Passwords leaked - LinkedIn, eHarmony, Last.fm

Recently several password databases have been compromised and released publicly, including those of LinkedIn, Last.fm, and eHarmony. If you use any of these services, your password may have been among those leaked.

How do I tell if my account was compromised?

LastPass, a service I recommend for password and account security, has put together a page for each of the breaches where you can submit your password and it will tell you if your password is in the publicly available lists. This is done in a secure manner: LastPass never gets your unencrypted password, but rather compares your hashed input to the hashes publicly available. For those of you who don’t know what a hash is, think of it as a one-way scrambled form of the password that can be compared but not turned back into the original.

Was My LinkedIn Password Hacked?
Was My eHarmony Password Hacked?
Was My Last.fm Password Hacked?
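The same check done locally, as an added illustration (my own example, not LastPass’s code): the candidate password is hashed and only the digest is looked up in the leaked list, so the plaintext never leaves the machine. It assumes the list holds unsalted SHA-1 digests, one per line (what the public LinkedIn dump used); the two-entry list here is constructed.

```python
import hashlib

# Constructed stand-in for a leaked hash list: hex digests, one per line,
# as such dumps are usually distributed. Assumption: unsalted SHA-1, which
# is what the public LinkedIn dump used; adapt the hash for other leaks.
LEAKED_DUMP = """
cbfdac6008f9cab4083784cbd1874f76618d2a97
%s
""" % hashlib.sha1(b"linkedin2012").hexdigest()


def load_hash_list(text: str) -> set:
    """Parse a dump into a set of lowercase hex digests, skipping blank lines."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


LEAKED_HASHES = load_hash_list(LEAKED_DUMP)


def password_hash(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, matching the leaked list's scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_leaked(password: str, leaked: set = LEAKED_HASHES) -> bool:
    """Hash locally and look the digest up; the plaintext is never sent anywhere."""
    return password_hash(password) in leaked


if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple"):
        verdict = "LEAKED" if is_leaked(candidate) else "not in list"
        print(candidate, "->", verdict)
```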

What now?

Even if the above pages say you are not compromised, now would be a good time to make sure you are using unique, secure and new passwords on those sites. I also suggest that you take this chance to start using a password vault; LastPass and KeePass are good ones I’ve used in the past.

How do I keep this from affecting me in the future?

Always use different passwords for different sites. This limits the damage that can be done when any particular service is compromised. Imagine that you used the same login for your email account as for your LinkedIn account and that information got out. Not only would you lose your LinkedIn account but potentially your email as well. Also remember that most accounts have a “forgot your password?” link that just emails you password reset instructions. An attacker who controls your email can use those links to take over any account you have ever registered with that address.

You can read more password recommendations in previous posts, specifically Password Best Practices Part 1 and Password Best Practices Part 2.


How to properly clean your monitor or HD TV

LCD screens are the standard now for both computer monitors and TVs. They look great, come in large sizes, are expensive, and are fragile. The days of grabbing a bottle of Windex and cleaning your 100 pound screen with anything you had handy are gone. If you try this with today’s screens you will be left with a yellowed, foggy, and probably scratched monitor.

How do I safely clean my LCD?

The only safe way recommended by manufacturers is with a soft, lint-free cloth and distilled water. Do not use any chemicals or anything made of paper. Mist the cloth with the water and buff the screen as softly as you can. Pressure can and will scratch or crack the screen.

What can I get away with?

Pure water is great advice, but sometimes you need a deeper cleaning. Water doesn’t dissolve oils such as fingerprints, smoke, and many other contaminants. To stay within the manufacturer guidelines the answer is to just deal with it, though for many of us that isn’t a solution.

I can offer up suggestions based on my personal experience but this comes with a warning: Your mileage may vary.

There are many commercial products made for cleaning LCD screens; some are good, some not so much. They can be expensive, and caveat emptor (let the buyer beware). Make sure that you read reviews before buying such a solution and avoid anything containing ammonia like the plague. One product that has good reviews from people I trust is the Klear Screen line of products.

I have had great success with a solution of mostly distilled water, isopropyl alcohol, and some white vinegar. I’m still working on the best ratios for this cleaner to maximize the cleaning power, reduce streaking, and minimize the risk of damage to the screen.

As for cloths, a lens cleaning cloth from a camera shop is what I use.

Spray your cleaning solution directly onto the cloth and lightly buff the screen. Gentle pressure is the key. Do not spray onto the screen as the solution can run down the screen and into the bezel, shorting out the computer or monitor.

That’s it?

That’s all there is to it. You can use this same technique on the outer surfaces of most electronics as well: your laptop, computer case, keyboard, or mouse. Just remember to shut everything down before you clean and you will be fine.


Password Best Practices (part 2)

Problems to be solved regarding passwords

Passwords provide authentication, an answer to the question “Who are you?” We’ve covered selecting a password that is hard to crack, but there is a different problem to be solved today: passwords being used across multiple websites.

A single security breach often gives an attacker all of your passwords

When a site you have an account with has a security breach and their database is stolen, the attacker has a list of username and password combinations, and often email addresses. This allows them to go to other sites and try those same combinations. Most people use the same credentials everywhere, giving the attacker virtually all their accounts with one security breach.

The solution to this problem is to use a different password for each site.

The challenge then becomes: remembering and keeping straight all of the different passwords required.  My favorite solution is a service called LastPass.

LastPass is a password vault with many features that make it both secure and available anywhere.  You use LastPass so you don’t have to remember or type your password for any site ever again.  This allows you to use very secure passwords that are unique to each site, without the hardship that would otherwise entail.

I use LastPass exclusively to store my passwords (over 200 at last count).  This allows me to keep them unique and hard to crack.

Let me show you how I use LastPass to make life easier.

Plugins, plugins everywhere

LastPass is available as browser plugins for all major browsers across all major platforms. It is available for Mac, Windows, or Linux. Open any major browser on virtually any computer, log in to LastPass and you will have all your passwords at your fingertips.

I use more computers than most people, due to my job and addiction to technology.  I use my iMac, iPad, iPhone, MacBook Air, my wife’s Windows 7 computer, and a couple of test Android devices almost daily and never have to scramble for login credentials when I need to get something accomplished.

Password generation

Coming up with unique, hard-to-crack passwords for each site is tedious, to say the least.  LastPass plugins provide a password generation tool.  This allows you to generate secure passwords that are long, random, and unique.

I use its generator for all the passwords I use. Since LastPass frees me from remembering or typing passwords, it’s a perfect solution.

Two-factor authentication

If you keep all your passwords in LastPass, a thief who accesses your account will have ‘all the keys to the castle’.  To further secure your account, LastPass supports many different forms of two-factor authentication.  Two-factor authentication is a method that ensures you are who you say you are by not only requiring a password (something you know), but requiring a code from a device or piece of paper (something you have), greatly increasing security.  LastPass supports the YubiKey, the Google Authenticator, paper-based Grid Multifactor Authentication, Sesame: Multifactor Authentication with a USB Thumb Drive, Fingerprint Authentication, or Smart Card Authentication.  Don’t worry if you don’t know what each of those are, just notice that you have many different options to increase the security of your LastPass account.

I personally use a YubiKey to secure my account against theft.

One-time passwords

You may need to log into your account from an untrusted computer, such as a public computer or someone else’s machine.  This is dangerous since you do not know if the computer has a key logger installed.  To mitigate this risk, LastPass supports the use of one-time passwords.

One-time passwords are also useful to bypass your two-factor authentication in the off chance that you’ve lost or misplaced your two-factor authentication device or paper.

I always keep a sheet of 10 one-time passwords in a safe place.

Security check

LastPass provides what they call a security check feature.  It searches your saved credentials and gives you a score based on the difficulty of your passwords and password reuse.  It identifies sites that you use the same password on so you can change them to something unique or more difficult.

I make it a habit to go through this process every 3-4 months, since I have a tendency to be lazy.  I think of it as a security tuneup.

Form filling

LastPass can also fill forms for you.  Never again will you have to fill in complicated shipping address or registration forms.  It uses the same secure storage and synchronization routines to keep this data safe, so you can trust it with credit card numbers.

Phishing protection

LastPass knows all the URL rules that are hard for a human to know and recognize. A human cannot distinguish http://pаypаl.com from http://paypal.com. The former is actually a different site, as its ‘a’ characters are Cyrillic (Russian glyphs), though visually identical in almost all fonts. LastPass can tell the difference and will only enter credentials for the real PayPal site.
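How a password manager can tell the two apart, as an added illustration (my own example, not LastPass’s code): it compares the code points of the saved host with the current URL’s host, never the rendered glyphs, and any non-ASCII letters mixed into a Latin host are surfaced by name. The look-alike below is constructed with Unicode escapes so the Cyrillic letters (U+0430) are visible in the source.

```python
import unicodedata
from urllib.parse import urlsplit


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, or '' if there is none."""
    return urlsplit(url).hostname or ""


def non_ascii_chars(host: str) -> list:
    """(char, Unicode name) for every non-ASCII character in the host."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in host if ord(c) > 127]


def is_mixed_script(host: str) -> bool:
    """ASCII letters mixed with non-ASCII letters is the classic look-alike pattern."""
    has_ascii_letter = any(c.isascii() and c.isalpha() for c in host)
    return has_ascii_letter and bool(non_ascii_chars(host))


def matches_saved_site(saved_host: str, url: str) -> bool:
    """What a password manager does: exact comparison of code points, not glyphs."""
    return hostname(url) == saved_host.lower()


# Constructed sample: the look-alike from the text; \u0430 is CYRILLIC SMALL LETTER A.
LOOKALIKE = "http://p\u0430yp\u0430l.com"
REAL = "https://PayPal.com/login"

if __name__ == "__main__":
    for url in (LOOKALIKE, REAL):
        host = hostname(url)
        print(url, "->", matches_saved_site("paypal.com", url),
              "mixed script" if is_mixed_script(host) else "single script",
              non_ascii_chars(host))
```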

Much more

  • Secure Notes
  • Offline Backup
  • Import and Export
  • Favorites
  • Sharing
  • Identities
  • History
  • Virtual Keyboard
  • Bookmarklets

You can find details about all I’ve discussed here and more in LastPass’s User Manual.


Care and Maintenance of Batteries

Our modern lifestyle depends on batteries. They are in our phones, laptops, tablets, music players, and whatever technology comes next. Right now, the most common kind of battery is Lithium-ion, which often costs 10-50% of the price of the device it powers.

I’ve killed my fair share of Lithium-ion batteries over the years, done some research, tested anecdotally, and come up with some specific advice to maximize the life of your batteries.

Rules of thumb

Keep the electrons flowing

When a battery is kept at 100% charge for long periods of time it tends to age prematurely.

Keep the temperature down

Heat is the real enemy of Lithium-ion batteries.  High heat stresses them, damaging the cells inside and reducing their ability to keep a charge.

Specific advice

Make sure there is a full charge cycle every month

If you usually use your device while it’s plugged in, run it until the device shuts off and then immediately charge it until full. I do this monthly. This accomplishes two things: it calibrates the software as to the actual battery charge, and, more importantly, keeps the electrons flowing.

Store a battery at 40% charge

If a battery is to be stored, be sure to bring the charge down to 40% of its full charge. This minimizes the aging of the chemicals inside. Batteries will slowly fail from the moment they are manufactured.

Take the battery out when you plan to run your laptop from the power adapter for long periods of time

Two things occur when you have your laptop plugged in with a full battery, both of which will shorten its life. When a laptop is plugged in, its battery is kept at 100% charge and stored underneath a hot device. These two things combine into a perfect storm to age the battery. Many sites claim that a Lithium-ion battery kept charged and under a hot laptop will last a maximum of two years. This is over-optimistic, in my experience.


Sane Password Policies for Businesses

Most companies have password policies. It is a requirement in today’s world. They want to keep their systems and data safe and secure, and authentication through passwords brings accountability to their systems.

In reality, password policies in most businesses encourage behavior, such as sharing passwords or using unsafe passwords, that undermines what the policies were created to accomplish. Without knowing that only Joe can log in as “joe”, there is no accountability or security.

I have created a set of policies that are sane and encourage good behavior. In short, policies that are effective.

Many of these policies run counter to common-knowledge best practices. If you are in a regulated field such as government or healthcare, you may not be able to implement these policies due to current laws or requirements of credit card companies. I encourage you to think critically about your policies and implement my suggestions where appropriate.

Password policies for users

Do not require frequent password changes

Frequent password changes encourage bad behavior; for example, writing passwords down somewhere unsafe. A post-it note is the most common example.

Do not enforce password reuse policies

If an administrator has to change someone’s password in order to log in as them, a reuse (password history) policy means the user will not be able to change it back. This leads to the same bad behavior as if the administrator required the user to change their password too frequently.

Do not require multiple passwords

This minimizes the risk that users will resort to post-its or insecure passwords. Use Single Sign-On technologies to keep the number of log-ins to a minimum. The purpose of passwords is user authentication, and users are already authenticated with the network when they log into their workstation.

Do forbid sharing of passwords or accounts

Accountability requires a one-to-one relationship between people and accounts.

Do require complex and long passwords

For passwords to be useful, they need to be secure and hard to crack. Long passwords make a bigger difference than complexity in cracking difficulty. This is even more important when you do not require your users to change passwords frequently.
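A vault audit in Python, as an added illustration of the two points above and of the “security check” described in the Password Best Practices post (my own example, not LastPass’s code): it lists passwords shared between sites and scores each password by length and alphabet size, which shows why 16 lowercase letters outscore 8 characters drawn from all four classes. MIN_BITS and the sample vault are assumptions.

```python
import math
from collections import defaultdict

MIN_BITS = 60  # assumed threshold for "weak"; not a LastPass value


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size or 1


def entropy_bits(password: str) -> float:
    """Guessing work if the password were chosen at random: length * log2(alphabet)."""
    return len(password) * math.log2(charset_size(password))


def audit_vault(entries):
    """entries: list of (site, password). Returns (reused, weak): reused maps a
    password to the sites sharing it; weak lists sites whose password is under MIN_BITS."""
    sites_by_password = defaultdict(list)
    for site, pw in entries:
        sites_by_password[pw].append(site)
    reused = {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}
    weak = [site for site, pw in entries if entropy_bits(pw) < MIN_BITS]
    return reused, weak


# Constructed sample vault (all names are placeholders).
VAULT = [
    ("linkedin.example", "P@ssw0rd"),
    ("mail.example", "P@ssw0rd"),
    ("bank.example", "correcthorsebatteryst"),
    ("shop.example", "xK9#qL2$vN5!wR8"),
]

if __name__ == "__main__":
    reused, weak = audit_vault(VAULT)
    print("reused:", reused)
    print("weak:", weak)
```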

Do provide help in selecting a strong, yet easy to remember password

Users are not equipped to think about passwords in a way that is effective. They need guidelines in how to select one that will not be a hardship when the policy is “16 characters and complex”. For this purpose, see my Password Best Practices post. You can download a PDF copy to distribute with a license that restricts alteration and requires attribution.

Password policies for administrators/help desk personnel

The same as above with the addition of:

Do not ever ask a user for their password

IT should set an example for users. If password sharing is forbidden, then asking users to violate that policy whenever it is convenient for IT teaches the wrong lesson. Use remote access tools to help your users. If you must log in as them and the user is unavailable, change the password rather than asking for it. With a sane password policy, it is rather trivial for users to change their passwords back.

Do use “user must change password on next login” flags

Most users will never change their password from “password.” Forcing them to change their passwords on next login will fix this vulnerability.

Do not use default passwords

Make sure that you authenticate users before giving them passwords; a default password will soon be known to everyone in the company. Authenticating users without passwords due to lost passwords, security lockouts, or IT password changes is just as important. I will cover this in a later post.

Password policies for service accounts/shared accounts

Try to minimize the use of shared accounts. Shared accounts limit accountability. If you think you need one, carefully think through the problem that needs to be solved. Sharing accounts indicates that there is an architectural problem.

Do require frequent password changes

Shared accounts and service accounts need periodic password changes, since every company has personnel turnover. A password change resets the number of people with knowledge of the current password. Any required change interval shorter than 90 days doesn’t make sense; six months to a year is more sane.

Do require different accounts for different purposes

The list of people who need access to a particular account will change over time in unpredictable ways. Separating accounts to particular uses ensures only the people who need access will have access.
