⚠️ **IT Alert** Microsoft 365 (MS365) mandatory MFA security changes coming soon

GR,

READ ME.  Please.

As you all know, security is a big concern for all of us working in a digital world.  Usernames and complex passwords or passphrases are no longer enough to protect your sensitive data.  The biggest companies get compromised not by extreme hacking (this isn’t the movies) but by somebody inside who reveals credentials.  Once in the door, they start opening more doors.

If you haven’t seen the short New York Times documentary The Teenager Who Hacked Twitter, you should watch it.  Interesting.  He had the keys to the kingdom and only went after crypto.  He could have wreaked havoc.  If you were on Twitter at the time, you remember it happening but maybe didn’t know the full story.

Phishing attempts can’t be stopped by spam filters.  They depend on tricking the end user into revealing their login credentials and then the real trouble begins.

Many people use the same username and password over and over.  It seems simple.  Passwords are hard to remember, inconvenient and a general pain in the a**, but it is the world we live in.

Here is the problem with that practice.  The phisher steals your email or some other account and then tries your password everywhere else.  You set your password resets to go to your email.  They now reset your passwords.  You get locked out while they go after every account imaginable, or they simply hold you for ransom.  Your compromised password gets posted to lists on the Dark Web and the phishing fun never stops.

Now you are just trying to get your stuff back and trying to change all those simple, reused passwords all over the place – Amazon, Meta, Twitter, Instagram, your bank, your Venmo…

We see it every day in our MS365 sign-in logs.  Here is an example from today.  Seems Sarah is working from Shanghai today.  Hope she has time to enjoy the city this Valentine’s Day.  The person probably has an old password, and they can’t get past MFA.  They are trying a single sign-on, which means username and password but no MFA.  Most likely a wrong password, but they got it from a list on the Dark Web and are knocking on every door using that password.
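The pattern described above (password-only attempts from an unexpected country, repeated failures on one account, and a correct password that is stopped only by MFA) is easy to pull out of a sign-in log export with a short script. The following is an added example, not code from the memo or from Microsoft; the record layout and field names (`auth_requirement`, `error`, `country`) are a constructed, simplified stand-in for an MS365 sign-in log export, and the sample records are made up for the example.

```python
"""Triage MS365-style sign-in records for the password-reuse pattern the memo describes.

Added example. The record layout is an assumption: a simplified,
newline-delimited JSON export with fields chosen to resemble a sign-in log.
"""
import json
from collections import defaultdict

# Countries staff are expected to sign in from (assumption for the example).
EXPECTED_COUNTRIES = {"US"}

# Constructed sample log: one normal MFA sign-in, a burst of password-only
# guesses against one account from abroad, and one attempt where the password
# was right but MFA was not satisfied.
SAMPLE_LOG = """\
{"time": "2024-02-14T09:02:11Z", "user": "sarah@example.com", "ip": "203.0.113.7", "country": "US", "auth_requirement": "multiFactorAuthentication", "result": "success", "error": ""}
{"time": "2024-02-14T09:05:40Z", "user": "sarah@example.com", "ip": "198.51.100.23", "country": "CN", "auth_requirement": "singleFactorAuthentication", "result": "failure", "error": "invalid_password"}
{"time": "2024-02-14T09:05:52Z", "user": "sarah@example.com", "ip": "198.51.100.23", "country": "CN", "auth_requirement": "singleFactorAuthentication", "result": "failure", "error": "invalid_password"}
{"time": "2024-02-14T09:06:03Z", "user": "sarah@example.com", "ip": "198.51.100.23", "country": "CN", "auth_requirement": "singleFactorAuthentication", "result": "failure", "error": "invalid_password"}
{"time": "2024-02-14T09:30:15Z", "user": "mike@example.com", "ip": "198.51.100.23", "country": "CN", "auth_requirement": "multiFactorAuthentication", "result": "failure", "error": "mfa_not_satisfied"}
{"time": "2024-02-14T10:01:48Z", "user": "mike@example.com", "ip": "203.0.113.9", "country": "US", "auth_requirement": "multiFactorAuthentication", "result": "success", "error": ""}
"""


def parse_signins(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_signins(records, expected_countries=EXPECTED_COUNTRIES, burst_threshold=3):
    """Return three kinds of findings from a list of sign-in records.

    foreign_single_factor: password-only attempts from outside expected countries.
    password_bursts: (user, ip) pairs with >= burst_threshold wrong-password failures.
    password_known_mfa_blocked: the password was accepted but MFA stopped the sign-in,
        i.e. the credential is already in someone else's hands.
    """
    findings = {"foreign_single_factor": [], "password_bursts": {}, "password_known_mfa_blocked": []}
    failures = defaultdict(int)
    for r in records:
        foreign = r["country"] not in expected_countries
        single_factor = r["auth_requirement"] == "singleFactorAuthentication"
        if foreign and single_factor:
            findings["foreign_single_factor"].append((r["user"], r["ip"], r["country"]))
        if r["result"] == "failure" and r["error"] == "invalid_password":
            failures[(r["user"], r["ip"])] += 1
        if r["error"] == "mfa_not_satisfied":
            findings["password_known_mfa_blocked"].append((r["user"], r["ip"], r["country"]))
    findings["password_bursts"] = {k: v for k, v in failures.items() if v >= burst_threshold}
    return findings


def recommended_actions(findings):
    """Map findings to the follow-up a help desk would take, one entry per user."""
    actions = set()
    for user, _, _ in findings["password_known_mfa_blocked"]:
        actions.add((user, "reset password now: it is known to the attacker and only MFA is holding"))
    for (user, _), _ in findings["password_bursts"].items():
        actions.add((user, "check for an old or leaked password being reused; confirm MFA is registered"))
    return sorted(actions)


if __name__ == "__main__":
    result = triage_signins(parse_signins(SAMPLE_LOG))
    for key, value in result.items():
        print(key, value)
    for user, action in recommended_actions(result):
        print(f"{user}: {action}")
```

The split between the last two findings matters: a burst of wrong passwords means the attacker is guessing from a leaked list, while an MFA-blocked attempt means the password itself is already compromised and must be rotated even though nobody got in.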

Here are two password managers that can make your life more secure.  They do more than logins: you can store credit cards, secure notes and lots of other stuff in a personal vault.

LastPass (I’ve used this for the last decade) and 1Password.  Check them out.

Using Chrome for passwords?  Seems safe enough, but all I need is your local password to export all your passwords.  Can’t tell you how many times I have been handed a laptop with full access to all personal websites and passwords.  I’m not just talking TikTok and Instagram.  I’m talking about bank accounts and investing accounts.  Hand your stuff to a third-party tech or the Apple Genius Bar?  Better hope that the person who touches your equipment is ethical.  That stuff is easily sold on the Dark Web.

All that said, in the coming weeks we will be changing MFA (multi-factor authentication).  You will no longer receive a text with an OTP (one-time passcode) to authenticate.  Why?  Because attackers have found a way to steal that security token transmitted over the web.  They steal that OTP, now have access to MS365, and the games begin.  They get very clever about how they exploit that breach.  You won’t know what is happening in the background.

We will move to using the Microsoft Authenticator or Google Authenticator (if you already use the Google one).  New employees are already using it, and others have made the change on their own.  I use it along with Mike, Griffin, Emily and Sarah A.

Don’t worry, it will be painless.  You can approve sign-in requests on your smartphone and use facial recognition if your smartphone supports it.  No OTP being entered into your browser to be stolen in transit.  Nothing is 100% secure but this gets us closer.

Stay tuned.

Rudy