When employees travel abroad here are ten electronic devices security tips I pulled from  a recent New York Times article, “Traveling Light in a Time of Digital Thievery” by Nicole Perlroth. Nicole discusses electronic devices security policies and practices of the State Department, Google, Bookings Institution, and McAfee executives when traveling to China and Russia.

However, because Cyber Warfare has no geographical boundaries I suggest these electronic devices security tips be used whenever anyone travels anywhere overseas; or, depending on the circumstance, travel anywhere.

Ten Electronic Devices Security Tips When Traveling Abroad

1. Leave personal cell phones and laptops at home.
2. Bring a burn phone (prepaid, disposable cell phone) and a loaner laptop dedicated for travel only.
3. Erase the EEPROM, Flash and hard drive memory of both devices before leaving the country and immediately after returning. As a personal side note, never plug this laptop into any network before first wiping it and use a very good wipe program.
4. Disable all Bluetooth and Wi-Fi functionality from all devices. This includes ear pieces.
5. Never let your phone or laptop out of your site.
6. In meetings, don’t just turn off your phone but also remove the battery. It is possible that the microphone can be turned on remotely. So, be sure you have a phone that you can get to the battery. An iPhone is not a good choice when traveling.
7. Connect to the internet through secure, encrypted channels.
8. Use a password manager so you don’t have to remember or type them.  I recommend a smartcard password manager over a USB thumb drive because of the added security smartcards offers.
9. If customs or any outsider has touched or turned on your computer, do not plug it into the company network without first scrubbing it.
10. Your company needs to have an electronic device security travel policy, employee re-training before every trip, and all devices returned to IT before the employee is allowed back into the building.

Cyber attackers are clever in hiding what they do, but the number one behavior they rely on is employee carelessness. Scott Aken, a former F.B.I. agent who specialized in counterintelligence and computer intrusion made a great summation, “We’ve already lost our manufacturing base. Now we’re losing our R.& D. base. If we lose that, what do we fall back on?”

Each Friday I will post a review on this book: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, and today I am sharing what I am reading in…

Chapter 2: The Cyberspace Battlefield

All wars have a battlefield and cyber warfare is no different. Where conventional warfare have solders within a country’s border, terrorism has expanded the fighter’s deployment and cyberspace has obviated both deployment and borders. A cyber attacker can actually be located within your own country, be a fellow citizen or even one of your allies. What is also ironic is that human suffering is collateral damage since the actual attack is not human against human or machine against human, but machine against machine. Human life is devastated by what happens when a machine malfunctions.

Cyber warfare’s virtual battlefield is analyzed in three ways: logical, physical and organizational.  Cyber security is designed to build a defense wall around a network. This is not much difference than the historic defenses of a medieval castle (moat, drawbridge, battlements, etc.) But now we have logon passwords, firewalls, anti-virus, etc. Castles also had weapons to kill their attackers (spears, arrows, catapults and burning hot oil), but currently cyber security does not have much in the way of weapons of destruction. We are too busy going on the defense after something catastrophic happens.

Once the networks are protected, the cyber attackers will target the physical infrastructure like the HVAC, electricity, people, etc. Here companies are vulnerable to surveillance, sabotage, vandalism and blackmail. Finally, an attack is also determined by its organization: Government (federal, state, or local) or Commercial (multi-international corporation, SMB or home business). Ironically, governments have far more money available for defenses and retaliation, but they also have some of the oldest equipment that are vulnerable to attacks. Businesses have the most up to date equipment but only invest money in security based on ROI and risk assessments. From an attackers perspective both are easy prey.

Arming yourself against cyber warfare will not be tremendously effective if you don’t understand the enemy and their threats. In the Art of War by Sun Tzy there is a very prophetic quote: “If you know neither the enemy nor yourself, you will succumb in every battle.”

Attackers fall into six categories: Script kiddies, criminals, hacker groups, insiders, political/religious and APT/Nation states. There are more script kiddies than nation states, but the damage they can do is the inverse. Then the final piece in the puzzle are the motivations of the attacker (money, espionage, fame, terrorism, hacktivism, etc.)

In conclusion, the authors have written a very compelling chapter that helps one understand the cyberspace battle field by making comparisons to the physical world.

It is through understanding your attacker, the damages and the motivations that we can full understand and appreciate this quote:  “Success in warfare is gained by carefully accommodating ourselves to the enemy’s purpose.” ~Sun Tzy.

