“What’s that password again? Wait, I changed it … Harrumph. I don’t remember!” We’ve all been there, sometimes many times a day. Password autofill on our Web browsers felt like the sun was shining on our online activity again. Sorry to tell you, but this convenience may not be entirely safe.

Most browsers will ask after you’ve entered a new password into a site or changed a password if you want it stored for you. That way, when you revisit that site, the browser can autofill the access credentials for you. It saves you the struggle of trying to keep all your passwords straight.

The problem is that some sites, including legitimate sites, can be compromised with a hidden form. You’ll never see it, but your browser will. So, it will autofill that form, and in clear, unencrypted text. This allows bad actors to capture your username and password without your knowledge.

Another risk? Irresponsible digital marketers may use hidden autofill forms to track your online activity. That’s done without your consent.

Using browser autofill with a password manager can also cause confusion, especially if your browser autofills, whereas the manager asks before filling in forms. Using both at the same time you also run the risk of duplicating passwords, which could make it difficult to track your passwords and increase the risk of security breach.

How to disable autofill

You can protect your passwords by disabling autofill on any browser you use:

On Microsoft Edge, go to Settings, then Profiles, then Passwords, and disable “Offer to save passwords.”
On Google Chrome, go to Settings, then Passwords, and disable “Offer to save passwords.”
On Firefox, open Settings, then Privacy & Security, then Logins and Passwords, and “Autofill logins and passwords.”
On Safari, from the Preferences window, select and turn off Auto-fill.

Can I keep using password managers?

A password manager, such as LastPass or 1Password, typically provides more security than browser autofill. Password managers have strong encryption algorithms to protect your login credentials, which means that even if your device is compromised, your passwords are safe.

Still, if the manager autofills your credentials, you face the same risks. Most password managers have autofill disabled by default. That’s good. Leave preemptive autofill off. You might see it called “Autofill on page load.” Keep that turned off, too.

Our advice? Use a password manager that requires you to click a box before it fills in your credentials. This action avoids your information from automatically populating a hidden form.

Securing your online activity is an ongoing challenge. Our experts can help identify ways you can protect your privacy and data online. Contact us today at (888) 234-WDIT(9348).

News of data breaches is all too common. This company apologizes for six million accounts breached. That company acknowledges hackers accessed 35,000 users’ personal identifiable information. But the question that probably matters most: Is your data breached, too?

The company should contact you if your information is in a data leak, but you can’t rely on that. You can also find out if your phone number or email address has been leaked by visiting https://haveibeenpwned.com/.

HaveIBeenPwned has uploaded various breaches and consolidated the information to make searching easy. Enter your address and get a list of breaches that compromised that email. You’ll get a summary paragraph as well as a description of data compromised in each breach.

It is not uplifting reading!

Next, the question is what to do about your breached information.

Steps to Better Security
First, change your passwords for those breached accounts. If you use that same password to access other accounts, change those passwords, as well, even if they are not listed as leaked.

Always avoid reusing passwords. Yes, it can be a hassle to remember many different access credentials, but you risk exposing many accounts if you keep reusing one email address and password combo over and again.

Make using unique passwords for all accounts easier by using a password manager. A manager can store your many passwords in one place and generate strong ones to use. You can often download an app to your mobile device, which gives you the convenience of filling in your credentials when you’re on the go, too.

The next step is to use two-factor authentication (2FA).

Understanding 2FA
This adds a layer of difficulty for hackers trying to access your accounts. Even if they had your username and password, they would need a second way to verify your identity.

Using 2FA requires you to provide one of the following before you can gain access:

• something you know (e.g. the answer to a secret question);
• something you have (e.g. your smartphone);
• something you are (e.g. your fingerprint).

A bad actor would need to have not only your leaked credentials but also your other "something."

A common approach to FA is an SMS text message or voice-based authentication. You enter your credentials, then the site follows up with a text or phone call providing a separate code you must then enter. This is not the best method, however. Scammers can hack the SIM card associated with your device, and then use your number to make and receive calls and texts.

Software tokens for 2FA are a safer solution. You’ll download and install an application on your phone (e.g. Authy or Okta Verify). It can generate a unique verification code that is valid only for 30–60 seconds.

Want to learn more about password management and soft-token 2FA. We’re here to help. Contact us today at (888) 234-WDIT(9348).

The average individual has 100 passwords to remember, according to a NordPass study. Apparently, no one has studied how many we actually remember versus how many we reset over and over. No matter. New developments could save us from having to remember passwords altogether, as major players are moving to a single passkey sign-on approach.

