password Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘password’

Don’t Make Me Change My Passwords!

Friday, October 27th, 2017

2017 NIST changes affect the need to require periodic password changes…yay!

Think you know how to protect yourself from phishing? Think again.

Wednesday, March 22nd, 2017

This year kicked off with a sophisticated phishing scam that fooled users and cybersecurity experts alike. Users were giving away their passwords to scammers through a seemingly legit Gmail login page. The scam had all the markers of a legitimate email, including the appearance that it was sent from a known sender.

There are many articles out there about the warning signs of phishing scams. We know the rules: don’t click on URLs you don’t know, beware of emails that sound urgent or feel pressuring, etc. The reality is that many of these tips aimed at protecting against phishing attacks would not have worked in the case of the Gmail attack.

Gmail’s spam filters already capture many emails that display common signs of scamming (formal language, unknown senders, etc.). However, phishing scammers and hackers, in general, are becoming more sophisticated in their techniques. A greater understanding of security will help you keep up with hackers in 2017. Here we’ll dive into the details of what made the Gmail scam so unique and address some sophisticated phishing scam avoidance tips you can start trying out today.

12 Email Security Tips to Protect You in 2015

Tuesday, December 30th, 2014

2014 has been a year of public security awakening … high profile breaches, extensive and terrible vulnerabilities in pervasively used software, and a fear and awareness of eavesdropping by governments and covert organizations.

2015 is poised to continue the trend.  Security has transformed from being something you take care of by buying a product and forgetting about it, to an escalating war with security professionals constantly parrying against increasingly sophisticated attacks.  More and more the burden is being placed on individuals and small businesses to have an awareness of the security landscape, to understand the risks of online activities, and to use common sense and evolving tools to protect themselves.

As 2014 winds to a close, here are 12 things that you can be doing to proactively protect your email accounts and identity in 2015:  

10 Steps to make your email more secure

Monday, August 11th, 2014

Your email is the doorway into your life.  For most people, it interfaces with almost everything that you do.  Even the passwords to the myriad of web sites that you use for everything from meet ups to banking can often be reset via access to your email.  The integrity, privacy, and security of email is high on the minds of everyone these days, even folks who historically had little or no insight into how anything works, technically, and didn’t really want to know.  Everyone is wary.

There is good reason for this: data breaches and password theft are happening every day, they show up in pop culture (Last Comic Standing) and in the news left and right … such as the purported case of 1.2 billion passwords being stolen recently.

What steps can you take to bolster the security of your email?

Simplicity is: logging in without a username or password

Monday, July 28th, 2014

“I really like what I can do in the web interface, but having to enter my username and password to login each time is extra work.”

We’ve seen the above comment many times.  Identity verification, as everyone who has not been lost on a desert island for 10 years knows, is really, really important these days.  But like many aspects of security, it can be rather annoying.

On the bright side, there are a number of ways to get around this step and make the login process simpler without necessarily making your account less secure.  Here is how we have helped many customers simplify their Internet life.

LuxSci Tips and Tricks to Dazzle your Coworkers and Friends

Wednesday, August 14th, 2013

Or, Cool Things We Like: this is the blog post we have written for the winning suggestion in our blog contest.

There are many cool and interesting features of LuxSci that can help you improve workflow, get things done, and accomplish tasks not easily done elsewhere.  Some of these are not well known.  Below, we present a brief overview of some of these tricks and features we at LuxSci most like and use.  We hope some of them make your life easier, too!

Securing WordPress. Protect your Site or Blog from Escalating Attacks!

Thursday, July 11th, 2013

For a deep dive, see our white paper: Securing WordPress

WordPress is used by about 15% of the top 1 million web sites on the web and manages about 22% of all web sites as of August 2011.  It has only been growing since then.  Indeed, a large fraction of our hosting clients use WordPress, as does LuxSci for many different applications (e.g. blog, server status, video blog, etc.).

Unfortunately, WordPress has a history of being attacked, having significant security vulnerabilities, and being a source of security pain for web site administrators.

