My Flypaper Mind: Brenden Schaaf's opinions, ideas, comments, rantings, & minutiae

10 Nov 2013

I have 294 passwords…but I only need to remember one!

I really do wish I had more time to write blog posts for this site.  It isn't that I don't have things to say -- it's that I have so much to say that I tend to say them on Twitter in 140-character bursts instead of here in long-form posts.  In addition, I continue to contribute to the Minnesota Society of CPAs member publication, Footnote.  I've written here about LastPass before and I tackled the issue of password generation/vault software for the September issue of Footnote.  I have been impressed by the feedback I have received and I hope that everyone who is serious about security and about making their lives simpler investigates the use of LastPass or a similar password management software solution.  Here's a link to my article: http://www.mncpa.org/publications/footnote/2013-09/I-have-294-passwords-but-I-only-need-to-remember-one.aspx

24 Mar 2013

Even encryption may not be enough

Data security is probably one of the biggest issues facing everyone in the near future.  We've grown accustomed to hearing news reports about laptops stolen from the back seat of rental cars and hard drives lost in-transit containing sensitive data such as social security numbers.  In these cases, the advice has been that encryption would protect data in such circumstances and the issue is just that too few people use it.

With our increased reliance on mobile technology, Android and iPhone have offered users the option of encryption for some time, giving users some peace of mind that their data on mobile phones could be secure as well.

Well, it isn't quite that simple, as some German researchers have discovered.  It turns out that placing the phone in the freezer can allow some of the supposedly "safe" data to become compromised.  There are very specific circumstances that have to be met in order to pull this off, but just the fact that it is possible should give people some reservations about placing especially sensitive data on their mobile devices.

Compared to people naively using unsecured wireless access points while accessing sensitive data, I think that this issue is comparatively minor but it is worth noting.  Perhaps the biggest benefit will be to hardware/software manufacturers so that they can build countermeasures into their products.

More information:

10 Jun 2012

How safe are your passwords?

Strong Passwords courtesy Paul O'Rear on Flickr

The recent news that some LinkedIn and eHarmony passwords have been compromised represents the latest in a string of such stories that are part of a trend we will continue to see for the foreseeable future.  Users of these services were advised to change their passwords, but how much will that really protect most people?  Most of us have accounts, and therefore passwords, with dozens or even hundreds of websites.  Furthermore, it has been reported that way too many people use the same password (including the password they use for online banking) or handful of passwords across multiple sites.  So once a hacker has someone's email address and password for LinkedIn they very likely have enough information to log in to Amazon, eBay, Wells Fargo, etc.

So what's a person to do?  Standard advice includes creating strong passwords that aren't susceptible to dictionary attacks as well as making a different password for every site visited.  After doing this for just a handful of sites, however, it would become next to impossible to remember every password needed by most of us.

Storing passwords in an encrypted text file is a possible solution, though keeping a copy available on several machines and mobile devices would require the use of insecure means (such as carrying the file on a USB flash drive or emailing the file back and forth between work and home) or the use of an encrypted synchronization solution like SugarSync or Dropbox.  I think that anyone willing to do that is better off using a dedicated solution in the form of an online Password Manager.

I first learned of these kinds of tools at the 2011 MNCPA Tax Conference, when Tommy Stephens of K2 Enterprises demonstrated a tool he uses called RoboForm.  I was impressed that it allowed him to select bookmarks directly from his browser and be automatically logged in to the destination site without any intervention.  This looked like a good tool to use primarily to save time...I didn't really give much thought to the security reasons for using such a tool.  I tried RoboForm after the conference for a couple weeks but soon found that I preferred a similar solution called LastPass instead.

LastPass Generate Secure Password Dialog Box

I actually became aware of LastPass in 2010 when Xmarks was purchased by them, but never thought to use it until I saw the RoboForm demonstration and found RoboForm to be kind of kludgy in my daily use.  The lightbulb went off and I quickly recalled that the sister-program to Xmarks (another product I highly recommend, by the way) might be worth checking out and I sure am glad that I did so.  In my opinion it just works better than RoboForm and I found it very intuitive to set up and use.  Having used LastPass now for 6+ months I can't recommend enough that everyone use this program.  Given that these tools are constantly being updated and related applications are available for multiple operating systems (iOS, Android, Windows, Blackberry, Linux, etc.) you should try a couple and choose the one that works best for how you use the internet and the devices you use.

Here are some of the many benefits to using LastPass:

  1. Passwords are encrypted and stored securely and are unlocked only through the use of a master password (needed only one time per browsing session at most).  Since this is the only password you really need to remember you can, and should, make it very strong.  Doing so is key to making your information secure.
  2. You can easily test your password performance and continue to tweak your passwords to make them even more secure using a tool that runs against your current collection of passwords and ranks you in comparison to other users.  See graphic showing my scores.
  3. Not having to remember passwords for multiple sites, especially those used infrequently.
  4. No longer storing passwords insecurely in multiple web browsers on several machines.
  5. Easily generate lengthy, strong, unique passwords.
  6. No password reuse at multiple sites.
  7. Browser add-ons and mobile apps are available to make LastPass easy to use on multiple devices and platforms.  Some of these tools are available only to subscribers to LastPass Premium, but the cost of $12/year is negligible and I felt compelled to pay for the premium product just to support the software development even before I used the Android app.

When first run, LastPass will offer to import passwords stored in your default browser making it easy to populate the database initially.  Once that is done you'll want to visit each site stored in LastPass to change your existing password for that site to something stronger.  LastPass will generate a password to your specifications.  Start by choosing  the desired password length and whether to include uppercase, lowercase, numeric, or special characters and let LastPass create a random password.  Depending on the website, you may be able to click "Accept" at the bottom to have the password automatically inserted into the password field(s) on the site or you may need to click "Copy" as in the graphic shown to manually paste the password into the form.  Once you do that, LastPass will offer to store the password for future use.

One of the most frustrating issues I ran across when going through this process is how varied the password requirements are for different websites.  See the adjacent table for some of the requirements I noted for some randomly chosen sites.

Password requirements for selected sites

I was surprised at how many sites had upper limits on password length since presumably the sites are storing a hashed version of user passwords (which may be a fixed length no matter how long the user's password is).  I was also shocked that several sites emailed me the new password in plain text immediately upon changing it, a very problematic issue.

Perhaps the most troublesome are those that only allow short passwords or that disallow special characters since they are limiting the strength of their customers' passwords by default and making their own sites more vulnerable than necessary. Although many sites allowed very long, complicated passwords (I set several of my passwords to 75+ characters) there were some, unfortunately, that limited passwords to 4 digit PINs.
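As an added example (my own code, not LastPass's and not part of the original post), here is a small generator built around the same knobs the post describes: a desired length plus which character classes to include, with each site's stated limit applied on top. It also reports the entropy each policy leaves the user, which is why a 4-digit PIN cap is so damaging, and shows that a SHA-256 hex digest has the same length for a 4-character and a 75-character password, so hashed storage does not explain a length cap. The site names and policies in POLICIES are constructed placeholders, the special-character set is my own choice, and SHA-256 is used only to illustrate fixed-length digests, not as a claim about what any site uses.

```python
import hashlib
import math
import secrets
import string

# Character classes mirroring the checkboxes in the generator dialog
# (the special-character set here is an assumption, not LastPass's list).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}


def _selected(upper, lower, digits, special):
    flags = (("upper", upper), ("lower", lower), ("digits", digits), ("special", special))
    return [name for name, on in flags if on]


def generate_password(length, upper=True, lower=True, digits=True, special=True):
    """Return a random password of exactly `length` characters drawn from the
    selected classes, guaranteeing at least one character from each of them."""
    chosen = _selected(upper, lower, digits, special)
    if not chosen:
        raise ValueError("at least one character class must be enabled")
    if length < len(chosen):
        raise ValueError("length too short to include every selected class")
    alphabet = "".join(CLASSES[name] for name in chosen)
    # One guaranteed character per class, then fill uniformly from the union.
    chars = [secrets.choice(CLASSES[name]) for name in chosen]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chosen))]
    # Fisher-Yates shuffle with the CSPRNG so class positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, upper=True, lower=True, digits=True, special=True):
    """Entropy of a uniformly random password of `length` over the selected classes."""
    size = sum(len(CLASSES[name]) for name in _selected(upper, lower, digits, special))
    return length * math.log2(size)


# Constructed, hypothetical site policies in the spirit of the post's table.
POLICIES = {
    "generous-site": {"max_length": 128, "special": True},
    "no-symbols-site": {"max_length": 16, "special": False},
    "pin-only-site": {"max_length": 4, "special": False, "digits_only": True},
}


def password_for_site(policy, wanted_length=75):
    """Generate the strongest password a policy permits and report its entropy."""
    length = min(wanted_length, policy["max_length"])
    if policy.get("digits_only"):
        kwargs = dict(upper=False, lower=False, digits=True, special=False)
    else:
        kwargs = dict(upper=True, lower=True, digits=True, special=policy["special"])
    return generate_password(length, **kwargs), entropy_bits(length, **kwargs)


def stored_hash_length(password):
    """Hex SHA-256 digest length: 64 regardless of how long the password is."""
    return len(hashlib.sha256(password.encode("utf-8")).hexdigest())


if __name__ == "__main__":
    for site, policy in POLICIES.items():
        pw, bits = password_for_site(policy)
        print(f"{site:16} len={len(pw):3} entropy={bits:6.1f} bits "
              f"hash_len={stored_hash_length(pw)}")
```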

I was also surprised by a few websites that didn't seem to allow password changes at all but I found a work-around for nearly all of them by using the "forgot password" link to generate a new, temporary password and then I was able to create a new password.

At present you can see by the images above that LastPass is managing 214 passwords for me and the average length of the stored passwords is 23.7 characters.  I couldn't imagine memorizing more than one password that long much less several dozen that are longer.  Not only am I more comfortable now that I'm using LastPass but I find being online and the myriad of passwords to be even easier to use now.  That's a definite win-win.

Anyone that cares about security should use LastPass or a product like it.

29 Nov 2011

A couple things I’ve written

Despite the lack of writing I've been doing here, my pen hasn't been completely idle.  In the past several months I've written a couple things for MNCPA publications.

  • A Footnote article from several months ago highlighted some file-synchronization services, including my favorite service, SugarSync, that will keep files (especially those frequently used) synchronized across several devices.  This has been particularly handy to me since the demise of Windows Live Sync that I wrote about before, and the added bonus of cloud-based storage is a nice feature when I'm on a machine I don't own.
  • A Student eNews piece hit the virtual press in October.  It urges students to learn to use technology while in school because employers will expect it and there are benefits to be realized while they are still studying.  It frustrates me that accounting majors are even allowed to graduate without knowing basic Excel strategies.  Hopefully some of them take my advice and make an effort to improve themselves before they are on someone's payroll.

27 Nov 2011

Flexible Backup From Crashplan.com

I remember thinking when I started this blog that I would make frequent posts here to share things, primarily with my friends and family.  Then I discovered Twitter and that became my main place of sharing information instead.  Every so often, though, a tool comes along that I can't describe in 140 characters or less and it lands here.  My discovery of Crashplan is one such item.

If you are like me, you have good intentions to frequently back-up your data, but those intentions turn into "I'll do it someday" which turns in to never.  Despite having the capacity to easily back-up my own data on a different computer or a separate hard drive within my main desktop PC, doing so (however infrequently) doesn't help me in case of disaster such as a fire at my home.  In that case all of my data, including the backups, would be destroyed.  Also, I've yet to find an external hard drive and/or backup software that made the process easy despite what the marketing would have you believe.

A Footnote article I wrote for the MNCPA several months ago highlighted some services, including my favorite service, SugarSync, that will keep files (especially those frequently used) synchronized across several devices.  This can create a de facto backup service for the items you choose to synchronize, and it works quite well for files that are frequently edited because it results in the current version of every file being available on every device.  But what about backing up the all-important photos or MP3 files that don't really change (although the collection of such files does grow over time)?  For that situation a dedicated backup solution is best.

In pursuit of such a solution I have discovered Minneapolis-based Crashplan.  I recall them being mentioned at some professional conferences I had attended the past couple years and I was pushed into looking at them further after seeing a billboard for their service just yesterday in Blaine.

This unique software offers free and paid options.  Using the free options you are able to back up your data to other computers (including those of your friends to create an "off-site" backup) or external hardware.  The paid choices add storage in the cloud on Crashplan's servers as well.  While many other services treat consumers as an afterthought by focusing primarily on businesses, Crashplan seems to place the consumer front-and-center and, while they do offer plans for small/medium businesses and larger, home/personal users will feel perfectly comfortable dealing with this company.

After playing briefly with the free choices, I took advantage of a 50% off sale to purchase 2-years of the Crashplan+ unlimited service.  Even at the regular price of $49.99/year this seems like a steal and it is a double-steal to get two years for that price.  I immediately started backing up my primary PC and the estimated time of completion is just over 11 days (nearly 200GB of data).

On my other PCs I don't store data-hogs like photos so I'm fine using SugarSync on those machines, which mirrors my frequently-used files onto the primary PC where they are backed up by Crashplan.  I also still use SyncBackSE to maintain a subset of my frequently-used files on a flash drive.  If your setup requires it, Crashplan does offer a household plan where all devices can be backed up to the cloud for a higher subscription price (a bit more than double the price of a single-computer option as I write this).

In summary, online backup is like insurance for your ever growing collection of data.  Like insurance, it is something you hope to never need but just knowing it is there makes me feel more secure already.  Check out Crashplan and try the free services for yourself to see just how easy it can be to "set it and forget it" while storing your backup in the cloud.  The fact that they are a Minneapolis-based company is icing on the cake as far as I'm concerned, but you don't have to be from the Land of 10,000 Lakes to find their service beneficial.

10 Jun 2011

Surf (more) safely

With the advent of Firefox add-ons like Firesheep that make hijacking browser sessions easy for even the most novice users, it is more necessary than ever to take action to use the most secure methods of transmitting/receiving data possible.  One good tip is to only visit sites that use a secure connection (denoted by "https" as the protocol rather than "http").  A great tool that will automatically do this for you for major sites is this add-on, HTTPS-Everywhere.  Another tip is just to change your Facebook, Twitter, Hotmail, etc. bookmarks to https in the URL to make sure that you are always connecting securely through your own bookmarks, but if you click on a "share on Facebook" or similar link at a website you are still subject to the site owner's link design as to which server you are taken to.  Better to use this add-on to be safe, but do understand that there are limitations that might cause problems.  These are generally the result of some services (like Google Images or Facebook Chat) not being available over HTTPS, so some sites may not look/feel exactly the same as their non-secure counterparts.

17 Nov 2010

Easily (and cheaply) hang a flat-panel TV

This is one of those posts that has been sitting in the back of my brain for a few months now, but I've just been too busy with other things to actually sit down for 30 minutes and bang it out.

I stumbled upon a deal on a plasma TV back in July and I decided that was a sign that I needed to replace the hulking 32" CRT that was taking up space in our bedroom.  Never mind the fact that I had only recently lugged the behemoth upstairs when we bought a new LCD for the living room -- there was no mistaking the wisdom of purchasing a new TV for upstairs and ditching our old TV and the armoire in which it sits (both of which are still sitting in our upstairs hallway several months later).

Perhaps, like me, you have been relatively ignorant of the new TV technology and associated hardware and requirements.  I was surprised to learn, for example, that hanging a TV on a wall requires a wall mount that comes at a cost that is a large percentage of what I paid for the TV in the first place.  For example, the first mount I studied was at Costco and it was over $100.  Even basic, non-swiveling mounts at Costco can be expensive.  It turns out this is not unusual.  I was quickly able to determine that I could do without the swiveling/rotating features that allow the TV to extend from the wall, and that doing so could save a bit of money, but I still wasn't prepared to spend $100 for a mount.  Then again, I reasoned, I'd prefer to do that than have my TV crash to the ground.

Another issue with hanging a TV was cord management.  It does little aesthetically speaking to hang your shiny new TV on the wall and then run power, cable, DVD, etc. cords down or across the wall.  Plus taking some time to tuck the cords away goes a long way to keeping the marital peace I've found.  So I set off researching how to hide the cords in the wall and I was lucky enough to stumble upon a solution at monoprice.com.  A nice bonus is that they also sell deals on sturdy wall mounts...at prices that look ridiculously cheap when compared to those offered elsewhere.

This, then, is the story of the solution I went with to successfully (it hasn't fallen yet) mount my 42" plasma TV to the bedroom wall keeping things looking nice and neat.

Wall mount

View of the bracket that screws to the TV. Once hung on the wall bracket, the small part at the bottom slides up and is screwed into a locked position to securely hold the two together.

As I mentioned above, I decided that I needed a stationary wall mount that allowed for slight tilting.  For barely over $20 I ordered product #3900 at MonoPrice.  In addition to being inexpensive, this is an extremely sturdy mount and the installation process was a snap.  Once I located the studs (relatively easy because of the outlets beneath my hanging area that I knew to be hung on a stud) I just had to bolt one side of the bracket to the wall and two other pieces screwed into the back of the TV.  Then it was like hanging a picture to put the TV onto the bracket.  All of this was a one-person job.  Before I could hang the TV, however, I needed to make sure that the cables would not be visible once the TV was in place.

Behind-set power and wall plate for low voltage cable passage

MonoPrice conveniently recommended product #4006 to me as an accessory to the wall mount bracket.  This is a recessed power outlet coupled with a tunnel that allowed the threading of low voltage cable through the wall.  Note that it is a code violation to thread power cords through the wall so that is the purpose of the power outlet on this device.  Simply mount it above an existing outlet and piggy-back on the power to that outlet by running sheathed electric cable between the locations.  If you aren't comfortable with this you can hire an electrician, though it is not very difficult.  For safety's sake turn the power off before you begin.

View of the wall plate and power/low-voltage outlet.

As can be seen in this photo, the wall plate has swivel tabs that allow for installation without an electrical box on the side that allows for low-voltage cable passage.  This is needed because installing a box would block the passage of cables through the wall.  The side with the power outlet does require a single-gang box, which can be purchased at your local hardware store.

Like the MonoPrice wall plate, the electrical box will have tabs that screw out and then tighten to the back of the drywall until secure.  Tools needed for this are a small drywall saw and a couple screwdrivers.  You probably also will find a box cutter and/or wire stripping tool to be handy.

Second low voltage wall plate for cable passage

A second wall plate needs to be installed toward the bottom of the wall.  This is where HDMI, coax, and other audio/visual cable will enter the wall before exiting behind the TV.  Since this is a low voltage installation, the "box" is really just a bracket (get this at the hardware store as well) that allows for the installation of something like product #3997 from MonoPrice.  I chose this because it matched the outlet I ordered for behind the TV (mentioned above) and it was under $3.  I have no idea if these things are also sold locally, but for $3 it wasn't worth my time to find out. Like the wall plate above, a drywall saw and a couple screwdrivers are all that is needed for this part of the installation.

Cables

2nd wall plate for low voltage wiring pass-through. Note the yellow and green HDMI cables.

One of my big frustrations even when I can see all of my cables is trying to figure out what is plugged in where.  Hiding the cables behind the wall was sure to make this chore even more difficult.  Thankfully MonoPrice has the answer to this issue as well.  They sell HDMI cables in a variety of colors so I ordered several 10-foot cables in a variety of colors such as this yellow one.  That way I could easily know which cable was for the satellite box and which was for the DVD player.  I used a steel fish tape to thread the cables through the wall, but it would be possible to do this by unbending a coat hanger or with a string and weight if the holes in your wall are lined up fairly straight, given that the distance between them isn't too big.  Wall studs are typically 16" apart and the cables need to run vertically within the same wall cavity to avoid having to travel through studs.  This means that the likely distance between the holes is limited to 3-4 feet.

Once you have installed the wall plates and run the cables, simply screw things into place and hang up the TV.  In my experience, the entire installation took about 30 minutes, though time will vary depending on how many trips to the hardware store you need to make!  When all was completed, I had a solidly mounted TV on the wall with no wiring visible.  I consider this a job well done!

3 Jul 2010

Firefox Add-on: Shareaholic

The customized Shareaholic menu from my Firefox address bar.

If you find that you constantly share links with friends through Twitter, Facebook, email, etc. then this add-on is for you.  There are literally dozens of services in Shareaholic that can be turned on or off so you can set up only the ones that you use.  Chances are that just the act of going through the setup will introduce you to some services that you didn't even know about before.

The ones I have set up, for example, are Facebook, Twitter, bit.ly, Google Mail, Google Reader, LinkedIn, and Microsoft Outlook.  Sharing the current page or a link on the current page using any of these methods is just a click away.

Download Link: https://addons.mozilla.org/en-US/firefox/addon/5457/

3 Jul 2010

Firefox Add-on: Extended Copy Menu

New choices available from the right-click menu after installing this Firefox add-on.

Normally when you copy text in Firefox it retains the original formatting when you paste it elsewhere (such as into Word or into a blog post).  This is not always desired.

The workaround to lose the formatting that I used to use involved opening Notepad, pasting the text into there, copying from Notepad (Notepad is only capable of using plain text), and then pasting to whatever my destination was in the first place. This add-on puts additional choices such as "Copy as Plain Text" to the right-click context menu to make it as easy to copy text without formatting as it is to copy the text with the formatting.

Download Link: https://addons.mozilla.org/en-US/firefox/addon/4554/

12 Jun 2010

Got a 2nd HDTV = more decisions than I bargained for

Is anyone using DirecTV Whole-Home DVR service? I'd like to hear how/if it works.

http://www.directv.com/DTVAPP/content/directv/technology/wholehome

Here's the situation: we got a new flat panel for the bedroom and are looking at options where we can have HD service there but also watch shows in the bedroom that are on the DVR in our living room in HD quality.

Currently we have Dish Network and our current DVR (722) can output only SD signal to TV2. So a 2nd option (other than switching to DirecTV) is that we could upgrade to Dish 922k DVR and hope they release the "HDTV Multi-Room Extender" (which is really an HD SlingCatcher) soon also. I like Dish's receivers better than DirecTV's because it can record from over-the-air sources in addition to satellite sources so +1 to Dish for this as an option.

http://www.dishnetwork.com/tveverywhere/default.aspx

A 3rd option is to build an over-the-air DVR/PC for the bedroom.  I could put a blu-ray player in that and it would do double-duty but, of course, we'd be limited to watching recorded shows in HD that came from over-the-air sources (which is probably 80% of what we record to be honest).  This idea is gaining favor in my mind now that I've written it, actually.  A minor annoyance is that we would have some shows recorded in both places (on the PC in the bedroom and on the DVR in the living room) so it would be harder to manage what we have watched and not watched.

Every option has advantages/disadvantages to the point where I'm spinning in circles trying to decide what to do. Seeking advice!!

One final item of note is that my wife claims to not be able to tell the difference between SD and HD so this is only a big deal to me 🙂