Big news!The world’s most popular password is no longer “password”!
It’s the much more complicated “123456”!
What’s shocking about lists of passwords that come out annually or whenever there is a big data heist is how much they don’t change. Most people, it seems, use the same terrible passwords over and over again no matter how many times we try to scare them out of it.
Why does this happen? Here are some simple reasons.
1. You have so many accounts that need passwords.
In 2011, the average internet user had to remember 10 passwords a day. And that was 3 years ago. We’ve all created hundreds of online accounts. For most of these, people seem to use the same passwords over and over, which isn’t a big deal unless…
2. You don’t differentiate between important and unimportant accounts.
Certain accounts require far more secure passwords than others. Not only should all of your most important accounts — online banking, email, credit cards — each have their own unique password, you should make sure that you never use your work passwords for your personal accounts. Imagine the nightmare of realizing your personal hack put your work security in danger. For that reason you shouldn’t use your work email as a contact for non-work accounts either.
3. Good passwords are hard to remember.
You can’t use any word from the dictionary, any term on your social media profiles, it much include a character, a symbol, the square root of Pi divided by nine…
4. You’ve gotten away with it for this long.
The biggest reason that we don’t change is that we don’t have to. Even when people get their email hacked, they often just change that password and go on as nothing happened because the consequences aren’t bad enough yet.
5. You don’t use a password manager.
Creating and remembering strong, unique passwords is hard. Password managers make it easy. That’s why F-Secure Labs suggests that you start using one now. And, of course, we recommend that you use ours: F-Secure Key.
[Image via marc falardeau via Flickr.com.]
The recent statements from FBI director James Comey is yet another example of the authorities’ opportunistic approach to surveillance. He dislikes the fact that mobile operating systems from Google and Apple now come with strong encryption for data stored on the device. This security feature is naturally essential when you lose your device or if you are a potential espionage target. But the authorities do not like it as it makes investigations harder. What he said was basically that there should be a method for authorities to access data in mobile devices with a proper warrant. This would be needed to effectively fight crime. Going on to list some hated crime types, murder, child abuse, terrorism and so on. And yes, this might at first sound OK. Until you start thinking about it. Let’s translate Comey’s statement into ordinary non-obfuscated English. This is what he really said: “I, James Comey, director of FBI, want every person world-wide to carry a tracking device at all times. This device shall collect the owner’s electronic communications and be able to open cloud services where data is stored. The content of these tracking devices shall on request be made available to the US authorities. We don’t care if this weakens your security, and you shouldn’t care because our goals are more important than your privacy.” Yes, that’s what we are talking about here. The “tracking devices” are of course our mobile phones and other digital gadgets. Our digital lives are already accurate mirrors of our actual lives. Our gadgets do not only contain actual data, they are also a gate to the cloud services because they store passwords. Granting FBI access to mobile devices does not only reveal data on the device. It also opens up all the user’s cloud services, regardless of if they are within US jurisdiction or not. In short. Comey want to put a black box in the pocket of every citizen world-wide. Black boxes that record flight data and communications are justified in cockpits, not in ordinary peoples’ private lives. But wait. What if they really could solve crimes this way? Yes, there would probably be a handful of cases where data gathered this way is crucial. At least enough to make fancy PR and publically show how important it is for the authorities to have access to private data. But even proposing weakening the security of commonly and globally used operating systems is a sign of gross negligence against peoples’ right to security and privacy. The risk is magnitudes bigger than the upside. Comey was diffuse when talking about examples of cases solved using device data. But the history is full of cases solved *without* data from smart devices. Well, just a decade ago we didn’t even have this kind of tracking devices. And the police did succeed in catching murderers and other criminals despite that. You can also today select to not use a smartphone, and thus drop the FBI-tracker. That is your right and you do not break any laws by doing so. Many security-aware criminals are probably operating this way, and many more would if Comey gets what he wants. So it’s very obvious that the FBI must have capability to investigate crime even without turning every phone into a black box. Comey’s proposal is just purely opportunistic, he wants this data because it exists. Not because he really needs it. Safe surfing, Micke
