Brenden Schaaf / November 10, 2013

I have 294 passwords…but I only need to remember one!

password hellI really do wish I had more time to write blog posts for this site.  It isn’t that I don’t have things to say — it’s that I have so much to say that I tend to say them on Twitter in 140 character bursts instead of here in long-form posts.  In addition, I continue to contribute to the Minnesota Society of CPAs member publication, Footnote.  I’ve written here about LastPass before and I tackled the issue of password generation/vault software for the September issue of Footnote.  I have been impressed by the feedback I have received and I hope that everyone that is serious about security and about making their lives simpler investigates the use of LastPass or a similar password management software solution.  Here’s a link to my article:

Brenden Schaaf / March 24, 2013

Even encryption may not be enough

Data security is probably one of the biggest issues facing everyone in the near future.  We’ve grown accustomed to hearing news reports about laptops stolen from the back seat of rental cars and hard drives lost in-transit containing sensitive data such as social security numbers.  In these cases, the advice has been that encryption would protect data in such circumstances and the issue is just that too few people use it.

With our increased reliance on mobile technology, Android and iPhone have offered users the option of encryption for some time giving users some peace of mind that their data on mobile phones could be secure as well.

Well it isn’t quite that simple as some German researchers have discovered. It turns out that placing the phone in the freezer can allow some of the supposedly “safe” data to become compromised.  There are very specific circumstances that have to be met in order to pull this off, but just the fact that it is possible should give people some reservations about placing especially sensitive data on their mobile devices.

Compared to people naively using unsecured wireless access points while accessing sensitive data, I think that this issue is comparatively minor but it is worth noting.  Perhaps the biggest benefit will be to hardware/software manufacturers so that they can build countermeasures into their products.

More information:

Brenden Schaaf / June 10, 2012

How safe are your passwords?

Strong Passwords courtesy Paul O'Rear on FlickrThe recent news that some LinkedIn and eHarmony passwords have been compromised represents the latest  in a string of such stories that are part of a trend we will continue to see for the foreseeable future.  Users of these services were advised to change their passwords, but how much will that really protect most people?  Most of us have accounts, and therefore passwords, with dozens or even hundreds of websites.  Furthermore, it has been reported that way too many people use the same password (including the password they use for online banking) or handful of passwords across multiples sites.  So once a hacker has someone’s email address and password for LinkedIn they very likely have enough information to login to Amazon, eBay, Wells Fargo, etc.

So what’s a person to do?  Standard advice includes creating strong passwords that aren’t susceptible to dictionary attacks as well as making a different password for every site visited.  After doing this for just a handful of sites, however, it would become next to impossible to remember every password needed by most of us.

Storing passwords in an encrypted text file is a possible solution, though keeping  a copy available on several machines and mobile devices would require the use of insecure means (such as carrying the file on a USB flash drive or emailing the file back and forth between work and home) or the use of an encrypted synchronization solution like SugarSync or Dropbox.  I think that anyone willing to do that is better off using a dedicated solution in the form of an online Password Manager.

I first learned of these kinds of tools at the 2011 MNCPA Tax Conference, when Tommy Stephens of K2 Enterprises demonstrated a tool he uses called RoboForm.  I was impressed that it allowed him to select bookmarks directly from his browser and be automatically logged in to the destination site without any intervention.  This looked like a good tool to use primarily to save time…I didn’t really give much thought to the security reasons for using such a tool.  I tried RoboForm after the conference for a couple weeks but soon found that I preferred a similar solution called LastPass instead.

I actually became aware of LastPass in 2010 when Xmarks was purchased by them, but never thought to use it until I saw the Roboform demonstration and found it to be kind ofLastPass Generate Secure Password Dialog Box kludgy in my daily use.  The lightbulb went off and I quickly recalled that the sister-program to Xmarks (another product I highly recommend, by the way) might be worth checking out and I sure am glad that I did so.  In my opinion it just works better than Roboform and I found it very intuitive to set up and use.  Having used LastPass now for 6+ months I can’t recommend enough that everyone use this program.  Given that these tools are constantly being updated and related applications are available for multiple operating systems (iOS, Android, Windows, Blackberry, Linux, etc.) you should try a couple and choose the one that works best for how you use the internet and the devices you use.

