
    KeePass

    October 1st, 2008

    Once upon a time I frequently reused passwords. So if you knew my dogs name, or what kind of car I drove, you could easily have pretended to be me with just a little extra work. This is obviously a very bad idea, but I’m sure many people struggle with managing passwords for web sites and computer systems you access on a regular basis.

    Passwords are keys to your identity.  If a malicious person were to figure out your email password, what harm could they cause?  Could they quickly gather the names and contact information for your friends and family?  Could they figure out where you bank?  Could they reset your bank password by telling your bank that your password was forgotten?

    A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.
    - Wired Magazine

    Here are my tips for choosing the best passwords:

    • Use different passwords for every site/application.  Do not reuse them.
    • Change passwords frequently.  The more you use a password, the more you should change it.
    • Keep your passwords secret.  Guard them as if they were keys to your identity — they usually are.
    • Consider using a random password generator.
    • Consider using passphrases (e.g. Myhouseismadeofwoodandhasyellowsiding!)
    • Consider using acronyms (e.g. Mhimowahys!)
    • Do not use words, birthdays, family and pet names, addresses, or any other personal information in your passwords.
    • Do not use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.

    I strongly recommend using a password management tool for three important reasons.

    1. Tools remember many passwords so you don’t have to.
    2. Tools can type passwords for you.  This makes strong passwords easy to use.
    3. Tools can create strong passwords which are complex, unique, and random.

    A while back I wrote a post about PasswordSafe, which I used to manage my usernames and passwords.  I later switched to a different tool named KeePass.  KeePass is also free and open source, but I think it is also easier to use.  I now also use LastPass, which is a different, on-line password manager.

    KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.

    The ability to auto-type usernames and passwords is infinitely flexible with KeePass.  Auto-type is a very important feature, although I can understand why you may not initially think so.  Think about the strongest types of passwords.  They are long, complex, unique, and full of many different character types.  Do you want to type those in manually each time?  Once I switched to KeePass, my normal password length increased to 20 or more randomized characters wherever possible.  Since I don’t have to remember or type them, I prefer the really long/complex ones.

    To manage my password database across several computers, I use FolderShare to synchronize it between systems.  This keeps my database of (as of writing 317) passwords the same across all my systems.  Occasionally I also copy the password database file to a USB flash drive so I can access accounts when I’m not using one of my own computers.

    KeePass has many other great features.  The listing of features below links to their website.

  • Strong Security
  • Multiple User Keys
  • Portable and No Installation Required
  • Export To TXT, HTML, XML and CSV Files
  • Import From Many File Formats
  • Easy Database Transfer
  • Support of Password Groups
  • Time Fields and Entry Attachments
  • Auto-Type, Global Auto-Type Hot Key and Drag&Drop
  • Intuitive and Secure Windows Clipboard Handling
  • Searching and Sorting
  • Multi-Language Support
  • Strong Random Password Generator
  • Plugin Architecture
  • Open Source!

    Some websites with more complicated authentication schemes will require customization of the auto-type string.  The software's help documentation provides details on how to do this.
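    As an added illustration of that customization (my example, not text from the KeePass help), here is the default auto-type sequence next to one adjusted for a site that asks for the username and the password on two separate pages.  The placeholder names are KeePass's own; the 1500 ms delay is an assumed value that depends on how quickly the site's second page loads.

```text
Default sequence (most single-page login forms):
{USERNAME}{TAB}{PASSWORD}{ENTER}

Two-step login (username page first, then a password page):
{USERNAME}{ENTER}{DELAY 1500}{PASSWORD}{ENTER}
```

    The custom sequence is set per entry, so the default keeps working for every other site.  If the delay is too short the password is typed into the wrong page, so test a new sequence with a throwaway entry before relying on it.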



    Encrypting a USB Drive with TrueCrypt

    August 30th, 2007

    The small physical size and low cost of USB based flash disk drives, or USB Drives, often exposes confidential information due to theft and loss. The growing memory capacity on these drives increases the problem as more data is stored for longer periods of time.

    I use my USB Drives frequently, as do many mobile professionals. I categorize my usage into two basic functions:

    • Storage – Storing my files for later reference, often with a PC which is not my own.
    • Transfer – As a mechanism to copy files from one PC to another.

    When evaluating encryption methods I considered how a given encryption product would impact the use of a USB Drive for both functions. For example, since I frequently use my USB Drive with PCs I do not own, I cannot use a product which requires a typical software installation on a PC to use.

    I also sometimes lend my USB Drive to others temporarily – typically when transferring files from one PC to another. The encryption product needs to allow a third party to still use my USB Drive without knowing how to use the encryption software.

    Another consideration was cost. A low to no-cost solution is usually preferable, not only because it does not require an initial investment, but it also facilitates easy testing and rapid adoption.

    I settled on a product called TrueCrypt which, for now, seems like the best tool suited for my use. Its license provides for free use for both non-commercial and commercial purposes. Version 4.2a for Windows is around 1,388KB in total size which includes documentation.

    Main Features:

    I create an encrypted disk volume within my USB Drive, rather than encrypting the entire device. The encrypted volume is used to store all protected data. When the encryption software is not used, the encrypted volume simply appears as one large file whose contents are unreadable without the password. Naturally this file can be deleted; however, the data within the file is protected from unauthorized access. Note that mounting the volume on a borrowed PC still needs TrueCrypt's driver: the portable ("traveler") mode loads it at run time instead of installing it, but doing so requires administrator rights on that PC.

    I leave unencrypted free space on the USB Drive for use when transferring files from one PC to another. This allows the USB Drive to be used for file transfers without using the encryption software at all.

    TrueCrypt can certainly be used in many other ways and for many other purposes. I simply find the USB Drive to be an easy use-case.



    Wireless Networking for the Home

    August 13th, 2007

    There are many options and technologies to consider when planning a wireless network at your home. Products available today are much easier to use, and even less expensive, than in the past. I’ll describe a few factors that I consider to be the most important, and what I happen to use along with them.

    I will start with an overview of what is needed for a wireless network. A network consists of an Access Point and one or more wireless clients (e.g. desktop and/or laptop PCs). In the diagram below, the Access Point is physically connected to a router and modem for Internet connectivity. Frequently router and access point functionality is combined within one device. The modem (cable, DSL, or Satellite) is what connects your network to the rest of the world.

    Wireless Diagram

    Wireless Compatibility

    An international standards organization (IEEE) defines the 802.11 standards that most wireless vendors comply with. You must ensure each of your devices supports the same standards or they will not work together.

    The wireless standards most commonly used in the US consumer market are as follows:

    Wireless Table 1

    The newer protocols offer higher speed and range, but at increased cost. Some products use proprietary enhancements to the standard protocols which are only helpful if all of your equipment is from the same manufacturer. I use a “G” based network, though I may consider upgrading to “N” once I have computers that support it.

    Security

    Security mechanisms within the wireless network standards serve two purposes: keeping data private (encryption), and keeping unauthorized clients from connecting to your network (authentication). Three standards are common (WEP, WPA, and WPA2), with the newest standard (WPA2) offering the best protection. The WEP standard is very weak, as a malicious user can compromise a network protected only with WEP very quickly.

    Wireless Table 2

    To provide the greatest protection you should implement the newest standard that all of your devices support. In addition to the access point, all of your wireless clients must support the encryption standard you use. If you have some older devices they may not all support the latest standards.

    Home networks generally rely on a pre-shared key (PSK) to control access to an encrypted network. So in addition to specifying the use of WPA or WPA2, you will need to define a “key.” Anyone with this “key” will be able to access your network, and its data. Because every client uses the same key, anyone who records a client joining your network can test passphrase guesses offline at leisure, so a short or guessable key is weak even under WPA2. The best keys are long, and not something a neighbor or acquaintance may be able to guess. I recommend one of two options here.

    1. A long pass-phrase. A long passphrase is made up of several easy to remember words and/or numbers that would not be easy to guess. For example: “thethreelittlepigsbuilt3houses” Pick something long and unique to you.
    2. A long random string. There are several password generation programs and web sites. You can try this one (at GRC) to generate a key such as “7BF9A06F64C3722F70E9173F1CC400C5E2B7”. Since this is more complicated, you will generally save the key electronically and simply copy and paste it in when needed.
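    An added example, mine rather than the post's, for the two key options above: what an access point actually does with what you type, and why option 1 has to be long. A passphrase is run through PBKDF2-HMAC-SHA1 with the SSID as salt (4096 rounds, 32-byte output) to produce the 256-bit pre-shared key, while a string of exactly 64 hex digits is used as that key directly; the 36-digit GRC sample above therefore counts as a passphrase, which is still fine. The SSID “HomeNet” and the tiny wordlist are constructed for the demonstration, and the guess loop compares derived keys rather than a captured handshake, which is a simplification noted in the code.

```python
# Added example (not from the post): what the access point does with the key
# you type, and why a short or guessable passphrase is weak even under WPA2.
import hashlib
import math
import secrets
import string


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit PSK from a passphrase the way IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def psk_from_router_key(key, ssid):
    """A 64-hex-digit key is the PSK itself; anything else (including a shorter
    hex string such as the GRC sample in the post) is treated as a passphrase."""
    if len(key) == 64 and all(c in string.hexdigits for c in key):
        return bytes.fromhex(key)
    return wpa_psk(key, ssid)


def random_hex_key():
    """Option 2: 32 random bytes from the OS CSPRNG as 64 hex digits, the
    longest key WPA accepts, carrying a full 256 bits of entropy."""
    return secrets.token_hex(32)


def entropy_bits(symbol_choices, symbols):
    """Guessing work for a uniformly random key: symbols * log2(choices)."""
    return symbols * math.log2(symbol_choices)


def crack_psk(target_psk, ssid, wordlist):
    """Offline guess loop. A real attacker who recorded one client's 4-way
    handshake checks each guess against the handshake MIC instead of the PSK
    directly, but the cost per guess (4096 PBKDF2 rounds) is identical, and the
    loop runs on their own hardware with no further contact with your network."""
    for guess in wordlist:
        if 8 <= len(guess) <= 63 and wpa_psk(guess, ssid) == target_psk:
            return guess
    return None


if __name__ == "__main__":
    ssid = "HomeNet"  # assumed SSID for the demonstration
    # Constructed wordlist: what a tiny dictionary attack might try.
    wordlist = ["letmein1", "password", "thethreelittlepigsbuilt3houses"]
    print("weak:   ", crack_psk(wpa_psk("password", ssid), ssid, wordlist))
    strong = random_hex_key()
    print("random: ", crack_psk(psk_from_router_key(strong, ssid), ssid, wordlist))
    print("64 hex digits =", entropy_bits(16, 64), "bits")
    # The same passphrase yields a different PSK for every SSID, which is why
    # precomputed tables only help against default names such as "linksys".
    print(wpa_psk("password", "linksys") != wpa_psk("password", ssid))
```

    Because the SSID is the salt, attackers precompute PSK tables only for common default network names; that is a second, practical reason to change the default SSID even though the SSID itself is not a secret.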

    MAC Filtering

    Most access points support a feature called MAC filtering. Wireless network interfaces on client PCs are pre-programmed with a unique MAC address. With MAC filtering you give your access point a list of client addresses to accept, and it ignores traffic from any other wireless client. This may seem like a security setting, but it is easy to bypass: MAC addresses are sent unencrypted in every wireless frame, so an attacker can listen for traffic from your home and manually set another network client to use the same MAC address. MAC filtering isn’t a bad thing, but it should only be used in concert with encryption.

    Service Set Identifier (SSID)

    When you configure an access point, you are prompted to enter an SSID. The SSID is your “station identifier” or name. This is not a password or a secret. Your access point typically broadcasts this value to advertise the presence of your wireless network. I recommend changing the default value to something else — you can decide if you want a name that lets your neighbors know whose network it is, or if you want to use a word/value that only you find meaningful.

    My Network

    I use a Linksys WRT54G as my router/firewall. The Linksys firewall is running 3rd party software called DD-WRT to provide enhanced features such as Quality of Service (QOS). I disabled the wireless features of the Linksys, and use a Netgear WPN824 as my wireless access point. I chose the Netgear because the MIMO feature greatly increased the range of my wireless network. Using only the Linksys, the wireless network reliably worked in only two rooms of my house. With the Netgear I can use my network anywhere in my house — I have even used it two houses away.


    LogMeIn – Remote Access

    August 6th, 2007

    Most businesses provide some sort of remote access so that employees can do work from home, or access services like e-mail when away from the office.  LogMeIn provides a free service that allows you to remotely access your PC at work or at home if both you and it are connected to the Internet.  I don’t use this service often, but it is really handy when I do.

    1. Sign up for a free account
    2. Use your web browser to install a small software component on the PC you want to remotely access
    3. From a remote location, go to the LogMeIn web site, and login to your account
    4. Select the PC you want to remotely access
    5. Remotely view and interact with your PC.

    The free service allows you to have more than one PC associated with your account (I have seven.)  The software works through most firewalls without issue.  LogMeIn publishes a security white paper which describes the mechanisms in place to ensure only you can access your PC, and to protect the data in transit.  LogMeIn also provides information for system administrators to prohibit LogMeIn on their networks.



    PasswordSafe

    July 30th, 2007

    Once upon a time I frequently reused passwords. So if you knew my dogs name, or what kind of car I drove, you could easily have pretended to be me with just a little extra work. This is obviously a very bad idea, but I’m sure many people struggle with managing passwords for web sites and computer systems you access on a regular basis.

    Passwords are keys to your identity.  If a malicious person were to figure out your email password, what harm could they cause?  Could they quickly gather the names and contact information for your friends and family?  Could they figure out where you bank?  Could they reset your bank password by telling your bank that your password was forgotten?

    A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.
    - Wired Magazine

    Here are my tips for choosing the best passwords:

    • Use different passwords for every site/application.  Do not reuse them.
    • Change passwords frequently.  The more you use a password, the more you should change it.
    • Keep your passwords secret.  Guard them as if they were keys to your identity — they usually are.
    • Consider using a random password generator.
    • Consider using passphrases (e.g. Myhouseismadeofwoodandhasyellowsiding!)
    • Consider using acronyms (e.g. Mhimowahys!)
    • Do not use words, birthdays, family and pet names, addresses, or any other personal information in your passwords.
    • Do not use repeat characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
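    An added example, mine rather than the post's, that turns the tips above (the same list appears in the KeePass post) into code: a checker for repeated characters, keyboard or alphabetic sequences, and personal information, and a generator that draws from the operating system's CSPRNG and retries until its own output passes the checks. The 12-character minimum, the keyboard rows used to catch “qwerty”-style runs, and the sample passwords “Rover2007!” and the facts list are my assumptions; the other samples are the post's own.

```python
# Added example (not from the post): a checker for the password tips and a
# generator that retries until its own output passes them.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Assumed: keyboard rows used to catch "qwerty"-style sequences; "123" is
# caught both here and by the +1/-1 step check below.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_repeat(pw, n=3):
    """True if some character occurs n or more times in a row (e.g. '111')."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run >= n:
            return True
    return False


def has_sequence(pw, n=3):
    """True if pw contains n consecutive letters or digits stepping by +1/-1
    (abc, 321) or n adjacent keys from a keyboard row in either direction."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}) and (chunk.isalpha() or chunk.isdigit()):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def contains_personal(pw, facts):
    """True if any known fact about the user (pet, car, year, ...) appears."""
    low = pw.lower()
    return any(f.lower() in low for f in facts if len(f) >= 3)


def check_password(pw, facts=(), min_length=12):
    """Return the tips a password violates; an empty list means it passes.
    The 12-character minimum is an assumption, not a figure from the post."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if has_repeat(pw):
        problems.append("repeated characters")
    if has_sequence(pw):
        problems.append("keyboard or alphabetic sequence")
    if contains_personal(pw, facts):
        problems.append("contains personal information")
    return problems


def entropy_bits(pw, alphabet=ALPHABET):
    """Guessing work for a *uniformly random* password of this length drawn
    from `alphabet`; a human-chosen password of equal length has far less."""
    return len(pw) * math.log2(len(alphabet))


def generate_password(length=20, facts=(), alphabet=ALPHABET):
    """Draw from the OS CSPRNG (never random.random for secrets) and retry
    until the candidate passes the content checks, so no accidental '111' or
    'abc' slips through.  Length is whatever the caller asked for."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, facts, min_length=length):
            return pw


if __name__ == "__main__":
    # Constructed samples: the post's own examples plus one with a pet name.
    for sample in ("123456", "Mhimowahys!",
                   "Myhouseismadeofwoodandhasyellowsiding!", "Rover2007!"):
        print(f"{sample!r}: {check_password(sample, facts=['Rover']) or 'ok'}")
    pw = generate_password()
    print(pw, f"{entropy_bits(pw):.0f} bits")
```

    The generator rather than the checker is the part worth copying: a 20-character draw from 94 symbols carries about 131 bits, which no passphrase you can remember will match, and a password manager removes the only reason to prefer the memorable one.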

    I strongly recommend using a password management tool for three important reasons.

    1. Tools remember many passwords so you don’t have to.
    2. Tools can type passwords for you.  This makes strong passwords easy to use.
    3. Tools can create strong passwords which are complex, unique, and random.

    I have blogged about software based password managers PasswordSafe and KeePass.  Both remain excellent ways to manage your passwords.  I have also written a post about an on-line password management tool called LastPass.

    PasswordSafe is free and open source software which is easy to use. It is a very small download, and works on the many flavors of Windows.

    What is Password Safe? Password Safe is an Open Source (free) tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP). An older (but fully functional) version is available for PocketPC. Linux/Unix clones that use the same database format have also been written (see Related Projects).

    After starting PasswordSafe, you can categorize entries for anything that needs a password. Each entry must contain a Title, but everything else is optional. Most entries will also have a username and password. Since PasswordSafe remembers your credentials for you, make them all unique and complex. I recommend using the random password generation feature to generate secure passwords for every place you visit.

    PasswordSafe’s information is saved in an encrypted file on your hard disk. So from now on, only remember one password… and change it on a regular basis.
