Tag Archives: Google

Security Advisory: You Should Use Two-Factor Authentication

Passwords are rapidly becoming less and less protective of your online information. And at the same time, we’re putting more of our lives online and standing to lose more from someone breaking that security. And don’t think it can’t happen to you: you probably heard about Wired writer Mat Honan, who recently had his Amazon, Apple, Gmail, and Twitter accounts hacked and his iPhone, iPad, and MacBook all wiped with no backup—because the hacker thought his Twitter username was cool.

Two-factor authentication is an easy way to add a great deal of security to accounts that support it without really losing much. In Mat’s case, he would never have lost all his data had he had two-factor authentication enabled on his Gmail account, and he urges everyone to turn it on. Here’s why (and how to do it).

What exactly is two-factor authentication? In its most common usage, it means that logging in requires not only a password (in security speak, “something you know”), but also an item with some sort of cryptographic key or other code (“something you have”). This item can take the form of specialized hardware such as a smart card or a device that displays randomly changing numbers, a flash drive, or a decidedly low-tech sheet of paper with one-time-use numerical codes printed on it. It can also be a smartphone app or a server that distributes codes via text message or phone call, which is the simplest to implement for average users and the method I’m focusing on in this article.

Two-factor authentication works really well with very little sacrifice on the part of the user. If you’re using two-factor authentication and somebody gets your password, you’re not screwed yet—they still have to get hold of your phone. In the case of Mat’s recent hack, the hacker never knew him personally, so he would have had no chance at his phone or list of backup codes—both physical objects—making the rest of the damage he did impossible. (Furthermore, depending on his settings, Mat might well have received a random text message with an authentication code—a dead giveaway that somebody had tried to access his email account.) And it’s not a major inconvenience to you. With many services, like Google, you don’t even have to do anything different on computers you use regularly; you just use them once and check a “remember” box. On other computers, you simply have to take fifteen seconds to pull out your phone and type a number into the computer. It’s a pretty small price to pay for making it nearly impossible for a random stranger to destroy your online life.

I was one of the first wave of people who signed up for two-factor authentication at Google when it was first released. I’ll freely admit I thought it was a gimmick and paranoia when I did, but I thought it couldn’t hurt. But with the latest batch of password database cracks and now this widely-publicized Mat Honan business, I think the world is changing. Passwords just aren’t enough anymore, even good ones—a good portion of break-ins now don’t even involve cracking a password; they involve stealing passwords from somewhere, using weak password reset or security question vulnerabilities, or tricking customer service into letting you into someone else’s account. Those are all things which you can’t control, except with two-factor authentication.

I now think everyone should enable two-factor authentication right away. A few minutes now just might save you an awful lot of trouble later!

With Google accounts, you can have codes texted to you or delivered by voice call when you need to log in, or you can install a smartphone app called Google Authenticator which works even when you’re offline. In case you need to log in when you have a dead battery or no service, you can print out a list of single-use backup codes and keep it in your wallet (you could even memorize one in case you’re stuck without even your wallet). They’ve really covered just about everything at Google.
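Google Authenticator can work offline because it implements the time-based one-time password algorithm (TOTP, RFC 6238): the phone and the server share a secret set at enrollment, and each derives the current code from that secret and the clock. The following is an added example, not part of the original article and not Google's code, sketching the server-side check together with single-use backup codes; the secret is the RFC test key, and the backup code, class and function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct

# Constructed sample data: the RFC 6238 test key in base32, and a made-up backup code.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
BACKUP_CODES = ["11112222"]

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=30):
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret_b32, int(unix_time) // step)

def _same(a, b):
    # Constant-time comparison so response timing does not leak matching digits.
    return hmac.compare_digest(a.encode(), b.encode())

class SecondFactor:
    """Hypothetical server-side verifier for one account."""
    def __init__(self, secret_b32, backup_codes):
        self.secret = secret_b32
        self.backup = set(backup_codes)
        self.last_step = -1          # highest time step already accepted

    def verify(self, submitted, unix_time, step=30, drift=1):
        now = int(unix_time) // step
        # Accept neighbouring steps to tolerate clock drift, but never a step
        # at or below one already used, so an observed code cannot be replayed.
        for s in range(now - drift, now + drift + 1):
            if s > self.last_step and _same(hotp(self.secret, s), submitted):
                self.last_step = s
                return "totp"
        # Backup codes need no clock or phone; each is deleted once used.
        for code in list(self.backup):
            if _same(code, submitted):
                self.backup.remove(code)
                return "backup"
        return None

if __name__ == "__main__":
    import time
    print("code for this 30-second window:", totp(SECRET, time.time()))
```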

Here’s how to enable two-factor authentication on your Google account.

  1. Log into your Google account if you’re not already logged in.
  2. Visit http://accounts.google.com. If it’s been a while since you logged in, you may have to confirm your password.
  3. Click the Security link on the left.
  4. Next to “2-Step Verification,” click Edit.
  5. Click “Start setup” and give your phone number if it’s not already on file in your account. You’ll receive a text message (or call, if you’re using a landline or SMS delivery isn’t working) with a code to confirm your phone.
  6. Check the box if you want to “trust” the current computer, which means that you won’t need to enter codes on it. This way, you only have to bother with verification codes if you’re on a computer other than your own, safe computer.
  7. Click Confirm to activate two-factor authentication.

Here are a couple of things you may want to check (and things to keep in mind now):

  1. On the overview page, it is wise to provide a backup phone number and print (or write down) the list of backup codes. The codes are useful, as mentioned, if you’re without your phone or without use of it. It’s a good idea to make the backup phone a landline, as you can lose a cell phone for a while and be stuck locked out, but it’s pretty hard to lose a landline number.
  2. If you have a smartphone or iPod Touch, you can investigate the “mobile application” (Google Authenticator in your device’s app store) to make logging in even easier.
  3. If you use apps that access your email, you may need to set up “application-specific passwords,” as many apps can’t accept two-factor verification. Google simply generates a special sixteen-letter password for use with only that app; if someone gets into that account or steals that device, you can simply revoke the password from your accounts page (leaving everything else untouched and fully operational). You cannot log into the main Gmail web interface with an application-specific password.
  4. At the bottom of the page, you’ll notice that you can forget all other trusted computers, just in case you think someone managed to get a computer trusted with your verification code or you accidentally checked the “trust” box when logging in on a computer you don’t actually trust.
  5. Before you log out, it would be wise to open a new incognito window or a different browser and double-check that you can log in properly, just in case there’s somehow something wrong with your phone setup.
  6. If somebody ever gets your password, or it ends up on the internet because some other site’s database (where you used the same password) was cracked, you should still change your password (it’s essentially only one-factor authentication until you do), but you’re safe for the moment.
  7. If you lose your phone, simply log into accounts.google.com and deauthorize your phone (you can use a backup code or your backup phone if you’re locked out because your phone is missing). If you get it back or you get a new one, you can just add it back in.

You can also use two-factor authentication on Facebook, LastPass, and a growing number of other popular applications—it wouldn’t hurt to investigate, especially on accounts you care about keeping secure. (UPDATE: Yahoo Mail and Dropbox have recently added two-factor authentication options as well.) It’s especially important, however, to have good security on your email account. Why? Think about what you do if you need to reset a password. On nearly all websites, you enter your email address and have a reset link sent to your email account—the one you used when you set it up. If someone gets into your email account, they essentially have a free pass to all your other online accounts.

If you have problems with or questions about two-factor authentication, I’d be happy to help you in the comments—I’m surprising myself with how strongly I’ve started to believe that this stuff is important.

Searching Google: Tips & Tricks

I have published a new article about all sorts of tricks for searching the web, both in forming search queries and using features of Google you probably didn’t know existed. This is an updated version of an article that’s been around in the past; if you were ever a subscriber of the original Technical Geekery Tips, you might vaguely recognize it.

You can read the article here (it will remain under the Miscellaneous tab of the website menu, if you want to look for it later).

People who know me personally might also appreciate a new item on the (also new) Miscellaneous tab, Conversations with Soren. Check it out.

Searching Google for Only a Specific Site

Ever been to a really poorly-designed website? I’ve certainly seen a few. And what’s worse than a poorly-designed website? A poorly-designed website without a search box.
Fortunately, you can get around this fairly easily using a surprisingly little-known trick on Google. Just start your query with site:www.confusing-site.com. (You must not put a space between the site: and the domain of the website, or it won’t work.) Try it out–here’s an example search.

This can also come in handy if the website does have a search box, but just doesn’t have a good one. I also use it routinely when I read a news article, then want to show it to someone else. If I know what site I found it on (say, Slashdot or the New York Times website), I can easily get back to the article by searching this way, whereas if I go to the site and try to browse for it, it’s likely to be buried or even completely gone if I go back a day later.

Soren “scorchgeek” Bjornstad

http://www.thetechnicalgeekery.com

If you have found an error or notable omission in this tip, please leave a comment or email me: webmaster@thetechnicalgeekery.com.

Copyright 2012 Soren Bjornstad.
Verbatim copying and redistribution of part or all of this article
is permitted, provided this notice is preserved.

Google Web History, and Why You Might (or Might Not) Want To Turn It Off

If you’ve been anywhere on Google lately, you’ve probably noticed that their privacy policy is changing. But does that actually mean anything for you? Well, the thing they’ve been getting some complaints about is the way they can now tie your data across multiple services. So the information in your Web History could, for example, be used to decide what ads to show you in Gmail.

You probably didn’t even know Google had a web history feature. And it seems to be active for some people and not for others; in the couple of articles I’ve read so far, nobody seems to know what the criteria are. (Has it always been opt-in? Has it changed?) But if it is on, the service is tracking all searches you make (and optionally, which results you click on) while you’re logged into your Google account. For many people, that’s a good percentage of the time they use their browser.

Now, before you start thinking Google is some crazy company keeping your data for who-knows-what, you do get something out of it. For one, you can go back and see what you searched for on any day in the past, which is actually a pretty cool way to look back, and on occasion it can help you remember what you were doing on a given day, if you need to figure it out. Also, if you know you’ve successfully searched for something in the past, but now don’t know what search terms you used and can’t find it anymore, you can probably figure out what your search terms were from the web history. Additionally, if you’ve enabled the more-powerful tracking options (these are opt-in), when you run a search you’ll see text underneath any results you’ve clicked on before, with the date you last accessed them through a search. This is really handy, because if you’ve been to a site before it makes it significantly more likely that you’ll be looking for it again. Google can also use the information to give you (supposedly) more relevant results.

Of course, having a history of all the searches you’ve ever performed might be unattractive to some. If that’s you, feel free to clear it out. But keep in mind that this won’t necessarily prevent Google from collecting some of this information about you anyway (see #2 on this CNET article). Especially with that in mind, I find that for me the benefits are worth the potential privacy risk. Personally, I never clear my history in either Google or my own browser, because I frequently want to go back and search where I was a couple of days ago. Someday this is probably going to come back and bite me when someone steals my browsing history, but that won’t be that big of a catastrophe, and I’m willing to take the risk for the convenience.

For the most part, I trust Google to keep my information. Someone has to deal with my email (okay, technically I could run my own mail server, but that’s not really practical for most people). In my opinion it might as well be Google. Some people decry the fact that Google “reads your email”—a computer scans the content of your messages to determine advertisements that might be related. That doesn’t, however, mean that anyone at Google is actually going to read the words in your email and get any meaning out of it, nor does it really scare me. There are plenty of much easier ways for someone to intercept the content of my email over the Internet, and I highly doubt that keeping an archive of the entire world’s email is one of Google’s goals. And in general, I trust Google enough to keep my information. I wouldn’t trust a random start-up company with my history or my email, nor would I trust Facebook. And in exchange for everything that Google offers me (search, email, YouTube, this blog, . . .), I’m perfectly willing to let them display targeted advertisements.

If you do want to turn off web history, either because of the slight protection from Google it might afford you, because you don’t want Google to “personalize” your experience by combining profiles about your web use across their services, or because you just don’t like all that information being easily accessible, it’s easy enough to turn off. Just keep in mind that that data is still out there and consider what you’re losing.

Three Fun Google Tricks

Google is well-known for putting cool logo modifications on their homepage. So it doesn’t come as much of a surprise to see that they love throwing random and quirky tricks into their search engine. Here are a couple of things to try searching for.

I’m not going to tell you what these do, or it wouldn’t be fun anymore–try them and see for yourself.
  • do a barrel roll
  • askew
  • recursion

Using the Internet to Recall Sayings and Quotations You’ve Forgotten

Ever remember fragments of a saying? Or just part of a quote? You’re not alone. The trick is figuring out how to search for it. Here are two searching tricks to rescue you from that annoying feeling of remembering just part of something.

1: The Asterisk
There’s a really handy Google trick that almost nobody seems to know about: an asterisk (*) matches any single word. This lets you easily search for quotes that you can only remember part of. For example, “one death is a * a million deaths is a *” will easily bring up Joseph Stalin’s fairly well-known statement, “One death is a tragedy; a million deaths is a statistic.” (I have this posted on my wall right in front of me, so I’m not liable to forget it, but I couldn’t think of a better example.)

This trick works wonders; there are only so many possible sentences with that precise structure, and if it’s something reasonably well-known, the first page of hits is liable to give you a unanimous verdict on what you were trying to think of. If you get irrelevant results (which has actually never happened to me), you can try putting the whole thing in quotes. It’s also possible that you remembered the part that you knew wrong; try adding more asterisks in places you weren’t sure of.

2: Searching Books on the Internet
This is what happened to me the other day. I remembered the following phrase: “You may be the world champion tetris player, but eventually….” That was it. For the life of me, I could not figure out where it came from, or indeed any information about it. So I went to Google and just typed that in. Guess what? There was exactly one hit, a Google Books result taking me to exactly the passage I was looking for.

To test whether this was a transferable trick, I grabbed five books from my bookshelf, flipped them open to a random page, and typed in a quote from each. A search for the quoted passage (only ten words long or so, and devoid of any specific names) brought up the correct title of the book in five out of five cases.

The uniqueness of fairly mundane English sentences is truly surprising. Some things that worked:
  • “It lay out in the open, several feet away and unreachable” (Once Upon a Time In the North by Philip Pullman, 1 result)
  • “nudging people to use the standard cursor keys” (Windows XP Annoyances for Geeks by David Karp, 3 results)
  • “For the last six months we have exhausted every means of locating you” (East of Eden by John Steinbeck, 3 results).
So next time you can’t remember the source of a quote you’re thinking of, forget about thinking hard and scanning through books–just type it into Google. In most cases the websites also let you see a couple of pages of context, so you probably don’t even have to go get the book. Remember to use quotation marks around the quote, assuming that you’re fairly sure your words are exactly right–you’ll get much more relevant results.

Many sites and devices that you might use have their own search features (for instance, I can search all the books and documents on my Kindle from the main screen), but with the success rate of this technique, I’d only recommend using that if you don’t have immediate access to Google.