Brenden Schaaf / November 10, 2013

I have 294 passwords…but I only need to remember one!

I really do wish I had more time to write blog posts for this site.  It isn’t that I don’t have things to say — it’s that I have so much to say that I tend to say them on Twitter in 140-character bursts instead of here in long-form posts.  In addition, I continue to contribute to the Minnesota Society of CPAs member publication, Footnote.  I’ve written here about LastPass before, and I tackled the issue of password generation/vault software for the September issue of Footnote.  I have been impressed by the feedback I have received, and I hope that everyone who is serious about security and about making their lives simpler investigates LastPass or a similar password management solution.  Here’s a link to my article: http://www.mncpa.org/publications/footnote/2013-09/I-have-294-passwords-but-I-only-need-to-remember-one.aspx

Brenden Schaaf / June 10, 2012

How safe are your passwords?

[Image: Strong Passwords, courtesy Paul O'Rear on Flickr]

The recent news that some LinkedIn and eHarmony passwords have been compromised represents the latest in a string of such stories, part of a trend we will continue to see for the foreseeable future.  Users of these services were advised to change their passwords, but how much will that really protect most people?  Most of us have accounts, and therefore passwords, with dozens or even hundreds of websites.  Furthermore, it has been reported that far too many people use the same password (including the password they use for online banking), or a handful of passwords, across multiple sites.  So once an attacker has someone’s email address and password for LinkedIn, they very likely have enough information to log in to Amazon, eBay, Wells Fargo, etc.

So what’s a person to do?  Standard advice includes creating strong passwords that aren’t susceptible to dictionary attacks as well as making a different password for every site visited.  After doing this for just a handful of sites, however, it would become next to impossible to remember every password needed by most of us.

Storing passwords in an encrypted text file is a possible solution, though keeping a copy available on several machines and mobile devices would require the use of insecure means (such as carrying the file on a USB flash drive or emailing the file back and forth between work and home) or the use of an encrypted synchronization solution like SugarSync or Dropbox.  I think that anyone willing to do that is better off using a dedicated solution in the form of an online password manager.

I first learned of these kinds of tools at the 2011 MNCPA Tax Conference, when Tommy Stephens of K2 Enterprises demonstrated a tool he uses called RoboForm.  I was impressed that it allowed him to select bookmarks directly from his browser and be automatically logged in to the destination site without any intervention.  This looked like a good tool to use primarily to save time…I didn’t really give much thought to the security reasons for using such a tool.  I tried RoboForm after the conference for a couple weeks but soon found that I preferred a similar solution called LastPass instead.

[Image: LastPass Generate Secure Password dialog box]

I actually became aware of LastPass in 2010 when Xmarks was purchased by them, but never thought to use it until I saw the RoboForm demonstration and found RoboForm to be kind of kludgy in my daily use.  The lightbulb went off and I quickly recalled that the sister program to Xmarks (another product I highly recommend, by the way) might be worth checking out, and I sure am glad that I did so.  In my opinion it just works better than RoboForm, and I found it very intuitive to set up and use.  Having used LastPass now for 6+ months, I can’t recommend enough that everyone use this program.  Given that these tools are constantly being updated and related applications are available for multiple operating systems (iOS, Android, Windows, BlackBerry, Linux, etc.), you should try a couple and choose the one that works best for how you use the internet and the devices you use.

Here are some of the many benefits to using LastPass:

  1. Passwords are encrypted and stored securely and are unlocked only through the use of a master password (needed only one time per browsing session at most).  Since this is the only password you really need to remember you can, and should, make it very strong.  Doing so is key to making your information secure.
  2. You can easily test your password performance and continue to tweak your passwords to make them even more secure using a tool that runs against your current collection of passwords and ranks you in comparison to other users.  See the graphic showing my scores.
  3. Not having to remember passwords for multiple sites, especially those used infrequently.
  4. No longer storing passwords insecurely in multiple web browsers on several machines.
  5. Easily generate lengthy, strong, unique passwords.
  6. No password reuse at multiple sites.
  7. Browser add-ons and mobile apps are available to make LastPass easy to use on multiple devices and platforms.  Some of these tools are available only to subscribers to LastPass Premium, but the cost of $12/year is negligible and I felt compelled to pay for the premium product just to support the software development even before I used the Android app.

When first run, LastPass will offer to import passwords stored in your default browser, making it easy to populate the database initially.  Once that is done you’ll want to visit each site stored in LastPass to change your existing password for that site to something stronger.  LastPass will generate a password to your specifications.  Start by choosing the desired password length and whether to include uppercase, lowercase, numeric, or special characters, and let LastPass create a random password.  Depending on the website, you may be able to click “Accept” at the bottom to have the password automatically inserted into the password field(s) on the site, or you may need to click “Copy” as in the graphic shown to manually paste the password into the form.  Once you do that, LastPass will offer to store the password for future use.
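The generator dialog described above (length plus a choice of uppercase, lowercase, numeric and special characters) is easy to reproduce with a proper CSPRNG. This is an added example, not LastPass's code; the special-character set, the entropy formula and the policy check are my assumptions for illustration.

```python
import math
import secrets
import string

# Character classes matching the four options in the generator dialog.
# The special-character set is an assumption; every site allows a different one.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALL = ("upper", "lower", "digits", "special")


def generate_password(length, classes=ALL):
    """Return a random password of `length` characters from the chosen classes.

    Uses `secrets` (a CSPRNG), never `random`, and guarantees at least one
    character from every requested class, since many sites reject a password
    that is missing a required class.
    """
    if not classes:
        raise ValueError("at least one character class is required")
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    alphabet = "".join(CLASSES[c] for c in classes)
    # One guaranteed character per class, then fill the rest from the full alphabet.
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG so the guaranteed characters
    # do not always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, classes=ALL):
    """Strength estimate for a uniformly random password: length * log2(alphabet)."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def meets_policy(password, classes):
    """True if the password contains at least one character from each class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


if __name__ == "__main__":
    pw = generate_password(24)
    print(pw, round(entropy_bits(24), 1), "bits")
    print("4-digit PIN:", round(entropy_bits(4, ("digits",)), 1), "bits")
```

Comparing the two entropy figures printed at the end shows concretely how much strength a site throws away when it caps passwords at a 4-digit PIN.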

One of the most frustrating issues I ran across when going through this process is how varied the password requirements are for different websites.  See the adjacent table for some of the requirements I noted for some randomly chosen sites.

[Table: Password requirements for selected sites]

I was surprised at how many sites had upper limits on password length, since presumably the sites store a hashed version of each user’s password (which is a fixed length no matter how long the user’s password is).  I was also shocked that several sites emailed me the new password in plain text immediately after I changed it, a very problematic practice.

Perhaps the most troublesome are those that only allow short passwords or that disallow special characters, since they are limiting the strength of their customers’ passwords by default and making their own sites more vulnerable than necessary.  Although many sites allowed very long, complicated passwords (I set several of my passwords to 75+ characters), there were some, unfortunately, that limited passwords to 4-digit PINs.
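The point about hashed storage above can be shown directly: with a salted, iterated hash the stored record is the same size for a 4-character password and a 75-character one, so nothing on the storage side justifies a length cap. This is an added example, not any site's code; the iteration count, salt size and digest length are assumed values for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; a real site tunes the iteration
# count to its hardware. The derived digest is always DIGEST_LEN bytes.
ITERATIONS = 100_000
SALT_LEN = 16
DIGEST_LEN = 32


def hash_password(password, salt=None):
    """Return (salt, digest) to store for an account.

    PBKDF2-HMAC-SHA256 output is fixed length regardless of the input, so the
    database column needs the same width for a PIN and for a 75-character password.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def stored_size(password):
    """Bytes the site actually keeps for this password: salt plus digest."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)


if __name__ == "__main__":
    for candidate in ("1234", "x" * 75):
        print(len(candidate), "chars ->", stored_size(candidate), "bytes stored")
```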

I was also surprised by a few websites that didn’t seem to allow password changes at all but I found a work-around for nearly all of them by using the “forgot password” link to generate a new, temporary password and then I was able to create a new password.

At present, as you can see from the images above, LastPass is managing 214 passwords for me and the average length of the stored passwords is 23.7 characters.  I couldn’t imagine memorizing more than one password that long, much less several dozen that are longer.  Not only am I more comfortable now that I’m using LastPass, but I also find being online and dealing with the myriad of passwords easier than before.  That’s a definite win-win.

Anyone that cares about security should use LastPass or a product like it.

Brenden Schaaf / November 29, 2011

A couple things I’ve written

Despite the lack of writing I’ve been doing here, my pen hasn’t been completely idle.  In the past several months I’ve written a couple things for MNCPA publications.

  • A Footnote article from several months ago highlighted some file-synchronization services, including my favorite service, SugarSync, that will keep files (especially those frequently used) synchronized across several devices.  This has been particularly handy to me since the demise of Windows Live Sync that I wrote about before, and the added bonus of cloud-based storage is a nice feature when I’m on a machine I don’t own.
  • A Student eNews piece hit the virtual press in October.  It urges students to learn to use technology while in school because employers will expect it and there are benefits to be realized while they are still studying.  It frustrates me that accounting majors are even allowed to graduate without knowing basic Excel strategies.  Hopefully some of them take my advice and make an effort to improve themselves before they are on someone’s payroll.

Brenden Schaaf / November 27, 2011

Flexible Backup From Crashplan.com

I remember thinking when I started this blog that I would make frequent posts here to share things, primarily with my friends and family.  Then I discovered Twitter and that became my main place of sharing information instead.  Every so often, though, a tool comes along that I can’t describe in 140 characters or less and it lands here.  My discovery of Crashplan is one such item.

If you are like me, you have good intentions to frequently back up your data, but those intentions turn into “I’ll do it someday,” which turns into never.  Despite having the capacity to easily back up my own data on a different computer or a separate hard drive within my main desktop PC, doing so (however infrequently) doesn’t help me in case of a disaster such as a fire at my home.  In that case all of my data, including the backups, would be destroyed.  Also, I’ve yet to find an external hard drive and/or backup software that made the process easy, despite what the marketing would have you believe.

A Footnote article I wrote for the MNCPA several months ago highlighted some services, including my favorite service, SugarSync, that will keep files (especially those frequently used) synchronized across several devices.  This can create a de facto backup service for the items you choose to synchronize, and it works quite well for files that are frequently edited, since it results in the current version of every file being available on every device.  But what about backing up the all-important photos or MP3 files that don’t really change (although the collection of such files does grow over time)?  For that situation a dedicated backup solution is best.

In pursuit of such a solution I have discovered Minneapolis-based Crashplan.  I recall them being mentioned at some professional conferences I attended in the past couple of years, and I was pushed into looking at them further after seeing a billboard for their service just yesterday in Blaine.

This unique software offers free and paid options.  Using the free options you are able to back up your data to other computers (including those of your friends, to create an “off-site” backup) or to external hardware.  The paid choices add storage in the cloud on Crashplan’s servers as well.  While many other services treat consumers as an afterthought by focusing primarily on businesses, Crashplan seems to place the consumer front-and-center and, while they do offer plans for small/medium businesses and larger, home/personal users will feel perfectly comfortable dealing with this company.

After playing briefly with the free choices, I took advantage of a 50% off sale to purchase two years of the Crashplan+ unlimited service.  Even at the regular price of $49.99/year this seems like a steal, and it is a double-steal to get two years for that price.  I immediately started backing up my primary PC and the estimated time of completion is just over 11 days (nearly 200GB of data).

On my other PCs I don’t store data hogs like photos, so I’m fine using SugarSync on those machines, which mirrors my frequently used files onto the primary PC where they are backed up by Crashplan.  I also still use SyncBackSE to maintain a subset of my frequently used files on a flash drive.  If your setup requires it, Crashplan does offer a household plan where all devices can be backed up to the cloud for a higher subscription price (a bit more than double the price of a single-computer option as I write this).

In summary, online backup is like insurance for your ever-growing collection of data.  Like insurance, it is something you hope to never need, but just knowing it is there makes me feel more secure already.  Check out Crashplan and try the free services for yourself to see just how easy it can be to “set it and forget it” while storing your backup in the cloud.  The fact that they are a Minneapolis-based company is icing on the cake as far as I’m concerned, but you don’t have to be from the Land of 10,000 Lakes to find their service beneficial.

Brenden Schaaf / July 3, 2009

Instamapper

Because MapMyFitness (and related sites like MapMyRide) have decided to now charge for the BlackBerry iMapMyRide application, I decided to hunt around for something else that I could use to record bike trips that I take using my Blackberry’s built-in GPS. I’m not opposed to buying the iMapMyRide application (interestingly, the iPhone version remains free), but $5/month (or $100/year for the Gold membership to get the app for free) is a bit steep in my opinion.

Luckily, I stumbled upon this post that explained how to use Instamapper to record your ride and then from there you can export the trip to a file on your computer in GPX format, which can then be imported to MapMyRide (or related). So it’s a few more steps but isn’t really that hard and the nice thing is that it works with more smartphones than just the Blackberry.

In fact, Instamapper offers some decent mapping capabilities as well so with a little more experimenting I may just decide to leave my map data on their site instead of even moving it over to MapMyRide.  Perhaps the best part is that the site (including maps) isn’t cluttered up with advertisements (see below). I do like how MapMyRide inserts mile markers along the route and it just seems a bit more advanced, but maybe Instamapper has those things too and I just don’t know how to use it (or maybe features will be added).
[Embedded map: GPS tracking powered by InstaMapper.com]

Brenden Schaaf / May 3, 2009

Faxing through the internet

Despite the fact that most paper-based communication seems to have moved to email, there is still a need at times to rely on sending/receiving faxes.  I suppose in ten years faxing might have gone the way of the buggy whip, but until then faxing can be made to look/act a lot like email without having to worry about having an extra piece of office equipment and/or a spare phone line.

Enter an online faxing service that allows you to send and receive faxes through your regular email account.  The one I use is called MaxEmail but I have also heard good things about eFax and I believe it works similarly.  There are several other options as well but I don’t have anything good or bad to say about them.

For about $85/year, I get a local fax number (you get to choose the area code and the exchange from a list of available locations) that people can send faxes to.  If you don’t mind having a random area code assigned to your fax number, you can sign up for around $25/month instead.  So if I need medical results faxed to me, for example, I can give them my home fax number and I don’t need to worry about my cholesterol figures sitting on the office fax machine or ending up missing in someone’s stack of work related papers.

When a fax comes in to your fax number, MaxEmail converts it to a PDF file and sends it as an email that shows up like any other email message with an attachment.  To send a fax, you format it like an email and address it to something like 6125551234@maxemailsend.com, and MaxEmail converts it from an email to a fax and sends it to the recipient’s fax machine.  The body of your email message becomes the fax cover page and any attachments (many file formats like PDF, Word, Excel, etc. are supported) become the fax.  I do this to file my healthcare flexible spending claims, for example, because I have the form on my computer and I scan in my receipts, so getting it to the claims servicer is as simple as sending an email and attaching these items.

As I said, someday everything will travel by email and we’ll probably sign things electronically to clear the hurdle that requires certain things (like FSA claims) to be sent by fax today.  Until then, a relatively inexpensive and easy option is to use an online faxing service like MaxEmail.

Brenden Schaaf / May 2, 2009

Easing the sting of buying a new car

A new website, truecar.com, has launched with the goal of providing consumers with information about quoted prices at local auto dealers that will let them know whether or not they are getting a good deal.  They supposedly collect actual pricing information from public records, lenders, etc., and eventually will offer vehicle sales through their website.

I’m the kind of person who hates buying a car because, no matter what, I’m going to feel like I got ripped off.  At least with a site like truecar.com maybe I’ll be that much more educated and at least feel like I came away with a deal.  A lot is going to depend on how reliable/accurate their data tends to be.  Sites like Zillow have tried to do the same thing with houses, to mixed reviews.  I would think that crunching data on cars will be easier since there are more transactions, and a 2009 Toyota Sienna XLE is the same whether you are buying it in Minneapolis or Bismarck.

Read more about truecar.com at this link:

http://www.autonews.com/article/20090428/ANA08/904289962/1018

Brenden Schaaf / April 26, 2009

Google Reader

I was late to the RSS game, discovering Google Reader only a couple of months ago.  For probably a couple of years I had bookmarked some RSS feeds to my Bookmark Toolbar in Firefox.  This gave me the ability to view updated bookmarks with all the most recent StarTribune.com stories, for example, but it showed 10 or fewer links, and if I didn’t look at it for a while I inevitably missed some stories.

Another issue I had was trying to monitor a handful (around 5) of blogs for updates on a regular basis.  It became a chore to remember to visit the sites I had bookmarked every day or two and I would inevitably miss important news items.

Enter Google Reader.  There are better resources than I could create to help you learn about Google Reader and how to use it, but the simplest way to get started with it is to subscribe to updates for this site by clicking on the “In an RSS Reader” link in the right column of this page.  If you have a Google account for Gmail, iGoogle, Google Calendar, etc. you will find the process to be quite simple.  Otherwise your biggest hurdle will be to set up a Google account.

As evidence of the Google Reader addict I have become, you can see at the bottom of the column to the right all the RSS feeds I follow.  As you can see, RSS feeds can come not only from blogs but also from news websites, and that is my primary use of them.  Google Reader collects all the sites I like to follow in one place, and I can click a link in a snippet of an article to read the entire article on the original site.

Here are some other resources that may interest you:

http://googlereader.blogspot.com/2009/01/google-reader-for-beginners.html

http://google.com/support/reader/bin/answer.py?answer=113517