Things have gotten markedly worse recently:

  1. Botnet Attack:  WordPress sites all across the Internet are being attacked by a botnet that is attempting to guess administrative and user credentials by brute force.  This is compromising sites and causing significant load on web hosting servers.  This attack is “light” now, but is expected to get only worse, says CloudFlare, a cloud security firm. Indeed, LuxSci.com sees these attacks constantly on all WordPress sites that we host. We have measures in place to auto-block IP addresses that appear to be attacking WordPress sites; however, as the attack is coming from more than 90,000 different, unrelated IP addresses, they are hard to block outside of WordPress itself (see below for how to block them). These attacks are going after “wp-login.php”, the user name “admin”, and the most common 1000 or so passwords.  Besides that, the sheer burden of the massive, if simple, attack is straining web hosting servers across providers.
  2. Vulnerabilities: Most problems with compromised WordPress sites arise due to vulnerabilities in the WordPress software or installed plugins.  Vulnerabilities are continuously found and corrected, and new versions of the software released.  However, the vast majority of WordPress sites do not update their software, or seldom update. Attackers trawl the Internet looking for outdated WordPress installs and then attack them with known vulnerabilities to gain control over these sites.  With more and more WordPress sites out there, there are more and more sites that are not keeping abreast of security updates.  They are ripe for the picking.

In this article, we discuss the best practices for securing your WordPress site.  WordPress is a great tool if used properly.

Revised Password Strength Criteria and Requirements

Tuesday, June 18th, 2013

LuxSci allows customers to choose a minimum level of password strength for their users, that is applied when users are created and when they change their passwords.  We have made several improvements to this process to help users choose more secure passwords:

  1. Symbols: Good passwords used to require the inclusion of both letters and numbers.  This has been relaxed and made more secure by now allowing the use of “numbers or symbols”.  E.g. passwords with symbols (like “$” or “%”) and/or spaces can be used even if there are no numbers involved.  This is actually more secure.
  2. More Characters: Customers can set the minimum number of characters in their user passwords.  Previously the largest minimum you could choose was 8 characters. Now, customers can choose to require passwords to contain at least 10, 12, or 16 characters.
  3. Hard to Guess: In addition to password length, LuxSci uses a measure to determine if the password is “hard to guess”.  We have updated this determination so that it uses a new method that is much better at determining what computers can and cannot easily break.

Protect your LuxSci Account with Two-Factor Authentication and Other Barriers

Thursday, May 23rd, 2013

Two-Factor Authentication (supposedly patented by Kim DotCom) — using a password plus “something else” to gain access to your account and to prevent lost, stolen, or guessed passwords from impacting you — is finally becoming fashionable.

First, it was a cool idea; then some places such as LuxSci started supporting it, but it was rarely used because people did not want to bother with an extra step to log in to their accounts.  Now, with Twitter adding two-factor authentication to help stem the tide of account compromises, security is fashionable.

This turnabout is really fantastic, as it brings security consciousness much more into the mainstream — so much so that popular radio hosts are talking on the air about how to secure accounts.  This can only be good for the adoption of better security practices overall and a decrease in compromises due to laziness … and in cases like HIPAA, laziness can be a terrible thing.

In this post, we’ll go over how to secure your LuxSci account against intrusion using Two Factor authentication and other methods.

New Self-Service Password Reset System

Saturday, April 20th, 2013

Since its inception in 1999, LuxSci Support has manually handled all password reset requests that were not handled by the account administrators.

Why? Security reasons, of course. We are aware of:

  • Poor Security Questions: very often users have poorly chosen answers to their security questions.
  • Hackers: people often try to use password reset systems to gain unauthorized access to users’ accounts.
  • Lack of Information: users often do not have enough solid information in their profiles to reliably verify their identities.

By manually processing these requests, we can effectively block password resets in the face of poor identity verification information and subjectively identify “fishy” requests.

However, we have come to determine that this manual process, while it provides the best security, is not actually in the best interests of our customers because:

  1. Time: Manual identity verification takes time, and delays in password resets can be detrimental to our customers’ ability to get work done.
  2. Better Questions: We have improved our user security questions in the last few years so that the questions and answers are generally of much better quality than they used to be.
  3. Mobile Phones: Most people have mobile phones capable of receiving text messages now and these can be used for identity verification.
  4. Simulating our Manual Process: We find that we can provide an automated self-service password reset process that simulates our manual review and verification process to a very large degree without a significant loss in security.