Cyber-Mindful On the Road

It’s the time of year when we pack up our sunscreen and suitcases to visit exciting new locales for a brief summer respite. But when traveling, don’t forget to pack your cyber-mindfulness! If you’re taking tech on your trek:

  • Back everything up before you go
  • Update software and apps before departure
  • Enable screen locks and passwords
  • Leave devices with sensitive data at home (or remove the data)
  • Make digital copies of important documents like passports, visas and important phone numbers in case of an emergency
  • Avoid using public wi-fi and computers for sensitive transactions like banking or shopping (take this 7-question quiz to test your knowledge of public wi-fi safety)
  • Consider bringing a portable USB charging device in case your battery dies at an inconvenient time
  • Wait until you’re home to post details of your trip on social media

I don't bring my work phone on vacation. If it's an emergency, call my shell.

2FA on the Go
If you’ll be accessing UD resources while traveling, like your UD mail or Isidore, you’ll need to bring your 2FA device along for the ride. If that’s your smartphone, remember it can issue a passcode (just like a token) with no cell or wi-fi connectivity. Just open the Duo app and click the “key” icon to generate a 6-digit number you can type into the 2FA authentication screen.

Cyber-Mindful Summer Camp

In the spirit of the season, we’ll be issuing a few “campy” activities you can complete to snag swag. This month’s challenge: Send us a picture of something you encounter that’s “Cyber-Mindful Orange”.

The Phish Commish Says: Give That Email Content the Sniff Test

When it comes to the decision to “click or not click,” sometimes you have to go with your nose. This isn’t to be confused with curiosity clicking. One is prudent, the other has been fatal to felines. While administering the sniff test, ferret out hints of impropriety: is there anything “off” about the message? Are you being pressured or rushed? Is the message pandering to curiosity?

  • Is the sender asking me to click on a link or open an attachment to avoid a negative consequence or to gain something of value?
  • Is the email out of the ordinary, or does it have bad grammar or spelling errors?
  • Is the sender asking me to click a link or open an attachment that seems odd or illogical?
  • Do I have an uncomfortable gut feeling about the sender’s request to open an attachment or click a link?
  • Is the email asking me to look at pictures? Is it asking me to look at compromising or embarrassing pictures of myself or someone I know?

If you whiff even the slightest suspicious aroma, ask yourself this: What if I click? What if I DON’T click? What if I go crazy not knowing what’s behind that link? What if I just drag this faintly fusty message to the trash?

Ah, the bittersweet conundrum we call email.

Taking Control of Passwords: Password Manager Round Up

This month we tackle The Big Question: What’s the best password management tool?

Here’s a brief Lego video overview reviewing the rationale for password management:

On Keeping the Horse Before the Cart
Before we start down this long, winding road, remember - if our goal is to keep login info out of the hands of hackers, our most important defenses have little to do with password management tools. Consider the following:

  1. Is your computer/phone physically secured? Is it likely to get into the hands of a nefarious someone walking by your desk?
  2. Is your computer/phone technically secured? Have you enabled a time-based screen saver that requires your password or PIN to get back in?
  3. Is your computer/phone behaviorally secured? Are you staying cyber-mindful to protect your device from social engineering scams via phishing emails or web-based “click this” ploys?

Because, in the end, if someone gets to your device through any of those holes, no computer-based password management system can stop damage. Password management tools provide convenience and security benefits, but they’re no silver bullet.

PSA over . . . on with the show!

Option 1: Password Management Software
Despite rumbles about security risks associated with putting all your passwords into one system, experts seem to (mostly) agree that compared to the alternative of memorizing one password and re-using it everywhere, password managers are a smart call.

Over the last several months, we’ve done a lot of reading, talked with our IT security experts and experimented with (free versions of) several password management packages. We expected to find compelling differences leading to clear recommendations for all of you. But it turns out the top contenders are pretty similar. Ratings are similar, functionality is similar, ease of use is similar. . .