What is passkey sign-on?Apple, Google, and Microsoft have joined forces to support “passwordless” sign-in across all their mobile, desktop, and browser platforms. The initiative, announced in May to coincide with World Password Day, is expected to roll out in 2022/23.

What does passkey login involve? Users choose a physical device to use to authenticate them on apps, websites, and other digital services. For many of us, this would be a mobile phone. You’d unlock the phone as you normally do. Then, you could enter a PIN, draw a pattern, or use your fingerprint to sign into the digital services you need.

To put it simply, it’s a four-stage process:

1. You navigate to the site or app or service you want to use.
2. You approve access using your passkey device.
3. A public passkey (mirroring the private one on your device) is shared.
4. Login is completed.

You don’t need a password, because the login is done using a cryptographic token (the passkey). Your selected device shares that passkey with the website, app, or other online services.

Advantages of the passkeyUsing a passkey means you need to remember only the one PIN or pattern to unlock access … or have fingertips! And you don’t have to come up with a complicated passphrase either, which means no more frustrating upper and lowercase character, number, and symbol combo.

The passkey sign-in method is touted as more secure. Passwordless authentication makes it more difficult for hackers to compromise login details. After all, they would need access to the physical device you use to access digital services, apps, and websites.

You keep personal information safe and cut password vulnerabilities that plague us today:

• Phishing attacks, which use fake websites to capture login details, won’t work.
• Brute-force attacks, which use trial and error to guess credentials, won’t get anywhere.
• Spoofing your device will no longer work, as the passkey device must be near the computer.

Another plus? Passkey security is being set up to offer multi-device authentication. You’ll be able to sign in to an app or service from almost any device, and it won’t matter what platform or browser you’re using. So, you could sign in to Google Chrome and run Microsoft Teams using your iPhone, for instance.

Making the most of multi-factor authenticationPasskey security will use a FIDO standard to authenticate you in different contexts. This is a passkey protocol already supported in some online environments, but major players are now coming together to make it more widespread.

With a passkey that is unique to you, you’ll no longer have to worry about keeping track of multiple passwords.
​
Still, until this technology is available, you’ll want to protect your online activity. Our experts can help secure your home networks and set you up with a password wallet. Contact us today at (888) 234-WDIT(9348).

​All of us like to think we are unique. That thinking extends to our passwords too, right? We’re special and distinct, so no one could guess our chosen collection of letters, numbers and symbols. Well, it’s surprisingly easy for algorithms to determine passwords and to do so extremely quickly. So, a password manager is a smart move, as you’ll have more complex, different passwords stored. Still, it’s important that your master password for that manager be 100 percent original.

Sure, your password may be difficult for a human to guess – it would take forever. But, computers can run through the possible combinations in seconds. Password Depot found that a password consisting of five characters (three lowercase letters and two numbers) can be hacked in 0.03 seconds.

Add characters and the volume of possible configurations increases, and that adds time. A seven-character password (one capital letter, six lowercase letters) will take approximately nine minutes. At eight characters (four lowercase letters, two special characters, and two numbers) things get more complicated. Trying all the possible permutations will take 2.6 days.

That’s a data-driven argument for complex passwords with many letters and numbers. But the problem is that they are so much more difficult to remember, and that’s why it’s a good idea to use a password manager.

The power of a password manager

A password manager offers top-notch encryption to protect passwords. You can use a password manager as a vault for all your passwords. When you want to log in online from your desktop, it can prefill your username and password. Often, there is also an app that allows you to do the same on mobile devices.

Industry-leading password managers also notify you if credentials are weak or get compromised. They may also flag that you are repeating access credentials, which is not a good idea.

Don’t forget your master password

Part of the appeal of a password manager is its zero-knowledge approach. They are set up so that they can’t see your stored passwords. The password is encrypted before it reaches the manager’s server and can’t be deciphered.

This means you have to be careful not to forget your master password. The master password is the one you use to access the password manager. Without it, you’ll have to try to recover your account using several stages of authentication.

Make your master password unique, and don’t use it anywhere else. Repeating passwords, as mentioned above, increases your risk of getting hacked. If the other site is hacked, the bad guys could try that same password on other sites, too. It’s low-hanging fruit for them.

