Resolve to Be Diligent and Safe
January 2019

Regarding Collection #1

Late last week, Troy Hunt of Have I Been Pwned fame wrote about the Collection #1 credential dump. In a nutshell, this massive online credential dump contained almost 773 million unique email addresses and 21.2 million unique passwords for a wide variety of services and sites. You've probably seen a few news articles circulating this week reporting on this topic.

For the average person, this could mean a significantly heightened risk of a personal or even professional security breach. We hope the information provided here gives NocTel users insight into the risk of weak passwords associated with the credential dump and what they can do to create and protect strong login credentials for their NocTel account and other online services.

How is This a Security Risk?

A lot of the risk associated with having your email address and potentially password leaked in plaintext online lies with the typical pattern of us humans reusing the same handful of passwords for the majority of sites and services we access - both personally and professionally. Because most of our memory is associative, unless we have a strong association with something or recall it frequently, we're more likely to end up forgetting it altogether. It doesn't help when thousands of others are also using "password" as their password - even worse if you're one of them.

An attacker might attempt to walk through various well-known services like online banking, Netflix, Amazon, etc. to see if you happened to be lazy and used the same email and password combination across one or more sites, which takes advantage of our natural tendencies. How badly personal accounts are compromised then becomes relative to how many different sites/services you used the same credentials at.

In smaller companies lacking proper IT management policies like password complexity requirements and regular password reset/rotation, users are more likely to intermingle personal - and potentially weak - passwords in the professional environment. Access into an employee's system or account on a business application could turn into a foothold for an attacker to do much more harm in time. An attacker could gain access to an employee's email account to then use it as a method to distribute malware, which not only harms the affected employee but also the reputability of your company.

Since NocTel control panel access and credentials are not managed by customer organization IT departments, both setting a strong password and managing that password are the user's responsibility. In our interaction with customer organizations we've also found that many implement GPO to manage passwords within the customer organization, but do not provide password managers for applications and services users access outside of it. This makes it uncomfortably likely that at least one user per customer organization is using a weak password for NocTel control panel access, with little IT can do to help mitigate the risk.

How Can I Protect Myself?

Worry not, we have a handy list to point you in the right direction as well as serve as a basic primer on how and why these actions are good personal security practice:

1.) Get a password manager. We poor humans don't have the greatest memory for accurately remembering many complex patterns, so we tend to simplify things down to several simple patterns or just use a couple complex ones. Password managers like 1Password and LastPass are among the best choices for convenience, security, and reliability in the market. Having a password manager allows you to create strong, random passwords for sites and services that require credentials for access and removes the burden of remembering every password you use. They also allow for simple sharing of these credentials with others as appropriate, and both are available on every major operating system (Windows, Mac OS, iOS, and Android) and integrate with major web browsers (Edge, Chrome, Firefox, Safari).

This item takes number one for our recommended actions because it helps end behaviors that would allow poor passwords to continue to be used and likely forgotten at some point while making adopting good practices very easy. NocTel staff make wide use of 1Password for individual accounts as well as safely sharing credentials with pertinent teammates. This alone has made bad practices of employees keeping Excel spreadsheets or sticky notes on desks of credentials completely obsolete.

2.) Check your email addresses and passwords against Have I Been Pwned. The name might sound a bit dubious, but HIBP's intent is to help safely inform people if their email addresses or passwords have appeared in any dump of credentials like Collection #1. This serves as a wake-up call to go change those passwords and take additional steps to secure accounts (like enabling 2FA, noted later on).

If you're not comfortable with this, you can always read through HIBP's Privacy Policy to better understand how these credential lookups occur. They also have a bit of a "Hall of Fame" of breaches with a short blurb about who was affected and to what degree.

Because NocTel employees are all outfitted with 1Password everyone was able to complete this item very quickly through the Watchtower feature, which actually checks all credentials stored in the employee's 1Password vaults against HIBP.

3a.) Change all email addresses/passwords that are affected - everywhere. Start with services/accounts that possess the most value to you, such as online banking, investment accounts, etc. Naturally, don't use yet another password you've used somewhere else or something that minimally meets password requirements. Having a password manager from our top recommendation makes this process a lot simpler. Plus, you don't even have to remember what you set that password to!

3b.) Consider using a passphrase instead. Password requirements have grown to require some rules that make a "safe" password rather difficult to remember. Passphrases, when done right, provide better security than passwords and also tend to be easier to recall. We've had some rather entertaining random passwords created that have included "phrases" like "2Organic_sealion_wigs".

A major part of what makes strong passwords strong is a property called entropy - basically a password's complexity based on how long it is and how many different values each character of the password can be. If you have a password that must be 8 characters long and can only be made up of digits, that means there are 10^8 possible password combinations. If we expanded that to say "0-9, lower and uppercase letters, and special characters and it can be up to 24 characters long" that greatly expands the possible number of passwords to 94^24. That's going to take almost anyone quite a long time to try to just randomly guess or brute force. Long, complex passwords or passphrases like this make trying to brute force access a waste of time for most attackers.

4.) Rotate your passwords periodically. Rotating your passwords and using a different randomly generated password even once every year can dramatically reduce the likelihood of unauthorized access on accounts. This is like changing the locks on your doors to your home every so often, so that even if someone did happen to get a copy of your key it's not going to work forever.

Again, this is something that goes much faster with the help of a password manager and a security practice NocTel staff employ annually.

5.) If sites and services you use support it, enable 2FA. 2FA (two-factor authentication) - sometimes referred to as MFA (multi-factor authentication) - adds another burden of proof on the individual trying to access an account.

Authentication is broadly classified as something you know, something you have, and/or something you are. This means things like passwords are "things you know", a key or fob is "something you have", and biometrics like fingerprint or retinal scans are "something you are". That's fine, but it's entirely possible for someone unauthorized to get a hold of one of those things and try to access a service or site posing as you. 2/MFA adds another barrier to entry requiring another proof of authorization before letting you (or an attacker) in.
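
For item 2 above, this added example (not NocTel's or HIBP's code) shows how a password can be checked against Have I Been Pwned's Pwned Passwords range lookup without the password leaving your machine: only the first five hex characters of its SHA-1 hash are sent, and the comparison happens locally. The corpus, its counts and the fake_range_api function are constructed stand-ins so the example runs offline.

```python
import hashlib

# Constructed breach corpus standing in for the service's data set:
# password -> times seen in dumps (counts are made up for illustration).
CONSTRUCTED_CORPUS = {"password": 3000, "12345678": 2000, "sunnywarm": 7}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_api(prefix, seen_by_server):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns 'SUFFIX:COUNT' lines for every corpus hash sharing the prefix."""
    seen_by_server.append(prefix)  # record everything the server learns
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Constructed decoy entry: a real response mixes in many unrelated hashes.
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines)

def pwned_count(password, fetch_range):
    """Return how often `password` appears, sending only 5 hex characters."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:  # match is done client-side
            return int(count)
    return 0

def check(password):
    """Run one lookup; return (count, list of what the server was sent)."""
    seen = []
    count = pwned_count(password, lambda p: fake_range_api(p, seen))
    return count, seen

if __name__ == "__main__":
    for pw in ("password", "2Organic_sealion_wigs"):
        count, seen = check(pw)
        print(f"{pw!r}: seen {count} times; server received only {seen}")
```
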
We hope the above recommendations encourage you to review your personal passwords and tighten any gaps or known compromised passwords you may have in use. While the above recommendations will help ensure someone cannot merely guess your password or take advantage of any poor ones you may be using, they are not a panacea for the many security risks all of us knowingly or unknowingly face daily. NocTel understands that end user security only succeeds when there is a strong balance between practicality and effectiveness.

As the landscape of digital security continues to change, we hope to keep you safe with development and improvement of our security mechanisms as well as providing you actionable information to help you stay safe not just accessing NocTel, but all sites and services you may use personally and professionally.

What Makes a Bad Password?

Bad or weak passwords are often termed as such because they're predictable, have a specific pattern that can be exploited, or lack enough entropy to present a reasonably large challenge to a typical modern computing system. Common passwords are particularly vulnerable because they are not random: the more users share the same password, the more trivial it becomes to try passwords like "password" and "12345678" first and actually get into an account rather than starting with "aaaaaaaa" then "aaaaaaab" and so on.

Other properties that make passwords weak are the use of common words and words that frequently appear together - so words like "sunny" and "warm," for example. These traits are often used in dictionary attacks that take these patterns to make better educated (but still random) guesses at passwords. On the other hand, the words "pancreatic" and "salmon" aren't strongly related, nor are they very short words.

Overall, unless a password or passphrase is randomly created there is usually a pattern that can be discovered and exploited. This is also why some services prevent you from using multiple digits in succession. That particular pattern is one that's known to be exploitable and greatly reduces the effort needed to crack a password.
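
The entropy figures from item 3b and the point above about common passwords can be put into numbers. This is an added example, not NocTel code; the common-password list, the guessing rate and the 7,776-word list size are assumptions, and it goes one step beyond the text by scoring a word-based passphrase per word rather than per character.

```python
import math
import string

# Constructed sample of widely used passwords, most popular first.
COMMON = ["123456", "password", "12345678", "qwerty", "111111"]

# Character pools: 10 digits + 26 lower + 26 upper + 32 symbols = 94.
POOLS = [string.digits, string.ascii_lowercase,
         string.ascii_uppercase, string.punctuation]

def random_bits(length, alphabet):
    """Entropy in bits when each of `length` symbols is drawn uniformly
    at random from `alphabet` choices: log2(alphabet ** length)."""
    return length * math.log2(alphabet)

def alphabet_size(password):
    """Size of the smallest combination of pools covering the password."""
    return sum(len(pool) for pool in POOLS
               if any(c in pool for c in password))

def effective_bits(password, common=COMMON):
    """Upper bound on guessing effort, in bits. A password on the common
    list falls at its rank in that list, whatever characters it uses.
    Otherwise the figure only holds if the characters were chosen randomly."""
    if password in common:
        return math.log2(common.index(password) + 1)
    size = alphabet_size(password)
    return random_bits(len(password), size) if size else 0.0

def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try the whole space at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    rows = [
        ("8 random digits (10^8)", random_bits(8, 10)),
        ("24 random chars (94^24)", random_bits(24, 94)),
        ("'12345678' on common list", effective_bits("12345678")),
        # Assumed: 3 words picked at random from a 7,776-word list.
        ("3 random words", random_bits(3, 7776)),
    ]
    for label, bits in rows:
        print(f"{label:28s} {bits:7.2f} bits  "
              f"{years_to_exhaust(bits):.3g} years")
```
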
Reset a Forgotten NocTel Password

NocTel encrypts passwords so our support team doesn't have access to what your password might have been in plain text. If you have forgotten your password you will need to use the Password Reset Tool on the control panel login page. We have a guide on our public knowledge base that walks you through the process.

Change Your NocTel Password

If you haven't forgotten your password but would like to change it to a more complex password, you can do so after you are logged in to the NocTel control panel. The action is performed under the User Setting menu option on the Reset Password tab. Check out our handy guide on our knowledge base for step by step instructions.

Account History

The NocTel control panel tracks changes made on your account to the specific user who made those changes. This is a security measure to allow for auditing activity not just to provide a paper trail to detect and correct actions made by a malicious user, but also to ensure that users who can perform various activities are making changes that don't negatively impact service operations.

NocTel Communications, Inc. · 3242 NE 3rd Ave # 230 · Camas, WA 98607-2408 · USA