Here are some of the many benefits to using LastPass:

  1. Passwords are encrypted and stored securely and are unlocked only through the use of a master password (needed only one time per browsing session at most).  Since this is the only password you really need to remember you can, and should, make it very strong.  Doing so is key to making your information secure.
  2. You can easily test your password performance and continue to tweak your passwords to make them even more secure using a tool that runs against your current collection of passwords and ranks you in comparison to other users.  See graphic showing my scores.
  3. Not having to remember passwords for multiple sites, especially those used infrequently.
  4. No longer storing passwords insecurely in multiple web browsers on several machines.
  5. Easily generate lengthy, strong, unique passwords.
  6. No password reuse at multiple sites.
  7. Browser add-ons and mobile apps are available to make LastPass easy to use on multiple devices and platforms.  Some of these tools are available only to subscribers to LastPass Premium, but the cost of $12/year is negligible and I felt compelled to pay for the premium product just to support the software development even before I used the Android app.

When first run, LastPass will offer to import passwords stored in your default browser making it easy to populate the database initially.  Once that is done you’ll want to visit each site stored in LastPass to change your existing password for that site to something stronger.  LastPass will generate a password to your specifications.  Start by choosing  the desired password length and whether to include uppercase, lowercase, numeric, or special characters and let LastPass create a random password.  Depending on the website, you may be able to click “Accept” at the bottom to have the password automatically inserted into the password field(s) on the site or you may need to click “Copy” as in the graphic shown to manually paste the password into the form.  Once you do that, LastPass will offer to store the password for future use.

One of the most frustrating issues I ran across when going through this process is how varied the password requirements are for different websites.  See the adjacent table for some of the requirements I noted for some randomly chosen sites.

Password requirements for selected sites

I was surprised at how many sites had upper limits on password length since presumably the sites are storing a hashed version of user passwords (which may be a fixed length no matter how long the user’s password is).  I was also shocked that several sites emailed me the new password in plain text immediately upon changing it, a very problematic issue.

Perhaps the most troublesome are those that only allow short passwords or that disallow special characters since they are limiting the strength of their customers’ passwords by default and making their own sites more vulnerable than necessary. Although many sites allowed very long, complicated passwords (I set several of my passwords to 75+ characters) there were some, unfortunately, that limited passwords to 4 digit PINs.

I was also surprised by a few websites that didn’t seem to allow password changes at all but I found a work-around for nearly all of them by using the “forgot password” link to generate a new, temporary password and then I was able to create a new password.

At present you can see by the images above that LastPass is managing 214 passwords for me and the average length of the stored passwords is 23.7 characters.  I couldn’t imagine memorizing more than one password that long much less several dozen that are longer.  Not only am I more comfortable now that I’m using LastPass but I find being online and the myriad of passwords to be even easier to use now.  That’s a definite win-win.

Anyone that cares about security should use LastPass or a product like it.

Brenden Schaaf / January 16, 2012

Customer Service in Contrast

I was prepared to write a blog post about the excellent service I received today at the new Discount Tire near our house, but before I even arrived home I received such terrible service elsewhere that I’ve decided to highlight both experiences because it makes the good service feel even that much better.

My wife and I were on our way to Caribou Coffee a couple miles from home this morning (we are both off for MLK Day) when our tire pressure warning light came on.  This has happened a couple times before and it has always meant that one tire was a bit low on air.  Since we had our tires filled with nitrogen a few months ago this was a surprise because nitrogen typically doesn’t leak from the tires at all as opposed to “regular air” that does (especially in winter).  After parking at Caribou, my wife noticed that the right front passenger tire was very low…as in it would probably be completely flat if we left it for the day.  Conveniently enough, within the last two months a brand new Discount Tire opened up pretty much next door to the Caribou so we hopped back in and drove across the street to get the tire fixed.  The guy told us it would probably be 20-30 minutes so we told him we’d be back in an hour and walked to Caribou to drink some coffee and read as originally planned.

When we arrived back at the Discount Tire after an hour, another gentleman was at the desk.  He gave me the van keys and then said he wanted to check what they found in the tire so he went out the garage briefly to find out.  When he got back he said they found a screw in the tire but they repaired the puncture and we were good to go.  He gave me a receipt that showed $0.00.  I asked, “there’s no charge for this?” and he replied, “not today…all we ask is that you give us a chance to earn your business the next time you need tires.”  I was blown away.  I expected to pay $50 or more and would have been happy with that.  Instead I was elated like I was after being treated so well by the Kansas City Royals last spring.  My wife and I left feeling very happy and are somewhat excited to actually need tires in the future (who can say that ever?) knowing that we will be well taken care of at Discount Tire.  I can honestly say that the next set of tires we purchase will be from Discount Tire, without question.

