My Flypaper Mind Brenden Schaaf's opinions, ideas, comments, rantings, & minutiae


How safe are your passwords?

Strong Passwords courtesy Paul O'Rear on Flickr

The recent news that some LinkedIn and eHarmony passwords have been compromised represents the latest in a string of such stories that are part of a trend we will continue to see for the foreseeable future.  Users of these services were advised to change their passwords, but how much will that really protect most people?  Most of us have accounts, and therefore passwords, with dozens or even hundreds of websites.  Furthermore, it has been reported that way too many people use the same password (including the password they use for online banking) or handful of passwords across multiple sites.  So once a hacker has someone's email address and password for LinkedIn they very likely have enough information to login to Amazon, eBay, Wells Fargo, etc.

So what's a person to do?  Standard advice includes creating strong passwords that aren't susceptible to dictionary attacks as well as making a different password for every site visited.  After doing this for just a handful of sites, however, it would become next to impossible to remember every password needed by most of us.

Storing passwords in an encrypted text file is a possible solution, though keeping  a copy available on several machines and mobile devices would require the use of insecure means (such as carrying the file on a USB flash drive or emailing the file back and forth between work and home) or the use of an encrypted synchronization solution like SugarSync or Dropbox.  I think that anyone willing to do that is better off using a dedicated solution in the form of an online Password Manager.

I first learned of these kinds of tools at the 2011 MNCPA Tax Conference, when Tommy Stephens of K2 Enterprises demonstrated a tool he uses called RoboForm.  I was impressed that it allowed him to select bookmarks directly from his browser and be automatically logged in to the destination site without any intervention.  This looked like a good tool to use primarily to save time...I didn't really give much thought to the security reasons for using such a tool.  I tried RoboForm after the conference for a couple weeks but soon found that I preferred a similar solution called LastPass instead.

I actually became aware of LastPass in 2010 when Xmarks was purchased by them, but never thought to use it until I saw the Roboform demonstration and found it to be kind of kludgy in my daily use.  The lightbulb went off and I quickly recalled that the sister-program to Xmarks (another product I highly recommend, by the way) might be worth checking out and I sure am glad that I did so.  In my opinion it just works better than Roboform and I found it very intuitive to set up and use.  Having used LastPass now for 6+ months I can't recommend enough that everyone use this program.  Given that these tools are constantly being updated and related applications are available for multiple operating systems (iOS, Android, Windows, Blackberry, Linux, etc.) you should try a couple and choose the one that works best for how you use the internet and the devices you use.

LastPass Generate Secure Password Dialog Box

Here are some of the many benefits to using LastPass:

  1. Passwords are encrypted and stored securely and are unlocked only through the use of a master password (needed only one time per browsing session at most).  Since this is the only password you really need to remember you can, and should, make it very strong.  Doing so is key to making your information secure.
  2. You can easily test your password performance and continue to tweak your passwords to make them even more secure using a tool that runs against your current collection of passwords and ranks you in comparison to other users.  See graphic showing my scores.
  3. Not having to remember passwords for multiple sites, especially those used infrequently.
  4. No longer storing passwords insecurely in multiple web browsers on several machines.
  5. Easily generate lengthy, strong, unique passwords.
  6. No password reuse at multiple sites.
  7. Browser add-ons and mobile apps are available to make LastPass easy to use on multiple devices and platforms.  Some of these tools are available only to subscribers to LastPass Premium, but the cost of $12/year is negligible and I felt compelled to pay for the premium product just to support the software development even before I used the Android app.

When first run, LastPass will offer to import passwords stored in your default browser making it easy to populate the database initially.  Once that is done you'll want to visit each site stored in LastPass to change your existing password for that site to something stronger.  LastPass will generate a password to your specifications.  Start by choosing  the desired password length and whether to include uppercase, lowercase, numeric, or special characters and let LastPass create a random password.  Depending on the website, you may be able to click "Accept" at the bottom to have the password automatically inserted into the password field(s) on the site or you may need to click "Copy" as in the graphic shown to manually paste the password into the form.  Once you do that, LastPass will offer to store the password for future use.

One of the most frustrating issues I ran across when going through this process is how varied the password requirements are for different websites.  See the adjacent table for some of the requirements I noted for some randomly chosen sites.

Password requirements for selected sites

I was surprised at how many sites had upper limits on password length since presumably the sites are storing a hashed version of user passwords (which may be a fixed length no matter how long the user's password is).  I was also shocked that several sites emailed me the new password in plain text immediately upon changing it, a very problematic issue.

Perhaps the most troublesome are those that only allow short passwords or that disallow special characters since they are limiting the strength of their customers' passwords by default and making their own sites more vulnerable than necessary. Although many sites allowed very long, complicated passwords (I set several of my passwords to 75+ characters) there were some, unfortunately, that limited passwords to 4 digit PINs.
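As an added illustration (not code from the post, and not LastPass's own code) of the two points above: the generator dialog builds a random password from a chosen length and character classes, and a site that stores a salted hash gets a fixed-size digest whether the password is 8 or 75 characters long, so a length cap protects nothing on the storage side. The special-character set, the PBKDF2 iteration count and the hypothetical "12 characters, no specials" site policy are my own assumptions.

```python
import hashlib
import secrets
import string

# Character classes matching the choices in the generator dialog:
# length plus whether to include uppercase, lowercase, numeric or special characters.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",  # constructed set; sites differ on what they accept
}


def generate_password(length, upper=True, lower=True, digits=True, special=True):
    """Return a random password of `length` drawn from the enabled classes.

    Uses `secrets` (a CSPRNG), never `random`. One character from every enabled
    class is guaranteed so the result passes typical "must contain" rules; the
    rest is drawn from the union and the whole thing is shuffled.
    """
    flags = (("upper", upper), ("lower", lower), ("digits", digits), ("special", special))
    selected = [CLASSES[name] for name, on in flags if on]
    if not selected:
        raise ValueError("at least one character class must be enabled")
    if length < len(selected):
        raise ValueError("length too short to include every enabled class")
    chars = [secrets.choice(cls) for cls in selected]
    alphabet = "".join(selected)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def check_policy(password, max_length=None, allow_special=True):
    """List the ways a password would be rejected by a site with the given limits.

    Models the two restrictions found most troublesome above: a maximum length
    and a ban on special characters. An empty list means the password is accepted.
    """
    problems = []
    if max_length is not None and len(password) > max_length:
        problems.append(f"longer than the site's maximum of {max_length}")
    if not allow_special and any(c in CLASSES["special"] for c in password):
        problems.append("contains special characters the site disallows")
    return problems


def hash_password(password, salt, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme). The digest is always 32 bytes
    regardless of password length, so storing hashes gives no reason to cap length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # per-user random salt, stored beside the hash
    for n in (8, 23, 75):
        pw = generate_password(n)
        digest = hash_password(pw, salt)
        print(f"{n:>2}-char password -> {len(digest)}-byte hash; "
              f"hypothetical 12-char/no-special site says: {check_policy(pw, 12, False)}")
```

Running the block prints one line per length; the 23- and 75-character passwords both produce a 32-byte digest and both fail the hypothetical restrictive policy, which is exactly the mismatch between what a password manager can generate and what some sites will accept.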

I was also surprised by a few websites that didn't seem to allow password changes at all but I found a work-around for nearly all of them by using the "forgot password" link to generate a new, temporary password and then I was able to create a new password.

At present you can see by the images above that LastPass is managing 214 passwords for me and the average length of the stored passwords is 23.7 characters.  I couldn't imagine memorizing more than one password that long much less several dozen that are longer.  Not only am I more comfortable now that I'm using LastPass but I find being online and the myriad of passwords to be even easier to use now.  That's a definite win-win.

Anyone that cares about security should use LastPass or a product like it.


My favorite Firefox add-ons

I'll admit that this post is largely self-serving.  Having rebuilt two Windows XP machines (one of them twice) in the past week along with installing Windows 7 on my Toshiba NB205 Netbook, I am tired of trying to keep track of the add-ons that I love every time I install Firefox.  Perhaps someday Xmarks or a product like it will synchronize these things across multiple installations, but counting my home PC, laptop, netbook, work PC, etc. I've ended up with quite an array of different add-ons on each machine.  With any luck, by listing the best ones here along with links, I will be able to more easily manage these things -- and if it benefits you as well, that's great!

So here, in no particular order other than my ability to remember them, are my favorite add-ons for my favorite browser, Firefox:

  1. Xmarks
    • I wrote at length about Xmarks back in May.  Briefly, it is a way to synchronize your bookmarks (and passwords if you choose) across multiple Firefox installations.  In the scenario I mentioned above about installing a fresh version of Firefox on a new (or rebuilt) PC, all that is needed to have all your bookmarks is to install this add-on and enter your Xmarks username and password and the bookmarks are downloaded from the Xmarks server to your new machine.  All icons are maintained as the order and foldering structure present on your other machines.
    • Download Link:
  2. Adblock Plus
    • I've sung the praises in-depth of Adblock Plus before.  Disregarding whatever moral issues there might be to blocking ads on sites that are otherwise free, this add-on will make your browsing experience faster and less cluttered.  There are very few times that I've had to disable Adblock Plus due to "false positives" but it has happened on a couple sites.  Even so, turning it off is as simple as clicking the icon in the status bar and choosing from the menu.
    • Download Link:
  3. Forecastfox
  4. Download Statusbar
    • Normally when you choose to download a file, Firefox pops up a separate window to show the download status and from which you can launch the file when the download is complete.  This is interesting behavior given that one of the primary reasons many people first adopted Firefox was because of the pop-up blocker that other browsers lacked.  With this add-on, you can eliminate the extra pop-up window and instead monitor and execute downloads from the Firefox status bar.
    • Download Link:
  5. Greasemonkey
    • This add-on is different from others in that by itself it does nothing.  Instead, you have to download (or create) Greasemonkey scripts (there are thousands) to make it do whatever it is you desire.  A more lengthy post I wrote in May provides more details, but having Greasemonkey is like putting your browser on steroids.  Just like there are add-ons for Firefox I find it hard to live without, there are Greasemonkey scripts that I depend on heavily as well.  Many of those are listed in the post from May, but I'll update the list via a new post soon.
    • Download Link:
  6. Greasefire
  7. The Camelizer
    • CamelCamelCamel used to have a Greasemonkey script that worked on Amazon so that you could see historical prices for a given item without having to visit the main CamelCamelCamel site.  They have now released a Firefox add-on that does much the same thing except that it now also functions on NewEgg and Best Buy.  This is a great way to know if that deal you are eyeing is really a deal and you also have the ability to set price alerts so that you'll receive an email when the price drops below a certain point.  If you enjoy shopping online, this is a must-have add-on.
    • Download Link:
  8. TinyURL Generator
  9. Fission
    • I discovered this add-on when I first got a netbook.  Screen real estate is a premium on a small screen and I wanted to turn off the status bar at the bottom of the screen but I missed having the progress bar that shows how much of a page has downloaded.  This add-on combines the address bar with the download progress meter at the top of the screen.
    • Download Link:
  10. Personal Menu

Windows 7 Release Candidate

Wow!  Summer sure is flying by.  Only a few weeks away from the Great Minnesota Get-Together and then we're into autumn.  My summer has been so packed that I haven't had much time to write things here, but I just have to report on my experience with the Windows 7 Release Candidate that I installed on my laptop a couple weeks back.

First off, my Dell E1505 is 3+ years old.  It came with Windows XP, which came out to great fanfare way back in 2001.  Eight years is a long time in terms of technology.

About once a year I wipe my laptop clean and reinstall Windows XP because if I don't do that it becomes slower and slower until I am so frustrated that it is virtually unusable.  I last wiped it clean in November 2008 and it seemed like it ran really well for a few months but by summer I had been experiencing significant slowdowns once again.  Given that it had taken me 12+ hours last time to wipe/reinstall Windows and then reinstall all my applications and updates (dozens of updates plus reboots after many of them) not to mention having to backup and copy back all my data, this was not a task I was really rushing to perform if you catch my drift.

In fact, I even considered buying a new laptop but decided instead to get a Toshiba NB205 Netbook and milk my existing larger laptop for as long as I could stand it.  Given my issues with Windows XP slowing down, I wasn't sure that I'd be able to stand it for very long!

In late June I was reading about the upcoming Windows 7 release set for October.  It was hailed as the Windows that Vista should have been, which didn't mean much to me because I've had virtually zero experience with Vista other than helping my wife with a couple tasks on the new laptop that she got in May.  Still, the reviews made Windows 7 sound like a pretty sweet operating system and the Release Candidate (the last version before it goes on sale) sounded pretty stable.

After confirming that my Dell E1505 could run Windows 7 (I ran the Microsoft tool to check this and also found some posts online by folks that had already taken the plunge), I downloaded the OS from Microsoft and made a DVD that would allow me to format/install Windows 7 to my laptop.  In a sad twist of irony, I had to use the DVD burner on my wife's laptop (running Windows Vista) to actually create the DVD because my own laptop kept creating I guess Vista and/or HP were better than XP and/or Dell in this case!

This time, backing up my data before wiping my laptop clean was a non-issue since I now use Windows Live Sync as I reported on earlier.  My bookmarks are backed up using Xmarks so that wasn't an issue either.  Not having to spend 1-2 hours finding and copying all my data files was a great relief and made the start of the upgrade process that much easier.  I gathered up my application CDs and install files (Microsoft Office 2007, Camtasia, and Snagit being the main ones) and began the process of installing Windows 7 to my laptop.  I figured the worst that could happen is that it wouldn't work and then I'd need to install Windows XP, which was something that I had intended to do anyway.

I'm happy to report, though, that my Windows 7 install went great!  I had a lot fewer issues with missing drivers than I had the last time I reinstalled XP (video drivers and DVD software were a huge obstacle last time) and everything that didn't work right away when Windows 7 booted up the first time (screen resolution was limited, for example) worked just fine after I ran Windows Update once.  DVDs even played in Windows Media Player without the need for me to install any special software/codecs/drivers to make it happen and the wifi was a snap to configure/use.  Despite a few hiccups along the learning curve (I, like many others, really miss having an "up" button in Windows Explorer to get to the parent directory, for example) after two weeks of running Windows 7 it feels like I have a brand new machine and I wish my other XP machines were running it too.

Screenshot of Windows 7 RC Desktop running on my Dell E1505

I fully intend to purchase the retail version of Windows 7 in October on the basis of my experience installing the RC on my laptop.  I may even buy a 2nd copy to upgrade my netbook since Toshiba appears to be actively embracing Windows 7 and has already released several drivers to make the switch possible.  The main obstacle there is that the NB205 doesn't have a DVD drive so I'll probably let some other early adopters tackle this chore first and then I can follow their advice online for booting from a flash drive once I'm comfortable that installing that way will be relatively trouble-free.  Or maybe Microsoft will release Windows 7 on a flash drive which is something that would allow me to upgrade my desktop too (also running Windows XP and also without a DVD drive).

Unfortunately I missed the boat buying Windows 7 at the discounted "get people excited" price (didn't realize the timeframe was so limited) but I have preordered the upgrade version on Amazon and will have the DVD in hand in October when it is released.  It sounds like I'll need to do another clean install (something Walt Mossberg has made out to be a bigger deal than it really is in my opinion), but that shouldn't be very problematic given my experience with the RC.  Walt may be right that performing a clean install is beyond the capabilities of most people, but I also believe reading his column is beyond the capabilities of most people and he still keeps writing it regularly.  I guess I can forgive his sense of alarm on the Windows 7 upgrade given that he and I largely share the same opinion on my new netbook.  Stay tuned for my take on that topic soon after I get some time to use it more.


Firefox Add-on: Xmarks

Nearly half of you probably already use Firefox as your primary web browser, but I bet even if you use it regularly that there are lots of ways that Firefox could make your life easier, if only you knew about them.  The great thing about Firefox is that there are lots of add-ons, but finding them is often difficult.  I'll share some of my most loved add-ons over time (some I have now and some that I hope to discover through this process) so keep checking back for more posts like this one if you find it helpful.  And if you haven't tried Firefox it is free to download/install and few people I know have tried it and then gone back to whatever they were using before.

The main Firefox add-on I live by these days is one called Xmarks (it was called Foxmarks until a couple months ago) and the main feature of Xmarks is the ability to synchronize your bookmarks/favorites across multiple computers and web browsers.  That's right...Xmarks now works with Safari and Internet Explorer (I guess that's the reason for the name change) so your bases are covered even if you have no control over the web browsing software you use (because of a restrictive employer or computer-controlling spouse, for example!).  There is now even the ability to set up profiles so that you can have a separate set of "work" bookmarks to use at the office and "home" bookmarks to use everywhere else.

With the name change, Xmarks also started doing a few other things beyond the bookmark management, like site suggestion based on other users' bookmarks, bookmark tagging to make them easier to find, and marking top sites on Google with a little Xmarks logo.  I wouldn't doubt if some more things are on the horizon because I get the feeling that the Xmarks folks are looking to find a way to make some money, but the bookmark-sync alone is enough to keep me as a loyal user and my bookmarks stay the same on 3 different machines and my flash drive without me having to think about them.  Here is to hoping it stays free!

