Wednesday, September 27, 2006

Password Pandemonium

I hate passwords. There, I said it. I'm a security guy and even I hate them. As a technological society, we should have advanced past the point where we need passwords for everything. But passwords are cheap to implement, the concept is easy to understand, and they work with any existing system that has an input device. For these reasons, they're not going away anytime soon.

So now that we've established the need for them, we might as well learn how to effectively manage and use them. My first password was "qwertyuiop" -- just the top line of letters on the keyboard. It was simple to type, it was easy to remember, and it wasn't a dictionary word. I thought I was doing pretty well coming up with that one. I guess everyone did when they came up with it too. The problem with this password is that it isn't unique (in fact it is fairly common) and it is easy to guess. I don't use that password anymore.

Instead, I use a three-tiered system of passwords. The tiers are based on the type of information contained in the systems. The three types of information that I have are public, private, and secret. Public information is that which is readily available to all, private information is that which I want to keep from all but my friends and people who know me fairly well, and secret information is information that I don't want anyone but myself to know. Other highly respected people use the same system that I do and feel perfectly secure doing it.

The first tier are systems like the Atlanta Journal-Constitution website, the New York Times website, and other systems where I only receive and never give information. Not only that, these sites contain only public information that is available to anyone. Not even my email address is stored there; I used one of the many anonymous email services to register. (I'll cover online anonymity in a later post.) In short, I use a simple, generic password here because it doesn't matter if anyone gets access. In fact, there are places where people register for a login and password then post it so that others don't have to bother.

For the second tier, I use a password that is more secure. This one I use for websites where I have some personal information, but only things that my friends, family, and several others already know about me. Things like my name, some pictures, my address and phone number, etc. But I would NOT use this password to protect financial information or any kind of information I wouldn't want anyone to find out about. This password is one that I only change once a year or so. These types of systems are ones that would merely be inconvenient if they were cracked, like an email account I use to chat with friends or online stores that don't store credit card info.

The third type of password I use is usually 20-60 characters long, mixed with numbers, upper and lower case letters, and special characters. These passwords guard systems that protect financial and private information. Systems like my bank account, my online bill-pay for my home utilities, my credit card website, and the email account that I use to get email from all of these systems. Each system has a unique password and each password is changed at least once every 90 days. These are systems where a loss of confidentiality would severely hurt my financials, my reputation, or be difficult to repair.

If all of this sounds extreme, it probably is. You probably won't ever lose personal information or have your identity stolen because someone cracks your password. These days, it is much more likely that the database itself will be broken into or that you'll have a keylogger installed onto your computer. But this is also the type of password system that I use at work, where the stakes are higher. At work, I'm responsible for keeping other people's secret information.

But believe it or not, there are simple ways to keep track of this stuff. First, you have to classify your information systems and figure out which ones you need to protect and at what level. First, it's best to look at any website where you have financial information, like your credit cards, bank accounts, credit union, investments, utilities, etc. Next, identify your second tier systems -- you may want to double check these to make sure that these don't have any financial information, like bank account emails, etc. If they do, you'll want to include them in the "secret" tier or get a new email account to receive your secret emails.

NOTE: You'll want to pick an email account that lets you login over an encrypted connection. This way, if someone manages to observe your communications with the website they won't see what you're actually seeing. All they'll see is an indecipherable data stream. I recommend hushmail for this.

Second, you'll need to come up with some passwords. For the first tier (public information) systems, you can use any password that you want. Use qwerty, 12345, password, or whatever you'll be able to remember. You might want to use something a bit more complex so that any website that checks for password complexity. Something like q1w2e3r4t5y6 might be good here. It's easy to remember, but will pass most complexity checks for public information websites.

You'll want to put more thought into your private information passwords. I'd recommend a very complex password, something with upper and lower case letters, numbers, and special characters. There are dozens of websites with password generators, advice on how to come up with strong passwords, and ways to remember them. Keep in mind that you'll only change this only once or twice a year, so even a long and difficult password will quickly be easy to remember. Passwords are usually committed to muscle memory after only a few uses, so that will probably mean that after a week or so, you won't be mistyping it anymore.