The current best practice as far as passwords go is to use a passphrase with a mix of alpha-numeric symbols. This gives you a length of between 20 and 30 characters. You can use a variety of uppercase and lowercase letters, numbers, and symbols. Some examples of passphrases include:

• My_Fave_Person_is_My_Fish_761
• Mytrip-2-Paris-Was-Magnifique
• YouRemindMeoftheBabe!!

The passphrase means something to you, so it is more memorable. Yet it isn’t easy for hackers to crack. Also, you’re not using specific personal details that you may reveal on social media (unless you are constantly posting pics of your fish, and its name is actually 761).

Protecting your online identity
​
Want to know more about protecting your online identity? Need help with setting up security procedures for your home computer and network? Our tech experts are available to help. Call us today at (888) 234-WDIT(9348)!

The main advantage of a password manager is obvious to anyone with more than one account online (i.e. everyone). Instead of remembering all 100 usernames and passwords, the password manager autofills them. It’s a boon. But it’s not the only reason to use a password manager. This article shares several more unexpected benefits.

Password manager programs generate, manage, and store many different passwords. You may be concerned about whether a password manager is safe to use. But, the cybersecurity industry consensus is “yes, it is.”

A password manager uses top-notch encryption to protect passwords. Plus, they take a zero-knowledge approach. They can’t actually see the passwords they store and prefill on sites. The password is encrypted before it reaches the manager’s server and can’t be deciphered. This is why you need to be so careful not to forget your master password!

That said, the password manager offers more than a vault for encrypted credentials.

More Benefits of Password Managers

For one thing, many password managers have apps for download onto mobile devices. Then, you can use the password manager to prefill forms on those, too. This gives you the advantage of convenience not only on your desktop computer but also on the go.

Some password managers offer added security benefits, as well. They might:

• warn you of weak password and login credentials;
• remind you to change your passwords;
• notify you if your passwords may have been compromised in a breach;
• advise you against repeating access credentials if you’re about to do so.

Another advantage is that you can conveniently share passwords with others. Maybe you want to give family members shared access to streaming accounts or allow a work colleague access to applications you’re using remotely. A managed password sharing feature can allow them to see selected passwords. You aren’t showing everything: you can pick what you make available. Plus, when you change your credentials, the password will change on their end, too. This doesn’t need to be permanent either. You can easily revoke password sharing.

You can also use a password manager to secure other important information. You might store things such as credit card numbers or other personal identifying information. Keeping that kind of data in an unencrypted note on your desktop or mobile device is unsafe, but you can take advantage of password manager encryption to safely store those precious details.

Secure your passwords with a manager
​
You can’t expect to remember all your unique passwords. Yet the days of writing down passwords on Post-it notes are over. Use cloud-based password management to secure your passwords and do more.

Contact our IT experts today to find out more about password management. We’re happy to suggest the best solution for your needs and set it up, too.

Call us now at (888) 234-WDIT(9348)!

Every time you’re online and a site sends a separate code to check your identity, you’re using two-factor authentication. It’s become the norm. So, of course, hackers have figured out how to get around this, too. This article shows you how they do it and how to stay safe.

With billions of usernames and passwords leaked, access credentials everywhere are at risk, especially if you are reusing your log-in information on more than one site (don’t do it!).

Business websites want to offer a secure user experience, so two-factor authentication (2FA) has become the norm. It’s meant to help stop automated attacks in which bad actors use the leaked usernames and passwords.

Still, if the site you’re visiting uses short message service (SMS) to send a one-time code to your phone, you could still be at risk.

Hackers, using information they have from a data leak, can call your telephone company. They use your name, date of birth, and other identifiers available on the Dark Web, to impersonate you. Then, say you’ve lost your phone, they transfer your phone number to a device with a different SIM card.

That means when the one-time SMS code gets sent your phone number, the message will instead go to their device.

Android Users Also Beware
On Android devices, hackers have an easier time getting access to text messages. If they have access to your leaked Google credentials, they can log into your Google Play account. From there, it’s simply a matter of installing a message-mirroring app on your smartphone.

The app synchronizes notifications across your different devices. It’s for when you really need to be connected, and you’ll be able to see your phone’s SMS alerts on your tablet!

The app won’t work unless you give it permission when prompted to do so, but too many people don’t stop to read alerts from their own accounts: they assume it’s another necessary update and go on with their day. Otherwise, the hacker might call you in a social engineering ploy pretending to be a legit service provider. They’ll be familiar to you, so you’re more likely to listen when they ask you to give permission.

