Ask a question. Give advice. Share resources. Looking for software or hardware recommendations? Want to know how others are using text messaging in their work? Trying to find examples of IT policies? The NTEN Discuss forum is a great resource for all of the above and more! It's the general discussion list for the NTEN community, and folks all over the US (and the world) are sharing their questions, answers, and news about nonprofit technology.

Important and doable cybersecurity actions for individuals

  • 1.  Important and doable cybersecurity actions for individuals

    Posted Jan 01, 2019 12:09
    Happy New Year NTEN'ers!


      We're doing a free cybersecurity awareness webinar on June 15th and we want to include 5-10 actionable recommendations for individuals. Our working list is below. We will be presenting this in the form of "If you do ONE thing, do this. If you do TWO things, do this and then this. If you do THREE things, do this, this and this." So the priority order is also important.


      We would love input/feedback on any additions or changes people would make.


      1. Verify - slow down and always verify before taking any action (even clicking a link) based on an email, text message or phone call.
      2. Update - keep your devices (phones, tablets and computers) completely up-to-date with current software.
      3. 2FA - turn on 2FA everywhere you can, but especially with email, document management and database applications.
      4. Passwords - Start using a password manager such as LastPass, 1Password or Dashlane. If you are already using one, work to improve your security score.
      5. Wi-fi - Avoid using public wi-fi wherever possible. Use your mobile hotspot instead.
      6. VPN - Use a virtual private network (VPN) such as NordVPN or ExpressVPN as much as possible, but especially if you have to use public wi-fi.
      7. Encrypt - Encrypt your devices, emails and communications. Start using apps like Signal for messaging, voice and video.
      8. Monitor - Sign up for HaveIBeenPwned or Firefox Monitor to get alerts if any of your email addresses show up in data breaches.
      9. SIM - Protect your mobile number from being stolen.
         1. https://motherboard.vice.com/en_us/article/zm8a9y/how-to-protect-yourself-from-sim-swapping-hacks
      10. Learn - Stay informed about good practices and new threats by subscribing to at least one newsletter or podcast on cybersecurity.
         1. https://www.cisecurity.org/resources/newsletter/
         2. https://itunes.apple.com/us/podcast/cyber/id1441708044?mt=2




    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------
    Tech Accelerate


  • 2.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 02, 2019 08:27
    Cool, thanks for the summary! It's always good to have a reminder. I guess putting your passwords on a post-it on the monitor is out then! (Just kidding)

    Would Norton password manager be OK?
    ...and really, no public WIFI?!

    ------------------------------
    Ariel Jensen-Vargas, MPA
    Digital and Communications Strategist
    NY United States
    ------------------------------


  • 3.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 03, 2019 06:19
    Ariel,

    I haven't used Norton Password Manager, but the reviews I've read aren't great. That said, if you're using it and liking it, great!

    My recommendations are LastPass or Dashlane, both of which are consistently top-reviewed password managers and both of which I've seen multiple organizations implement with success.

    As for the public wi-fi question - Greg Galloway and I had a good back and forth on that in this thread so I'll not rehash it. But if you have any questions about using public wi-fi after reading over the exchange between Greg and myself, please add them.

    Thanks!

    -JP




    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------


  • 4.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 03, 2019 11:21
    Thanks Joshua that was super-helpful!

    ------------------------------
    Ariel Jensen-Vargas, MPA
    Digital and Communications Strategist
    NY United States
    ------------------------------


  • 5.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 03, 2019 10:24
    It is super super super important that if you use a public wifi to forget the network after it's used. Phones, tablets and computers will all remember saved networks. And it is very easy for a hacker to present the public network to you and your device will connect even though it isn't that network.

    I use a password keeper. Much better than the old spreadsheet method.

    ------------------------------
    Anthony Caufield
    Organizer
    Tech4Good-LV
    North Las Vegas, NV
    ------------------------------


  • 6.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 04, 2019 08:33
    Thanks this is really helpful!

    ------------------------------
    Ariel Jensen-Vargas, MPA
    Digital and Communications Strategist
    NY United States
    ------------------------------


  • 7.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 02, 2019 08:33
    Thank you! These are great reminders.

    Doubling up on the Public Wifi question: Is public wifi with a log-in via browser just as bad as public wifi with no log-in required?

    Thanks again!

    --
    Greg Galloway | Director of ABA Technology
    greg@bookweb.org | www.BookWeb.org | www.IndieBound.org
    Direct: 914.406.7568    Main:914.406.7500

    American Booksellers Association
    333 Westchester Avenue, Suite S202
    White Plains, NY 10604





  • 8.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 02, 2019 10:00
    Good questions about using public wi-fi. I'm interested to hear what others have to say, but here is the advice I give in my trainings and that I follow.

    1. I avoid using public wifi when possible. I use my mobile data hotspot whenever I can.
    2. If I have to use public wi-fi, I check with the host to verify the correct wifi network. For example, if I am at a Marriott Hotel and I see four different wifi networks that say "Marriott", I will check with the front desk and ask them which network is the one I should use. I do this to mitigate against rogue wifi hotspots.
    3. If I have to use public wi-fi, I first close all my applications, then connect to the wifi, then start up my VPN (virtual private network), then begin using applications.
    4. If I have to use public wifi WITHOUT a VPN, then I limit my activities to basic web browsing and avoid logging into anything sensitive (like email or banking) and avoid conducting any online transactions (like purchases).
    5. I disable wifi on my mobile devices when not in use (it's a 2-second action to toggle off).

    One of the biggest threats with insecure wi-fi is a type of attack known as a "Man in the Middle" or MITM attack. The simplest way to explain this is that if an attacker can insert themselves between a sender/receiver communication (which can be easy on insecure wifi) then they can intercept, read and even modify communications. This has all sorts of implications for mischief. Simple visual below.



    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------


  • 9.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 04, 2019 08:38
    This is so fabulous and there is obviously so much interest! One more question, Joshua if you don't mind. Can you recommend any VPNs?

    ------------------------------
    Ariel Jensen-Vargas, MPA
    Digital and Communications Strategist
    NY United States
    ------------------------------


  • 10.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 05, 2019 07:09
    Ariel,

    Re: VPN recommendations. I have a short answer and a long answer (to avoid being annoying and only giving a long answer).

    Short answer: ExpressVPN or NordVPN

    Long Answer: Read this article from Krebs on Security from November 2017. Most relevant excerpt here:

    These are only some of the many factors that are important to weigh when selecting a VPN provider. I asked my favorite source for online privacy - the Electronic Frontier Foundation (EFF) - if they had any recommendations for VPN providers. Alas, their press folks told me the EFF has not yet sought to vet the claims made by various VPN companies. Instead, their media folks referred me to this site, which covers many of the concerns raised in this post in greater detail, and includes what appear to be fairly straightforward reviews and side-by-side comparisons of many popular VPN services.

    Hope that's helpful, Ariel. And thanks for all the great questions!

    -JP

    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------


  • 11.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 07, 2019 14:06
    Re: VPN, Private Internet Access is known to not keep user data. It's what I suggest folks use. RiseUp recently launched a VPN service as well and I'd trust them.

    --ken
    Ken Montenegro
    Gender Pronouns: he/him
    Information Technology Director
    Asian Americans Advancing Justice | Los Angeles

    1145 Wilshire Blvd. Los Angeles, CA 90017
    T: (213) 977-7500 (213) 241-0219
    C: (323) 545-4904
    F: (213) 977-7595
    advancingjustice-la.org
    Building upon the legacy of the
    Asian Pacific American Legal Center




  • 12.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 02, 2019 08:35
    Edited by Mary Gaughan Jan 02, 2019 09:05
    This is a good list for all of us. One thing I would change is to spell out "two factor authentication" in the description of that item. It took me a moment to figure out what you meant.
    Mary




  • 13.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 02, 2019 10:13
    Thanks again, Joshua.

    Contributing to the differing opinions I've heard on the criticality of the public wifi issue is the fact that so much of what we do on the web is conducted over https. In theory, the secure connection between my browser and Gmail, as an example, ought to give me high confidence that even if someone was intercepting those communications on that public wifi network, the browser-based encryption would make it awfully difficult for them to decode and read my mail.

    Does that logic hold up? And is "awfully difficult" a sufficient standard for transmissions that aren't exactly nuclear-launch-code sensitive?

    ------------------------------
    Greg Galloway (he/him)
    White Plains, NY
    ------------------------------


  • 14.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 02, 2019 16:20
    Greg,

    You are correct in that limiting communications to websites using HTTPS (or even better, using the EFF plugin HTTPS Everywhere) mitigates the risk of a man-in-the-middle intercepting and being able to use information.

    However, sophisticated attackers using a MITM attack can reroute your traffic and do other things to trick you into providing information (like a login or a credit card). Verifying both the correct wifi network AND the correct requirements for accessing (e.g. the password needed) can help.

    This short video may help: Cyber Attacks: "The Evil Twin"

    And to your larger question, Greg, there is usually (but not always) a tradeoff between security and convenience and it is absolutely up to each individual to make their own choices and up to each organization to decide an appropriate security posture. This list is in no way meant to be an audit or checklist that everyone should complete to be secure. It's a suggested list of actions people can take if they want to be more secure than they are now.

    Thanks for your questions! I hope these responses are helpful (and to others out there - keep the questions coming and if you disagree with anything I write here, please tell me!)

    -Joshua

    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------


  • 15.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 02, 2019 16:34
    Thanks again, Joshua. Your answers are definitely helpful.
    Lots to chew on here in 2019!




  • 16.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 02, 2019 21:02
    This is a great idea! My takes:
    1. On the Encryption bullet, not to make it unwieldy, there should be something about "learn to manage your keys" because that's such a barrier to key based encryption; there should also be something related to appropriate, "for communications that could put your clients at risk, use Signal or another end to end encrypted application". I'm worried that we're losing so much critical HR and organizational knowledge when we're using non-organizationally owned/controlled applications. You can't create an archive of Signal messages that live/stay with the organization when the employee leaves.
    2. I'd put Update at the top of the list because an updated computer is truly the foundation, after educated/trained users, for security IMHO.
    Great work Joshua and happy new year!
    --ken
    Ken Montenegro
    Gender Pronouns: he/him
    Information Technology Director
    Asian Americans Advancing Justice | Los Angeles

    1145 Wilshire Blvd. Los Angeles, CA 90017
    T: (213) 977-7500 (213) 241-0219
    C: (323) 545-4904
    F: (213) 977-7595
    advancingjustice-la.org
    Building upon the legacy of the
    Asian Pacific American Legal Center




  • 17.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 03, 2019 07:47
    Hi all,

    I really appreciate this conversation about cybersecurity awareness.

    The discussion regarding the avoidance of free public wi-fi is a good reminder that not everyone can afford to make that decision. There are many whose only option to connect is in places that provide insecure free networks. Do folks have any suggestions for those who must use public wi-fi? What can they do to mitigate the risk?

    Best,
    Deb

    Deb Socia
    Executive Director
    Next Century Cities
    617.251.8358




  • 18.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 06, 2019 06:11
    Deb,

    You asked,

    "There are many whose only option to connect is in places that provide insecure free networks. Do folks have any suggestions for those who must use public wi-fi? What can they do to mitigate the risk?"

    This is an excellent question, Deb. Thanks for asking this. Here's a list of tips I would provide in order of ease to implement and priority.

    1) Verify the public wifi you are using. If it's at a library, ask a librarian for both the correct name of the library's wi-fi and how it's accessed (password, zip code, etc.). Educate public wi-fi users that if a seemingly OK wi-fi (like "My-Library-free-wifi") asks for unexpected information (like an email, phone number or credit card) that's reason for suspicion.

    2) Update - If using your own mobile device, ensure it is up-to-date with current software and patches.

    3) Two-Factor Authentication (2FA) - Encourage the use of 2FA on all sensitive accounts (especially email). Note that if using publicly available computers then I double-down on the 2FA advice since keystroke loggers (and other tools to capture credentials) are more of a threat on public computers.

    4) All the tips on the original list of ten can mitigate risks of using public wifi. Of the ten (10) tips, only two (2) of them have any cost (#5 - using a mobile hotspot instead of public wifi and #6 using a VPN). All of the other tips are free to implement. (Note that Password managers have paid plans, but both LastPass and Dashlane have free versions)

    Thanks for asking this, Deb. I hope this response is helpful.

    -JP

    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------


  • 19.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 07, 2019 07:23
    Great suggestions, Joshua.

    I'll be sharing this info!

    Best,
    Deb

    ------------------------------
    Deb Socia
    Executive Director
    Next Century Cities
    Washington, DC
    ------------------------------


  • 20.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 03, 2019 08:02
    We have three of us joining your cybersecurity training and it sounds like it's going to be great!

    I hope this is related enough - I've been asked for examples of security agreements that other organizations have their staff sign and I can't find *anything*. I've found one or two, but they're pretty bad, and then I've found templates. Does anyone else have some sort of security guideline they give to their staff? Is anyone willing to share theirs?

    ------------------------------
    Shubha Bala
    Director of Technology
    Center for Court Innovation
    ------------------------------


  • 21.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 05, 2019 11:16

    Shubha,

    You asked,

    "I've been asked for examples of security agreements that other organizations have their staff sign and I can't find *anything*. I've found one or two, but they're pretty bad, and then I've found templates. Does anyone else have some sort of security guideline they give to their staff? Is anyone willing to share theirs?"

    I'm not 100% sure what you mean by "security agreements." My guess is that you mean something along the lines of an Acceptable Use Policy (AUP) and/or best practices guidelines for security that staff are expected to adhere to (and maybe sign off on).

    I really like these persona templates (below) we adapted from an Access Now publication.

    Here's two different versions you can take a look at, Shubha. We like these because they are visual, focus on the important things, and may actually be read, understood and practiced by staff.

    IT Policy Persona Templates

    Cybersecurity Persona Templates

    If you want to go the traditional route of multiple page policy documents, the SANS Institute has a free library of templates available: https://www.sans.org/security-resources/policies/.

    Hope that's helpful.

    -Joshua



    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------


  • 22.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 05, 2019 12:25
    Hi Shubha,

    There are lots of confidentiality policies and forms from universities and nonprofits on AASP's fundsvcs site.

    ------------------------------
    Robert

    Robert L. Weiner Consulting
    San Francisco, CA
    415/643-8955
    robert@rlweiner.com
    www.rlweiner.com
    Twitter: @robert_weiner

    Strategic Technology Advisors to Nonprofit and Educational Institutions
    ------------------------------


  • 23.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 03, 2019 11:31
    Hello Joshua,

    This is a great list. Another useful piece of information is the Australian Government's "Strategies to Mitigate Cyber Security Incidents". The action items in this strategy complement the information you have provided and give a few other suggestions such as application whitelisting, restricting administrative privileges, and macro settings. It provides 37 action items ranked in order of "relative security effectiveness rating" from essential to limited.



    ------------------------------
    William Rankin
    Manager, Compliance Services
    571.405.5378
    wrankin@networkats.com
    ------------------------------


  • 24.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 04, 2019 09:18

    For what it's worth, for password managers I've heard good things about Enpass (enpass.io) and KeePassXC (keepassxc.org).

    The EFF is a great resource for various recommendations around security:

    https://ssd.eff.org

    Martin

    Martin Hansen
    Senior Consultant / R&D Lead
    519.725.7875 x2120 | 888.817.3048

    PeaceWorks™ Technology Solutions
    101 - 554 Parkside Drive,
    Waterloo ON  N2L 5Z4
    www.peaceworks.ca

    Mission driven technology solutions


  • 25.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 22, 2019 13:02
    Thanks for introducing this thread Joshua! One thing I would add to your list of recommendations is to consider whether single sign-on is right for one's organization.

    (Full disclosure, I work for Okta, the leading independent provider of SSO and identity management tools. Before Okta I spent 10 years in nonprofits.)

    Single sign-on (SSO), as the name suggests, allows your employees to access all of the technologies they need to do their work with a single username and password. We also recommend adding multi-factor authentication (MFA) as you already suggested! Benefits to your organization include increased security, faster and easier adoption of new technologies, and a much simpler daily experience for your employees.

    Check out this NTEN article about how and why Beyond 12 chose to implement SSO and MFA: https://www.nten.org/article/the-basics-of-multi-factor-authentication-and-single-sign-on/

    Okta offers the first 25 user licenses for free for nonprofits. Click here to learn more, or reach out to me directly.

    ------------------------------
    Adam Rosenzweig
    He/Him/His
    Program Manager, Nonprofit Success | Okta For Good
    650-400-9348
    adam.rosenzweig@okta.com
    ------------------------------


  • 26.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 22, 2019 14:41
    Edited by Joshua Peskay Jan 22, 2019 15:31
    Adam,

    Thanks for the input. I very much like Okta and agree whole-heartedly that SSO is a great idea for organizations to consider as part of their security infrastructure.

    The list that launched this thread, however, was aimed at "Important and doable cybersecurity actions for individuals," and since SSO is more of an organizational thing, I do not have SSO in the list of 5 actions we recommend for individuals.

    We also have a resource called "Ten Steps to Cybersecurity Maturity" on our website. Step 4 is "Passwords and Authentication" and I must confess we do not include references to SSO in that step (focus is on 2FA and password managers). I will absolutely consider adding SSO there, Adam.

    On a slight tangent, I think there is a fair amount of confusion around Password Managers (like LastPass and Dashlane), MFA solutions (like Duo) and SSO (like Okta). I could add further confusion by including OAuth in that group.

    Would you (Adam) have any interest on collaborating on an Identity Management webinar to shed some light on the overlap and differences between these things? We can't make it the Okta show, but we can certainly talk about where Okta fits in, what it can solve for organizations and, of course, the incredibly generous nonprofit donation available from Okta!

    Ping me privately if you'd like to discuss, Adam. I think this could be a real value to the community and I'd love to have a collaborator from the space.

    -JP


    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------


  • 27.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 23, 2019 12:37
    Adam and Joshua,

    An Identity Management Webinar would be amazing. I certainly have gotten bewildered a time (or two) between sorting out what tools are SSO, password managers, and MFA is now a new one to me (I'm assuming it's not Masters of Fine Arts!). At any rate you've already got an audience of one if you decide to collaborate on a webinar.

    Kai

    ------------------------------
    Kai Williams
    Executive Director
    The IWRC
    Eugene, OR
    ------------------------------


  • 28.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 23, 2019 13:06
    Thanks Kai! Joshua and I are talking offline about how we might collaborate to bring more info to this space. Stay tuned!

    In the meantime, this NTEN article does a great job explaining the value of multi-factor authentication (MFA): https://www.nten.org/article/the-basics-of-multi-factor-authentication-and-single-sign-on/

    ------------------------------
    Adam Rosenzweig
    Program Manager, Nonprofit Success
    Okta
    ------------------------------


  • 29.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 23, 2019 12:14
    Since we are on the subject, here's the link again to the Google phishing test. It's harder than some... (and no, this is not a phishing email).
    This is good to share with staff.

    Phishing Quiz



    ------------------------------
    Beth Camero
    Technology Manager
    Quality Care Health Foundation
    California Association of Health Facilities
    Sacramento, CA
    ------------------------------


  • 30.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 24, 2019 13:57
    This may go without saying, but what about passwords? I know it has been mentioned to use password keepers, but what about the complexity of the passwords and what rules are used to create those passwords? I know the standard is at least 1 capital letter, 1 symbol or number, at least 6 characters, unable to use a password more than once and can't be your first or last name, and of course blocking passwords like Password!234. What are some other rules others are using for their passwords? I know the password keeper I use has an "autogenerate" feature but those are almost impossible to remember.

    ------------------------------
    Tom Robey
    ------------------------------


  • 31.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 24, 2019 17:58
    Tom,

    Here's the most succinct advice I can give re: passwords.

    1. Use a password manager (LastPass, 1Password, Dashlane, etc).
    2. Let the password manager manage most of your passwords. You don't need to know what they are. The password manager will autofill them. I have 500+ passwords. I know, maybe, 3 of them.
    3. For passwords you actually need to remember and type in yourself, use nice long pass phrases. I recommend fully punctuated sentences such as "I like to eat 2 donuts on Wednesdays." It's easy to remember, easy to type, and quite secure. It's exponentially better than a password like "sBd$%12rdf$" which is nearly impossible to remember. Below is a gif explanation of why a LONGER password, even with a bunch of plain English words, is much stronger than a shorter gobbledygook password. Complexity < Length.
    4. And please use 2FA where you can. Passwords are a problem, even when done well.


    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------


  • 32.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 25, 2019 09:25
    Actually, this is pretty old school thinking on passwords. The National Institute of Standards and Technology updated their recommendations a year or two ago and threw out two mainstay rules - the requirement to change them often and to make them very complex. The new standard is to make them long (pass phrases, as opposed to pass words), and to be responsive to security breaches.

    My standard password policy and maintenance recommendations are:

    - 15 characters minimum
    - a phrase that you can easily remember, but isn't readily guessable (e.g. "Ask not what you can do for your org" or "The rain in espana")
    - Subscribe to "Have I Been Pwned" (https://haveibeenpwned.com/) and change passwords whenever they've been breached (they have a useful tool to see if your password has already been breached)
    - Use a password manager and/or SSO

    The new thinking recognizes that making passwords impossible to memorize and requiring that they change frequently makes it impossible for people to remember passwords, so people often do very insecure things in order to function, such as writing them down in plain text, using the same passwords on multiple systems, etc. They also acknowledge that we just have too many passwords to make it so difficult to maintain them.

    I'm advising clients that the key to good information security is ease of use - the more we make our business systems different from our personal ones, the more we risk staff circumventing that security, not for malicious reasons, but simply in order to get their work done.

    ------------------------------
    Peter Campbell
    CIO for Hire
    Raffa - Marcum's Nonprofit and Social Sector Group (as of 2/4/19)
    Washington DC
    https://raffatech.com/
    https://techcafeteria.com
    ------------------------------
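The two posts above (Joshua's "Complexity < Length" point and Peter's NIST-style policy of a 15-character floor plus breach screening) can be put into numbers. The following is an added example written for this page; it is not code from NTEN, RoundTable Technology or any poster. It compares a brute-force search-space estimate with a conservative word-list estimate for the two passwords Joshua quoted, and it screens a candidate against a breach corpus using the same k-anonymity shape as the Have I Been Pwned range API (only the first five hex characters of the SHA-1 act as the lookup key). The breach list here is a constructed stand-in of four entries, not real HIBP data; the 7776-word dictionary size is the Diceware list; the 15-character minimum is Peter's, while NIST SP 800-63B itself requires only 8.

```python
import hashlib
import math
import re

MIN_LENGTH = 15  # Peter's floor from the post above; NIST SP 800-63B mandates only 8

# Constructed stand-in for a breach corpus. With the real HIBP range API the client
# sends the 5-hex-char SHA-1 prefix and matches the returned suffixes locally, so the
# password never leaves the device; this table mirrors that prefix -> suffixes shape.
_CONSTRUCTED_BREACHED = [
    "Password!234",
    "sBd$%12rdf$",
    "letmein",
    "correct horse battery staple",
]


def sha1_hex(text):
    """Upper-case hex SHA-1, the digest form the Pwned Passwords API uses."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


BREACHED_BY_PREFIX = {}
for _pw in _CONSTRUCTED_BREACHED:
    _digest = sha1_hex(_pw)
    BREACHED_BY_PREFIX.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password):
    """k-anonymity lookup: the prefix selects a bucket, the suffix is matched locally."""
    digest = sha1_hex(password)
    return digest[5:] in BREACHED_BY_PREFIX.get(digest[:5], set())


def charset_bits(password):
    """Brute-force search space in bits, assuming each character is drawn from the
    union of the character classes present. This flatters phrases made of dictionary
    words, which is why word_bits() is the estimate to trust for a passphrase."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def word_bits(passphrase, dictionary_size=7776):
    """Conservative passphrase estimate: every whitespace-separated token counts as
    one pick from a word list (7776 = Diceware), ignoring the extra casing/digits."""
    words = re.findall(r"\S+", passphrase)
    return len(words) * math.log2(dictionary_size)


def check_policy(password):
    """NIST-style acceptance: length floor and breach screening, no composition
    rules and no forced rotation. Returns an empty list when the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        findings.append("found in breach corpus")
    return findings


if __name__ == "__main__":
    for candidate in ("sBd$%12rdf$", "I like to eat 2 donuts on Wednesdays.", "Password!234"):
        print(f"{candidate!r}: charset={charset_bits(candidate):.0f} bits, "
              f"words={word_bits(candidate):.0f} bits, findings={check_policy(candidate)}")
```

Even under the deliberately pessimistic word-list estimate, the eight-token sentence comes out well above the eleven-character random string, which is the point Joshua's gif was making. The breach check is the piece most composition-rule policies lack: "Password!234" satisfies every rule Tom listed and still fails here.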


  • 33.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 28, 2019 12:26
    Thanks for the information Peter, but is there any indication that this new standard will be implemented more widely anytime soon? Every website/secure portal I log into has different rules for their passwords, and all of them are still using the "outdated" security standards. It's very frustrating!
    I've had several people tell me to just use a password manager, but if I'm logging into sites from several different devices how can one password manager be used across platforms?

    ------------------------------
    Kara Brinkman-Addams
    Office Manager
    BRING Recycling
    Eugene, OR
    ------------------------------


  • 34.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 28, 2019 12:46
    Hi, Kara --

    Most, if not all password manager apps are cross-platform. I use Lastpass every day with my Mac desktop, Windows Laptop, and Android phone. There might be some Apple ones that don't acknowledge that other options exist. :)

    And, yes, I don't know when the world will catch up with the NIST recommendations, which are almost two years old now. One of the problems is that financial and security auditors aren't moving too quickly to adopt them.

    What I'm waiting for is for authentication systems (and I'm looking at Google and Office365) to start incorporating breach awareness into their platforms, so that they can be configured to force password changes when a breach has occurred.

    ------------------------------
    Peter Campbell
    CIO for Hire
    Raffa - Marcum's Nonprofit and Social Sector Group
    Washington DC
    https://raffatech.com/
    ------------------------------


  • 35.  RE: Important and doable cybersecurity actions for individuals

    Posted Jan 28, 2019 14:20

    Hi Kara,

    I'm a big fan of password wallets. And, as Peter said, most can sync between multiple devices. However, many of them handle the sync by storing your login info on their own servers (AKA cloud-based sync). I don't want my login credentials stored elsewhere, so I prefer Sticky Password. It offers the option of a local wi-fi sync (that's not the default -- you need to select this option before your first sync). SplashID offers the same feature. I believe that both work with Windows, Mac, Android, and iOS. (Neither firm pays me to say nice things about them.)

    (My favorite password wallet is RoboForm -- for whatever reason, I prefer its UI -- but it doesn't offer local wi-fi sync.)



    ------------------------------
    Robert

    Robert L. Weiner Consulting
    San Francisco, CA
    415/643-8955
    robert@rlweiner.com
    www.rlweiner.com
    Twitter: @robert_weiner

    Strategic Technology Advisors to Nonprofit and Educational Institutions
    ------------------------------