PC Magazine’s 2017 ratings of free and paid password managers ranked LastPass highly in both categories; we thought it worked fine, but took some time to set up and get acclimated to. We also had good luck using AgileBits’ 1Password, especially from a smartphone. You may find password management software to be more trouble than it’s worth, but here’s the bottom line from our own experience.

Password management software may be for you if:

  • You have trouble remembering passwords you need to use across several devices (work & home computers, smartphone)
  • You’re sick of coming up with new, complex passwords on your own
  • You want an easy way to change your passwords in the event an account is compromised
  • You want a way for loved ones to get into your online accounts in case of an emergency (Dashlane and LastPass both offer this option)

But you should also know:

  • For access to all those bells and whistles, you’ll likely pay $30-40/year
  • You’ll need to invest some time getting used to the software and entering the information for all your online accounts to reap the full security benefits

Option 2: Password Management From Your Browser
You’ve probably noticed your web browser asking if you’d like it to “remember” your password for a site when you log in. We’ll admit, this has always smacked of negligence. One of us has always saved passwords in her web browser and - full disclosure - done so with a heaping measure of guilt and stealth.

But - hallelujah! - it turns out saving to your browser is actually safer than we thought. The major browsers (e.g. Chrome, Firefox, Safari) know we tend towards the path of least resistance and have improved security accordingly. Saved passwords are encrypted and available for use once you log in to your computer (so you’d better have a good workstation password and screen saver enabled to protect access to those passwords!).

Additionally, many browsers now offer an additional layer of security and convenience by way of “master” or “sync” passwords. Once enabled, these may prompt you to “login” to your web browser before stored passwords are available for use (e.g. Firefox) or sync your browser passwords across different devices.

Storing passwords in your web browser may be for you if:

  • You’re not comfortable downloading, learning and configuring a whole new software program to manage your passwords
  • You don’t share your computer with a bunch of other folks
  • Your device itself is locked with a strong workstation password and screensaver

But you should also know:

  • Unlike a password manager, your browser won’t help with “password hygiene” by encouraging you to use strong passwords and avoid recycling old ones
  • Browsers lack other useful features like the ability to generate new passwords or quickly change them when needed - you’ll still have to do that manually
  • Security is just *one* part of what a browser is designed to do; security is the *only* thing a password manager is designed to do. For the more paranoid among us, that may be relevant to your decision.
  • We’ve found the Chrome “sync password” feature doesn’t play well at UD because of our campus Google Mail system; if you go this route, you may want to use Firefox or Safari as your primary browser.

Options 3 & 4: Password management from a spreadsheet or notebook
Last month we also mentioned managing passwords in an Excel spreadsheet on your hard drive or on a piece of paper. Honestly, either is fine, security-wise, so long as you’re attentive to those physical/technical security caveats (lock your computer, don’t leave the paper on your desk), though they’re likely to be less convenient overall.

Some Final Thoughts
No matter how you choose to manage your library of passwords, keep the following in mind:

Using the same password everywhere puts you at risk: A breach of your info on one site gives crooks the keys to your whole online castle. The best part of the first two options above is that you can easily manage different passwords for different services because you don’t have to remember them. For that reason alone, it’s worth taking the dive.

Protecting your primary email account is critical, mainly because that’s where sites will likely send your “forgot password” messages and other account info. So be sure to keep the password for that strong and unique.

2FA is still your best bet. If you want to secure your accounts, enable 2-factor authentication wherever it’s available. Believe us when we tell you - this recommendation comes up everywhere when we scour the interwebs for security tips, tricks and best practices. If a service you use offers a version of 2-factor, belly right on up to that bar.

Scam of the Month: Exposed Emails

Heads-up, UD - we were notified via one of the Higher Ed security listservs that over 1 billion email/password combos were exposed online recently. It’s not clear when the credentials were stolen, but they appear to be from a combination of multiple breaches and there’s a mix of old and relatively recent account information included.

There are several UD email addresses in this batch, many of them old-school @notes.udayton.edu ones. You might take a minute to visit Have I Been Pwned to see if any of your UD addresses show up in their logs.

If you find an active email address *was* compromised, change your password for any site or service for which you’ve used that address as part of your login info.

Reading Room