NIST Draft Security Guidelines

The National Institute of Standards and Technology has issued a draft document on “Digital Identity Guidelines,” and it contains some surprises if you follow traditional password practices. Section 5.1 is the relevant section on “memorized secret authenticators,” more commonly known as passwords or PINs. The advice is based on the latest research, so it’s worth paying attention to even if it’s a change from current practice.

The minimum length for user-selected passwords should be 8 characters, and ones with 64 characters or more should be allowed. The number of possible passwords goes up exponentially with their length, so a long one is a strong one. Letting the user store a hint about the password is a really bad idea. It makes the password easy to remember, but also easy for someone who sees the hint to guess. A service should check the user’s chosen password against a list of easily guessed ones. If there’s a match, the user should be required to pick another one. Too many people will pick obvious ones like “123456” (which is also too short) or “password.” Passwords should never be stored directly on the server. Instead, it should store a hash of the password that meets certain minimum requirements. A hash is a value which is algorithmically derived from the password but doesn’t allow the password to be regenerated from it. This way, even if someone gets the password data from the server, the actual passwords aren’t compromised. The number of login attempts in a session should be limited. Password entry should use a secure connection.

Those requirements shouldn’t surprise many people, but now it gets interesting: the service shouldn’t “impose other composition rules.” That means it shouldn’t require, for instance, digits and special characters. NIST says that “users respond in very predictable ways to the requirements imposed by composition rules.” Adding a digit to the end of a password or replacing “o” with “0” doesn’t do much good. The service shouldn’t require periodic password changes for their own sake. It just makes people choose easier passwords or write them down next to the computer. Users should have the option of seeing their password as they’re entering it. Hiding it is good if others might see the screen, but it makes it hard to enter complex passwords, especially on a mobile phone keyboard where typing errors are easy.

Information theory says that a strong password is one with high entropy. Entropy, roughly speaking, is a measure of randomness. When applied to passwords, it’s measured in bits. The idea is that the number of possible passwords someone would have to guess from is the number of alternatives you can express in that many bits. Each additional bit doubles the amount of work needed to guess the password. The NIST document, though, finds this concept too vague to be useful and says that methods of calculating entropy aren’t very accurate. A known password has just one […]
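The checks described above (minimum length of 8, long passphrases allowed, a blocklist of easily guessed passwords, no composition rules, hashed storage, and a cap on login attempts) fit in a few dozen lines. The following is an added example written for this page, not code from NIST or from the draft guidelines. It assumes PBKDF2-SHA256 with a random per-user salt as the “hash that meets certain minimum requirements” (the draft does not name one here), a constructed six-entry blocklist standing in for a real list of breached passwords, a hypothetical cap of 128 characters so hashing cost stays bounded, and a simple in-memory failure counter with a hypothetical limit of five attempts.

```python
"""Password acceptance, storage and login throttling in the spirit of the
NIST 800-63B draft. Added illustration; parameters are assumptions."""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional

MIN_LENGTH = 8      # NIST draft: at least 8 characters
HARD_CAP = 128      # assumption: accept 64+ as required, cap only to bound hashing cost
DEFAULT_ITERATIONS = 600_000   # assumption: PBKDF2 work factor for new hashes

# Constructed blocklist: a real deployment would load a large breached-password list.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein", "iloveyou",
})


def _normalize(password: str) -> str:
    # Unicode passphrases are allowed; NFKC keeps visually identical input comparable.
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str, blocklist=COMMON_PASSWORDS) -> Optional[str]:
    """Return None when the password is acceptable, otherwise the reason.
    Deliberately imposes no composition rules (no digit/symbol requirement)."""
    normalized = _normalize(candidate)
    if len(normalized) < MIN_LENGTH:
        return "too short: at least 8 characters required"
    if len(normalized) > HARD_CAP:
        return "too long: at most 128 characters accepted"
    # Blocklist comparison is case-insensitive so "Password" is rejected too.
    if normalized.lower() in blocklist:
        return "too common: choose a password that is not on the blocklist"
    return None


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Store a salted PBKDF2-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"), salt, iterations)
    # Self-describing record so the work factor can be raised later per user.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"),
        bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LoginThrottle:
    """Counts consecutive failures per account; assumption: 5 attempts allowed."""

    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self.failures: Dict[str, int] = {}

    def allowed(self, username: str) -> bool:
        return self.failures.get(username, 0) < self.max_attempts

    def record(self, username: str, success: bool) -> None:
        if success:
            self.failures.pop(username, None)   # a good login clears the counter
        else:
            self.failures[username] = self.failures.get(username, 0) + 1


def attempt_login(users: Dict[str, str], throttle: LoginThrottle,
                  username: str, password: str) -> bool:
    """Throttle first, then verify; unknown users simply fail."""
    if not throttle.allowed(username):
        return False    # locked out; expiry of the lock is not modelled here
    stored = users.get(username)
    ok = stored is not None and verify_password(password, stored)
    throttle.record(username, ok)
    return ok


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    throttle = LoginThrottle()
    print(check_password("abcdefgh"))                       # None: no composition rules
    print(attempt_login(users, throttle, "alice", "wrong"))  # False
    print(attempt_login(users, throttle, "alice", "correct horse battery staple"))  # True
```

The record format carries its own iteration count, so when the work factor is raised the service can re-hash each user on their next successful login instead of forcing a reset. A production login path should also spend the same time on unknown usernames as on known ones so that timing does not reveal which accounts exist.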

ALERT: Equifax Data Breach Potentially Exposes 44 Percent of All Americans

On July 29th, it was discovered that cybercriminals had “exploited a U.S. website application vulnerability to gain access to certain files,” according to the company. In the statement released on August 7th announcing the breach, Equifax reported that those responsible had managed to access information including names, birth dates, addresses, Social Security and driver’s license numbers. 209,000 people also lost their credit card information, and dispute documents with personally identifiable information were accessed, affecting another 182,000 people. The scope of this attack is staggering, especially considering that the total population of the United States is estimated by the Census Bureau to be 324 million adults. A quick calculation tells us that the 143 million potentially affected makes up a full 44 percent of the country’s total adult population. As if this situation isn’t bad enough for Equifax, the activities of some of the company leadership are also being called into question. Chief Financial Officer John Gamble Jr., U.S. Information Solutions President Joseph Loughran, and Workforce Solutions President Rodolfo Ploder sold almost $2 million in company shares mere days after the breach was uncovered. While it is not yet clear if the breach and these sales are connected, Equifax has released a statement saying that the men had no knowledge of the intrusion when the sales were made. The company’s stock fell by more than 12 percent shortly afterward. Equifax is currently working with state and federal authorities, including the FBI, and is actively alerting those whose information was accessed through the mail. We suggest that you keep an eye on your mailbox in case you have been affected. There are plenty of websites and services, including one from Equifax, dedicated to determining whether or not your personal information was accessed; all you have to do is give these sites and services access to your personal information.

In light of what has happened, we do not recommend taking this route. Instead, you should be careful to monitor your own financial information and to report any oddities to the proper authorities. You may also be tempted to enroll in an identity protection service. Equifax themselves are offering a free year of monitoring from their service, called TrustedID. However, there have been reports that enrolling in this service will leave you ineligible to participate in a class action lawsuit against Equifax. If you decide to enroll, make sure you understand all of the fine print. Otherwise, you should make sure to go through and change your passwords and watch your credit statements for suspicious activity. This is especially true if you utilized any of Equifax’s business services, as your business could be affected as well. If you suspect that your information was stolen, the Federal Trade Commission offers a helpful guide to determining if that is the case. If so, you need to report it to the Federal Trade Commission as well as place a fraud alert on your credit report.

Backups Are Essential For The Businesses Of Today

Business-critical data can be corrupted in a multitude of ways. Malware, hackers, hardware failure, and even user error could put your business in a very precarious position if you fail to set up contingencies. In fact, a majority of small and medium-sized businesses will fail within 18 months if they are faced with a major data-loss incident. Our network-attached backup and disaster recovery system will ensure that data that is lost isn’t lost for long. The BDR works wonders because organizations understand that in order to have any continuity in the face of disaster, critical information must be maintained. The device is attached to your network and set up to your needs. Once you decide what business-critical data you want to protect, a full backup is performed. Subsequently the system will, at intervals that you choose, back up only files that have changed. This creates a much more lightweight solution than using traditional tape backups or manual HDD-to-HDD backups, as many organizations still do. The best part of the solution is that while the protected data is backed up on the NAS BDR, it is also automatically uploaded to the cloud. Hosted in an off-site data center, your data will be redundant in multiple places, both onsite and off, and ready for recovery when you need it. This provides the organization the secure data protection they are looking for in a backup system, without the manual work and downtime that many of yesterday’s top backup systems required. If you are looking for a way to protect your business from the threat of data loss, call White Mountain IT Services’s IT professionals at (603) 889-0800 to set up a consultation.

Telecom Tips from our friends at PHD Communications

Accessible Pricing for Small Businesses That Want Enterprise-Grade Solutions: Enterprise phone systems are often designed to meet the needs of large firms and often have a price that is out of reach for many small business owners. With Allworx, small business owners have access to enterprise-grade services that are affordable and easy to use.

Mobile Integration with Allworx Verge for Small Business Workforce: Today, small businesses often have mobile or telecommuting workforces. Allworx offers small businesses an enterprise solution to integrate mobile devices into phone systems with Verge. The Allworx Verge feature will allow you to:

Receive, Forward, and Hold Calls: Managing calls on the go can be challenging. With the mobile app, you will be able to direct calls to where they need to go.

Organize Contact Lists in System Directory and Mobile Devices: Finding contacts from your mobile device when you need them is often frustrating. With the Allworx mobile app, you will be able to access contacts from your business phone system or the contacts on your phone. You can also organize contacts in lists for easier access when you need to make calls.

Integration with Any Mobile Device: It can be frustrating to have to take calls on your phone when you are using another device like a tablet. The Allworx mobile app is compatible with iOS and Android devices, so you will be able to take calls on any device you are using.

Set Status and Route Calls Accordingly: You may be in a meeting or emergency where you cannot take calls. Use the mobile app to set your status as ‘away’ and set calls to automatically be directed according to the status you have set. Priority calls can override restrictions.

With Verge, business phone systems are mobile and allow businesses to access all the features.

Call Center Distribution to Management Developed for Small Business Needs: Call distribution is important in a busy office. With Allworx automatic call distribution, calls get to where they need to go, ensuring that important calls are received by the right department. Some of the features of automatic call distribution include:

Linear, Circular, Longest Idle or Ring All Distribution: Different businesses need to manage calls in different ways. Automatic call distribution allows you to choose the priority of calls and the manner in which they are distributed.

Queue Management: With automatic call distribution, you will be able to manage queues to ensure calls go to the right person and are answered in a timely manner.

Call Monitoring and Notifications: Small businesses that receive a large volume of calls need to be able to manage them efficiently. With Allworx, calls can be monitored and you can receive alerts for additional calls in the queue.

Automatic call distribution is an affordable call center solution to meet the needs of growing small businesses. It helps you to manage incoming calls to your business more efficiently.

Performance Tracking, Security and Analytics to Better Manage Business: Allworx also has several features that help you manage your business phone systems. With performance tracking, security, and analytics features, it is easier to manage phone systems. The administrative features that Allworx offers include:

Analytics and Activity Reports: Allworx gives you data on your phone system performance. You can look at different metrics like incoming and outgoing calls or the performance of employees that answer phones.

Security and […]