Cyber attacks are on the rise in 2012. That is the prediction by many security experts. Individuals, industries and agencies are all trying to find safeguards that will reduce the risk of an attack. But what is the best solution? Do you use Public Key Infrastructure (PKI), One Time Passwords (OTP), Single Sign-On (SSO) or Password Management (PM)? Before I, or anyone else can answer that you first need to understand your environment, what are you protecting, what are the risks and who else would have access.

No one solution works for everyone and every environment. They all have their advantages and disadvantages. For this discussion, let’s just address Password Management. While I have developed Power LogOn® to offer solutions to a number of issues, I also recognize that it may not be entirely the best solution for everyone. So first off, if you are using any type of password manager and generator you are ahead of most internet users. Congratulations.

Instead of doing a product, feature-by-feature comparison with the intention to eliminate one product/competitor from another, I want to discuss some topics you need to consider in picking any password manager.

1. Target Customer: Password manager solutions typically target two different customers – Consumer and Industrial. While the basics of protecting passwords are similar, the differences is how much customization is allowed, integration into existing servers/networks and additional functions.
2. Authentication: Security experts all say that the more ways one authenticates themselves to the computer/network/site the better. The security industry standardized on three types of authentications: Something you have (card or token), something you know (PIN or Password), and something you are (biometrics). Security is strengthened by incorporating any two of the three types or using all three. A single PIN or Password does not authenticate the user; it only authenticates that a someone knows the secret but not the person. The tradeoff here is also that the more levels of authentication the higher the security costs.
3. Password Storage: Reading all the articles about the resent hacking attacks, the target has been the password database. It does not matter how complex and unique your password is if someone breaks into the database. Therefore, another consideration has to be where passwords are stored (Hard Drive, Cloud or Token). Here are some considerations:
   

   • File Encryption: Do you encrypt the password files or are you using a service’s encryption? Is there any concern that the encryption could have a backdoor?
   • Authentication Access: Does the product/service have single or multi- factor authentication?
   • Files Access: Are the passwords stored on a sole computer, directory, cloud or token? How do you access your passwords if you are on different machines? Can someone else access your passwords/accounts it you are away from your machine?
   • File Encryption: Do you encrypt the password files or are you using a service’s encryption? Is there any concern that the encryption could have a backdoor?
   • Networks and clouds: Does an IT administrator have access, where are the passwords stored, any back doors, what encryption is used, and how is authentication established?
   • False authentication lockout and recovery: Are there a limited number of authentication attempts before the password file is locked. If it is locked, what is the recovery processes? Will a “brute” force attack work?
   • Token based storage security: If you use a USB device, smartcard or even your smartphone what happens if the device is lost or stolen? How do you recover your passwords? Will others have access to your passwords if they find it?

4. Malware, Phishing, Virus protection: How does the password manager protect from phishing emails, keyloggers and viruses?
5. Additional Application: Many industrial solutions can incorporate other features into the same card. For example employee photo ID, building access control, electronic payment, etc. How will you handle card issuance and management? Some solutions require re-badging whereas others can work with the existing field-issued badges.
6. Customization: Does the security solution require that your conform to it’s default settings or does the technology allow it to be changed per your security policies?
7. Flexibility: Passwords are needed to log onto computers, networks, web sites and applications. Does the password management solution have the flexibility to address all these areas?
8. Multiple platforms: Will the solution work with different operating systems (Windows, Linux, Mac, Android, etc.) and with different browsers (IE, Firefox, Safari, Chrome, etc.)? Does it matter in your environment?
9. Price and cost-of-ownership: Are there any annual or subscription fees? Can licenses be transfers or recycled? What additional hardware and computer modifications are required? How long will it take to install? How much employee training is required to use a product?

While there are some pretty shoddy products on the market, but when dealing with a name brand solution you can rest assure that security and convenience is top notch. Trying to determine if one technology or solution is better than another is like comparing a Range Rover to a Bentley. It all depends on where it is to be used. If your try to use the Bentley for climbing mountain dirt roads and forging raging streams you might think that it is the worst vehicle in the world. But if you are going to the Oscars… well you decide.

Stupid Thing #1: You Undervalue Your Personal Data

Did you know that when a company goes through valuation by a venture capitalist the number of email accounts is reviewed? So while you might not value your information, corporate America does.

