Password best practices (part 1)

Why is this important?

With more and more of our personal information going into the “cloud” and identity theft being one of the most common crimes, account security is of the utmost importance. I’ll cover many different aspects of maintaining a secure presence online, but today I am focusing on passwords.

Why is password security hard?

The human brain is not as well equipped to handle good password security as it is physical security. That which makes passwords hard to crack also makes them hard to remember. For example, a good password following traditional advice is: TR9rIMwT^JXkns^&$XU&v9!x. Do we really have the capability to remember such a password? This is a problem almost everyone faces when dealing with password security.

What’s the solution?

The solution comes in two parts. This post will cover the first: selecting a secure password that is both hard to crack and easy to remember. The technique is called “Password Haystacks” and comes courtesy of Steve Gibson of GRC.com.

Lifted from his site:

Which of the following two passwords is stronger, more secure, and more difficult to crack?

D0g.....................
PrXyc.N(n4k77#L!eVdAfp9

You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two!

If you want a semi-technical explanation, go to GRC’s Haystacks page. If not, keep reading for my layman’s explanation below.

Steve did some number crunching and realized that when it comes to cracking a password, length almost always trumps complexity. If you have a minimum of complexity (at least one character from each of the uppercase, lowercase, number and symbol groups), then anything you do to make the password longer is almost as good as the same length of hard-to-remember gibberish. As the password examples above show, just one more character of length, even though it looks simple, more than doubles the time needed to crack a password.

Let’s give some more examples:

3,People,Walk,Into,a,Bar

According to GRC’s calculator, it should take “9.38 hundred billion trillion centuries” to crack under the best circumstances. I’m sure you can remember that.

TR9rIM^w

According to GRC’s calculator, it should take “1.12 minutes” to crack. A very bad example.

You can even use something like your name:

1234567890DJ.is.the.greatest
76.43 million trillion trillion centuries

Maybe something even simpler:

God I love Hershey bars!
65.10 billion trillion centuries

Or add a number or two:

God I love Hershey bars!56
8.47 thousand trillion trillion centuries

Even better.

If you don’t like sentences, one of the most common passwords is “monkey”:

*M0nkeySeeM0nkeyD0*
1.21 hundred trillion centuries

Or pad the password, as Steve suggests:

1234<>?monkey1234<>?
19.31 trillion centuries

Or, even this:

1!monkeymonkeymonkey1!
91.92 thousand trillion centuries

As you can see, there are many ways to create length without sacrificing memorability.

To sum up: length, length, length. Having a longer password is drastically better than having a complicated password. Make your password long, easy to remember, and easy to type. It’s one of the easiest ways to protect yourself online.
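To see the “haystack” arithmetic behind the figures above, here is a small search-space calculator written for this post (it is not GRC’s code). It assumes the attacker knows only which character classes a password uses (26 + 26 + 10 + 33 = 95 printable ASCII characters, 33 being the symbol count), must try every string up to the target length, and runs at an assumed 1e14 guesses per second, which reproduces the post’s “1.12 minutes” figure for TR9rIM^w.

```python
import string

# Assumptions (not from the post): 33 printable symbols, and an attack
# rate of 1e14 guesses/second that matches the post's TR9rIM^w figure.
SYMBOL_COUNT = 33
SECONDS_PER_CENTURY = 100 * 365 * 24 * 60 * 60


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, given which
    character classes (lower, upper, digits, symbols) the password uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += SYMBOL_COUNT
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search must try to be sure of reaching
    this password: every string of length 1..len(password) over the
    alphabet implied by its character classes."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def centuries_to_crack(password: str, guesses_per_second: float = 1e14) -> float:
    """Worst-case time to exhaust the haystack, in centuries."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY


if __name__ == "__main__":
    # The post's examples: the padded "D0g" beats the 23-character gibberish
    # simply because it is one character longer.
    for pw in ["D0g" + "." * 21, "PrXyc.N(n4k77#L!eVdAfp9", "TR9rIM^w",
               "3,People,Walk,Into,a,Bar", "monkey"]:
        print(f"{pw:26s} len={len(pw):2d} alphabet={alphabet_size(pw):2d} "
              f"centuries={centuries_to_crack(pw):.3g}")
```

The result is an upper bound for a pure brute-force search; a guesser that tries dictionary words and common patterns first will not search the haystack uniformly, which is why the post pairs length with at least minimal complexity.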

Do you want to see how your favorite password stacks up? Head over to GRC’s Haystacks page and see how long it takes to crack.

Coming next time

For a part two hint, head over to Lastpass’s site. We’ll be discovering how easy it is to have different passwords for each site in a secure, easy manner.


Podcasts for beginners

I would like to apologize for not posting much lately. I’ve been very busy with a redesign and branding of Red Nova Technologies.

Being so busy, one thing has been a lifesaver (or at least a sanity saver).

Many people keep music playing throughout their houses, cars, and offices to entertain them when they are doing something monotonous. What do you do when you think everything on the radio is not worth your time and you are tired of listening to All You Need is Love for the 500-millionth time? I turn to podcasts.

What are they?

Podcasts are audio and/or video files delivered regularly to your computer or device. I’ll leave out the technical details as they aren’t really important. Think of them like old-time radio shows from the 40s and 50s, but rather than gathering around the radio at seven, you can listen to them at your leisure.

There are podcasts covering every subject matter you can imagine, from news to special purpose podcasts to teach you about a subject. I’ll share a few of my personal favorites at the end of this post.

Most podcasts are free, though there are a few that are for-pay only or that give more episodes to a paying member.

I’m interested, now what?

Probably the easiest podcatcher (a program that downloads podcasts for you) to use is iTunes. That’s the method I will outline here as a basic tutorial.

First you will need iTunes installed. If you are on a Mac it will already be installed. If you are a Windows user, you will need to download and install it from Apple.

To find podcasts to download (or subscribe to)

  • Open iTunes.
  • Click the sidebar item labelled iTunes Store.
  • Click the link at the top of the store labelled Podcasts.
  • Browse, or search via the search box in the upper right corner of the window, for a podcast that you like.
  • Click the Subscribe Free button on the podcast page. This should download the latest episode of the podcast.
  • If there is a podcast you want that you cannot find in the store, copy its RSS URL to the clipboard, open iTunes, open the Advanced menu, click Subscribe to Podcast…, and paste the URL there.

To play your downloaded podcasts

  • Open iTunes
  • Click the sidebar item labelled Podcasts. (Note: the number to the left of the word indicates how many unplayed episodes you have yet to listen to.)
  • Double click on the podcast you wish to play and then double click on the episode you wish to play.
  • Use the controls in the iTunes window to control playback.

Some of my favorite podcasts

Most of my podcasts are unlikely to be of interest to non-geeks, though the following are very general purpose and a great introduction to podcasts for anyone.

  • Escape Pod - Science fiction short stories.
  • PodCastle - Fantasy short stories.
  • Pseudopod - Horror short stories.
  • This American Life - Non-fiction stories with a focus on real people and their stories.
  • Quick and Dirty Tips network - A plethora of podcasts on everyday life: grammar, productivity, public speaking, etc. Most episodes are 5-10 minutes in length and feature one real tip per week.
  • Journey Into… - Remember how I said that podcasts were like old radio shows? This one really is. Recorded somewhere in Oregon, some episodes are fiction, many are actual rebroadcasts of classic radio shows.

Hacker Rattles Internet Security Circles - NYTimes.com

These kinds of articles come out all the time and most of us ignore them. Often it’s because there isn’t much we can do in order to protect ourselves from things like this, or we don’t really know how.

Today, I’ll break down what the average computer user really needs to know about this hack, what it can do, and what they need to do about it.

For those who don’t like to read long posts, the short of it:

Update your OS and your browser to the latest version. All major browsers and OSes have been updated to fix this hack. I’ll be posting instructions later on how to do this with all versions of Windows that I support as well as OS X.

For the person wondering what this is all about:

What exactly is SSL/TLS?

It’s simple really: you use SSL whenever you go to a Web site with https: in the URL. You usually see a padlock in your browser and you feel all warm inside knowing that you are safe.

How does SSL work?

There are these things called Root Certificate Authorities. We trust them, and they vouch that the Web site you are visiting is who it says it is. There is a lot of math and cryptography behind it all, but that’s the brass tacks, if you will.

What happened here?

A hacker (or hackers) broke into a Root Certificate Authority named DigiNotar, a Dutch company, and made it vouch that anyone could be, for example, google.com. There were hundreds of certificates issued (a certificate is the way we know that a Root Certificate Authority has vouched for a site, one per site).

How was this fixed?

All browsers and OSes have revoked their trust in DigiNotar, so we won’t trust anything it has vouched for anymore. You’ll get a broken padlock or an error page if you visit a site using one of these bad certificates.

How could this have been used against me?

This particular hack required someone in the position we call Man-in-the-Middle, which means at your ISP or maybe at a state firewall (the Great Firewall of China, or Iran’s). There was very little to worry about in the United States, if you trust that your ISP isn’t hacking.

Doesn’t that mean that the SSL model is flawed?

Yes. If those at the top of this particular pyramid are compromised, then we have no real recourse. This is a grim picture, but there are good people watching for these situations and also trying to come up with a better solution. These hacks are rare, and as long as we keep our software up to date we shouldn’t have to worry.

This was an overly simplified explanation of SSL and of this hack in particular. I have tried to be correct overall, if not in the particulars, since those would make it harder to understand. Just remember to update your software regularly and you’ll be fine. If you need help with any software updates, I’m always a phone call away.


Change Your DNS Settings on iPhone, iPod Touch, and iPad | Techinch

It is a good idea to use OpenDNS on your mobile device as it should filter out known malware domains. Remember your phone or tablet is a computer also and as such vulnerable to attack just as your PC is. This link describes how to do it on an iPad or iPhone.


Adding Find my iPhone to your iPhone

iPhone users should certainly take advantage of the free Find My iPhone feature that Apple provides for the latest generation of devices (iPhone 4, any iPad, and the latest-generation iPod Touch). Following is the lesson I put together for a client to help their end users set this up on their iPhones. I have the iPad version and one on how to use the service. If anyone needs those lessons, please, don’t be shy and ask in the comments.

The Lesson

The following steps will take you through the procedure both to set up the service to find this iPhone and to use this iPhone to find another device.

Open the Settings app

From the home screen, locate and tap the Settings app

Open Mail, Contacts, Calendars

Scroll down and tap the row labelled Mail, Contacts, Calendars

Add an account

Tap the row labelled Add Account…

Choose MobileMe

Tap the button labelled MobileMe

Enter credentials

Enter in your iTunes account information and tap the Next button

Accept the location dialog box

Tap the OK button

Save your work

Tap the Save button to save the new account.

On to the next step

Once you see the Account Added screen and are dropped back to the menu, press the Home button

Open the App Store

Tap on the App Store icon

Bring up the Search tab

Once the App Store has launched, tap on the Search tab on the bottom of the screen

Search for the app

Type in Find My iPhone and tap the Search button

Select the Find my iPhone app

Tap on the Find My iPhone app from the list

Install the app

Tap on the FREE button and then tap again on the INSTALL button in the same place

Enter your password

Type in your iTunes password and tap OK

All done

The app should download and install
