May 27, 2012

Do you participate in social media?

If you participate in social media, or your kids do, or you know other people who do (that you care about), you might want to have a listen to at least part of this podcast from Risky Business.  It's one of my favorite security podcasts. 

The Zetas Cartel and social media

It's rather scary stuff, but better to know what you are facing than to be totally unaware... at least in my world.

The podcast starts with an introduction and Patrick giving an overview of the show.  Then there is security news.  I like that part very much, but it may not be your cup of tea, so if you want to skip to the presentation about the Zetas, go to minute 21 in the podcast and start from there. 

Last of all Patrick talks to Brad Arkin from Adobe about their efforts in fixing code to prevent malware attacks.  I have to say, after listening to Brad speak with Patrick on several shows, I have revised my poor opinion of Adobe and their patching practices.  They are making a concerted effort to fix their code and get patches out in a timely manner.  Kudos to them and to Brad for being such a wonderfully articulate spokesperson.

Posted by: Teresa in WebTech at 12:41 PM

May 10, 2012

Let's Talk Passwords - now updated with a significant point

I was just reading a lament by a friend on Facebook who had accounts compromised because of weak passwords.  Therefore, you lucky readers now get an entire post on passwords.   Aren't you thrilled!  Okay - don't throw things at me.

Let me first state - this does not begin to cover everything to do with the subject at hand. It's just a blog post, not a dissertation (although some of you may be wishing for a simple dissertation before I'm done and others stamping in a rage because I "forgot" something important). Consider it a glancing blow pointing out a few items that might help you stay a bit safer online.  The vast majority of information will be omitted.  That's life.

Passwords.  What can we say about passwords?  Well, the entirety of the username/password type of access system sucks.  Period.  It completely and totally sucks pond water.  That will not change in the near future, much as we all hate it.  Until computers evolve enough to find better ways to know "we are who we say we are", we have to deal with it.  This post won't be about better ways to do it.  Those topics are fun to talk about but completely irrelevant to this discussion.   We have to work with what we've got the best way we can.

So what's the number one problem with passwords?  Remembering them.  If you forget, you either give it up in disgust or you have to jump through hoops to get back in the system. We hate hoops. They waste time and cause massive irritation. We just want things to work.  That is the entire problem in a nutshell.

So, what do people do about this?  When they are at home and are not under the tyranny of computer security people at work, they go for the easiest solution.  Pick a password that is memorable and use it everywhere.  This would be what I call: Huge ass mistake number 1.

Here's one list: The 25 worst passwords of 2011

Do you use any of these?  Yeah? You might want to consider changing things in that case... just sayin'...

Everyone wants things to be easy.  Security is not easy. It's a huge wet smelly blanket thrown over all the fun in life.  If it was easy, this post wouldn't be necessary.

Let us move on to:

Huge ass mistake number 2. No one will know.

Ah yes, the "obscurity factor".  No one will know what I choose for a password, they aren't sitting here, they can't see me type it.  They can't possibly know, so how could they guess? There's no way they can figure it out, it's not even a real "dictionary" word.  (here's a hint: the hackers don't figure it out; they let computer tools figure it out, which is way easier)

It really is a toss-up as to which of the 2 huge ass mistakes listed above is the worse.  Both are parts of human nature and both make it very easy for people to totally ignore any advice that might help keep them safer online. Because... really... can't we all find something better to do with our limited free time?   Just as there is always a good excuse not to work out at the gym, there is always a good excuse not to "worry" about the passwords we use. 

Of course, there is another difficulty.  Even if you take as many precautions as possible, bad guys can still manage to make your life a misery.  They have the advantage.  They only need to find one way in, you have to block all ways in.  Not fair and very tiring, but there it is. We're at a disadvantage before we start.  Even people who are very good and try to do everything right can be "gotten" by a bad guy (especially if they are specifically targeted).  So why should you make an effort? Because:

You don't want to be the low hanging fruit.

If the bad guys really want to get you, make them work for it!  You don't want them to steal a username/password database like the RockYou data breach or the Gawker data breach, take that info and start trying to apply it to email accounts, credit card companies, or banks.

Since most username/password combos are email address/password, the first thing an intelligent hacker would do is try to use what they have to log into your email account. If you are a person who uses the same password everywhere - voilà! They're in.  From there they can peruse your email and check out your bills and bank notices to figure out what to hit next.  Simple.

To that end, let's go with some tips to help you fix your passwords.  Let's start with where you'll keep them so you don't forget.

1. A database just for passwords.
Because it's best if you have a different password for every site where you log in, remembering becomes next to impossible.  That's where a password database shines.  You can use apps like 1Password (my preferred)  or LastPass among others to store your passwords safely.  This way you don't have to remember anything except the one password to log into your password database.  The database remembers everything else for you.  The good ones can also generate good random passwords and keep track of password changes among other things.   

2. A homemade spreadsheet option.
Okay, you don't want to get a password safe; you can create your own spreadsheet to hold your information. Not exactly the safest way to do it, but certainly doable.  Point in favor, you don't have to pay for anything. You could even use the basic notepad app every system comes with.  However, it won't generate passwords for you and you will have to decide if you want to encrypt the document in case your system is compromised or you lose your computer. 

3. Stone Age - paper and pencil.
At the very least, decide what accounts are your most important.  Banks, credit cards, utilities, email, social media (no one wants to try and unravel a breach through "facebook help" now do they?).  List out the places you find the most important and make sure the passwords you use for each are different.  Then you can use another single password for sites you don't consider important. Next, write them down in a notebook.  If you don't leave the notebook at the local coffee shop, this could work for you.

UPDATE (by VW in the comments) The only thing I would add is that you really should use one of the options you list and make sure your significant other knows what the 1pass is or the location of the spreadsheet or written paper. 

How to create a decent password.  

Ah - therein lies the rub.  If you google it, you will get an endless list of helpful advice on how to create good passwords.  What is unclear is exactly how good any of the advice might be.

Let's just go for an overall set of "rules", for lack of a better word, you can follow to create passwords that aren't quite so guessable by your roving hacker. 

1. Check the website for any directions on what it will allow for passwords including length and types of characters.  Some sites have major restrictions so create your password accordingly.

2. Length is your best bet.  Go for between 10 to 15 characters if you can.

3. Use upper and lower case letters.

4. Use at least a couple of numbers.

5. If they allow it, use at least a couple of special characters such as !@#$%^_ ( or spaces.
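As an added illustration (my own code, not from the post or any product it mentions), here is a small audit script that applies rules 2 to 5 above and the "different password for every site" advice from the storage options to a homemade password list. The site names, the sample list and the short "worst passwords" set are constructed stand-ins; the two passwords from the post's own examples are included so you can see how they score.

```python
import math
import re
from collections import defaultdict

# Constructed sample standing in for a homemade password spreadsheet (option 2).
# Sites and passwords are made up; two are the post's own example passwords.
SAMPLE_ENTRIES = [
    ("bank.example",   "#D0n't^P4nick!"),
    ("email.example",  "my_G@laxy-guiD3"),
    ("social.example", "monkey"),
    ("forum.example",  "monkey"),
    ("shop.example",   "Sunshine2011"),
]

# Constructed stand-in for a "worst passwords" list (not the 2011 list itself).
WORST_PASSWORDS = {"password", "123456", "qwerty", "monkey", "letmein"}


def check_rules(pw):
    """Apply the post's rules 2-5; return the names of the rules the password fails."""
    failures = []
    if not 10 <= len(pw) <= 15:
        failures.append("length 10-15")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        failures.append("upper and lower case")
    if sum(c.isdigit() for c in pw) < 2:
        failures.append("at least two digits")
    if sum(not c.isalnum() for c in pw) < 2:  # anything non-alphanumeric counts as special
        failures.append("at least two special characters")
    return failures


def guess_space_bits(pw):
    """Rough size of the space a guessing tool must search: log2(alphabet ** length).
    Shows why length beats cleverness: each extra character multiplies the work."""
    alphabet = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            alphabet += size
    return round(len(pw) * math.log2(alphabet), 1) if alphabet else 0.0


def audit(entries, worst=WORST_PASSWORDS):
    """Return {site: [findings]} covering reuse, known-bad passwords and rule failures."""
    sites_by_pw = defaultdict(list)
    for site, pw in entries:
        sites_by_pw[pw].append(site)
    report = {}
    for site, pw in entries:
        findings = []
        if len(sites_by_pw[pw]) > 1:  # mistake number 1: same password everywhere
            findings.append("reused on: " + ", ".join(s for s in sites_by_pw[pw] if s != site))
        if pw.lower() in worst:
            findings.append("on worst-password list")
        findings += check_rules(pw)
        report[site] = findings
    return report


if __name__ == "__main__":
    for site, findings in audit(SAMPLE_ENTRIES).items():
        print(f"{site}: {'ok' if not findings else '; '.join(findings)}")
```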

But - how to remember it if you don't have a password database handy?  If you create your own, the best thing is to use something like book titles or sentences from a favorite book and then embellish.  (do not use family names, addresses, birthdates, that kind of thing)

A couple of examples might be like these I made up from Douglas Adams's Hitchhiker's Guide to the Galaxy:

#D0n't^P4nick!
my_G@laxy-guiD3

Get creative.  Look at it as a fun exercise. 

As for changing passwords.  There is some controversy there too.  Once again it depends on your circumstances, who has access to your computer, that kind of thing.  And let's be realistic, you are not going to change anything on a regular basis, are you?  Ha! Yes, I already know this.

If you ever think about changing passwords on important sites, when would be a good time?  Maybe right after you've been traveling, every 6 months to a year, or if one of your accounts is "owned" that would be a good time to go through and change things.  (as long as the attacker doesn't have access to your email account).

I think that covers the very very basics.   It could be made much more complicated, but what would be the point?  No one would do it then, just like they pretty much don't do it now. 

For anyone still reading - congratulations.  You deserve a medal for persevering to the end.  Now that you've read this, think about it. If your current password strategy is the bare minimum, you can always improve it and save yourself some headaches later on.  Or not. Up to you.

Now - you can go find something more fun to read. 

Posted by: Teresa in WebTech at 07:47 PM | Comments (10)