The issue of mass government surveillance may have taken a back seat to other headlines lately, but the new Edward Snowden documentary is bringing it to light once more. CITIZENFOUR, the Laura Poitras film documenting the moments Edward Snowden handed over classified documents detailing the mass indiscriminate and illegal invasions of privacy by the US's National Security Agency, is getting rave reviews ahead of its world premiere. The film is already prescreening in the UK, and along with that, F-Secure's UK office is publishing a research report that highlights the growing concern of the public - specifically, the British public - with mass surveillance. The ‘Nothing to Hide, Nothing to Fear?’ report centers on the concern about surveillance being undertaken by the British government on its own people, as well as foreign nationals. The concerns are justified, as Snowden himself in recent comments warned that the British Government is even worse than its American counterparts, since the founding fathers of the US enshrined in law certain rights which the Brits – with no written constitution – cannot claim. Research* commissioned for the report shows that 86% of Brits do not agree with mass surveillance. Snowden’s leaks last year highlighted the extent to which Western intelligence agencies are snooping on the general populace, including their emails, phone calls, web searches, social media interactions and geo-location. And when you consider the fact that the UK has 5.9 million closed-circuit TV cameras (one for every 11 people, as opposed to one informant per 65 people in the Stasi-controlled East German state), the extent to which Britain has fallen into being a surveillance state becomes shockingly clear. The UK government, of course, insists that indiscriminate surveillance will protect national security. However, the UK's Regulation of Investigatory Powers Act (RIPA) contravenes Article 12 of the Human Rights Act: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.” “We are in unchartered territory and we appear to have sleepwalked here,” said Allen Scott, managing director of F-Secure UK & Ireland. “Little by little, our rights to privacy have been eroded and many people don’t even realise the extent to which they are being monitored. This isn’t targeted surveillance of suspected criminals and terrorists – this is monitoring the lives of the population as a whole.” With the future use of this data uncertain, the British people are showing their concerns. The research showed that 78% of respondents are concerned with the consequences of having their data tracked. This concern will only increase as more privacy-infringing schemes pervade UK government departments, offering up more personal data for GCHQ, the British intelligence agency, to use. Be sure to check out CITIZENFOUR once it hits your part of the world. And if you're in the UK, you can be among the first to see it – see pre-screening venues here: https://citizenfourfilm.com/ READ THE REPORT: Nothing to Hide, Nothing to Fear? See more of what Brits think about surveillance in our infographic: *Research conducted by Vital Research & Statistics on behalf of F-Secure. 2,000 adult respondents. 10-13th October 2014.
Is this China's digital riot police? A "particularly remarkable advanced persistent threat" has been compromising websites in Hong Kong and Japan for months, according to Volexity. The pro-democratic sites that have been infected include "Alliance for True Democracy – Hong Kong" and "People Power – Hong Kong" along with several others identified with the Occupy Central and Umbrella Revolution student movements behind the massive protests against the Chinese government. Visitors to the sites are being targeted by malware designed for "exploitation, compromise, and digital surveillance". In an analysis on our Labs Blog, Micke notes that it's possible that cybercriminals could be simply piggybacking on the news without any political motivation. However, the Remote Access Trojans (RATs) being used could provide serious advantages to political opponents of the movement. "A lot of the visitors on these sites are involved in the movement somehow, either as leaders or at grassroot level," he writes. "Their enemy could gain a lot of valuable information by planting RATs even in a small fraction of these peoples’ devices." And even leaders aren't compromised, the publicity around the attack will drive users away from the sites. This is a tactic that would definitely benefit those who want these see protests to end ASAP. And it would be a far more effective tactic if not for social networks like Twitter that can be accessed to plan resistance,even if the government blocks them -- as long as you have a VPN solution like our Freedome. If the goal is to cripple the protests by targeting protesters, "you don’t have to be a genius to figure out that China is the prime suspect," Micke writes. The significance a state-sponsored RAT attack -- or even a state-condoned attack carried out by privateers -- would be immense. Criminals use malware to target individuals, businesses and governments themselves. Government-sponsored cyberattacks on citizens practicing civil disobedience could be considered an escalation beyond even likely government-sponsored surveillance malware like Flame, which forces businesses to consider malware attacks from their own governments. Over the last year we've learned just how far suspicious governments will go to play defense against internet users who haven't been accused of any crime. Now we're seeing hints that a government may be willing to play offense too.