Category: Security

Results of one of the largest password re-use studies ever

Last month a Turkish student Ata Hakçıl studying computer engineering at the University of Cyprus did one of the largest password re-use studies ever. He analyzed more than 1 billion-plus leaked credentials from data breaches at various companies. These data dumps have been around for several years, and have been piling up as new companies are getting hacked.

Out of the 1 Billion credentials, 168,919,919 were passwords. The most common password 123456 was spotted 7 million times per billion credentials. The average password length was 9.5 characters and 87.96% of passwords didn’t contain special characters. And 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Cool Stats

  • From 1.000.000.000+ lines of dumps, 257.669.588 were filtered as either corrupt data(gibberish in improper format) or test accounts.
  • 1 Billion credentials boil down to 168.919.919 passwords, and 393.386.953 usernames.
  • Most common password is 123456. It covers roughly 0.722% of all the passwords. (Around 7 million times per billion)
  • Most common 1000 passwords cover 6.607% of all the passwords.
  • With most common 1 million passwords, hit-rate is at 36.28%, and with most common 10 million passwords hit rate is at 54.00%.
  • Average password length is 9.4822 characters.
  • 12.04% of passwords contain special characters.
  • 28.79% of passwords are letters only.
  • 26.16% of passwords are lowercase only.
  • 13.37% of passwords are numbers only.
  • 34.41% of all passwords end with digits, but only 4.522% of all passwords start with digits.

Here’s my takeaway from this:

  1. Massive amounts of people need to start using a password manager. This would allow for longer and more complex passwords and eliminate the need to re-use them.
  2. Only 12.89% of passwords contain special characters and only 4.52% of passwords start with a digit. So pick a password that starts with a number and includes special characters to avoid brute forcers.

If you’re not using a password manager then get started now. I’m using is Bitwarden. Bitwarden is open source, simple to use and best of all it’s FREE.

If you would like to see if any of your passwords have been breached you can check them at HaveIBenPwned.

How Rob lost control of his bank accounts to a phone scammer

I’ve been following Rob’s blog for several years. I enjoy reading what he writes about. He is also the developer of a couple of Mac apps that I use.

I felt bad for Rob after reading his blog post about how he had recently lost control of his bank accounts to a phone scammer. His story is well worth reading. It may save you from falling for the same or similar phone scams.

How I lost control of our bank accounts to a phone scammer | The Robservatory

Holiday Sale: Save 50% on all Enpass password manager plans

This is directed at those of you who are in the market for a password manager. I’ve been using Enpass for several months and am very happy with it.

I’ll mention that Enpass moved to subscription a few weeks ago but they also have a lifetime license and with the sale you, can get a lifetime license for just $24.99.

A special deal for the Holidays: 50% off on all Enpass plans

Enpass will be on sale with a discount of 50% on all app stores – while you can get a lifetime license for only $24.99, you can also get an Enpass Premium subscription starting for as low as $0.49 per month. And, of course, the full-featured desktop versions of Enpass – macOS, Windows, Linux – are completely free.

Note that this is a limited time offer, starting from December 24, 2019 and valid till January 2, 2020. So, don’t wait and unlock the full version of Enpass at this special discounted price. Spread the word to help your friends and family members get started with safe and secure password management.

My choice for a Safari 13 content blocker on Mac

With Safari 13 my favorite Mac ad and tracker blocker uBlock Origin, along with a few other extensions, no longer work. Because of this, I have switched to Firefox as my main browser. That said there will still be times when I will want to use Safari and will want an ad and tracker blocker.

I tried Ghostery Lite but I had two issues with it. It doesn’t block YouTube ads and I didn’t like the way it handles space left behind by blocked ads.

For now, I’ve settled on Wipr. Wipr blocks all ads, trackers, cryptocurrency miners, EU cookie and GDPR notices, and other annoyances. I also switched to Wipr for Safari on my iPhone and iPad in place of BlockBear. BlockerBear was working fine but for consistency, I switched to Wipr.

Day One encryption

I have been using Day One for going on three years now. One concern I’ve had is that journals by default are encrypted but with Day One holding the encryption key. This means that someone at Day One might be able to access my journals. Journals with Standard encryption are also exposed to a data breach or security glitch. This has caused me to limit what I write in them.

Now, after reading Shawn Blanc’s ”Best Journaling App for iPhone, iPad, and Mac” on The Sweet Setup I’ve taken his advice and enabled End-to-end encryption for all my journals.