After leaving Discount Tire, we went to directly to Osaka Sushi and Hibachi Steakhouse to meet up with an additional four people for lunch (not be confused with the Osaka Seafood Steakhouse whose website confusingly lists some of the same locations including one in Coon Rapids but not this one in particular).  They had purchase a Groupon worth $40 good Monday through Thursday in January so today seemed like a good time to use it.  The six of us were the only ones at our table and there was only one other table being used in the Hibachi portion of the restaurant (where they cook in front of you) so they weren’t all that busy even though it was Noon when we arrived.

Upon ordering, our friends presented their Groupon and were told it was only good at dinner and that it could not be accepted for lunch.  We ordered our food and everyone examined the Groupon more closely.  Nowhere on the Groupon does it restrict the time of day that it can be used, only the day of the week.  Figuring that the waitress was just doing what she was told, our friend approached the manager.  He was again told that the Groupon could only be used at dinner.  I called up the Groupon website on my phone while this was happening and also found no restrictions listed.  Asked to explain again where on the Groupon it restricted usage to only dinner, the manager (David) then offered our friend $30 toward lunch instead of the full $40 that could be applied to dinner (according to him).  Only after an additional protest after dinner did the manager offer up a feeble “I dont’ know why it doesn’t say it on there” and finally agree to take the full $40 off their bill. He was obviously disgusted to do so and offered no apology.  If he was confused as to why it didn’t restrict time of day on the Groupon imagine how his customers felt.  He didn’t seem to care.  Especially since someone took the time to ask if the Groupon could be used for lunch and was told that, in fact, it could!!

The most interesting thing to me in our experiences at two different businesses today isn’t that we were treated well at one business and shabbily at another.  We’ve all grown accustomed to poor service so much that it is hardly a surprise to have to fight for what is right these days.  What surprised me is that the business that treated us well is a part of a national chain and the place we were treated poorly is a locally owned (presumably), small business.  I would have expected our experiences to be flipped.

What isn’t surprising is that I will beat a path to Discount Tire the next time I need work done and I will recommend that my friends do the same.  Also, I will never again set food inside any Osaka location given our treatment today.  According to my 7-year old, Behihana has better food anyway!


Brenden Schaaf / November 29, 2011

A couple things I’ve written

Despite the lack of writing I’ve been doing here, my pen hasn’t been completely idle.  In the past several months I’ve written a couple things for MNCPA publications.

  • A Footnote article from several months ago highlighted some file-syncronization services, including my favorite service, Sugarsync, that will keep files (especially those frequently used) synchronized across several devices.  This has been particularly handy to me since the demise of Windows Live Sync that I wrote about before and the added bonus of cloud-based storage is a nice feature when I’m on a machine I don’t own.
  • A Student eNews piece hit the virtual press in October.  It urges students to learn to use technology while in school because employers will expect it and there are benefits to be realized while they are still studying.  It frustrates me that accounting majors are even allowed to graduate without knowing basic Excel strategies.  Hopefully some of them take my advice and the make an effort to improve themselves before they are on someone’s payroll.

Brenden Schaaf / November 27, 2011

Flexible Backup From

I remember thinking when I started this blog that I would make frequent posts here to share things, primarily with my friends and family.  Then I discovered Twitter and that became my main place of sharing information instead.  Every so often, though, a tool comes along that I can’t describe in 140 characters or less and it lands here.  My discovery of Crashplan is one such item.

If you are like me, you have good intentions to frequently back-up your data, but those intentions turn into “I’ll do it someday” which turns in to never.  Despite having the capacity to easily back-up my own data on a different computer or a separate hard drive within my main desktop PC, doing so (however infrequently) doesn’t help me in case of disaster such as a fire at my home.  In that case all of my data, including the backups, would be destroyed.  Also, I’ve yet to find an external hard drive and/or backup software that made the process easy despite what the marketing would have you believe.

A Footnote article I wrote for the MNCPA several months ago highlighted some services, including my favorite service, Sugarsync, that will keep files (especially those frequently used) synchronized across several devices.  This can create a de facto backup service for the items you choose to synchronize and this works quite well for files that are frequently edited as it results in the current version of every file available on every device.  But what about backing up the all-important photos or MP3 files that don’t really change (although the collection of such files does grow over time)?  For that situation a dedicated backup solution is best.

In pursuit of such a solution I have discovered Minneapolis-based Crashplan.  I recall them being mentioned as some professional conferences I had attended the past couple years and I pushed into looking at them further after seeing a billboard for their service just yesterday in Blaine.

This unique software offers free and paid options.  Using the free options you are able to backup your data to other computers (including those of your friends to create an “off-site” backup) or external hardware.  The paid choices add storage in the cloud on Crashplan’s servers as well. While many other services treat consumers as an afterthought by focusing primarily on businesses, Crashplan seems to place the consumer front-and-center and, while they do offer plans for small/medium businesses and larger, home/personal users will feel perfectly comfortable dealing with this company.

