NEW YORK – Last April researchers discovered the Heartbleed security bug. Dubbed “the most dangerous security flaw on the web”, it affected over 500,000 websites and dominated national news for weeks.

One year later, a new Dashlane study finds that an alarming 86% of Americans have not heard of Heartbleed.

Concerned by the growing frequency of hacks, breaches and other online security vulnerabilities, Dashlane commissioned the study (conducted on their behalf by Harris Poll in March 2015 among over 2,000 US adults ages 18+) to gauge public awareness and knowledge about online privacy, security and protection. Other notable findings include:

  • 65% – Believe the Obama administration has done LESS than corporations to protect them from hackers, breaches, and online security threats in the year following the Heartbleed bug.
  • 43% – Would rather have explicit photos/videos of themselves leaked than have hackers steal $1,000 from their bank account.
  • 32% – Chose themselves (more than anyone else) when asked which organization or person(s) they expected to do the best job protecting their interests from hackers, breaches and online security threats.
  • 1% – Chose their private email as the personal information they are most concerned with online hackers stealing, despite email being an easy front door to valuable and exploitable personal information.

Emmanuel Schalit, Dashlane CEO, states:

That almost 9 out of 10 people have never heard of the most dangerous security flaw of the past year is mind-blowing. Much work remains in educating the public about the dangers that exist online. Attacks such as Heartbleed are becoming more commonplace, and larger in scale, and it’s critical that everyone is aware and educated about the threats as they affect all of us.

Expert Video:  http://youtu.be/MEaX2tjUxQE

Full report + methodology and infographic: Dashlane.com/heartbleed

Experts Weigh In

As part of its Heartbleed Study, Dashlane assembled a team of experts from the realms of business, advocacy and academia to provide the public with an assessment of the fallout from Heartbleed, as well as analyze the online security and privacy challenges that lie ahead. Their responses were compiled into a video that can be accessed via the link above. The team included:


  • Nuala O’Connor – CEO & President, Center for Democracy & Technology
  • Catherine Lotrionte – Director, Georgetown University Cyber Project
  • Todd Simpson – CSO, AVG Technologies
  • Sunday Yokubaitis – President, Golden Frog

Mr. Simpson explained, “Very few people registered Heartbleed as affecting their daily Internet lives”, a statement echoed by Professor Lotrionte who said, “The average citizen is not especially worried unless there is a tangible threat they can understand.”

Sunday Yokubaitis compared some Americans to teenagers when it comes to online security and privacy as, “They want to get on the motorcycle, go fast and completely ignore security for the sake of convenience and speed.” Nuala O’Connor, a recent participant in President Obama’s Cybersecurity Summit, stated, “We’ve just seen the tip of the iceberg in terms of securing our digital lives, reputation and security.”


The experts were in agreement that the biggest online security challenge is public education. All believed that a massive public education program, rivaling or exceeding that of the anti-smoking campaigns, is needed to generate the scale of awareness necessary to change behaviors.

An example of this is the public’s lack of understanding of the risks associated with their email. Nearly 3 out of 4 Americans (72%) in the Dashlane study said they were more afraid of hackers getting access to their Social Security Number or bank account than to their private email (1%). This sentiment was reflected in Dashlane’s own internal data: users changed 63 times more passwords on banking and finance websites in the month following Heartbleed than they did for email.

In fact, of the 14 websites that experienced the highest percentage of changed passwords following Heartbleed, 11 were related to banking, finance and payments. Yet most people fail to realize that email is even more critical, as it is the gateway hackers use to steal exploitable information – a situation that played out during the Sony hack.

The study also asked consumers who they expect to best protect them from online threats, and nearly 1/3 (32%) of Americans chose themselves. Schalit believes this self-reliance shows that some consumers have the right intuition, but believes this figure should be even higher.

“Everyone in the digital world needs to know that they are their own first line of defense when it comes to online security. There is, without a doubt, a role for governments and technology companies to play in making the online world safer for everyone, but the benefits these organizations can provide are marginal if the average citizen is not educated about the threats that exist and the actions they should take.”

Methodology

This survey was conducted online within the United States by Harris Poll on behalf of Dashlane from March 10-12, 2015 among 2,014 adults ages 18 and older. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables, please contact Ryan Merchant (Ryan@Dashlane.com).

About Dashlane

Dashlane makes identity and payments simple with its password manager and secure digital wallet app. Dashlane allows its users to securely manage passwords, credit cards, IDs, and other important information via advanced encryption and local storage. Dashlane has helped over 3 million users manage and secure their digital identity, and has enabled over $2.6 billion in e-commerce transactions. The app is available on PC, Mac, Android and iOS, and has won critical acclaim by top publications including The Wall Street Journal, The New York Times and USA Today. Dashlane is free to use on one device and Dashlane Premium costs $39.99/year to sync between an unlimited number of devices. Dashlane was founded by Bernard Liautaud and co-founders Alexis Fogel, Guillaume Maron and Jean Guillou. The company has offices in New York City and Paris, and has received $30 million in funding from Rho Ventures, FirstMark Capital and Bessemer Venture Partners. Learn more at Dashlane.com.


Want to know why your “random” password might just be w0rthle$$ ru66i5H?

Password Mistakes

Think that your cleverly twisted password is keeping your data safe and secure? You might need to think again. A huge investigation into over 15 million passwords, published this week, has revealed that not only are the vast majority of people using the same tricks – but that hackers already know these tricks inside out.

Carried out by hosting platform WP Engine, their investigation analyzed passwords from two major sources. The first was login details for five million email accounts, mostly consisting of Gmail, leaked on a Russian bitcoin forum in September. The second was a list of 10 million leaked user names and passwords – most of them no longer active – collected by security consultant Mark Burnett as a project to improve security. The result? Some fascinating insights into the password habits of 15 million people – from CEOs to scientists. And some lessons we can all learn…

  1. Don’t let your fingers do the talking

The biggest revelation was that people were using the same seemingly random strings of characters, which suggested those passwords weren’t random at all. For example: “qaz2ws” or “adgjmptw”. Both may appear secure, but they are actually among the most commonly used passwords – which means they’re not safe at all. WP Engine analysts found that the first is from the two leading diagonal columns on a keyboard. Adgjmptw, meanwhile, is the 20th most common keyboard pattern found – and it is produced by pushing the numbers 2 through to 9 on an alphanumeric keypad. So beware: password crackers such as Passpat use keyboard layouts and clever algorithms to measure the likelihood that a password is made from a keyboard pattern. You can see examples of these here.

  2. Avoid the number 1

Adding a number or two at the end of a text phrase may be the easy option – but it is also by far the most common trick and, because it is easily broken by malicious bots and brute-force attacks, totally insecure. Analysts found that almost half a million passwords did this – and in 20 per cent of those, all people did was put the numeral “1” at the end.

  3. Keep it random – stay away from a “base phrase”

Passwords which are alphanumeric and use case-sensitive characters certainly make for a stronger code; however, a password requires one more thing for it to be at its most secure… it needs to be RANDOM.

Analysts found that even supposedly sophisticated passwords which used common phrases – for example changing the word “password”, the base phrase, to Pa55w0rd – were still relatively easy for purpose-built password-breaking software to guess. Software like HashCat, for instance, can take 300,000 guesses at your password a second, starting with the most probable ones. Even passwords using a combination of upper and lower case letters and numbers will be vulnerable to attacks like this if they are not randomly generated.

  4. Don’t show your love

WP Engine found that people born in the 1980s and 1990s were more likely to use the word “love” in a password – analysts found it 40,000 separate times in the 10 million passwords and a lot in the 5 million Gmail credentials too. Notably, women used it twice as much as men. Although happily – if not securely – “iloveyou” appeared ten times as often as “iloveme”.

  5. Build your entropy

In simple terms, the more entropy a password has, the more difficult it is to guess or crack. Entropy increases the longer you make your password and the greater the variety of characters you include. Analysts found that the average Gmail password was just eight characters long, with an entropy score of only 21.6 out of 100 – a score of over 60 is deemed sufficient to deter hackers or password-cracking software – so most of us clearly have a way to go before we can say our passwords are up to scratch.
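To make lessons 1, 2, 3 and 5 concrete, here is an added example (not WP Engine’s or Dashlane’s code) of a strength check that flags keyboard patterns such as qaz2ws and adgjmptw, a base phrase dressed up as Pa55w0rd, and digits tacked on the end, then estimates entropy from length and character variety. The keyboard rows, substitution table, base-phrase list and entropy formula are assumptions of this example; the score it produces is not WP Engine’s 0–100 scale.

```javascript
// Added example, not WP Engine's or Dashlane's code: flags the habits the post
// describes (keyboard patterns, a dressed-up base phrase, digits tacked on the end)
// and gives a charset-based entropy estimate. Key rows, substitution table and
// base-phrase list are constructed and small; row stagger is ignored (q-a-z = one column).
const QWERTY_ROWS = ['1234567890', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm'];
const KEYPAD_LETTERS = 'adgjmptw'; // first letter on keys 2..9 of a phone keypad
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's' };
const BASE_PHRASES = new Set(['password', 'iloveyou', 'welcome', 'letmein']);
const KEY_POS = Object.fromEntries(QWERTY_ROWS.flatMap((row, r) => [...row].map((ch, c) => [ch, [r, c]])));

// Neighbouring keys touch horizontally, vertically or diagonally (a repeated key counts too).
function adjacentKeys(a, b) {
  const p = KEY_POS[a], q = KEY_POS[b];
  return Boolean(p && q) && Math.abs(p[0] - q[0]) <= 1 && Math.abs(p[1] - q[1]) <= 1;
}

// True for a keypad sequence or a password made only of runs of neighbouring keys
// at least three long: "qaz2ws" is two such runs, "qwerty" is one.
function isKeyboardPattern(pw) {
  const s = pw.toLowerCase();
  if (s.length < 3) return false;
  if (KEYPAD_LETTERS.includes(s)) return true;
  let run = 1;
  for (let i = 1; i <= s.length; i++) {
    if (i < s.length && adjacentKeys(s[i - 1], s[i])) { run++; continue; }
    if (run < 3) return false;
    run = 1;
  }
  return true;
}

// Digits appended to a non-numeric prefix ("summer1" -> "1"); '' when there are none.
function trailingDigits(pw) {
  const m = /^.*\D(\d+)$/.exec(pw);
  return m ? m[1] : '';
}

// Undo common substitutions and drop a trailing number so "Pa55w0rd1" is recognised
// as the base phrase "password"; null when nothing in the list matches.
function basePhrase(pw) {
  const core = pw.slice(0, pw.length - trailingDigits(pw).length).toLowerCase();
  const normalised = [...core].map((ch) => LEET[ch] || ch).join('');
  return BASE_PHRASES.has(normalised) ? normalised : null;
}

// length x log2(size of the character classes used), to 0.1 bit. Same length-and-
// variety idea as the post, but not WP Engine's 0-100 score.
function entropyBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/\d/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33;
  return pool ? Math.round(pw.length * Math.log2(pool) * 10) / 10 : 0;
}

// A detected pattern overrides the entropy figure: crackers try patterns first,
// so "Pa55w0rd" is weak despite a respectable-looking 47.6 bits.
function checkPassword(pw) {
  const report = { keyboardPattern: isKeyboardPattern(pw), trailingDigits: trailingDigits(pw),
    basePhrase: basePhrase(pw), entropyBits: entropyBits(pw) };
  report.weak = report.keyboardPattern || report.basePhrase !== null || report.entropyBits < 60;
  return report;
}

['qaz2ws', 'adgjmptw', 'Pa55w0rd1', 'summer1', 'xK9#vT2q!mLp4wZs'].forEach((pw) => console.log(pw, checkPassword(pw)));
```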


A new report from the UK government has revealed that when it comes to cyber insurance for cybercrime and attacks, a staggering 98% of British firms aren’t covered. And 22% of SMEs admit they “don’t know where to start” with online security. And even something as simple as password management has them scratching their heads.

Cyber Insurance

The report – available in full here – was commissioned by the UK’s own Cabinet Office, and draws attention to the chaos and damage that can result from cyber-attacks. Whether these are state-sponsored, from private enterprise or even hacktivists, these damages can include:

  • Theft of intellectual property (IP)
  • Business disruption
  • Data and software deletion / destruction
  • Direct financial loss through extortion / theft
  • Reputational loss
  • Investigation and response costs ranging from £65k ($97k) to £1.15m ($1.72m) for serious breaches

In 2014 alone, 81% of large businesses and 60% of small businesses suffered a security breach. In the separate World Economic Forum Global Risks 2015 report, cyber-attacks rank above even natural catastrophes and state collapse – and only marginally below weapons of mass destruction – as a major risk in terms of likelihood and impact. Here’s the graph in question for reference.

The message is clear: cyber-attacks are a real global threat to business, whatever the size of the company, be it a world-conquering conglomerate or a start-up. And while even the most technophobic CEOs will likely be looking to clarify whether the correct cyber insurance is in place for such attacks, businesses must ensure other safeguards are put in place as well. For example, implementing a sound password policy will considerably help shore up defenses against this escalating global risk.

To simplify this, think of your business as a car. You insure that car against risks. But that doesn’t stop you physically locking and unlocking it with a key. Your passwords ARE that key. Making these as difficult as possible to crack could spare you from ever making that call to the cyber insurance claims team.

Get started now. Check out our 5 Steps To Spring Clean Your Security post and stay tuned for more advice on how to keep your company safe. And why not tell us whether you think you’re covered for cyber insurance at @Dashlane.



What comes to your mind when you think of our military grade encryption? Hopefully you feel assured that it means your personal data and passwords are safe, secure and sophisticatedly scrambled – which it is – but do you actually know what it means?

Our guess is many of you might be a bit unsure of the facts, so we thought we’d break it down in today’s blog post so you know exactly how your data is being protected. Sound good?

Dashlane Explains Military Grade Encryption

Let’s start with the basics…What’s encryption?

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. It transforms the data you send across the internet into a format that is readable only by someone in possession of the decryption key – the secret that lets the encryption be undone.

What’s this encryption key and how does it keep my data safe?

Think of sending a letter to someone in a secret language which needs a special dictionary to translate it. The secret language would be the encryption and the dictionary would be the decryption key. Only when someone has both can they then read that message. Providing of course that the secret language is sophisticated enough to not be broken without the key. Make sense?

Got it. So what makes your encryption “military grade”? What does that mean?

Military grade encryption refers to what’s called AES-256 encryption. Short for Advanced Encryption Standard, AES was the first publicly accessible and open cipher approved by the National Security Agency (NSA) to protect information at a “Top Secret” level. It is now widely accepted as the strongest encryption there is – and is used by governments, militaries, banks and other organizations across the world to protect sensitive data.

How does it work?

Remember we mentioned that the “secret language” needs to be complicated so it is tough to crack? Well, AES is just that. It is based on a system of encoding called the Rijndael cipher, developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. In simple terms, it divides your data into blocks of 128 bits each, and then uses the encryption key – made up of 256 bits – to scramble them beyond all recognition using 14 rounds of encryption.

How complex is the key?

The number of possible keys this 256-bit system allows is 2 to the power 256 – that’s a number that is 78 digits long. And to use AES, both the sender and the receiver must know and use the same secret 256-bit key. In Dashlane’s case, that is derived from your Master Password.

What do you mean, “derived”?

Dashlane uses another layer of protection – a method called PBKDF2 (Password-Based Key Derivation Function 2). This takes your password, combines it with random data – known as a salt – and then hashes the result many times over to produce a cryptographic key. The salt means two people with the same password end up with different keys, and the repeated hashing makes every guess at a Master Password slow and expensive.

Has AES ever been cracked?

No. A Microsoft research paper published in 2011 suggested that it was theoretically possible to recover an AES key using a technique called a biclique attack. But even breaking a 128-bit key (far less complex than Dashlane’s 256-bit system) would take billions of years with current computing power – and require storing about 38 trillion terabytes of data, which is more than all the data on all the computers on the planet.

So my data and passwords are safe with Dashlane?

There is no record of the 256-bit key or your Master password anywhere in the universe – not on your device, never on our servers and never transmitted on the web. If your data is intercepted, the encryption means that no-one will be able to decipher it.

Has our post helped you understand the complex world of encryption? What other areas of the Cyber Security world would you like us to delve into and deliver the facts?

Tweet us @dashlane with the hashtag #simplifysecurity.



Yesterday at the 2015 South By Southwest Interactive Exhibition, Yahoo announced a new “on-demand” feature which sends a one-time password each time you need to log in to your email account.

Yahoo Password

The idea is similar to other methods of email or text authentication; however it tries to remove the other point of authentication that tends to go with this system – most commonly a password. We were curious as to how the system actually worked, so we decided to try it out…Here’s what we found out.

It’s great that Yahoo are looking into ways to increase security to an email account, however we feel there is a long way to go until this replaces passwords.

First off, when you register for the service you will still require your original password for your account. Once you provide your phone number you will then receive an initial verification code to allow you to access your email through individual passwords sent to your phone on each occasion.

So, now you can forget your password, right? Wrong. Think about what happens when you have no mobile network signal, or your phone runs out of battery. In these cases you will still need your password, or you will have to have Yahoo send a temporary password to another email address, which you will need to log into using that account’s password. Furthermore, if you choose to change your phone number, the likelihood is you will need to go through a tedious process to prove you are who you say you are, creating further friction.

Some users may also have mobile plans which involve costs when receiving text messages, effectively meaning that you have to pay each time you access your email. Yahoo may themselves have cost issues when sending messages through networks outside the US, where the feature is currently being trialled.

Besides these time and cost issues, there is another security concern. While this system does a good job of creating random passwords specific to your account, what happens if someone manages to hack your phone? Providing they can access your phone, they will be able to access your email, as they can simply request a code be sent to the phone the next time they want to log in. Even if the user has other security in place on their phone, it’s common for text messages to be displayed as notifications even when the phone is locked, so anyone who sees this can then access your email. Leaving your phone on the table at work or at lunch could now have repercussions…

Overall, this poses a great security threat to an account which is of great importance to your overall online security, because if and when it is cracked, hackers will have the potential to open up large parts of your digital identity through your email. In fact, even Dylan Casey, Yahoo’s vice president of product management, says himself that while on-demand passwords are designed as a convenience, they are not for everyone. Eventually, he said, Yahoo will be introducing authentication methods that are more secure than SMS, so he admits there is work to be done.

Services like Yahoo on-demand passwords show great progress in authentication methods and that’s good news. However don’t forget that most of these forms of authentication still rely heavily on passwords at various points. So, we still need to keep our passwords safe, even if we choose to use a feature that enables us not to use them every day. If you truly want to be able to forget your passwords, a password manager like Dashlane is still the only viable solution.

Want to get the low-down on some of the other latest developments in the security world? Check out our new Medium page here.

