April 30, 2022

Malware uses stolen code signing certificates from Nvidia

Following the breach of its information systems, researchers have found certificates stolen from Nvidia being used to sign malware. The attack continues to make waves.

The group of cybercriminals who recently broke into Nvidia’s systems leaked two old code signing certificates belonging to the company. Researchers warn that the certificates could be used to sign kernel-level malware and load it onto systems that enforce driver signature verification. The certificates were recovered from an archive of nearly 1 TB that also contained the source code and documentation of the GPU driver API. Nvidia confirmed that it was the target of an intrusion, saying that the hackers stole “employee passwords and some proprietary Nvidia information,” without confirming the extent of the data theft.

Looking back at the data breach

On Feb. 24, a ransomware group calling itself LAPSUS$ said publicly that it had gained admin access to several Nvidia systems over the course of about a week and managed to exfiltrate 1TB of data, including hardware schematics, source code for drivers, firmware, documentation, tools and private development kits, as well as “everything related to Falcon”, a hardware security technology built into Nvidia GPUs and intended to prevent malicious reprogramming of these GPUs. While Nvidia has confirmed the cyberattack and data breach, the company has not provided any details about the stolen data. As evidence, LAPSUS$ has published 20GB of information from the alleged cache.

The group also claims to have information about Nvidia’s Lite Hash Rate (LHR) technology. Introduced in the RTX 30 series GPUs, LHR detects whether a GPU is being used for Ethereum crypto-currency mining and reduces its performance, in order to make the graphics cards less attractive to crypto-currency miners. Miners have been absorbing the entire GPU supply, to the point of making it nearly impossible for gamers to buy GPUs because of constant stock shortages and overpricing.

To prove that they have this information, the LAPSUS$ group even released a tool that the hackers claim gives users the means to bypass the LHR limitation without reflashing the GPU firmware. After this publication, the group changed its demands, asking Nvidia to release its GPU drivers as open source for all systems, including Linux. For many years, the Linux community has been complaining about the lack of an open source Nvidia driver for that platform.

Importance of code signing certificates

Code signing certificates are used to vouch for the publisher of software, notably on Windows. It is still possible to run unsigned applications on Windows, but they trigger more visible security alerts than applications signed by a trusted developer. More importantly, by default, Windows does not allow the installation of a driver that is not digitally signed with a trusted certificate. Requiring a digital signature on drivers is an important security feature because, unlike normal user mode applications, drivers run with kernel-level privileges. They therefore have access to the most privileged areas of the operating system and can disable security products.

Before the introduction of this security feature, rootkits (root-level malware) were commonplace in Windows. Digital file signatures are also used by application whitelisting systems to restrict which applications can be run on systems and, to some extent, by antivirus programs, although the existence of a digital signature alone is not sufficient to determine whether a file is legitimate or malicious. Code signing certificates have already been stolen from developers and hackers can even buy them through different channels.

Samples discovered

The problem is that certificate revocation and expiration are not checked or enforced by all Windows security mechanisms, including the one that checks whether loaded drivers are signed, as Zoom security researcher Bill Demirkapi explained in a DEF CON talk on Windows rootkits. Since the introduction of the Secure Boot restriction in Windows 10 build 1607 and later, drivers must be signed with EV (extended validation) certificates. EV certificates require extensive verification of the identity of the person or entity requesting the certificate and are therefore more difficult to obtain and more expensive. The Nvidia code signing certificates published by LAPSUS$ expired in 2014 and 2018, respectively, and are not EV. But they can still be used to sign malicious code that will be loaded into the kernel of older Windows systems. They can also be used to try to evade detection by some security products.

Researcher Florian Roth has already found two samples of hacking tools signed with one of the certificates on VirusTotal: a copy of the Mimikatz password dumping tool and a copy of the Kernel Driver Utility (KDU), which can be used for process hijacking. Researcher Mehmet Ergene found even more malicious files signed with the certificate, including a Remote Access Trojan (RAT) for Discord. More malware abusing the legitimacy of Nvidia certificates is expected to appear. Florian Roth and Mehmet Ergene have published a YARA rule and a query for Microsoft Defender for Endpoint (MDE) that security teams can use to scan their environments for files signed with these certificates. Microsoft also offers a Windows Defender Application Control policy to block malicious drivers, which can be customized by adding new controls, and an Attack Surface Reduction (ASR) rule for Microsoft Defender for Endpoint.
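Because driver signature enforcement does not reject a signature merely because the signing certificate has expired, the hunting has to be done by the defender. The following is an added example (not the article’s code, nor Florian Roth’s or Mehmet Ergene’s published rules) that triages constructed signer records, as an inventory tool might export them, flagging files signed with a known-leaked serial, signatures timestamped after the certificate expired, and expired certificates without a trusted timestamp; the serial numbers and paths are placeholders, not the real Nvidia values.

```python
"""Triage of code-signing records for abuse of expired or leaked certificates.

Added example, not code from the original article. Records and serials
below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Serial numbers of certificates known to be leaked. PLACEHOLDERS only; the
# real serials are published in the researchers' rules, not in this example.
LEAKED_CERT_SERIALS = {"PLACEHOLDER-LEAKED-SERIAL-1", "PLACEHOLDER-LEAKED-SERIAL-2"}

# Fixed "current time" so the constructed sample gives a stable result.
REFERENCE_NOW = datetime(2022, 3, 10, tzinfo=timezone.utc)


@dataclass
class SignerRecord:
    """One signed file as an inventory tool might export it (constructed)."""
    path: str
    subject: str                        # subject of the signing certificate
    serial: str                         # certificate serial number
    not_after: datetime                 # certificate expiry date
    signing_time: Optional[datetime]    # from a timestamp countersignature, None if absent
    signature_valid: bool               # hash/chain check result reported by the tool


def assess(rec: SignerRecord, now: datetime) -> Optional[str]:
    """Return a reason string if the record looks suspicious, else None."""
    if not rec.signature_valid:
        return None  # the loader already rejects a broken signature
    if rec.serial in LEAKED_CERT_SERIALS:
        return "signed with a known-leaked certificate"
    if rec.not_after < now:
        if rec.signing_time is None:
            # Expired certificate and no trusted timestamp: nothing proves the
            # file was signed while the certificate was still valid.
            return "expired certificate without a trusted timestamp"
        if rec.signing_time > rec.not_after:
            # A legitimate publisher cannot sign after expiry; someone holding
            # a stolen key can, and the countersignature records when.
            return "signature timestamped after certificate expiry"
    return None


def hunt(records: List[SignerRecord], now: datetime = REFERENCE_NOW) -> List[Tuple[str, str]]:
    """Run assess() over all records and collect (path, reason) findings."""
    findings = []
    for rec in records:
        reason = assess(rec, now)
        if reason:
            findings.append((rec.path, reason))
    return findings


def _ts(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample inventory (paths, subjects and serials are made up).
SAMPLE_RECORDS = [
    # Genuine old driver: certificate expired in 2014, but the signature was
    # timestamped in 2013 while the certificate was valid -> nothing to flag.
    SignerRecord(r"C:\Windows\System32\drivers\legit_old.sys", "CN=Example GPU Vendor",
                 "SERIAL-A", _ts(2014, 9, 1), _ts(2013, 5, 2), True),
    # Tool signed with a certificate whose serial is on the leak list.
    SignerRecord(r"C:\Users\Public\tool_signed.exe", "CN=Example GPU Vendor",
                 "PLACEHOLDER-LEAKED-SERIAL-1", _ts(2014, 9, 1), _ts(2022, 3, 1), True),
    # Serial not on the list, but timestamped years after the certificate expired.
    SignerRecord(r"C:\Temp\loader.sys", "CN=Example GPU Vendor",
                 "SERIAL-B", _ts(2018, 6, 30), _ts(2022, 3, 2), True),
    # Expired certificate and no timestamp: validity at signing time unprovable.
    SignerRecord(r"C:\Temp\driver_nots.sys", "CN=Example GPU Vendor",
                 "SERIAL-C", _ts(2018, 6, 30), None, True),
    # Broken signature: the loader already rejects it, so it is not reported.
    SignerRecord(r"C:\Temp\tampered.sys", "CN=Example GPU Vendor",
                 "SERIAL-D", _ts(2018, 6, 30), _ts(2022, 3, 3), False),
    # Current certificate, recent signature: normal.
    SignerRecord(r"C:\Windows\System32\drivers\current.sys", "CN=Other Vendor",
                 "SERIAL-E", _ts(2024, 1, 1), _ts(2022, 2, 1), True),
]


def demo() -> List[Tuple[str, str]]:
    """Findings for the constructed sample at REFERENCE_NOW."""
    return hunt(SAMPLE_RECORDS)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```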

Google confirms acquisition of Mandiant for $5.4 billion

The investigation and incident response specialist Mandiant has been courted more and more. In the end it is Google Cloud that announced the acquisition of the company for $5.4 billion.

After the split from FireEye, Mandiant’s future was in question. At the beginning of February, the financial press reported interest from Microsoft in acquiring the investigation and incident response specialist. According to The Information (paywalled), a second player, and hardly a minor one, Google, was positioned to buy Mandiant; the Mountain View company was reported to have made an offer to that effect.

Just like Microsoft, Google could thus strengthen the security side of its cloud offering, especially in the area of incident response and remediation. For several months, Google Cloud has been building up in this area of security, as shown by the acquisition of Siemplify last January for $500 million. However, its security business is still marginal compared to Microsoft, which generated more than $15 billion in revenue in this area last year.

With this renewed interest, Mandiant’s share price soared by more than 16% yesterday to $22.49 per share, valuing the company at $5.26 billion. The company is growing rapidly, with revenues of $133 million in Q4 2021 (ended December 31), up 21% year-on-year. It regularly responds to incidents at hacked organizations. In the context of the Ukrainian conflict, Mandiant’s expertise could become even more valuable. Will we see a bidding war?

UPDATE: From rumor to reality there is only one step. Google Cloud has just announced that it has signed a definitive agreement with Mandiant for its acquisition. The cloud provider is proposing a price of $23 per share for a total of $5.4 billion.

NSA urges companies to adopt zero trust

The U.S. intelligence agency recommends that IT administrators take several security measures to protect their companies’ infrastructure from threats.

Recently, the National Security Agency (NSA) made several detailed recommendations for companies to secure their network infrastructure against attacks. One can only imagine that the war in Ukraine had something to do with the release of this report. The proposals include secure configuration tips for the most common network protocols. The agency also insists on the adoption of basic security measures for all networks. While the NSA report emphasizes the importance of zero-trust principles for protecting networks, the bulk of the recommendations focus on specific steps network administrators should take to protect their infrastructure from compromise.

Using secure, frequently renewed passwords for all administrator accounts, limiting login attempts and updating potentially vulnerable systems are among the tips. The report also describes secure configurations for Secure Shell (SSH), HTTP and Simple Network Management Protocol (SNMP). “Improper configuration, improper handling of configurations and weak encryption keys can expose vulnerabilities in the entire network,” the report says. “All networks are at risk of being compromised, especially if devices are not properly configured and maintained.”

Focus on AAA servers

In addition, the NSA recommends the use of network access control systems, which add an extra layer of security to enterprise networks. The idea is to have a robust system in place to identify individual endpoints on a network, since port security can be difficult to manage and tracking connected devices by MAC address can be circumvented by an attacker. The agency also considers the use of centralized authentication, authorization and accounting (AAA) servers a strong security measure. According to the NSA, this makes it easier to move away from potentially vulnerable legacy authentication methods, since AAA servers do not rely on credentials stored on the connected devices themselves, which are comparatively easy to compromise. “Doubling the deployment of AAA servers – which manage requests for system resources – provides a level of redundancy and helps to more easily detect and prevent malicious activity,” the agency further states in its report.

To ensure the security of enterprise networks, the agency also recommends the use of robust logging techniques. According to the NSA, “ensuring that the network infrastructure captures a sufficient amount of logging data makes identifying and tracking a potential attack much simpler than it otherwise would be.” Login attempts, both successful and unsuccessful, are particularly important in this regard, but the agency notes that generating too many messages could complicate log review. The NSA report, available for download, goes into detail about how Cisco IOS users should apply the majority of the recommendations it suggests, but the general principles are valid for users of any vendor’s network equipment.

Dirty Pipe flaw threatens Linux and Android distributions

A vulnerability that is relatively easy to exploit has been discovered in the Linux kernel. It affects several Linux distributions, as well as Google’s Android.

While analyzing a problem raised by a customer of the hosting company Ionos, an expert discovered a flaw in the Linux kernel. It is tracked as CVE-2022-0847 and carries a CVSS severity score of 7.8. Max Kellermann, a developer at Ionos, named the flaw Dirty Pipe, echoing a similar vulnerability named Dirty Cow (CVE-2016-5195) that was revealed in October 2016. In his analysis, the specialist found “a surprising case of corruption” affecting web server access logs. Specifically, the flaw is located in the Linux kernel and gives attackers the ability to overwrite data in any read-only file and take complete control of the affected systems.

A PoC published

According to Max Kellermann, the vulnerability has existed since version 5.8 of the Linux kernel and leads to “an elevation of privileges, as unprivileged processes can inject code into the root processes”. In detail, the weakness lies in the way pipes are managed. Short for pipeline, a pipe is a one-way inter-process communication mechanism in which a set of processes are chained together. To use the flaw, according to the specialist, you have to: create and fill a pipe with data, empty the pipe, splice the data from the target read-only file into it, and write arbitrary data to the pipe.

He demonstrated his work with a PoC exploit. Attackers can perform a number of malicious actions on a system, including altering sensitive files such as /etc/passwd to remove the root user’s password, adding SSH keys for remote access, and even executing arbitrary code with the highest privileges. “To make this vulnerability more interesting, it not only works without write permissions, but also with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts),” Max Kellermann points out.

Patches to be installed urgently

The problem was fixed in Linux versions 5.16.11, 5.15.25 and 5.10.102 on February 23, 2022, three days after it was reported to the Linux kernel security team. Google, for its part, integrated the patches into the Android kernel on February 24, 2022. Given the ease with which the flaw can be exploited and the release of the PoC exploit, users are advised to update Linux servers immediately and to apply patches for other distributions as soon as they are available.
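A patch-status check built from the version boundaries the article gives (introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102), as an added example that is not code from Max Kellermann’s write-up. It inspects only the upstream version number in a kernel release string; distribution kernels such as “5.15.0-25-generic” carry backported fixes that the number does not reveal, so a “vulnerable” verdict means “check the vendor advisory”, not “confirmed exploitable”.

```python
"""Is this kernel release inside the CVE-2022-0847 (Dirty Pipe) window?

Added example, not code from the original article. Boundaries come from the
article: affected since 5.8; fixed in 5.16.11, 5.15.25 and 5.10.102.
Distribution kernels with backported fixes are NOT recognised by this
upstream-number check.
"""
import platform
import re

FIRST_AFFECTED = (5, 8, 0)
# Stable branches that received the upstream fix, and the first fixed release.
FIXED_IN_BRANCH = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
# Mainline released after the fix landed, so every later series is clean.
FIRST_CLEAN_SERIES = (5, 17)


def parse_release(release: str):
    """'5.15.25-200.fc35.x86_64' -> (5, 15, 25); '5.8' -> (5, 8, 0).

    Only the leading major.minor[.patch] is used; suffixes are ignored.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(release: str) -> bool:
    """True if the upstream version falls inside the affected window."""
    major, minor, patch = parse_release(release)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False                  # older than 5.8: flaw not present
    if (major, minor) >= FIRST_CLEAN_SERIES:
        return False                  # 5.17 and later ship with the fix
    fixed_patch = FIXED_IN_BRANCH.get((major, minor))
    if fixed_patch is None:
        # 5.8, 5.9 and 5.11-5.14 were end-of-life when the fix was released
        # and never received it upstream.
        return True
    return patch < fixed_patch


def check_running_kernel() -> str:
    """One-line verdict for the kernel this script runs on."""
    release = platform.release()
    if platform.system() != "Linux":
        return f"not Linux ({platform.system()}); nothing to check"
    verdict = "in affected window" if is_vulnerable(release) else "outside affected window"
    return f"{release}: {verdict} (verify backports with your distribution)"


if __name__ == "__main__":
    print(check_running_kernel())
```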

Digital transformation: no success without integrated cybersecurity

Salesforce recently took significant steps to strengthen its security protocols, requiring all users to implement multifactor authentication (MFA) to access its products, solutions and platforms. The requirement complements initiatives launched by other tech giants, such as Google and Twitter, and comes as sophisticated cyberattacks continue to target businesses of all sizes and industries.

Op-ed – According to Charles Cao, Chief Operating Officer and Chief Strategy Officer at Conga, this acceleration of action by players involved in digitalization is necessary in an environment where cyber risks are very high for organizations, which must put cybersecurity at the forefront:

“For two years now, we have observed a significant acceleration of digital transformation within companies to meet the changing needs of customers. These major and rapid changes have allowed organizations to maintain or even boost their business in the face of a rapidly changing society. For many companies, digital has generated a significant number of business opportunities.

At the same time, these transformations have exposed organizations to new threats that they now face. They have to deal with new ways of working, dispersed employees, between office and remote work, and thus the need to assess the risks linked to the proliferation of connected devices, both professional and personal. As a result, the volume of sensitive and critical data in circulation has increased considerably, as has the attack surface. Coupled with more stringent regulations and compliance requirements, it is imperative that organizations realize the strategic value of cybersecurity as a driver of sustainability and growth.

To meet these challenges, cybersecurity must be integrated into the design and development of the digital transformation strategy. It should not be treated as a simple reflection once the process is underway. Today, organizations have begun to recognize the need to establish a solid security strategy and successfully implement it. This is because leaders increasingly understand that they need to go beyond compliance and ensure they have the capabilities to keep the business running and the data secure. Data security is essential to protect intellectual property and to build trust with employees, partners and customers.

This includes adopting tools that can identify malicious activity, respond to attacks and recover quickly to minimize the impact on business operations. Organizations also need flexible and scalable solutions to verify that users are who they say they are. This includes restricting access to corporate resources and protecting identities to reduce the risk of data loss and unauthorized access.

In addition to technology, organizations also have an important role to play in raising employee awareness. People are often the weakest link in the chain. A solid strategy cannot succeed if employees are not trained in cybersecurity issues, company policies and incident reporting. Even the best protection tools are not foolproof when employees commit malicious actions, intentional or not. Education and awareness of company policies and best practices, through regular training and simulations, is the best way to reduce negligence as well as the risk of compromise.

If digital transformation is now a must for businesses, so is cybersecurity in light of today’s cyber threats. Cyber risk is omnipresent and no organization is immune. It is no longer a question of if an attack will occur, but when; which is why it is essential to integrate security into your digitalization strategy. It is a crucial issue for the sustainability of activities, but also a real competitive advantage, since the slightest cyber attack can have major consequences from an economic and financial point of view, but also in terms of reputation.”

Entrusting passwords and credit cards to your browser: what are the limits, what are the risks?

The password and credit card storage built into every browser is so convenient that it is difficult not to succumb to it. Why bother taking your credit card out of your wallet when your web browser can memorize it for you? A practical feature, yes, but one with limitations. Whether it is Chrome, Firefox, or Safari (and even Edge), all of them now offer features to remember or generate passwords and store credit card numbers, and to synchronize them between devices. On condition, of course, that you link your browsers to user accounts.

The main limitation: the main account that can be hacked

Are your passwords and credit cards secure when they are stored in your browser? Overall, yes. Taking Chrome as an example, viewing your passwords (in plain text) requires you to enter your Google Account password every time. That is both the primary protection (your Google Account password is robust, isn’t it?) and the greatest weakness of the system: if a hacker manages to access your account (there are many techniques), he also gets his hands on the rest of your passwords. This limitation probably explains why Chrome stores credit card numbers only locally and does not synchronize them with the Google Account.

The best solution at the moment: use a password manager

Today, nothing prevents you from using Chrome, Firefox, or Safari to remember your passwords or from using their memory to remember your credit card numbers. But there are tools specifically designed to retain and protect your sensitive data: these are password managers.

The principle is simple: the application records all passwords, credit card numbers, personal documents, or private notes and protects them with a master password. It is the only password the user must remember. In addition, several extra layers of security make it much more secure than a web browser.

Each time you sign in from a new device, you must confirm your identity from an already approved device. Some managers offer two-factor authentication, which limits the risk of brute force attacks and hacking.

Once passwords and credit cards have been saved, the application fills them in automatically on the relevant websites or applications, without ever showing them in cleartext. And this regardless of the device used: in the Premium version, this type of application can be synchronized across all the user’s devices on which it is installed, on a computer (PC, Mac or Linux) as well as on mobile (Android or iOS).

Why do you need to use a secured password manager in 2019?

Any IT security expert will tell you: it is never too late to optimize your password management system. Here is a small selection of software to make the task easier.

The most secure way to store a password is, of course, to erase it from every online device and memorize it. But not everyone has this ability. It must be said that a good password consists of letters and numbers in mixed case plus special characters, which complicates matters from the outset. Besides, every time a database is hacked, we are told that it is better to choose a different password for each of our accounts. The brain can therefore quickly overheat with the increasing number of platforms we use every day.

Of course, we know the password managers embedded in browsers, but some software goes a little further and offers more comprehensive and robust services. On the one hand, not all browsers store passwords encrypted on the user’s machine. On the other hand, the feature may not be available on all platforms. Finally, these managers most often lack functionality.

LastPass, the most comprehensive solution

LastPass is one of the best-known services in this market. Although the company has applications for Windows and OS X, they are only configuration wizards for creating a user account. All management is effectively based on an online interface.

Like Dashlane, LastPass does not just store passwords securely. There is a section where you can place secure notes. It is also possible to enter pre-filled forms, whether it is an identity card, an address, a credit card, or even a custom form.

LastPass has a community dimension with the ability to share passwords securely and also offers to specify one or more contacts in case of an emergency. The Security Challenge section is attractive because it reviews all passwords and assesses their overall security, for example, by identifying duplicates.

Dashlane, an attractive but expensive application

Dashlane is a relatively new service, dating back to 2012. Its interface is incomparably more modern than that of KeePass, and the service goes beyond simple password management.

In the left-hand sidebar there is a section called “Portfolio,” which stores personal data for the automatic filling of input fields on websites. It is also possible to enter credit cards, save copies of identity documents or file payment receipts there. In the “Contacts” section, it is possible to determine which data can be shared with a third party and also to specify a privileged contact in case of an emergency.

Dashlane includes extensions for Google Chrome, Safari, Internet Explorer and Firefox browsers and, to some extent, for other Chromium-based browsers.

The user does not have direct access to the database created by Dashlane, with one consequence: it cannot be stored in a directory associated with an online storage service. Cross-platform synchronization is instead a paid option (from 40 euros per year). The subscription also comes with unlimited sharing of notes and IDs with your favorite contacts, user account backup, and priority support.

KeePass, the leader in free software

KeePass is the open-source reference for password management. The software manages several databases, which are protected by a master key. The interface may seem relatively austere. In the left side panel, we find a tree structure with various default sections: Windows, Networks, Internet, eMail, Home banking.

Since its development is open source, KeePass has an extensive catalog of third-party plugins. For example, they allow you to back up the database, integrate the software into a browser, synchronize the database with an online service or ensure compatibility with other software when importing.

For added security, the application can lock itself automatically once the window is minimized, when another user session on the computer is activated, or before the machine enters sleep mode. In addition to secure password storage, the software offers to generate passwords for new accounts.

Quantum computers: a threat to the digital economy

We are increasingly called upon to operate in the cyber world, as economic agents or as citizens, and now also as patients or tourists. While we were quickly won over by the benefits of this cyber world, we were slow to perceive the dangers we may encounter there. Recent events have forced us to do so abruptly. Ransomware such as WannaCry has invaded the news and opened our eyes.

Fortunately, faced with the risks of these new uses, we have two significant advantages. We have at our disposal cryptographic algorithms that provide, on the one hand, a guarantee of identity and, on the other, the confidentiality of exchanges. The most widely used algorithms are based on asymmetric keys. In a communication, each participant has a private key and a public key that he provides to his interlocutors. The private key is used to sign messages, and recipients can check their integrity by verifying the signature with the public key.

The link between the public key and the private key also allows the recipient to verify the identity of the sender. They can also send an encrypted response with the public key, and only the person possessing the corresponding private key can decrypt it.

Very often these are RSA keys, named after the initials of their inventors (Ronald Rivest, Adi Shamir, and Leonard Adleman). The principle has been known since 1977. It is based on the difficulty of recovering two large prime numbers from their product.

However, the appearance of quantum computers is shaking all this up; the mathematician David Shor showed in 1994 that they could, in theory, be used to quickly factor large numbers, breaking not only RSA keys but also those based on elliptic curve mechanisms. The qubit is the elementary unit that these computers handle; unlike the bits of conventional machines, a qubit does not correspond to a single possible state but to a superposition of states. The number of qubits is a measure of the power of a quantum computer. These results were achieved using a D-Wave 2000Q computer. As its name suggests, this computer consists of 2000 qubits, but these qubits are of a particular type that cannot be used for the factorization problem. The quantum computers on which Shor’s algorithm can actually be run are currently much less powerful, with fewer than 80 qubits, because they are more complex to build. It is nevertheless a significant step. While there is still a long way to go to the factorization of 2048-bit numbers, since the largest number factored so far is 18 bits, a sword of Damocles now hangs over the security of RSA keys.

It is crucial to prepare for these changes as soon as possible to ensure a smooth transition. It is difficult to predict when the first sufficiently powerful quantum computers will be built, or even whether they will ever exist, but by the time they are here, it will be too late to act.

Tired of Google? Here are the best alternative search engines in 2019

There are many search engines, but few of them are interesting. After combing through the endless lists of the “best” and testing them myself, I created this list that contains only the search engines that I would recommend. Take a look at the list below, and you’ll see that there’s a lot to be gained by leaving Google.

DuckDuckGo

DuckDuckGo is the best choice for those who want privacy without sacrificing simplicity and user-friendliness.

There are a ton of ways to try to keep your Internet activities private, but not all of them are practical or easy to use. If you switch to DuckDuckGo, you will find an alternative search engine that offers an additional level of privacy without any friction. The home page and search results pages are immaculate and straightforward.

There are excellent privacy features, including blocking third-party ad network trackers, increasing encryption protection on websites you visit by default, not tracking searches, displaying a privacy level for the websites you visit, and more.

Bing

Bing is the only option to consider if you want a beautiful homepage, very relevant results, few ads, and a robust ecosystem that rivals Google’s.

One of Bing’s highlights, the home page, features a rotating selection of beautiful wallpapers from around the world, as well as non-intrusive news at the bottom. The search results offered by Bing are relevant, but they also provide suitable suggestions and links related to your query, much like Google does, and with very few ads compared to other search engines. Of course, you can log in with your Microsoft account, connect to a full suite of services like Outlook and Office, and even earn Microsoft Rewards points for your searches.

Yahoo

If you want a search engine that works, while putting the news that interests you first: Yahoo is the way to go.

Yahoo offers an experience you will remember from the good old days of the Internet, with the home page serving as a hub for news, weather, sports results, trends, and of course, a link to your Yahoo Mail account. Try it if you feel nostalgic and you might be pleasantly surprised.

Qwant

Qwant is a European alternative to Google, whose business model is based on the protection of its users’ personal data and privacy.

With this search engine, everything is done to protect confidentiality and privacy as well as possible. Cookies are not placed on the user’s browser. Qwant also does not keep any history and does not sell any collected data. Qwant only uses data provided voluntarily and publicly by users.

The results are very relevant, and the suggestions are reliable. There is no advertising to interfere with your experience. Try it if you feel concerned about your privacy.

Tips to secure your passwords

If your password looks like “123456”, “qwerty,” “password” or “iloveyou” then be prepared to change it. Your accounts are far from secure.

It is sometimes very easy for malicious people to discover a password, and when this happens, it is a direct entry into your data.

To avoid this situation, it is essential to strengthen your password, and here’s how to do it.

Create several passwords

Many of us use only one password for all our accounts for memorization purposes.

However, this is a practice to avoid because if someone were to discover your password, they would have easy access to all your data.

To avoid being hacked in cascade, use a unique password for each account.

Use a password generator

A simple solution: a password generator will provide you with a sequence of random letters and numbers, difficult to remember but also difficult to crack.

Dashlane is a recognized password generator that gives you the ability to choose the length of your password. You can even choose whether or not to include letters, numbers, and symbols.

Focus on length

If you do not want to use a password generator but prefer to create it yourself, bet on the length.

This means that you must insert more than ten characters, 12 and 14 being good averages.

The longer your password is, the more complicated it will be to guess.

Vary the characters

Beyond the number of characters, their type is also essential.

Ideally, your password should contain four different types of characters:

  • Capital letters
  • Lower-case letters
  • Some numbers
  • Special characters

Feel free to mix them well to obtain a random effect, which brings us to the next point.

Prefer randomness

Your password should not have any particular meaning such as a date, a nickname, your dog’s name, a logical sequence of numbers and letters, etc.

Choose a random password, which means nothing.

Change your password regularly

For greater security, it is recommended to change your password regularly, especially in companies when they provide access to sensitive data.

If someone leaves your company or if you stop working with a service provider who has access to some of your accounts, change your passwords quickly.

Remember passwords without writing them down

Once you have created a secure password, you realize that it is difficult to remember, especially since you have several of them if you followed advice #1.

Our reflex would be to write them down in a notebook, in our smartphone, in a text file… It’s a terrible idea, unless you want your passwords to be easily stolen.

So how do we do it? You can use your memory or…

Use a password manager.

A password manager is a database in which you can securely store your IDs and passwords. To access it, you will, of course, have to enter a password, but it will be the only one you have to remember.

Why Change is Good; At least for Your Passwords

It almost seems that every website you visit today requires you to register for access. It’s great that the website is free, but not another registration. Oh great, another username and another password to remember.

If you’re like most people, you use the same username and password for all your website registrations and possibly even for your email accounts. Most respectable websites have privacy policies, as do most fraudulent ones. The validity of a privacy statement is only as honorable as the people behind the website.

Any dishonorable webmaster who collects usernames and passwords from his visitors could have access to any other website you have registered on or email accounts you use. There is absolutely nothing keeping a dishonorable webmaster from testing the password you provided in your registration against the email address you use.

For example, let’s say your email address is john_doe@hotmail.com. You register on Free-Acme-Widgets.com, which claims to be giving away free widgets. After a few months, you realize you never received your free widget, but during that time you notice you’re having problems with your email account or have totally lost access to it. Jack, who owns Free-Acme-Widgets.com, could have been a dishonorable person: he noticed you used john_doe@hotmail.com in your registration, went to hotmail.com and tried logging into your account with the same password you used in the registration for his website. If your password was the same, he now has access to your email account and can read your email, use your account or steal it away from you.

So, how do you prevent this? Never, or rarely, use the same password. I use one email account for most of my website registrations and then change the email address in the account if I decide I need the emails from that particular website. I also use the same or similar password for website registrations that I could care less if someone else gets in under my account. Always keep your email and bank account passwords different than any other passwords.

A good rule to follow is: if you don’t want someone else to access that account, use a different password than any you’ve ever used on the net before.

Keeping Your Passwords Secure

As the web has evolved, so have the methods of collecting personal information. A large number of websites require visitors to register to gain access or participate. While the need for registration is understandable, tracking user names and passwords can be burdensome. Consider using software to store your passwords, in a safe accessible manner.

Most websites have privacy policies, but the value of a privacy statement is only as honorable as the people behind the website. Here are suggestions for keeping passwords and your information secure:

1.) change your password frequently
2.) never share your password with anyone
3.) try to choose a password that doesn’t need to be written down, but is not so obvious that others could easily guess it
4.) be sure your password is at least 6 characters
5.) don’t use a password consisting of all the same character
6.) don’t send your password via email or provide it over the phone
7.) don’t use pet, family or friend names
8.) don’t use your telephone number, zip code or address
9.) use a different password for each account
10.) don’t use your user name as your password
11.) deactivate accounts for terminated employees
12.) don’t allow shared accounts
13.) use a password containing upper- and lowercase letters, numbers and non-letter characters
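The rules from the tips above (length, four character classes, no common or single-character passwords, no user name) can be applied mechanically. The following is an added example, not code from either article or from Dashlane; the character-class alphabets, the 12-character minimum and the tiny common-password list are assumptions built from the page's own examples.

```python
import secrets
import string

# Character classes the page lists: capital letters, lower-case letters,
# numbers and special characters (the special set is an assumption).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}
# Constructed sample: the weak passwords quoted on the page.
COMMON = {"123456", "qwerty", "password", "iloveyou"}


def generate_password(length: int = 14) -> str:
    """Generate a random password with at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    # Start with one character from every class so none is missing ...
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    pool = "".join(CLASSES.values())
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # ... then shuffle with the OS CSPRNG so class positions are not predictable.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_password(password: str, username: str = "", min_length: int = 12) -> list[str]:
    """Return the page's rules that the password violates (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON:
        problems.append("in common-password list")
    if len(set(password)) == 1:
        problems.append("all characters identical")
    if username and username.lower() in password.lower():
        problems.append("contains user name")
    missing = [name for name, alphabet in CLASSES.items()
               if not any(c in alphabet for c in password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_password(pw))          # generated passwords pass every rule
    print(check_password("123456"))        # page example: fails several rules
```

The generator is only half of the advice: the checker also catches passwords the generator would never produce, such as one built from a user name.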

Resources
Password Software – http://www.password-software.com

Passwords are not foolproof. Do not rely on a password alone to protect sensitive information. Monitor accounts closely to ensure that security is not breached.

About the Author –
Sharon Housley manages marketing for NotePage, Inc. (http://www.notepage.net), a company specializing in alphanumeric paging, SMS and wireless messaging software solutions. Other sites by Sharon can be found at http://www.softwaremarketingresource.com and http://www.small-business-software.net