
Tuesday, April 13, 2010

Passwords Don't Matter



Why Passwords Don't Matter

I set out to write an article about tools to easily manage passwords securely, but when I looked for data on computer crime to encourage people to use better passwords, I discovered a very different story. Most "computer crime" (according to the FBI) is various forms of scams and con games that used to be carried out in person, over the phone, or through the mail, but are now done through online auctions or email. Nothing to do with passwords. This 25-page 2008 Internet Crime Report by the FBI only uses the word "password" twice.

At least for corporations, the big problem seems to be people using the access they were given to do bad things. That happens much more often than people hacking into other accounts.

Computer attacks tend to target applications and the operating system. If you don't keep up with patches, your password won't matter. Source: The Top Cyber Security Risks.

Contrary to the title of this posting, good password practices are important. But what's even more important is to:

1.) Keep your wits about you and cultivate a healthy skepticism before downloading a free game, clicking on an advertisement, or buying something from someone you don't know (e.g. eBay).

2.) Keep your operating system and applications updated. Always choose, "Yes, apply updates right now" and "Of course I'll reboot." Manually check for updates periodically just in case.

3.) Use a tool like Revo Uninstaller to remove applications you are no longer using. Especially anything by Adobe, RealPlayer, toolbars (e.g. Yahoo!), and the Microsoft .NET framework.



When Do Passwords Matter?

I got an email today saying that a web application I used a single time eight years ago had suffered a break-in and warning me that if I used that password for multiple accounts, I should change the passwords to all those accounts. I have over 120 personal accounts, and God knows how many at my various jobs over the last 8 years - how many of those applications have been compromised? Kudos to the organization who discovered the break-in AND alerted me. I think it's safe to assume this is not the only break-in among those 120 applications, nor the only one discovered.




Minimum Effort Password Management

I just read a wonderful article in the Boston Globe Online about the time-wasting, annoying, and mostly useless advice security experts have given us about passwords. So if you want to be secure with the minimum amount of effort, what is the most important thing?

I believe using a different unguessable password for every account is the most important password practice because doing so means that all of your other accounts are safe whenever one of them is compromised - and if you use a computer long enough, accounts WILL be compromised. Some have suggested using X9$bFacebook, X9$bTwitter, X9$bMySpace, but schemes that use the application name, even if it's altered in various ways, are still guessable.

To manage different passwords for every account, you need a password manager. Many people use the "remember passwords" feature of their favorite browser. This is a terrible idea because:
  • It means you are storing your most secure data (your passwords) in your least secure application (your browser).
  • You are going to need to enter activation keys or passwords into software installed on your machine at some point, and you cannot store those in your browser.
  • When you go to another computer, or try to switch to another brand of browser, you don't have your passwords.
  • When your hard drive dies, so do all your passwords.
  • When you die, so does access to your computer and all your passwords.


So the web browser is not such a good solution. The best I've found (and thanks to a good friend for pointing me to it) is a free, open-source password manager called KeePass, which is available for Windows, and KeePassX for Linux, Mac, and Windows. I use it with a strong master password and a tool called Dropbox to sync it across my computers. Lifehacker has an article on how to use them together. Once a year, I recommend printing out your KeePass database, writing your master password on it (your Dropbox password will be in your KeePass database), sealing the list in a tamper-evident security envelope, and putting it in your safe deposit box. Then burn last year's list (you know, with a match). When your hard drive dies, you have a backup immediately available on your other computers via Dropbox. When you die, there are legal proceedings for your next of kin to access your safe deposit box.

For a less secure, less robust, but easier to use password manager, look at LastPass.

Wednesday, September 23, 2009

Moving from Windows XP to Ubuntu Linux this "Weekend"

Sat, Sep 19, 2009


6 PM


Bought a Western Digital 1TB Caviar (Green) drive and 4GB memory. I wanted to keep the old drive untouched in case there were issues with the install.



10:02 PM


New hard drive installed, Ubuntu install begun. I almost went with Xubuntu, but the display got messed up in VirtualBox when I applied patches. I think Ubuntu is going to be more reliable/compatible, and that's even more important to me than performance.



11:53 PM


Sent first email from new system using Google Chrome! I spent one of those 2 hours googling and thinking about partitioning before deciding to let the installer do what it wanted. Finally I clicked "OK" about 5 times and in 20 minutes it was done. Ran the updater, rebooted, added and removed some programs; another 20 minutes total. Really, it couldn't have been easier.



Sun, Sep 20, 2009


10:13 AM


Massive frustration. So far, it looks like installing Windows is going to be the hardest part of installing Linux. All I can find is an XP Home edition upgrade CD from 2004.



Microsoft doesn't sell XP any more. The Windows 7 beta download program has ended and you can't buy it until October 22nd (or thereabouts). What you can buy (for $300) is Windows Vista Professional Non-Upgrade with a "free" download of Windows 7 when it's released so you don't have to miss out on upgrading, patching, and being the first to find bugs. Even if that sounded good, I can't buy it now because the Windows store doesn't open until noon. Tech support isn't open either.



I decided to follow the instructions here:
http://www.virtualbox.org/wiki/Migrate_Windows



It looked good, but it's not the easiest, or necessarily the best way. Read on...



4:01 PM


Booting a 150GB image of my old Windows hard drive. Woohoo!



4:06 PM


Windows asks for a key code. I copy it off the sticker on the side of my computer. It doesn't take it. I call in and punch the numbers over the phone. No luck.



It turns out that it wouldn't let me re-register because I have an OEM version that was pre-installed on the drive, and the virtual machine had different "hardware" than it was expecting. Maybe I could have faked the BIOS, the MAC address, the hardware, and I'm not sure what else in order to satisfy XP that I wasn't trying to install it on a different PC. I'm installing it on the same PC, so it's legal, but it's in a virtual machine, so I couldn't be sure the hardware would ever match. At this point I gave up and installed my XP Home Upgrade from 2004 over the XP Pro image, because the upgrade has to be installed over an existing version of Windows (apparently it doesn't have to be a validated version).



The install kept the files on the C:\ drive, but it overwrote the My Documents folder and left my old home directory inaccessible. Using CACLS showed it to be owned by WINDOWS NT/my-old-id. I was able to make it readable, but couldn't delete anything. I began deleting my now useless applications, but it was taking hours. The solution? Boot the VM into Ubuntu and delete them from Nautilus. It took minutes. How can Microsoft charge $300 for an operating system when a free one has a 100 times faster file system?



8:01 PM


Windows XP home is installed and works. Beginning "Windows Update."



8:29 PM


Installed vpnc, which connects to a Cisco VPN from the Linux command line. Nice! XP is still applying updates.



9:10 PM


Windows updates, updates, updates. 50 at once this time.



Mon, Sep 21, 2009


8:24 AM


Windows XP home was finally upgraded to SP3 around midnight last night after many reboots, and lots of clicking and waiting. Installed VirtualBox Guest Additions this morning which was quite easy.



Noonish


Had a work call that wanted to use Citrix GoToMeeting. I accidentally laughed out loud at the suggestion (it was a little awkward). But within 5 minutes I had the Citrix client installed on Windows, and thanks to VirtualBox Guest Additions I was looking at a full-screen screen-share without any noticeable lag or any issue whatsoever. Nice!



At some point I called Microsoft to find out my options. This took about 4 calls, one of which was a voice recognition system that couldn't recognize a thing I said. Later I played "20 questions" with an automated voice response system that put me on hold for 10 minutes. When I finally got a human, the response was, "If you got your operating system with a computer, call that computer's manufacturer, not us." and "We don't sell Windows XP. Want to buy Vista?"



I called Lenovo and they could only offer a CD of the original drive image for $45, but I would have had the same hardware vs. validation issues in VirtualBox.



Tue, Sep 22, 2009



4:35 PM


I'm basically done. XP upgraded to SP3, Office 2003 installed and upgraded to SP3, Norton Internet Security installed and upgraded, 2 VPNs installed on Windows. I tried to compress the virtual drive image to no avail. They aren't really designed to have their size changed. There are inaccessible or otherwise useless little bits of junk spread out on the drive image (some are unmovable by a defragment), which probably kept it from compressing. At one point, I ran some program on my XP image that was supposed to fill the drive with zeros (to make the image compress better) by making a big enough text file with each character being the null character. It was supposed to delete the file when finished, though presumably your computer would crash at about the same time, once the drive was full. It was running so slowly that I killed it and never got to see.



I thought I'd just write a little script that piped the small file of zeros many times into a new file until the machine crashed. But you can't pipe like that in DOS. I downloaded sdelete instead. It took about 5 hours for it to write 140GB of zeros.
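The "fill free space with zeros, then delete the file" trick is easy to script on the Linux side (for example from the live CD booted inside the same VM). This is an added example, not the post's own script or sdelete: the scratch file name zero.fill and the 1 MiB block size are my assumptions. Overwriting free space this way also wipes remnants of deleted files that would otherwise travel with the image.

```shell
# Zero-fill a filesystem's free space so a VM disk image compresses well.
# Added example; file name and block size are assumptions, not from the post.

BLOCK=1048576   # 1 MiB, written out in bytes so plain POSIX dd accepts it

# write_zero_file PATH MIB: write exactly MIB mebibytes of NUL bytes to PATH.
write_zero_file() {
    dd if=/dev/zero of="$1" bs=$BLOCK count="$2" 2>/dev/null
}

# is_all_zero PATH: succeed only if every byte of PATH is NUL
# (strip NULs, count what is left; a zero-filled file leaves nothing).
is_all_zero() {
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# zero_fill DIR [MIB]: fill the filesystem holding DIR with zeros, then
# delete the file. With no cap, dd runs until the filesystem is full
# (ENOSPC); that failure is the intended stopping condition, not an error.
zero_fill() {
    fill="$1/zero.fill"     # assumed scratch file name
    cap="${2:-0}"
    if [ "$cap" -gt 0 ]; then
        write_zero_file "$fill" "$cap"
    else
        dd if=/dev/zero of="$fill" bs=$BLOCK 2>/dev/null || true
    fi
    sync                    # push the zeros through to the (virtual) disk
    rm -f "$fill"           # the blocks just freed now contain zeros
}
```

Run it from inside the guest (or a live CD in the same VM) while the disk is otherwise idle, e.g. `zero_fill /mnt/windows`; the optional second argument caps the size in MiB for a dry run.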



While I was waiting for Windows/Office to install, I installed my development environment and got all my Linux apps up and running.




Mon, Oct 5, 2009



11:27 AM


I've installed Photoshop and Cygwin on Windows in the last week. They work fine, but Photoshop really needs the full-screen 1024x768. I might have to get a real graphics card and bigger monitor.

Had to share encrypted WinZip archives with Windows users. Installed PeaZip and it encrypted/decrypted zipped/unzipped WinZip files perfectly. Everything works so much faster than on Windows. There was definitely pain involved in making the switch, but it's also definitely paying off.

Lessons Learned:



  1. A new hard drive was a great idea. I could pop the old one out of the machine and be sure I wasn't deleting anything important by accident. I wouldn't try an upgrade like this without a blank drive.

  2. A Windows XP Pro SP3 CD would have been a godsend. I still might get one and reinstall to bring the disk image size down to about 10GB instead of almost 150 and to be rid of any lingering junk on the drive.

  3. Dropbox and KeePass make managing online accounts across machines really, really easy.

  4. I did the right thing. I was really unsure about it. But consider:
    1. I was able to be up and running on Linux FOR FREE in 2 hours (would have been 1 if I didn't second-guess the installer for an hour). The XP install took 2 days (would have been 1 if I paid $130 for a disk which Amazon, not Microsoft, sells).

    2. Deleting big files on Windows was incredibly slow. Rebooting into Linux running off a CD (inside the same VirtualBox VM) turned hours into minutes or less.

    3. Support: If I actually had a support question (not a pre-sales question), I would have had to pay Microsoft $45 to ask it. The Mac Ads are very funny, but they are accurate in this case. I can get on Freenode IRC for free and have virtually any (polite, pre-researched, well worded) question answered in about 10 minutes, and probably learn something else interesting while I'm there.

    4. My whole system is much, much faster. Startup is in about 20 seconds as opposed to 3 minutes. Suspend (sleep) takes about 2 seconds, waking up takes 5-10. The wake-up on Windows often took 5 minutes!

    5. In this process I expected to discover that Linux wasn't ready for prime time. Instead I discovered a lot of negative things about Windows and a lot of positive things about Linux!



Conclusion


I'm installing Photoshop now on Windows so a Windows VM is probably here to stay, but I would be very surprised if I ever switched back.



If Google comes out with a killer Netbook operating system this fall, more people will use Linux. If Windows 7 forces developers to rewrite their apps, and if people have to run XP in a virtual machine to use older applications, they can do that just as well on Linux (or Mac) and have a better, faster, more secure host operating system. All this adds up to Windows having a smaller market share and developers having more reason to come out with an OS X and/or Linux port of their software. If they use a toolkit like GTK+ (free) instead of Microsoft Visual Studio (very expensive), it shouldn't be such a big deal to run on all three operating systems. At least for me, the future looks a lot more like Linux and less like Microsoft.