Securing Your Computer using a Password

Ok, so I want to address this issue first. While a password is important for preventing someone from USING your computer, it really doesn’t do much good for protecting the data on the computer. Yes, you can password-protect your data (using Windows), but that’s risky also. While it might stop someone from booting into the computer and opening a file, it doesn’t stop them from seeing that the file exists. And if you reset your password, there’s a good chance that you won’t be able to open the file either.

If you just rely on the fact that you have a password on your login, that’s not going to do you any good. Case in point: I have a triple-boot system (Windows XP, Ubuntu 13.04, and Fedora 19) on one computer, and a triple-boot system (Windows Vista, Ubuntu 13.04, and Fedora 19) on another. On either system, I can boot into one of the Linux operating systems and open/view/run any file on the Windows drive. They don’t necessarily have the same passwords or usernames (if there’s a password at all). So, it doesn’t matter.

In fact, if someone asks me to fix their computer, the first thing I do is create an image of it. The second thing I do is boot a LiveCD and copy all of their documents, pictures, music, and whatever else they want to keep to a USB drive. Then I either fix or wipe and reinstall the computer for them. Finally, I put all of their stuff back on the computer for them. Up until I actually start to work on the computer, I don’t even need to know their passwords.

*I should note that after I’ve completed the work and verified that everything is right, I delete the images and backups. I use the images and backups in case something goes horribly wrong. I can restore them, and start over from scratch.

The point of this article is that if you’re worried about your privacy (or are required by law to ensure the privacy of your data), you need some form of encryption software installed on the computer.

By no means am I denying the necessity or value of using a password to prevent unauthorized access to your computer. It’s imperative for logging into and using the system.

Password Security revisited

If your password is on this list, then you can be sure of two things:  1) You’ll never be able to log into Twitter with this password, and 2) It’s so easily guessed that you should be surprised no one has hacked your accounts already.

The list is the 370 passwords that Twitter has banned because they are too easy.  It’s a small drop in the bucket of “dictionary words” and other weak passwords that you should avoid using.

If you want some tips on changing your password, then check out my related posts, or search for “how to create strong passwords” on Google.

Have a great day:)
Patrick.

Choosing your password (.pdf) from Securing Your E-City.

There have been multiple stories written in the past few days about hacking attempts.  They range from drones that fight in the wars to Twitter being overtaken by the “Iranian Cyber Army” last night.  While the attacks are different, they share a common theme:  the attacks were carried out because of weak passwords.

This also brings up the age-old advice about choosing strong passwords.  I came across this pdf file, thanks to ESET’s Twitter account.  The pdf file contains suggestions for what NOT to use as passwords, and how to create good (read strong) passwords.  Of course, you’re going to be somewhat limited by what the system allows.  But you should still be able to create a stronger password.

This holds true especially if you accessed Twitter last night, during the compromise.  Some reporters are saying that if you used a browser or any application that logs you in via HTTP (Port 80), there’s a good chance that your login information was given to the Iranian Cyber Army.  Which means that any account which uses the same login information is now vulnerable.

So, in short, change your passwords to something stronger.  And make sure you are not using the same password on multiple accounts.

Have a great day:)
Patrick.

Password Tips—Things to look for in Password Managers, Strong Passwords, and Secret Question answers.

Ok, I’ve talked about the three Password Managers that I found off-hand (although there are others).  So now I’m going to give you some tips about what to look for in a password manager, how to create strong passwords, and some ideas for your secret question answers.

Password Managers:  What to look for.

One of the first things that you should look for is the ability (or a default setting) to password protect your data file.  RoboForm and Password Safe are good about requiring a master password right away.  KeyWallet and Whisper 32 don’t require it immediately, but will prompt you to protect it at some point.  You can also turn this on in the options.

The second thing that you should look for is the type of encryption that the password manager uses.  Blowfish is probably the best option, but AES and DES are good too.  Make sure that it doesn’t store your master password in any plain-text files.  Even if no one can get into your computer from the outside, you don’t want that accessible to someone who has physical access either.
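One way to verify the advice above for yourself, as an added example that is not code from the original post or from any of the managers it reviews: after saving a vault, scan the data file for the master password and for a stored credential in the byte encodings a Windows program might plausibly write, and treat any verbatim hit as a leak. The two vault blobs below are constructed sample data, not real vault formats, and the check is independent of which cipher (Blowfish, AES or DES) the manager uses.

```python
"""Check whether a password manager's saved data file exposes secrets in the clear.

Added example, not code from the original post or from any reviewed manager.
It verifies one thing the post recommends: neither the master password nor a
stored credential should appear verbatim in the data file. The vault contents
below are constructed sample data, not real vault formats.
"""
import hashlib
import os
import tempfile

# Encodings a Windows application might plausibly use when writing text to disk.
_ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "latin-1")


def find_plaintext_secrets(data: bytes, secrets: dict[str, str]) -> list[str]:
    """Return the labels of secrets that appear verbatim in `data`.

    `secrets` maps a label (e.g. "master") to the secret string. Each secret is
    searched in several byte encodings; a hit in any of them counts as a leak.
    """
    leaked = []
    for label, secret in secrets.items():
        for enc in _ENCODINGS:
            try:
                needle = secret.encode(enc)
            except UnicodeEncodeError:
                continue
            if needle and needle in data:
                leaked.append(label)
                break
    return leaked


def check_vault_file(path: str, secrets: dict[str, str]) -> list[str]:
    """Read a data file from disk and run the plaintext check on it."""
    with open(path, "rb") as fh:
        return find_plaintext_secrets(fh.read(), secrets)


# --- constructed sample vaults (labels and values are made up) -----------------
SECRETS = {"master": "Mv3mjSu&p", "twitter": "H0rS3&1234"}

# A vault that writes the master password as UTF-8 text and an entry as
# UTF-16LE text: exactly what you do NOT want to find.
BAD_VAULT = (
    b"[vault]\nmaster=Mv3mjSu&p\n"
    b"[entries]\ntwitter=" + "H0rS3&1234".encode("utf-16-le") + b"\n"
)

# A vault that stores only a header, a salt and opaque ciphertext bytes.
# The bytes are a fixed constructed blob so the example is deterministic.
GOOD_VAULT = b"PWDB\x01" + bytes.fromhex(
    "8f1c2a9b3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071829304a5b6c7d8"
) + hashlib.sha256(b"constructed ciphertext").digest()


if __name__ == "__main__":
    # Write the bad vault to a temporary file and check it the way you would
    # check a real manager's data file after saving.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(BAD_VAULT)
    try:
        print("leaked from bad vault:", check_vault_file(tmp.name, SECRETS))
    finally:
        os.unlink(tmp.name)
    print("leaked from good vault:", find_plaintext_secrets(GOOD_VAULT, SECRETS))
```

A clean result only proves the secrets are not stored verbatim; it says nothing about the strength of the cipher or how the master password is turned into a key, so it is a necessary check rather than a sufficient one.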

The third thing to consider is how easy it is to use the passwords.  If you have to right click to get them, it’s a bit more time consuming than just double clicking on the name.  Although that time is minuscule, it’s still a consideration.  As far as ease goes, RoboForm was the easiest by far, and Password Safe was a close second.

Finally you should look at the options you have available in generating your passwords.  Do you have the option of password length, using Alphanumeric characters, Upper and lower case, and symbols?  Along these lines, do you have the option to override your default options, or are you stuck with them (and have to either set them in preferences first, or use a portion of the generated password)?  RoboForm and Password Safe both win on this, because you have the ability to customize your generated password before you actually create it.

If you’re looking at purchasing a suite with a Password Manager in it, you’ll want to make sure that future versions will open and upgrade your current data files.  This holds true for the free and open-source password managers as well.  Make sure they have a good import and export feature.

Tips for creating Strong Passwords:

Most of these tips are commonplace.  But I want to reemphasize them to you anyhow.

  1. Use a minimum of 6 characters for the length.  Some places require or recommend 8 or more, which is probably good.  Personally, if there’s a set maximum, that’s the length you want to use.  Otherwise, use at least 6 characters.
  2. Start with an uppercase letter.
  3. Combine lower and upper case letters in your password.  It’ll take longer to crack HorSe than it will horse or even Horse.
  4. Include numbers in your password.  HorSe1234 will take longer to crack than the other three passwords mentioned above.  There’s a language called “Leet” or “L337” that works perfectly to this advantage.  In Leet, 4 = h or A, 7 = T or t, 3 = e or E, 0 = o or O, and 1 can be an i or I, or l or L.  So H0rS3 would be even harder to crack than the other passwords (although H0rS31234 would be the hardest).
  5. Along the lines of numbers, don’t use numbers in sequence.  1234 or 1111 or 3421 aren’t good choices.  These would be some of the more common things that someone will try first.  They will definitely be trying sequences of numbers.  So even if they are combined with words, it’s not a good idea.
  6. If the site or program will allow, use symbols in your password.  ^*&#()!. are all good ones to use.  H0rS3&1234 is harder to crack than the above passwords.
  7. Do not use common names (dictionary words), words or phrases, or things that people can find out about you.  This includes your address, social security number, date of birth, phone number, or anniversary date.  Definitely don’t use your name or any of your relatives’ names.  Even if you combine them with the other tips, they’re still easy to figure out.
  8. An option that’s commonly recommended is to pick a phrase and use the first letter of each word in it.  For example, “My Very Elderly Mother Just Sat Upon North Platte” (the phrase we were taught as kids to memorize the planets) could become “MVeMjSuNp” and you could even go so far as to make it “Mv3mjSu&p”.  It’s a phrase you’ll remember, that no one will recognize, and includes the numbers and symbols.

Tips for the “Secret Question” answers.

Ok in my first post about passwords and managers, I talked about how easy it was to crack Sarah Palin’s Yahoo account.  They simply found the answers to her secret questions.  And most people will at some point blog or post about their first pet (Georgie), High School name (Franklin), or even their first love (Julia).  So, what do you do to fool potential crackers?

Probably the easiest thing is to make up names for these things.  But that may not work, since you’ll be more apt to try the real names than your pseudo names.

What I recommend doing is using some of the same tips for strong passwords.  My first pet just went from Georgie to G3oRg13.  My High School is now Fr4&kl1n, and my first love?  Ju1I@.  This makes it a lot harder to crack the secret question, because most places will lock you out after two or three attempts at answering it.

*Just for clarification and stating the obvious, don’t use the passwords or combinations of secret questions that I posted here.  And none of these apply to any of my passwords or secret questions.

Have a great day:)
Patrick.

Password Manager Reviews Part 1

Ok, so you’ve read the articles about how insecure the concept of “Secret questions” is.  And you want to know how to make a secure password, or where to store your passwords in a safe place.

So, let’s talk about Password Managers.  These programs are designed as a one-stop place to hold all of your passwords and make them easy for you to use when needed.  The theory is “Why remember 20 passwords, when you can remember one password and have access to 20 of them?”

There are a lot of managers out there.  Some are included as parts of suites like Symantec and McAfee provide.  Others are standalone programs—both free and shareware.

The ones that I’m reviewing are freeware programs: RoboForm, Password Safe, Whisper 32, and KeyWallet.  If you’re a Linux user, then KDE incorporates a password manager that’s similar in name to KeyWallet (if not in form and function).  The four that I’m reviewing are on Windows Vista, but are usable on other versions of Windows, and possibly on Linux as well.

I’ll do this over 4 more parts, and will include some tips about what to look for in a password manager (both free and paid).

Tomorrow, I’m going to review RoboForm.

Have a great day:)

Patrick.