Online Security

The arrival of spring gives many of us the urge to refresh and renew – clearing our homes, offices and minds of any junk from the sluggish winter months. So, while you’re cleaning out those dusty wardrobes, why not tidy up your online security, too?

When it comes to managing your accounts online, think of Dashlane as your personal butler. By following a few simple data protection steps, you can enjoy convenience and simplicity without compromising trust or security. So if you’d rather spend those glorious summer months not worrying about all that, read on…

  1. Polish Your Passwords

Still typing password1234 at every security prompt? Or do you have some complicated personal system – but use it across 20 or so different logins? You can be hacked in three minutes, and with the majority of us not doing our due diligence by setting a different password for each online account, chances are you’re not secure. Create a complex code for each login using combinations of letters, cases, numbers, and special characters.

  2. Vacuum for viruses

Last week’s discovery of the “Freak” encryption vulnerability was just the latest in a long line of software flaws that might expose your data. As well as practicing solid password management, the time to invest in further security is now. Install any updates to your operating system, software and apps to protect your computer and devices from new attacks. And consider each flagged-up security breach a reminder to run a check for the latest patches.

  3. Clean out your inbox

Time to scour your system for toxic spam mail, eliminating the security fear factor as well as the frustration factor. Delete any suspicious-looking messages and obviously don’t click any links they contain or download any attached files. Set up your inbox to divert spam to your junk mailbox. Some email services – such as Google’s Gmail – can attempt to unsubscribe you from random services that clog your inbox. Unroll.me is also a great tool for cleaning up your inbox, letting you unsubscribe from emails with ease.

  4. Weed out your web browser

Your internet browser is like a dog – treat it well, train it correctly, and it’ll be your best ally out in the cyber world. All browsers will let you control and limit pop-ups, and plugins are available that watch for any rogue sites that attempt to install malware. But enabling certain features to increase convenience or functionality may, on the other hand, leave you more vulnerable to attack. So examine your settings, and choose options that meet your needs without putting you at increased risk. Dashlane adds auto-fill and auto-login for a secure extra layer of protection on site authorizations and online payments so you’re covered on all ecosystems anyway. Get ahead of the curve, now.

  5. Out with the Old

Finally, take a moment to review your security setup in general, to see if there are things you should overhaul or – like the old tins of paint you’re pointlessly keeping in the garage – discard completely. From simple things – like do you write your passwords down? Are they safe? – to adding safeguards to the online lives of those around you. And always have a backup: nominate a trusted emergency contact, colleague or friend for key online accounts should you forget or get locked out of password-protected accounts. Dashlane’s Emergency feature lets you do just that.

Get Dashlane. It's FREE.

View all posts by Tom Posted in Security | Leave a comment

Mothers Day Online Security

This weekend, millions of us will be frantically rushing out to buy flowers, chocolates, cards and more for the woman who delivered us into the world. Yes. It’s almost Mother’s Day in the UK. It’s THIS Sunday. March 15 (calm down the US, yours is May 10). But maybe you forgot? Just like maybe you’ll forget the password that lets you log in to buy her some flowers or authorise the payment? But even then, your mother is still cleaning up the mess. And it’s all down to her maiden name.

Incredibly, even now in 2015, plenty of us are still relying on our mother – and specifically, her maiden name – to help bail us out of sticky security moments online. Think about it. How many times have YOU used your mother’s maiden name as a security authentication online? Chances are you may have even done it when you ordered those Mother’s Day flowers, either to recover lost login details or complete a transaction…

But is it a reliable authentication? That depends. It’s reliably memorable to the user authenticating themselves, certainly. But as far as online security goes? It’s information that can be easily obtained online, and when that is coupled with a hacker whose computer can crack your lazy password in around 180 seconds, it’s best to ensure your online security is looked after by more than just mother. She’s done enough, don’t you think?

So, give her a break. Always use a randomly-generated, complex eight-character alphanumeric password to beef up your resilience to any breach – with a potential 218,340,105,584,896 permutations, it’ll take a computer 14 years to crack it. Apply a different password to each site you use. Change these regularly. And always store them in an encrypted format. Fortunately, you don’t need your mother: password managers can do all this hard work for you, and even better, with just a few clicks. Super secure. Super simple.
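As an added example (not Dashlane's code), the advice above can be expressed in a few lines of Python: each password is drawn from the operating system's CSPRNG, one per site, and the keyspace arithmetic reproduces the 218,340,105,584,896 figure and shows the guess rate that the 14-year estimate corresponds to. The function names and the site names are assumptions made for illustration.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 26 + 26 + 10 = 62 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits; valid only when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def implied_guess_rate(space: int, years: float) -> float:
    """Guess rate at which exhausting `space` takes exactly `years`."""
    return space / (years * SECONDS_PER_YEAR)


def generate(length: int = 8, alphabet: str = ALPHANUMERIC) -> str:
    """Draw each character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def per_site_passwords(sites, length: int = 8) -> dict:
    """One independent password per site: a leak at one site reveals nothing about the rest."""
    return {site: generate(length) for site in sites}


if __name__ == "__main__":
    space = keyspace(len(ALPHANUMERIC), 8)
    rate = implied_guess_rate(space, 14)
    print(f"{space:,} candidates, {entropy_bits(62, 8):.1f} bits")
    print(f"14 years corresponds to about {rate:,.0f} guesses per second")
    # Each extra character multiplies the work by 62 at the same rate.
    print(f"12 characters at that rate: {years_to_exhaust(keyspace(62, 12), rate):,.0f} years")
    print(per_site_passwords(["shop.example", "mail.example"]))  # constructed site names
```

The time estimate scales directly with the assumed guess rate, so the length of the password and the randomness of its generation matter more than any single quoted duration.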

Trust us: mother approves. Now get those flowers sent off…

View all posts by Tom Posted in Security | Leave a comment

UK City Password Strength

Living in the safest place in the UK has long been an accolade worth bragging about. However, what about the safest place to live “online”? Quaint little towns from the Cotswolds to the Scottish borders have won numerous awards for having the lowest crime rates, but what happens when we take our online security into account?

At Dashlane, we decided to uncover which town in the UK has the best online security in our inaugural Dashlane UK Password Watch. And what we found was rather surprising…

It turns out that when it comes to password security, the North wipes the floor with the South.

The research found that northern cities dominated the top rankings of password scores, with no southern cities even making the top 10. Derby came out on top, with Newcastle, Leeds, Manchester and Aberdeen completing the top five.

For the UK Password Watch, Dashlane analysed strictly anonymised security scores, based on intelligent algorithms, from over 17,000 of its most active users in the UK and Ireland. These scores are based on the strength and diversity of users’ online passwords and help to expose their risks of being hacked.

Oxford was the top-ranked southern town (12th), while tech hubs such as London and Bristol only received mid-table rankings – 15th and 16th respectively. When the regions of England were taken into account, the South-East and South-West were found to have the weakest passwords.

When looking at the average password strength across the home nations, Ireland and Scotland shared the honours as the nations with the best password security. Northern Ireland collected the ‘wooden spoon’, with England and Wales finishing mid-table.

Take a look at the full rankings below to see where your town placed. Does it fill you with pride to be in the UK’s online security elite? Or, does your town need to wise up to the threats online?

| Ranking | City | Password Strength Score (out of 100) |
|---|---|---|
| 1 | Derby | 60.8 |
| 2 | Newcastle Upon Tyne | 60.7 |
| 3 | Leeds | 60.6 |
| 4 | Manchester | 60.3 |
| 5 | Aberdeen | 60.3 |
| 6 | Wakefield | 60.0 |
| 7 | Sheffield | 60.0 |
| 8 | Birmingham | 59.8 |
| 9 | Swansea | 59.2 |
| 10 | Coventry | 58.8 |
| 11 | Edinburgh | 58.6 |
| 12 | Oxford | 58.3 |
| 13 | Glasgow | 58.3 |
| 14 | Stoke-on-Trent | 57.8 |
| 15 | London | 57.3 |
| 16 | Bristol | 56.2 |
| 17 | Brighton | 55.1 |
| 18 | Exeter | 55.0 |
| 19 | Cardiff | 54.8 |
| 20 | Leicester | 54.7 |
| 21 | Norwich | 54.7 |
| 22 | Liverpool | 54.3 |
| 23 | Nottingham | 54.2 |
| 24 | Bradford | 53.8 |
| 25 | Wolverhampton | 53.3 |
| 26 | Belfast | 53.3 |
| 27 | Bolton | 53.2 |
| 28 | Southampton | 52.1 |
| 29 | Wigan | 51.0 |
| 30 | Sunderland | 49.8 |

View all posts by Tom Posted in Security | Leave a comment

A major flaw in web encryption was disclosed earlier this week. Dubbed the FREAK flaw, the vulnerability has been around for more than a decade, affecting the security of your Android and Apple devices and their built-in browsers.

Here’s everything you need to know about the FREAK flaw…what it is, how it affects you, and how to protect yourself from it.

What is the FREAK flaw?

According to freakattack.com, “The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered.”

Plainly, there’s a flaw in the way your browser connects you to a site, and that flaw allows an attacker to intercept and alter communications between you and that site.
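A server operator can check their own exposure by looking for export-grade cipher suites among those a server still accepts. The following is an added example, not code from the original post or from freakattack.com: it flags export-grade suites by name in a constructed set of scan results, and the host names, sample data and function names are assumptions.

```python
import re

# Export-grade suites are recognisable by name: IANA names contain
# "_EXPORT" (TLS_RSA_EXPORT_WITH_RC4_40_MD5), OpenSSL names start
# with "EXP" (EXP-RC4-MD5).
_EXPORT_PATTERNS = (re.compile(r"_EXPORT\d*_"), re.compile(r"^EXP\d*-"))


def is_export_grade(suite: str) -> bool:
    """True if the cipher suite name denotes export-grade cryptography."""
    name = suite.strip().upper()
    return any(p.search(name) for p in _EXPORT_PATTERNS)


def audit(scan: dict) -> dict:
    """Map each host to the export-grade suites it still accepts.

    Hosts that accept none are omitted from the result.
    """
    findings = {}
    for host, suites in scan.items():
        weak = sorted(s for s in suites if is_export_grade(s))
        if weak:
            findings[host] = weak
    return findings


# Constructed scan results: host -> cipher suites the server accepted.
SAMPLE_SCAN = {
    "www.example.test": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                         "TLS_RSA_WITH_AES_256_CBC_SHA"],
    "legacy.example.test": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                            "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                            "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"],
    "mail.example.test": ["AES128-SHA", "EXP-RC4-MD5", "RC4-SHA"],
}

if __name__ == "__main__":
    for host, weak in audit(SAMPLE_SCAN).items():
        print(f"{host}: disable {', '.join(weak)}")
```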

How does it affect your Dashlane account?

In short, it doesn’t.

  • Your Dashlane account remains safe.
  • Your Master Password is safe because it is never transmitted anywhere.
  • If/when your personal data is transmitted, it is always encrypted locally with AES-256, so even if an attacker eavesdrops, they won’t be able to read your data.

Vulnerabilities and exploits are why we’ve made sure you’re the only person with the keys to your castle.

Are you at risk? 

The FREAK flaw affects more browsers than initially thought. At the time of this post, it affects around 10% of Alexa’s top 1 million domains (down from 12%). If in the last 10 years you’ve accessed a vulnerable site using a vulnerable device and public WiFi, you could be susceptible to a man-in-the-middle attack.

According to freakattack.com, here are the vulnerable browsers:

  • Internet Explorer
  • Chrome on Mac OS and Android
  • Safari on Mac OS and iOS
  • Blackberry Browser
  • Opera on Mac OS and Linux

You can also view a list of Alexa’s top 1 million domains that were affected here.

Unless you happen to be a public figure (or a government agency), it’s unlikely that an attacker spent the time and energy to attack you, personally. However, even if your perceived risk feels small, your perception may be distorted. There are a lot of unknowns that come along with a disclosure like this, so you should still take action to protect yourself.

What should you do to protect yourself?

Though an attack seems unlikely, it’s not impossible. Thus, you should take precautions to protect yourself. Here’s what you can do:

  • Change the passwords of any accounts that you’ve accessed on your mobile device. You should change them now and again after more sites and devices have been patched. Also, if you’re reusing your passwords in lots of places, well…it’s time to clean those up.
  • Remove any public WiFi connections from your devices. As nice of an option as being connected all the time is, you really shouldn’t use public WiFi to access important accounts. Even if it’s password protected, it doesn’t really matter if everyone knows the password.
  • For now, use Firefox to browse on mobile and Mac. Apple and Google are working to push fixed versions of Safari and Chrome. However, on Android devices, you’re going to have to update your operating system to get the fix, which Android users notoriously don’t do. So, make fast friends with Firefox.
  • When you’re prompted to update your operating system on your mobile device or Mac computer, do it. These next updates will include important security fixes. If it’s been a hot minute since you’ve processed any updates, know that by staying behind on your updates, you’re staying vulnerable. (…and need to use Firefox.)

View all posts by Ashley Thurston Posted in Security | 11 Comments

This week sees the annual Mobile World Congress take place in Barcelona, one of the biggest events in the global technology calendar. This year has again seen a number of exciting technologies and innovations surface in the mobile technology space, from new phones from the likes of Microsoft and Sony to Google announcing a new wireless surface.

Another area which has been ripe with announcements is the security sector. Notably, Fujitsu has announced that it has managed to create a smart eye tracking device that can recognize each user’s unique iris, taking biometric authentication a step further than the current de-facto touch IDs we find on many of our devices. This latest take on biometric authentication will require the appropriate hardware to run, so don’t expect to see it on your smartphone any time soon. However, the real question is this: what are the pros and cons of biometric authentication?

There are traditionally three classes of authentication factor: knowledge of a piece of information (passwords, PINs, or secret questions); ownership of a physical device (tokens, cards); and an inherited physical characteristic (iris signature or fingerprints).

Enterprise or government systems that store highly sensitive information often combine two or three factors from these three classes. For convenience, most consumer websites rely on single-factor authentication based on login details and passwords.

Biometrics’ main advantage is that they can solve both identification (assessing your identity) and authentication (confirming your right to access something). On paper, biometrics is a great way to prevent identity theft and various kinds of fraud. The argument goes like this: “My credit card number and passwords can be stolen, but not my fingerprints.”

The problem, however, is that this premise has already been broken. Biometric authentication can be hacked, as can any other form of authentication. Last year, hackers from the Chaos Computer Club managed to reproduce fingerprints of the German Defense Minister from high-resolution public photos, and they know how to use them on consumer phones’ biometric sensors. On the lighter side, there have even been reported cases of “Sleep-Jacking”, when someone opens a person’s device using their touch ID by placing the device on the sleeping person’s authorized finger.

Unlike passwords, biometric data that has been stolen cannot be changed: you cannot replace your stolen fingerprints with a new set. Even worse, if all your accounts were protected by the same stolen biometric information, they would all become vulnerable at once. Biometric authentication has other major limitations: it cannot be shared and it cannot be made anonymous. Sharing login data or using it anonymously is something increasing numbers of internet users do.

This is not to say that biometric authentication cannot be useful. As an additional layer of authentication, biometrics can provide useful extra security, particularly for especially sensitive services such as our bank accounts. However, using strong passwords as the main foundation will build a stronger defence against breaches, for the following reasons:

  • Passwords can be stolen, but if you use one unique password per website, the damage does not spread to other sites, as opposed to unique biometric data which is by definition the same everywhere.
  • Passwords can be shared, which is a necessity within groups of people such as families and work teams. Think about the Netflix account at home or the corporate Twitter account in a company. You cannot share your fingers or your eyes with someone else.
  • They preserve a kind of anonymity, a key attribute of the internet. Think about Twitter without anonymity.

Of course, an effective password management strategy (unique, randomly-generated passwords) is tough to apply given the number of different accounts we now use on a daily basis. This is why many of us now use password managers like Dashlane to solve this problem effectively and with more ease than trying to do it ourselves. Biometrics as a technology is a fantastic innovation with many useful applications. However, in its current guise, a password-killer it is not.

Want to get the low-down on some of the other latest developments in the security world? Check out our new Medium page here.

View all posts by Tom Posted in Features, Mobile, Security | Comments Off