</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Enter your current passcode and scroll down to “Change Passcode”. You will enter your current passcode again (they’re very secure).</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">You can now enter your new code. Your code can be a 6-digit numeric code, a custom alphanumeric code, a custom numeric code or the standard 4-digit numeric code.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Enter your new password twice and you have successfully changed your passcode.</span></li> </ol> <p><strong>If you don’t know the passcode or have forgotten it</strong></p> <p><span style="font-weight: 400;">The only way to fix this is to restore your iPad to factory settings. Make sure you’ve backed it up before you do this, otherwise you will lose all of your data.</span></p> <p><span style="font-weight: 400;">However, if you’re definitely unable to remember the code, say goodbye to your data on the iPad.</span></p> <p><span style="font-weight: 400;">There are two ways to reset your iPad. 
One is via iTunes and the other is via your iCloud account online.</span></p> <p><strong>Method one: via iTunes</strong></p> <ol> <li style="font-weight: 400;"><span style="font-weight: 400;">Plug in your iPad and load up iTunes.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Open the device in iTunes by clicking on the little icon underneath the sound bar.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Once you have opened the device, click on “Restore iPad”.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">iTunes will warn you that you will lose all of your data by doing this. Click on the “restore” button anyway.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Your iPad will start up as a brand-new device, which you can access from iTunes</span></li> </ol> <p><strong>Method two: via iCloud account online</strong></p> <p><span style="font-weight: 400;">You are able to remotely erase the data on your iPad thanks to iCloud.com. This method is usually used if the device has been stolen or is lost but can also be used to erase data off your iPad.</span></p> <ol> <li style="font-weight: 400;"><span style="font-weight: 400;">Go to iCloud.com and log into your iCloud account. This is the same as your Apple ID.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Click on “Find my iPhone”, which is located at the top of the screen. Click “All devices” and select your iPad’s name.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Click on “Erase iPad”.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">You will be warned that your data will be lost, and you will be unable to track your device anymore. 
Click on “erase”.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">Your device is now restored to factory settings.</span></li> </ol> <p><span style="font-weight: 400;">Did you know of the iCloud method for restoring your iPad? Let us know in the comments.</span></p>

New scam warning for ANZ bank customers – beware of this email

<p>ANZ are warning customers of a new email scam that’s targeting their internet banking login details.</p> <p>This is a sophisticated email scam, as the email address that’s being used looks similar to ANZ’s support email. The scam email address is: @anzsupport.cf. </p> <p>The body of the ANZ-branded email goes into detail, explaining that the bank will be introducing “challenge questions” to protect customers and add an extra layer of security.</p> <blockquote class="twitter-tweet" data-lang="en"> <p dir="ltr">Warning: Be wary of this <a href="https://twitter.com/hashtag/phishing?src=hash&amp;ref_src=twsrc%5Etfw">#phishing</a> <a href="https://twitter.com/hashtag/email?src=hash&amp;ref_src=twsrc%5Etfw">#email</a> scam mimicking <a href="https://twitter.com/ANZ_AU?ref_src=twsrc%5Etfw">@ANZ_AU</a> . Directing users to confirm their ‘challenge questions’, the emails look legitimate, complete with the bank’s branding &amp; logos. Don’t click on any <a href="https://twitter.com/hashtag/links?src=hash&amp;ref_src=twsrc%5Etfw">#links</a>. 
More details in our blog soon <a href="https://twitter.com/hashtag/fastbreak?src=hash&amp;ref_src=twsrc%5Etfw">#fastbreak</a> <a href="https://twitter.com/hashtag/zeroday?src=hash&amp;ref_src=twsrc%5Etfw">#zeroday</a> <a href="https://twitter.com/hashtag/hacked?src=hash&amp;ref_src=twsrc%5Etfw">#hacked</a> <a href="https://t.co/TOLJvzVUr9">pic.twitter.com/TOLJvzVUr9</a></p> — MailGuard (@MailGuard) <a href="https://twitter.com/MailGuard/status/1103064693629845505?ref_src=twsrc%5Etfw">March 5, 2019</a></blockquote> <p>Once customers click on the link to confirm their challenge questions, they are taken to an authentic-looking ANZ login page, which asks for their customer registration number and password.</p> <p>Naturally, once these details are entered, the hackers have the customer’s internet banking login details and the sensitive information is handed over.</p> <p>Once the details are entered, customers are then taken to a page where they can choose their three challenge questions and provide answers.</p> <p>Once they’re finished with the questions, they’re taken back to the official ANZ AU page, which makes the scam even more convincing to customers due to the consistent ANZ branding all the way through.</p> <p>Email security firm <a rel="noopener" href="https://www.mailguard.com.au/blog/warning-anz-bank-impersonated-in-phishing-email-that-asks-users-to-confirm-challenge-questions" target="_blank">MailGuard</a> explains why the criminals have gone into such great detail.</p> <p>“Cybercriminals have taken great pains to replicate official landing pages from ANZ – including incorporating the bank’s branding and logo using high-quality graphical elements.</p> <p>“If you tell the scammers your security question, it allows them to attempt other fraudulent actions, such as calling them back and trying to access your accounts.”</p> <p>ANZ have advised their customers to be on the lookout, as they do not send emails asking for personal information or security credentials.</p> <p>If you’ve 
received an ANZ scam email, here are some steps you can take</p> <ul> <li>Do not open any attachments or enter any personal information.</li> <li>Forward the suspicious email to <a rel="noopener" href="mailto:hoax@cybersecurity.anz.com" target="_blank">hoax@cybersecurity.anz.com</a>.</li> <li>Delete the message from your inbox.</li> </ul> <p>Have you received this scam ANZ email? Let us know in the comments.</p>
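<p>The giveaway in this scam is a sender domain that carries the bank’s name without belonging to the bank. The following is an added example, not ANZ’s or MailGuard’s code, of the kind of check a mail gateway can apply to incoming messages: it parses the From header and the links in the body and flags any host that mentions the brand but is not on an allowlist of the brand’s genuine domains. The allowlist (anz.com and anz.com.au) and both sample messages are constructed for illustration; the only value taken from the article is the scam sender domain anzsupport.cf, and the link host anz-verify.example is made up.</p>

```python
"""Flag brand-impersonating sender domains and links in an e-mail.

Added example for this page; not ANZ's or MailGuard's code. The allowlist
and the two sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: illustrative allowlist of the brand's genuine domains. A real
# deployment maintains the full list of sending and web domains.
BRAND_DOMAINS = {"anz": {"anz.com", "anz.com.au"}}


def _host_is_genuine(host: str, allowed: set) -> bool:
    """Exact match or a subdomain of an allowlisted domain."""
    host = host.lower().rstrip(".")
    return host in allowed or any(host.endswith("." + d) for d in allowed)


def _host_mentions_brand(host: str, brand: str) -> bool:
    """True if any DNS label starts or ends with the brand name (anzsupport,
    anz-verify, myanz). Label-based rather than a bare substring test so
    unrelated words that happen to contain the letters do not trip it."""
    return any(label.startswith(brand) or label.endswith(brand)
               for label in host.lower().split("."))


class _LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_link_hosts(html_body: str) -> list:
    parser = _LinkCollector()
    parser.feed(html_body)
    return [urlsplit(href).hostname or "" for href in parser.hrefs]


def analyse_email(raw: str, brands=BRAND_DOMAINS) -> dict:
    """Return {'sender': host, 'reasons': [...], 'verdict': 'ok'|'suspicious'}."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    for brand, allowed in brands.items():
        if not _host_is_genuine(sender_host, allowed):
            if _host_mentions_brand(sender_host, brand):
                reasons.append(f"sender domain {sender_host} imitates {brand}")
            elif brand in display_name.lower():
                reasons.append(f"display name claims {brand} but sender is {sender_host}")
        for host in extract_link_hosts(body):
            if host and not _host_is_genuine(host, allowed) and _host_mentions_brand(host, brand):
                reasons.append(f"link to {host} imitates {brand}")
    return {"sender": sender_host, "reasons": reasons,
            "verdict": "suspicious" if reasons else "ok"}


# Constructed sample messages (headers, body and link host are made up).
SAMPLE_PHISH = """\
From: ANZ Internet Banking <support@anzsupport.cf>
Subject: Confirm your challenge questions
Content-Type: text/html

<p>Please <a href="https://anz-verify.example/confirm">confirm your challenge questions</a>.</p>
"""
SAMPLE_GENUINE = """\
From: ANZ <noreply@anz.com>
Subject: Your statement is available
Content-Type: text/html

<p>Log in at <a href="https://www.anz.com.au/">anz.com.au</a> to view it.</p>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_GENUINE):
        print(analyse_email(sample))
```

<p>The sender check uses the registered domain the message claims, not any authentication result; pairing it with SPF, DKIM and DMARC verification is what stops a message that spoofs the genuine domain outright, which this lookalike-name test alone would pass.</p>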

The top 10 worst passwords for 2018

<p>Coming up with (and remembering!) a hard password can be difficult. Most of us tend to stick to easy to remember patterns or words that we use in our everyday lives. However, this makes your accounts easier to hack into.</p> <p>SplashData, a password management and security organisation, evaluated over 5 million passwords that had been leaked on the internet to see what trends and habits users continued to fall into. It appears that none of us have learned to make more secure passwords, especially with five of the passwords in a row being numbers.</p> <p>Without further ado, the worst passwords for 2018 are:</p> <ol> <li>123456</li> <li>password</li> <li>123456789</li> <li>12345678</li> <li>12345</li> <li>111111</li> <li>1234567</li> <li>sunshine</li> <li>qwerty</li> <li>iloveyou</li> </ol> <p>The CEO of SplashData, Morgan Slain, explained why you should stay away from pop culture or movie references in your passwords as well.</p> <p>“Hackers have great success using celebrity names, terms from pop culture and sports, and simple keyboard patterns to break into accounts online because they know so many people are using those easy-to-remember combinations,” he said.</p> <p>These are the patterns that let hackers gain access to your accounts. However, Slain states that the reason they publish the worst passwords is to raise awareness.</p> <p>“Our hope by publishing this list each year is to convince people to take steps to protect themselves online,” says Slain. “It’s a real head-scratcher that with all the risks known, people continue putting themselves at such risk year-after-year.”</p> <p>If you see your password in the top 10, maybe take this as a sign that it’s not as secure as once thought. Check out the full <a rel="noopener" href="https://www.teamsid.com/100-worst-passwords/" target="_blank">list here</a>.</p>
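<p>Both the NCSC piece and this SplashData list make the same practical point: a service can simply refuse the passwords that appear on these lists. The following is an added example, not NCSC or SplashData code, of such a denylist check. It is built from the two lists printed on this page (the NCSC top 20 and the SplashData 2018 top 10); a production check would load the full 100,000-entry NCSC file or a Have I Been Pwned export instead. The 8-character minimum and the keyboard-row test are assumptions added for the example, and the three-random-words builder follows the NCSC suggestion quoted above.</p>

```python
"""Common-password denylist check, plus the NCSC "three random words" builder.

Added example for this page; not NCSC or SplashData code. The denylist is
the union of the two lists printed on the page; MIN_LENGTH and the
keyboard-walk test are additions for the example.
"""
import hashlib
import secrets

COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111", "12345678",
    "abc123", "1234567", "password1", "12345", "1234567890", "123123",
    "000000", "iloveyou", "1234", "1q2w3e4r5t", "qwertyuiop", "123",
    "monkey", "dragon", "sunshine",
}

# QWERTY rows, to catch runs such as "asdfgh" that are not literally listed.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 8  # assumption for the example, not a figure from the page


def _sha1_upper(text: str) -> str:
    """Upper-case SHA-1 hex digest, the form the Have I Been Pwned range
    lookup uses. Lookup only: never store user passwords with SHA-1."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Keep only digests so the server need not hold the plaintext list.
DENYLIST_SHA1 = frozenset(_sha1_upper(p) for p in COMMON_PASSWORDS)


def _normalise(password: str) -> str:
    return password.strip().lower()


def is_common(password: str) -> bool:
    """True if the case-folded password is on the denylist."""
    return _sha1_upper(_normalise(password)) in DENYLIST_SHA1


def is_keyboard_walk(password: str, min_len: int = 4) -> bool:
    """True if the password is a contiguous run along one keyboard row in
    either direction, e.g. "asdfgh" or "0987"."""
    p = _normalise(password)
    if len(p) < min_len:
        return False
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password: str) -> tuple:
    """Return (accepted, reason).

    Rejects exact denylist hits, the "append some digits" variants such as
    qwerty123, plain keyboard walks, and anything under MIN_LENGTH.
    """
    p = _normalise(password)
    if is_common(p):
        return False, "on the common-password denylist"
    base = p.rstrip("0123456789")
    if base and base != p and is_common(base):
        return False, "common password with digits appended"
    if is_keyboard_walk(p):
        return False, "keyboard pattern"
    if len(p) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


def three_random_words(wordlist, rng=None) -> str:
    """Build a password the way the NCSC suggests: three random words joined
    together (their example is "walltinshirt"). Uses a CSPRNG by default."""
    rng = rng or secrets.SystemRandom()
    return "".join(rng.sample(list(wordlist), 3))


if __name__ == "__main__":
    for candidate in ("123456", "Password1", "qwerty123", "asdfgh", "coffeetrainfish"):
        print(f"{candidate!r}: {check_password(candidate)}")
    print(three_random_words(["wall", "tin", "shirt", "coffee", "train", "fish"]))
```

<p>The digest-based lookup is what lets the same check scale to the full 100,000-entry list: only hashes need to live on the server, and a k-anonymity range query against Have I Been Pwned can replace the local set without ever sending the candidate password off the machine.</p>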

How to find the right online password

<p><em><strong>Alastair MacGibbon, Director at the Centre for Internet Safety, University of Canberra, explains how to find the right online password.</strong></em></p> <p>In 2004 Bill Gates pronounced <span style="text-decoration: underline;"><strong><a href="http://news.cnet.com/2100-1029-5164733.html" target="_blank">usernames and passwords dead</a></strong></span>. Gates, a man consistently thinking ahead of the crowd, was right. Most of us – including our employers and the online services we rely on – just haven’t caught up yet.</p> <p>Gates’ statement came at a time when the devastatingly simple consumer-focussed attack of <span style="text-decoration: underline;"><strong><a href="http://www.pcmag.com/encyclopedia/term/49176/phishing" target="_blank">phishing</a></strong></span> started. Designed to trick users out of their usernames and passwords, this was a turning point in cybercrime. Criminals showed an understanding that the end user – whether in a work or home environment – was a profitable target, and a softer one than central computer systems.</p> <p>Malicious software designed to steal usernames and passwords has augmented phishing. If the end user could be compromised, entry through the protected gates of corporate and government systems would be easier, sometimes guaranteed.</p> <p>Layered onto this security problem has been the increasing number of services we use that require passwords. 
As we all know, even after Gates’ prediction, the number of passwords we need to remember has gone up, not down.</p> <p><strong>How many passwords?</strong></p> <p>Usernames and passwords are still the key to protect most of what we do at home and work, despite the sheer number of massive breaches disclosed such as the <span style="text-decoration: underline;"><strong><a href="http://www.bloomberg.com/news/2014-10-02/jpmorgan-says-data-breach-affected-76-million-households.html" target="_blank">recent hacking</a></strong></span> of US bank JPMorgan.</p> <p>There is also the untold number that are brushed under the carpet and those that have gone unnoticed by the victim companies, in addition to all of the end users such as you and I who have unwittingly handed over our credentials via phishing.</p> <p>It would be fair to conclude that hundreds of millions of usernames and passwords have been exposed over the past few years with websites tracking the <span style="text-decoration: underline;"><strong><a href="http://www.privacyrights.org/data-breach/" target="_blank">data breaches in the US</a></strong></span> and <span style="text-decoration: underline;"><strong><a href="http://www.breachlevelindex.com/#sthash.fgWcE9Oh.BkvSSzva.dpbs" target="_blank">records lost</a></strong></span>. The numbers are so big accuracy is unimportant. We should just agree that there are a lot of them.</p> <p>So how do we go when it comes to our password discipline? Do we use complex, hard to guess passwords that combine letters, numbers and symbols? A different one for each account? 
Changed regularly?</p> <p>No, no and no.</p> <p>We know from the hackers who dump unencrypted passwords onto sites such as pastebin what the <span style="text-decoration: underline;"><strong><a href="http://www.news.com.au/technology/online/password-the-most-popular-passwords-of-2013/story-fnjwnfzw-1226807251451" target="_blank">most popular passwords are</a></strong></span> and they make you shudder:</p> <ol start="1"> <li>123456</li> <li>password</li> <li>12345678</li> <li>qwerty</li> <li>abc123</li> </ol> <p>We know from surveys that <span style="text-decoration: underline;"><strong><a href="http://www.zdnet.com/blog/security/survey-60-percent-of-users-use-the-same-password-across-more-than-one-of-their-online-accounts/9489" target="_blank">nearly two thirds</a></strong></span> (60%) of Australians use the same password across more than one of their online accounts. This means we are recycling our passwords. This isn’t a naming and shaming exercise, but we know who we are.</p> <p><strong>Are websites serious about security?</strong></p> <p>But it gets worse. Websites that use usernames and passwords are worried about one thing other than accounts being taken over, and that is a legitimate user not having access to their account.</p> <p>So the user forgets their password. 
No problem – click on the link and websites will generally do one of two things: email a password to your registered address, or ask you for the answers to what are known in the industry as “shared secrets”.</p> <p>They’re things such as your birth date, your mother’s maiden name, your dog’s name, your old school – questions you were asked at the time of registering the account.</p> <p>Now, emailing you a link to your email address seems fine, except it may be that the criminal also controls that email address (because they tricked you out of the password, or guessed it because you’ve given them the password for a different account, which has the same password).</p> <p>Now the criminal merely clicks on the link and resets the passwords. At this point the criminal might change the account details to make sure all future notifications go to them. Or they merely delete the “you have changed your password” email from your email account.</p> <p><strong>Not so secret secrets</strong></p> <p>So what about the “shared secret” process? If the criminal already controls another of your accounts, they may be able to simply look up the answers you gave to that account. More likely, they will just research you on the internet.</p> <p>You see, the problem with shared secrets is that we’ve started to share them a little too widely to still call them secrets.</p> <p>LinkedIn, Facebook, Twitter, electronic newsletters, blogs and so on all tend to contain useful information that can be seen by others. The age of social media and the phenomenon of over-sharing came after the shared secret lock became the default for account security.</p> <p>Further still, if our password isn’t strong, and the web service hasn’t implemented the right controls, criminals can use what are called “brute force” attacks against accounts to try to force their way in.</p> <p>They do this by running a password “dictionary” against a site. It’s like trying hundreds of thousands of combinations against a combination lock. 
If a password isn’t complex, the criminal is in. See how long it would take a password similar to yours to be hacked with security firm Kaspersky’s <span style="text-decoration: underline;"><strong><a href="http://blog.kaspersky.com/password-check/" target="_blank">password check</a></strong></span> (don’t use your real password).</p> <p><strong>Passwords and underwear</strong></p> <p>They say passwords are like underwear: change them often. I agree, we should. But we know we don’t (change passwords, that is). So let’s try doing it twice a year to start with.</p> <p>Regularly changing passwords means that even if criminals trick you out of them via phishing, or steal them by compromising your computer or the organisation holding your data, the password they have simply won’t work.</p> <p><span style="text-decoration: underline;"><strong><a href="http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html" target="_blank">Criminals compile lists</a></strong></span> of usernames and passwords and trade them on the internet black market. Lists with old passwords have less value.</p> <p>The next step is coming up with stronger passwords, and having a unique one for each account. We can do this by using a pass-phrase system.</p> <p><strong>Your pA$$woRd!</strong></p> <p>Start with a phrase from a song or movie you like, or something similar. I’m going to use the phrase “the quick brown fox jumped over the lazy dog”.</p> <p><strong>Take the first letter from each word:</strong></p> <p><em>tqbfjotld</em></p> <p>Capitalise the first or any letter and add some punctuation:</p> <p><em>Tqbfjotld!</em></p> <p>It’s starting to look complex.</p> <p>Now do some number substitution using a system you devise. 
Maybe you look at your computer’s keyboard and decide to substitute any letters in your phrase which sit below a number on the keyboard.</p>
<p>So in this case our “q” becomes “1” and our “o” becomes “9”:</p>
<p><em>T1bfj9tld!</em></p>
<p>Now you have a password that is random letters, uses a capital and has numbers and symbols.</p>
<p>But how do you make it unique for each and every website? Perhaps you do something like the name of the website in front, using the same number substitution as above.</p>
<p>So, if this was my eBay account, I would add 3Bay to the password, which now becomes:</p>
<p><em>3BayT1bfj9tld!</em></p>
<p><strong>Take the next step</strong></p>
<p>Many websites now offer optional two-step authentication, such as an SMS code sent to your phone to gain access to the account, or if changes are made to the account.</p>
<p>Always, always, always use these options if available.</p>
<p>Of course, none of this is foolproof. Criminals have been known to take control of a victim’s mobile phone service so that they can intercept the authentication SMS, and there are “man in the middle” attacks where hackers intercept passwords and codes to open another parallel session.</p>
<p>But two-step security is way better than just a username and password.</p>
<p>At a consumer level, more robust biometric security on devices (such as fingerprint readers) is increasingly ubiquitous. Some companies providing services over the phone have started to explore voice biometrics.</p>
<p>There is no silver-bullet biometric that makes account security foolproof. No doubt criminals will innovate and find cracks to exploit, but online crime is a volume game and our responsibility is to drive that volume down.</p>
<p>Was Bill Gates right about passwords? Yes, but not for a while yet. Until that password-free world arrives, none of us can afford to let our guard down.</p>
<p>Do you think you’ll try these tips?</p>
<p><em>Written by Alastair MacGibbon.
Republished with permission of <a href="http://www.theconversation.com" target="_blank"><strong><span style="text-decoration: underline;">The Conversation</span></strong></a>.</em></p>

Why password sharing is becoming more common

<p>You'd forgive me for being perturbed when I recently noticed someone accessing their partner's smartphone using their fingerprint.</p>
<p>Knowing your loved one's passcode for reasons of occasional access to their phone – say, when they are driving – is one thing. Having your fingerprint pre-loaded on their phone so it can be scanned for instant access? That tells me you're either way too close, or don't have enough trust in each other.</p>
<p>Yet the sharing of passwords is common in most households. A Pew Research study found that 67 per cent of couples in committed relationships have shared passwords.</p>
<p>Sharing passwords and other login details on everything from social media to streaming services makes sense for a lot of couples. It's probably out of convenience: sometimes your partner will ask you to log on to their computer and find an email; other times you might want to buy and stream a movie on Google Play and you only have one account between you.</p>
<p>The reality of password sharing is that 95 per cent of us share up to six passwords with others, according to password management service LastPass.</p>
<p>The most commonly shared passwords are for wi-fi networks (58 per cent), followed closely by TV/film streaming accounts (48 per cent), financial accounts like online banking (43 per cent), and e-mail addresses (39 per cent).</p>
<p>Who's doing this password sharing? Time magazine data says it matters little what age you are. Sixty-four per cent of 18-29-year-olds share passwords, compared with 70 per cent of 30-49-year-olds, 66 per cent of 50-64-year-olds, and 69 per cent of people 65-plus.</p>
<p>From an interpersonal point of view, the sharing of passwords likely means you have nothing to hide, and that's usually a good thing.
From a privacy and security perspective, it also means you're ignoring a lot of risks.</p>
<p>While 74 per cent of passwords are shared verbally, 15 per cent are shared by pen and paper, 5.8 per cent by text, and 4.4 per cent by e-mail. Only two per cent are shared using secure password sharing services.</p>
<p>What's more, although 73 per cent of people agree that password sharing is risky, that same 73 per cent are unlikely to change a password after sharing it with someone.</p>
<p>That's extremely problematic when it comes to the kind of data that is available over one's wi-fi network or financial accounts, and even more so because 59 per cent of people re-use their passwords across different online accounts.</p>
<p>That means giving somebody your Netflix password could well mean you've given them your Twitter login and iTunes password, too.</p>
<p>When it comes to sharing passwords amongst people who don't live in the same household, Reuters/Ipsos research suggests not many of us do it, but it does happen.</p>
<p>Just 12 per cent of adults overall password-share for TV/film streaming services in this way, although 24 per cent of young people aged 18-24 do it.</p>
<p>In the fine print of most tech companies' terms and conditions, there's often a stipulation that you're agreeing that only you will use that account. But there's no policing of this, and many services allow multiple access from different locations at one time without issues.</p>
<p>From a personal perspective, there's only one area in my life where I share passwords - paywalled news sites.</p>
<p>I have a group of about five friends and all of us subscribe to a different international outlet (they're usually around $10-15 a month), so we're all getting a "pay for one, get access to five" ad-hoc deal.</p>
<p>Rationally, none of us would subscribe to all services and pay over $50 a month for our online news.
At least we're paying something for quality journalism, we argue, and we are still being served up advertising on paywalled sites and aren't getting a completely free ride.</p>
<p>The way we do this is theoretically the safest way to share passwords, if there is such a thing, and – if you're going to share any at all – how I'd advise you to proceed.</p>
<p>We create a unique password for every service that does not feature elsewhere in anybody's digital life. It's for that service, and that one only. Passwords are shared only in person, not via digital communication, and changed regularly.</p>
<p>If we were to really take security seriously, though, we all acknowledge that what we're doing still counts as unsafe online behaviour and we shouldn't be doing it at all.</p>
<p>Do you share passwords with your loved ones?</p>
<p><em>Written by Lee Suckling. First appeared on <a href="http://Stuff.co.nz" target="_blank"><strong><span style="text-decoration: underline;">Stuff.co.nz</span></strong></a>.</em></p>

New online tool lets you find out if your password has been hacked

<p>A new online tool lets you find out if your password has been hacked and published online, as well as the steps to take if you have been caught out.</p>
<p>Digital security expert Troy Hunt, founder of Have I Been Pwned, said users enter their details into a search box on his website, which is then cross-referenced with a database of leaked passwords online.</p>
<p>The website will tell you if your account details have been hacked and how to protect yourself.</p>
<p>“Pwned Passwords are hundreds of millions of real world passwords exposed in data breaches. This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts. They're searchable online below as well as being downloadable for use in other online systems. Do not send any password you actively use to a third-party service - even this one!” the website reads.</p>
<p>Mr Hunt wrote on his blog, “If the password alone comes back with a hit on this service, that’s a very good reason to no longer use it regardless of whose account it originally appeared against.</p>
<p>“As well as people checking passwords they themselves may have used, I’m envisaging more tech-savvy people using this service to demonstrate a point to friends, relatives and co-workers: ‘you see, this password has been breached before, don’t use it’.”</p>
<p>While the service is doing a public good, Mr Hunt warns against sharing your current passwords on any third-party website.</p>
<p>“It goes without saying (although I say it anyway on that page), but don’t enter a password you currently use into any third-party service like this!</p>
<p>“I don’t explicitly log them and I’m a trustworthy guy but yeah, don’t.</p>
<p>“The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it’s not one they should be using any more.</p>
<p>“Mind you, someone could actually have an exceptionally good password but if the website stored it in plain text then leaked it, that password has still been ‘burned’.”</p>
<p><strong><em>To test old passwords, visit <span style="text-decoration: underline;"><a href="https://haveibeenpwned.com/Passwords">Have I Been Pwned</a></span>.</em></strong></p>
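<p>Hunt’s advice not to type a live password into a third-party site can be followed while still checking it: Pwned Passwords also offers a k-anonymity “range” lookup in which only the first five hex characters of the password’s SHA-1 leave your machine, and the matching is done locally. The Python below is an added example, not code from Have I Been Pwned or from this article; the sample range response is constructed (its first suffix is the genuine SHA-1 remainder of the word “password”, while the counts and the other suffixes are made up), and the User-Agent string is a placeholder.</p>

```python
import hashlib
import urllib.request

# Real k-anonymity endpoint of Pwned Passwords (documented by the service,
# not mentioned in the article): the client sends only the first 5 hex chars
# of the SHA-1 and receives every known suffix that shares that prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6. The first suffix is the real
# remainder of SHA-1("password"); the counts and the other suffixes are made up.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:17
"""


def sha1_split(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How many times the password appears in the corpus, per the range body (0 if absent)."""
    _, suffix = sha1_split(password)
    return parse_range_body(range_body).get(suffix, 0)


def check_password_online(password, timeout=10.0):
    """Live check: fetch the range for the password's prefix, then match locally."""
    prefix, _ = sha1_split(password)
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})  # placeholder UA
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return breach_count(password, body)


if __name__ == "__main__":
    for pw in ["password", "3BayT1bfj9tld!"]:
        print(pw, "->", breach_count(pw, SAMPLE_RANGE_BODY))
```

Only `breach_count` on the constructed body runs offline; `check_password_online` performs the real network lookup and a hit count above zero means the password should be retired.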
