Phishing Email ALERT: “ITHelp Desk”

A screenshot of the message.

Please be advised that a phishing email with the subject: “ITHelp Desk” has been sent to some users. The body of the message reads:

Important information from Web Support Security Service.

You have 1 new important message pending Click Here to use the message retriever page to retrieve missing message.

Thank You.

Help-desk

Copyright @2017

Clicking the link brings users to a page where they are asked to enter personal information.

A screenshot of the phishing page.

If you believe you have received this phishing message, please do the following:

  • Do not respond to the message
  • Do not provide any information such as username and password
  • Do not open any attachments
  • If you did respond to the email, provided confidential information, or opened an attachment, please contact Fordham IT Customer Care ASAP at (718) 817-3999 for instructions on how to manually reset your password.
  • Delete the message

Please note: Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these emails.

Further information about phishing scams and other IT security topics is available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at secureit.fordham.edu.

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

Phishing Email ALERT: “FORDHAM UNIVERSITY:An Improved Business Stability Program for Employees”

Please be advised that a phishing email with the subject: “FORDHAM UNIVERSITY:An Improved Business Stability Program for Employees” has been sent to some users.

If you believe you have received this phishing message, please do the following:

  • Do not respond to the message
  • Do not provide any information such as username and password
  • Do not open any attachments
  • If you did respond to the email, provided confidential information, or opened an attachment, please contact Fordham IT Customer Care ASAP at (718) 817-3999 for instructions on how to manually reset your password.
  • Delete the message

Please note: Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these emails.

Further information about phishing scams and other IT security topics is available on our IT Security website at: www.fordham.edu/SecureIT or from our blog at secureit.fordham.edu.

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts

Via: KrebsonSecurity

“Identity thieves who specialize in tax refund fraud have been busy of late hacking online accounts at multiple tax preparation firms, using them to file phony refund requests. Once the Internal Revenue Service processes the return and deposits money into bank accounts of the hacked firms’ clients, the crooks contact those clients posing as a collection agency and demand that the money be “returned.”

In one version of the scam, criminals are pretending to be debt collection agency officials acting on behalf of the IRS. They’ll call taxpayers who’ve had fraudulent tax refunds deposited into their bank accounts, claim the refund was deposited in error, and threaten recipients with criminal charges if they fail to forward the money to the collection agency.

This is exactly what happened to a number of customers at a half dozen banks in Oklahoma earlier this month. Elaine Dodd, executive vice president of the fraud division at the Oklahoma Bankers Association, said many financial institutions in the Oklahoma City area had “a good number of customers” who had large sums deposited into their bank accounts at the same time.

Dodd said the bank customers received hefty deposits into their accounts from the U.S. Treasury, and shortly thereafter were contacted by phone by someone claiming to be a collections agent for a firm calling itself DebtCredit and using the Web site name debtcredit[dot]us.

“We’re having customers getting refunds they have not applied for,” Dodd said, noting that the transfers were traced back to a local tax preparer who’d apparently gotten phished or hacked. Those banks are now working with affected customers to close the accounts and open new ones, Dodd said. “If the crooks have breached a tax preparer and can send money to the client, they can sure enough pull money out of those accounts, too.”

Several of the Oklahoma bank’s clients received customized notices from a phony company claiming to be a collections agency hired by the IRS.

The domain debtcredit[dot]us hasn’t been active for some time, but an exact copy of the site to which the bank’s clients were referred by the phony collection agency can be found at jcdebt[dot]com — a domain that was registered less than a month ago. The site purports to be associated with a company in New Jersey called Debt & Credit Consulting Services, but according to a record (PDF) retrieved from the New Jersey Secretary of State’s office, that company’s business license was revoked in 2010.

“You may be puzzled by an erroneous payment from the Internal Revenue Service but in fact it is quite an ordinary situation,” reads the HTML page shared with people who received the fraudulent IRS refunds. It includes a video explaining the matter, and references a case number, the amount and date of the transaction, and provides a list of personal “data reported by the IRS,” including the recipient’s name, Social Security Number (SSN), address, bank name, bank routing number and account number.

All of these details no doubt are included to make the scheme look official; most recipients will never suspect that they received the bank transfer because their accounting firm got hacked.

The scammers even supposedly assign the recipients an individual “appointed debt collector,” complete with a picture of the employee, her name, telephone number and email address. However, the emails to the domain used in the email address from the screenshot above (debtcredit[dot]com) bounced, and no one answers at the provided telephone number.

Along with the Web page listing the recipient’s personal and bank account information, each recipient is given a “transaction error correction letter” with IRS letterhead (see image below) that includes many of the same personal and financial details on the HTML page. It also gives the recipient instructions on the account number, ACH routing and wire number to which the wayward funds are to be wired.

A phony letter from the IRS instructing recipients on how and where to wire the money that was deposited into their bank account as a result of a fraudulent tax refund request filed in their name.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

On Feb. 2, 2018, the IRS issued a warning to tax preparers, urging them to step up their security in light of increased attacks. On Feb. 13, the IRS warned that phony refunds through hacked tax preparation accounts are a “quickly growing scam.”

“Thieves know it is more difficult to identify and halt fraudulent tax returns when they are using real client data such as income, dependents, credits and deductions,” the agency noted in the Feb. 2 alert. “Generally, criminals find alternative ways to get the fraudulent refunds delivered to themselves rather than the real taxpayers.”

The IRS says taxpayers who receive fraudulent transfers from the IRS should contact their financial institution, as the account may need to be closed (because the account details are clearly in the hands of cybercriminals). Taxpayers receiving erroneous refunds also should consider contacting their tax preparers immediately.

If you go to file your taxes electronically this year and the return is rejected, it may mean fraudsters have beat you to it. The IRS advises taxpayers in this situation to follow the steps outlined in the Taxpayer Guide to Identity Theft. Those unable to file electronically should mail a paper tax return along with Form 14039 (PDF) — the Identity Theft Affidavit — stating they were victims of a tax preparer data breach.”

Source: https://krebsonsecurity.com/2018/02/irs-scam-leverages-hacked-tax-preparers-client-bank-accounts/

Scammers Mimic Apple in Latest Round of Phishing Campaigns

Via: Malwarebytes Labs

We’ve seen a number of Apple-related phishes in circulation over the last few days. While most of them already lead to deactivated phishing sites, we thought it was worth highlighting some of the tricks being used to bait people into handing over payment details at the moment.

Fake receipt emails
First up, a number of fake “receipt” emails ranging in date from February 2–6. While the content of some of the emails varies slightly, most of them use a subject line similar to the below:

[ New Statement ] Your receipt from Apple [ 02 February 2018 ]

In the cases we’ve seen, the mails claim to be receipts for a payment of $9.99 made out to, er, Mr. Edward Snowden. Apparently, privacy campaigns and 2 terabyte storage plans go together nicely.

The good news for potential clickers is, the site the scammers are trying to bounce through is already wise to the scam and has effectively killed the one-way street to the phish page. The phish link itself is also offline, so we can’t show you what may lay in wait. But we can confirm people won’t be losing money to this one anytime soon.

Someone else logged in
Elsewhere, we have a “Reminder” notification that someone else is logging in on your Apple account with an iPod in Monaco.

The email reads as follows:

[Reminder] [Notification Update] Statement new log-in your Apple account with other device
Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt. Ѕοmеοnе ассеѕѕіng уοuг ассοunt аnd mаκе ѕοmе сhаngе οn уοuг ассοunt іnfοгmаtіοn. This the details :
Country : Monaco
IP Address :
Date and Time : 13:09, 06 Feb 2018
OS : iPod
Browser : Safari
If you did not make these action or you believe an unauthorized person has accessed your account, you should login to your account as soon as possible to verify your information.

Apart from the lazy typos (“Four your safety”) and awful sentence structure, they also make use of some Cyrillic characters in a likely attempt to bypass Bayesian filtering. While the destination site was offline again, it’s worth noting that all of the examples tried to send potential victims to HTTPs websites, instead of the plain old HTTP landing page. All phishers now want to look as “secure” as they possibly can—anything to help pull the wool over your eyes.

Always worth repeating: Just because a website is HTTPs, does not mean it is a legitimate website. Phish pages can lurk anywhere, no matter what security the page you’re on happens to be touting.
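The Cyrillic look-alike trick described above is detectable mechanically. The following is an added example, not code from Malwarebytes or the UISO: it decodes a message as UTF-8, classifies each letter by script, and flags words that mix Latin with Cyrillic or Greek letters. The sample message is constructed to mimic the “Four your safety” line (Greek omicron and Cyrillic ghe/u/dze/a/ie standing in for o, r, y, s, a, e).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decode one UTF-8 sequence at s into *cp; return bytes consumed (0 at end of string).
 * Malformed bytes decode as U+FFFD and consume one byte so scanning always advances. */
static size_t utf8_next(const unsigned char *s, uint32_t *cp) {
    unsigned char c = s[0];
    size_t len;
    uint32_t v;
    if (c == 0) return 0;
    if (c < 0x80) { *cp = c; return 1; }
    if ((c & 0xE0) == 0xC0) { len = 2; v = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; v = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; v = c & 0x07; }
    else { *cp = 0xFFFD; return 1; }
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) { *cp = 0xFFFD; return 1; }
        v = (v << 6) | (s[i] & 0x3F);
    }
    *cp = v;
    return len;
}

enum script { SC_OTHER = 0, SC_LATIN = 1, SC_CYRILLIC = 2, SC_GREEK = 3 };

/* Coarse script classification by Unicode block; enough to spot the Latin/Cyrillic/Greek
 * look-alikes (а/a, е/e, о/o, у/y, ѕ/s ...) that the phish relies on. */
static enum script script_of(uint32_t cp) {
    if ((cp >= 'A' && cp <= 'Z') || (cp >= 'a' && cp <= 'z')) return SC_LATIN;
    if (cp >= 0x0370 && cp <= 0x03FF) return SC_GREEK;
    if (cp >= 0x0400 && cp <= 0x04FF) return SC_CYRILLIC;
    return SC_OTHER;   /* digits, punctuation, whitespace, everything else */
}

struct script_report {
    int latin_letters;
    int cyrillic_letters;
    int greek_letters;
    int mixed_words;   /* words containing Latin letters together with Cyrillic or Greek ones */
};

static void close_word(struct script_report *r, unsigned word_scripts) {
    unsigned nonlatin = (1u << SC_CYRILLIC) | (1u << SC_GREEK);
    if ((word_scripts & (1u << SC_LATIN)) && (word_scripts & nonlatin)) r->mixed_words++;
}

struct script_report scan_scripts(const char *text) {
    struct script_report r = {0, 0, 0, 0};
    const unsigned char *p = (const unsigned char *)text;
    unsigned word_scripts = 0;   /* bitmask of scripts seen in the current word */
    uint32_t cp;
    size_t n;
    while ((n = utf8_next(p, &cp)) != 0) {
        p += n;
        if (cp == ' ' || cp == '\n' || cp == '\r' || cp == '\t') {
            close_word(&r, word_scripts);
            word_scripts = 0;
            continue;
        }
        enum script sc = script_of(cp);
        if (sc == SC_LATIN) r.latin_letters++;
        else if (sc == SC_CYRILLIC) r.cyrillic_letters++;
        else if (sc == SC_GREEK) r.greek_letters++;
        if (sc != SC_OTHER) word_scripts |= 1u << sc;
    }
    close_word(&r, word_scripts);   /* flush the last word */
    return r;
}

/* Verdict for a message expected to be in English: any mixed-script word, or a sprinkling of
 * Cyrillic/Greek letters inside a Latin-majority text, is the homoglyph evasion pattern.
 * A genuinely Russian or Greek message (non-Latin majority) is deliberately not flagged. */
int looks_like_homoglyph_evasion(const struct script_report *r) {
    int nonlatin = r->cyrillic_letters + r->greek_letters;
    return r->mixed_words > 0 || (nonlatin > 0 && nonlatin < r->latin_letters);
}

/* Constructed sample modelled on the "Four your safety" line; bytes written as UTF-8 escapes. */
static const char SAMPLE_PHISH[] =
    "F\xCE\xBFu\xD0\xB3 "                        /* "Four"   : F, Greek omicron, u, Cyrillic ghe */
    "\xD1\x83\xCE\xBFu\xD0\xB3 "                 /* "your"   : Cyrillic u, Greek omicron, u, ghe */
    "\xD1\x95\xD0\xB0" "f\xD0\xB5" "t\xD1\x83, " /* "safety," : dze, Cyrillic a, f, ie, t, Cyrillic u */
    "\xD1\x83\xCE\xBFu\xD0\xB3 "                 /* "your" again */
    "Apple ID has been locked";
static const char SAMPLE_CLEAN[] = "Your Apple ID has been locked";

int main(void) {
    struct script_report r = scan_scripts(SAMPLE_PHISH);
    printf("latin=%d cyrillic=%d greek=%d mixed_words=%d -> %s\n",
           r.latin_letters, r.cyrillic_letters, r.greek_letters, r.mixed_words,
           looks_like_homoglyph_evasion(&r) ? "SUSPICIOUS" : "ok");
    return 0;
}
```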

Apple care scare
There are also some dubious texts going around claiming to be from Apple Care:

It reads as follows:

Final Notification
Your Apple ID is due to expire today. Prevent this by confirming your Apple ID at
appleid-revise(dot)com
Apple Inc

As you can see, there’s a big push to apply pressure to potential victims, and everything falls somewhere between the two extremes of “Payment made, quick do something!” and “So, your account is going to be terminated.” While we’re happy to say this is another one that came to our attention already DOA, even as texts were going out, the sad truth is that for every site taken down there are many more happily accepting credit card details and personal information.

Fake app purchases
We’ve also seen some fake app purchases, and this one rather spookily has an order number attached that was actually of some relevance to the recipient.

While one hopes this is just some horrible coincidence, it could just as easily have prompted the above individual to start visiting rogue links—and that’s all it really takes. Just one fragment of information from an otherwise garbled email missive could be enough to cost someone a small fortune—or even worse, a very large one.

If you’re worried about the pushy tone of a supposed Apple missive, contact them directly to check its validity, and wander over to their help page for more information on securing your Apple account. These are some of the most common scams around, and for as long as Apple IDs are tied to valuable purchases and personal information, criminals will continue to target these accounts.

Read the full article.

Chrome to Start Blocking Annoying Ads February 15

Via: Gizmodo

On Thursday, the Chrome browser will begin to automatically filter out ads that don’t meet certain quality standards. Your browsing experience is about to change a little bit. Here’s what you need to know.

In April of last year, the news first broke that Google planned to integrate some form of ad-blocking into its browser that would be on by default. Since then we’ve seen a gradual rollout of the feature, beginning with the ability to mute autoplay videos with sound on the sites of your choosing. Now, Google is going all-in with a set of criteria for what ads will be kosher in Chrome.

12 types of ads that Chrome will now automatically block.

Along with its fellow ad giant Facebook, Google is a member of the Coalition for Better Ads, an industry group that has performed research on what forms of web advertising annoys people the most. It’s created a list of the 12 types of web experiences that should ideally be avoided by advertisers. Now Google is going to enforce that list with Chrome, which is used by over half of all people accessing the web with a browser.

On Wednesday, the company published a blog post detailing how the system will work. Initially, Google will take a sample of various pages on a specific domain and analyze whether that page is serving any of the offending ad categories. It’ll be given a score of “Passing, Warning, or Failing.” Sites that don’t manage to get a passing grade will be notified by Google and they can review an ad experience report for details on what needs to change. If a site ignores multiple warnings, its ads will be blocked by default after 30 days.

If a user visits a site that’s being filtered by Chrome, they’ll see a message in the address bar that gives them the option to still allow ads—on mobile, users will see a pop-up at the bottom of the screen that will give them the same option. Yes, pop-up ads are blocked, and Google will be informing you with a pop-up notification.

View the full article.

What is CloudLock?

CloudLock is a service that helps ensure files within your Fordham Google Drive account that may contain Fordham protected and/or Fordham sensitive data are stored and shared appropriately and securely.

Why does Fordham have CloudLock?

Fordham has an obligation to the University community to protect information from unauthorized access and illicit use. Fordham IT is a partner in carrying out that obligation in order to ensure we use all available means to manage secure data in accordance with best practices and compliance regulations. CloudLock assists in ensuring that protected and sensitive data within a Fordham member’s Google Drive account is stored and shared in an appropriate and secure manner.

Is CloudLock looking at my Google Drive files?

CloudLock assesses files in Fordham Google Drive accounts and looks for patterns within those files that match those of protected and sensitive data (such as Social Security numbers, credit card numbers, Fordham ID numbers, etc.) and may not be shared in a secure manner in accordance with Fordham’s Data Classification Policy.
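As an added illustration of the kind of pattern matching described above (this is not CloudLock’s code; its detection rules are not published on this page), the scanner below looks for the two pattern classes the answer names, Social Security numbers and credit card numbers, and applies plausibility checks so that phone numbers and invoice numbers are not flagged. The Fordham ID format is not given here, so it is left out; the sample document is constructed.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

struct dlp_findings {
    int ssn;    /* plausible Social Security numbers found */
    int card;   /* digit runs of 13-19 digits that pass the Luhn check */
};

static int is_digit(char c) { return isdigit((unsigned char)c); }

/* A string starting with "ddd-dd-dddd" that also respects SSA issuance rules:
 * area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are never issued. */
int ssn_plausible(const char *s) {
    for (int i = 0; i < 11; i++) {
        if (i == 3 || i == 6) { if (s[i] != '-') return 0; }
        else if (!is_digit(s[i])) return 0;
    }
    int area   = (s[0] - '0') * 100 + (s[1] - '0') * 10 + (s[2] - '0');
    int group  = (s[4] - '0') * 10 + (s[5] - '0');
    int serial = (s[7] - '0') * 1000 + (s[8] - '0') * 100 + (s[9] - '0') * 10 + (s[10] - '0');
    if (area == 0 || area == 666 || area >= 900) return 0;
    if (group == 0 || serial == 0) return 0;
    return 1;
}

/* Luhn mod-10 check over an ASCII digit string; card numbers are 13-19 digits long. */
int luhn_valid(const char *digits, size_t n) {
    if (n < 13 || n > 19) return 0;
    int sum = 0, dbl = 0;
    for (size_t i = n; i > 0; i--) {
        int d = digits[i - 1] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Walk the text once; every digit starts a candidate, tried first as an SSN, then as a card. */
struct dlp_findings scan_text(const char *text) {
    struct dlp_findings f = {0, 0};
    size_t len = strlen(text);
    size_t i = 0;
    while (i < len) {
        if (!is_digit(text[i])) { i++; continue; }
        /* SSN candidate: the 11 characters must be followed by a non-digit or the end */
        if (i + 11 <= len && ssn_plausible(text + i) && !is_digit(text[i + 11])) {
            f.ssn++;
            i += 11;
            continue;
        }
        /* Card candidate: a digit run, allowing single spaces or dashes between groups */
        char digits[32];
        size_t n = 0, j = i;
        while (j < len && n < sizeof digits) {
            if (is_digit(text[j])) { digits[n++] = text[j++]; }
            else if ((text[j] == ' ' || text[j] == '-') && j + 1 < len && is_digit(text[j + 1])) j++;
            else break;
        }
        if (luhn_valid(digits, n)) f.card++;
        i = j;   /* j > i here because text[i] is a digit */
    }
    return f;
}

/* Constructed sample document: one real-looking SSN, one Luhn-valid test card number,
 * plus a phone number, an invoice number, an unissued SSN and a card number with a bad check digit. */
static const char SAMPLE_DOC[] =
    "Student record (constructed): SSN 123-45-6789, phone 718-817-3999, "
    "card 4111 1111 1111 1111 exp 12/24, invoice #20180213, "
    "not an SSN 000-12-3456, card 4111-1111-1111-1112 fails Luhn";

int main(void) {
    struct dlp_findings f = scan_text(SAMPLE_DOC);
    printf("SSNs: %d, card numbers: %d\n", f.ssn, f.card);
    return 0;
}
```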

What is considered protected and sensitive data?

Protected data contains personally identifiable information (PII) such as Social Security numbers and credit card numbers.

Sensitive data has been deemed as such based on internal standard operating procedures. It contains data such as employee compensation and annual budget information. You can read more about how Fordham classifies data in Fordham’s Data Classification Guidelines. The Data Classification Grid describes regulations and policies governing protected and sensitive data. Use it to determine where and how to store your files.

What does CloudLock do when it finds a file with protected and sensitive data?

If CloudLock finds protected or sensitive data in a file, you will receive an alert from “no-reply@cloudlock-ops2.com” notifying you that the file was shared in an inappropriate manner. The file is not modified, but when you receive the alert it is advised that you perform the following steps:

  1. While viewing or editing the shared file, from the drop down menu, select File | Share
  2. Change the option “Anyone at Fordham University with the link can view” to “OFF – only specific people can access”
  3. In the “People” section add the names of the individuals you would like to share the file with

Educational Institutions Attractive Target for Cybercriminals

Via: NJ Cybersecurity and Communications Integration Cell

The NJCCIC assesses with high confidence that educational institutions across the globe will remain attractive targets for a range of cyber-attacks designed to disrupt daily operations, steal sensitive data, instill fear in the community, and hold critical operational data for ransom. In October 2017, the US Department of Education issued an updated Cyber Advisory warning schools about a new method of cyber extortion impacting institutions across the country.

In recent attacks, cyber-criminals demanded large ransom payments in exchange for sensitive student record information obtained via schools’ compromised networks. In some instances, cyber-criminals made direct threats to the safety of students and staff members via SMS messaging. According to Verizon’s 2017 Data Breach Investigations Report, the education sector was impacted by approximately 455 security incidents in 2016, with at least 73 of these events involving the disclosure of data. As the use of technology within the classroom is increasingly required for educational purposes, more schools are implementing Bring Your Own Device (BYOD) policies, allowing students and employees to connect their personal computers, tablets, and mobile phones to their networks. Unfortunately, if BYOD is not implemented with security in mind, schools could be exposing their networks and sensitive data to an increased risk of compromise created by vulnerable and infected devices. Sophisticated and profit-motivated threat actors are cognizant of this fact and will continue to target universities and school districts as many of them do not have adequate resources, funding, or staffing to properly protect and defend their networks.

  • The NJCCIC recently alerted its education sector members to a cyber-extortion campaign targeting educational institutions in Florida. In this targeted attack, emails were sent to the presidents of several colleges and universities threatening mass shootings and bombings if a payment of 1.2 Bitcoin, approximately $18,000 USD at the time, was not received. The emails originated from onlyfair[@]protonmail.com and reportedly contained threats of imminent violence against students and staff.

  • In November 2017, SchoolDesk, a company that provides website hosting solutions for schools, suffered a breach by a hacking group known for distributing ISIS propaganda videos. The breach resulted in the defacement of the Bloomfield Public School District website, where an ISIS-sponsored video was displayed for approximately two hours before being detected and removed. Although no sensitive information was accessed or released, the ability of threat actors to gain remote access to web servers highlighted the impact that third-party vendor vulnerabilities can have on educational institutions.

  • A group known as The Dark Overlord claimed responsibility for the breach of numerous school districts in several states across the US in late 2017, including the Johnston Community School District in Iowa, the Splendora Independent School District in Texas, and the Columbia Falls School District in Montana. The breaches stemmed from compromised servers that exposed confidential information including names, phone numbers, and addresses of students, parents, and staff. In some instances, students and parents received violent, threatening messages from the attackers resulting in school closures and canceled extracurricular programs.

Recommendations
The NJCCIC advises our education sector members to take proactive steps to reduce their cyber risk, beginning with comprehensive audits of their networks to identify and patch existing vulnerabilities in outdated operating systems, applications, servers, and websites. Continuously monitor systems for indicators of compromise by running reputable and up-to-date antivirus software and maintain network traffic logs in accordance with your data retention policy. Limit user privileges to only those systems and files required by one’s job functions, and implement strict authentication policies incorporating mandatory password resets, minimum character requirements, and multi-factor authentication for email, web services, and remote access tools. Additionally, encrypting systems and databases that contain sensitive personal data, financial information, and user credentials can mitigate the impacts of data breaches and render stolen data useless. Have an incident response plan in place and report cyber-attacks to your local police department, the FBI, and the NJCCIC.

Meltdown & Spectre – How to Protect Yourself

Following up on our previous post sharing what was then breaking information about these vulnerabilities, the UISO would like to share some additional best practices to follow in order to reduce one’s risk of attack.

Install Operating System Updates on Personal Devices

Staying current with security updates on personal devices is always advised, and all major operating systems not currently end-of-life have patches in place that aid in reducing risk. The following are guides for updating one’s operating system for those not familiar with the process.

Limit JavaScript in your Web Browser

One of the methods by which Meltdown and Spectre can be triggered is via JavaScript, which can be activated by visiting a website hosting malicious code intentionally or via a targeted advertisement. The UISO recommends adding a browser extension that limits exposure to potentially malicious JavaScript.

For performance purposes, it is recommended to install one or the other of these extensions, but not both.

Research is still underway, and as further methods to mitigate the risk posed by these vulnerabilities are assessed by the information security community we will share them accordingly.

As always, please subscribe to this blog, our Twitter feed, or our FaceBook page for updates, and contact the UISO with any questions or concerns.

Article: “Meltdown” and “Spectre”: Every modern processor has unfixable security flaws

A major security flaw has been revealed to be present in every modern processor. Details can be found below.

Via: Arstechnica

“Windows, Linux, and macOS have all received security patches that significantly alter how the operating systems handle virtual memory in order to protect against a hitherto undisclosed flaw. This is more than a little notable; it has been clear that Microsoft and the Linux kernel developers have been informed of some non-public security issue and have been rushing to fix it. But nobody knew quite what the problem was, leading to lots of speculation and experimentation based on pre-releases of the patches.

Now we know what the flaw is. And it’s not great news, because there are in fact two related families of flaws with similar impact, and only one of them has any easy fix.

The flaws have been named Meltdown and Spectre. Meltdown was independently discovered by three groups—researchers from the Technical University of Graz in Austria, German security firm Cerberus Security, and Google’s Project Zero. Spectre was discovered independently by Project Zero and independent researcher Paul Kocher.

At their heart, both attacks take advantage of the fact that processors execute instructions speculatively. All modern processors perform speculative execution to a greater or lesser extent; they’ll assume that, for example, a given condition will be true and execute instructions accordingly. If it later turns out that the condition was false, the speculatively executed instructions are discarded as if they had no effect.

However, while the discarded effects of this speculative execution don’t alter the outcome of a program, they do make changes to the lowest level architectural features of the processors. For example, speculative execution can load data into cache even if it turns out that the data should never have been loaded in the first place. The presence of the data in the cache can then be detected, because accessing it will be a little bit quicker than if it weren’t cached. Other data structures in the processor, such as the branch predictor, can also be probed and have their performance measured, which can similarly be used to reveal sensitive information.

Meltdown

The first problem, Meltdown, is the one that stimulated the flurry of operating system patches. It uses speculative execution to leak kernel data to regular user programs.

Our original coverage gave a high-level summary of how operating systems virtualize system memory, the use of page tables to map from virtual memory addresses to physical addresses, how processors cache those mappings, and how the kernel’s page table mapping is shared between processes in order to maximize the value of this special cache.

While all modern processors, including those from Intel, AMD, and ARM, perform speculation around memory accesses, Intel’s processors do so in a particularly aggressive way. Operating system memory has associated metadata that determines whether it can be accessed from user programs or is restricted to access from the kernel (again: our original coverage has more detail about this point). Intel chips allow user programs to speculatively use kernel data, and the access check (to see if the kernel memory is accessible to a user program) happens some time after the instruction starts executing. The speculative execution is properly blocked, but the impact that speculation has on the processor’s cache can be measured. With careful timing, this can be used to infer the values stored in kernel memory.

The researchers say they haven’t been able to perform the same kind of kernel memory-based speculation on AMD or ARM processors, though they hold out some hope that some way of using this speculation offensively will be developed. While AMD has stated specifically that its chips don’t speculate around kernel addresses in this way, ARM has said that some of its designs may be vulnerable, and ARM employees have contributed patches to Linux to protect against Meltdown.

For systems with Intel chips, the impact is quite severe, as potentially any kernel memory can be read by user programs. It’s this attack that the operating system patches are designed to fix. It works by removing the shared kernel mapping, an operating system design that has been a mainstay since the early 1990s due to the efficiency it provides. Without that shared mapping, there’s no way for user programs to provoke the speculative reads of kernel memory, and hence no way to leak kernel information. But it comes at a cost: it makes every single call into the kernel a bit slower, because each switch to the kernel now requires the kernel page to be reloaded.

The impact of this change will vary wildly depending on workload. Applications that are heavily dependent on user programs and which don’t call into the kernel often will see very little impact; games, for example, should see very little change. But applications that call into the operating system extensively, typically to perform disk or network operations, can see a much more substantial impact. In synthetic benchmarks that do nothing but make kernel calls, the difference can be substantial, dropping from five million kernel calls per second to two-to-three million.

Spectre

Owners of AMD and ARM systems shouldn’t rest easy, though, and that’s thanks to Spectre. Spectre is a more general attack, based on a wider range of speculative execution features. The paper describes using speculation around, for example, array bounds checks and branch instructions to leak information, with proof-of-concept attacks being successful on AMD, ARM, and Intel systems. Spectre attacks can be used both to leak information from the kernel to user programs and to leak it from virtualization hypervisors to guest systems.

Moreover, Spectre doesn’t offer any straightforward solution. Speculation is essential to high-performance processors, and while there may be limited ways to block certain kinds of speculative execution, general techniques that will defend against any information leakage due to speculative execution aren’t known.

Sensitive pieces of code could be amended to include “serializing instructions”—instructions that force the processor to wait for all outstanding memory reads and writes to finish (and hence prevent any speculation based on those reads and writes)—that prevent most kinds of speculation from occurring. ARM has introduced just such an instruction in response to Spectre, and x86 processors from Intel and AMD already have several. But these instructions would have to be very carefully placed, with no easy way of identifying the correct placement.

In the immediate term, it looks like most systems will shortly have patches for Meltdown. At least for Linux and Windows, these patches allow end-users to opt out if they would prefer. The most vulnerable users are probably cloud service providers; Meltdown and Spectre can both in principle be used to further attacks against hypervisors, making it easier for malicious users to break out of their virtual machines.

For typical desktop users, the risk is arguably less significant. While both Meltdown and Spectre can have value in expanding the scope of an existing flaw, neither one is sufficient on its own to, for example, break out of a Web browser.

Longer term, we’d expect a future Intel architecture to offer some kind of a fix, either by avoiding speculation around this kind of problematic memory access or making the memory access permission checks faster so that this time interval between reading kernel memory, and checking that the process has permission to read kernel memory, is eliminated.”

Source: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/
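As an added illustration (not from the Ars Technica article or the UISO), the bounds-check pattern the Spectre paper describes is shown beside the two defenses the article alludes to: a serializing instruction placed right after the check, and the branch-free index clamp that the Linux kernel adopted. It assumes a 64-bit GCC or Clang build; array1, array2 and their contents are constructed, and no timing measurement is included, since the point is the hardened shape of the code, not the leak.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
/* Constructed tables: array1 is the bounds-checked data, array2 a 256-entry table with a
 * 64-byte stride (one cache line per possible byte value), as in the paper's example. */
static uint8_t array1[ARRAY1_SIZE];
static uint8_t array2[256 * 64];

void init_tables(void) {
    for (size_t i = 0; i < ARRAY1_SIZE; i++) array1[i] = (uint8_t)(i + 1);
    for (unsigned v = 0; v < 256; v++) array2[v * 64] = (uint8_t)(v ^ 0xA5);
}

/* The unhardened pattern. Architecturally it never reads past array1, but while the branch
 * predictor assumes "in bounds" the CPU may already have loaded array1[x] for an
 * out-of-bounds x and touched array2 at an address derived from that byte, leaving a cache
 * footprint that survives after the speculation is discarded. */
uint8_t victim_unhardened(size_t x) {
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 64];
    return 0;
}

/* Mitigation 1: a serializing instruction after the check, as the article describes.
 * LFENCE on x86 waits for the branch to resolve before any later load is issued. On AArch64
 * DSB+ISB is used here because every assembler understands it (ARM's purpose-built CSDB is
 * the lighter option). Elsewhere only a compiler barrier is emitted, which is not a CPU fix. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

uint8_t victim_fenced(size_t x) {
    if (x < ARRAY1_SIZE) {
        speculation_barrier();
        return array2[array1[x] * 64];
    }
    return 0;
}

/* Mitigation 2: clamp the index without a branch (the arithmetic used by the Linux kernel's
 * array_index_nospec()). Returns index when index < size and 0 otherwise, so even a
 * mispredicted branch can only form an in-bounds address. Assumes 64-bit GCC/Clang
 * behaviour: arithmetic right shift of a negative value, index and size below 2^63. */
size_t index_nospec(size_t index, size_t size) {
    intptr_t t = (intptr_t)(index | (size - 1 - index));      /* top bit set iff index >= size */
    size_t mask = (size_t)(~t >> (sizeof(intptr_t) * 8 - 1)); /* all ones when in bounds, else 0 */
    __asm__("" : "+r"(mask));   /* keep the optimizer from folding the mask back into a branch */
    return index & mask;
}

uint8_t victim_masked(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 64];
    }
    return 0;
}

int main(void) {
    init_tables();
    printf("in bounds x=5: unhardened=%d fenced=%d masked=%d\n",
           victim_unhardened(5), victim_fenced(5), victim_masked(5));
    printf("out of bounds x=200: unhardened=%d fenced=%d masked=%d\n",
           victim_unhardened(200), victim_fenced(200), victim_masked(200));
    printf("index_nospec(200, 16) = %zu\n", index_nospec(200, 16));
    return 0;
}
```

All three variants return identical architectural results; the difference lies only in what the processor may do transiently before the branch resolves.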

The Weakest Passwords of 2017

Via: USA Today

Strong passwords, these were not.

With Star Wars: The Last Jedi now in theaters, “starwars” made its debut among the worst passwords used in 2017, according to security company SplashData.

The password “starwars” entered their list in the 16th spot, ahead of passwords including “passw0rd” and “hello.”

“Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words,” said Morgan Slain, CEO of SplashData, in a statement.

SplashData said in a statement Tuesday the list is based on more than five million passwords leaked during the year.

Once again, “123456” is the worst password of the year, followed by “password.” New entrants into SplashData’s list include “123456789” (No. 6) and “letmein” (No. 7).

The company estimates nearly 3% of people used the worst password on the list, while almost 10% have used at least one of the top 25.

To keep accounts secure, users can follow these tips:

Think passphrase, not password. Originally, experts suggested thinking of a super complex password with a variety of numbers, uppercase and lowercase letters, and symbols. The problem is they’re way too tough to remember. Instead, consider a phrase for your password, then tweak it with numbers or symbols you can more easily recall.

Use two-factor authentication. Most big websites offer an additional layer to the login process, where you can request a text message with numeric code or confirmation through an authenticator app to verify your identity.

Make passwords unique. Use a different password for every website. According to SplashData, if hackers get a password for one set of credentials, they will try them across other services.

Consider password managers. If you have a lot of logins to manage, password managers such as Dashlane and LastPass offer automatically generated passwords for the sites you use. The user will have one master password they need to remember to log in to the manager.

View the full article.