Shawn Blanc:

End-to-end encryption is not turned on by default for providing the best type of security for your journal entries, as users must maintain their encryption key at all times to unlock journals if necessary. As Day One’s FAQ puts it:

When using end-to-end encryption, it is essential you save your encryption key in a secure location. If you lose your key, you will not be able to decrypt the journal data stored in the Day One Cloud. You’ll need to restore your data from an unencrypted locally-stored backup.

We recommend turning on end-to-end encryption whenever you create a new journal to ensure your data is always kept safe and secure. Save your encryption key in an app like 1Password or a locked note inside Notes.app and never lose the key.

Now no one has access to my journals without the encryption key. I keep it in 1Password.

Watch out for Apple Phone Phishing Scams

Security researcher Brian Krebs on his Krebs on Security blog recently outlined one of the latest phishing scams he’s seen, where an incoming phone call appears to be from a legitimate Apple support line. I’m writing about this to make you aware so that you don’t fall for the scam. Please take the time to read the blog post so that you know how the scam works.

Brian Krebs, writing for Krebs on Security Apple Phone Phishing Scams Getting Better — Krebs on Security

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that display’s Apple’s logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s “recent calls” list as a previous call from the legitimate Apple Support line.

Jody Westby is the CEO of Global Cyber Risk LLC, a security consulting firm based in Washington, D.C. Westby said earlier today she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised (the same scammers had called her at 4:34 p.m. the day before, but she didn’t answer that call). The message said she needed to call a 1-866 number before doing anything else with her phone.

Apple support also offers a document on how to Avoid phishing emails, fake ‘virus’ alerts, phony support calls, and other scams – Apple Support

Web Finds for October 2, 2018

Web Finds are from my web surfing travels. You’ll find some unique and informative news, apps and websites that you may have never known existed. Enjoy!

Apple, Firefox tools aim to thwart Facebook, Google tracking
New protections in Apple’s Safari and Mozilla’s Firefox browsers aim to prevent companies from turning “cookie” data files used to store sign-in details and preferences into broader trackers that take note of what you read, watch and research on other sites.
Via AP News

National Cybersecurity Awareness Month: Cybersecurity at Home | US-CERT
October is National Cybersecurity Awareness Month (NCSAM), an annual campaign to raise awareness about cybersecurity. The National Cyber Security Alliance (NCSA) has published general tips to help you increase your cybersecurity awareness—including whom to contact if you are the victim of cyber crime—and protect your online activities.

NCCIC encourages users and administrators to review NCSA’s guidance for online safety basicsand the NCCIC Tip on Avoiding Social Engineering and Phishing Attacks for additional information.
Via US-Cert

How to Delete Your Facebook Account: A Checklist
Here’s a guide on how to delete your Facebook account.
Via lifehacker

Previous Web Finds are here.

Facebook gets hacked again. 50 Million users personal information put at risk.

I’m sure you’ve already read or heard about the latest Facebook hack involving the personal information of at least 50 million users. The hack was revealed in a Facebook blog post yesterday. If you haven’t here are the details.

Mike Isaac and Sheera Frenkel, writing for the New York Times

Facebook, already facing scrutiny over how it handles the private information of its users, said on Friday that an attack on its computer network had exposed the personal information of nearly 50 million users.

According to TechCrunch, Instagram and other third-party sites that use Facebook Login may not be out of the woods either.

In a follow-up call on Friday’s revelation that Facebook has suffered a security breach affecting at least 50 million accounts, the company clarified that Instagram users were not out of the woods — nor were any other third-party services that utilized Facebook Login. Facebook Login is the tool that allows users to sign in with a Facebook account instead of traditional login credentials and many users choose it as a convenient way to sign into a variety of apps and services.

As I’ve written before, now is a good time to delete your Facebook account. Between getting hacked and selling your personal data for advertising purposes Zuckerberg and his gang just can’t be trusted.

Facebook is using your 2FA phone number to target you with ads

Facebook has stooped to the lowest possible level. TechCrunch has exposed the fact that Facebook is using 2FA phone numbers to target users with ads. Zuckerberg and his gang are taking the number users are using to additionally secure their accounts and using it for ad targeting.

Some months ago Facebook did say that users who were getting spammed with Facebook notifications to the number they provided for 2FA was a bug. “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications,” Facebook then-CSO Alex Stamos wrote in a blog post at the time.

I guess the bug wasn’t a bug after all. Just another Facebook lie.

Facebook has confirmed it does in fact use phone numbers that users provided it for security purposes to also target them with ads.

Specifically a phone number handed over for two factor authentication (2FA) — a security technique that adds a second layer of authentication to help keep accounts secure.

Here’s the statement, attributed to a Facebook spokesperson: “We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

If you haven’t deleted your Facebook account yet now would be a good time to do so.