How to Prevent Compulsive Browsing

Guess what happened to me the other day? I had a big project to work on. Before I started, I figured I would just check my email and my Facebook account “really quickly.” So I did. I still didn’t really want to start, so I checked my Google Reader feed. Then I read some things linked to that, and some things linked to that. Then I looked at the clock and noticed that I’d just wasted a whole hour.

Everybody has a different weakness; maybe yours is Reddit, or Memebase, or Google News. I have a huge problem with Wikipedia; I love learning about random stuff so much that I click any links that look interesting, and then I click some links in those articles, and eventually I notice that I’ve moved ridiculously far from my original topic.

Ironically, it was several levels of links out from my Google Reader feed that I learned of the program that has worked wonders for me. It was an article called “How to Quit Wasting Time on the Internet” that showed up in the related articles section of a website I’d reached after clicking a link on one of the pages I reached by clicking a link on Reader. Given that I was undeniably wasting time on the Internet at the time, I immediately clicked the link.

The article has a large number of suggestions, so if you’re interested in more options and tools, take a look at it. But what worked for me was a Chrome extension called StayFocusd. It has two modes:

  • A daily limit on browsing time for particular sites. You make a list of sites you often waste time on (I have Facebook, Google Reader, Lifehacker, The Onion, YouTube, Wikipedia, and for good measure even though I don’t often visit them, Reddit and StumbleUpon). You can also check a box that treats any site you reach by following a link from a time-wasting site as time-wasting too (very important for sites that are primarily lists of links to others, such as Google News or Reader). Then you choose how long you want to give yourself to browse these sites per day (right now I have 20 minutes, but I’m still trying to find the best amount). After you’ve used up that time, you can’t visit those sites for the rest of the day, and you can’t increase the time either.
  • A complete block for a given amount of time. This is called the “nuclear option.” You choose the length of time you need to be distraction-free and whether you want to block just your blacklisted sites or the entire Internet, and after you click the button there’s no going back.

It’s quite possible to cheat if you want to; for instance, you can simply open a different browser in which the extension is not installed. But unless you have really serious self-control problems, you don’t really need to block things entirely, you just need to give yourself a reminder. As soon as the extension informs me that I’m not supposed to be visiting a website, I immediately realize what I’m doing and lose the desire to try. Having a timer also works wonders to remind me to scan lists of articles quickly rather than waste time reading unimportant ones.

I had no idea how much time I was wasting this way until I installed the extension. Since installing it, I find myself wondering what I should do much more frequently; though I wasn’t aware of it, apparently I had a tendency to just start browsing the Web and then get drawn into something that way.

If you’ve ever had a problem with compulsive browsing, this extension could give you time you didn’t even know you had.

Download StayFocusd for Chrome

(Note: There are similar extensions for Firefox; see the original article that I linked earlier for some of these.)

Low-Tech: Use the Most Basic Effective Solution

Ever find yourself wondering whether you should use the latest app or buy the latest fancy device to replace a simpler, lower-tech tool? Here’s a rule I recently came up with to help decide. Simply put: One should use the lowest-tech solution that meets one’s needs.

This may seem strange in the modern world with all our fancy gadgets and innovative smartphone apps: Why would you prefer the low-tech solution unless it was perceptibly better? By way of answering, I’ll ask a hopefully easier question: why wouldn’t you pick the high-tech solution?

  • Simplicity. You’ve probably heard the acronym KISS (“Keep it simple stupid”). If a sheet of paper works just fine, why should you use a computer system or a tablet? Unless it’s actually more useful that way, you’re only adding needless complexity. This is not to say that the simpler solution is always better; rather, the simpler solution is better if it also does everything you need it to. If the tablet truly is more useful, then by all means go with it—the key is that at equal levels of utility, the simpler system is better.
  • Fragility. In nearly all situations, the more complex a system gets, the more likely it is to fail. (You could argue that some complex systems are complex because of all the checks and failsafes in them, but in the end there is still more to go wrong than in a simpler system. No matter how good your battery charging and warning system is, it’s still going to be harder to run out of battery life on your paper.) If there is no difference in utility, it makes sense to choose the system that’s less likely to fail.
  • Flexibility. The simplest systems are often easier to adapt to other purposes, and they’re often easier to fix when something goes wrong or turns out not to work the way you intended.
  • Cost. I don’t really mean financial cost; while low-tech methods are sometimes cheaper, it can go either way (if you already have a computer or a smartphone that is capable of duplicating the function of another system, needing a separate device or piece of equipment will cost you more). However, the more complex your system gets, the more time and energy you must put into learning it. Sometimes this is totally worth it (if you’ve found a new computer program that can help you do your job in half the time, for instance), but other times it proves to be a waste of effort.

Here are two test cases I’ve run into:

  • Anki. Anki is a flashcard system that manages your studying for maximum efficiency. I have 17,525 cards in Anki at the moment and can expect to see about 300 of them on any given day (if I’m studying every day, as I’m supposed to), getting maybe 260 of those correct on the first shot. Imagine for a moment that I had instead chosen to implement this with paper flashcards. A 1000-count of plain white 3×5 index cards costs me around $10 on Amazon, making around $180 just for the paper to date (plus probably another $20 for ones I spoiled initially or chose to delete at some point). Anki is completely free (assuming you already have a computer) and even if you want to buy the paid mobile version, that’s only $25. Then we have the space that 18,000 index cards takes up: a stack of 100 index cards is about 3x5x0.875 inches. Stacked all together, those index cards would be over 13 feet tall! And from this stack, I would somehow have to figure out which 300 to study. This isn’t quite as impossible as it might seem; there are reasonably efficient algorithms for handling this kind of study, even by hand. But the point is that it would be a huge pain. In this case, the low-tech solution does not meet my needs in any way, so I move to a more complicated and high-tech system.
  • Notes. On the other hand, if I just need to sketch something out or write down a note quickly, I reach for a sheet of paper, a sticky note, or an index card. Writing the note on the computer does not make sense: I could talk about the ways in which paper is more flexible, but it’s easier to describe the ways in which using a computer doesn’t make sense: if I’m making a list of things I’m trying to remember to do in the next 20 minutes, I don’t need the storage or searching capabilities that a computer or phone can provide (in fact, it’s more likely to never get deleted and junk up my notes collection or filesystem). If I’m writing in Notepad and suddenly realize I need to include a diagram, I have to open up a different program or app to do that (and if I tried to avoid that by going with a drawing app from the start, I’d probably lose the organizational abilities of a more text-oriented notes program). Additionally, there is significant overhead in opening an extra app or program (and getting the appropriate device if not already using it).

    The flexibility and simplicity of paper won out here: it can be used for nearly anything and is nearly always available.

If you ever feel like you’ve been drawn into using new software or tools that sounded like they were useful but turned out to be more of a burden or useless than anything else, give the simplicity test a shot next time: Is the new system legitimately more useful (and significantly enough so to cover the cost of learning it)? Or does it only add more complexity with little to show for it?

Website Reorganization

Today I’m announcing the reorganization of The Technical Geekery.

What does this mean? I’m going to be moving some things around and adding some
things, but more importantly, I’m going to be clarifying my mission statement
and the purpose of having my website. That has always been somewhat tenuous. The
site has, to me, felt split between two personalities: the Computer Tips
personality (in the blog) and the Random Crap personality (in many of the other
pages). Not that I feel that the Random Crap is, well, crap—it’s me, it’s
stuff I want to share and I think other people might appreciate, and it’s stuff
that belongs on my website, but the way it’s done right now just doesn’t *feel*
right, at least to me.

I also want to add some entirely new stuff to the website. Lately I’ve stopped
writing on the blog except on an irregular basis. I could try various means to
try to make myself do it, but I realize that that’s not the problem—there’s a
deeper one. That problem is, I think, that I’m feeling limited. I have all sorts
of things that I could share with the world, some of which I’m guaranteed to be
very interested in when it comes time to write an article—but I have to write
something in a very specific area, about tips for using a computer.

As a reader, you will continue reading about computers. But you will also hear
about other things related to technology, such as balancing the usage of paper
and computers and storing information using various software and methods. I’m
planning to set up some blog categories so that if you’re only interested in
some of the topics, you can read those and leave out the rest.

I’m keeping the name The Technical Geekery. The site still revolves around
technology; I don’t feel that much has changed. The way I see it, this is much
more of an expansion than anything else. (By the way, for some time the site has
also been accessible at http://sorenbjornstad.com. There’s a chance I’ll change
that into a personal landing page at some point in the future, but The Technical
Geekery will certainly be featured prominently on it if I do.)

If you’re interested in seeing the new mission statement and more about the
changes, read on. If not, I hope you enjoy the new Technical Geekery as it
progresses in the next few weeks.


In reorganizing, I tried an experiment and wrote down all the pages on my site,
then tried to group them into common topics. Here are the categories I came up
with, along with what of my current website is in them:

EFFICIENCY – Anki, Dvorak, some blog posts
SECURITY / SAFETY – blog posts
COOL SOFTWARE / TECHNOLOGY – Anki, NetHack, Interesting and Useful Websites
MY CREATIONS – stuff under Miscellaneous
META – stuff under “About TTG and Me”

And then I wrote down some things that I’d like to add, and made categories for
them:
RECORD / INFORMATION-KEEPING
BALANCING TECHNOLOGY
CONTROLLING YOURSELF

I feel that everything fits together now, a feeling I’d been totally lacking
before. I have yet to add any new content however, so there’s always the chance
it won’t work—I’ll have to wait and see.

This is my working new mission statement:
The Technical Geekery is a collection of ideas for improving life through
technology. Those ideas fit into seven major categories:

EFFICIENCY has always been an interest of mine. I firmly believe that attempting
to use all of one’s time in the most “efficient” manner possible is not
intelligent (for instance, there is real value in sitting on a bus “doing
nothing”: using the time for something else isn’t always bad, but resting and
thinking can be one of the best uses of your time). However, I also believe that
one should not spend more time than necessary or useful on tasks. For instance,
I’m a big stickler for using keyboard shortcuts: there is no value whatsoever in
choosing “Edit -> Copy” from a menu every time you need to copy something rather
than pressing Ctrl-C and costing yourself several seconds.

SECURITY / SAFETY while computing is something I’ve been interested in. When I
was about four years old, I discovered the “set password” function in Microsoft
Word and was unreasonably excited about it (I was protecting gibberish text that
I typed by mashing the keyboard with those passwords). These days, I’m a big
advocate for using good passwords, two-factor authentication, and being on the
lookout for phishing attempts, even if I don’t feel the need to encrypt
everything I possibly can.

COOL SOFTWARE / TECHNOLOGY is what I live on on the computer, being the geek
that I am. The stuff that I find the most useful or that has changed the way I
work or my life the most (hopefully) makes its way onto this site.

CREATIONS / UNIQUELY ME covers things like board games, funky poems, and
recordings and things I wrote when I was younger. This has only an indirect
relationship to the rest of the website, but it’s one way that I make my
website, mine, and I post things that I hope other people will enjoy.

RECORD / INFORMATION-KEEPING is something I am somewhat obsessed with. I have
tried all sorts of methods for wrangling my thoughts, ideas, to-do items,
appointments, journal entries, and everything else you can think of. In the
process, I’ve had some interesting revelations—and found some methods that work
really, really well for me.

BALANCING TECHNOLOGY is about when you should not use high-tech methods. It’s
about when I shut down my computer and write in a notebook or stop using the
fancy software I started using some time ago because it just wasn’t useful
enough. In a world increasingly dominated by technology, I feel thinking about
this is just as important as thinking about the ways to use more technology to
improve our lives.

CONTROLLING YOURSELF, while it may sound like it belongs on a therapy website,
is about the ultimate in low-tech methods, using only your brain and body. In an
odd way, however, this is also the ultimate in high technology: if you can
calculate in your head, you’ve transcended the need for even the best
calculator you can imagine. Of course, there are also times when the costs
exceed the benefits, so it’s about those times as well.

OTHER includes things that I wrote before having a clear purpose for my website
(and don’t want to delete), as well as anything else that I want to publish
somewhere but doesn’t really fit. Proceed into disorganization at your own risk.

My Space

This week I thought I’d show off my room and workspace a little bit, as well as show some of the unusual devices and pieces of technology I own.

I did a few calculations the other day; I have about 144 square feet of space (the room has pieces cut out of it in two out of four corners, so it’s not easy to calculate), along with about 90 cubic feet of storage space (that counts drawers, shelves, and the closet). Surprisingly, even though it’s not very much space for a house in suburban Indiana, I’ve never really felt crowded in it.

As you might have read in last week’s post, over my internet break I cleaned things up, so it’s looking nice and neat now.

So how about the pictures? You can click on any picture to enlarge it. Apologies for any less-than-stellar photography—my room has horrible lighting.

Here’s a view of most of my workspace.

Obviously the computer is on a sort of standing desk; it’s about an inch higher than I’d like for perfect keyboard position (I’m a bit obsessed with ergonomics), but it works absurdly well for being exactly the height that my bookshelf was. I’ve been using this desk for about half a year, and in general I find it works great, especially in the afternoons after school—after sitting for almost an entire day with only short breaks, it’s really nice to be on my feet for a while. If I get tired of standing, I switch to using my laptop on the desk or, better yet, go do something else.

Here’s a closer shot of the desk with some code up on the left monitor and a running instance of the program on the right (this is a text adventure game I wrote up as a programming exercise a while back). I love having two monitors; it divides the desktop very nicely as well as giving you more screen space for cheaper than a big monitor.

No doubt you’ve been wondering “What the heck is with that weird keyboard?” Here’s a closer look:

It’s called a Kinesis Advantage Contoured keyboard. While it looks really weird, it feels really good once you get used to using it (about a week or so). Along with the Dvorak keyboard layout (which is on the keys in the smaller letters), you have to move your fingers such a ridiculously short distance compared to a standard keyboard that you wonder how you were ever happy with a normal keyboard before.

This is one of the thumb pads:

Ever noticed that your thumbs (your strongest fingers) never do anything except hit the spacebar? Now, this isn’t a complete catastrophe, since spaces aren’t exactly uncommon characters to type, but it’s still a comparative waste of your fingers. And most people let one of their thumbs idle completely, striking the spacebar exclusively with the other thumb. On the Kinesis, your opposite thumb hits the backspace key, which makes a lot of sense once you think about it. (For my first two weeks, I was constantly hitting space instead of backspace when I used any other keyboard, but I soon got used to it.) And instead of making awkward stretches from your pinky out to hit shortcuts with Ctrl and Alt, you press them with your thumbs instead.

This is a Logitech Marble Mouse:

Some people are crazy about trackballs, but I’m not one of them. However, I obviously still like them, since I have one on my desk! I find it somewhat more comfortable not to have to move my hand as much, and it’s nice that the trackball stays in one place and takes up significantly less room on the desk. It’s also nice that you can give the ball a neat flick to cross all the way across the 2.5 feet of monitor width I have, rather than having to pull the mouse all the way across. However, while I find the trackball excellent for occasional mouse usage, I find myself significantly slowed on things that require constant mouse usage, such as photo editing, some games, and so on. For these tasks, I use a mouse.

My interesting input devices aren’t the only thing I use; I have alternatives for most of them near my desk, and when one is better than another I swap them out. Here’s one configuration, something I might use for playing games. It uses a flat QWERTY keyboard with a numpad (important for some programs), a Logitech MX Revolution mouse (a $100 mouse, but a very nice one, though if I understand right they’ve moved on to a similar but different model), and a pair of headphones plugged into my speakers’ volume control.

I have one more keyboard, the TypeMatrix 2030, although this one typically lives in my laptop bag or attached to my laptop on the desk rather than with the desktop. It’s a really nice keyboard for only $100, and it’s very portable and seems fairly resilient:

This is the laptop I’ve been talking about. It’s going to be my main machine in college starting next year (that’s why I got it). The screenshot is on the setup utility simply because I was too lazy to boot the system all the way up, not because of any issues with the system or because that’s all it can do. :-)

(That piece of paper to the side is the checklist I keep in my laptop bag to avoid forgetting things in my room when I go out.)

The following is, indeed, a hard drive platter being used as a coaster. It doesn’t stay nearly as clean and smooth as the platters are in a newly sacrificed drive, but it still looks cool on a geeky computer desk. It’s labeled not because I wouldn’t otherwise know it’s a coaster, but because I label everything that has a permanent place: it helps remind me to keep it there and not put other things there that don’t belong.

This is a lantern for mood lighting:

It spins because of a convection current created by the light, but because of its placement on top of the top ventilator of the computer, it spins even when the power to both it and the system are off (I think it’s because the power supply unit right below it generates a small amount of heat in standby).

I salvaged this piece of ancient power equipment from my church office when I upgraded their systems.

I don’t have a printer or computer connected to the labeled buttons; instead I use it to control my lighting and the chargers connected to the back. It’s a really handy way to switch some devices on and off quickly, and the inside of the case holds any extra cord you don’t want.

I bought this stopwatch for timing my work on the Anki support forums: Unlike every other cheap stopwatch I’ve owned, it’s actually enjoyable to use and doesn’t feel like it’s either about to fall apart or wasn’t really meant to be used as a stopwatch in the first place (ones added to cheap watches, for instance).

Here are my pedals for the StealthSwitch 3, a device that assigns keyboard events to foot pedals. I have had five pedals for over a year and am still in the process of trying to figure out what they should be assigned to. One of these currently does media play/pause, which is very nice:

Another one, located on the opposite side of the desk, puts the computer into standby so I can just touch the switch as I’m leaving the room (my computer draws a good 150W of power idling, so it’s important to turn it off when it’s not being used). The other simply locks the screen if it needs to remain running for some reason. The red spike tape is so that I know roughly where they should go if they drift; I’ve marked out quite a few places in spike tape so I know where the chair mat goes, what floor space needs to be clear for the drawers to be openable, and so on.


I’m going to switch gears to some less electronic-related stuff. As much as I love gadgets and technology, I love paper too. Perhaps that’s one of the reasons why I own an electric typewriter. (The book on the left is a textbook that I picked up at a rummage sale for 10 cents.)

The other reason is that I got the typewriter at Goodwill for six dollars when I was seven years old and have never seen fit to get rid of it. I don’t use it every day or even necessarily every week, but it’s there and I do use it; it’s nice to be able to type on a form or worksheet, or just sit down and write something without using the computer.

Here’s a device you’ve probably never seen the likes of before:

It’s an AlphaSmart 3000, but if you looked at the picture you saw that. It’s sort of a cross between those typewriters with screens and a laptop; officially it’s called a portable word processor. You type on it, then wire it to a computer via USB and it acts as a keyboard and inputs your file. I don’t use it too often, but it comes in handy if I want to work on something away from a computer (to avoid distractions or because I’m in the waiting room at the dentist) and not have to type it in again later. It’s rated for 700 hours of operation on 2 AA batteries, it can hold some 80 pages of text, and you could throw it across the room and expect to damage the wall first. Since it’s old, they run for about $25 on eBay.

Oh, and you noticed the keyboard is laid out in Dvorak, right? Yes, it supports Dvorak natively.

This is my handheld scanner. It can scan a page in about four seconds, and you can scan hundreds of pages onto a MicroSD card before needing to transfer them to a computer. It makes it practical to scan your mounds of paper, which means I’ve gotten rid of piles of old notes and imported them into giant PDFs stored in Evernote instead.

(That’s a note-taking sheet for NetHack, a game I play. It’s in the picture because it was on top of my inbox when I went to take a picture.)

Speaking of my inbox and my other specific in/out boxes…yeah, they need some work:

Let’s not talk about those for now, huh?

Moving even more to paper, this is a note-taking system I use, based on techniques promoted by Lion Kimbro (website is rather old and does not contain a reference to my reference) in Mindhacker. In the notebook are some ideas about backups and the intrinsic differences between different types of data and their value, and the sheet of paper is a map organizing the contents of the whole notebook. (To zoom in closer and read, right-click and choose Copy Image Link, then open a new tab and paste the link.)

Here’s part of the index (same drill on zooming):

Some more writing and paper stuff. I’ve had the fountain pen for about a year now (it’s a Pelikan Tradition M200 for anyone interested), and the drafting pencil on the case for somewhat less. The nibs in the clear case (it’s a repurposed iPod Touch package) are antique steel nibs.

I keep all my computer gear in these file cabinets, then use the tops as extra storage space for items that don’t belong in my room and need to go somewhere. The flash drive hanging on the wall is needed to boot up my laptop, so I keep it somewhere prominent where I won’t lose it.

I carry the items in the box with me when I go out (this all fits in my pockets comfortably, but I couldn’t add anything else): Roughly from bottom-right to top-left: green pocket notebook (more later), iPod Touch, four-color ballpoint pen+pencil (the most useful pen I can carry with me if I only carry one), Livescribe pen (only when I go to school—used for notes, but I keep it in my pocket when I go because it’s expensive and I don’t want it to get scraped up or covered with lead shavings in my pencil case), really cheap dumbphone (I don’t really care for texting and make all my calls from my house landline, so I don’t have much reason to own a more modern phone, but I do need to call people while I’m out occasionally), wallet, and keys + flash drive + flashlight.

Here’s an example of some pages from my pocket notebook. I write down ideas, quotes I hear or say/think myself, things I need to do, and stuff I need to send to or tell other people. I cross them out once I act on them or move them into a more permanent place like my clippings file or to-do list, but leave them for future reference. If it looks like I spat random letters onto the page in some places, that’s a form of shorthand known as Dutton Speedwords (Google it).

I really would be in trouble without my pocket notebook now that I’ve gotten used to having it (I’ve been carrying one regularly since this September). I could use my iPod, but it takes forever to pull it out, open the notes app, and then type on a touch-screen keyboard—by the time I was ready to type, I could have written something down in a notebook. Also, you can sketch if you need to—I don’t need to very often, but I have. I’ve even squished in three more lines between each line and made makeshift staff paper to write down a melody I wanted to remember. It’s also rarely socially unacceptable to write something on a piece of paper, whereas there are times when you simply can’t use an electronic device.

In the past, I’ve had trouble really warming up to pocket notebooks because they were simply too big: in the side pocket of dress pants or khakis they were fine, but in the side pocket of jeans they really constricted my movement and were uncomfortable, and in the back pocket they were too rigid and were uncomfortable when I sat down. When I tried the soft-cover kind, they got smushed and ripped up in a few weeks. But this one is barely the size of my palm, and it even fits in a shirt pocket:

(Speaking of shirt pockets, the world needs more shirt pockets. I much prefer having my notebook in a shirt pocket because otherwise it has to share a pocket with my iPod, making both significantly more difficult to get out. But only one or two of the shirts I wear regularly have one, even the button-up ones and polos. I suppose it’s cheaper not to put them on.)

I’ve always been a fan of weather, so this barometer is an obvious functional decoration:

(Sharp-eyed readers may notice a misprint on the dial.)

And then you have my bed, which is in complete contrast to the rest of my neat spaces:

It doesn’t really bother me much, but maybe I should start making my bed sometime.

Noticed that bright blue backlit alarm clock?

It’s a Neverlate Executive alarm clock, which can proudly state that it is quite possibly the only alarm clock to require a “Quick Start Guide.” It has 21 alarms, a radio, a nap timer, a radio sleep timer, one-time alarms, a skip alarm button, and a “settings” menu that lets you control all of those and more. Despite all the features, it’s still easy to use until you want to change the settings.

I bought this boom box sometime around 2004. It still works, so I keep it for when I want to listen to CDs. It takes up some floor space and gets in the way sometimes, but I do like having a way to play music without using my computer.

That timer in the back kicks in for four hours a day to provide juice to my charging station, then cuts out to eliminate standby power draw. It’s not much energy, but since I already had the timer and it was just lying around, I figured I might as well set it up.


Here’s the back of my computer desk:

The cables aren’t too pretty, but there’s not much you can do about that when you want to put the computer smack in the middle of the room (and there’s really no other way to lay out the bookshelves—the two tables which run the length of the room for sitting desk space have less than a foot of space at the ends, and the bed only fits on the side of the room where it is). I hardly see them anymore, even though I’m normally very picky about that kind of thing. Of course, writing about them has made me start noticing them and being annoyed by their ugliness. Let’s move on, shall we? ;)

My display shelf. The chess board isn’t just for decoration; I’m playing chess over Facebook with a friend. I put the board up on the display shelf because in the first game we played, I accidentally brushed the board (which was on the file cabinet) while coming into the room in the dark, sliding a knight over by one space without noticing, eventually causing me to lose the game because I thought moves were safe which weren’t.

I keep all my computer parts, lesser-used peripherals, and cables in these cabinets.

I really regret not having taken a “before” picture of my cable drawer before I organized it. The cables were in one huge knot which didn’t fit inside the drawer, so it was perpetually propped open with cables hanging out of it. If I needed a cable, I inwardly groaned and spent the next five minutes going either “I know I had that in here!” or “I see the end of the cable, but how do I get it out?” This is much better, huh?

I actually have free space in my closet now, as well as an office supply organizer:

The plastic bin is the “doodad bin,” which consists of all the random stuff I have that doesn’t really belong anywhere. It’s not, however, a junk bin—I refuse to have a junk bin, as everything is supposed to either have a place or get out of my room (or be in a pile for organizing). I go through there regularly and throw things out.

You’ve been seeing a lot of labels, so here’s the thing that makes them:

 

It’s been a long tour—I hope you’ve enjoyed it! Feel free to ask about anything I didn’t explain adequately in the comments, and I’ll be back next week with some sort of a “tip,” as we’ve had a shortage of those compared to other types of content lately.

A Week Without the Internet

I’ve spent my last week mostly disconnected. It’s been a surprising week in a lot of ways, and a very good, relaxing, and productive one as well.

The Plan

  • For the first weekend, I did not touch any internet-enabled device.
  • Afterwards (weekdays), I used the Internet at school for an online class, to work during one meeting, and to research how to change the date format on an assignment I needed to print. I also glanced at my email twice to confirm nothing really urgent had come up (I read only two emails total further than the subject).
  • I also did not play any electronic games or use my iPod Touch for anything except looking up notes during that meeting and studying. I barely text at all, but if I did I would have refrained from that as well.

For most of the time I kept my Ethernet cable disconnected and in a drawer in another part of the house, which prevented me from connecting for something trivial. On my wireless devices, I used the “forget this network” option. (I still knew the password, but not having it immediately available was all the deterrent I needed.)

Effects
I spent most of the weekend and some of the following week picking up, deep-cleaning, and organizing my room. It’s better than it’s looked in years now (it remains to be seen whether I can keep it that way, but I’m going to try). I can’t say that I got a ton of other stuff done since I spent hours on that—I suppose I could try it again sometime and see how I fared.

I noticed that I got my homework (and other tasks I needed to do) done a lot more expediently. With fewer distractions and fewer of my customary things to do, I was much more likely to just sit down and do it.

Most noticeably, though, the way I reacted to my Internet connection being gone surprised me. If you use your computer a lot, you’re probably familiar with the feeling you get when you find your internet is down. (If you don’t use or like computers or the Internet too much, think of your electricity being out.) Do you sometimes go around expecting to do things, then realizing you can’t do them because the Internet / power is out? It’s easy to forget everything that the Internet does for us nowadays because we’re so used to it being there. I don’t feel that I’m completely dependent on or addicted to the Internet (and I should know, since I just spent a week without it!), but I’ve even been known to open a browser before I remembered that I didn’t have a connection.

Yet this week hasn’t been full of those “duh” moments. Indeed, I was surprised to find myself hardly missing my Internet connection at all. Sure, there were plenty of times when I realized I couldn’t do something (order an item from Amazon, look up the answer to a question, or research something I heard about and was interested in). When I had one of these moments, I added an item to my “List of Things to Do on the Internet,” to be handled when I got back. But I didn’t put things on the list after I tried to do them and couldn’t; I always knew I couldn’t do things before I tried them. I think it’s because my separation from the Internet was planned and intentional, rather than being a technical problem suddenly thrust upon me. Seeing the difference has been quite educational.

I also found that the need to be in touch with what’s going on is considerably less than I thought. (I’m speaking of the level of need perceived by people today and what society expects of us—the actual need is of course still lesser.) I looked at my email twice, as I mentioned earlier. I never found an email that actually required my attention until the last day (which I saw only after my break was done anyway). I left an autoresponse message giving people my phone number if they felt their message was time-sensitive; only two people took me up on it.

I’m happy to get back online (starting today). It’s nice to be able to look things up, read about what’s going on in the world, and communicate with others. But this week felt really good, too; it was a much-needed break from being in constant contact with our friends and the news of the world. Those abilities are certainly useful, but it’s also important to sometimes take a step back and remind ourselves that it isn’t the only thing that matters.

I’ll certainly look into doing this again, though I’m more inclined to go for a couple of days or a weekend rather than a full week. Nevertheless, the longer time span was definitely educational, and I’m glad I did it.

How to Set Up Your Own Break
I’d recommend that everyone give this a shot. A week is probably a little bit overkill at first, especially if your job depends on using the Internet (sure, you can make an exception for that, but if you’re connected during work every day, it’s not really the same). Many of these ideas are still useful for short periods of time, but they’re especially aimed at (and important for) longer breaks.

  • Decide on conditions. Having a plan for what you will and will not do makes it easier to keep going with it. List the dates you plan to be off and what exceptions you’ll make. Write it down and give it to someone else to create accountability. This may seem like a silly exercise—after all, the point of taking a break from using the Internet is not to test your willpower, it’s to give you a break. Unfortunately, we’re so used to having the Web right there that just saying “All right, now I won’t use the Internet” probably won’t work.
  • Visit networks and let people know what you’re doing. Post a status update, write an automatic vacation reply, whatever is normal for that network or method of communication to let people know you’ll be away for a bit. If you like, you can provide a phone number for urgent things. You don’t need to do this, but if you don’t, people will probably ask you what’s going on. Here’s my email autoresponse:
To the copyright holder/owner/writer of this email—
I am taking a break this week from my regular Internet connectivity. I will be back on February 9, 2013. If your email is time-sensitive and cannot wait until then, feel free to call me at [my phone number].
Thanks for your understanding.
Soren “scorchgeek” Bjornstad
http://sorenbjornstad.com
  • Liberate digital data. If you have an electronic, online calendar, to-do list, or anything else that you expect to need during your break, get the relevant information on paper. There’s absolutely nothing wrong with using these normally, but if you have to keep connecting to access them, it’s much easier to justify doing other things “while you’re there.”
  • Make an “internet list.” If you write down things you want to do online, you won’t have to feel bad about not doing them—you can simply do them later (and by that point, perhaps some of them will have become irrelevant or uninteresting and you won’t have to do them anymore—always a nice feeling).

And most important of all, enjoy your break: get something done that you’ve been putting off, or get some much-needed rest.

The Weakest Link: “Forgot Your Password?”

Assume for a moment that I wanted to access some confidential files that belonged to you. You, having at least an ounce of sense (or an IT department that makes these decisions for you) have set a Windows password on your computer. How should I aim to access those files?

Well, there are a lot of ways. Here are a few:

  1. Install a keylogger on your system, wait a little while, then come back and search through the output looking for things that look like passwords, then try them. (Probably several hours, unless I’m really good at it.)
  2. Try to guess your password based on things I know about you, or try common passwords like ‘password1′ or ‘123456’, or look around your desk for sticky notes containing your password. (A few minutes, assuming it works—which is a comfortably low chance if you use a sensible password, but unfortunately a lot of people don’t.)
  3. Use software that will search for common passwords out of a dictionary or brute-force the password. (Probably days.)
  4. Boot up the system using a boot disc to bypass the Windows password, locate the files, and copy them to a flash drive. (About 5 minutes.)

Which do you think I’m going to pick? Obviously, the sensible choice is the one that’s the easiest, the lowest risk, and takes the least amount of time, which is number 4. If you look at these options, you’ll notice there’s something different about number 4: I have not broken the installed security system (by finding the password despite not being a legitimate user), I have bypassed it altogether. Instead of trying to find the password to the system, I’ve simply found a way to access those files that didn’t require me to know the password at all. (The one thing that stops number 4 is full-disk encryption: if the drive is encrypted, booting from a disc shows me nothing but ciphertext, and I’m back to needing a secret I don’t have.)

On web services, the bypass-the-password option comes in the form of that little link that reads “Forgot your password?” While this function is a godsend if you really have forgotten your password, without some care it makes it much easier for someone to access your account without your permission. This scenario is not the most likely way for your account to be compromised—nowadays it’s more likely that a poorly secured password database containing your information will be stolen and published on the Web. But if someone singles you out as a particular target for whatever reason (and it’s less unlikely than it sounds), password resets are likely to be something they try. Fortunately, it’s not all that difficult to make the reset path significantly harder to abuse.

How Password Resets Work
Consider for a moment what happens when you use a password reset function. Usually the service does one or both of these things:

  • It sends a confirmation link to your email address, which will allow you to set a new password.
  • It asks you one or more security questions to “prove” your identity, set up when you opened the account, supposedly things that only you would know, then allows you to change the password.

I’ll look at each of these in turn.

Email Link Reset
Services that simply send a link to your email address are the simplest case. As a would-be hacker, all I have to do is gain access to your email account, and I can easily reset the password on another site that I don’t know the password to. This may not seem like a big deal—after all, I still need to access your email account—but most likely you have twenty or thirty different accounts that will all happily send password reset links to the same email address in the same day. So if I can gain access to your email account through whatever means, even if you have the best unique passwords set up on every other account, I can still access every one of them.

This is pretty simple to fix, though:

  • Never, ever reuse the password you use on your main email account for any reason. Even if you use the same password for everything else (which I don’t recommend, but if you must do it, you must), use a unique one for your email.
  • Make that password a strong one: at least 20 characters, using letters, numbers, and symbols, and nothing easily guessable, such as your phone number, spouse’s or pet’s name, zip code, birthday, and so on. (Actually, guessable things are not in themselves bad—but they need to be combined with something completely unrelated to be secure. Your birthday is a bad password; your birthday combined with a random dictionary word and the last four digits of your phone number when you were six is a good password.)
  • Set up two-factor authentication on your email account if you can. It’s extremely effective and surprisingly unobtrusive.
  • Make certain that you’ve always logged out of your email account when you’re done using it on a public computer. Not only does it help keep you secure on other websites, at least one court has ruled that it’s legal to read someone else’s email if they neglect to log out. If you ever do forget to log out, many services have an option to log out other sessions (in Gmail, if you click the “Details” link in the lower-right-hand corner of the page, there’s a button labeled “Sign out all other sessions”).
  • If you have an “alternate” email address set in your email account’s settings (for recovering the password to your email account), double-check that that account is also secured in the same way. From personal experience, I can attest that this is a “D’oh!” moment if it happens to you.

Some people recommend setting up a different email account reserved for signing up for web services (to keep password reset emails more secure). Personally, I’m too lazy to check my email at two different places (for obvious reasons, you shouldn’t have that mail forwarded to your other email address), and I’m confident enough in the security of my main email account that I’m not worried.
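The advice above is for the account holder. For anyone who also runs a web service, here is what the other half of an email reset link should look like; this is an added example, not code from the original post or from any particular site. The class and method names (ResetTokenStore, issue, redeem) and the 15-minute lifetime are my own choices. Note what it does not fix: whoever can read the mailbox receives the token and redeems it just as legitimately as you would, which is exactly why the email account is the weak link.

```python
# Added example, not from the original post: the service-side half of an
# e-mail reset link, written to show what a well-behaved reset token looks
# like. Names (ResetTokenStore, issue, redeem) and the TTL are my own.
import hashlib
import secrets
import time


class ResetTokenStore:
    """Issues expiring, single-use reset tokens and stores only their hashes."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                # injectable so tests can fake time
        self._pending = {}                # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store a hash, not the token: a leaked table then yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id, superseding any earlier one."""
        self._pending = {
            h: v for h, v in self._pending.items() if v[0] != user_id
        }
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token                        # this string goes into the e-mailed link

    def redeem(self, token):
        """Return the user_id if token is valid, unexpired and unused; else None.
        The token is consumed on the first attempt whatever the outcome."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore(ttl_seconds=60)
    link_token = store.issue("alice@example.com")   # constructed sample user
    print("token in the e-mailed link:", link_token)
    print("first redeem  ->", store.redeem(link_token))
    print("second redeem ->", store.redeem(link_token))
```

The four properties worth checking in any reset implementation are all visible here: the token is unguessable (32 random bytes), it is stored only as a hash, it expires, and it works exactly once. Anything that sends you a reset link with none of those is a bigger problem than your email password.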

Security Questions
Some people think that security questions are an effective and useful security measure. They’re dead wrong.

Actually, security questions have become popular partly because of a misunderstanding of the theory behind two-factor authentication. In security theory, there are three ways to authenticate yourself: something you know (a password or something more unique like a series of pictures where you must choose the right one), something you have (a token that displays different numbers, a smart card, an RFID tag, or an encryption key on a flash drive), and something you are (a biometric reading such as a fingerprint scan, voice print, or face recognition).

Two-factor authentication consists of using two different types of authentication (in most implementations, a password—something you know—and a token—something you have). However, people heard that two-factor authentication was good, decided that security questions were “two-factor authentication” because you had to authenticate two different ways, and “Wish-It-Was Two-Factor” authentication was born.

It is often said that “good” security questions have four characteristics:

  1. The answer cannot easily be guessed or researched.
  2. The answer doesn’t change over time.
  3. The answer is memorable.
  4. The answer is definitive/simple.

Looking at how tough those requirements (plus a fifth one, that the question needs to apply to most of your users) are, it’s no wonder that nearly all of the questions you see are bad!

Let’s look at where some common questions go wrong:

  • “What is your favorite movie?” This fails on count 2. You probably won’t need to reset your password for months if not years. By that time you’ve almost certainly forgotten what your favorite movie was at the time, if you even had a well-defined one to begin with. Even if you could somehow remember what your favorite movie was on any day during your life, you’d still have to remember when you created your account for that knowledge to be useful.
  • “What city were you born in?” This fails on count 1—it can be found easily in public records. Even if I couldn’t find it with some good research, it’s quite likely you’d give me this information if I asked you, as it doesn’t feel very sensitive.
  • “What is your date of birth?” This isn’t usually presented as a security question, but it is often used for verification. The majority of people have their birthday listed on Facebook, for one, and even if not, once again, it’s in public records. Alternatively, I could call you up and pretend to be conducting a survey or something similar and ask you for your birthday, and you’d probably give it to me.
  • “What is your favorite color?” This fails on count 1 in two different ways. First of all, there are only so many colors that people will describe as their favorite. If you simply type in “blue,” you’ll get it right a very good percentage of the time (according to one survey, a whopping 36 percent of the time averaged between genders). How many people are going to describe their favorite color as something that’s actually somewhat difficult to guess like “light chartreuse” or “burnt orange”? And when was the last time you asked someone what their favorite color was and they told you, “No, that’s private information”? If you can’t find it anywhere, you can just ask.

The Solutions

So what can you do about bad security questions? There are two options I like:

  1. Make up a fake identity of security questions, store them in a file or on a sheet of paper, and read off it anytime you need a security question. You can store it in your email account if you need to be able to access it anywhere (you made sure your email account was secure, right?). If you want to make it even more secure, you can make up answers that are completely unrelated to the question (e.g., “What is your favorite pet’s name?” / “Wal-Mart”). This takes a little while to set up, but you can feel confident that you’ll never accidentally reveal the answer to a question, and you have at least some security in the event that someone does discover the answer to one of the questions, as you don’t have to use the same one on every website. Here’s the list of 13 questions that I use (with my answers removed, of course).
  2. If that sounds too complicated for you (and for most people, it probably is), simply make up a password and enter it every time you are asked for a security question. It doesn’t matter one bit what the question is. (If you want to get a little bit more secure, you can add something to the password based on the name of the site, or use two or three passwords based on the question.) This password will never change (unless it’s compromised and you need to change it, of course), is always memorable and applicable to you, and is not researchable, since it’s not an answer, it’s a password.
Other options that are not as good as these but are at least better than nothing:
  • Replace letters with numbers or symbols in your answer as if it was a password you were attempting to obscure. This can usually be cracked easily by a password dictionary, but hopefully nobody will be trying a password dictionary on your security question, since it’s not supposed to be a password.
  • Even if you must use the actual question and answer with an actual answer, if you’re given the option to choose your own question, use it. But make it something good—it should pass those four guidelines at the beginning of the section for you.
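One way to carry out the “add something based on the name of the site” variant of option 2 without having to remember a different tweak per site, plus a generator for the written-down answers of option 1. This is an added example, not the author’s own method: the HMAC derivation, the 32-symbol alphabet and the function names are my choices.

```python
# Added example, not from the original post: one way to carry out option 2
# ("add something to the password based on the name of the site") so that
# every site gets a different answer while you memorise only one secret.
# Function names and the alphabet are my own choices.
import hashlib
import hmac
import secrets

# 32 lowercase letters and digits; l, o, 0 and 1 left out so an answer can
# be read to a phone agent without ambiguity. 32 symbols = 5 bits each.
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"


def _normalise(text):
    # Sites change capitalisation or spacing of a stored question; keep the
    # derivation stable across such cosmetic edits.
    return " ".join(text.lower().split())


def security_answer(master_secret, site, question, length=16):
    """Deterministic per-site answer: HMAC-SHA256(master, site | question)."""
    msg = (_normalise(site) + "\n" + _normalise(question)).encode()
    mac = hmac.new(master_secret.encode(), msg, hashlib.sha256).digest()
    # Each MAC byte is uniform over 0..255, so b & 31 is uniform over the
    # 32-symbol alphabet; 16 symbols = 80 bits, far beyond any guessing budget.
    return "".join(ALPHABET[b & 31] for b in mac[:length])


def random_answer(length=16):
    """Independent random answer for option 1 (the written-down fake identity)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    master = "1-stuffed-gnu:no-evil-wo-vim"          # the post's retired example
    for site in ("bank.example", "webmail.example"):  # constructed hostnames
        print(site, security_answer(master, site, "What is your favorite pet's name?"))
    print("option 1:", random_answer())
```

Two caveats. You must feed in the same question text you originally answered, so it is still worth keeping a note of which question you picked on each site (the note itself gives nothing away). And, like the author’s option 2, this stands or falls on the one memorised secret: if it leaks, every derived answer leaks with it, so it should be as strong as your email password and used for nothing else.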

I’ve had some fun in the past asking security questions like “What is 2 + 2?” and making the answer something that’s not even a number. The look on the face of a would-be hacker as he or she is informed that the answer is not 4 is priceless. (I was in the same room with a friend when she tried to access my Gmail account as part of a prank once.)

Here’s some more reading on security questions if you’re interested:
http://www.goodsecurityquestions.com/
http://stackoverflow.com/questions/104680/what-are-some-good-security-questions
http://malektips.com/online-account-security-question-dangers.html

Conclusion
All the good security questions in the world won’t save you from social engineering. In several high-profile cases, customer service representatives have allowed unauthorized users to access accounts even though they didn’t have the answer to the security questions. There’s not much you can do about this from your side—just do what you can and hope that none of the things you can’t fix get you in trouble. And if you’re in charge of a web service or business, make clear security guidelines and stick to them (I highly recommend The Art of Deception by Kevin Mitnick—it’s written specifically for businesspeople looking to improve their company’s security, but it’s very enlightening reading for anyone).

So what can you do right now? Most importantly, go to your email account right now and check your security. If you have weak security questions, change them. If you have an alternate email address, make sure it’s secure (or simply remove it from your account; it’ll make it a little bit harder if you really do lose your password, but it will increase your security). And if you don’t have a strong, unique password on your email account, change it! If you can only follow good password guidelines on one account, make it your email.

As for other sites, if you don’t want to go through and change all your security questions now, at least try one of these methods the next time you’re signing up for an account.

Intermission: LastPass FAQ

It’s been two weeks since my last post, when I suggested that you install LastPass and start collecting passwords from around the Internet into your account. If you did, good for you. Though I said I was going to go on in my next post, I’m actually going to take a short break to make sure that you have a chance to collect all your passwords.

If you haven’t yet, go ahead and read How to Use Better Passwords Without Losing Your Mind. Using a password manager isn’t necessarily fun, but it will save you an awful lot of grief in the long run.

What I am going to do this week is cover a few common questions and misconceptions I’ve heard.

What happens if I need a password and I’m not at my computer?
Although the convenient LastPass button is present only on computers you’ve installed it on, you can still browse to LastPass.com on any computer and log in with your username and password to copy passwords onto your clipboard if you need them.

Isn’t that a pain?
Yeah, it is. That’s why I don’t use LastPass for my email, Facebook, or Amazon accounts, since I often need to access those on other computers. Instead I have separate strong passwords for them (created with the same process that I described for coming up with a master password last week). On the odd occasion that I need to access a strange account from a public computer, it’s not such a big deal. You should probably do the same, once you’ve gotten all your passwords straightened out.

Can I use LastPass if I can’t change a password?
But I can’t / shouldn’t put that password into LastPass, because someone else needs to use it / the site has specific password requirements.
You absolutely can, and you should. You should put all of your passwords into LastPass, regardless of the situation. Simply putting your password into LastPass does not change the password or do anything to change your login or the website. It’s only when you later go through and change your passwords that, well, your passwords change. On the other hand, if you put the password into LastPass, you won’t forget it, and you’ll likely get it off an insecure medium like a sheet of paper. Besides, it just makes sense to keep all your passwords in one place.

There’s an obvious corollary to this: Remember to change your passwords once you’ve gotten them all into LastPass. If you don’t, you’re not much more secure than you were before.

So I’m more secure now that I’m using LastPass?
No, you need to change your passwords first. Using LastPass (or any password manager) is a great first step and a crucial one in securing your logins, but just having a LastPass account and saving your passwords to it does nothing to make you more secure. Saving your passwords in LastPass is the equivalent of writing down your (insecure) passwords and putting the list into a safe: nobody else can see your passwords, but they couldn’t anyway when they were in your head, and you haven’t made the passwords any more secure against guessing or automated attacks.

Once you change your passwords, you are more secure, since you now have random passwords. You could theoretically have accomplished that without LastPass, but in practice you would be unable to remember those passwords without it.

But will I have to pay for LastPass?
Unless you want to use a mobile version or certain two-factor authentication devices, no. You can get the premium version if you want (it’s only $12 a year), but most people don’t need to, and you certainly don’t have to pay just to try it out.

But I shouldn’t put my financial information in here?!
Is this actually secure?
Can’t someone read this?
Your credit card number is far more secure in LastPass than it is on your credit card. A pickpocket could easily steal your wallet while you’re walking by, and a waiter or store clerk could easily memorize or write down your information for use in the normal course of their job. Or you could simply drop your credit card on the ground and someone could pick it up. Your credit card is really a horrible method for storing your financial information.

In contrast, your LastPass database is encrypted with some of the strongest available encryption techniques. Nobody at LastPass can read your database, since it’s encrypted in the browser that you use to access it. Because of the encryption, even if someone succeeded in stealing the databases of every LastPass user from the server, they would be unable to read them. And, given a strong master password, it would take our present computers an absurdly long time to break the encryption. That qualifier matters: the encryption key is derived from your master password, so anyone who steals the encrypted database can guess master passwords against it offline at their leisure, and a weak one would fall quickly no matter how good the cipher is.

The only real hazard is someone sitting down at your computer and using it while you’re logged in (which is not any easier than grabbing your credit card). If you’re paranoid about this, you can check the “reprompt” box in a password’s “edit” screen. This requires LastPass to reprompt for your password before filling it in or showing the password, ensuring that even if somebody uses your computer while you’re logged in, they can’t get the really important passwords.

Obviously, this applies equally to all forms of financial and sensitive information—even though it’s being sent over the web (securely, via HTTPS and SSL, mind you), it’s still more secure than it would be in basically any other system, and certainly any system that you would ever use for storing it.

LastPass: How to Use Better Passwords Without Losing Your Mind

Last week (well, last post—I never got around to publishing for the last two weeks) I talked about why passwords are getting easier than ever to crack. If you haven’t read that article, you should read it now, because if you don’t, you’re going to give up before you get through this article.

Yes, I told you it wouldn’t be too easy. Well, it’s not exactly difficult, but it means an hour or three of work for you. But guess what: that’s a lot less trouble than you’d have to take if somebody got into one of your accounts and started screwing up your life. And given how easy it is now, it’s no longer a crazy, improbable possibility.

Besides keeping your passwords safer, LastPass can help you in other ways as well. It can fill out forms for you (of course, there are other tricks for doing this faster as well). It can keep track of what accounts you have on the Internet, which might seem unimportant but is really nice when you visit a site you vaguely remember and can’t recall whether you already have an account there. And guess what: you’ll never again sit at a username and password prompt and have no idea what to type in. It may be a small annoyance, but the more small annoyances you fix, the better your life will be.

Here’s how to get going and secure your life. I’m going to take you through some steps that may seem paranoid, but will greatly increase the likelihood that you remain secure not just now, but in the future. (For instance, a strong twelve-character password may be acceptable now, but in five years it may not be anymore. Therefore, I recommend a twenty-character password or better.)

If you can’t read any screenshot below clearly, you can click on it to display it full-size.

1: What Is LastPass?

LastPass is a browser extension that acts as a password manager. It adds a small LastPass button and right-click menu to your browser somewhere, as well as prompting you to autofill a password when you visit a page containing a login form:

The Firefox LastPass extension. In this screenshot, LastPass has been set to autofill the password into this site—all you have to do is click Login. The LastPass button is circled in the upper-right-hand corner.
The Chrome LastPass extension. It's very similar to the Firefox one. In this screenshot you see LastPass prompting you to fill in the login information rather than automatically filling it (this happens the first time after you enter a site and if you have multiple logins for a site).

LastPass can synchronize your data across multiple computers using the browser extension, so you can use LastPass at home, at work, and on your tablet or smartphone. You can also log onto the LastPass website if you need to access a password from a different computer (you can’t autofill, but you can copy and paste your password, which is good enough for occasional use).

However, you’re not giving your passwords up to LastPass for this convenience. All your data is encrypted on the client side, which means the browser on your local computer deals with everything. The folks at LastPass can never access your data, no matter if they’re curious, get hacked, or have a court order to retrieve your passwords. And the encryption would supposedly take trillions of years to crack with current computers—even if that’s a high estimate, nobody is getting to your passwords anytime soon. (LastPass has a nice page about their security, but I can’t seem to find it right now. If you’re still worried, try to find it, and if you do, post the URL in the comments for me.)
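Here is the general shape of what “encrypted on the client side” means in practice, covering both this paragraph and the FAQ’s “Can’t someone read this?” answer. This is an added illustration of the pattern, not LastPass’s own code: the iteration count, the server-side salting step and the function names are my assumptions, and a real product’s parameters will differ. The point it shows is that the server only ever receives a one-way transformation of the key, never the key itself.

```python
# Added example, not LastPass's code: the general client-side pattern behind
# "the folks at LastPass can never access your data". The iteration count,
# the server salting step and function names are my own assumptions.
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000            # assumed value for this illustration


def derive_vault_key(master_password, email, iterations=KDF_ITERATIONS):
    """32-byte key that encrypts the vault. Computed in the browser; never sent.
    The (lower-cased) account e-mail is the salt, so two users with the same
    master password still get different keys."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations
    )


def derive_login_hash(vault_key, master_password):
    """What the client sends to prove it knows the password: one more one-way
    round over the vault key, so neither the server nor anyone who steals the
    server's table can work back to the key from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_enroll(login_hash):
    """Server side: hash once more with a random salt before storing, so a
    stolen table cannot simply be replayed as a login."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", login_hash, salt, 1)


def server_verify(record, presented_login_hash):
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented_login_hash, salt, 1)
    return hmac.compare_digest(stored, candidate)


def client_login_material(master_password, email):
    """Convenience: (vault_key kept locally, login_hash sent to the server)."""
    key = derive_vault_key(master_password, email)
    return key, derive_login_hash(key, master_password)


if __name__ == "__main__":
    # Constructed sample account; the password is the post's retired example.
    key, login = client_login_material("1-stuffed-gnu:no-evil-wo-vim", "user@example.com")
    record = server_enroll(login)
    print("vault key (stays on client):", key.hex())
    print("login hash (sent to server): ", login.hex())
    print("server accepts correct login:", server_verify(record, login))
```

The vault key would then drive an authenticated cipher over the vault contents; that step is left out here because the standard library has no AES. What remains true with or without it: a stolen server database gives an attacker the salted login hashes and the ciphertext, and the only way in is to guess master passwords through the whole chain. That is why the iteration count and, above all, the master password’s strength are what “trillions of years” actually rests on.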

Unless you have an amazing memory or love sitting around memorizing strings of characters, you need a password manager to be fully secure in today’s world. If you don’t want to use LastPass for whatever reason, poke around the Internet and look for a different one (I don’t know of any other ones that can synchronize across the Internet, although you can still sync them using Dropbox or a similar service). Some popular ones include KeePass(X), RoboForm, and Password Safe. The rest of this article will focus on LastPass because I find it to be the easiest to use and most feature-rich.

2: What LastPass will not do

LastPass does not work miracles. It is a useful tool that helps you keep track of secure passwords, but simply getting a LastPass account will not magically increase your security. (This seems to be a fairly common misconception.) For it to work properly, you need to do a few other things:

  • Use a strong master password (and, preferably, two-factor authentication). If your password is “password,” all the security measures in the world will be useless.
  • Get all your passwords into LastPass’s database. If you don’t know where you have accounts on the Web, it’s going to be difficult to secure them.
  • Once you have them gathered together, change all your passwords to something more secure, ideally randomly generated.
  • Don’t do anything stupid. Don’t leave your LastPass account logged in on a public computer, write your master password on a sticky note on your monitor, or anything else. Common sense applies.

Ready to start? It’s probably best to wait until you have about forty-five minutes free to do the initial steps.

3: Choosing a Master Password

Before you create your account, you should choose a master password. If you’ve never made a strong password before, this is probably going to cause a few hangups for you. Your master password should be at least twenty characters long. Twenty-five or more is better.

There are a lot of different ways to get a good password. The one I typically use is to pick two or three phrases or words (randomly, using whatever inspiration you want) and string them together, often with some sort of numbers and/or punctuation in the middle. If you do this, it doesn’t matter if one part of the password is fairly guessable by itself—the strength is provided by the fact that two completely random things have been joined.

Here’s one of mine as an example (I don’t use it anymore, of course):

1-stuffed-gnu:no-evil-wo-vim

The second part of this password comes from the phrase “You can’t spell evil without vi.” If you don’t know anything about Unix/Linux, you probably don’t get it, which is all the better, because it demonstrates that most people probably wouldn’t even guess the original phrase, let alone my modification of it with the first part attached. The first part is a reference to the GNU project (whose mascot is a gnu, and which is closely tied to *nix), and can be remembered by thinking “the gnu is saying the following phrase.”

I could make this password even more secure without too much loss in memorability by capitalizing a random letter or two: 1-stuffed-gnU:no-evIL-wo-vim, or, slightly less secure in terms of guessing but useful if I needed a bit more help to remember, 1-stuffed-gnu:no-eVIl-wo-VIm. I could also add another number somewhere: 1-stuffed-gnu25:no-evil-wo-vim. (The 25 translates to “nose” in my modified version of the Major System, so I could remember this as “stuffed gnu nose.”)

If you don’t like my technique, another good one is using the initials of a phrase. Don’t pick a common phrase or a phrase from well-known literature (if you pick a Bible verse, for example, a dictionary cracker can try the initials of every single verse in the Bible in just a few minutes). You should combine this with something else if you want a 20-character length. Names and birth dates add memorability when used in combination with something else, but count them as contributing almost no secrecy: they are easy to look up, and cracker programs are available that can run through all the common name+number combinations in only a couple of minutes, so using only a name with a number after it is a recipe for disaster. You can hunt around the Internet for other good techniques; just be sure to take the sources with a grain of salt (if somebody on Yahoo Answers tells you that a six-character password of your initials repeated twice is a good password, they’re wrong).

“But I won’t remember this password!”

You can really remember pretty much any password of reasonable length, no matter how insane it is. The only thing you have to do is use it. If you enter your password enough, you’re unlikely to forget it, and if you do it even more and you’re a touch-typist, it’s likely the password will even be engraved into your unconscious memory—you can type it without thinking about the words. When I create a new master password for any encryption or password software, I type it ten times right afterwards, ten times later that day, and ten times the next day. As long as I use it regularly after that, I’ve never had trouble remembering my password.

You also get a password hint to help you out; see two paragraphs down.

If you really feel you need to, write down your master password and put it in a safe place. (If you usually keep your wallet with you, it’s probably pretty good—if you lose it, you should notice and have a chance to change your password.) After a few days, once you’re sure you know your password, it’s best to destroy it or put it somewhere really inaccessible, like a safe deposit box.

That said, keep in mind that there is no way to recover your LastPass master password if you forget it (remember that LastPass can never see your data? Your vault is encrypted with a key derived from the master password before it ever leaves your computer, so LastPass has nothing it could reset). This is of course the sensible way to handle information this secure, but most of us are so used to clicking the “Forgot your password?” link that we take it for granted that we can recover passwords anytime we forget them. However, while you can’t reset your password if you forget it, you can provide a password hint that will be emailed to you if you click the “forgot password” link. The hint travels by ordinary email, so it is exactly as private as your mailbox: nobody but you will ever see it unless your email account is hacked. That makes it safe to describe the parts of the password, but not to quote them (for my example+numbers password, I could say something like “speaker’s nose: evil vim”). Chances are very good that that will be plenty to jog your memory.

At the end I’ll also talk about backing up your password list, so that even if you do forget your master password you won’t be totally screwed.

4: Signing Up

Phew, we’re 1500 words into this article and we haven’t even created an account yet? Don’t panic; in my experience the master password is usually the biggest mental hurdle for new users to overcome.

You can sign up for a LastPass account in several ways, but if you use this referral link both you and I get a free month of LastPass Premium.

Scroll down to “create your account” and fill in your email address, your shiny new master password, and a password hint, as described in the previous section.

You can uncheck “Keep a history of my logins and form fills” and/or “Send anonymous error reporting data…” if you’re really paranoid, but otherwise they should be fine. You do have to check the first two boxes, though. If you picked a good master password, the bar will probably be full.

In case you didn't get the warning that there's no way to recover your password yet, here you are. Take heed of the warning but don't do anything stupid because of it, like writing your password on a sticky note and putting it in your desk drawer.

Click the Download LastPass button and proceed through setup. This step will be different for each operating system and browser, so I won’t walk you through it (it’s not difficult). At some point during the process, you will be prompted to import all “insecure” passwords that are currently stored in your browser’s built-in password store. You should accept this offer and the one to have them deleted from the old storage, as they’ll be safely retained in your new LastPass Vault. You may be shocked to discover how easily LastPass can tell you exactly what all those passwords are. That is the point: the browser protects its saved passwords with nothing more than your operating-system login, so anyone sitting at your unlocked computer, or any program running under your account, can read them back out. That’s why it’s not a very good idea to store your passwords there!

You may need to restart your browser(s) to install the LastPass extension(s). (If you have multiple browsers, the extension should have been installed in all of them.) After you see the LastPass button (an asterisk with a black background, or a red background if you’re logged in) in your browser, you can click it to log in. There are two screenshots way up at the top if you’re confused.

5: Getting Your Passwords Into LastPass

Adding a new password to LastPass is easy:

Step 1: Go to the site you wish to add and sign in as normal.
Step 2: LastPass will display a bar at the top of the screen (the color depends on your browser and theme settings) asking you if you want it to remember this password. Click Save Site.
Step 3: Name the site and select a group. If you don't care much for organization and don't have too many passwords, you may choose not to group your passwords and just use the URL of the site. I, on the other hand, have nearly 100 entries in my LastPass database (not all of them are websites), so I organize things carefully into groups and give them friendlier names.

The only difficult or annoying part of this process is that you have to repeat it for all the accounts you have on the Internet. The easiest way is to take about a two-week-long break at this point. Every time you want to sign into a website, make sure you’re logged into LastPass (the icon will be red), then log in and make sure to click the “Save Site” button. For now, you’re done—go ahead and put continuing this on your calendar for a couple of weeks from now. Just don’t forget to keep adding those passwords (and don’t forget to come back or you won’t be any more secure than you were before).

If you want to speed the process up, there are a couple tricks. Obviously, if you currently have a pad of paper or a Word document containing a long list of passwords (shame on you), that’s a pretty good place to start. Another trick is to search your email for terms like “account” or “password reset” to remind yourself of what websites you have accounts with (since most websites send service messages to your email, as long as you archive your email this should work fairly well). It’ll probably be months before you have every website in your database, but as soon as you have a fair number of the ones you use frequently, you can proceed on to the next step.

6: Changing Your Passwords

Did you take a good break to find some of your accounts? Good. If you haven’t done it yet, it wouldn’t hurt to try some of the tricks in the paragraph immediately above, like searching through your email or password files. (If there’s an account you remember but haven’t added to your database yet, just go to the site and log in so LastPass offers to save it.)

Although you now have a nice, neat, comprehensive list of all (most of) your accounts and passwords, you’re not any more secure than you were when you started, even though you have a nice fancy password manager. In order to increase your security, you need to change the passwords.

Changing a password can be a bit of a challenge at times; it’s not always the most accessible option. (On one memorable occasion, I had to resort to an eHow article to figure out how to change my Comcast email password.) Fortunately, LastPass has a handy feature to help you out: the security check. The security check runs through your passwords and gives you a report of which passwords are duplicates and which have low strength. To use it, simply open your vault (LastPass button → LastPass Vault) and click the “security check” link on the left-hand side, then click the huge “Start the Challenge” button.

You’ll get a big score (90.1% in my case), a rank, and a short list of the criteria that it used to determine your score. That’s good for seeing how generally secure you are, but the real meat is underneath, where there’s an exhaustive listing of all your LastPass accounts, their strength, which have duplicate passwords, and (if you enable it) the exact plaintext password of each. Here’s a small snippet of mine (usernames blurred for security):

Sometimes you get a terrible rating on an account with a password that you can't change (for instance, on the top one, the username is the real password, as it's a string of random numbers, while the password is the first two letters of my last name). But most of the time, a low score indicates that you have a poor or duplicated password.

When you see that you have a poor rating on a site, you should click the “visit site” link, log in, and find the “change password” option. I’ll change my Amazon password because it’s currently a duplicate (though a strong password).

When changing a password, LastPass helpfully offers to fill both your current password and a new password.

After reaching the password change page, click “fill current” to enter your current password. Then click “Generate” to bring up the “Generate Secure Password” dialog box. A random password is about as secure as you can get: no dictionary, mangling rule or personal fact will find it, so an attacker’s only option is to try every combination, and its strength is set entirely by its length and the size of the character set. You probably can’t remember it, but that’s what your password manager is for: you only need to remember that one master password.

However, LastPass’s default settings really don’t produce a secure password. Here are my standard settings, which are good general-purpose options:

Your password length should be 20 or 25 (or more, if you want). As there’s very rarely any need to type it, there’s little advantage in making it shorter, and every extra random character multiplies the number of guesses a brute-force attack has to make (20 characters drawn at random from just letters and digits is already well over 100 bits of entropy, far beyond any exhaustive search). “Avoid Ambiguous Characters” is useful if you expect you’ll need to type it or copy it: it excludes characters like l, 1, I, and i, so that you won’t make errors because you couldn’t read the password.

Sometimes, though, you’ll encounter a website that imposes silly restrictions, like “the password must be exactly 7, 12, or 62 characters in length” or “the password must consist of exactly two numbers, two special characters, one composed of only straight lines and the other only curves, and thirteen consonants, alternately lowercase and capitalized.” (Okay, they’re not usually quite so bad, but sometimes they feel like it. Once I was trying to change my Yahoo password and was informed that my password could not contain any part of my first name. All well and good, but many moons ago I’d entered my first name as “S,” so my new password was not permitted to contain the letter s.) In this case, simply come back to this dialog box and fiddle with the options until they produce a password that meets the guidelines.

Once you’re done, click “generate” (the password doesn’t update to match your settings until you do), then “accept.” LastPass will fill in your new password. Click the accept or continue button on the website.

This final step is extremely important. After clicking accept, you will receive a notification bar that says “LastPass detected a password change….” Click “Confirm.” If you don’t, LastPass will continue attempting to log in with the old password and you’ll be unable to access the site. (The generated password is always saved as “generated password for x.com” until or unless you click save, so you’ll never completely lose your password and be locked out due to this. Keep that in mind in case it happens to you.)
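To make concrete what the generator dialog is doing, here is an added example (my own Python, not LastPass’s code) of a policy-aware random password generator: it builds the alphabet from the checked character classes, optionally drops the look-alike characters, draws from the operating system’s cryptographic random source, and uses rejection sampling to satisfy a site’s composition rules, such as a minimum number of digits or a banned letter like the “s” in the Yahoo story. The character classes, the ambiguous-character set and the policy format are assumptions for the example; the extension’s exact lists are not given here. It also computes the entropy figure that says why 20 random characters beat anything you could memorize.

```python
import math
import secrets
import string

# Added example, not LastPass code. The character classes, the look-alike set and
# the policy format below are assumptions chosen to mirror the options in the
# "Generate Secure Password" dialog; the extension's exact lists are not on the page.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
AMBIGUOUS = set("Il1iO0o")  # characters that are easy to misread or mistype


def build_alphabet(use=("lower", "upper", "digits", "symbols"), avoid_ambiguous=False):
    """Join the selected character classes, optionally dropping look-alikes."""
    chars = "".join(CLASSES[name] for name in use)
    if avoid_ambiguous:
        chars = "".join(ch for ch in chars if ch not in AMBIGUOUS)
    return chars


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_policy(password, min_per_class=None, forbidden_substrings=()):
    """Apply a site's composition rules: per-class minimums and banned substrings."""
    for name, minimum in (min_per_class or {}).items():
        if sum(ch in CLASSES[name] for ch in password) < minimum:
            return False
    lowered = password.lower()
    return not any(sub.lower() in lowered for sub in forbidden_substrings)


def generate(length=20, use=("lower", "upper", "digits", "symbols"),
             avoid_ambiguous=False, min_per_class=None,
             forbidden_substrings=(), attempts=10_000):
    """Draw from the OS CSPRNG until a candidate satisfies the policy.

    Rejection sampling keeps every accepted password equally likely. Patching a
    random string afterwards ("add two digits at the end") would reintroduce the
    predictable positions that cracking rules are built to exploit.
    """
    alphabet = build_alphabet(use, avoid_ambiguous)
    for _ in range(attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_per_class, forbidden_substrings):
            return candidate
    raise ValueError("policy cannot be met with this alphabet and length")


if __name__ == "__main__":
    print("default 20 chars:        ", generate())
    print("25 chars, no look-alikes:", generate(length=25, avoid_ambiguous=True))
    # A site that wants two digits, two symbols, and (as in the Yahoo story) no "s".
    print("12 chars, fussy policy:  ", generate(length=12, min_per_class={"digits": 2, "symbols": 2},
                                              forbidden_substrings=("s",)))
    print("bits, 20 chars from 62:  ", round(entropy_bits(20, 62), 1))
    print("bits, 8 chars from 95:   ", round(entropy_bits(8, 95), 1))
```

The design point is in `generate`: when a site’s rules reject a candidate, the generator throws it away and draws a fresh one rather than patching it, because patching (“put the required digit at the end”) is exactly what produces the predictable structure crackers target.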

Conclusion

If you follow these instructions, your passwords should be secure for the most part. It’s a lot of work, but the next time one of your passwords is compromised, you’ll be pretty happy. (I haven’t had a website lose my password information yet, but I have accidentally pasted my password into a live chatroom, twice. It’s a pain when you only use a couple of passwords and have to change them all in an afternoon.)

Next week I’ll talk about increasing the security on your LastPass account itself, as well as some more things you can do with LastPass (filling forms and storing software license keys). Additionally, I’ll discuss how to back up the contents of your LastPass account.

After the LastPass stuff is done, I’ll continue with security and talk about what you should do if one of your accounts is hacked. I’ll also deal with how you can protect yourself from other attack vectors that may allow people to bypass your passwords entirely.

Comments, questions, and problems are welcome.

Why Passwords Are Getting Easier to Crack

I’m going to do a security series over the next couple of weeks, inspired by last week’s post. This week I’m taking a look at an Ars Technica article I read today, called “Why passwords have never been weaker — and crackers have never been stronger.”

It’s a long article, but if you have a few minutes, I highly recommend it, especially if you’re interested in security. The most important thing to take out of it, though, is that password cracking is making extremely rapid advancements–the past couple of years have brought nearly as much new information to the field as all the rest of cracking history combined.

This is due primarily to an increase in password databases being stolen and cracked, which gives both security analysts and malicious hackers a prime opportunity to see what kinds of passwords people use in the real world. As a result of all the information, password dictionaries have gotten orders of magnitude more effective, making choosing a good password more important than ever.

And get this: what you thought was a “good password” almost certainly isn’t. Here are a few things that the bad guys are onto now (mostly sourced from the Ars article, with a bit of personal opinion and other general consensus in security fields included):

  • You know those websites that make you include a number and a capital letter (and maybe a symbol) in your password? Turns out those requirements add far less security than they appear to, because people satisfy them in the same few predictable ways, and the main effect is annoying users and making them more likely to write down their passwords or otherwise store them insecurely. Nearly all capital letters are the first character of passwords; nearly all numbers and symbols are at the end. Most of the time, people just capitalize the first letter and stick a ‘1’ on the end. If they’re feeling more clever, they might change an ‘e’ to a ‘3’ or a ‘t’ to a ‘1’. Cracking programs apply exactly these transformations (“mangling rules”) to every word in their dictionaries, so all those substitutions are covered too.
  • Shifting your hands sideways on the keyboard or walking around the keyboard in patterns (qwerty, 1qaz2wsx and the like) are in any good dictionary now, too. The same goes for spelling words backwards or forwards-then-backwards. If you’re not sure whether your password trick is secure, here’s my personal rule of thumb: If you think you’re being clever, you probably aren’t.
  • A $12,000 computer called “Project Erebus” can crack the entire keyspace for an 8-character password in just 12 hours when the stolen database uses a fast, unsalted hash such as MD5 or NTLM (which, unfortunately, describes most of the companies involved in data breaches lately). The arithmetic: 95 printable characters to the eighth power is about 6.6 quadrillion possibilities, and covering them in 12 hours means roughly 150 billion guesses per second, a rate you only reach against a fast hash. That means if your password is 8 characters or less and was stored that way, this computer will always get it in 12 hours or less, no matter what it is. 8 characters used to be a secure password (it still was when I wrote about passwords in 2009); now 8 characters is a terrible password (though still a good sight better than 7 or 6 characters, since every extra character multiplies the keyspace by the size of the character set, so password strength increases exponentially with length). This computer is not particularly special; anyone with a few grand to spare and a bit of computer smarts can put together a few graphics cards into a solid password-cracking machine nowadays.
  • Average desktop computers equipped with good graphics cards can test about eight billion passwords every second against a file of password hashes (which is what you usually get when you steal a password database from a company: not the passwords themselves but a one-way hash of each, so the cracker guesses candidates, hashes them, and looks for matches).
  • The average Web user has 25 accounts but only 6.5 passwords. In my opinion, reusing passwords is even worse than using bad passwords, and that’s despite the fact that just about everybody reuses their passwords at least occasionally. The reason: if somebody gets your password from one site, no matter whether it’s something like hu!-#723d^*&/"!q4, they can get into your other accounts as well. If you have a bad password and it gets cracked, at least the damage is confined to that one site (unless it’s your email account, as described at the very end of last week’s post).
  • A large number of passwords consist of first names (or worse, usernames) followed by years. There are now dictionaries of names pulled from millions of Facebook accounts which can be used with programs that try appending likely numbers (such as possible years of birth) until a match is found. A good graphics card can crack your password in roughly two minutes if you use this type of password.
  • A number of attacks depend on the companies that store your data being stupid. For instance, there’s an easily implemented method called salting (storing a random value alongside each password and hashing the two together) that makes cracking password databases far more difficult: every guess has to be recomputed separately for each user, and precomputed rainbow tables become useless. It’s been around for decades. And yet Yahoo, LinkedIn, and eHarmony, among other major companies, were caught dead without it when they lost password databases recently. The same goes for using a deliberately slow password hash (bcrypt or sha512crypt, say, instead of plain MD5 or SHA-1): a slow hash cuts an attacker from several billion guesses per second to something like 2,000, which doesn’t save a password that’s in the dictionary but pushes anything reasonably strong out of reach. Most services still choose a fast one. Unfortunately, there’s not really anything you can do about this, other than contact technical support and boycott them if they don’t follow best practices (and given how bad the standards are, you can expect to not be using very many websites). You can, however, mitigate the possible damage by using a different password for every site so that you will have lost less if your password is cracked.
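As an added illustration of two of the points in this list (my own Python, not code from the Ars article or from any cracking tool), here is a small model. The `mangle` generator applies the predictable transformations described above (capitalise the first letter, leet substitutions, a digit, “!” or a birth year on the end) to a word list; the same guesses are then run against an unsalted SHA-1 table of the kind LinkedIn lost, and against a salted, deliberately slow PBKDF2 record. The word list, the sample users and their passwords are constructed for the demo, and the iteration count in the demo is set low so it runs in seconds.

```python
import hashlib
import hmac
import os

# Added example, not code from the Ars article or from any cracking tool. The word
# list, users and passwords are constructed for the demo.
WORDLIST = ["password", "jessica", "monkey", "welcome", "dragon"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "t": "7"})


def mangle(word):
    """Yield the predictable variants of one word: first letter capitalised, all caps,
    leet substitutions, and a digit, '!' or a plausible birth year on the end."""
    bases = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    suffixes = ([""] + [str(d) for d in range(10)] + ["!", "1!", "123"]
                + [str(year) for year in range(1950, 2013)])
    seen = set()
    for base in bases:
        for suffix in suffixes:
            guess = base + suffix
            if guess not in seen:
                seen.add(guess)
                yield guess


def fast_hash(password):
    """Unsalted SHA-1 (what LinkedIn used): equal passwords give equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password, salt, iterations):
    """Salted PBKDF2-HMAC-SHA256; `iterations` sets the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_salted_record(password, iterations=100_000):
    """What a sensible site stores: a fresh random salt per user plus the slow hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_hash(password, salt, iterations)}


def verify_salted(record, password):
    """Recompute with the stored salt; compare in constant time."""
    candidate = slow_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_fast(stolen, wordlist=WORDLIST):
    """Unsalted table: one SHA-1 per guess is checked against every user at once."""
    remaining = {}
    for user, digest in stolen.items():
        remaining.setdefault(digest, []).append(user)
    found, work = {}, 0
    for word in wordlist:
        for guess in mangle(word):
            work += 1
            digest = fast_hash(guess)
            if digest in remaining:
                for user in remaining.pop(digest):
                    found[user] = guess
            if not remaining:
                return found, work
    return found, work


def crack_salted(record, wordlist=WORDLIST):
    """Salted record: the same guesses, but for one user only and at full PBKDF2 cost."""
    work = 0
    for word in wordlist:
        for guess in mangle(word):
            work += 1
            if verify_salted(record, guess):
                return guess, work
    return None, work


if __name__ == "__main__":
    users = {"alice": "Password1", "bob": "P@ssw0rd", "carol": "jessica1987", "dave": "Password1"}
    stolen = {user: fast_hash(pw) for user, pw in users.items()}
    print("alice and dave share a digest:", stolen["alice"] == stolen["dave"])
    found, work = crack_fast(stolen)
    print(f"unsalted SHA-1: {len(found)}/{len(users)} recovered after {work} hashes: {found}")

    iterations = 2_000  # demo value; real deployments use far more, or bcrypt/scrypt
    carol = make_salted_record("jessica1987", iterations)
    twin = make_salted_record("jessica1987", iterations)
    print("same password, different salted hashes:", carol["hash"] != twin["hash"])
    guess, work = crack_salted(carol)
    print(f"salted PBKDF2: {guess!r} after {work} guesses = {work * iterations:,} HMACs, for ONE user")
```

Two things to notice when you run it: every “clever” password in the sample falls to a five-word dictionary within a few hundred guesses, and against the unsalted table those few hundred SHA-1 computations covered all four users at once (alice and dave even share a digest). The salted record still falls, because the password is in the dictionary, but the attacker pays the full PBKDF2 cost per guess and has to start over for every other user.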

Now is a good time to remind yourself that two-factor authentication would help prevent anybody from logging into your account even if they cracked your password, isn’t it? Next week I’ll be back with some practical tips for making and using better passwords.

Security Advisory: You Should Use Two-Factor Authentication

Passwords are rapidly becoming less and less protective of your online information. And at the same time, we’re putting more of our lives online and standing to lose more from someone breaking that security. And don’t think it can’t happen to you: you probably heard about Wired writer Mat Honan, who recently had his Amazon, Apple, Gmail, and Twitter accounts hacked and his iPhone, iPad, and MacBook all wiped with no backup—because the hacker thought his Twitter username was cool.

Two-factor authentication is an easy way to add a great deal of security to accounts that support it without really losing much. In Mat’s case, he would never have lost all his data had he had two-factor authentication enabled on his Gmail account, and he urges everyone to turn it on. Here’s why (and how to do it).

What exactly is two-factor authentication? In its most common usage, it means that logging in requires not only a password (in security speak, “something you know”), but also an item with some sort of cryptographic key or other code (“something you have”). This item can take the form of specialized hardware such as a smart card or a device that displays randomly changing numbers, a flash drive, or a decidedly low-tech sheet of paper with one-time-use numerical codes printed on it. It can also be a smartphone app that computes the codes itself from a secret shared when you set it up and the current time (so it works with no signal), or a server that distributes codes via text message or phone call; these are the simplest options for average users and the methods I’m focusing on in this article.

Two-factor authentication works really well with very little sacrifice on the part of the user. If you’re using two-factor authentication, if somebody gets your password, you’re not screwed yet—they still have to get hold of your phone. In the case of Mat’s recent hack, the hacker never knew him personally, so he would have had no chance at his phone or list of backup codes—both physical objects—making the rest of the damage he did impossible. (Furthermore, depending on his settings, Mat might well have received a random text message with an authentication code—a dead giveaway that somebody had tried to access his email account.) And it’s not a major inconvenience to you. With many services, like Google, you don’t even have to do anything different on computers you use regularly; you just use them once and check a “remember” box. On other computers, you simply have to take fifteen seconds to pull out your phone and type a number into the computer. It’s a pretty small price to pay for making it nearly impossible for a random stranger to destroy your online life.

I was one of the first wave of people who signed up for two-factor authentication at Google when it was first released. I’ll freely admit I thought it was a gimmick and paranoia when I did, but I thought it couldn’t hurt. But with the latest batch of password database cracks and now this widely-publicized Mat Honan business, I think the world is changing. Passwords just aren’t enough anymore, even good ones—a good portion of breakins now don’t even involve cracking a password, they involve stealing passwords from somewhere, using weak password reset or security question vulnerabilities, or tricking customer service into letting you into someone else’s account. Those are all things which you can’t control, except with two-factor authentication.

Nowadays I think everyone should enable two-factor authentication right now. A few minutes now just might save you an awful lot of trouble later!

With Google accounts, you can have codes texted to you or delivered by voice call when you need to log in, or you can install a smartphone app called Google Authenticator which works even when you’re offline. In case you need to log in when you have a dead battery or no service, you can print out a list of single-use backup codes and keep it in your wallet (you could even memorize one in case you’re stuck without even your wallet). They’ve really covered just about everything at Google.
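To show what the Authenticator app and Google’s servers are actually agreeing on, here is an added example (my own Python, not Google’s code) of the RFC 4226 HOTP and RFC 6238 TOTP arithmetic: both sides hold the same secret from setup, and each 30-second window yields a six-digit code derived from an HMAC of the current time step, which is why the app needs no network. The `Verifier` class plays the server’s part, accepting codes one step either side of its own clock and refusing to accept the same step twice, so a code that was shoulder-surfed cannot be replayed. The base32 helper handles the form in which such secrets are usually displayed. The secret used is the public test secret from the RFCs, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not Google's code. SECRET is the public test secret from RFC 4226
# and RFC 6238; a real enrolment uses a fresh random secret per account.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the number of `step`-second windows elapsed."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def decode_base32(text):
    """Secrets are usually shown base32-encoded, often lower-case and grouped; undo that."""
    cleaned = text.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class Verifier:
    """Server side. Accepts a code for the current step or `window` steps either side
    (clock drift), and never accepts a step it has already accepted (replay)."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_accepted_step = -1

    def verify(self, code, at=None):
        if len(code) != self.digits or not code.isdigit():
            return False
        at = time.time() if at is None else at
        now = int(at // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate_step = now + delta
            if candidate_step <= self.last_accepted_step:
                continue  # a step that was already used (or anything older) is never valid again
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    # What the setup screen carries, and what the app derives from it.
    print("enrolment secret (base32):", base64.b32encode(SECRET).decode())
    print("code right now:", totp(SECRET))
    # Phone and server agree because both compute the same function of the same time.
    server = Verifier(SECRET)
    now = time.time()
    code = totp(SECRET, at=now)
    print("first use accepted:", server.verify(code, at=now))
    print("replay of same code rejected:", server.verify(code, at=now))
```

The `window` of one step either side is what lets a phone whose clock is half a minute off still log in; the `last_accepted_step` check is what stops someone who watched you type a code from using it in the same window. Google’s printed backup codes are the same idea with a counter instead of a clock: each one is struck off once used.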

Here’s how to enable two-factor authentication on your Google account.

  1. Log into your Google account if you’re not already logged in.
  2. Visit http://accounts.google.com. If it’s been a while since you logged in, you may have to confirm your password.
  3. Click the Security link on the left.
  4. Next to “2-Step Verification,” click Edit.
  5. Click “Start setup” and give your phone number if it’s not already on file in your account. You’ll receive a text message (or call, if you’re using a landline or SMS delivery isn’t working) with a code to confirm your phone.
  6. Check the box if you want to “trust” the current computer, which means that you won’t need to enter codes on it. This way, you only have to bother with verification codes if you’re on a computer other than your own, safe computer.
  7. Click Confirm to activate two-factor authentication.

Here are a couple of things you may want to check (and things to keep in mind now):

  1. On the overview page, it is wise to provide a backup phone number and print (or write down) the list of backup codes. The codes are useful, as mentioned, if you’re without your phone or without use of it. It’s a good idea to make the backup phone a landline, as you can lose a cell phone for a while and be stuck locked out, but it’s pretty hard to lose a landline number.
  2. If you have a smartphone or iPod Touch, you can investigate the “mobile application” (Google Authenticator in your device’s app store) to make logging in even easier.
  3. If you use apps that access your email, you may need to set up “application-specific passwords,” as many apps can’t accept two-factor verification. Google simply generates a special sixteen-letter password for use with only that app; if someone gets into that account or steals that device, you can simply revoke the password from your accounts page (leaving everything else untouched and fully operational). You cannot log into the main Gmail web interface with an application-specific password.
  4. At the bottom of the page, you’ll notice that you can forget all other trusted computers, just in case you think someone managed to get a computer trusted with your verification code or you accidentally checked the “trust” box when logging in on a computer you don’t actually trust.
  5. Before you log out, it would be wise to open a new incognito window or a different browser and double-check that you can log in properly, just in case there’s somehow something wrong with your phone setup.
  6. If somebody ever gets your password or it’s somehow released onto the internet by some other database for which you used the same password being cracked, you should still change your password (it’s essentially only one-factor authentication until you do), but you’re safe for the moment.
  7. If you lose your phone, simply log into accounts.google.com and deauthorize your phone (you can use a backup code or your backup phone if you’re locked out because your phone is missing). If you get it back or you get a new one, you can just add it back in.

You can also use two-factor authentication on Facebook, LastPass, and a growing number of other popular applications—it wouldn’t hurt to investigate, especially on accounts you care about keeping secure. (UPDATE: Yahoo Mail and Dropbox have recently added two-factor authentication options as well.) It’s especially important, however, to have good security on your email account. Why? Think about what you do if you need to reset a password. On nearly all websites, you enter your email address and have a reset link sent to your email account—the one you used when you set it up. If someone gets into your email account, they essentially have a free pass to all your other online accounts.

If you have problems with or questions about two-factor authentication, I’d be happy to help you in the comments—I’m surprising myself with how strongly I’ve started to believe that this stuff is important.