Stupid Thing #2: You Submit Sensitive Information Over an Insecure Connection

Besides the https:// servers, users also have to have anti-malware protection that blocks keylogger programs from capturing your credit card information. Use an electronic wallet application that allows you to input credit card information without typing it. 

Stupid Thing #3: You Feed the Trolls

I can’t add much more here.

Stupid Thing #4: You Leave Private Information in Your Web Browser

Sadly, the number one group responsible for committing identity theft is spouses. Other things to protect your accounts include: 1) not saving passwords in the browser, 2) don’t click those “save my password” boxes, 3) don’t use the same password everywhere and 4) use complex passwords that are changed periodically. I recommend a multi-factor password manager that blocks family and friends from getting into your accounts if they are on your computer.

Stupid Thing #5: You Don’t Keep a Backup of Online Data

Also, if you must backup data using online services, encrypt the data before uploading. You don’t know where your data is really being stored and if there are any backdoors in the service’s encryption algorithm. Remember, if there is a security breach at the online service you are still responsible and liable for compromising your customer’s private information.

Stupid Thing #6: Assuming Your Posts and Comments Are Anonymous

Unless you are really skilled, McGee of NCIS fame will find you. Corporate Human Resources department are looking more at a candidate’s Facebook account and less on a resume. So think first before you hit or click that submission button.

Stupid Thing #7: You Let People Track Your Whereabouts

It is fairly easy to track if a person is going to be home. Here’s how: 1) Pick your targets. 2) Send them informative emails and establish a Twitter and Facebook relationship. 3) use the target’s own Facebook account to find other family members of your target. 4) Build a social media relationship with those family members. 5) and sit back and wait for that “Out Of Office” reply, check all of the social media for comments from the family member and 80% of the time you will know when a house will be vacant. So, maybe you want to tell your kids what and when to place information on their fan page.

Stupid Thing #8: You Use an Insecure Password That You Rarely (or Never) Change

This is the topic closest to my heart and I have written many articles, posts, a book and white papers on this topic. Please check out my website for tips and topics about securing passwords. When picking any password manager solution you need to also evaluate how the individual actually authenticates themselves to the service. Also there is a big difference between commercial and corporate password management products and solutions.

For me, the best way to educate myself on critical events in my industry is to start reading some of the latest books on the market. “Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners” by Jason Andress and Steve Winterfeld is one such book that I  am studying. It promises that “the concepts discussed in this book will give those involved in information security at all levels  a better idea of how cyber conflicts are carried out now, how they will change in the future and how to detect and defend against espionage, hacktivism, insider threats and non-state actors like organized criminals and terrorists”.

Even though I am very much a online security professional, I wanted to approach this topic from a layman’s perspective and help develop some strategies that even the small business owner or individual can easily understand and deploy to protect their data.

I will be doing a series of posts that highlights some lessons and thoughts I learned in each of the different chapters of this book and bring out some key points the authors are making. I will not be doing a Cliff Notes version of the book but rather give enough insight to encourage you to also want to read the book and learn how to protect your online presence.

In the Foreword a shocking statement caught my eye that scared the holy pajesus out of me. It needs to be the default text message whenever you start up any computer.

“Identity theft is so commonplace it is no longer [considered] newsworthy. There is just so much stolen data, [that] the criminals have not yet figured out how to use it all. But they will.” – Stephen Northcutt, President, The SANS Technology Institute.

Chapter 1: What is Cyber Warfare?

Being that the title of the book is Cyber Warfare, it would seem that a standard, acceptable definition would be offered. However, that is not the case. It seems that trying to come up with a definition for Cyber Warfare is more difficult than imagined because there are no recognized definitions for “cyberspace” or “warfare”. This conundrum makes me want to paraphrase Supreme Court Justice Potter Stewart’s original quote on pornography and adjust it for this topic: “I may not know how to define Cyber Warfare; and perhaps I never will, but I know it when I see it.”

How I see it, “Cyberspace” is the theater of computer instructions (code) and information (data). “Warfare” is the strategies and tactics of one side using all available resources to achieve power and financial wealth while the other side uses all their available resources to protect their existing power and financial wealth. Cyber warfare is the control of both code and data to achieve/defend power and financial wealth.

