My Flypaper Mind: Brenden Schaaf's opinions, ideas, comments, rantings, & minutiae

10 Jun 2012

How safe are your passwords?

[Image: Strong Passwords, courtesy Paul O'Rear on Flickr]

The recent news that some LinkedIn and eHarmony passwords have been compromised is the latest in a string of such stories, part of a trend we will continue to see for the foreseeable future.  Users of these services were advised to change their passwords, but how much will that really protect most people?  Most of us have accounts, and therefore passwords, with dozens or even hundreds of websites.  Furthermore, it has been reported that far too many people use the same password (including the password they use for online banking), or a handful of passwords, across multiple sites.  So once a hacker has someone's email address and password for LinkedIn, they very likely have enough information to log in to Amazon, eBay, Wells Fargo, etc.

So what's a person to do?  Standard advice includes creating strong passwords that aren't susceptible to dictionary attacks as well as making a different password for every site visited.  After doing this for just a handful of sites, however, it would become next to impossible to remember every password needed by most of us.

Storing passwords in an encrypted text file is a possible solution, though keeping  a copy available on several machines and mobile devices would require the use of insecure means (such as carrying the file on a USB flash drive or emailing the file back and forth between work and home) or the use of an encrypted synchronization solution like SugarSync or Dropbox.  I think that anyone willing to do that is better off using a dedicated solution in the form of an online Password Manager.

I first learned of these kinds of tools at the 2011 MNCPA Tax Conference, when Tommy Stephens of K2 Enterprises demonstrated a tool he uses called RoboForm.  I was impressed that it allowed him to select bookmarks directly from his browser and be automatically logged in to the destination site without any intervention.  This looked like a good tool to use primarily to save time...I didn't really give much thought to the security reasons for using such a tool.  I tried RoboForm after the conference for a couple of weeks but soon found that I preferred a similar solution called LastPass instead.

I actually became aware of LastPass in 2010 when Xmarks was purchased by them, but never thought to use it until I saw the RoboForm demonstration and found RoboForm to be kind of kludgy in my daily use.  The lightbulb went off and I quickly recalled that the sister program to Xmarks (another product I highly recommend, by the way) might be worth checking out, and I sure am glad that I did so.  In my opinion it just works better than RoboForm, and I found it very intuitive to set up and use.  Having used LastPass now for 6+ months, I can't recommend enough that everyone use this program.  Given that these tools are constantly being updated and related applications are available for multiple operating systems (iOS, Android, Windows, Blackberry, Linux, etc.), you should try a couple and choose the one that works best for how you use the internet and the devices you use.

[Image: LastPass Generate Secure Password dialog box]

Here are some of the many benefits to using LastPass:

  1. Passwords are encrypted and stored securely and are unlocked only through the use of a master password (needed only one time per browsing session at most).  Since this is the only password you really need to remember you can, and should, make it very strong.  Doing so is key to making your information secure.
  2. You can easily test your password performance and continue to tweak your passwords to make them even more secure using a tool that runs against your current collection of passwords and ranks you in comparison to other users.  See graphic showing my scores.
  3. Not having to remember passwords for multiple sites, especially those used infrequently.
  4. No longer storing passwords insecurely in multiple web browsers on several machines.
  5. Easily generate lengthy, strong, unique passwords.
  6. No password reuse at multiple sites.
  7. Browser add-ons and mobile apps are available to make LastPass easy to use on multiple devices and platforms.  Some of these tools are available only to subscribers to LastPass Premium, but the cost of $12/year is negligible and I felt compelled to pay for the premium product just to support the software development even before I used the Android app.

When first run, LastPass will offer to import passwords stored in your default browser, making it easy to populate the database initially.  Once that is done you'll want to visit each site stored in LastPass to change your existing password for that site to something stronger.  LastPass will generate a password to your specifications.  Start by choosing the desired password length and whether to include uppercase, lowercase, numeric, or special characters, and let LastPass create a random password.  Depending on the website, you may be able to click "Accept" at the bottom to have the password automatically inserted into the password field(s) on the site, or you may need to click "Copy" as in the graphic shown to manually paste the password into the form.  Once you do that, LastPass will offer to store the password for future use.

One of the most frustrating issues I ran across when going through this process is how varied the password requirements are for different websites.  See the adjacent table for some of the requirements I noted for some randomly chosen sites.

[Table: Password requirements for selected sites]

I was surprised at how many sites had upper limits on password length, since presumably the sites are storing a hashed version of user passwords (and a hash is a fixed length no matter how long the user's password is, so a long password costs the site no extra storage).  I was also shocked that several sites emailed me the new password in plain text immediately upon changing it, a very problematic issue.

Perhaps the most troublesome are those that only allow short passwords or that disallow special characters since they are limiting the strength of their customers' passwords by default and making their own sites more vulnerable than necessary. Although many sites allowed very long, complicated passwords (I set several of my passwords to 75+ characters) there were some, unfortunately, that limited passwords to 4 digit PINs.
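As an added example (not code from the post or from LastPass), here is a small Python generator that follows the same specification as the LastPass dialog described above (length plus a choice of character classes, drawn from the OS random source), together with an entropy estimate that puts numbers on what the length caps and banned special characters noted here cost; the particular special-character set is an assumption, since sites differ on which symbols they accept.

```python
import math
import secrets
import string

# Character classes matching the LastPass generator's checkboxes (upper,
# lower, numeric, special). The special set is an assumption; sites vary
# in which symbols they accept, which is the post's own complaint.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL = ("upper", "lower", "digits", "special")


def generate_password(length, classes=ALL):
    """Random password of `length` chars over the selected classes.

    Every selected class appears at least once, and the OS CSPRNG
    (secrets.SystemRandom) is used so output is not reproducible from a
    seed the way random.Random output would be.
    """
    if length < len(classes):
        raise ValueError("length too short to include every selected class")
    rng = secrets.SystemRandom()
    alphabet = "".join(CLASSES[c] for c in classes)
    # One char from each class, then fill the remainder from the union.
    chars = [rng.choice(CLASSES[c]) for c in classes]
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def entropy_bits(length, classes=ALL):
    """Bits of entropy of a uniformly random password over the classes.

    The usual policy-comparison figure; it slightly overstates the
    guaranteed-class generator above, which excludes a few strings.
    """
    return length * math.log2(sum(len(CLASSES[c]) for c in classes))


if __name__ == "__main__":
    # Policies from the post: 75+ chars with everything allowed versus a
    # site that caps passwords at a 4-digit PIN.
    for label, n, cls in [("75 chars, all classes", 75, ALL),
                          ("12 chars, no specials", 12, ALL[:3]),
                          ("4-digit PIN", 4, ("digits",))]:
        print(f"{label}: {generate_password(n, cls)} ~{entropy_bits(n, cls):.0f} bits")
```

The three policies come out at roughly 481, 71 and 13 bits respectively, which is the gap between a password that is infeasible to brute-force offline and one that falls to ten thousand guesses.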

I was also surprised by a few websites that didn't seem to allow password changes at all, but I found a work-around for nearly all of them: using the "forgot password" link to generate a new, temporary password, after which I was able to set a new password of my own.

At present you can see by the images above that LastPass is managing 214 passwords for me and the average length of the stored passwords is 23.7 characters.  I couldn't imagine memorizing more than one password that long much less several dozen that are longer.  Not only am I more comfortable now that I'm using LastPass but I find being online and the myriad of passwords to be even easier to use now.  That's a definite win-win.

Anyone that cares about security should use LastPass or a product like it.

10 Jun 2011

Surf (more) safely

With the advent of Firefox add-ons like Firesheep that make hijacking browser sessions easy for even the most novice users, it is more necessary than ever to take action to use the most secure methods of transmitting/receiving data possible.  One good tip is to only visit sites that use a secure connection (denoted by "https" as the protocol rather than "http").  A great tool that will automatically do this for you for major sites is this add-on, HTTPS-Everywhere.  Another tip is just to change your Facebook, Twitter, Hotmail, etc. bookmarks to https in the URL to make sure that you are always connecting securely through your own bookmarks; but if you click on a "share on Facebook" or similar link at a website, you are still subject to the site owner's link design as to which server you are taken to.  Better to use this add-on to be safe, but do understand that there are limitations that might cause problems.  These are generally the result of some services (like Google Images or Facebook Chat) not being available over HTTPS, so some sites may not look/feel exactly the same as their non-secure counterparts.

17 Dec 2009

My favorite Firefox add-ons

I'll admit that this post is largely self-serving.  Having rebuilt two Windows XP machines (one of them twice) in the past week along with installing Windows 7 on my Toshiba NB205 Netbook, I am tired of trying to keep track of the add-ons that I love every time I install Firefox.  Perhaps someday Xmarks or a product like it will synchronize these things across multiple installations, but counting my home PC, laptop, netbook, work PC, etc., I've ended up with quite an array of different add-ons on each machine.  With any luck, by listing the best ones here along with links, I will be able to more easily manage these things -- and if it benefits you as well, that's great!

So here, in no particular order other than my ability to remember them, are my favorite add-ons for my favorite browser, Firefox:

  1. Xmarks
    • I wrote at length about Xmarks back in May.  Briefly, it is a way to synchronize your bookmarks (and passwords if you choose) across multiple Firefox installations.  In the scenario I mentioned above about installing a fresh version of Firefox on a new (or rebuilt) PC, all that is needed to have all your bookmarks is to install this add-on and enter your Xmarks username and password; the bookmarks are then downloaded from the Xmarks server to your new machine.  All icons are maintained, as are the order and folder structure present on your other machines.
    • Download Link: https://addons.mozilla.org/en-US/firefox/addon/2410
  2. Adblock Plus
    • I've sung the praises in-depth of Adblock Plus before.  Disregarding whatever moral issues there might be to blocking ads on sites that are otherwise free, this add-on will make your browsing experience faster and less cluttered.  There are very few times that I've had to disable Adblock Plus due to "false positives" but it has happened on a couple sites.  Even so, turning it off is as simple as clicking the icon in the status bar and choosing from the menu.
    • Download Link: https://addons.mozilla.org/en-US/firefox/addon/1865
  3. Forecastfox
  4. Download Statusbar
    • Normally when you choose to download a file, Firefox pops up a separate window to show the download status and from which you can launch the file when the download is complete.  This is interesting behavior given that one of the primary reasons many people first adopted Firefox was because of the pop-up blocker that other browsers lacked.  With this add-on, you can eliminate the extra pop-up window and instead monitor and execute downloads from the Firefox status bar.
    • Download Link: https://addons.mozilla.org/en-US/firefox/addon/26
  5. Greasemonkey
    • This add-on is different from others in that by itself it does nothing.  Instead, you have to download (or create) Greasemonkey scripts (there are thousands) to make it do whatever it is you desire.  A more lengthy post I wrote in May provides more details, but having Greasemonkey is like putting your browser on steroids.  Just like there are add-ons for Firefox I find it hard to live without, there are Greasemonkey scripts that I depend on heavily as well.  Many of those are listed in the post from May, but I'll update the list via a new post soon.
    • Download Link: https://addons.mozilla.org/en-US/firefox/addon/748
  6. Greasefire
  7. The Camelizer
    • CamelCamelCamel.com used to have a Greasemonkey script that worked on Amazon so that you could see historical prices for a given item without having to visit the main CamelCamelCamel site.  They have now released a Firefox add-on that does much the same thing, except that it now also functions on NewEgg and Best Buy.  This is a great way to know if that deal you are eyeing is really a deal, and you also have the ability to set price alerts so that you'll receive an email when the price drops below a certain point.  If you enjoy shopping online, this is a must-have add-on.
    • Download Link: https://addons.mozilla.org/en-US/firefox/addon/14392
  8. TinyURL Generator
  9. Fission
    • I discovered this add-on when I first got a netbook.  Screen real estate is at a premium on a small screen, and I wanted to turn off the status bar at the bottom of the screen, but I missed having the progress bar that shows how much of a page has downloaded.  This add-on combines the address bar with the download progress meter at the top of the screen.
    • Download Link: https://addons.mozilla.org/en-US/firefox/addon/1951
  10. Personal Menu