Wednesday, April 23, 2014

Let's talk passwords

I began this post weeks ago, but with the recent Heartbleed problems, it's even more timely and I feel like I need to finish this and get it out there.

Passwords have been an issue for some time, and they will continue to be more and more of an issue. There have now been a few large scale compromises--that we know about--and there will only be more as time goes by. I thought I'd bring this blog (at least briefly) out of retirement to talk about them.  I'm going to knock down some password myths, discuss how to build good ones, and give you some best practices, some good practices if you don't follow the best ones, and some okay practices.

First of all, passwords are terrible.  They're just an awful concept, but we use them because they're approximately the least-worst of several bad options.  Passwords are naturally easy to guess, and hard-to-guess passwords are necessarily hard to remember.  For good security, you need to use a different password everywhere, but the human mind doesn't work that way.  Passwords are a way that vendors, developers, and admins push the responsibility for security onto their users, because passwords are easier and cheaper to implement than actual, functional security measures.  One day, if it hasn't yet happened (it probably has, but you may not know), a password of yours is going to be compromised; know that when it happens, it is not your fault, but rather that the way the world is currently set up guarantees it over a long enough time window.  The best you can do is minimize the frequency and the impact of a compromised password.  This means using passwords that are:

  1. Hard to crack, but more importantly,
  2. Unique to the service you're using them on

If you don't read any further into this article, the best way for a layperson to do this is to use password management software. Password managers have their issues, but they are far better than your other options.  I personally use and love Lastpass, and know other people who swear by 1Password and Keepass, but the fact of using a password manager is more important than which you use.  Note that those are direct links, and there's no kickback involved for me in this (although I don't control the ads that show up on this site in the sidebar).

The reason to use a password manager is that it takes out of your hands the need to come up with a new password for each web site, something people are terrible at doing and so generally won't do.  Come up with a very strong password for the manager (we'll discuss those later), and then import almost all of your passwords into the password manager.  The exception is this: do not use the password manager to hold your primary email password. Come up with a separate (and again, strong) password for this service.  You'll be required to manage two passwords, but this means that an attacker that compromises your password manager doesn't have access to your email, and most services will allow you to reset or retrieve your password using your primary email address.  Likewise, someone who compromises your primary email password doesn't immediately get access to all of your other services, although you'll need to establish a new email address ASAP and start moving things.  What to do when a password is compromised will have to wait for another article, as this one is going to be long enough.

Going forward, you'll want to use the password manager to generate randomized passwords for everything you log into.  Your existing services will take some time, but for any new service, always use the manager rather than coming up with something manually.  Try to be disciplined about this: whenever you log into something, immediately change the password if you haven't already to something randomized.  The benefit of this is that when one of these services is compromised (as one of them will be), the attacker only gains access to that service.  When you reuse passwords, if someone compromises that password in one place they gain access to every place that you use it.

Now, some people are not going to use password managers, for various reasons.  Distrust of third parties, self-reliance, inability to install software on their work computers, all valid things.  In addition, some services can't be used with your manager, and you may not have access in the office.  Many people will require passwords that have not been generated via software.  We're going to go through a few things for you, and for those passwords that simply can't be stored in a password manager.

This is my personal method for coming up with a strong but memorable password.  I'm going to give you an example. DO NOT USE THE EXAMPLE PASSWORD. The example password is also not a password that I have used anywhere, but I encourage you to try it.

Step 1: come up with a nonsense word or phrase.  Not something random, like jkasdgkjashg.  We're going to use the brain's language capabilities to give us something both unique and memorable.  Phrases are particularly good, because they include punctuation and spaces.  Let's use "aggle mibble" (we'll be omitting the quotation marks).

See how easy that is to memorize? You've probably already got it down.  It's also not crackable using dictionary methods, because those aren't English words (if you google them, you'll find one is a Gaelic word and one is a name for a code library, but coming up with entirely unique nonsense words is not worth the time for this exercise).  It includes a space already, which means that cracking it with brute force will take orders of magnitude longer (check it against GRC's password haystacks, and you'll see the single space takes the "massive cracking array scenario" from around 39 seconds to around 7 months).

Step 2: Strengthen your nonsense phrase with some capital letters, numbers and/or symbols. Using the old "change a letter to a number" chestnut and starting with a cap gives us Aggle Mibbl3.  Try this against the above cracker, and you'll see that our offline attack scenario is now in the centuries.  Now, look back at that password.  Isn't that much, much easier than the sorts of passwords you'd expect to be that strong?  We've used your brain's ability to handle language to reverse the normal scenario; this password is now very easy to remember and very hard to crack.

Optional step 3: Remember what I said about unique passwords?  Well, even if you're generating passwords with your own mind and not with a software tool, it's still possible to remember a unique password for every site and service.  I'll show you how.

Imagine you log on to, and are asked to create a strong password. You've already followed the process above, and now you'll remember Aggle Mibbl3 for the rest of your life.  Now, to make a unique password for this site is as simple as embedding the site itself somewhere in the password.  We could go with:

yourbank Aggle Mibbl3

or even better: Aggle Mibbl3

But better still is:

Aggle Mibbl3

Now you have a phenomenally strong, easy to remember password that is impossible to crack with a dictionary and virtually impossible with brute force.  It is also unique to this site, and therefore if compromised it won't automatically compromise everything else you log into.
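A small calculator, added here as an example and not part of the original post, that reproduces the haystack-style search-space arithmetic behind the figures cited in steps 1 and 2 and extends it to the site-token version from step 3. It assumes the character-class sizes (26 lower, 26 upper, 10 digits, 33 symbols including space) and the one-hundred-trillion-guesses-per-second "massive cracking array" rate that GRC's haystack page uses; "agglemibble" (no space) is a constructed baseline. It models exhaustive brute force only, not dictionary or pattern-aware guessing.

```python
"""Haystack-style brute-force search-space calculator (added example)."""

# Assumptions (not from the post): class sizes and guess rate as used by
# GRC's Password Haystacks page. The space counts as one of the 33 symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
MASSIVE_ARRAY_RATE = 100_000_000_000_000  # guesses per second (1e14)

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive attacker must assume, given the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):  # punctuation and space
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Count of every string of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, rate: int = MASSIVE_ARRAY_RATE) -> float:
    """Worst case for an exhaustive (not dictionary) attacker guessing at `rate`."""
    return search_space(password) / rate


def humanize(seconds: float) -> str:
    """Render a duration the way the post talks about it: seconds, days, years."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


def compare(passwords):
    """Map each candidate to its exhaustive-search time in seconds."""
    return {p: seconds_to_exhaust(p) for p in passwords}


if __name__ == "__main__":
    # The post's progression: nonsense phrase, then with the space, then
    # strengthened, then with a site token embedded. "agglemibble" is a
    # constructed baseline showing what the space alone buys.
    for pw in ["agglemibble", "aggle mibble", "Aggle Mibbl3",
               "yourbank Aggle Mibbl3"]:
        print(f"{pw!r:26} alphabet={alphabet_size(pw):3d} "
              f"space={search_space(pw):.2e} -> {humanize(seconds_to_exhaust(pw))}")
    # None of this models a dictionary or pattern-aware guesser; it bounds
    # brute force only, which is why the site-token pattern is still only as
    # strong as its obscurity.
```

Run it and the first three lines land near the 39 seconds, 7 months and centuries the post cites; the site-token line shows why a longer phrase dwarfs all three under this model.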


 - Obviously, if this password is compromised, and a human looks at it, they'll probably recognize the pattern.  If that happens, they can attempt to use it against other sites, so if this is compromised you should still go through the process of resetting passwords anywhere you've used the same pattern.  However, if this is compromised programmatically, it is unlikely that an automatic password cracking implementation can recognize the pattern and reuse it, and that's the greatest danger.  Of course, if similar patterns become popular, they will begin to do so.

 - Some sites limit your password length.  These sites are very poorly implemented, but they likely include places you'll be absolutely required to log into, such as your bank.  There is nothing to be done here, and for these I highly recommend the password managers described above.

 - Similarly, some other poor site implementations omit certain symbols, like the spaces we used.  You can replace them with dashes, or dots, or anything else that you feel you can remember, but the fragmentation of password requirements is going to cause you problems.

Ultimately, the real fixes for this need to be on the industry side, but it will probably require a few more high-profile, internet-wide breakages before anything is done on a large scale.  The best you'll be able to do in the meantime is to protect yourself, and fixing your password usage is the first and most important step to doing so.

Happy internetting. I'm sure the more tech savvy of you are already poking holes in my reasoning, so feel free to do so in the comments.

Monday, December 31, 2012

What tablet should I buy?

Image © Copyright Keith Evans and licensed for reuse under this Creative Commons Licence.

This could probably have been more timely what with the Christmas season just ending, but I've been working on other projects.  I've been asked this a lot lately, for obvious reasons, and hopefully I'm addressing it soon enough to get to the post-Christmas crowd.

The first question is what platform you want.  The short answer is: buy the one whose platform matches your phone.  If you have an iPhone, buy an iPad.  If you have an Android phone, buy an Android tablet.  The reasoning here is that you're already invested in the app market for that platform, and many (not all) of your apps will be reusable.  Some developers want you to use different versions for different form factors, and so the phone versions won't transfer, but by and large you'll be able to make use of previous purchases.  You'll also understand the little idiosyncrasies of the system better.  Unless you have a specific function that you know only the other tablet has, this is the way to go.

The second question is the form factor.  A 7 inch tablet is highly portable, a 10 inch tablet is magazine-like and easier to consume content on.  If you don't think you have a preference, I would recommend the larger size.  There are more things that it is capable of, and it's closer to what developers are aiming for when they develop for tablets specifically. You should go with the smaller version if you're on a budget and don't need the size.  If you're on a budget but do need a large viewing space, consider buying refurbished.

If you are buying an iPad, you're done now.  The smaller form factor is the iPad Mini, and the larger is the plain ol' iPad.  The newest version of the latter has Apple's "Retina" display, but the older iPad 2 is still perfectly usable if you want to save a little money.

As far as Android, my specific recommendations as of this moment are the Nexus 7 from Google if you want a smaller tablet and the Note 10 from Samsung if you want a larger one.  This information changes quickly, but you're probably safe with anything that's called a Nexus, and Samsung is widely acknowledged to make very good hardware.

Things to avoid:

  • No-name generic Android tablets abound, but you won't save enough on the cost of the Nexus 7 to justify purchasing something cheaper.  They are generally locked to an older version of Android; most of these are on 2.3 or earlier, while Android has reached 4.2 as of this writing.
  • I think buying a 3G or 4G tablet is silly for most people, as the situations in which you'd use a tablet but won't be under wifi are extremely rare.  With a phone, sometimes you'll want to navigate in the car, or take phone calls or text messages while outside, but unless you're going to do a lot of tablet computing in the park you probably don't need the extra expense at the time of purchase, let alone the data plan.
  • The Surface, in my opinion.  It's an exciting prospect in a lot of ways, but buying the first generation of a new Microsoft product is almost always a mistake, and Windows 8 has some serious problems.

Tuesday, November 6, 2012

Post Office update

Google seems to have made some under-the-hood changes to Chrome that broke Post Office.  It's now updated and appears to be working again, but let me know if you're using it and have problems.

For those who don't know, Post Office is a Chrome extension that I wrote to help manage multiple email accounts.  There's a full description in the Chrome Store, but the gist is that it allows you to selectively send to email links via webmail rather than your computer's default mail client.  I have to maintain a large number of email addresses, which makes this useful for me.  It may or may not be useful for you, which is why it's available on the store.

In case you're curious, now has a GitHub where you can see open source code projects.  Currently, this only includes Post Office.

Saturday, November 3, 2012

Why not Linux servers for small businesses?

I occasionally get asked why I don't use Linux more often for my clients. I've now spent about ten years as a networking consultant, six of them in the small-to-medium business space, which on the surface sounds like the ideal market for free-license software.

This doesn't work for many reasons, which differ between desktop and server systems.  Today I'm breaking down the problems, as I see it, with Linux servers in the SMB market.

Time is money. Specifically, my time is expensive.  I work for companies that can't even close to afford to hire me full-time, and if they do have a "computer guy" on site, it's someone's nephew who kind of knows his way around a DOS prompt.  This divides the "computer work" into a few different categories:
  • High-level design and administration.  My bag.  This is fine under Linux, if not somewhat better in many cases.  It takes somewhat more time to build a Linux machine, but it probably takes less support over the lifetime of the device, so that's a wash. This is where big savings are possible; Windows Server 2012 Standard licenses cost about the same as 7-10 hours of my time for a small business, depending on the number of employees.  Setting up a Linux network with a small number of servers takes longer than a Windows network (yes, it does), but not 7-10 hours longer per server, and you may save on support calls going forward.
  • Mid-level support. This is either done by someone moderately savvy, or by me walking someone through the steps involved.  This is a real drag under Linux, because the people I'm talking to aren't familiar with the interface, but it can be done and probably still works out better overall.
  • Day-to-day tasks. This is essentially impossible for end users to do on any version of Linux yet released without massive retraining.  In order for this to work, Linux needs to offer a desktop that is either as close as possible to Windows so that it looks familiar or is absolutely brain-dead to use. E.g., there's no real "desktop" unless you manually invoke it; you just log in and there are big buttons that say RESTART SERVER, RESTART X SERVICE, FIX PRINTERS (which clears the print queue), etc.

Application compatibility. This is big, and probably insurmountable without a giant push for more open-source software.  There are no good small business accounting packages on Linux (no, there aren't).  There are no truly solid ways of running Windows software, and if there were the vendors wouldn't support it.  Most small businesses are completely dependent on integrated accounting packages like Quickbooks or Peachtree.

That said, this is becoming less of a problem, as these services become hosted.  Most small businesses are now better off with hosted mail, and the fact that there's no Linux-based equivalent to Exchange/Outlook for mail/calendar/contacts matters much less.  These accounting systems are also going online, but as of yet the costs are prohibitive.  As they come down, more functionality can be pushed off site, and eventually most users will just use on-site servers for centralized account management and file sharing.  That's when small business Linux will become much more viable.

Packaged applications. Setting up a Windows server to host a dozen services is brain-dead simple and extremely fast.  No command-line work is necessary any more, everything is GUI- and wizard-based, and the defaults are almost always sufficient to get you 90% of the functionality you need.  Once I'm done designing a network, I can send a much more junior systems installer to handle the rest of it.  And Windows is only becoming better at this (although the UI in Server 2012 leaves something to be desired).

With Windows, one can set up services like DHCP, DNS, file sharing, centralized authentication, and even more advanced systems like VPN and a virtualization hypervisor with the push of a few buttons.  All of these things are available in Linux systems, and in many cases run better, faster, and with less intervention, but the setup goes from something essentially trivial to something requiring expert knowledge even for the most basic services.

Unfamiliarity. Linux just sounds scary to a lot of business owners (barring that small number of technophiles to whom it sounds great).  It's gotten branded as a geeks-only operating system that can't be used by mere mortals, which is a reputation that is only partly deserved, but it is partly deserved, primarily for the reasons outlined above.

None of these is insurmountable, but most Linux flavors don't even make the attempt.  Red Hat is doing very well in the enterprise space, and Ubuntu seems to be aiming at the desktop and tablet market rather than at small businesses.  There is a lot of room to compete with Microsoft in this space, in my opinion, but it can't be an afterthought.  Even a wizard-based GUI-installed flavor of Linux that sets up DHCP, DNS, and file-sharing would go a long way, although to be a real competitor it needs to have an easy-to-use counterpart to Active Directory, and that doesn't seem to be forthcoming.

All of that said, I do use Linux in my practice, but it's a relatively small part.  Linux is great when I've already got an Active Directory server in place and just want to set up a file server (although AD integration could be miles better than it is).  Linux handles certain services far better than Windows, like simple web servers, FTP servers, and firewall systems (although for the latter an appliance is usually the best choice).  And Linux is a great way to re-use dying hardware for non-critical applications.  Even with all of that, though, it's maybe one in ten clients for whom it makes sense, dollar-for-dollar, to set up a "free" OS.

Microsoft escapes the top ten threat list

Microsoft's security team is killing it: Not one product on Kaspersky's top 10 vulnerabilities list - The Next Web: Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.

Although, arguably, it has more to do with how very terrible Adobe's products are.  Half of the top ten are Adobe products.  Frankly, internet safety would be in a much better place today if Adobe had never incorporated; the vast majority of the infected machines that I deal with were infected by compromised PDFs or Flash vulnerabilities.

Friday, October 26, 2012

Why Does Everyone Hate Windows 8? Should I Upgrade?

Why Does Everyone Hate Windows 8? Should I Upgrade?: Windows 8 is getting a bad rap from a lot of people, but it really does have a lot of good stuff going for it. After all, people hated XP when it came out, too. Here are some of the things people are complaining about, and why they probably don't matter.

Lifehacker has a significantly different view of Windows 8 than I do.  For one thing, I think that the argument that you shouldn't worry about the Start menu going missing because you can download third party tools to replace it is very weak.

Wednesday, October 24, 2012

Paypal pushing users into binding arbitration

You probably just received a notice from Paypal, and you probably didn't read it.  That's okay, I do these things so that you don't have to.  Paypal is binding any users who don't opt out through physical mail to internal arbitration without outside legal recourse.  They've done this before, but without the opt-out procedure it's proven legally thorny for them.

Paypal is, of course, notoriously difficult to deal with, and we'd all like to have legal recourse should it be necessary.  Here, from their agreement, is the opt-out method:
  1. You can choose to reject this Agreement to Arbitrate ("opt out") by mailing us a written opt-out notice ("Opt-Out Notice").  For new PayPal users, the Opt-Out Notice must be postmarked no later than 30 Days after the date you accept the User Agreement for the first time.  If you are already a current PayPal user and previously accepted the User Agreement prior to the introduction of this Agreement to Arbitrate, the Opt-Out Notice must be postmarked no later than December 1, 2012. You must mail the Opt-Out Notice to PayPal, Inc., Attn: Litigation Department, 2211 North First Street, San Jose, CA 95131.

    The Opt-Out Notice must state that you do not agree to this Agreement to Arbitrate and must include your name, address, phone number, and the email address(es) used to log in to the PayPal account(s) to which the opt-out applies. You must sign the Opt-Out Notice for it to be effective. This procedure is the only way you can opt out of the Agreement to Arbitrate. If you opt out of the Agreement to Arbitrate, all other parts of the User Agreement, including all other provisions of Section 14 (Disputes with PayPal), will continue to apply.  Opting out of this Agreement to Arbitrate has no effect on any previous, other, or future arbitration agreements that you may have with us.

If everything just went fuzzy on you and you woke up in another room after trying to read that, the gist of the gist is that you must send snail mail to Paypal by December 1 of this year indicating your intent to opt out, or thirty days after you first sign up if you are not a current Paypal user.  It has to include your name, address, phone number, and all email addresses you use with Paypal.  The letter must state your intent to opt out of the Agreement to Arbitrate, and probably should be labeled "Opt Out Notice" at the top.

Here are the requirements in easy-to-digest list form:

  • Labeled "Opt-Out Notice"
  • States that you opt out of the "Agreement to Arbitrate"
  • Signed
  • Sent through physical mail
  • Includes your:
    • Name
    • Address
    • Phone number
    • All email addresses used with Paypal
  • By December 1st 2012 OR thirty days after you sign up for new users
  • Send to:
PayPal, Inc
Attn: Litigation Department
2211 North First Street
San Jose, CA 95131

I strongly recommend that all readers do so as soon as possible.