The authors presented a very informative strategy and power comparison section between physical versus virtual fronts and how they relate to the Principles of War, the DIME factors and the types of national power. The conclusion I drew was that century old strategies still need to be kept in place; the weapons themselves will not be “Weapons of Mass Destruction”, but rather “Weapons of Mass Disruption” to the civilian population, and that safeguards could morph into monitor and control.

Presidents Bush and Obama both announced initiatives, directives, reports and czars. However, very little headway has been made, especially when the evening news reports another government agency hacked using malware infused emails, the release of confidential documents, the hacking of government smartcards, security protocols released and so on.  And while there may not be an actual Declaration of Cyber War there certainly been enough probes, skirmishes and terrorists activities to elevate a cyber DEFCON level to 3.

This first chapter set up some good ground rules and understanding of the political problems from first defining cyber warfare to managing it. It also raised questions in my mind on whether a cyber-attack on the private versus public sectors can also constitute as an act of war. How does one deal with Weapons of Mass Disruption when imposed by a government onto its own people?  If a citizen within a country attacks another country, how will both countries treat the incident? Is Cyber warfare the government’s excuse to implement a National ID? While these questions might be disturbing, I am excited to read this book and find out if these concerns are addressed.

Be sure to visit again to see what I learn.

The Smart Card Alliance released their weak response to the recent Sykipot Tojan attack which hijacked the Department of Defense authentication smartcards. Unlike hypothetical attacks on smartcards (the Chinese Remainder Theorem Attack comes to mind with the use of a microwave oven and a calculator) this is a real threat to the security of one’s network and data but not so much to the smartcard itself.

The Sykipot Tojan is taking advantages of the flaws and lack of security in Adobe’s PDF documents (zero-day attack) and Microsoft’s Windows OS and anti-virus suppliers are not blocking infected attachments.

How are these attacks happening? The attacker sends a phishing or spear phishing email with a malware infected attachment to an unsuspecting person or employee. The employee opens the attachment and launches the attack. The malware is a keylogger that captures the PIN of the smartcard, reads the user’s certificates within Windows, and then allows the attacker to use this information to log into unauthorized accounts.

The Smart Card Alliance offers only simplistic security strategies.

1. Educate users on safe computer and email practices.
2. Maintain up-to-date anti-virus, -malware and –keylogger software.
3. Implement user analysis and network forensics tools.
4. Include multi-factor authentication (I thought that was the whole purpose of the smartcard)
5. Buy a PIN pad smartcard reader. (Expensive)
6. Hardening the authentication between user, keyboard, and smartcard. (That’s what the OS is suppose to do)
7. Change your card PIN and certificates (Note: changing certificates can wreak havoc on documents, access rights, etc., that used the older certificate. Plus, the attackers will still have access to the older information.)

This is baloney. These recommendations are insulting at best, since it’s Security 101. For the public representatives of the smartcard industry to put out such namby pamby platitudes and either refuse, or even understand how to address the real culprits is an injustice to all of us in the smartcard industry who are working to make data secure and user authentication reliable.

What deeply concerns me about their response is that neither the smartcard industry nor the PKI industry is at fault. Prevention and security is wrongly placed on the user. The fault actually lies with the insecure applications (Adobe), the Operating System (Microsoft) and the network security that don’t detect corrupted files. The attack used was unsophisticated and has been know and experienced for years. Why hasn’t the computer industry addressed these known threats?

So here are my “Key Elements of Security”:

1. Scrap Windows 8 and develop an entirely new operating system from the ground up. Don’t make it backward compatible with anything. Make security an integral part of the design. Sure there will be the cost of new applications and drivers but which is worst? The cost of upgrading or the continuation of the multi-billion dollar identity theft loses which can bring down our economy?
2. Block all Adobe PDF attachments until they fix their problem. No older PDF attachments will be allowed into any computer.
3. Cloud and network manufacture’s products scan attachments for hidden files.
4. Charge these companies $1 billion for every security patch they have to release. Windows Patch Tuesday has been going on since Windows 98. Is the Microsoft Management so keen on profits that building a trusted system is of no real importance  to them? If the U.S. Postal Service needs a new campaign to get people to actually purchase stamps and other postal products then remind every American that “snail mail” is not affected by viruses and can’t take down your computer or network.

