Password Wallets

December is already upon us. WOW. Let’s take a moment and focus on security. After all, passwords are like underwear – they should be changed frequently. Sure, I get that. And I can set all my passwords to either:

  • be the same across all sites (definitely not a good idea), or
  • ignore this advice and never update my password (also, definitely not a good idea).

OK, what if I want to change my passwords periodically but suffer from any sort of memory issues? How can I:

  • use a unique password for each site I use,
  • keep my passwords (actually passphrases) long and complex, and
  • remember to change them from time to time?

Short answer – use a password wallet.

What is a Password Wallet?

In the same way you probably keep your folding money in an actual wallet and keep it close to you, a password wallet is a secure spot to store your passwords. It is a bit of software. It can be available only to you (perhaps on a USB drive; you recall those, don't you?) or it can be stored in the cloud (someone else's computer). Regardless, access to the password wallet is controlled by a password (or preferably, a passphrase). Unless you know the password/passphrase to access the wallet, the contents are not readily accessible, just as the folding money in your wallet is not readily available to the world. The contents of a password wallet are encrypted, and the encryption key is derived from your master passphrase by a deliberately slow key-derivation function (Argon2 or PBKDF2 in most current products). This means that if the data store is ever stolen, the thief gets only ciphertext and has to guess the master passphrase offline, one slow attempt at a time. The caveat is that nothing stops that guessing: a short or common master passphrase can still be recovered from a stolen wallet file, so the master passphrase must be the strongest passphrase you own.
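The following added example (not code from KeePassXC, LastPass or any other product) shows in miniature what "the contents are encrypted" means for a wallet file: the key is stretched from the master passphrase with PBKDF2, the file is sealed with encrypt-then-MAC, a wrong passphrase or a tampered file is rejected, and a thief who has the file can guess without limit. The cipher is a constructed HMAC-SHA256 keystream so that the example runs with only the standard library; a real wallet uses AES-256 or ChaCha20-Poly1305 with Argon2 or PBKDF2. The sample entries and the word list are constructed.

```python
"""Toy password-wallet file: stolen ciphertext is only as safe as the master passphrase.

Added example, not code from any real wallet.  The keystream cipher below is a
constructed illustration and must not be reused as a cipher.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

DEFAULT_ITERATIONS = 200_000   # deliberately slow: each wrong guess pays this cost
KEY_LEN = 32
HEADER_LEN = 16 + 16 + 4       # salt, nonce, iteration count
TAG_LEN = 32


def derive_keys(passphrase: str, salt: bytes, iterations: int):
    """Stretch the master passphrase into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                   salt, iterations, 2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed CTR-style keystream: HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_wallet(passphrase: str, plaintext: bytes,
                iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Encrypt-then-MAC the wallet contents under the master passphrase."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    ciphertext = bytes(p ^ k for p, k in
                       zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + struct.pack(">I", iterations) + ciphertext
    tag = hmac.new(mac_key, body, "sha256").digest()
    return body + tag


def open_wallet(passphrase: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the passphrase is wrong or the file was altered."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt, nonce = body[:16], body[16:32]
    iterations = struct.unpack(">I", body[32:36])[0]
    enc_key, mac_key = derive_keys(passphrase, salt, iterations)
    if not hmac.compare_digest(hmac.new(mac_key, body, "sha256").digest(), tag):
        return None          # a wrong passphrase and tampering look the same
    ciphertext = body[HEADER_LEN:]
    return bytes(c ^ k for c, k in
                 zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def offline_guess(blob: bytes, candidates) -> Optional[str]:
    """What a thief does with a stolen wallet file: unlimited guesses, no lockout."""
    for guess in candidates:
        if open_wallet(guess, blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    entries = b"example.com\talice\tT7#kq9!pLm2$vWx8\n"      # constructed contents
    strong = seal_wallet("correct horse battery staple", entries)
    weak = seal_wallet("123456", entries)
    wordlist = ["password", "letmein", "qwerty", "123456"]     # constructed
    print("stolen wallet, weak master passphrase ->", offline_guess(weak, wordlist))
    print("stolen wallet, strong master passphrase ->", offline_guess(strong, wordlist))
```

The iteration count travels in the file header, as it does in real formats, so the guesser pays whatever cost the owner chose; raising it is the one knob the owner controls after the file is gone, which is why wallets let you set KDF parameters and why the choice of master passphrase matters more than the choice of product.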

Yes, many browsers provide the ability to store your passwords these days. Many operating systems also provide this capability. That is always one alternative. Although we are not recommending/endorsing any specific technology, it is important to know what options are available beyond your browser or operating system. Some examples of password wallets include:

  • KeePassXC (a local database file you keep yourself, for example on a thumb drive). This software is open source, released under an OSI-approved license (the GPL), and derives the key from your passphrase with a deliberately slow function (Argon2 by default in current versions).
  • LastPass (there are free and paid versions). Note that LastPass disclosed in late 2022 that attackers had copied backups of customer vaults; what protects those vaults now is the strength of each user's master password and the key-derivation settings on the account, which is exactly the first selection criterion below.
  • NordPass (if you use Nord as your VPN, this paid version may be appropriate).

There are many other choices; search engines are helpful, aren't they?

Selection Criteria

Once you decide that it might be useful to store your passwords in a secure wallet, here are some things to consider (this is not a complete list).

  • How secure is my data? Does the wallet encrypt the contents with a key derived from your passphrase, so that decryption can happen only on your device? If you forget your password/passphrase, you will likely not be able to access the contents; that is the intended trade-off. For an online wallet, confirm that the provider holds neither your master passphrase nor the derived key (often described as a zero-knowledge or end-to-end encrypted design), so that its servers only ever see ciphertext.
  • Is there a limit to the number of passwords/passphrases I can store? Some free versions limit you to 50 or 100 passwords. Of course, you get what you pay for.
  • How much does it cost? Yes, many of these services cost money. That is how they keep their software up to date (and patch vulnerabilities as they are found). Many services offer a discount if you pay annually.
  • Password/passphrase generator? The longer the password/passphrase, the better, provided it is generated randomly rather than typed from memory. You should be able to specify the length and the character set, or choose a passphrase made of random words. You should also be able to copy the generated value for a short period of time: when you use longer passwords, it is helpful to copy, then paste them into your browser, but you don't want that information remaining in your clipboard for long. Look for a wallet that clears the clipboard automatically after a timeout, and for browser integration that fills the field directly and avoids the clipboard altogether.
  • What other services are included? Many paid options offer additional services (such as multi-factor authentication, or being able to selectively share information with family or co-workers). You decide what is necessary for you.
  • Reminder to periodically change your password? It is a good idea to change a password promptly when a site reports a breach or you suspect exposure, and many people also rotate important passwords on a schedule (current NIST guidance in SP 800-63B favours changing on evidence of compromise rather than on a fixed calendar). Either way, we tend to forget. It is helpful if your software can set a reminder for a given site, and better still if it can check your stored passwords against published breach lists.
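To put numbers on "the longer the better" and on why a generator should let you choose both the length and the style, here is an added example generator (not code from any wallet product). It draws from `secrets`, supports random characters or Diceware-style random words, and reports the entropy in bits; the 32-word list and the guessing rate used in the demo are constructed for illustration, and a real generator would use a published list such as the EFF long list of 7776 words.

```python
"""Passphrase generator with an entropy estimate.  Added example, not product code."""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed mini word list (a real generator uses thousands of words).
WORDS = ["anchor", "bridge", "cactus", "dolphin", "ember", "falcon", "garnet",
         "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
         "orchid", "pebble", "quartz", "ribbon", "saddle", "timber", "umpire",
         "velvet", "walnut", "xenon", "yonder", "zephyr", "acorn", "beacon",
         "cobalt", "dagger", "eagle", "fossil"]


def random_characters(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniformly random string; secrets (not random) is the CSPRNG to use here."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_words(count: int, words=WORDS, separator: str = "-") -> str:
    """Diceware-style passphrase: easier to type and remember at equal entropy."""
    if count < 1:
        raise ValueError("count must be positive")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform picks from `choices` options."""
    return picks * math.log2(choices)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected offline guessing time: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    # 1e10 guesses/s is a constructed figure for a GPU rig against a fast unsalted
    # hash; a slow KDF such as Argon2 or bcrypt cuts it by many orders of magnitude.
    for label, bits in [("8 printable chars", entropy_bits(94, 8)),
                        ("16 printable chars", entropy_bits(94, 16)),
                        ("6 EFF words", entropy_bits(7776, 6))]:
        years = expected_crack_seconds(bits, 1e10) / 31_557_600
        print(f"{label}: {bits:5.1f} bits, about {years:.2e} years at 1e10 guesses/s")
    print("characters:", random_characters(20))
    print("words:", random_words(6))
    print("EFF words needed for 100 bits:", words_needed(100, 7776))
```

Eight random printable characters give about 52 bits; six words from a 7776-word list give about 78 bits and are far easier to type, which is the case for a generator that offers both styles. The entropy figures assume the value really is random: a passphrase you made up yourself has far less than the formula suggests.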

Should I use one?

Ultimately, that decision is up to you. However, these days, one needs many passwords (and they should be unique for each site). Personally, my memory is simply not capable of remembering passwords for thousands of sites. And you want to make certain you periodically change important passwords. Those items alone likely dictate you should consider such an approach.

All this being said, I strongly recommend using two-factor authentication in addition to a password/passphrase on any site that offers it. This means you must provide your username and password along with a one-time code to access the site. Most sites offer this option. Many allow you to use an authenticator app such as Google Authenticator (which computes a time-based one-time password, TOTP) or to receive an SMS text message with a code. Authenticator codes are typically valid for a 30-second window, and servers usually accept one adjacent window to allow for clock drift. Prefer an authenticator app or a hardware security key over SMS where you can: SMS codes can be intercepted by SIM-swap attacks, and a code of any kind can be phished by a fake site that asks for it and relays it in real time, which a security key resists.

November, 2022, Desktop View

Here at Web Professionals Global, we hope everyone has been experiencing a successful November. It is time again to focus on a few items which caught our attention during the month. We never cease to be impressed at how quickly web technologies change. Let’s briefly focus on these areas for now:

  • CSS,
  • Accessibility, and
  • Security

CSS

Browsers are beginning to support media query range syntax. Sure, it is not supported in all browsers on all devices yet, but knowing this is coming is huge. It should save significant time coding CSS. Instead of having to write min-width and max-width pairs, we will be able to use comparison operators such as >, <, and <= directly in the media query. Readers are encouraged to follow the above link (it will open in a new tab) to learn more. Please let us know what you think about the possibilities of this via comments.

Accessibility

Adrian Roselli posted an article earlier this year on buttons, enter and space.  From a user experience perspective, this is a great refresher on what happens when you use native keyboard interactions. Adrian even provides a working example (with counters). His last word in the article is something we advocate all the time – test. What are your thoughts about keyboard interactions?

Let’s not overlook e-commerce accessibility either. We came across this article specifying UI elements using roles. As many of our readers know, specifying the purpose of UI elements is critical when visitors to a site rely on assistive technologies. We thought this article provided a great number of insights and examples. We look forward to your thoughts on this topic as well.

Security

As we approach the end of the year (and many of us have to provide tech support to family and friends as they receive new devices), it might be wise to bookmark the OUCH newsletter site. Disclosure: Mark (your executive director) is one of the monthly reviewers of these articles before they go live. Each month, a security professional provides a timely overview of one aspect of security. Articles are kept short and are suitable for sharing with those not as savvy in various aspects of technology.

That is all for our November desktop view. We know your time is valuable and appreciate you reading this post. If you would like us to include additional articles or focus on additional aspects, please let us know via your comments below. Until next time…

Best always,
Mark DuBois, Executive Director
Web Professionals Global (aka World Organization of Webmasters)

What to Know About Employee Burnout in Cybersecurity

Today we are highlighting one of the emerging trends in the world of the web: cybersecurity teams dealing with burnout that is leading to increased vulnerability for individuals and organizations.

As ZDNET has reported, there has been a sharp rise in attacks and disruptions in the cyber world in recent years. Rates of ransomware, corporate espionage, and IP theft have all increased. As a result, cybersecurity professionals are experiencing high rates of burnout and both employee recruitment and retention are suffering. A recent study by Mimecast revealed roughly one-third of those who work in cybersecurity have considered leaving the profession, and it is becoming increasingly difficult to attract new professionals to the field. The shortage of qualified cybersecurity professionals has many worried that it is causing a domino effect of labor shortages across the entire IT industry.

One of the primary drivers of employee burnout is the time and effort cybersecurity teams spend cleaning up the mistakes of others. A 2020 study conducted by Tessian and Stanford University showed that nearly 90% of data breaches involve human error, which puts increased pressure on IT and cybersecurity teams. The Mimecast study found that over half of cyber attacks cost more than $100K to fix, which is comparable to what many companies spend on their cybersecurity plan. Additionally, cyber attacks often attract significant negative media attention, such as the Colonial Pipeline attack in May 2021.

Of course, this issue grows more complicated as more individuals work from home and may not be using a business computer for all their work.

Developing a Cybersecurity Plan

Web Professionals Global has been deeply involved in raising awareness of cybersecurity issues for web professionals, including this article in which we discussed safe practices regarding passwords and security. It is crucial that web professionals stay up to date on the latest cybersecurity trends to avoid data breaches and more. And companies and organizations must ensure they keep employees informed and aware of risks they may encounter, whether working from the office or from home. This may include increasing budgetary resources for more frequent and adequate cybersecurity training. After all, any organization is only as strong as its weakest link.

Web professionals can do the following as a start to protect against cyber threats:

  • Keep software up to date
  • Keep anti-virus protection up to date
  • Use unique passwords
  • Use two-factor authentication (2FA)
  • Back up data regularly
  • Avoid using public wifi networks (where possible, use a VPN)
  • Avoid mixing personal and work accounts and devices

Career Pathways in Cybersecurity

You might be interested in exploring what it is like to work in the world of cybersecurity. It is a high-paying and in-demand career path due to the reasons we have discussed in this article. According to the U.S. Bureau of Labor Statistics, information security analyst hiring is expected to grow 35 percent from 2021 to 2031, faster than the average for other career tracks. This equates to almost 20,000 openings for information security analysts each year. As of May 2021, the average salary for the profession was just over $102K. Web developers are right behind, with a projected 30% rate of growth over the same period of time. Cybersecurity is an industry that will need talent for many years to come. 

Contact us Today

Our work in cybersecurity is core to our mission of “Community, Education, Certification.” We are committed to training web professionals to fill the skills gaps in cybersecurity and other web sectors. To learn more about Web Professionals Global and our work in cybersecurity and other areas, contact us today.

October, 2022 Desktop View

It has been some time since I posted some thoughts on the current state of web technologies. A lot has happened during recent months. Let’s focus on several key areas:

  • web accessibility,
  • security,
  • JavaScript,
  • and CSS.

More areas may be the focus of subsequent articles. Stay tuned. As always, we at Web Professionals Global are interested in what you think. Let us know in the comments or contact us directly.

Web Accessibility

WCAG 3 has been released as a working draft (first published in December 2021; the latest editors' draft was updated in July 2022). The approach is iterative, with content ranging from placeholder (just a marker for future content) to mature (ready for publication). This version is somewhat evolutionary in that it aims to be easier to understand and to provide more guidance. A key differentiator is that it has a broader scope (beyond web content). I encourage you to view the above links and consider helping develop the next version of the Web Content Accessibility Guidelines.

Of course, there is also a new ARIA authoring practices guide website. Lots of patterns and resources. Check it out.

Security

This is a bit beyond web security, but definitely something readers should be aware of: ransomware which targets home PCs, delivered as fake Windows 10 or anti-virus updates. The malware is called Magniber (details can also be found in this ZDNet article). Essentially, a visitor is directed to a website which looks legitimate but is controlled by malicious individuals. That site informs the visitor that their operating system or software is out of date and must be updated as soon as possible. The visitor is tricked into downloading a malicious JavaScript file which contains the malware payload. Once run (via a technique called DotNetToJscript, which lets a script load a .NET assembly directly in memory without writing an executable to disk), the individual's files are encrypted and they are directed to a link to negotiate payment to recover their contents. More details can be found in the above article.

As web professionals, we should remind ourselves (and our clients) of some fundamental tactics which help mitigate these sorts of attacks.

At a minimum, never act on anything that purports to have an extreme sense of urgency. That is what malicious individuals want. Act before you have a chance to think about the implications. It is also good practice to never click on links in emails or text messages. Instead, open a browser and type the site directly (or use a reliable search engine). Lastly, only install updates from trusted sources (and use the traditional channels where those updates are distributed).

JavaScript

The creator of JSON made an interesting comment about JavaScript a couple of months ago. Douglas Crockford stated that "The best thing we can do today to JavaScript is to retire it." Yes, JavaScript is the world's most popular programming language (used by over 65% of developers according to a StackOverflow survey). Yes, it is bloated (and is becoming more so over time). However, it powers the majority of web sites. Of course, JavaScript is supported in every browser, so making a change to something else would be a monumental undertaking. We are curious what your thoughts are about JavaScript. Is Douglas Crockford correct? Please discuss in the comments below.

CSS

Remember the days of aural style sheets (yes, they were a thing)? Of course, no browsers supported them. However, a recent article (October, 2022) has raised my hopes again: Why we need CSS speech. What are your thoughts about CSS speech? Again, reach out to us in the comments.

Of course, there are many enhancements in the works for CSS. These include items such as:

  • The ability to nest selectors is presently in the works. This is possibly a good way to organize your CSS code. Of course, no browsers yet support this.
  • Cascade layers (which give authors the ability to group their CSS and affect how the cascade applies). The linked article should give you a much better understanding. This is like nesting selectors, but much more. Is this feature ready for prime time? No, but you might want to start learning about them.
  • CSS subgrid allows for styling on a page to inherit the parent’s grid styling. MDN has a nice overview with examples. That is the reference linked at the start of this bullet.

Now you know a little more about what is happening with respect to web accessibility, security, JavaScript, and CSS. Please let us know if you find this information helpful and provide more thoughts in the comments below.

Best always,
Mark DuBois, Executive Director
Web Professionals Global (a.k.a. World Organization of Webmasters)

Taking a Look at Passwords and Security

We often talk about web security because we believe it is an extremely important topic that will remain relevant for as long as the internet is around. If you missed it, we touched on it in our article on the next 25 years of the web. One of the most important aspects of security is password security.

Let's dive into what password security actually means. If you look at an environment like Moodle, your password is never stored; what is stored is a salted hash of it (Moodle uses PHP's password_hash(), which applies bcrypt). A salt is a unique random string generated for each account and combined with your password before hashing, so two users with the same password end up with different stored values. When you log in, the data store retrieves the salt for your account, combines it with what you typed, runs the same slow hash function and compares the result to the value stored in the Moodle database. If they match (bit for bit), you're in. And if not, you can't get in. Note that this is hashing, not encryption: the site cannot recover your password from the stored value, and neither can an attacker. That in itself is a high level of protection for the stored credential, although it is no substitute for two-factor authentication, which protects the account even when the password is guessed or phished.

Here at the Web Professionals Organization, we maintain information in our learning management and certificate testing system. However, we are careful not to keep track of personally identifiable information. We only keep the student’s first name, last name and email. This is the minimum we need to allow students to self-enroll. We do not allow users to attach any phone number, address, social media links or profile names. In some cases, schools will ask that we completely anonymize the accounts, and for this we will create complex passwords and dead drop emails for each user. 

If a hacker were to steal our data store, they would get salted hashes, not passwords. The salt is not a secret (it is stored alongside the hash); its job is to make precomputed tables such as rainbow tables useless, because a table would have to be built for every possible salt, and to stop an attacker from recognising two users who share a password. Some systems add a second, secret value (a pepper) kept outside the database, so that a database dump alone is not enough even to begin guessing. What remains for the attacker is offline guessing: hash each candidate password with the user's salt and compare. A slow hash such as bcrypt holds that to thousands of attempts per second per core rather than billions, so a long random password is out of reach, while a short or common one still falls quickly. That is why the hashing design and the quality of the password matter together, and that is by design.

How do hacks happen?

Let's imagine we have a site that stores passwords as a plain MD5 hash (older WordPress installations used "portable" hashes built on salted, iterated MD5; an unsalted MD5 is the worst case). MD5 is a message-digest algorithm that was designed for content verification and once used in digital signatures, but it has been broken for collisions since 2004 and, more to the point here, it is extremely fast, which is exactly what you do not want in a password hash. To attack it, you could build a lookup table: start with lowercase "a" as the password, hash it, and store the password and its hash in two separate columns. Then go on to lowercase "b", "c", "d", then uppercase "A", "B", "C", and so forth. Then 1, 2, 3, then two-character strings (for example, a1, b1, c1), and continue on. Obviously, the table gets larger and larger as you add characters. The full space of eight printable characters is 95^8, roughly 6.6 quadrillion entries, far too much to store outright, which is why rainbow tables compress it into chains and trade storage for recomputation, and why attackers in practice start from lists of passwords people actually use.

So now you have these two fields: one contains the plaintext value, the other the hash. Download a data store from a site that has been breached, look each stored hash up in your table, and every hit hands you the password. The table is built once and works against every unsalted database in the world, and any two users whose stored hashes match share a password. And as easily as that you could have the username "admin" and password "123456" which you can use to log in.
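The following added example (not WordPress or Moodle code) runs the attack just described against a constructed breach dump: a lookup table of common passwords cracks unsalted MD5 rows instantly and exposes users who share a password, while the same passwords stored with a per-user salt and a slow iterated hash make the table useless and force the work to be redone per account. PBKDF2 stands in for bcrypt here so that the example needs only the standard library; the usernames, passwords and candidate list are constructed.

```python
"""Lookup-table attack on an unsalted fast hash, and why salting defeats it.

Added example, not code from any CMS.  All rows and candidates are constructed.
"""
import hashlib
import os


def build_table(candidates, algorithm: str = "md5") -> dict:
    """Precompute hash -> password once.  With no salt, one table serves every site."""
    return {hashlib.new(algorithm, p.encode("utf-8")).hexdigest(): p
            for p in candidates}


def crack_unsalted(stored_hash: str, table: dict):
    """One dictionary lookup per leaked row; no hashing at attack time."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow iterated hash (PBKDF2 here; bcrypt in Moodle)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def crack_salted(stored_hash: str, salt: bytes, candidates, iterations: int = 100_000):
    """No precomputed table applies; every candidate is re-hashed with this user's salt."""
    for p in candidates:
        if salted_hash(p, salt, iterations) == stored_hash:
            return p
    return None


def shared_password_groups(rows):
    """With unsalted hashes, identical stored values expose users sharing a password."""
    groups = {}
    for user, stored in rows:
        groups.setdefault(stored, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed breach dump from a site using plain MD5 (the worst case).
    leaked = [("admin", hashlib.md5(b"123456").hexdigest()),
              ("bob", hashlib.md5(b"123456").hexdigest()),
              ("carol", hashlib.md5(b"T7#kq9!pLm2$vWx8").hexdigest())]
    table = build_table(["password", "123456", "qwerty", "letmein"])
    for user, stored in leaked:
        print(user, "->", crack_unsalted(stored, table))
    print("users sharing a password:", shared_password_groups(leaked))

    # The same passwords stored salted: the table is useless and equal passwords differ.
    salt_admin, salt_bob = os.urandom(16), os.urandom(16)
    print("salted hashes equal?", salted_hash("123456", salt_admin) == salted_hash("123456", salt_bob))
```

Note that carol's random 16-character password survives even the unsalted case, because it is not in any list, while admin's "123456" falls to a salted slow hash as well once the attacker hashes the candidates for that one account; the salt and the slow hash buy time and remove the economies of scale, and the password's randomness does the rest.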

Ensuring password security

It’s important to make it as difficult as possible to hack your accounts. Many people like to use their initials or identifiable information so that they remember the password. However, you can use random letters, numbers and characters in your usernames and passwords. In fact, many security experts recommend 15-20 characters. You can even go up to 40 or more these days. Sites like Correct Horse Battery Staple are helpful to create randomly generated passwords and allow you to set parameters. And encrypted password vaults like NordPass and LastPass are a good way to ensure password security without needing to write them down and keep track of each one. 

There are all sorts of bad actors out there with wide-ranging capabilities, and a determined, well-resourced attacker may get into a given account. However, most attackers are opportunistic and will have trouble with accounts that use unique, randomly generated passwords. It's like someone walking down the street at night trying car doors. If yours is locked, it's likely they will move on to the next car that is open and leave yours alone. That's what you're doing by making it more difficult for people to get into your website or your information. You can even keep your password list in an encrypted wallet on a USB stick or external drive that is never connected to the internet, adding an extra level of separation (an unencrypted text file on a USB stick offers no protection if the stick is lost).

You can also make up answers for password security questions (for example, your mother's maiden name) to make your accounts even more difficult to break into, since the real answers are often findable on social media or in public records; store the made-up answers in your password wallet, because you will not remember them either. Alternatively, you could add a word like "flower" to the answer to each security question. For example, make of car "fordflower." And you can use passphrases that you will remember (unrelated to your personal information), which can be helpful when used correctly. It should be said that you should be careful about revealing sensitive information anywhere on the internet, including social media. And you can use two-factor authentication and authentication apps for an added layer of security.

We should mention that we have never—and will never—sell student and member information to anyone. 

Wrapping up

Whatever happens in the coming years in the world of security, the Web Professionals Organization will be here to help web professionals however we can. If you are interested in learning more about our mission, contact us today.

Taking a Look at Cybersecurity

With Russia’s invasion of Ukraine, there has been a renewed focus on one of the most important web topics: cybersecurity.

Cyberwarfare has been a major focus of Russia's efforts to disrupt daily life in Ukraine. While there have not been large-scale attacks yet, there have been reports of smaller attacks. Last week, Google's Threat Analysis Group (TAG) said that it has discovered phishing attacks from Russia aimed at Ukrainian and Polish officials. In fact, hundreds of threats emanating from Russia over the past twelve months resulted in warnings being issued to Ukrainian users. One of these threats is WhisperGate, a wiper malware that displays a fake ransomware note while overwriting the boot record and corrupting files so that they cannot be recovered, leaving the device unusable.

U.S. Army Cyber Command has been aiding Ukraine in improving its cyber defenses since the Russian attack on the Ukrainian power grid in December 2015, which cut power to some 230,000 customers in western Ukraine; a second attack in December 2016 briefly blacked out part of Kyiv. The U.S. has continued to work with Ukraine in recent months to prepare for the types of cyber attacks occurring now as well as potential large-scale events like infrastructure attacks that would make it much more difficult for Ukraine to defend itself.

There have also been reports of coordinated Russian campaigns aimed at disrupting U.S. firms that supply natural gas, as natural gas has become increasingly valuable in recent weeks following sanctions against Russia that affect exports.

Additionally, there have been reports of the hacking collective called Anonymous hacking Russian targets in retaliation, as well as Chinese hackers using the Ukraine crisis to target European officials for a variety of purposes. It’s clear that cybersecurity continues to be one of the most important web issues. 

One of the biggest cyber attacks in the U.S. took place in May of 2021, when the Colonial Pipeline suffered a ransomware attack carried out by the Eastern European hacking group DarkSide. The Colonial Pipeline supplies roughly half of the East Coast's fuel, making it a high-value target for hackers. The pipeline was down for several days, which caused gasoline price spikes, shortages and panic buying. It was reported by Bloomberg that the hackers got in using a leaked password for an old, still-active account on the virtual private network (VPN) used to remotely access company systems; the account was not protected by multi-factor authentication, so the password alone was enough.

The company eventually paid the $4.4 million ransom in bitcoin, and the U.S. Department of Justice has since tracked down and recovered roughly half of it by successfully tracing the bitcoins. However, the CEO of Colonial Pipeline Company admitted that the hack ended up costing the company tens of millions of dollars to restore systems.

Taking Action 

With cyber attacks on the rise, now is a good time to do a security check-up to make sure you and your organization aren’t susceptible to hackers. Many believe that these Russian-led cyber attacks will soon spread to businesses and individuals in other countries. Make sure that your organization has budget resources dedicated to ensuring your cybersecurity strategy is robust.  

Make sure you use private connections, inspect your code regularly, be cautious of suspicious-looking emails, employ a strong password strategy and have multiple backups of your information. Make sure that all employees, including new ones, understand the organizational strategy and policy for protecting against cyber attacks. Remember that hackers don’t always need to exploit multiple vulnerabilities—sometimes they only need one to do serious damage. 

Although the crisis in Ukraine has brought awareness of cybersecurity to the forefront, having a cybersecurity plan and committing to executing it year-round will help to ensure you and your organization stay protected from hackers and avoid costly disruptions.  
