September 15, 2017, Cambridge, UK: Account and system security is an overriding concern for software technology companies and this is certainly true for RealVNC. Security is at the very core of all our software development strategies and our security team are constantly monitoring for various indicators to counter criminal activity.
It will come as no surprise to anyone that the number of attempted attacks against software infrastructure, including our own, is relentlessly rising. Make no mistake; there are major criminal networks at work and both the vendors and software users have a role to play in thwarting illegal activities.
One method of compromising accounts that is particularly prevalent is when criminals exploit the reuse of the same password for multiple accounts. We have all read about government and commercial organizations that have been compromised and customer account information stolen. Criminals purchase these stolen lists with emails and passwords then attempt to login to any number of online accounts. They count on the fact that people often use the same password for multiple accounts. Even the most secure software systems will struggle to stop criminals from accessing customer accounts if they are using a valid email and password.
The most effective way of preventing this type of system breach is to adopt a layered approach, where RealVNC and our customers work together to provide overlapping protection.
At the design layer, RealVNC have designed VNC Connect in such a way that even if someone gains access to your RealVNC account, they are not able to connect to any of your computers, as they would not have the VNC Server password. Many other similar fail-safe design principles are included in our software.
At the operational layer, we are constantly checking for suspicious patterns in login activity and other markers that help us identify attempts to illegally access your account, and blocking suspicious activity. We constantly review and update our defensive capabilities, to be both proactive and reactive to attackers changing their attack methodologies. However, this still leaves the everyday usage layer, where we have some advice on how you can help us to protect your RealVNC account from this threat:
- Choose a RealVNC account password that is different to any of your VNC Server passwords, so that even if people are able to sign in to VNC Viewer and discover your computers, they still cannot connect to them.
- Choose a RealVNC account password that is unique among all the passwords you use online, so that a data breach by another service does not compromise remote access. You can change your account password at any time on the Security page online: https://www.realvnc.com/sign-in.
- Turn on 2-step verification on the Security page, so signing in to VNC Connect requires your account email address, account password and a unique code generated by an app on your mobile device.
- Always select complex, long passwords that cannot be easily guessed – the safest method for this is to use a password manager to generate and store the password for you, so you don't need to remember it. There are different types of password managers, both online and offline - use one which fits your security and usability needs.
Failure to take these extra measures will leave your RealVNC account and your other online accounts exposed to illegal criminal activities. We have all come to rely on online accounts, so we must protect ourselves from the relentless growth in the number of attacks by cyber criminals. You are much less likely to become a victim if you make the extra effort to manage your account information in a secure and responsible way.
Please feel free to contact us if you have any questions about the security of your RealVNC account.
Visit the VNC Connect security resource page for general information on our security architecture: https://realvnc.com/connect/security/
See this Lifehacker article for good password managers: http://lifehacker.com/5529133/five-best-password-managers
Check to see if you have an account that appears on the public lists that criminals use to target people: https://haveibeenpwned.com/