Tag Archives: security

A Call from Windows

I got a call from “Windows” the other day. My computer, you see, had reported errors to Windows, and they wanted to help me get rid of them.

First of all, let me point out a couple of essential problems with this scam. For one, “Windows” is not a legitimate company; Windows is a piece of software. Windows calling me to tell about a problem with my computer is like “Beetle” calling me to tell me about a problem with my Volkswagen. They didn’t say that their call was about Windows (which would have been correct, to a point), they said that they were Windows. Secondly, should I have accepted that Windows was a legitimate company, why would Windows have known that my computer had errors? They addressed this by saying that my computer was “reporting” errors to them. But why? Even if Windows (or anyone else) had indeed set up a massive surveillance system to know how well my computer was working at any given time, why would they bother calling me to help me get rid of the errors? They would have no motivation to do so. I did not pay Windows to repair my computer or to protect it from viruses. If I’m like most people, I didn’t even choose to buy a copy of Windows, much less enter into an agreement with Windows to maintain the well-being of my computer – my computer just came with it installed. It costs a lot of money to call people and help them fix their computers when they not only didn’t do anything to deserve it but didn’t even ask for help.

No, to anyone who pauses to think about it – even someone who is unfamiliar with computers, unfamiliar with this particular scam, and does not know that Windows is not a company – the premise simply makes no sense. Why would one of the world’s largest software companies make an unsolicited telephone call to help you? No, of course this is fraud on a massive scale. Evidently there are a number of operations like this, but, no matter what, their goal is to cheat you out of your money.

So the call was handed off to me by another member of the household. (I’d stated previously that if we ever got one of these, I wanted to take it. This had been forgotten, but the call was passed on to me anyway because it was technical in nature.) The person, who had a strong Indian accent and told me he was “calling from Windows,” explained that my computer was reporting many errors that were somehow related to a problem with viruses, then asked me if I could turn my computer on. He didn’t explain that he was going to help me solve the issue, provide further confirmation of who they were, or anything else; he just asked, as if it was completely normal for strangers to call out of the blue and ask people to turn their computers on and start following instructions. Being an apparently agreeable person, I stepped over to the desk and pretended to punch the power button, complete with leaning-over-under-the-desk sounds, then quickly went over to my actual computer, googled the Windows 7 startup sound, and played it loudly. (The computer was booted into Linux at the time.)

The guy then proceeded to have me open the Windows Event Viewer and filter the display to show me all the errors. (Of course it’s quite common to get some type of “error” logged in the event logs, which store practically everything that happens on the computer, even errors that aren’t important enough to indicate to the user. One common “warning” indicates that Windows hasn’t been able to synchronize the clock for one day, perhaps because the computer was switched off at the time.) I wasn’t actually displaying the errors, though, because I wasn’t even running Windows on the computer. In order to sound believable, I just played dumb and repeated the guy’s instructions and said “okay” a lot. And, of course, I delayed things on purpose, since my goal was to waste some time.

After I said that I saw all the errors, he told me, “It’s eating your computer, sir, day by day.” He then immediately told me to “open Internet Explorer” and browse to a website; apparently I had been compliant enough that he didn’t try to convince me further that there was something wrong. I chose to pretend I didn’t suspect anything and follow the next set of instructions. He had me go to the website of a legitimate remote-access software product, then told me to click on a link that wasn’t there. I told him it wasn’t there (and it legitimately wasn’t – I wasn’t even making it up). We spent the next five minutes repeatedly spelling and retyping the URL, even though I said the page matched the descriptions he was giving. When that didn’t work, he transferred me to another guy who had me try the same thing again, then transferred me again to someone who had me try a different piece of software.

The attempt to use this second piece of software gave rise to a farce where my computer displayed a thirteen-digit passcode and I was supposed to read it to him. (Before doing so, I unchecked the box that read “Grant Full Control” and put my finger near the power switch in case they connected and could actually do something on the computer.) I read it wrong, several times, then read it right. But it didn’t end there: I had to read it loudly and clearly at least ten more times (correctly) before the guy heard it right. At this point I pulled up several terminal windows full-screen and typed “cat /dev/urandom” in each, causing the screens to fill with random scrolling characters, which I suspected would confuse whoever connected. He never actually managed to get the software to work, though, even after he finally read the passcode back to me correctly.

I was transferred again and told we would try “one more thing.” “We” went to yet another website and tried yet another software package. This time it downloaded correctly, but it was a Windows executable and wouldn’t have run on my machine. I said something like, “Uh, weird things are happening,” then power cycled the machine and said, “Oh, my computer rebooted by itself.” He sounded somewhat flustered, but bought it and sat waiting for my system to reboot.

Throughout all the people I was transferred to, I was asked several times how old my computer was. I responded “a couple of years,” and was met with “okay”s and “huh”s every time. I don’t know what the point was; if I had been thinking faster, I might have given several different responses to try to find out (assuming they wouldn’t be recording the response).

I’m not sure what I was planning to do next, but I think I probably would have “caught on” and tried a bunch of objections to see how much it would take to get them off the phone, but unfortunately I didn’t get a chance to do that, because the machine legitimately wouldn’t boot: my punching of the power switch had, by some fluke of improbability, corrupted the hard disk to the point where it wouldn’t start. After it became clear that retrying wasn’t going to do the trick, I hung up on him, somewhat disappointed but still amazed that I had managed to keep them on the phone for 32 minutes while not even having a Windows computer in front of me. After about thirty seconds, they called back four times consecutively: I would let the phone ring for a moment, press “talk,” then immediately press “end” and hang up the phone to terminate the call, and seconds later the phone would ring again. Finally I said, “Listen, I can’t talk right now, okay?” and hung up again as I heard someone saying, “Hello?” (Evidently the computer was dialing and then trying to connect me.) They haven’t called back since; I don’t know if they figured out I wasn’t going to talk to them anymore or just decided there was a problem with the phone.

The hard drive was fine; I just had to boot off a diagnostic CD and run a disk check. I don’t know what they would have done if they’d managed to connect, but I suspect they would have tried to install some malware or some sort of backdoor, or perhaps purposefully broken the computer so that I would have had to pay them to fix it.

This was a big operation. You could hear the call center noise in the background, and there were managers they went and talked to when something didn’t work correctly. The fact that such a relatively illogical scam can work is attributable to only one thing: people are scared about having their computers not work, and they’re scared of “viruses,” even though viruses as such are practically extinct in modern times. While the premise of the scam is ridiculous if you pause to consider, or at least odd enough to make you wonder what’s going on, the idea that your computer is going to stop working if you don’t let “Windows” (or “your IT department” or whatever) work with you is scary enough that enough people evidently play along and pay these guys enough money to make it a profitable scam.

So, if you get a call from “Windows,” or an unsolicited call from anyone who claims they want to help you, think twice about what’s going on. If it sounds legitimate, hang up, look up the number on the actual company or organization’s website, and call them back and ask (while you’re on the Internet, you could also google it and see if it’s a known scam). Callbacks aren’t foolproof (really determined people can forward the legitimate phone line to theirs, for instance, or the number can be changed on the reference page where it’s listed), but if the scammers are just pulling a dragnet looking for the most gullible people, they’re not going to bother. Caller ID, while useful, is not a shortcut for this: it’s ridiculously easy to spoof caller ID, and nobody doing something illegal like this will display their actual phone number.

And if you get a chance, turn around and mess with them a little bit. It probably won’t do anything significant, but it’s much more fun that way! If you get a good story, share it with me in the comments.

Ars Technica also had an article about this or a similar scam some time ago.

The Weakest Link: “Forgot Your Password?”

Assume for a moment that I wanted to access some confidential files that belonged to you. You, having at least an ounce of sense (or an IT department that makes these decisions for you) have set a Windows password on your computer. How should I aim to access those files?

Well, there are a lot of ways. Here are a few:

  1. Install a keylogger on your system, wait a little while, then come back and search through the output looking for things that look like passwords, then try them. (Probably several hours, unless I’m really good at it.)
  2. Try to guess your password based on things I know about you, or try common passwords like ‘password1’ or ‘123456’, or look around your desk for sticky notes containing your password. (A few minutes, assuming it works—which is a comfortably low chance if you use a sensible password, but unfortunately a lot of people don’t.)
  3. Use software that will search for common passwords out of a dictionary or brute-force the password. (Probably days.)
  4. Boot up the system using a boot disc to bypass the Windows password, locate the files, and copy them to a flash drive. (About 5 minutes.)

Which do you think I’m going to pick? Obviously, the sensible choice is the one that’s the easiest, the lowest risk, and takes the least amount of time, which is number 4. If you look at these options, you’ll notice there’s something different about number 4: I have not broken the installed security system (by finding the password despite not being a legitimate user), I have bypassed it altogether. Instead of trying to find the password to the system, I’ve simply found a way to access those files that didn’t require me to know the password at all.

On web services, the bypass-the-password option comes in the form of that little link that reads “Forgot your password?” While this function is a godsend if you really have forgotten your password, without some care it makes it much easier for someone to access your account without your permission. This scenario is not the most likely way for your account to be compromised—nowadays it’s more likely that a poorly secured password database containing your information will be stolen and published on the Web. But if someone singles you out as a particular target for whatever reason (and it’s not as impossible as it seems), password resets are likely to be something they try. Fortunately, it’s not all that difficult to make password resets significantly more secure.

How Password Resets Work
Consider for a moment what happens when you use a password reset function. Usually the service does one or both of these things:

  • It sends a confirmation link to your email address, which will allow you to set a new password.
  • It asks you one or more security questions to “prove” your identity, set up when you opened the account, supposedly things that only you would know, then allows you to change the password.

I’ll look at each of these in turn.

Email Link Reset
Services that simply send a link to your email address are the simplest case. As a would-be hacker, all I have to do is gain access to your email account, and I can easily reset the password on another site that I don’t know the password to. This may not seem like a big deal—after all, I still need to access your email account—but most likely you have twenty or thirty different accounts that will all happily send password reset links to the same email address in the same day. So if I can gain access to your email account through whatever means, even if you have the best unique passwords set up on every other account, I can still access every one of them.

This is pretty simple to fix, though:

  • Never, ever reuse the password you use on your main email account for any reason. Even if you use the same password for everything else (which I don’t recommend, but if you must do it, you must), use a unique one for your email.
  • Make that password a strong one: at least 20 characters, using letters, numbers, and symbols, and nothing easily guessable, such as your phone number, spouse’s or pet’s name, zip code, birthday, and so on. (Actually, guessable things are not in themselves bad—but they need to be combined with something completely unrelated to be secure. Your birthday is a bad password; your birthday combined with a random dictionary word and the last four digits of your phone number when you were six is a good password.)
  • Set up two-factor authentication on your email account if you can. It’s extremely effective and surprisingly unobtrusive.
  • Make certain that you’ve always logged out of your email account when you’re done using it on a public computer. Not only does it help keep you secure on other websites, at least one court has ruled that it’s legal to read someone else’s email if they neglect to log out. If you ever do forget to log out, many services have an option to log out other sessions (in Gmail, if you click the “Details” link in the lower-right-hand corner of the page, there’s a button labeled “Sign out all other sessions”).
  • If you have an “alternate” email address set in your email account’s settings (for recovering the password to your email account), double-check that that account is also secured in the same way. From personal experience, I can attest that this is a “D’oh!” moment if it happens to you.

Some people recommend setting up a different email account reserved for signing up for web services (to keep password reset emails more secure). Personally, I’m too lazy to check my email at two different places (for obvious reasons, you shouldn’t have that mail forwarded to your other email address), and I’m confident enough in the security of my main email account that I’m not worried.
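The e-mail-link reset described at the start of this section is only as strong as the mailbox the link lands in, but the service issuing the link can at least keep the exposure short. The following Python sketch is an added example written for this page, not code from any of the services mentioned; it assumes an in-memory store standing in for the service's database, keeps only a hash of the token, gives each token a fifteen-minute lifetime, and makes it single-use.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the service's database
# (assumption: a real deployment persists these with the same fields).
USERS = {"alice@example.com": {"password_hash": "hash-of-old-password"}}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires", "used"}

TOKEN_TTL_SECONDS = 15 * 60  # a short lifetime limits how long a leaked link is useful


def _token_key(token: str) -> str:
    # Only a hash of the token is stored, so a copied database does not yield
    # working reset links; the raw token exists only in the e-mail itself.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a reset token for `email` and return the raw token the service
    would put in the e-mailed link. Returns None for unknown addresses; the
    HTTP response should look the same either way so the endpoint cannot be
    used to find out which addresses have accounts."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[_token_key(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def consume_reset(token: str, new_password_hash: str, now: Optional[float] = None) -> bool:
    """Redeem a token exactly once; unknown, expired and already-used tokens fail."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_token_key(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    email = record["email"]
    USERS[email]["password_hash"] = new_password_hash
    # Burn every outstanding token for the account, not just this one, so an
    # older link still sitting in the mailbox cannot be replayed afterwards.
    for other in RESET_TOKENS.values():
        if other["email"] == email:
            other["used"] = True
    return True
```

A real service would also rate-limit `request_reset` and send a notice to the old address whenever the password changes; none of that changes the point of the section, which is that the flow trusts whoever can read that mailbox.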

Security Questions
Some people think that security questions are an effective and useful security measure. They’re dead wrong.

Actually, security questions have become popular partly because of a misunderstanding of the theory behind two-factor authentication. In security theory, there are three ways to authenticate yourself: something you know (a password or something more unique like a series of pictures where you must choose the right one), something you have (a token that displays different numbers, a smart card, an RFID tag, or an encryption key on a flash drive), and something you are (a biometric reading such as a fingerprint scan, voice print, or face recognition).

Two-factor authentication consists of using two different types of authentication (in most implementations, a password—something you know—and a token—something you have). However, people heard that two-factor authentication was good, decided that security questions were “two-factor authentication” because you had to authenticate two different ways, and “Wish-It-Was Two-Factor” authentication was born.

It is often said that “good” security questions have four characteristics:

  1. The answer cannot easily be guessed or researched.
  2. The answer doesn’t change over time.
  3. The answer is memorable.
  4. The answer is definitive/simple.

Looking at how tough those requirements (plus a fifth one, that the question needs to apply to most of your users) are, it’s no wonder that nearly all of the questions you see are bad!

Let’s look at where some common questions go wrong:

  • “What is your favorite movie?” This fails on count 2. You probably won’t need to reset your password for months if not years. By that time you’ve almost certainly forgotten what your favorite movie was at the time, if you even had a well-defined one to begin with. Even if you could somehow remember what your favorite movie was on any day during your life, you’d still have to remember when you created your account for that knowledge to be useful.
  • “What city were you born in?” This fails on count 1—it can be found easily in public records. Even if I couldn’t find it with some good research, it’s quite likely you’d give me this information if I asked you, as it doesn’t feel very sensitive.
  • “What is your date of birth?” This isn’t usually presented as a security question, but it is often used for verification. The majority of people have their birthday listed on Facebook, for one, and even if not, once again, it’s in public records. Alternatively, I could call you up and pretend to be conducting a survey or something similar and ask you for your birthday, and you’d probably give it to me.
  • “What is your favorite color?” This fails on count 1 in two different ways. First of all, there are only so many colors that people will describe as their favorite. If you simply type in “blue,” you’ll get it right a very good percentage of the time (according to one survey, a whopping 36 percent of the time averaged between genders). How many people are going to describe their favorite color as something that’s actually somewhat difficult to guess like “light chartreuse” or “burnt orange”? And when was the last time you asked someone what their favorite color was and they told you, “No, that’s private information”? If you can’t find it anywhere, you can just ask.
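The "favorite color" point above can be put in numbers. This Python snippet is an added example for this page, not the survey the post cites; the answer sample is constructed so that "blue" comes out at 36 percent, and the rest of the distribution is invented for illustration. It computes how often an attacker who gets only a few attempts before lockout still succeeds, and compares the best-guess (min-) entropy of the question with that of a random string typed into the same field.

```python
import math
from collections import Counter

# Constructed sample of 100 "favorite color" answers (not real survey data;
# shaped so that "blue" is 36% of answers, the figure the post quotes).
FAVORITE_COLOR_ANSWERS = (
    ["blue"] * 36 + ["green"] * 14 + ["purple"] * 12 + ["red"] * 10
    + ["black"] * 8 + ["orange"] * 6 + ["yellow"] * 5 + ["pink"] * 4
    + ["burnt orange"] * 3 + ["light chartreuse"] * 2
)


def answer_distribution(answers):
    """Map each normalized answer to its share of the sample, most common first."""
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    return {a: n / total for a, n in counts.most_common()}


def top_k_success(dist, k):
    """Probability that trying the k most common answers opens the account.
    This is the number that matters when a lockout allows only k attempts."""
    return sum(sorted(dist.values(), reverse=True)[:k])


def min_entropy_bits(dist):
    """-log2 of the single best guess: the attacker's view of the question."""
    return -math.log2(max(dist.values()))


def shannon_entropy_bits(dist):
    """Average-case entropy, always at least the min-entropy; shown for contrast."""
    return -sum(p * math.log2(p) for p in dist.values())


def random_answer_bits(alphabet_size, length):
    """Entropy of a uniformly random answer of the given length, e.g. a password
    entered in the security-question field instead of a real answer."""
    return length * math.log2(alphabet_size)
```

With this sample, three guesses succeed 62 percent of the time and the question is worth under two bits, whereas a random twelve-character alphanumeric answer is worth about 71 bits; the lockout that protects the password field does very little for the question.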

The Solutions

So what can you do about bad security questions? There are two options I like:

  1. Make up a fake identity with its own set of security-question answers, store them in a file or on a sheet of paper, and read off it any time you need a security question. You can store it in your email account if you need to be able to access it anywhere (you made sure your email account was secure, right?). If you want to make it even more secure, you can make up answers that are completely unrelated to the question (e.g., “What is your favorite pet’s name?” / “Wal-Mart”). This takes a little while to set up, but you can feel confident that you’ll never accidentally reveal the answer to a question, and you have at least some security in the event that someone does discover the answer to one of the questions, as you don’t have to use the same one on every website. Here’s the list of 13 questions that I use (with my answers removed, of course).
  2. If that sounds too complicated for you (and for most people, it probably is), simply make up a password and enter it every time you are asked for a security question. It doesn’t matter one bit what the question is. (If you want to get a little bit more secure, you can add something to the password based on the name of the site or use two or three passwords based on the question.) This password will never change (unless it’s compromised and you need to change it, of course), is always memorable and applicable to you, and is not researchable, since it’s not an answer, it’s a password.

Other options that are not as good as these but are at least better than nothing:

  • Replace letters with numbers or symbols in your answer as if it was a password you were attempting to obscure. This can usually be cracked easily by a password dictionary, but hopefully nobody will be trying a password dictionary on your security question, since it’s not supposed to be a password.
  • Even if you must use the actual question and answer with an actual answer, if you’re given the option to choose your own question, use it. But make it something good—it should pass those four guidelines at the beginning of the section for you.
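Option 2 above, with the "add something based on the name of the site" refinement, can be mechanized so that one secret yields a different, unguessable answer for every site and question. The Python below is an added example written for this page, not a tool the post recommends; `ANSWER_KEY` is a constructed placeholder for a long random secret you would keep in your password manager, and the second half shows the service side treating the answer like a password (normalized, salted, slow-hashed) rather than storing it in clear.

```python
import base64
import hashlib
import hmac
import secrets
import unicodedata

# --- User side: one secret, a different answer for every site ---------------
# Assumption: ANSWER_KEY is a long random secret kept in your password manager;
# this constructed value is for the demo only.
ANSWER_KEY = b"constructed-demo-key-0123456789abcdef"


def _normalize(text):
    # Case, accents and stray spaces must not change the result, because the
    # site may display the question slightly differently years later.
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return " ".join(text.lower().split())


def derive_answer(site, question, key=ANSWER_KEY, length=16):
    """Derive a site- and question-specific answer from one secret with HMAC.
    Output is lowercase base32 (80 bits for 16 characters), easy to type and to
    read out to a support line, and useless for any other site."""
    msg = (_normalize(site) + "|" + _normalize(question)).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:length]


# --- Service side: treat answers like passwords -----------------------------
PBKDF2_ROUNDS = 200_000


def store_answer(answer):
    """Return (salt, hash) to persist; the plaintext answer is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(answer, salt, stored_hash):
    """Constant-time check of a submitted answer against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, stored_hash)
```

The normalization on both sides is deliberate: a user who typed "Wal-Mart" should not be locked out for later typing "wal-mart", and the derived answer should not change because a site re-words its question's capitalization.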

I’ve had some fun in the past asking security questions like “What is 2 + 2?” and making the answer something that’s not even a number. The look on the face of a would-be hacker as he or she is informed that the answer is not 4 is priceless. (I was in the same room with a friend when she tried to access my Gmail account as part of a prank once.)

Here’s some more reading on security questions if you’re interested:

All the good security questions in the world won’t save you from social engineering. In several high-profile cases, customer service representatives have allowed unauthorized users to access accounts even though they didn’t have the answer to the security questions. Of course, there’s nothing you can do about this—just do what you can and hope that none of the things you can’t fix get you in trouble. And if you’re in charge of a web service or business, make clear security guidelines and stick to them (I highly recommend The Art of Deception by Kevin Mitnick—it’s written specifically for businesspeople looking to improve their company’s security, but it’s very enlightening reading for anyone).

So what can you do right now? Most importantly, go to your email account right now and check your security. If you have weak security questions, change them. If you have an alternate email address, make sure it’s secure (or simply remove it from your account; it’ll make it a little bit harder if you really do lose your password, but it will increase your security). And if you don’t have a strong, unique password on your email account, change it! If you can only follow good password guidelines on one account, make it your email.

As for other sites, if you don’t want to go through and change all your security questions now, at least try one of these methods the next time you’re signing up for an account.

Intermission: LastPass FAQ

It’s been two weeks since my last post, when I suggested that you install LastPass and start collecting passwords from around the Internet into your account. If you did, good for you. Though I said I was going to go on in my next post, I’m actually going to take a short break to make sure that you have a chance to collect all your passwords.

If you haven’t yet, go ahead and read How to Use Better Passwords Without Losing Your Mind. Using a password manager isn’t necessarily fun, but it will save you an awful lot of grief in the long run.

What I am going to do this week is cover a few common questions and misconceptions I’ve heard.

What happens if I need a password and I’m not at my computer?
Although the convenient LastPass button is present only on computers you’ve installed it on, you can still browse to LastPass.com on any computer and log in with your username and password to copy passwords onto your clipboard if you need them.

Isn’t that a pain?
Yeah, it is. That’s why I don’t use LastPass for my email, Facebook, or Amazon accounts, since I often need to access those on other computers. Instead I have separate strong passwords for them (created with the same process that I described for coming up with a master password last week). On the odd occasion that I need to access a strange account from a public computer, it’s not such a big deal. You should probably do the same, once you’ve gotten all your passwords straightened out.

Can I use LastPass if I can’t change a password?
But I can’t / shouldn’t put that password into LastPass, because someone else needs to use it / the site has specific password requirements.
You absolutely can, and you should. You should put all of your passwords into LastPass, regardless of the situation. Simply putting your password into LastPass does not change the password or do anything to change your login or the website. It’s only when you later go through and change your passwords that, well, your passwords change. On the other hand, if you put the password into LastPass, you won’t forget it, and you’ll likely get it off an insecure medium like a sheet of paper. Besides, it just makes sense to keep all your passwords in one place.

There’s an obvious corollary to this: Remember to change your passwords once you’ve gotten them all into LastPass. If you don’t, you’re not much more secure than you were before.

So I’m more secure now that I’m using LastPass?
No, you need to change your passwords first. Using LastPass (or any password manager) is a great first step and a crucial one in securing your logins, but just having a LastPass account and saving your passwords to it does nothing to make you more secure. Saving your passwords in LastPass is the equivalent of writing down your (insecure) passwords and putting the list into a safe: nobody else can see your passwords, but they couldn’t anyway when they were in your head, and you haven’t made the passwords any more secure against guessing or automated attacks.

Once you change your passwords, you are more secure, since you now have random passwords. You could theoretically have accomplished that without LastPass, but in practice you would be unable to remember those passwords without it.

But will I have to pay for LastPass?
Unless you want to use a mobile version or certain two-factor authentication devices, no. You can get the premium version if you want (it’s only $12 a year), but most people don’t need to, and you certainly don’t have to pay just to try it out.

But I shouldn’t put my financial information in here?!
Is this actually secure?
Can’t someone read this?
Your credit card number is far more secure in LastPass than it is on your credit card. A pickpocket could easily steal your wallet while you’re walking by, and a waiter or store clerk could easily memorize or write down your information for use in the normal course of their job. Or you could simply drop your credit card on the ground and someone could pick it up. Your credit card is really a horrible method for storing your financial information.

In contrast, your LastPass database is encrypted with some of the strongest available encryption techniques. Nobody at LastPass can read your database, since it’s encrypted in the browser that you use to access it. Because of the encryption, even if someone succeeded in stealing the databases of every LastPass user from the server, they would be unable to read them. And it would take trillions of years for our present computers to break the encryption.

The only real hazard is someone sitting down at your computer and using it while you’re logged in (which is not any easier than grabbing your credit card). If you’re paranoid about this, you can check the “reprompt” box in a password’s “edit” screen. This requires LastPass to reprompt for your password before filling it in or showing the password, ensuring that even if somebody uses your computer while you’re logged in, they can’t get the really important passwords.

Obviously, this applies equally to all forms of financial and sensitive information—even though it’s being sent over the web (securely, via HTTPS and SSL, mind you), it’s still more secure than it would be in basically any other system, and certainly any system that you would ever use for storing it.

LastPass: How to Use Better Passwords Without Losing Your Mind

Last week (well, last post—I never got around to publishing for the last two weeks) I talked about why passwords are getting easier than ever to crack. If you haven’t read that article, you should read it now, because if you don’t, you’re going to give up before you get through this article.

Yes, I told you it wouldn’t be too easy. Well, it’s not exactly difficult, but it means an hour or three of work for you. But guess what: that’s a lot less trouble than you’d have to take if somebody got into one of your accounts and started screwing up your life. And given how easy it is now, it’s no longer a crazy, improbable possibility.

Besides keeping your passwords safer, LastPass can help you in other ways as well. It can fill out forms for you (of course, there are other tricks for doing this faster as well). It can keep track of what accounts you have on the Internet, which might seem unimportant but is really nice when you visit a site you vaguely remember and can’t recall whether you already set up an account there. And guess what: you’ll never again sit at a username and password prompt and have no idea what to type in. It may be a small annoyance, but the more small annoyances you fix, the better your life will be.

Here’s how to get going and secure your life. I’m going to take you through some steps that may seem paranoid, but will greatly increase the likelihood that you remain secure not just now, but in the future. (For instance, a strong twelve-character password may be acceptable now, but in five years it may not be anymore. Therefore, I recommend a twenty-character password or better.)


1: What Is LastPass?

LastPass is a browser extension that acts as a password manager. It adds a small LastPass button and right-click menu to your browser somewhere, as well as prompting you to autofill a password when you visit a page containing a login form:

The Firefox LastPass extension. In this screenshot, LastPass has been set to autofill the password into this site—all you have to do is click Login. The LastPass button is circled in the upper-right-hand corner.
The Chrome LastPass extension. It's very similar to the Firefox one. In this screenshot you see LastPass prompting you to fill in the login information rather than automatically filling it (this happens the first time after you enter a site and if you have multiple logins for a site).

LastPass can synchronize your data across multiple computers using the browser extension, so you can use LastPass at home, at work, and on your tablet or smartphone. You can also log onto the LastPass website if you need to access a password from a different computer (you can’t autofill, but you can copy and paste your password, which is good enough for occasional use).

However, you’re not giving your passwords up to LastPass for this convenience. All your data is encrypted on the client side, which means the browser on your local computer deals with everything. The folks at LastPass can never access your data, no matter if they’re curious, get hacked, or have a court order to retrieve your passwords. And the encryption would supposedly take trillions of years to crack with current computers—even if that’s a high estimate, nobody is getting to your passwords anytime soon. (LastPass has a nice page about their security, but I can’t seem to find it right now. If you’re still worried, try to find it, and if you do, post the URL in the comments for me.)

Unless you have an amazing memory or love sitting around memorizing strings of characters, you need a password manager to be fully secure in today’s world. If you don’t want to use LastPass for whatever reason, poke around the Internet and look for a different one (I don’t know of any other ones that can synchronize across the Internet, although you can still sync them using Dropbox or a similar service). Some popular ones include KeePass(X), RoboForm, and Password Safe. The rest of this article will focus on LastPass because I find it to be the easiest to use and most feature-rich.

2: What LastPass will not do

LastPass does not work miracles. It is a useful tool that helps you keep track of secure passwords, but simply getting a LastPass account will not magically increase your security. (This seems to be a fairly common misconception.) For it to work properly, you need to do a few other things:

  • Use a strong master password (and, preferably, two-factor authentication). If your password is “password,” all the security measures in the world will be useless.
  • Get all your passwords into LastPass’s database. If you don’t know where you have accounts on the Web, it’s going to be difficult to secure them.
  • Once you have them gathered together, change all your passwords to something more secure, ideally randomly generated.
  • Don’t do anything stupid. Don’t leave your LastPass account logged in on a public computer, write your master password on a sticky note on your monitor, or anything else. Common sense applies.

Ready to start? It’s probably best to wait until you have about forty-five minutes free to do the initial steps.

3: Choosing a Master Password

Before you create your account, you should choose a master password. If you’ve never made a strong password before, this is probably going to cause a few hangups for you. Your master password should be at least twenty characters long. Twenty-five or more is better.

There are a lot of different ways to get a good password. The one I typically use is to pick two or three phrases or words (randomly, using whatever inspiration you want) and string them together, often with some sort of numbers and/or punctuation in the middle. If you do this, it doesn’t matter if one part of the password is fairly guessable by itself—the strength is provided by the fact that two completely random things have been joined.

Here’s one of mine as an example (I don’t use it anymore, of course): 1-stuffed-gnu:no-evil-wo-vim

The second part of this password comes from the phrase “You can’t spell evil without vi.” If you don’t know anything about Unix/Linux, you probably don’t get it—which is all the better, because it demonstrates that most people probably wouldn’t even guess the original phrase, without my modification and the first part. The first part is a reference to the fact that gnus are related to *nix and can be remembered by thinking “the gnu is saying the following phrase.”

I could make this password even more secure without too much loss in memorability by capitalizing a random letter or two: 1-stuffed-gnU:no-evIL-wo-vim, or, slightly less secure in terms of guessing but useful if I needed a bit more help to remember, 1-stuffed-gnu:no-eVIl-wo-VIm. I could also add another number somewhere: 1-stuffed-gnu25:no-evil-wo-vim. (The 25 translates to “nose” in my modified version of the Major System, so I could remember this as “stuffed gnu nose.”)

If you don’t like my technique, another good one is using the initials of a phrase. Don’t pick a common phrase or a phrase from well-known literature (if you pick a Bible verse, for example, it is quite easy for a dictionary cracker to try every single verse in the Bible in just a few minutes). You should combine this with something else if you want a 20-character length. Names and birth dates work well when used in combination with something else. (Using only a name with a number after it is a recipe for disaster: cracker programs are available that can hack all common name+number combinations in only a couple of minutes.) You can hunt around the Internet for other good techniques; just be sure to take the sources with a grain of salt (if somebody on Yahoo Answers tells you that a six-character password of your initials repeated twice is a good password, they’re wrong).

“But I won’t remember this password!”

You can really remember pretty much any password of reasonable length, no matter how insane it is. The only thing you have to do is use it. If you enter your password enough, you’re unlikely to forget it, and if you do it even more and you’re a touch-typist, it’s likely the password will even be engraved into your unconscious memory—you can type it without thinking about the words. When I create a new master password for any encryption or password software, I type it ten times right afterwards, ten times later that day, and ten times the next day. As long as I use it regularly after that, I’ve never had trouble remembering my password.

You also get a password hint to help you out; see two paragraphs down.

If you really feel you need to, write down your master password and put it in a safe place. (If you usually keep your wallet with you, it’s probably pretty good—if you lose it, you should notice and have a chance to change your password.) After a few days, once you’re sure you know your password, it’s best to destroy it or put it somewhere really inaccessible, like a safe deposit box.

That said, keep in mind that there is no way to recover your LastPass master password if you forget it (remember that LastPass can never see your data?). This is of course the sensible way to handle information this secure, but most of us are so used to clicking the “Forgot your password?” link that we take it for granted that we can recover passwords anytime we forget them. However, while you can’t reset your password if you forget it, you can provide a password hint that will be emailed to you if you click the “forgot password” link. Since nobody but you will ever see this unless your email account is hacked, you can safely describe the parts of the password (for my example+numbers password, I could say something like “speaker’s nose: evil vim”). Chances are very good that that will be plenty to jog your memory.

At the end I’ll also talk about backing up your password list, so that even if you do forget your master password you won’t be totally screwed.

4: Signing Up

Phew, we’re 1500 words into this article and we haven’t even created an account yet? Don’t panic; in my experience the master password is usually the biggest mental hurdle for new users to overcome.

You can sign up for a LastPass account in several ways, but if you use this referral link both you and I get a free month of LastPass Premium.

Scroll down to “create your account” and fill in your email address, your shiny new master password, and a password hint, as described in the previous section.

You can uncheck “Keep a history of my logins and form fills” and/or “Send anonymous error reporting data…” if you’re really paranoid, but otherwise they should be fine. You do have to check the first two boxes, though. If you picked a good master password, the bar will probably be full.

In case you didn't get the warning that there's no way to recover your password yet, here you are. Take heed of the warning but don't do anything stupid because of it, like writing your password on a sticky note and putting it in your desk drawer.

Click the Download LastPass button and proceed through setup. This step will be different for each operating system and browser, so I won’t walk you through it (it’s not difficult). At some point during the process, you will be prompted to import all “insecure” passwords that are currently stored in your browser’s memory. You should accept this offer and the one to have them deleted from the old storage, as they’ll be safely retained in your new LastPass Vault. You may be shocked to discover how easily LastPass can tell you exactly what all those passwords are—that’s why it’s not a very good idea to store your passwords there!

You may need to restart your browser(s) to install the LastPass extension(s). (If you have multiple browsers, the extension should have been installed in all of them.) After you see the LastPass button (an asterisk with a black background, or a red background if you’re logged in) in your browser, you can click it to log in. There are two screenshots way up at the top if you’re confused.

5: Getting Your Passwords Into LastPass

Adding a new password to LastPass is easy:

Step 1: Go to the site you wish to add and sign in as normal.
Step 2: LastPass will display a bar at the top of the screen (the color depends on your browser and theme settings) asking you if you want it to remember this password. Click Save Site.
Step 3: Name the site and select a group. If you don't care much for organization and don't have too many passwords, you may choose not to group your passwords and just use the URL of the site. I, on the other hand, have nearly 100 entries in my LastPass database (not all of them are websites), so I organize things carefully into groups and give them friendlier names.

The only difficult or annoying part of this process is that you have to repeat it for all the accounts you have on the Internet. The easiest way is to take about a two-week-long break at this point. Every time you want to sign into a website, make sure you’re logged into LastPass (the icon will be red), then log in and make sure to click the “Save Site” button. For now, you’re done—go ahead and put continuing this on your calendar for a couple of weeks from now. Just don’t forget to keep adding those passwords (and don’t forget to come back or you won’t be any more secure than you were before).

If you want to speed the process up, there are a couple tricks. Obviously, if you currently have a pad of paper or a Word document containing a long list of passwords (shame on you), that’s a pretty good place to start. Another trick is to search your email for terms like “account” or “password reset” to remind yourself of what websites you have accounts with (since most websites send service messages to your email, as long as you archive your email this should work fairly well). It’ll probably be months before you have every website in your database, but as soon as you have a fair number of the ones you use frequently, you can proceed on to the next step.

6: Changing Your Passwords

Did you take a good break to find some of your accounts? Good. If you haven’t done it yet, it wouldn’t hurt to try some of the tricks in the paragraph immediately above, like searching through your email or password files. (If you haven’t added one to your database yet, just go to it and log in.)

Although you now have a nice, neat, comprehensive list of all (most of) your accounts and passwords, you’re not any more secure than you were when you started, even though you have a nice fancy password manager. In order to increase your security, you need to change the passwords.

Changing a password can be a bit of a challenge at times; it’s not always the most accessible option. (On one memorable occasion, I had to resort to an eHow article to figure out how to change my Comcast email password.) Fortunately, LastPass has a handy feature to help you out: the security check. The security check runs through your passwords and gives you a report of which passwords are duplicates and which have low strength. To use it, simply open your vault (LastPass button → LastPass Vault) and click the “security check” link on the left-hand side, then click the huge “Start the Challenge” button.

You’ll get a big score (90.1% in my case), a rank, and a short list of the criteria that it used to determine your score. That’s good for seeing how generally secure you are, but the real meat is underneath, where there’s an exhaustive listing of all your LastPass accounts, their strength, which have duplicate passwords, and (if you enable it) the exact plaintext password of each. Here’s a small snippet of mine (usernames blurred for security):

Sometimes you get a terrible rating on an account with a password that you can't change (for instance, on the top one, the username is the real password, as it's a string of random numbers, while the password is the first two letters of my last name). But most of the time, a low score indicates that you have a poor or duplicated password.

When you see that you have a poor rating on a site, you should click the “visit site” link, log in, and find the “change password” option. I’ll change my Amazon password because it’s currently a duplicate (though a strong password).

When changing a password, LastPass helpfully offers to fill both your current password and a new password.

After reaching the password change page, click “fill current” to enter your current password. Then click “Generate” to bring up the “Generate Secure Password” dialog box. A random password is about as secure as you can get: there’s no way to guess it aside from brute force. You probably can’t remember it, but that’s what your password manager is for—you only need to remember that one master password.

However, LastPass’s default settings really don’t produce a secure password. Here are my standard settings:

Here are good standard options. Your password length should be 20 or 25 (or more, if you want)—as there’s very rarely any need to type it, there’s little advantage in making it shorter. “Avoid Ambiguous Characters” is useful if you expect you’ll need to type it or copy it—it excludes characters like l, 1, I, and i, so that you won’t make errors because you couldn’t read the password.

Sometimes, though, you’ll encounter a website that imposes silly restrictions, like “the password must be exactly 7, 12, or 62 characters in length” or “the password must consist of exactly two numbers, two special characters, one composed of only straight lines and the other only curves, and thirteen consonants, alternately lowercase and capitalized.” (Okay, they’re not usually quite so bad, but sometimes they feel like it. Once I was trying to change my Yahoo password and was informed that my password could not contain any part of my first name. All well and good, but many moons ago I’d entered my first name as “S,” so my new password was not permitted to contain the letter s.) In this case, simply come back to this dialog box and fiddle with the options until they produce a password that meets the guidelines.

Once you’re done, click “generate” (the password doesn’t update to match your settings until you do), then “accept.” LastPass will fill in your new password. Click the accept or continue button on the website.

This final step is extremely important. After clicking accept, you will receive a notification bar that says “LastPass detected a password change….” Click “Confirm.” If you don’t, LastPass will continue attempting to log in with the old password and you’ll be unable to access the site. (The generated password is always saved as “generated password for x.com” until or unless you click save, so you’ll never completely lose your password and be locked out due to this. Keep that in mind in case it happens to you.)
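The generator dialog described above, as an added example (not LastPass’s code): it draws from a cryptographically secure source, drops the ambiguous characters the text mentions (the extra 0 and O are my assumption), and retries until whatever silly site policy you pass is met, rather than forcing a digit into a fixed spot.

```python
import math
import secrets
import string

# Characters the page says "Avoid Ambiguous Characters" removes (l, 1, I, i);
# adding 0 and O to the set is my assumption, not LastPass's documented list.
AMBIGUOUS = set("l1Ii0O")
SYMBOLS = "!#$%&*+-=?@^_"   # constructed symbol set for this example


def build_alphabet(use_digits=True, use_symbols=True, avoid_ambiguous=True):
    """Assemble the character set the generator may draw from."""
    alphabet = string.ascii_letters
    if use_digits:
        alphabet += string.digits
    if use_symbols:
        alphabet += SYMBOLS
    if avoid_ambiguous:
        alphabet = "".join(c for c in alphabet if c not in AMBIGUOUS)
    return alphabet


def meets_policy(password, min_digits=0, min_symbols=0, min_upper=0):
    """Check a candidate against the kind of site rules the text describes."""
    digits = sum(c.isdigit() for c in password)
    symbols = sum(c in SYMBOLS for c in password)
    upper = sum(c.isupper() for c in password)
    return digits >= min_digits and symbols >= min_symbols and upper >= min_upper


def generate_password(length=25, *, use_digits=True, use_symbols=True,
                      avoid_ambiguous=True, min_digits=1, min_symbols=1,
                      min_upper=1, attempts=10_000):
    """Draw from the OS CSPRNG (secrets) and retry until the policy is met.

    Rejecting and redrawing keeps every accepted password uniformly random
    over the set of policy-compliant strings; patching a digit into position
    N instead would add structure that a cracker's rules can exploit."""
    alphabet = build_alphabet(use_digits, use_symbols, avoid_ambiguous)
    if not use_digits:
        min_digits = 0     # a site that forbids digits cannot demand them
    if not use_symbols:
        min_symbols = 0
    for _ in range(attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_digits, min_symbols, min_upper):
            return candidate
    raise ValueError("policy cannot be satisfied with this alphabet and length")


def entropy_bits(length, alphabet_size):
    """Brute-force search space in bits. Each extra character multiplies the
    work by alphabet_size, the exponential growth the text refers to."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw), len(build_alphabet())):.1f} bits)")
    # a site that forbids symbols and insists on exactly 12 characters
    print(generate_password(12, use_symbols=False, avoid_ambiguous=False))
```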


If you follow these instructions, your passwords should be secure for the most part. It’s a lot of work, but the next time one of your passwords is compromised, you’ll be pretty happy. (I haven’t had a website lose my password information yet, but I have accidentally pasted my password into a live chatroom, twice. It’s a pain when you only use a couple of passwords and have to change them all in an afternoon.)

Next week I’ll talk about increasing the security on your LastPass account itself, as well as some more things you can do with LastPass (filling forms and storing software license keys). Additionally, I’ll discuss how to back up the contents of your LastPass account.

After the LastPass stuff is done, I’ll continue with security and talk about what you should do if one of your accounts is hacked. I’ll also deal with how you can protect yourself from other attack vectors that may allow people to bypass your passwords entirely.

Comments, questions, and problems are welcome.

Why Passwords Are Getting Easier to Crack

I’m going to do a security series over the next couple of weeks, inspired by last week’s post. This week I’m taking a look at an Ars Technica article I read today, called “Why passwords have never been weaker — and crackers have never been stronger.”

It’s a long article, but if you have a few minutes, I highly recommend it, especially if you’re interested in security. The most important thing to take out of it, though, is that password cracking is making extremely rapid advancements–the past couple of years have brought nearly as much new information to the field as all the rest of cracking history combined.

This is due primarily to an increase in password databases being stolen and cracked, which gives both security analysts and malicious hackers a prime opportunity to see what kinds of passwords people use in the real world. As a result of all the information, password dictionaries have gotten orders of magnitude more effective, making choosing a good password more important than ever.

And get this: what you thought was a “good password” almost certainly isn’t. Here are a few things that the bad guys are onto now (mostly sourced from the Ars article, with a bit of personal opinion and other general consensus in security fields included):

  • You know those websites that make you include a number and a capital letter (and maybe a symbol) in your password? Turns out those requirements really do essentially nothing, except perhaps annoying users and making them more likely to write down their passwords or otherwise store them insecurely. Nearly all capital letters are the first character of passwords; nearly all numbers and symbols are at the end of passwords. Most of the time, people just capitalize the first letter and stick a ‘1’ on the end. If they’re feeling more clever, they might change an ‘e’ to a ‘3’ or a ‘t’ to a ‘1’–all those substitutions are in the dictionaries too.
  • Shifting your hands sideways on the keyboard or going around keyboards in patterns are in any good dictionary now, too. The same goes for spelling words backwards or both directions. If you’re not sure whether your password trick is secure, here’s my personal rule of thumb: If you think you’re being clever, you probably aren’t.
  • A $12,000 computer called “Project Erebus” can crack the entire keyspace for an 8-character password in just 12 hours when run on a database that has been stored poorly (which is, unfortunately, most of the companies involved in data breaches lately). That means if your password is 8 characters or fewer, this computer will always get it in 12 hours or less, no matter what it is. 8 characters used to be a secure password (it still was when I wrote about passwords in 2009); now 8 characters is a terrible password (though still a good sight better than 7 or 6 characters, since password strength increases exponentially with each additional character). This computer is not particularly special; anyone with a few grand to spare and a bit of computer smarts can put together a few graphics cards into a solid password-cracking machine nowadays.
  • Average desktop computers equipped with good graphics cards can test about eight billion passwords every second against a file of encrypted hashes (those are what you usually get when you steal a password database from a company).
  • The average Web user has 25 accounts but only 6.5 passwords. In my opinion, reusing passwords is even worse than using bad passwords. And that’s despite the fact that just about everybody reuses their passwords at least occasionally. That’s because if somebody gets your password from one site, no matter if it’s “hu!-#723d^*&/”!q4,” they can get into your other accounts as well. If you have a bad password and it gets cracked, at least the damage is confined to that one site (unless it’s your email account, as described at the very end of last week’s post).
  • A large number of passwords consist of first names (or worse, usernames) followed by years. There are now dictionaries of names pulled from millions of Facebook accounts which can be used with programs that try appending likely numbers (such as possible years of birth) until a match is found. A good graphics card can crack your password in roughly two minutes if you use this type of password.
  • A number of attacks depend on the companies that store your data being stupid. For instance, there’s an easily implemented method called salt that makes cracking password databases far more difficult (and one method called rainbow tables completely impossible). It’s been around for years. And yet Yahoo, LinkedIn, and eHarmony, among other major companies, were caught dead without it when they lost password databases recently. The same goes for using better cryptographic hashes for storing password databases–using a good hash can make a database essentially uncrackable (2,000 tries per second as opposed to several billion), but most services still choose to use a poor one. Unfortunately, there’s not really anything you can do about this, other than contact technical support and boycott them if they don’t follow best practices (and given how bad the standards are, you can expect to not be using very many websites). You can, however, mitigate the possible damage by using a different password for every site so that you will have lost less if your password is cracked.
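To make the salt and slow-hash points concrete, here is an added example (mine, not from the Ars article or any of the companies named) using constructed accounts and a five-word “dictionary”: with unsalted SHA-1 every guess is hashed once and checked against all users at the same time, and two users who picked the same password are visibly identical; with a per-user salt and PBKDF2 the work multiplies by the number of users and by the iteration count.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two sharing a password,
# plus a tiny guess list standing in for a real cracking dictionary.
ACCOUNTS = {"alice": "sunshine1", "bob": "Password1", "carol": "sunshine1"}
WORDLIST = ["123456", "password", "sunshine1", "letmein", "Password1"]


def store_unsalted(password):
    """Plain SHA-1: fast and unsalted, the scheme the text blames the breached
    sites for. Equal passwords give equal hashes, and one precomputed
    (rainbow) table serves against every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_slow(password, iterations=10_000, salt=None):
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).
    The salt defeats precomputed tables and forces per-user work; the
    iteration count turns billions of guesses per second into thousands."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guess_work_unsalted(hashes, wordlist):
    """Dictionary guessing against unsalted hashes: each word is hashed ONCE
    and looked up for every account. Returns (cracked, hash operations)."""
    cracked, work = {}, 0
    for word in wordlist:
        work += 1
        h = store_unsalted(word)
        for user, stored in hashes.items():
            if stored == h:
                cracked[user] = word
    return cracked, work


def guess_work_salted(records, wordlist):
    """The same guessing against salted records: every word must be re-derived
    under each user's own salt, and each derivation costs `iterations` hashes."""
    cracked, work = {}, 0
    for user, record in records.items():
        for word in wordlist:
            work += 1
            if verify(word, record):
                cracked[user] = word
    return cracked, work


if __name__ == "__main__":
    unsalted = {u: store_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = {u: store_salted_slow(p) for u, p in ACCOUNTS.items()}
    print("alice == carol (unsalted):", unsalted["alice"] == unsalted["carol"])
    print("alice == carol (salted):  ", salted["alice"] == salted["carol"])
    print("unsalted work:", guess_work_unsalted(unsalted, WORDLIST)[1])
    print("salted work:  ", guess_work_salted(salted, WORDLIST)[1],
          "derivations x 10,000 iterations each")
```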

Now is a good time to remind yourself that two-factor authentication would help prevent anybody from logging into your account even if they cracked your password, isn’t it? Next week I’ll be back with some practical tips for making and using better passwords.

Security Advisory: You Should Use Two-Factor Authentication

Passwords are rapidly becoming less and less protective of your online information. And at the same time, we’re putting more of our lives online and standing to lose more from someone breaking that security. And don’t think it can’t happen to you: you probably heard about Wired writer Mat Honan, who recently had his Amazon, Apple, Gmail, and Twitter accounts hacked and his iPhone, iPad, and MacBook all wiped with no backup—because the hacker thought his Twitter username was cool.

Two-factor authentication is an easy way to add a great deal of security to accounts that support it without really losing much. In Mat’s case, he would never have lost all his data had he had two-factor authentication enabled on his Gmail account, and he urges everyone to turn it on. Here’s why (and how to do it).

What exactly is two-factor authentication? In its most common usage, it means that logging in requires not only a password (in security speak, “something you know”), but also an item with some sort of cryptographic key or other code (“something you have”). This item can take the form of specialized hardware such as a smart card or a device that displays randomly changing numbers, a flash drive, or a decidedly low-tech sheet of paper with one-time-use numerical codes printed on it. It can also be a smartphone app or a server that distributes codes via text message or phone call, which is the simplest to implement for average users and the method I’m focusing on in this article.

Two-factor authentication works really well with very little sacrifice on the part of the user. If you’re using two-factor authentication, if somebody gets your password, you’re not screwed yet—they still have to get hold of your phone. In the case of Mat’s recent hack, the hacker never knew him personally, so he would have had no chance at his phone or list of backup codes—both physical objects—making the rest of the damage he did impossible. (Furthermore, depending on his settings, Mat might well have received a random text message with an authentication code—a dead giveaway that somebody had tried to access his email account.) And it’s not a major inconvenience to you. With many services, like Google, you don’t even have to do anything different on computers you use regularly; you just use them once and check a “remember” box. On other computers, you simply have to take fifteen seconds to pull out your phone and type a number into the computer. It’s a pretty small price to pay for making it nearly impossible for a random stranger to destroy your online life.

I was one of the first wave of people who signed up for two-factor authentication at Google when it was first released. I’ll freely admit I thought it was a gimmick and paranoia when I did, but I thought it couldn’t hurt. But with the latest batch of password database cracks and now this widely-publicized Mat Honan business, I think the world is changing. Passwords just aren’t enough anymore, even good ones—a good portion of break-ins now don’t even involve cracking a password, they involve stealing passwords from somewhere, using weak password reset or security question vulnerabilities, or tricking customer service into letting you into someone else’s account. Those are all things which you can’t control, except with two-factor authentication.

Nowadays I think everyone should enable two-factor authentication right now. A few minutes now just might save you an awful lot of trouble later!

With Google accounts, you can have codes texted to you or delivered by voice call when you need to log in, or you can install a smartphone app called Google Authenticator which works even when you’re offline. In case you need to log in when you have a dead battery or no service, you can print out a list of single-use backup codes and keep it in your wallet (you could even memorize one in case you’re stuck without even your wallet). They’ve really covered just about everything at Google.

Here’s how to enable two-factor authentication on your Google account.

  1. Log into your Google account if you’re not already logged in.
  2. Visit http://accounts.google.com. If it’s been a while since you logged in, you may have to confirm your password.
  3. Click the Security link on the left.
  4. Next to “2-Step Verification,” click Edit.
  5. Click “Start setup” and give your phone number if it’s not already on file in your account. You’ll receive a text message (or call, if you’re using a landline or SMS delivery isn’t working) with a code to confirm your phone.
  6. Check the box if you want to “trust” the current computer, which means that you won’t need to enter codes on it. This way, you only have to bother with verification codes if you’re on a computer other than your own, safe computer.
  7. Click Confirm to activate two-factor authentication.

Here are a couple of things you may want to check (and things to keep in mind now):

  1. On the overview page, it is wise to provide a backup phone number and print (or write down) the list of backup codes. The codes are useful, as mentioned, if you’re without your phone or without use of it. It’s a good idea to make the backup phone a landline, as you can lose a cell phone for a while and be stuck locked out, but it’s pretty hard to lose a landline number.
  2. If you have a smartphone or iPod Touch, you can investigate the “mobile application” (Google Authenticator in your device’s app store) to make logging in even easier.
  3. If you use apps that access your email, you may need to set up “application-specific passwords,” as many apps can’t accept two-factor verification. Google simply generates a special sixteen-letter password for use with only that app; if someone gets into that account or steals that device, you can simply revoke the password from your accounts page (leaving everything else untouched and fully operational). You cannot log into the main Gmail web interface with an application-specific password.
  4. At the bottom of the page, you’ll notice that you can forget all other trusted computers, just in case you think someone managed to get a computer trusted with your verification code or you accidentally checked the “trust” box when logging in on a computer you don’t actually trust.
  5. Before you log out, it would be wise to open a new incognito window or a different browser and double-check that you can log in properly, just in case there’s somehow something wrong with your phone setup.
  6. If somebody ever gets your password, or another site where you used the same password has its database cracked and that password ends up on the internet, you should still change your password (it’s essentially only one-factor authentication until you do), but you’re safe for the moment.
  7. If you lose your phone, simply log into accounts.google.com and deauthorize your phone (you can use a backup code or your backup phone if you’re locked out because your phone is missing). If you get it back or you get a new one, you can just add it back in.

You can also use two-factor authentication on Facebook, LastPass, and a growing number of other popular applications—it wouldn’t hurt to investigate, especially on accounts you care about keeping secure. (UPDATE: Yahoo Mail and Dropbox have recently added two-factor authentication options as well.) It’s especially important, however, to have good security on your email account. Why? Think about what you do if you need to reset a password. On nearly all websites, you enter your email address and have a reset link sent to your email account—the one you used when you set it up. If someone gets into your email account, they essentially have a free pass to all your other online accounts.

If you have problems with or questions about two-factor authentication, I’d be happy to help you in the comments—I’m surprising myself with how strongly I’ve started to believe that this stuff is important.

How to Tell if a Web Site is Legitimate

Ever gotten an email like this one?

I often wonder how many people are actually big enough suckers to respond to these emails. It must be a surprising number, whatever it is, because we wouldn’t be getting them if there wasn’t some money in it.


Unfortunately, a lot of phishing scams are much more subtle. And that’s when even the most seasoned Internet users can accidentally type their login information (or even credit card information, Social Security number, and so on) into a fake form. It hasn’t happened to me yet, but I’m quite aware that it might.


I got sent a link to an enlightening quiz a few days ago. There are several things that you should watch out for to determine if a website is real or fake (if you look at the examples in the quiz, you’ll see the first two things, and the other two don’t really need screenshots, so I won’t take any):
  • Check the URL in the address bar. Every modern web browser puts the actual domain name (like google.com) in bold. This is because sometimes scammers create URLs that look like this: http://7436et.kjfgk.com/ebay.com/login/7463e8et.php. Then people look at the address bar, see “ebay.com,” and figure that it’s legit. So remember: the part that’s in bold is the only part that matters.
  • Check for a security certificate. If you’re being asked for sensitive information, the connection should always be encrypted, which will be signified with a small lock icon and sometimes the company’s name next to the address bar. SSL (the encryption system used for web browsing) is a really complicated topic, but basically, if you don’t see that icon, beware, and never, ever enter your financial information into a page that doesn’t have the lock. (Some legitimate websites have login pages that are unencrypted but then send your login information over an encrypted connection when you actually press Submit.)
  • If the website doesn’t look quite like the login screen usually does, beware. If at all in doubt, play it safe: close that tab, open a new tab, type the website’s URL into the address bar, and start again from there.
  • If you’re clicking a link in an email, check the status bar before you click. Just hover your mouse over the link and look in the very bottom-left corner of your browser, and you should see the URL displayed. Make sure it’s what you were expecting.
The biggest problem is not determining whether a website is real or fake when you’re suspicious–these four steps should catch just about every phishing attack out there. The real problem is remembering to check. Make it a habit to glance over and check the URL and the lock icon before entering any sensitive information, and if you’re ever asked to log in to a website when you weren’t expecting to (for instance, you click a link on Facebook and are presented with a login screen, even though you were already logged in), be sure to take a long, hard look.
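The first two checks above, done the way a browser does them, as an added example of my own: it pulls the real host out of the address, compares the part a browser would bold against the domain you expected, and flags a brand name that appears only in the path or as a subdomain label. Taking the last two host labels as “the domain” is a simplifying assumption; real browsers consult the Public Suffix List.

```python
from urllib.parse import urlsplit


def registrable_domain(host):
    """The part a browser highlights in the address bar. Assumption: the last
    two labels, which is right for example.com-style names but not for
    suffixes like co.uk, where the Public Suffix List is needed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_url(url, expected_domain):
    """Return the reasons to distrust `url` as a login page for
    `expected_domain`; an empty list means the address-bar checks pass."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    actual = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("no TLS: this page would not show the lock icon")
    if actual != expected_domain:
        findings.append(f"real domain is {actual!r}, not {expected_domain!r}")
        # The brand name placed after the host is just decoration.
        if expected_domain in parts.path or expected_domain in parts.query:
            findings.append(f"{expected_domain!r} appears only in the path")
        elif expected_domain in host:
            findings.append(f"{expected_domain!r} is only a subdomain label")
    return findings


if __name__ == "__main__":
    # The lookalike address from the text, and a constructed legitimate one.
    for url in ("http://7436et.kjfgk.com/ebay.com/login/7463e8et.php",
                "https://signin.ebay.com/login"):
        print(url, "->", check_login_url(url, "ebay.com") or "looks right")
```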


If you haven’t taken the quiz yet, I’d encourage you to. After reading this post, you ought to get a perfect score.


Soren “scorchgeek” Bjornstad


If you have found an error or notable omission in this tip, please leave a comment or email me: webmaster@thetechnicalgeekery.com.


Copyright 2011 Soren Bjornstad.
Verbatim copying and redistribution of part or all of this article
is permitted, provided this notice is preserved.