Again, when the one-time SMS code gets sent to your phone, because of the message-mirroring app, the hacker's device will also receive the code.

What Can You Do to Protect Yourself?
It starts with using unique passwords for all sites you visit. Worried you’ll forget them? A password manager can keep all your access credentials in one secure place for you.

You should also confirm that your credentials haven’t been compromised. If you use Google’s password service, you can head to the password manager site and tap “check passwords” to see if there are any issues. On Firefox, head to the Firefox Monitor page and “Check for Breaches.” On Safari, click on Preferences, and then on Passwords to see what recommendations they have for your security.
Change any passwords that have been involved in a leak!

To avoid the SMS concern specifically, avoid using one-time SMS codes to verify your identity. Instead, you can use a non-SMS authentication tool such as Google authenticator, which provides two-step verification services within the app itself.
​
Need help learning if your credentials have been leaked? Or want assistance setting up more security for your online activity? We can help. Contact our IT experts today at (888) 234-WDIT(9348).

Why would someone want to target your Instagram account? You share what you ate, maybe the books you read, the shoes you bought, or that really cool image of the sky above. How is that going to help a hacker? Read on to learn more.

OK. Your obvious love of chicken and waffles isn’t going to mean a lot to a cybercriminal, not unless your password is “chicknwaffles.” But there are people who make a living from Instagram. Influencers can make millions by posting a pic of their latest smoothie or the new pair of socks they love. Their IG accounts are their business. A hacker gaining access could destroy an influencer’s reputation, their livelihood.

Businesses, too, are moving to IG as a way to reach a targeted audience with vibrant visuals. They can’t afford to have their accounts taken over by an ill-intentioned hacker. That could lead to lost customers and brand damage.

Then, there’s you, the “average” IG user. Yes, the cybercriminal might still target your Instagram account. For one, they might use your IG handle to reach out to your friends and say, “I’m stuck overseas. I need some money.” Caring friends, not knowing it’s not you, could end up a victim of a scam.

How to Protect Your Instagram Account

#1 Go Private

Instagram lets individuals, influencers, and businesses show creativity. However, you want to control who sees what you post. You may not want everyone to see your photos. Limit your content visibility to friends and family in the Instagram profile window:

• Click on the three dots in the right corner.
• Scroll to the bottom of the options.
• Turn on the Private account setting (the button should turn blue).

You can also block followers you don’t know. Click on your Followers list, and tap on the users you don’t recognize. Tap on the menu button and choose “Block User.”

#2 Disable cross-app sign-ins

Using your IG account to sign in to other applications is convenient, because you have to remember only your IG access credentials. Still, by streamlining your sign-in you are also making it easier for a hacker to compromise your accounts. Now, they can get access to one account and use that as a way into the other connected accounts.

Log in to your account and review all connected applications. You can do this by visiting the Authorized Applications tap under the Edit Profile tab.

#3 Don’t overshare

Sure, that’s the golden rule of social media. Still, we’re talking here about reviewing personal information you share on Instagram. Take a look at your profile information and review whether all those details really need to be there. A hacker could use anything specific you write in your Bio to verify your identity elsewhere. Reconsider posting your birth date, alma mater, anniversary, favorite sports team, etc.

#4 Turn off location services

Instagram’s location services can let you check in at a particular place. But by doing this, you’re giving thieves extra information they can use against you. Instead, go into your phone’s Privacy settings and turn off location services for IG.

You also don’t want to cue criminals that you’re away for a vacation with posts from the beach. You might want to share that sunny sand pic. Then, you regret it when you come home to a burgled home.

#5 Enable two-factor authentication

Of course, the starting point is to pick a strong, unique password for your Instagram account, but Instagram has added two-factor authentication for an added layer of security.

In Instagram’s mobile app you click on the Options icon at the top right to get to a menu offering this option. You will get a short link to click on. Do so, and turn on the two-factor authentication. You’ll set it up using your mobile phone. Then, in the future, you’ll have to log in with the added security of a unique code sent to your phone via text message.

#6 Review your login activity

Keep an eye out for illicit use of your account by reviewing Login Activity. This is under Settings on the desktop app and shows a list of locations from which you’ve logged in. So, if you’ve never been to Thailand, but your IG account has, that would be a red flag. If you do spot locations you don't recognize, log out from your device, and change your password.
​
Need help securing your Instagram account or other social media channels? Our helpful IT pros have the expertise you need. Contact us today at (888) 234-WDIT(9348).