
    KeePass

    October 1st, 2008

    Once upon a time I frequently reused passwords. So if you knew my dog's name, or what kind of car I drove, you could easily have pretended to be me with just a little extra work. This is obviously a very bad idea, but I’m sure many people struggle with managing passwords for the web sites and computer systems they access on a regular basis.

    Passwords are keys to your identity.  If a malicious person were to figure out your email password, what harm could they cause?  Could they quickly gather the names and contact information for your friends and family?  Could they figure out where you bank?  Could they reset your bank password by telling your bank that your password was forgotten?

    A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.
    - Wired Magazine

    Here are my tips for choosing the best passwords:

    • Use different passwords for every site/application.  Do not reuse them.
    • Change passwords frequently.  The more you use a password, the more you should change it.
    • Keep your passwords secret.  Guard them as if they were keys to your identity — they usually are.
    • Consider using a random password generator.
    • Consider using passphrases (e.g. Myhouseismadeofwoodandhasyellowsiding!)
    • Consider using acronyms (e.g. Mhimowahys!)
    • Do not use words, birthdays, family and pet names, addresses, or any other personal information in your passwords.
    • Do not use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
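
    The tips above can be checked mechanically. The following is an added example, not part of the original post: it audits a candidate password for repeated characters and sequences, and generates random passwords that pass. The character set, the 20-character minimum and all function names are assumptions made for this example.

```python
import math
import secrets
import string

# Assumed character set and minimum length; the 20 follows the length the author mentions using.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def has_repeat(pw, run=3):
    """True if one character appears `run` times in a row, e.g. 111."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))

def has_sequence(pw, run=3):
    """True for alphabetic/numeric runs (abc, 321) or keyboard runs (qwe)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if chunk.isalnum() and steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False

def audit(pw, min_len=20):
    """Return the tips a candidate password breaks (empty list = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if has_repeat(pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("sequence")
    return problems

def generate(length=20):
    """Draw from the OS CSPRNG and redraw until the candidate passes audit()."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit(pw, min_len=length):
            return pw

def entropy_bits(length, alphabet=ALPHABET):
    """Upper bound on entropy; the redraws in generate() trim it only slightly."""
    return length * math.log2(len(alphabet))

if __name__ == "__main__":
    for candidate in ("123456", "qwerty111", "Myhouseismadeofwoodandhasyellowsiding!"):
        print(candidate, audit(candidate))
    print(generate(), round(entropy_bits(20), 1), "bits")
```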

    I strongly recommend using a password management tool for three important reasons.

    1. Tools remember many passwords so you don’t have to.
    2. Tools can type passwords for you.  This makes strong passwords easy to use.
    3. Tools can create strong passwords which are complex, unique, and random.

    A while back I wrote a post about PasswordSafe, which I used to manage my usernames and passwords.  I later switched to a different tool named KeePass.  KeePass is also free and open source, but I think it is also easier to use.  I now also use LastPass, which is a different, online password manager.

    KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

    The ability to auto-type usernames and passwords is infinitely flexible with KeePass.  Auto-type is a very important feature, although I can understand why you may not initially think so.  Think about the strongest types of passwords.  They are long, complex, unique, and full of many different character types.  Do you want to type those in manually each time?  Once I switched to KeePass, my normal password length increased to 20 or more randomized characters wherever possible.  Since I don’t have to remember or type them, I prefer the really long/complex ones.

    To manage my password database across several computers, I use FolderShare to synchronize it between systems.  This keeps my database of (as of writing 317) passwords the same across all my systems.  Occasionally I also copy the password database file to a USB flash drive so I can access accounts when I’m not using one of my own computers.

    KeePass has many other great features.  The listing of features below links to their website.

  • Strong Security
  • Multiple User Keys
  • Portable and No Installation Required
  • Export To TXT, HTML, XML and CSV Files
  • Import From Many File Formats
  • Easy Database Transfer
  • Support of Password Groups
  • Time Fields and Entry Attachments
  • Auto-Type, Global Auto-Type Hot Key and Drag&Drop
  • Intuitive and Secure Windows Clipboard Handling
  • Searching and Sorting
  • Multi-Language Support
  • Strong Random Password Generator
  • Plugin Architecture
  • Open Source!

    Some websites with more complicated authentication schemes will require customization of the auto-type string.  The software “help” references provide details on how to do this.



    Encrypting a USB Drive with TrueCrypt

    August 30th, 2007

    The small physical size and low cost of USB based flash disk drives, or USB Drives, often exposes confidential information due to theft and loss. The growing memory capacity on these drives increases the problem as more data is stored for longer periods of time.

    I use my USB Drives frequently, as do many mobile professionals. I categorize my usage into two basic functions:

    • Storage – Storing my files for later reference, often with a PC which is not my own.
    • Transfer – As a mechanism to copy files from one PC to another.

    When evaluating encryption methods I considered how a given encryption product would impact the use of a USB Drive for both functions. For example, since I frequently use my USB Drive with PCs I do not own, I cannot use a product which requires a typical software installation on a PC to use.

    I also sometimes lend my USB Drive to others temporarily – typically when transferring files from one PC to another. The encryption product needs to allow a third party to still use my USB Drive without knowing how to use the encryption software.

    Another consideration was cost. A low to no-cost solution is usually preferable, not only because it does not require an initial investment, but it also facilitates easy testing and rapid adoption.

    I settled on a product called TrueCrypt which, for now, seems like the best tool suited for my use. Its license provides for free use for both non-commercial and commercial purposes. Version 4.2a for Windows is around 1,388KB in total size which includes documentation.

    Main Features:

    I create an encrypted disk volume within my USB Drive, rather than encrypting the entire device. The encrypted volume is used to store all protected data. When the encryption software is not used, the encrypted volume simply appears as a large file which cannot be accessed. Naturally this file can be deleted, however, the data within the file is protected from unauthorized access.

    I leave unencrypted free space on the USB Drive for use when transferring files from one PC to another. This allows the USB Drive to be used for file transfers without using the encryption software at all.

    TrueCrypt can certainly be used in many other ways and for many other purposes. I simply find the USB Drive to be an easy use-case.



    Wireless Networking for the Home

    August 13th, 2007

    There are many options and technologies to consider when planning a wireless network at your home. Products available today are much easier to use, and even less expensive, than in the past. I’ll describe a few factors that I consider to be the most important, and what I happen to use along with them. I will start with an overview of what is needed for a wireless network. A network consists of an Access Point and one or more wireless clients (e.g. Desktop and/or Laptop PC.) In the diagram below, the Access Point is physically connected to a router and modem for Internet connectivity. Frequently router and access point functionality is combined within one device. The modem (cable, DSL, or Satellite) is what connects your network to the rest of the world.

    Wireless Diagram

    Wireless Compatibility

    An international standards organization (IEEE) defines the 802.11 standards that most wireless vendors comply with. You must ensure each of your devices supports the same standards or they will not work together.

    The wireless standards most commonly used in the US consumer market are as follows:

    Wireless Table 1

    The newer protocols offer higher speed and range, but at increased cost. Some products use proprietary enhancements to the standard protocols which are only helpful if all of your equipment is from the same manufacturer. I use a “G” based network, though I may consider upgrading to “N” once I have computers that support it.

    Security

    Security mechanisms within the wireless network standards are used both to keep data private (encryption) and to keep unauthorized clients from connecting to your network. Three standards are common, with the newest standard (WPA2) offering the best protection. The WEP standard is very weak, as a malicious user can compromise a network protected only with WEP very quickly.

    Wireless Table 2

    To provide the greatest protection you should implement the newest standard that all of your devices support. In addition to the access point, all of your wireless clients must support the encryption standard you use. If you have some older devices they may not all support the latest standards.

    Home networks generally rely on a pre-shared key (PSK) to control access to an encrypted network. So in addition to specifying the use of WPA or WPA2, you will need to define a “key.” Anyone with this “key” will be able to access your network, and its data. The best keys are long, and not something a neighbor or acquaintance may be able to guess. I recommend one of two options here.

    1. A long pass-phrase. A long passphrase is made up of several easy to remember words and/or numbers that would not be easy to guess. For example: “thethreelittlepigsbuilt3houses” Pick something long and unique to you.
    2. A long random string. There are several password generation programs and web sites. You can try this one (at GRC) to generate a key such as “7BF9A06F64C3722F70E9173F1CC400C5E2B7”. Since this is more complicated, you will generally save the key electronically, and simply cut/paste it to type it in when needed.
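
    As an added example (not part of the original post), the code below generates both kinds of random key locally and shows how WPA/WPA2 with a pre-shared key turns a passphrase into the 256-bit key the access point actually uses: PBKDF2-HMAC-SHA1 with the network name (SSID) as salt and 4096 iterations. The function names and the two sample network names are constructed for this example.

```python
import hashlib
import secrets
import string

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode(), 4096, 32)

def random_passphrase(length: int = 63) -> str:
    """Option 2 from the list: a long random string, drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_hex_key() -> str:
    """Exactly 64 hex digits is entered as the raw 256-bit key, with no derivation."""
    return secrets.token_hex(32).upper()

if __name__ == "__main__":
    phrase = "thethreelittlepigsbuilt3houses"  # passphrase example from the post
    # Constructed network names: the same passphrase gives a different key per SSID.
    for ssid in ("linksys", "HomeNet-Example"):
        print(ssid, derive_pmk(phrase, ssid).hex())
    print("random passphrase:", random_passphrase())
    print("random hex key:   ", random_hex_key())
```

    Because the network name is mixed into the derivation, the same passphrase yields a different key on every differently named network.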

    MAC Filtering

    Most access points support a feature called MAC filtering. Wireless network interfaces on client PCs are pre-programmed with a unique MAC address. With MAC filtering you tell your access point to ignore traffic from other wireless clients. This may seem like a security setting, but it is possible to bypass this protection by listening for traffic from your home and manually setting another network client to use the same MAC address. MAC filtering isn’t a bad thing, but it should only be used in concert with encryption.

    Service Set Identifier (SSID)

    When you configure an access point, you are prompted to enter an SSID. The SSID is your “station identifier” or name. This is not a password or a secret. Your access point typically broadcasts this value to advertise the presence of your wireless network. I recommend changing the default value to something else — you can decide if you want a name that lets your neighbors know whose network it is, or if you want to use a word/value that only you find meaningful.

    My Network

    I use a Linksys WRT54G as my router/firewall. The Linksys firewall is running 3rd party software called DD-WRT to provide enhanced features such as Quality of Service (QOS). I disabled the wireless features of the Linksys, and use a Netgear WPN824 as my wireless access point. I chose the Netgear because the MIMO feature greatly increased the range of my wireless network. Using only the Linksys, the wireless network reliably worked in only two rooms of my house. With the Netgear I can use my network anywhere in my house — I have even used it two houses away.


    Backing Up DVD Movies

    August 8th, 2007

    My kids have lots of movies, and I quickly found that DVD movies are not kid-proof. Scratched and lost discs cost us a number of titles before I took action to protect our investment.

    The process involves making copies of DVD based movies that I have purchased. I am not a lawyer, but I contend that what I’m doing does not violate the spirit of copyright laws. If anyone has evidence otherwise, send it to me, and I’ll send it to my lawyer for review.

    There are several reasons why I make copies of my DVD movies:

    • I’m a fan of backups. I like knowing that if a disc is lost or scratched, I don’t have to re-purchase a new copy.
    • Backups made with this process start playing the real movie immediately when it is inserted.

      Note to movie studios: I hate the commercials that you force kids to watch before they can actually watch the movie that is on the disc. It is unreasonable to me that you block the ability to skip or fast-forward through commercials on a DVD that you charge money to buy.

    Four things are needed to make a copy of a commercial movie DVD. This is not “secret” knowledge. A quick Google search will tell you the same thing.

    1. A PC with a DVD recorder. If your PC has two DVD drives (at least one of which is a recorder) things are even easier.
    2. Blank DVD media. Most commercial movie DVDs use dual-layer media which can hold up to 9GB of video and audio data. Most blank DVDs for use in computers are single-layer and only hold 4.5GB of video.
    3. Software to disable DVD copy protection mechanisms. I use AnyDVD. Once installed, all DVDs appear to your PC as having no copy protection. AnyDVD also includes an option to skip the movie trailers. (My favorite feature.)
    4. Software to compress the source video (9GB) so that it will fit onto a standard blank DVD (4.5GB). I use CloneDVD. It is very easy to use and works quickly.

    Once I had all of the software installed, the following steps summarize what I do each time I want to make a movie backup:

    1. Configure AnyDVD to “Remove annoying adverts and trailers” and “Jump directly to the movie.”
    2. Insert the original movie in one DVD drive, and insert a blank DVD disc into the DVD recorder drive.
    3. Start CloneDVD and click the “Clone DVD” button.
    4. Point the software to the source DVD drive.
    5. View a portion of the on-screen movie player to ensure that it found the right movie content. Click Next.
    6. In this screen I don’t change anything. If you want you can remove foreign language content to save space and potentially have less need for compression. Click Next.
    7. Confirm that it is writing the copy to the blank media, and will erase any temporary files from your hard disk once the process is complete. Click Go.
    8. Watch the video in fast forward mode if you like, and relax. A sound will play in 30-40 minutes to let you know it is complete.

    Blank DVD media can be purchased almost anywhere. You may find that some media works better than others in your recorder (DVD-R vs. DVD+R). You may also notice some media works better than others in your DVD players (like the one in your car.) Some players (usually older ones) don’t support writable DVD media at all.



    LogMeIn – Remote Access

    August 6th, 2007

    Most businesses provide some sort of remote access so that employees can do work from home, or access services like e-mail when away from the office.  LogMeIn provides a free service that allows you to remotely access your PC at work or at home if both you and it are connected to the Internet.  I don’t use this service often, but it is really handy when I do.

    1. Sign up for a free account
    2. Use your web browser to install a small software component on the PC you want to remotely access
    3. From a remote location, go to the LogMeIn web site, and login to your account
    4. Select the PC you want to remotely access
    5. Remotely view and interact with your PC.

    The free service allows you to have more than one PC associated with your account (I have seven.)  The software works through most firewalls without issue.  LogMeIn publishes a security white paper which describes the mechanisms in place to ensure only you can access your PC, and to protect the data in transit.  LogMeIn also provides information for system administrators to prohibit LogMeIn on their networks.