After playing briefly with the free choices, I took advantage of a 50% off sale to purchase 2-years of the Crashplan+ unlimited service.  Even at the regular price of $49.99/year this seems like a steal and it is a double-steal to get two years for that price.  I immediately started backing up my primary PC and the estimated time of completion is just over 11 days (nearly 200GB of data).

On my other PCs I don’t store data-hogs like photos so I’m fine using Sugarsync on those machines which mirrors my frequently-used files onto the primary PC where they are backed-up by Crashplan.  I also still use SyncBackSE to maintain a subset of my frequently-used files on a flash drive.  If your setup requires it, Crashplan does offer a household plan where all devices can be backed up to the cloud for a higher subscription price (a bit more than double the price of a single-computer option as I write this).

In summary, online backup is like insurance for your ever growing collection of data.  Like insurance, it is something you hope to never need but just knowing it is there makes me feel more secure already.  Check out Crashplan and try the free services for yourself to see just how easy it can be to “set it and forget it” while storing your backup in the cloud.  The fact that they are a Minneapolis-based company is icing on the cake as far as I’m concerned, but you don’t have to be from the Land of 10,000 Lakes to find their service beneficial.

Brenden Schaaf / June 10, 2011

Surf (more) safely

With the advent of Firefox add-ons like Firesheep that make hijacking browser sessions easy for even the most novice users, it is more necessary than ever to take action to use the most secure methods of transmitting/receiving data possible.  One good tip is to only visit sites that use a secure connection (denoted by “https” as the protocol rather than “http”).  A great tool that will automatically do this for you for major sites it this add-on, HTTPS-Everywhere.  Another tip is just to change your Facebook, Twitter, Hotmail, etc. bookmarks to https in the URL to make sure that you are always connecting securely through your own bookmarks, but if you click on a “share on Facebook” or similar link at a website you are still subject to the site owner’s link design as to which server you are taken to.  Better to use this add-on to be safe, but do understand that there are limitations that might cause problems.  These are generally the result of some services (like Google Images or Facebook Chat) not being available over HTTPS so some sites may not look/feel exactly the same as their non-secure counterparts.

Brenden Schaaf / April 30, 2011

Enchanted by the Kansas City Royals

View from our seats after our tickets were exchanged. What a gorgeous stadium!

I’m in Kansas City with a few family members to catch our hometown baseball team, the Minnesota Twins, take on the Royals.  This trip was planned back in the depths of winter as a way to celebrate my recent birthday while enjoying some outdoor baseball and a weekend out of town with my wife, dad, and sister.  Perhaps I am more aware of this given that I recently read Enchantment: The Art of Changing Hearts, Minds, and Actions by Guy Kawasaki, but it seems like everybody in Kansas City is already practicing the art of enchanting customers.

The staff at The Hampton Inn has been fabulous, the service at a nearby restaurant called Tomfooleries was excellent (not to mention my new favorite, the peanut butter bacon burger), and even the clerk at a CVS near the airport seemed to be among the friendliest drug store employees I have ever encountered.

Above all, thought, I have found that the Kansas City Royals organization knows how to treat customers.

Every single person we have encountered from the staff at the Royals Hall of Fame and the concession workers to the usher tonight in section 419 have been incredibly friendly and helpful.  The usher tonight, for example, took time to tell us “we love when you guys from Minnesota come to town because you are such great fans” and he genuinely meant it.  I have never been told more than a couple words by an usher at Target Field so this is not the treatment I expected as a fan of the visiting team.  Except for one clown who had consumed too many beers prior to the first pitch, this has been how we have been treated all weekend in Kansas City by Royals fans, hotel and restaurant staff, and the Royals employees at the ballpark.

The most incredible example of going beyond expectations, though, has to be how we were treated when it turned out that I had mistakenly purchased tickets to the June 4th game instead of for tonight’s game.  Arriving at the stadium gate, the scanner being used by the “ticket taker,” for lack of a better term, beeped loudly and only upon inspection of the paper ticket did we find out that when I had purchased tickets back in March I had bought April 29th, May 1st, and June 4th (supposed to be April 30th).  Coincidentally the Twins are back in town in early June so I obviously chose the wrong Saturday when I was buying the tickets online.

We were directed to a nearby ticket window where I fully expected to pay full price for 4 tickets for tonight’s game given that I was holding tickets for a game 5 weeks from now.  I’m quite sure that at any other professional stadium in America that is how the situation would have been handled.  But not at Kauffman Stadium (which is a great place to watch a game, by the way).