For the final tier, your secret information, you'll probably want to come up with a passphrase. A good passphrase will be several words long, have a couple of capital letters, punctuation, and numbers. A good passphrase will be nearly impossible to crack by brute force techniques, or even using rainbow tables! Passphrases can be easier to remember than passwords, though they might take more time to type. A good passphrase for your Hotmail account might be "I use 5 times a day!" This passphrase is 32 characters long, has 2 upper case letters, 1 number, and 8 special characters. This is very secure and very easy to remember. Make sure you have a different passphrase for each of these systems.

Alright, so now you've got your three tiers of passwords, but you may still have over a dozen passwords to keep track of. This is no easy task, even for very smart, security-minded people. In corporations, this can be a problem that costs millions of dollars per year when people flood the helpdesk with calls by employees who have forgotten their passwords. So somebody really smart invented a concept known as Single Sign On. The basic concept is that you only have to login once to access all of the systems needed for business.

But SSO isn't just for businesses. You can get password management utilities for your desktop that will automatically log you into websites. Firefox and Opera have this capability builtin, but they only work for websites. The two best password management programs out there for windows are Password Safe and KeePass. Password Safe was originally written by Bruce Schneier -- the guy who wrote the book on cryptography. Then rewrote it. That gives this program as much credibility as anything else out there. KeePass is another great program with a better user interface and more options. Either one of them is a great way to keep your passwords safe and even auto-login to applications and websites!

This has been a pretty long post, but it pretty much breaks down to this: passwords don't have to be burdensome! Like any security system, a little planning and thought can actually enable you to do more with the resources you have. In this case, planning out how you treat your important information and having a good password management strategy can be easier and more secure.

Tuesday, September 19, 2006

War With Malware

AntiVirus and AntiSpyware is not something you want to skimp on if you have any important information stored on your computer. And if you do any shopping, banking, or other types of financial transactions online, Viruses and Spyware could help a criminal steal your identity and you may be liable for thousands of dollars! However, if you have a computer where you just want some basic AntiVirus and AntiSpyware software, there are some free software packages you can pick up that will fit the bill.

The top 3 free AV products are AntiVir, Grisoft, and Avast!. Here is a comparison of these three programs. Remember, these are primarily on-demand scanners, which means you have to manually run them! Yes, you can schedule them, but you still have a long delay between when you might become infected and when you get cleaned. Also, keep in mind that stopping the viruses from getting into your system is better than cleaning up later, as you might not be able to get rid of it. [Edit: It has been pointed out to me that some of these have do real-time monitoring and should catch things before they get installed.]

Another free AntiVirus program I've seen is Cyberhawk. It is a free heuristics based AntiVirus which runs in realtime. I haven't tested it much, but it seems to pick up on some of the more suspicious behavior of some of the software I have thrown at it. I recommend using it alongside one of the other virus scanners. And don't forget that Google Pack gives you 6 months of Norton AntiVirus 2005 for free, and AOL Safety and Security Center licenses Kaspersky AntiVirus to you for free. If you'd rather do some research and pay for something, here are some good sites to get you started.

AntiSpyware is a fairly new industry and, until the last 18 months or so, the free programs were probably better than anything you could buy. However, now it seems like the free stuff isn't being updated nearly as often and the stuff you can buy makes life a lot simpler. This is my opinion, and others will have wildly differing ones, but one thing everyone can agree on is to stay far away from the rogue AntiSpyware!

Also, try out different programs on different computers. If you use F-Secure AntiVirus, Zone Alarm Pro Firewall, and Webroot SpySweeper on your main computer, put Avast!, Kerio, and Ad-Aware on your kids' computer. Find something that works out well for you. Some of the newer viruses and spyware are written specifically to evade the main AntiVirus vendors, so give some of the lesser known guys a try. Use Nod32 or Kaspersky instead of McAfee or Norton.

