
Tuesday, April 13, 2010

Passwords Don't Matter



Why Passwords Don't Matter

I set out to write an article about tools to easily manage passwords securely, but when I looked for data on computer crime to encourage people to use better passwords, I discovered a very different story. Most "computer crime" (according to the FBI) is various forms of scams and con games that used to be carried out in person, over the phone, or through the mail, but are now done through online auctions or email. Nothing to do with passwords. This 25-page 2008 Internet Crime Report by the FBI only uses the word "password" twice.

At least for corporations, the big problem seems to be people using the access they were given to do bad things. That happens much more often than people hacking into other accounts.

Computer attacks tend to target applications and the operating system. If you don't keep up with patches, your password won't matter. Source: The Top Cyber Security Risks.

Contrary to the title of this posting, good password practices are important. But what's even more important is to:

1.) Keep your wits about you and cultivate a healthy skepticism before downloading a free game, clicking on an advertisement, or buying something from someone you don't know (e.g. eBay).

2.) Keep your operating system and applications updated. Always choose, "Yes, apply updates right now" and "Of course I'll reboot." Manually check for updates periodically just in case.

3.) Use a tool like Revo Uninstaller to remove applications you are no longer using. Especially anything by Adobe, RealPlayer, toolbars (e.g. Yahoo!), and the Microsoft .NET framework.



When Do Passwords Matter?

I got an email today saying that a web application I used a single time eight years ago had suffered a break-in and warning me that if I used that password for multiple accounts, I should change the passwords to all those accounts. I have over 120 personal accounts, and God knows how many at my various jobs over the last eight years - how many of those applications have been compromised? Kudos to the organization that discovered the break-in AND alerted me. I think it's safe to assume this is not the only break-in among those 120 applications, nor the only one that was discovered.




Minimum Effort Password Management

I just read a wonderful article in the Boston Globe Online about the time-wasting, annoying, and mostly useless advice security experts have given us about passwords. So if you want to be secure with the minimum amount of effort, what is the most important thing?

I believe using a different unguessable password for every account is the most important password practice because doing so means that all of your other accounts are safe whenever one of them is compromised - and if you use a computer long enough, accounts WILL be compromised. Some have suggested using X9$bFacebook, X9$bTwitter, X9$bMySpace, but schemes that use the application name, even if it's altered in various ways, are still guessable.
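To make the point above concrete, here is an added example (my own illustration, not code from the original post or from any of the tools it mentions). It generates a unique random password per account using the operating system's CSPRNG via Python's `secrets` module, estimates the entropy of that choice, and contrasts it with the "X9$b + site name" scheme: once one pattern-based password leaks, the reusable stem can be recovered and every other account built from the same stem is exposed, whereas a leaked random password exposes only its own account. The account names and the `X9$b` stem are constructed sample values.

```python
"""Added example: per-account random passwords versus a site-name pattern."""
import math
import secrets
import string

# Character set for generated passwords (52 letters + 10 digits + 13 symbols = 75).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length=20, alphabet=ALPHABET):
    """Return a uniformly random password of `length` characters.

    secrets.choice uses the OS cryptographic RNG, so each character is
    independent of every other and of the account it will protect.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random string of the given shape."""
    return length * math.log2(alphabet_size)


def pattern_password(stem, site):
    """The scheme the post warns against: one secret stem plus the site name."""
    return stem + site


def exposed_after_leak(vault, leaked_site):
    """Return the set of accounts whose password is known once one leaks.

    `vault` maps account name -> password. The leaked account is always
    exposed. If the leaked password contains the account name, we assume
    the attacker strips it to recover a stem, then checks whether the other
    accounts' passwords are just that stem with their own name substituted.
    (For a truly random password the account name will not appear, so only
    the leaked account is returned.)
    """
    leaked = vault[leaked_site]
    exposed = {leaked_site}
    idx = leaked.lower().find(leaked_site.lower())
    if idx == -1:
        return exposed  # no site-derived structure to exploit
    before, after = leaked[:idx], leaked[idx + len(leaked_site):]
    for site, password in vault.items():
        if site != leaked_site and password == before + site + after:
            exposed.add(site)
    return exposed


def build_vaults(sites, stem="X9$b"):
    """Build a pattern-based vault and a random vault for the same sites."""
    pattern_vault = {s: pattern_password(stem, s) for s in sites}
    random_vault = {s: generate_password() for s in sites}
    return pattern_vault, random_vault


if __name__ == "__main__":
    # Constructed sample accounts, matching the post's example.
    sites = ["Facebook", "Twitter", "MySpace"]
    pattern_vault, random_vault = build_vaults(sites)
    print("Pattern scheme, Facebook leaked ->", exposed_after_leak(pattern_vault, "Facebook"))
    print("Random passwords, Facebook leaked ->", exposed_after_leak(random_vault, "Facebook"))
    print("Entropy per random password: %.1f bits" % entropy_bits(20, len(ALPHABET)))
```

Run it directly to see the two vaults side by side; with the pattern scheme a single leak exposes all three accounts, while with random passwords only the leaked account is affected, which is exactly why a password manager holding independent random secrets is the practice the post recommends.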

To manage different passwords for every account, you need a password manager. Many people use the "remember passwords" feature of their favorite browser. This is a terrible idea because:
  • It means you are storing your most secure data (your passwords) in your least secure application (your browser).

  • You are going to need to enter activation keys or passwords into software installed on your machine at some point, and you cannot store those in your browser.

  • When you go to another computer, or try to switch to another brand of browser, you don't have your passwords.

  • When your hard drive dies, so do all your passwords.

  • When you die, so does access to your computer and all your passwords.


So the web browser is not such a good solution. The best I've found (and thanks to a good friend for pointing me to it) is a free, open-source password manager called KeePass, which is available for Windows, and KeePassX for Linux, Mac, and Windows. I use it with a strong master password and a tool called Dropbox to sync it across my computers. Lifehacker has an article on how to use them together. Once a year, I recommend printing out your KeePass database, writing your master password on it (your Dropbox password will be in your KeePass database), sealing the list in a tamper-evident security envelope, and putting it in your safe deposit box. Then burn last year's list (you know, with a match). When your hard drive dies, you have a backup immediately available on your other computers via Dropbox. When you die, there are legal proceedings for your next of kin to access your safe deposit box.

For a less secure, less robust, but easier to use password manager, look at LastPass.

Tuesday, January 5, 2010

My Favorite Free Windows Applications

I rely on a small set of free tools (suggested on Lifehacker) to keep my Windows (virtual) machines (and relative's Windows machines) running smoothly. They are:

  • Revo Uninstaller: To remove programs, but perhaps more importantly, to nuke junk that auto-starts (click Tools, then the traffic-light icon). Does a nice job of removing the extra junk that inconsiderate programs leave behind.

  • CCleaner: To clean up trash on the hard drive and registry. I make sure to uncheck cookies for the cleanup in all my browsers. Longer-term, I will probably mark the cookies I care about as safe and let it nuke the rest. Then I run the registry cleanup repeatedly until it doesn't find anything any more.

  • Microsoft Security Essentials (antivirus): Free, highly rated, low-resource, no hassle. Time will still tell, but so far, so good. I've always thought that Microsoft should be the one responsible for protecting their own operating system.

  • MyDefrag: The "Weekly" script rocks. I don't run it weekly, but it's amazing what a mess Windows makes of its drive. It's like an animal soiling its cage. MyDefrag really helps boot times. I'm very impressed. Note: I do not like the "Monthly" script at all. Sorting files in name and directory order seems like a total waste of time and disk life to me.


Honorable Mention:


  • sdelete: A command-line utility from Microsoft that zeros out unused disk space. This is nice for security reasons, but I use it to keep my virtual disk images really small. I run "sdelete -c C:", then in Linux, "VBoxManage modifyhd --compact".

  • cygwin: A Linux command-line emulator for Windows. I wouldn't live without it, but people wouldn't have a need for it.


The above programs have helped me tame the most clogged-with-crapware systems and make them secure and responsive again.

If someone had told me that once I ran Linux I'd think nothing of running several Microsoft operating systems, I would have laughed. But Windows works great in a VM. It's a fun toy when you don't have to rely on it to do anything useful. I use one VM for IE6 (for testing) and the other for IE8 (for programs that don't have Linux equivalents). Both are running Windows XP SP3. A Windows 7 VM is probably in my future.