World Password Day 2018

There really is a day for everything and today it’s World Password Day! With the beautiful weather we’ve been having lately you’re probably thinking about cleaning, gardening, and all of the other renewal-driven projects that this time of year brings. Though we’d rather be outside, spending a few minutes to “spring clean” your digital security is well worth it.

This is also a good time to remind yourself to be on the lookout for fraud – I’ve received email scams recently related to the Canada Revenue Agency and tax time. Stay alert, and don’t fall for it!

According to the annual fraud survey commissioned by the Chartered Professional Accountants of Canada, “more than seven-in-ten (71 per cent) of those surveyed agreed that they are concerned about identity theft.” Almost four in ten respondents fear their personal information has already been compromised! Protecting your personal information is important, but with so much of our lives online now, it can be difficult.

Having strong passwords (and password hints, security questions, etc.) and good password management practices is critical for protecting yourself. Unfortunately, too many people simply don’t pay enough attention to this. It doesn’t have to be difficult or time consuming to make some simple changes that will really make a difference.

Here are my tips!

Use strong passwords and change them semi-regularly

According to Troy Hunt, a security expert who built and operates Have I Been Pwned (more on that in a minute), most passwords are terrible. “In other words, 86% of subscribers were using passwords already leaked in other data breaches and available to attackers in plain text.” The top ten includes passwords like “123456”, “qwerty”, and the ever-popular “password”.

Don’t use those passwords! Instead, generate a unique, strong password for every account you use. There are plenty of tools to help you generate passwords that are strong and that match the varied requirements that different sites have (like length, special characters, etc.). Here’s the one I use from LastPass.

It’s important to use a different password for each account. That way, if one site is compromised, your credentials can’t be used to get into other sites too. It’s also a good idea to change your passwords once or twice a year, to decrease the likelihood of a compromise. Of course, if you know a service you use has been hacked, you should change your password there right away.

Get a password manager

With a different, randomly generated password for each account, how do you remember them all? You can’t. This is where a password manager comes in! Think of it like a digital vault in which you store all of your account credentials. Then instead of remembering each one, you only need to remember the master key that you use to get into the vault.

There are a number of good password managers out there like 1Password, Dashlane, and Passpack. I use and recommend LastPass. All of them provide tools to generate strong passwords, encrypt and store them, offer browser extensions and mobile apps to make logging in easier, and typically provide ways to securely share passwords with others. One of the cool features LastPass offers is Security Challenge, which analyzes your passwords and gives you a score along with step-by-step instructions on how to improve your passwords.

While there are pros and cons to each service and their various philosophical approaches to storing your data, I don’t think you should spend too much time worrying about that. You can get a more secure solution if you’re willing to do some work and give up some convenience, but if it becomes too cumbersome to use, then what’s the point?

Use a passphrase for your password manager

With a password manager you only need to remember one password – the one to get into the password manager! So you should make it as strong as you can. One way to do that, while still ensuring it is memorable and easy to type, is to use a passphrase instead. Whereas a password is a random list of letters, numbers, and symbols combined, a passphrase is more like a sentence, though it can still have those elements.

So a passphrase might look like: “trusted walrus shows off 500 petty limes”. I generated that using this Passphrase Generator, but there are plenty of other tools you can use. The key is to not use a phrase or sentence that is common or easily guessable. It should be nonsense! You can also consider running it through the Pwned Passwords tool to see if it has ever been exposed in a data breach.
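Here is how the Pwned Passwords check works under the hood, as an added Python example that is not from the original post or from Have I Been Pwned: the service answers a k-anonymity range query, so only the first five hex characters of the password’s SHA-1 are sent, and the rest of the match is done locally. The range response body below is constructed for the example (the counts are made up); a real check fetches it from https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib

# Constructed sample of what a Pwned Passwords "range" response looks like:
# each line is "<35 hex chars of SHA-1 suffix>:<count>". In the real service
# the body comes from https://api.pwnedpasswords.com/range/<first 5 hex chars>;
# only that 5-character prefix ever leaves your machine. The counts below are
# made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Return how many times the password appears in the range response
    (i.e. in known breaches), or 0 if it is not listed."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        listed_suffix, _, count = line.partition(":")
        if listed_suffix.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "trusted walrus shows off 500 petty limes"):
        prefix, _ = sha1_prefix_suffix(candidate)
        n = breach_count(candidate, SAMPLE_RANGE_RESPONSE)
        print(f"{candidate!r}: prefix sent = {prefix}, seen {n} times")
```

Running it matches “password” against the sample body while the passphrase is not listed. Neither the password nor its full hash leaves the machine, which is what makes it safe to check real passwords this way.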

Don’t use real answers for security questions

So now you have strong passwords and a password manager to help you organize them. The front door to your digital home is secure, but what about the back door or the side doors? Many sites will require you to set some security questions in case you forget your password or sometimes to confirm you are who you say you are when logging in from a new location. Don’t answer them!

Well, don’t answer them factually. Instead, generate a new random response for each question and store them in your password manager! This way, if an attacker figures out your mother’s maiden name or your favorite school teacher or your first car, the information won’t help them break into your accounts.
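The two pieces of advice above, a generated passphrase for the master password and random answers for security questions, as an added Python example (not the original post’s code, nor the generator it links to). The wordlist is a constructed 16-word stand-in; a real generator draws from a list of thousands of words, and the entropy function shows why the list size, not how odd the words are, is what makes the phrase hard to guess.

```python
import math
import secrets
import string

# Constructed mini wordlist for the example. A real generator uses a list of
# several thousand words (the EFF long list has 7776); the entropy figures
# scale with the list size, which is why that matters.
WORDLIST = [
    "trusted", "walrus", "shows", "off", "petty", "limes", "copper", "lantern",
    "orbit", "velvet", "quartz", "meadow", "pixel", "saddle", "thistle", "yonder",
]


def passphrase(words: int = 6, wordlist=WORDLIST, with_number: bool = True) -> str:
    """Pick words uniformly at random with secrets (a CSPRNG), optionally
    inserting a random 0-999 number at a random position, as in the example
    phrase above."""
    parts = [secrets.choice(wordlist) for _ in range(words)]
    if with_number:
        parts.insert(secrets.randbelow(len(parts) + 1), str(secrets.randbelow(1000)))
    return " ".join(parts)


def passphrase_entropy_bits(words: int, wordlist_size: int, with_number: bool = True) -> float:
    """Entropy of the phrase if the attacker knows the generator: log2 of the
    number of equally likely outputs. Six words from a 7776-word list give
    about 77.5 bits before the number is added."""
    bits = words * math.log2(wordlist_size)
    if with_number:
        bits += math.log2(1000) + math.log2(words + 1)
    return bits


def random_answer(length: int = 20) -> str:
    """A random 'answer' for a security question, to be stored in the password
    manager instead of the real mother's-maiden-name style fact."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(passphrase())
    print(f"{passphrase_entropy_bits(6, 7776):.1f} bits from a 7776-word list")
    print(random_answer())
```

The number is inserted at a random position rather than always at the end so the position itself adds a little entropy; the important term is still `words * log2(wordlist_size)`, which is why a four-word phrase from a tiny list is weak no matter how strange the words look.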

Turn on multi-factor authentication

Another thing you can do to improve your online security is to use multi-factor or two-factor authentication wherever possible. This means that in addition to your username and password you need another piece of information to log in, usually a generated code of some kind. Most of the big sites like Facebook and Google support this, and it only takes a few minutes to enable. If you have the option of using SMS or an app, go with the app. I recommend the Microsoft Authenticator app, which you can download for Android, iOS, and Windows Phone.

You can see a full list of websites that support two-factor authentication here. If nothing else, turn this on for your email accounts (Gmail, Outlook, etc.) and Facebook or any other site you often use to login to other sites. Of course, you should also enable this for your password manager!

Get educated and stay informed

Once you have done the above, stay informed. It doesn’t have to be all boring technical stuff; a lot of great information has been made available that is much more accessible. Here are some suggestions:

That’s it! Happy World Password Day – stay safe!

Get your digital house in order for 2015

Maybe you make new year’s resolutions, maybe you don’t. Either way, a new year always brings the feeling of starting fresh! That thing you’ve been putting off? Now’s the time to wipe the slate clean and tackle it. With that in mind, here are some tech-related things you might consider starting 2015 with.

Back up your stuff

It’s always a good idea to back up your stuff regularly, and now’s as good a time as any to set this up if you’ve been putting it off. Any backup strategy is better than no backup strategy, but ideally you’d have multiple copies of important data, stored locally and in a remote location. Have some really important stuff? Put it on a USB drive and stick it in a safe deposit box. For most data though, a combination of a local drive and the cloud is probably the way to go.

Backblaze 2.0 (fisheye) – photo by ChrisDag

I have been using Backblaze for a couple of years now. For $5 per month or $50 per year, you get worry-free, unlimited backup. You simply install the software on your computer (Windows or Mac) and Backblaze will send everything up to the cloud automatically. You don’t need to worry about choosing specific folders to back up, and everything is encrypted. If you ever need to restore something, there are three options: you can download a zip file for free, you can pay $99 to get up to 128 GB sent on a USB flash drive, or you can pay $189 to get up to 4 TB sent on a hard drive. If you’ve ever lost something important, I think you’ll agree that Backblaze is totally worth the price.

Store stuff in the cloud

Related to the backup task, now’s a great time to take advantage of cloud storage. If you save stuff to the cloud regularly, I think you can worry about backing it up a little less. Saving data to the cloud is like backing it up immediately! You’ve probably been exposed to Dropbox and that’s a fine service but I’m a big fan of OneDrive.

With Dropbox you only get 2 GB of storage for free, but with OneDrive you get 15 GB and it’s really easy to earn more (and as an Office 365 subscriber I get unlimited storage). OneDrive supports Windows, Mac, Android, iOS, and Xbox. I use it for everything, especially OneNote as I wrote about last year. I can’t recommend it enough!

Another service to keep in mind is Mover. They’re a local company, and their service can help to migrate your data from one cloud storage provider to another. That might be useful if you plan on testing a few out. You could also use Mover’s backup service for $4 per month. Another great addition to your toolkit!

Get organized

Are you a to-do-list person? Maybe you like sticky notes? Spreadsheets? There are countless ways to organize your tasks and ideas, and I have tried my share of them. But over the past year, I’ve found that Trello works best for me.

Trello is the right combination of simplicity and power. You can create boards, which contain lists, which contain cards. You can then move cards from list to list. A typical setup will have “To Do”, “Doing”, and “Done” lists. And let me tell you, moving a card into that “Done” list is super satisfying! Trello works across devices and platforms, has a great responsive website, and is free!

A local service that you might use in a similar fashion is Stormboard, which provides a shared, real-time sticky note whiteboard. It’s a great tool, focused mainly on collaborating with others (which Trello can do too). Check out the tour to see all that Stormboard can do.

If more traditional task lists are your thing, then I’d recommend Remember the Milk. The service has been around for 9 years already, which feels like an eternity in the web space, but it’s still here because it is excellent. It too works across devices and services, and has a pretty advanced set of features.

Improve your security

Security was a big topic last year and will continue to be in the headlines this year. It can seem incredibly daunting to try to protect yourself in the post-Snowden world, but here are two really important things you can do.

First, stop using the same password for everything. In the security world people often talk about “attack surface”, and a different password for every website you use really decreases your attack surface. If one service is hacked and you use the same password everywhere, then all of your other accounts are vulnerable too!

If you only use one or two websites, it’s easy to remember a different password for each. But more than likely you use dozens of services. That’s where a tool called a password manager comes in. I use LastPass because it works across devices and uses strong encryption to keep my data safe (I have used Passpack in the past too). When I sign up for a new website or app, I add it to LastPass and use a strong password that it generates for me automatically. If I had to remember every password, I’d be much less likely to use a strong password (random combination of characters), so that’s another benefit of using a service like LastPass (I take it a step further and generate random answers to the very insecure password recovery questions too).

So, what happens if LastPass gets hacked? Good question. Certainly their approach to encryption is one level of protection, but two-factor authentication is another. And that’s my second security tip – enable two-factor authentication wherever possible!

Two-factor authentication (2FA) makes your accounts more secure by requiring additional information when logging in. Typically this is a code sent to you via text message or generated in a specific app, the idea being that even if someone had your password, they’d also need your phone to log in. It takes a few extra seconds when logging into a website or app, but it’s worth it. There’s an excellent list of websites that support 2FA here. For services that support software-based 2FA rather than text messages, you’ll need an app like Google Authenticator on Android or iOS, or Authenticator on Windows Phone.

Maybe you don’t want to enable 2FA on every site, but you should enable it on your email account at minimum (and get a new one if yours doesn’t support 2FA). So much of our identity and security online is tied to our email accounts, so it’s a critical area to focus on. Apple, Google, Microsoft, and Yahoo all support 2FA. I also use it on key social media accounts on Twitter, Facebook, and LinkedIn. Of course I use it on financial services like PayPal wherever possible too.

Back up your data, start using cloud storage, use an online tool to get organized, and take some simple steps to improve your security. All the best in 2015!

OpenID Connect

I’ve been doing some work with OpenID and OAuth lately, making use of the excellent DotNetOpenAuth library. I am pretty much a beginner when it comes to these technologies, but I have been able to get up-to-speed fairly quickly. I was a big fan of Facebook Connect, and I quite like the new Graph API too (which uses OAuth 2.0). Though it was easy to develop against, I think the biggest benefit of Facebook Connect was the excellent end user experience. It was consistent and simple.

In contrast, OpenID is a little more cumbersome, and a lot less consistent. The discussion on how to make it easier and sexier has been going on for a while now. It seems like some significant progress will be made this week when OpenID Connect is discussed at the Internet Identity Workshop. What is OpenID Connect?

We’ve heard loud and clear that sites looking to adopt OpenID want more than just a unique URL; social sites need basic things like your name, photo, and email address.

We have also heard that people want OpenID to be simple. I’ve heard story after story from developers implementing OpenID 2.0 who don’t understand why it is so complex and inevitably forgot to do something. Because it’s built on top of OAuth 2.0, the whole spec is fairly short and technology easy to understand. Building on OAuth provides amazing side benefits such as potentially being the first version of OpenID to work natively with desktop applications and even on mobile phones.

Chris Messina has some additional thoughts on the proposal here:

After OpenID 2.0, OpenID Connect is the next significant reconceptualization of the technology that aims to meet the needs of a changing environment — one that is defined by the flow of data rather than by its suppression. It is in this context that I believe OpenID Connect can help usher forth the next evolution in digital identity technologies, building on the simplicity of OAuth 2.0 and the decentralized architecture of OpenID.

It sounds very exciting – I hope OpenID Connect becomes a reality!

Alberta Budget 2010 website – security through obscurity

Tomorrow, Tuesday, is budget day here in Alberta. Like many Albertans, I am curious about what Finance Minister Ted Morton is going to deliver, so I started poking around online. First stop, last year’s budget, available at http://budget2009.alberta.ca/.

Seems logical that the 2010 budget would be at http://budget2010.alberta.ca. So I tried that URL, and was prompted with a login screen. First thing that came to mind was “administrator” and “password”. Voila:

Fortunately for Mr. Morton, the documents don’t appear to have been uploaded yet. You can see all the placeholders though, which is kind of funny. And it seems you can leave feedback.

It does reveal the theme of the budget, Striking the Right Balance. Last year was Building on Our Strength.

This is what is known as “security through obscurity”. It’s not really secure, it’s just hidden. I’d suggest that programmers working at the Government of Alberta invest in Writing Secure Code, a fantastic book on the subject.

I hope this isn’t a reflection of the budget we see tomorrow…cutting corners, etc.

UPDATE: Sometime around 9:45 AM today they changed the password, and I think pointed the virtual directory somewhere else.

UPDATE2: The Journal wrote about this today.

UPDATE3: The site is now officially live with all the budget documents. Enjoy!

Putting my New Year’s energy to good use

I’m not really a fan of New Year’s resolutions, though like many people I often feel re-energized at the start of a new year. Instead of putting that energy into a list of year-long tasks or goals that would inevitably be abandoned, I decided this year that I’d try to capitalize on that energy to accomplish a few things I often put off. I settled on three things: passwords, backups, and bills.

I feel pretty good about my strategy for passwords, with one exception – I don’t change my passwords often enough. Sometimes I get lazy and use an existing password when I sign up for a new site, but the important sites all have unique, randomly generated, strong passwords (well, as strong as they can be…I still can’t believe that banks don’t allow special characters and long lengths). It’s good security practice to change passwords regularly, but that never seems to happen. Over the last week, I’ve changed all my passwords. I started with the list of sites and services that I use regularly, and changed everything else as it came up. I’m sure there are a few that I’ve missed, and I’ll change them the next time I need to log in. It wasn’t as hard as I thought it would be actually!

The second thing I tackled was backups. Despite having pretty good systems in place to back up Paramagnus stuff, I don’t have a good process for my personal stuff. I still don’t, but I did manage to accomplish a few things. First, I bought a new hard drive and copied everything from my existing data drive onto it. I’ll store the old one somewhere safe now. Second, I backed up a bunch of stuff to Amazon S3. It’s inexpensive, fast, and easy. Lately I’ve been using CloudBerry Explorer; it’s a great app! I’m going to try to back up important data more regularly, but that’ll be an ongoing thing.

The final thing I did? I turned off paper bills. I logged into every site that I currently receive something in the mail for and found that almost all of them have a “go paperless” button buried somewhere in the interface (some call it “change notification options” or something similar). I typically shred bills as soon as they arrive anyway, so why receive them at all? I do everything online, and I have no need for the physical copies. Now it’ll really be a unique experience to receive something in the mail!

I’ve got a number of things on the go that require time and energy of course, but these were my “New Year’s tasks” if you want to call them that. Anyone else shun resolutions in favor of accomplishing something right away?

All browsers have security issues

You may have heard in the last day or so about a critical flaw found in Internet Explorer. Microsoft says that “the vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.” The risk is mitigated if you run an account with fewer privileges or if you run IE in the High security mode. As always, you should ensure your machine is up-to-date with all of the latest patches at Microsoft Update (you can also find downloads at the Microsoft Download Center).

Unlike most zero day exploits, this one is actually infecting systems fairly quickly. That’s probably why Microsoft decided to take immediate action. As the Zero Day blog points out:

Researching, fixing, testing, and releasing a security patch within an eight day window is an incredible feat — especially given the need to support all versions of IE across all platforms and languages.  This is an ‘all hands on deck’ response from Microsoft – I don’t think we’ll see this as the norm for less critical patches in the future as it is quite disruptive to their own processes.

Make sure you update soon! Like right now!

When a vulnerability like this is disclosed, a common suggestion is to install and use a different browser, such as Firefox. That’s not a bad idea, but don’t think that will solve all of your problems! All browsers have security issues. Yesterday, for instance, Opera released an update to address at least seven security vulnerabilities. And today, Firefox released updates to both versions 2 and 3 to patch roughly a dozen security holes. And no, Chrome and Safari are not off the hook – just two days ago, they tied for last place in a test of password security.

Always make sure you’re running the latest version with all patches installed, no matter which browser you’re using. On top of that, be careful, pay attention, and use common sense when clicking links and opening files.

Just use OpenDNS

Unless you frequent tech publications on the web, you’re probably not aware that a critical flaw in many DNS system implementations was found recently (DNS is what translates http://www.google.com into an IP address – learn more at Wikipedia). On July 7th, news of the design flaw that researcher Dan Kaminsky discovered started to spread. The next day, many vendors (including Microsoft, which hosted the press conference) participated in a coordinated release of patches. A few days ago the first exploit code started to appear, making it even more critical that DNS systems are patched soon.

As of today, many major ISPs are not patched and remain vulnerable. You can see if your ISP is vulnerable by visiting Kaminsky’s site and clicking the “Check My DNS” button on the right side.

Or, you can just switch your DNS servers to OpenDNS and be done with it. I came across OpenDNS on the day it launched two years ago, and have used them on some machines ever since. Turns out that OpenDNS is one of the few that were unaffected by this flaw:

I’m very proud to announce that we are one of the only DNS vendor / service providers that was not vulnerable when this issue was first discovered by Dan. During Dan’s testing he confirmed (and we later confirmed) that our DNS implementation is not susceptible to the attack that was discovered. In other words, if you used OpenDNS then you were already protected long before this attack was even discovered.

Switching your DNS settings to OpenDNS is really simple and takes about two minutes. To get started, just visit http://www.opendns.com/start and follow the instructions. Or if you know what you’re doing, then the nameservers you want are 208.67.222.222 and 208.67.220.220.

As always, make sure you have installed all of the latest patches for your computer (that would be Automatic Updates for Windows users).

Yahoo and Google become OpenID providers

The OpenID single sign-on project got a major boost this week when Yahoo announced it would enable its 250 million users to use their Yahoo logins for authenticating at OpenID websites. And just yesterday, Google announced that Blogger accounts can now be used as OpenID logins. OpenID is definitely gaining momentum.

So what is OpenID?

OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

You get to choose the OpenID Provider that best meets your needs and most importantly that you trust. At the same time, your OpenID can stay with you, no matter which Provider you move to. And best of all, the OpenID technology is not proprietary and is completely free.

It’s a really good idea, and works fairly well in practice. I think a major question new users will have is, which provider should I use?

See, I think most users have a Yahoo account and a Google account, and many others. There are tons of sites that act as OpenID providers. Which one should you choose? How do you decide which to use as your provider?

I guess it wouldn’t matter if you could combine them somehow. I don’t know enough about OpenID to know if that’s possible. Anyone reading this have any idea?

Read: OpenID

I'll say it until I'm blue in the face

There is no privacy on the web.

Early this morning, Robert Scoble’s Facebook account was disabled because he violated their terms of service by scraping data from the site. That caused a flood of posts from people saying that either Scoble was wrong or that Facebook got what it deserved. Most people siding with Scoble said that as he owns his data, not Facebook, he was in the right. He should be able to do with it whatever he wishes. Except that he doesn’t own all the data. Would his friends be happy to find out that he was taking their data elsewhere without their knowledge?

Not that it matters. It should be a non-issue. If everyone realized the truth – there is no privacy on the web – no one would be up-in-arms about the whole situation.

Sure there is something to be said about Facebook only sharing data when it makes good business sense for them to do so. Some might say that’s evil, others might say that’s business. Either way, it all boils down to privacy. Facebook gives you the impression that your data is secure, but it really isn’t.

There is no privacy on the web.

Scott Karp rightly points out that data is power. He suggests a war will be fought over control of data. I wonder though, if such a war can ever have a victor? Does Scoble own the data in his account? Does Facebook? What about his friends, don’t they own some of it? What about advertisers, surely they own some of it? Other companies? I think it’s a pointless battle. There’s far too much entanglement.

Forget trying to control the data. Let it flow freely. Forget trying to keep things secret. If there’s something that must be kept private, don’t post it on the web.

There is no privacy on the web.

Don’t fool yourself into thinking you’re safe. With each passing day we give up a little bit more privacy than the last. The bottom line is that we almost always choose convenience over privacy, whether we know it or not. There’s a reason that concepts like identity theft didn’t really exist a hundred years ago. We share more information about ourselves now than individuals did back then, and we think nothing of it. Of course, accessing and distributing that information is easier than ever too, thanks in large part to the Internet.

Everything you think you know about privacy in the physical world is meaningless in the virtual world. The rules of the game are completely different.

There is no privacy on the web.

Read: Techmeme

The Gatekeepers of Privacy

As you know, I don’t worry that much about online privacy. In fact, I think it’s a huge waste of time to be overly concerned about privacy on the web. I always keep two things in mind:

  1. There is no such thing as private information.
  2. If someone looks at information online and draws a negative impression about me, I have larger problems than privacy to worry about.

So far my strategy has been working fairly well. To my knowledge I haven’t missed out on any opportunities because of information about me found on the web – quite the opposite in fact.

For some reason though, I am fascinated by the worries and concerns of others when it comes to information privacy. And believe me, there are a lot of worriers out there. So many, it seems, that Global TV‘s troubleshooter looked at the security of Facebook and other popular websites last night (unfortunately they haven’t fully embraced the new web, and the video is not available on their site).

They contacted a local “hacking” firm, and asked them to review Facebook, Gmail, and other popular sites. The gentleman they spoke to couldn’t have been more cliché – long hair, super geeky, could be mistaken for a girl, you know the type. Anyway, they apparently spent over 30 hours trying to “hack” into Facebook and couldn’t get in. I just shook my head through all of this. They deemed Facebook “very secure”. Well, problem solved I guess, haha!

Then they spoke to a professor from the UofA (if I remember correctly) who said that living under the assumption that your information is safe is a dangerous thing to do. Finally someone smart! The segment then ended with the anchors asking each other if they were on Facebook (they aren’t, unfortunately). Oh and the suggestion that you should read the privacy policy of every site you visit (yeah, cuz that’s going to happen).

It doesn’t matter how secure Facebook is. Privacy is not about technology. If someone wants to find out something about you, they will. Social engineering, dumpster diving, and many other techniques are far more effective than trying to hack into a site like Facebook. More importantly, there’s no need to – just create your own Facebook account! Chances are, the person you’re interested in hasn’t adjusted their privacy settings anyway.

For its part, Facebook follows two core principles:

  1. You should have control over your personal information.
  2. You should have access to the information others want to share.

A respectable policy, no doubt. Here’s the problem though. Let’s say I give access to certain information only to my brother. No one else (in theory) can see it, right? Wrong. I can give my brother access to the information, but I can’t restrict him from doing something with it.

Technology is just a tool. People are the gatekeepers of privacy.