The way I avoid spyware and viruses is to know what I'm downloading, avoid sketchy websites, patch Windows, and configure my browsers for security -- IE, and Firefox. You can get plugins which will disable scripting, warn you of bad sites, and warn you of phishing sites. I also recommend replacing the default Windows firewall with one of the good free alternatives: Zone Labs, Kerio, or Comodo. These will block outbound network traffic as well as inbound, but they may be a bit more intimidating for the average user.

If you're worried about your kids, visitors, or whoever going to dangerous sites, you can install a web filtering proxy and set up separate Limited User Windows logins. I recently had a house guest go to some unsavory sites late at night while he was staying here and I ended up getting hit with something that shut my computer off, but thanks to my AntiVirus program, nothing ended up on the hard drive. However, taking the two steps above would have prevented the incident altogether and would have saved me the couple of hours it took to double check the computer for any nasty stuff that had gotten by.

In the end, the best thing for the average user looking at some of the freeware listed here is to just pick something and use it. If you find that it doesn't fit the bill, you can always drop it and grab something else. Remember that ease of use can be as important as anything else. If you get 10 popups an hour from your security software, you're likely to just click through it. It may be no more effective at protecting you than having nothing, and it makes using the computer frustrating.

There have been quite a few links in this week's post, and it might be a bit intimidating. But each one links to a program or to information about them. You don't have to hit every one of them, just surf where the 'net takes you. If you feel more comfortable navigating and digging deep into things, feel free to click every link and devour all of the information. And post here if you find more things.

When you were a kid, your parents tried to help you understand the dangers of the world outside your home and protect you from them. When you're going out into the big bad online world, there are a lot of things to look out for, too. Hopefully this will be a starting point for you to do some research and see what is out there so you can keep your computer healthy. And don't forget your scarf, it might get cold out there.

Wednesday, September 13, 2006

My First Post

This is my first post to the blog, so I should probably say a little about why it was created. I decided to start this not long after I started my company, Beau Woods, LLC, in order to give out some advice on whatever I seem to be thinking about at the time. The intent is to give out some good advice for people who don't have the time to spend 10-12 hours a day thinking about keeping themselves safe online -- which is most people I know. But that's the great thing about the internet, you can usually find a lifetime's worth of knowledge and experience boiled down to a quick 15 minute read.

Think about how much research has been done that culminates decades of work into one paper. These things are published by scholarly reviews all over the world, with thorough documentation, careful analyses of all results, caveats about the conclusions, and showing the blood, sweat, and tears shed over the lifetime of the research. And on the internet, somebody will post a really quick bullet point that disregards all of the attention to detail and caveats about drawing erroneous conclusions. The summary is published in a thousand other blogs and sometimes in print, each reprinting adding credibility to a post by someone who may only have skimmed the first page of the original research paper.

I guess my point (and my first tip) is this: don't believe everything you hear or read. Whether it's on the Internets, in print, or first-hand from somebody who swears it is the truth. You learned critical thinking skills in school, right? If not, you should look into that. Often times you can pull apart a claim or argument with simple logic and a little bit of skepticism. I'm not saying you should go around calling people liars if you don't believe them, it's just that sometimes things are not what they seem.

So go forth, be truthful, and analyze.

Monday, September 11, 2006

Blog Goals

My goals for this blog are to help out people from all experience levels and backgrounds. I am hoping to get people to do more critical thinking about the world in which we live. I think those types of lessons can apply to more than just computer security. So I won't tell you about the latest products and trends, and I won't spout off about whatever is harshing my mellow at the moment (mostly).

What I will do is to try to give you strategies for solving problems and attempt to shape the way you attack them. And in the close of each post I'll try to relate things to the real world.

It may take me a while to work up to something productive and useful, so I ask you to bear with me while I work through my growing pains. I can't promise you that I'll deliver on a regular schedule, or that everything I put here will be relavent to your life. But I will promise you that I'll be honest to what I believe. Hopefully that will come across clearly, because if you can't make your thoughts cross from inside your head to inside others' heads, there's hardly a point in trying.