Archive for the ‘Security’ Category

5 ways to keep track of your passwords (not all of them good)

Thursday, April 3rd, 2014

In my last post, I made some suggestions to assist you with managing passwords. How many ways can there be to do this, though?

1) Just use the same username and password on every site. This is a really bad idea. If someone gets hold of the information needed to sign in to one site, that person (or persons) can now sign in as you to every site where you have an account. While it might not seem bad to you if your e-mail account is compromised (“I don’t have anything important or secret there” is the most common thing I hear), it can now be used to send spam. Now your online retailer accounts are no longer secure. Then goes your bank. Then anything else.

2) Use good passwords for “important” sites (e.g. banks), but don’t worry about the rest. While on the surface this seems like a good idea, it’s not. Much of the time, all someone needs to do is get into your e-mail account and then request password resets on your other accounts. The reset links get sent to that e-mail account, which has now been compromised. Essentially, this is no more secure than the first option.

3) Memorize everything. Awesome idea if you can pull it off. Bad if something happens to you which disrupts your memory. Realistically, most of us cannot do this. The details of all those login credentials get muddled in our brains.

4) Write it down. This method is only as good as the physical security of the book (or paper, or stone tablets) you use to maintain it. As long as you can keep it where no one can get access to it without authorization, it can be very effective. However, it’s not very convenient, as you can only sign on to sites you haven’t memorized when you are near your “little black book.”

5) Use some kind of software. I recommend this method as long as the software allows some kind of synchronization across devices. Part of this is for convenience (you’ll always have it with you). Part of this is for redundancy (the loss of one device won’t mean the loss of your credentials). Like option 4, it’s only as secure as the software and the master password you use. Dashlane and Strip both use excellent encryption on the database, so all you need is a good master password. Sync Strip with Dropbox or pay for Dashlane’s service and you have ready backups on all your devices.

Have you made better passwords, yet?

Monday, March 31st, 2014

Recently, a new list of the most popular passwords has been making the rounds. I’ve talked about this kind of thing before, and I discuss this kind of issue with clients on a regular basis, but no one ever seems to take me seriously.

Passwords are the primary keys we use on the locks of our personal information. The tough cases are when people tell me they have nothing important worth protecting. I’m sure if someone got into your e-mail account and took all of the things saved there, you’d see how important it was.

So, what are you supposed to do? The ideal situation is to create a different password for each site. Having different user names can increase the security of your information, but you’ll often run into the problem of how many e-mail addresses you’d need for all those sites (most people use only one e-mail address for all their communication). However, using a different password for every site can be difficult to manage. Using a tool will help greatly.

Which tool to use is going to depend on you. Some can get by with a “little black book,” so to speak. However, writing down your passwords leaves you open to someone else reading the book (which usually has no security of its own), or to leaving the book behind when you need a password while you’re away from your computer.

There are many different software titles and a few websites you can use to help manage your passwords. Depending upon the solution, it can give you access to your passwords regardless of where you are or which computer you are using. The downside is that you then have to rely on the security of the application or website.

I chose a solution which rated highly on the security of its database (essentially, the database was uncrackable compared to other solutions available at the time of the review). Unfortunately, it’s not as convenient to use (e.g. synchronizing across devices is done manually, and it doesn’t automatically fill in forms). This article from a couple of years ago goes over some analysis of popular password managers for the iPhone.

Because of that article, I stopped using the password manager I had been using and switched to Strip. They don’t appear to have a free version any more, but it’s inexpensive enough to be a relative no-brainer to just go out and buy. Their licensing terms are also very reasonable; you buy it once for each operating system and can use it on as many devices as you own. For myself, I had to buy the Mac, Windows, and Android versions. It only cost me $25. If I had an iOS device, it would only add another $5 to my cost.

You can synchronize your various devices using a cloud service such as Dropbox or Google Drive.

Another popular product I’ve seen recommended is Dashlane. While the application is free, to synchronize across all your devices, you’ll need to pay for their service at about $30 per year. It has the convenience of filling in web forms for you and the synchronization is automatic.

Both of these applications will help you manage and create strong passwords. Every time I create new credentials, I use Strip to create a password for it and save the password in the program which I can now synchronize across all my devices.

As I see it, with these kinds of apps available, there really isn’t a good excuse for not maintaining good passwords for your sites. Each site can have a good, long, strong, and unique password.
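Both this post and the April 3rd post above make the same point: a manager is only as secure as the encryption on its database and the master password in front of it, and in return it lets every site have a long, random, unique password. The following is an added example (my code, not code from Strip, Dashlane, or the original posts) showing the two halves of that bargain: generating per-site passwords from the operating system's CSPRNG, and deriving the vault key from the master password with a slow key-derivation function so that each guess at the master password costs the attacker a great deal of work. The character set, the iteration count, and the assumed attacker hash rate are illustrative assumptions, not values taken from either product.

```python
import hashlib
import math
import secrets
import string

# Character set for generated passwords. Assumption: a typical manager
# default, not the actual alphabet used by Strip or Dashlane.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a fresh per-site password drawn from the OS CSPRNG.

    secrets.choice is used rather than random.choice: the latter is a
    Mersenne Twister whose internal state can be recovered from its output.
    """
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Derive the 256-bit key that encrypts the vault from the master password.

    Real managers use PBKDF2, scrypt or Argon2; PBKDF2-HMAC-SHA256 from the
    standard library stands in here. The iteration count is what makes every
    guess of the master password expensive for an attacker who has stolen the
    vault file (for instance from a synced Dropbox folder).
    """
    if len(salt) < 16:
        raise ValueError("salt should be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def expected_crack_seconds(entropy: float, iterations: int, hashes_per_second: float) -> float:
    """Expected brute-force time for a password with `entropy` bits: on
    average half the keyspace is searched, each guess costing `iterations`
    hashes."""
    return (2.0 ** entropy / 2.0) * iterations / hashes_per_second


def demo() -> dict:
    """Compare a weak master password with a random one, assuming an attacker
    who holds the vault file and can do 10^9 SHA-256 operations per second
    (an assumed GPU-class rate)."""
    salt = secrets.token_bytes(16)        # stored in the vault header; not secret
    site_password = generate_password(20) # unique to one site, so one breach
                                          # does not become a breach of all
    strong_master = generate_password(14)
    iterations = 600_000
    rate = 1e9
    # A master password taken from a list of the 10,000 most popular ones is
    # worth about log2(10000), roughly 13 bits, no matter how long it looks.
    popular_list_bits = math.log2(10_000)
    return {
        "site_password": site_password,
        "site_entropy_bits": round(entropy_bits(20, len(ALPHABET)), 1),
        "vault_key_hex": derive_vault_key(strong_master, salt, iterations).hex(),
        "weak_master_days": expected_crack_seconds(popular_list_bits, iterations, rate) / 86400,
        "strong_master_years": expected_crack_seconds(
            entropy_bits(14, len(ALPHABET)), iterations, rate) / (86400 * 365),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The numbers from `demo()` are the whole argument in miniature: with 600,000 iterations a popular-list master password still falls in seconds, while a 14-character random one would take the same attacker longer than the age of the universe, and the 20-character per-site passwords never have to be remembered at all.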

What are prospective employers thinking?

Wednesday, March 21st, 2012

After reading this article, I was completely flummoxed. I thought I’d seriously entered the Twilight Zone and I should expect Rod Serling to be in the hall just out of sight, cigarette in hand.

The number of things wrong with this whole situation is too great to cover in full, but I’ll start with the big ones. For starters, what I do on a social media site is my business only. If I only share things with a select group and not publicly, again, that’s my business. The next, and likely bigger, issue is that most people still use the same credentials to log in to EVERY site they visit. I’ve rambled on about this issue before, but it really hits home here.

I just can’t see the justification a company might reasonably use to ask for these kinds of credentials. Mind you, I know what they want. They want to see if you’ve been posting anything which would be potentially damaging or embarrassing which might create a distraction on the job.

A less invasive option is the one used by employers who want you to “friend” a human resources “person” so they can have a look at what you publish for friends but not publicly. I’m not certain I’d consider this option, but my response to a request to give up important login credentials would likely give them cause to never hire me in the first place.

What would happen if you created a profile just to give the prospective employer who might ask for this? How would they know if you didn’t tell them?

I’m getting a little disjointed here as I’m really irritated by the idea of this being considered “okay” by any company.

That being said, if you post something publicly which could prove to be an embarrassment later, you should have considered your original actions a little better. Now, we all make mistakes, and I believe our stories about realizing our actions were mistakes and adjusting ourselves accordingly could show people how we’ve improved and are likely to fix our errors as time goes on.

Americans are easily scammed

Tuesday, January 3rd, 2012

It seems sad, but I’ve observed evidence to support this with my own eyes (and a few times perpetuated by my own mouse clicks). I read an article on CNet which reports a survey on who is the most and least likely to be scammed. Unfortunately, my fellow Americans were more likely than UK or Australian users to provide personal information in an effort to get something for free.

I’ve witnessed many of my friends posting on Facebook “links” to videos of humorous or salacious content which only end up being a survey scam or some other information grabber you need to fill out before you’ll be granted access to the video (assuming there’s actually a video to watch). I’ve clicked on a few myself when I wasn’t paying attention and then had to go remove the reference from my Facebook wall before the link spread any further (if a professional geek posts it, it must be safe, right?).

In the past, it was banner ads purporting to give you a free “popular gadget of the week” by clicking a link, filling out a form, signing up for some “offers,” and then convincing a quantity of friends to do the same. I’m not even sure there were any “gadgets” to go around when all was said and done.

In the end, I’ve not seen a single one of these which was legitimate. They’ve all been scams unless the visible URL was something like YouTube. I’ve been able to view a few by using sites like BypassFanPages and simple Google searches. It turns out the result is rarely as exciting as the title suggested. So, it’s best not to click on any of them.

Your router’s security may not be as secure as you think it is

Thursday, December 29th, 2011

I read a report from Sophos that there is a fairly critical security flaw in many consumer wireless routers. I’ve gone on before about how you should use the strongest encryption method your equipment supports (WPA2 if all your devices can handle it). However, while these routers support that, they also have a feature called WPS (Wi-Fi Protected Setup) which makes it easy to set this up by either pressing a button or entering a PIN, on either the device connecting to the network or the router.

Using the PIN method is risky if all you have to do is enter the PIN on your computer or other device. The PIN is eight digits, but the last digit is a checksum of the other seven, and the router confirms the first four digits separately from the last four (it answers each half with its own acknowledgement or rejection). An attacker therefore needs at most 10,000 guesses for the first half and 1,000 for the second: a mere 11,000 options, which can be brute-forced in less than two days.
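To make the arithmetic concrete, here is an added example (my code, not from the Sophos report or the original post) that implements the PIN checksum from the WPS specification, models the router's registrar as a toy object that, like the real protocol, rejects a wrong first half and a wrong second half distinguishably, and runs the two-stage guess against it. `ToyRegistrar` and `recover_pin` are illustrative names; the real attack drives the same logic over the EAP message exchange with the access point rather than a Python method call.

```python
import secrets


def wps_checksum(first_seven: int) -> int:
    """Checksum digit over the first seven digits of a WPS PIN
    (the algorithm from the Wi-Fi Protected Setup specification)."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def make_pin(first_seven: int) -> str:
    """Build a valid eight-digit PIN from a seven-digit value."""
    if not 0 <= first_seven < 10**7:
        raise ValueError("need a value with at most seven digits")
    return f"{first_seven:07d}{wps_checksum(first_seven)}"


def is_valid_pin(pin: str) -> bool:
    return (len(pin) == 8 and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))


class ToyRegistrar:
    """Stand-in for the router's WPS registrar (an assumed model, not a
    protocol implementation). As in the real exchange, the first half of
    the PIN is checked at message M4 before the second half at M6, and the
    enrollee can tell the two failures apart. That distinction is the leak."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("bad PIN checksum")
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0

    def try_pin(self, guess: str) -> str:
        self.attempts += 1
        if guess[:4] != self._first:
            return "NACK after M4"   # first half wrong
        if guess[4:] != self._second:
            return "NACK after M6"   # first half right, second half wrong
        return "M7: success"


def recover_pin(registrar: ToyRegistrar) -> str:
    """Two-stage brute force needing at most 10^4 + 10^3 guesses."""
    # Stage 1: find the first four digits. The second half is irrelevant
    # here because a wrong first half is rejected before it is examined.
    first_half = None
    for a in range(10_000):
        if registrar.try_pin(f"{a:04d}0000") != "NACK after M4":
            first_half = f"{a:04d}"
            break
    if first_half is None:
        raise RuntimeError("registrar accepted no first half")
    # Stage 2: only three digits are free; the eighth is fixed by the checksum.
    for b in range(1_000):
        guess = make_pin(int(first_half + f"{b:03d}"))
        if registrar.try_pin(guess) == "M7: success":
            return guess
    raise RuntimeError("second half not found")


def search_space() -> dict:
    """Why the report says 11,000 rather than 10^8."""
    return {
        "naive eight digits": 10**8,
        "checksum known": 10**7,
        "halves verified separately": 10**4 + 10**3,
    }


if __name__ == "__main__":
    target = make_pin(secrets.randbelow(10**7))   # a random, valid router PIN
    registrar = ToyRegistrar(target)
    found = recover_pin(registrar)
    print(f"target {target}, recovered {found} in {registrar.attempts} attempts")
    print(search_space())
```

Whatever PIN the toy registrar is given, `recover_pin` finds it in at most 11,000 attempts; at a few seconds per real WPS exchange that is where the "less than two days" comes from. Note that the flaw is in the protocol's split verification, not in any one vendor's firmware, which is why disabling WPS is the fix rather than changing the PIN.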

When I set up a new router, I’ve always gone for the manual approach and determined a wireless network name (SSID) and key which the clients can remember or have easily available. I don’t even install the software which came with the router but instead go to its web-based administration. I’ll turn off WPS so that it’s not accidentally used (the first and only time I tried using WPS, it scrambled what I’d previously set to something random for both SSID and key).

This falls in line with how security decreases as convenience increases. I advise disabling WPS and doing the setup by hand.