I explained my plight to the gentleman behind the glass and he quickly assured me that he could take care of me by exchanging my tickets for the game that was now starting in under an hour.  I was surprised that it was even an option but he cheerfully tapped away on the computer until he found us seats only one section away from where I thought we had purchased seats in the first place.  At one point he even said “I have 4 seats here but they aren’t very good so I’m going to find you some better ones.”  Wow!!  What amazing service!  His computer was slow and he was very apologetic, even though he was doing me a huge favor.  To top it off, this all happened while I stood there in a Twins jersey and my similarly adorned family stood nearby so it was clear that we were from out of town and were not there to support the local team.  Upon completing the transaction I was told to “enjoy the game” a phrase I heard repeatedly from Royals employees including those at the entrance to the parking lot and we were sent on our way with a cheery smile.  The service was so great that my wife actually went to the ticket window after I left and thanked the employee as well.

We ended up with great seats in section 419 and I was even given a $16 refund because the June game was a Premium Game and tonight’s was not.  Most importantly, though, I saw and felt what can happen when a customer is truly enchanted and the Royals will be the team I cheer for except when they are playing the Twins.  My thanks to the employees of the Kansas City Royals organization and complements to the management for hiring and training such awesome people.  Now if only the Twins could win the final game of the series before we have to head back home!

Brenden Schaaf / December 27, 2010

Should have froze our jelly or put it in a pie

Apparently frozen food in any quantity is allowed by the TSA.

Q.  Can I take food that is frozen?
A.  In a frozen state, food is considered a solid and not subject to restrictions of liquids, gels, and aerosols. Frozen food will be examined for tampering and additional screening may be necessary. However, liquid-based foods that are frozen (such as gravy) but are partially melted are subject to TSA’s restrictions for liquids, gels, and aerosols. For more information, please read our Liquids Rules:  3-1-1 for Carry-Ons. Please be aware that a Transportation Security Officer has discretion to prohibit a passenger from carrying an item through the screening checkpoint or onboard an aircraft if the item poses a security threat.

Or I could have put the jelly inside a pie (

Note: You can bring pies and cakes through the security checkpoint, but please be advised that they are subject to additional screening.

I guess I should have read that before traveling through TVC today.  Oh, and KY Jelly is also allowed.  Just don’t plan on going through security with your Welch’s Jelly (

We are continuing to permit prescription liquid medications and other liquids needed by
persons with disabilities and medical conditions. This includes:
all prescription and over-the-counter medications (liquid, gel, and aerosol), including
KY jelly, eye drops, and saline solution for medicinal purposes;

Brenden Schaaf / December 27, 2010

TSA power trips don’t keep us safe

Like a lot of other folks, I’ve grown tired of the TSA (Transportation Security Administration). I’m writing this from the Traverse City Cherry Capital Airport (TVC) where I have just witnessed more idiocy by the agents that are tasked with keeping us safe. My wife inadvertently packed two jars of jam in her carry-on bag and it was detected at the security checkpoint when the bag passed through the scanner. So far so good.

At that point, in my opinion, the bag and the traveler should both be subject to more advanced screening. Instead, though, my wife was allowed to take her bag (which they reversed back through the x-ray machine) and remove the offending items. She was given the option, by a TSA agent, of checking the bag (remember, this is supposedly dangerous stuff) or mailing the goods to herself (do we want explosives  in the mail) or just tossing them in the trash. In the interest of time and money, she chose the latter. So now the jam (which could be an explosive agent) is sitting in a trash bin right by security. Does this make sense?

If people are just allowed to remove offending items from their bags when they are detected, all the terrorists need to do is keep trying until their items get missed by the scanner and/or the agent. And it will happen.

After this charade, my wife was prohibited from locking her bag with a TSA approved lock before the bag was scanned again. The agent barked at her not to lock the bag in case it “needs to be opened.” This is despite the fact that right before her I had a locked bag pass through the scanner without incident and i was standing on the “secure side” of the scanner with that bag.  What is the point of a TSA lock if the TSA makes you leave the bag UNLOCKED?  Surprise…another TSA agent on a power trip.

These little TSA power trips are doing nothing to keep us safe. It is time change from this charade-based security to something that is actually effective. Having to throw out gifted jam does nothing for aviation security and makes me want to fly less and less.  Let’s start investigating further the people that need to be investigated and let grandma go through with her bottled water or hemorrhoid cream. I would actually be less upset if my wife had been subjected to further scrutiny for not following the rules rather than just allowing her to dump the offending jam in the trash.

Terrorists know that it works this way…they will just keep trying until something gets through and the rest of us will be left to suffer.