The claim that the Common Access Card (CAC) has reduced network intrusion by 46% when replacing passwords is also very misleading. It has reduced the intrusion when you prevent the users from self-managing their passwords.  Time and time again we know that people will pick simple passwords, use the same password everywhere and write passwords on notes. Why? Because we can’t remember that many of them. But if you incorporate a smartcard-based, multi-factor authentication password manager you will see similar intrusion reductions; and, at a fraction of the cost and time. PKI is a great technology and it does some things better than any other technology, but it is not appropriate for everyone. So comparing CAC to self-managed passwords is disingenuous.

As you can see, I am quite distressed and more than a little angry. Not at the hackers, criminals or even the Chinese since they are doing their job and doing it very well. But with the computer industry that allows these attacks to continue. And at the Smart Card Alliance for not identifying the true culprits and offering solid security recommendations. The attack being waged was not sophisticated. So instead of Microsoft, Adobe and others coming up with a new, “pretty” interface, spend the money securing your software.

The cost of identity theft is more than the charges on a credit card. Victims have referred to it as “Identity Rape”. It is incumbent on us, the consumer, to protect our identities with all means that can be brought to bear. If you are interested in more ways to protect your identity, please check out my free book, “Online Identity Theft Protection for Dummies”.

Online  shoe and apparel shop Zappos, now owned by Amazon, reported earlier this week that 24 million users names, e-mail addresses, billing and shipping addresses, phone numbers, and the last four digits of credit card numbers may have been illegally accessed. In response to this breach, Zappos has expired and reset all passwords. They have also temporarily foregone using their 800 number phone service in an effort to redeploy customer-service representatives to respond to customer email.

Zappos CEO Tony Hsieh posted an open letter online to Zappos employees about a “cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.” In this open letter, Hsieh wrote, “The most important focus for us now right now is the safety and security of our customers’ information.

Now, four days and counting after Zappos revealed user details had been breached in a digital intrusion, the company is still blocking access to Zappos.com from outside the U.S. In one tweet from a Zappos customer service representative, Rick Duggan apologized for the inconvenience, said that service had been restored to the United Kingdom and was “rolling out to other locations.”

Zappos says the attacker likely gained access to customer name, email address, billing and shipping addresses, phone numbers, the last four digits of the customer card numbers and the customer’s “cryptographically scrambled password.” But other payment data, such as full credit-card and payment information, is not believed to have been accessed by the attacker.

If you are a Zappos or Amazon customer we recommend that you take these steps right away;

1. Change your password immediately. If you use this password for other online accounts, change it there as well.
2. NEVER respond directly to information requests in emails. Retailers and banks  should never ask you to provide sensitive information like your credit card or Social Security number in an email. Even if the email looks official or directs you to a website that appears to be an official company website, do not provide personal information, or login. Instead, contact the company at a well-known, published web address or phone number.
3. Check your account statements regularly. Most financial institutions allow you to review your account online. Do a quick check of your credit, savings, and checking accounts. If you see suspicious activity, contact your bank or creditor immediately.

Are you sure you shredded last year’s bank statements? How about all that junk mail you tossed – no credit card offers in there, where there? If you are responsible for a corporate or small company, how likely is your administrative staff to shred or archive – NOT toss – sensitive documents?

Thieves will steal outgoing or incoming mail from your mailbox. They may also call you on the phone and pose as a company representative who needs to update their company’s files. If this happens, insist on returning their call and see how quickly they hang up on you!

You don’t even have to be the thief’s direct target when it comes to them trying to get to your information. They may go to a neighbor, friend, spouse, child, employer, or even pose as another company to get the information they seek.

The following is a list of other ways to for someone to physically steal your identity:

• Card skimming. Using a storage device to record your credit card or ATM magnetic stripe. When you hand your credit card to someone (think waiters) who then takes it away to process, it has now left your control and you have no idea what is actually being done with it while it is out of your possession.
• Computer theft. Stealing laptop or desktop computers with unprotected files has been active in the news, especially for companies and medical professionals. Individuals also store unprotected bank records, old electronic tax returns, stock portfolios, and other account information on their computers’ hard drives.
• Desktop snooping. The thief literally sits at your desk and rummages around looking for notes, sticky notes, pieces of paper, books, or anywhere you may have jotted down your passwords. So what is under your desk pad? Or on that sticky note in your top drawer?
• Dumpster diving. A person goes through another person’s or company’s trash looking for documents, cancelled checks, bank statements, employee records, addresses, pre-approved credit card applications and so much more.
• Fake ATM’s. What looks like an actual ATM machine is in reality a computer that record your PIN, copy all your magnetic stripe material, and then give the card back stating that the network is busy or out of service. The user then takes his/her card back and thanks nothing of it as he travels down the road looking for a working ATM.
• Filing a “Change of Address: form. The thief contacts a bank, post office, or utility company to put n a change of address request. This diverts your mail or statements to a new address that allows the thief access to your personal information until you actually realize that you are not getting your statements.
• Home/office burglary. Thieves break into a house or office to steal important papers, files and computers along with the easy to sell electronics, cash and jewelry. By making it look like a normal burglary, the identity thieves are obscuring the true purpose of the break-in, which is to obtain your personal identifying information.
• Postal mail theft. Stealing outgoing or incoming mail from a street-side mailbox. That red flat sticking up signaling that mail is in the box is not just letting your postal carrier know that there is mail in there. You are also letting thieve know that you are probably paying bills and they now have access to account numbers and your checking info if you are paying by check.
• Over-the-shoulder-surfing. Someone you know looks over your should while you type a password. This can be coworkers, friends and family members.
• Phone pretexting. Someone will call pretending to be from a legitimate company claiming that they need to update their records. Most people, recognizing that they do indeed do business with this company will give out their personal information without hesitation. Again, insist on calling them back.
• Purse and wallet theft. Pick pockets and purse snatchers are as active as ever due to all the important personal information that we keep in our wallets and purses. It is a very BAD idea to keep your Social Security card in your wallet!
• Social engineering attacks. Posing as a landlord, employer, or someone else who has legal, authorized access to your personal information. People all to often give out personal information to someone who looks authoritative and legitimate.

People are becoming increasingly aware of how physical identify theft occurs and are taking precautions such as shredding bills and other documents, renting post office box rather than leaving their mail at the curb and refusing to engage with telemarketers.  As a result, identity thieves are looking for, and finding, other ways to obtain your personal information.  The targets now are your computer, zip drives and of course, the internet.

Answer: employee’s carelessness.

Using social engineering attacks are still the best and cheapest way to distribute malware. Spam emails, phishing, spearfishing, etc., all utilize attachments that can hide the malware. It still is amazing that such an and old and simple method is still the most effective. An according to some experts, educating the employees about information security is a waste of time. I disagree since even if one person is helping by being educated and aware it is better than having none. But education alone is not the solution.

Technology applications, networks and operating systems have to incorporate security as one of their key design components. Stop the patching and all the backward compatibility design concerns and start create an entirely new OS from scratch. We don’t run DOS and Windows 98 anymore.

Software applications also need to incorporate high security standards like integration with multi-factor credentials. Using a smartcard that first authenticates the user to the card, then the card to the computer, then authenticates the card and server to each other, and finishes up with the user to the application can greatly improve a company’s security.

Public cloud services are still scary at best. Do you really know how and where your data is being stored? Plus, when some of the biggest public cloud companies are “sidestepping security” with protection clauses in their contracts should tell you something. Private clouds can have more security safeguards but it requires knowledgeable people to build and manage.

Security is only as strong as the weakest link and that link is the employee. I would wager that majority of the employee caused breaches are done through carelessness. Employees have to get their jobs done and will often circumvent security protocols so as to increase convenience and efficiencies. That is why any security plan has to take into account the user. Otherwise, corporate officers are lulled into a false sense of security. A 25-character random password that has to be changed every 7 days is super security but don’t be surprised when there is an increase in Post-it Note supplies because these passwords simply cannot be memorized by most employees.

Power LogOn® by Access Smart® has been delivering multi-factor authentication, smartcard-based password management solutions for years. Users are able to store multiple passwords on a single smart card, no passwords are ever stored with in a computer that others can access our hack, and when the card is removed from the computer no critical logon data is left behind on the computer. If the card is lost or stolen all the passwords are protect because the card authentication includes a limited number of false entries before it is locked and needs IT assistance. From the users perspective a lost card is easily recoverable without having to change all your passwords.

Users passwords need to be de-centralized and always in the possession of the user. Power LogOn is being used by individuals, small businesses, and large enterprises. So don’t wait for Windows 8 to think you can securely manage your passwords. Implement today and protect your data. Complex passwords are recognized as the way to secure accounts. Power LogOn allows businesses to securely manage all those passwords and for IT to be put back in control of logon security.