October 1st, 2008
Once upon a time I frequently reused passwords. So if you knew my dog’s name, or what kind of car I drove, you could easily have pretended to be me with just a little extra work. This is obviously a very bad idea, but I’m sure many people struggle with managing passwords for the web sites and computer systems they access on a regular basis.
Passwords are keys to your identity. If a malicious person were to figure out your email password, what harm could they cause? Could they quickly gather the names and contact information for your friends and family? Could they figure out where you bank? Could they reset your bank password by telling your bank that your password was forgotten?
A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.
- Wired Magazine
Here are my tips for choosing the best passwords:
- Use different passwords for every site/application. Do not reuse them.
- Change passwords frequently. The more you use a password, the more you should change it.
- Keep your passwords secret. Guard them as if they were keys to your identity — they usually are.
- Consider using a random password generator.
- Consider using passphrases (e.g. Myhouseismadeofwoodandhasyellowsiding!)
- Consider using acronyms (e.g. Mhimowahys!)
- Do not use words, birthdays, family and pet names, addresses, or any other personal information in your passwords.
- Do not use repeated characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
I strongly recommend using a password management tool for three important reasons.
- Tools remember many passwords so you don’t have to.
- Tools can type passwords for you. This makes strong passwords easy to use.
- Tools can create strong passwords which are complex, unique, and random.
A while back I wrote a post about PasswordSafe, which I used to manage my usernames and passwords. I later switched to a different tool named KeePass. KeePass is also free and open source, but I think it is also easier to use. I now also use LastPass which is a different on-line based password manager.
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page.
The ability to auto-type usernames and passwords is infinitely flexible with KeePass. Auto-type is a very important feature, although I can understand why you may not initially think so. Think about the strongest types of passwords. They are long, complex, unique, and full of many different character types. Do you want to type those in manually each time? Once I switched to KeePass, my normal password length increased to 20 or more randomized characters wherever possible. Since I don’t have to remember or type them, I prefer the really long/complex ones.
To manage my password database across several computers, I use FolderShare to synchronize it between systems. This keeps my database of (as of writing 317) passwords the same across all my systems. Occasionally I also copy the password database file to a USB flash drive so I can access accounts when I’m not using one of my own computers.
KeePass has many other great features. The listing of features below links to their website.
- Strong Security
- Multiple User Keys
- Portable and No Installation Required
- Export To TXT, HTML, XML and CSV Files
- Import From Many File Formats
- Easy Database Transfer
- Support of Password Groups
- Time Fields and Entry Attachments
- Auto-Type, Global Auto-Type Hot Key and Drag&Drop
- Intuitive and Secure Windows Clipboard Handling
- Searching and Sorting
- Multi-Language Support
- Strong Random Password Generator
- Plugin Architecture
- Open Source!
Some websites with more complicated authentication schemes will require customization of the auto-type string. The software’s “help” reference provides details on how to do this.

Encryption, How To, Passwords, Review, Security, Software, Synchronization, Tools
Posted by Brendan Moon
September 7th, 2007
LinkedIn is a powerful tool for enhancing and maintaining your professional people network. An article about the service was recently published in USA Today.
I was first introduced to LinkedIn several years ago when I received an “invite” from someone I worked with on a project. My initial reaction was to ignore the invitation. I am suspicious of unexpected e-mail, and of giving out any personal information unless I have a good understanding of how it will be used. LinkedIn’s web site identifies the following three primary benefits of the service:
- Find past and present colleagues and classmates quickly. LinkedIn makes staying in touch simple.
- Discover inside connections when you’re looking for a job or new business opportunity.
- Your network is full of industry experts willing to share advice. Have a question? Just ask.
After some cursory steps to verify what LinkedIn was, I created an account and simply ignored it for almost two years. During that time I never received any spam or unexpected communications as a result of having a LinkedIn account. Some time later, in 2006, I was reintroduced to LinkedIn during a meeting with colleagues. I saw how my coworker had developed an extensive LinkedIn network of peers and colleagues, and I decided I should do the same.
Since that time I have used LinkedIn frequently. As a rule of thumb, I only send invites to people who are already members of LinkedIn. I do seek out trusted colleagues, and new professional acquaintances who are already LinkedIn members, to establish connections. There are over 14 million members, and it is growing every day. I avoid establishing connections to people I have not met or worked with.
I set my public profile to read similar to a resume. It identifies all of my employers and a quick summary of my jobs. Since I have done lots of project work, I also list some specific customers — but not details of those engagements. This sometimes results in unwanted contacts from recruiters, but I have found those to be rare. This detailed public profile serves two important purposes for me.
- People who have heard of me, but do not know me, can quickly discover a little about my experiences and expertise.
- Those who have business opportunities that fit my background can find me.
In practice I have found LinkedIn to be helpful in learning more about my colleagues and keeping track of those who move around. It is also worth noting that my current job is the result of a contact made through LinkedIn. LinkedIn has worked for me, and it can work for you with a little effort. There are over 14 million members; you must know some of them!
Frequently asked questions about LinkedIn are answered here.

About Me, How To, Jobs, LinkedIn, Networking, Web
Posted by Brendan Moon
August 30th, 2007
The small physical size and low cost of USB-based flash disk drives, or USB Drives, often lead to confidential information being exposed through theft and loss. The growing memory capacity of these drives increases the problem, as more data is stored for longer periods of time.
I use my USB Drives frequently, as do many mobile professionals. I categorize my usage into two basic functions:
- Storage – Storing my files for later reference, often with a PC which is not my own.
- Transfer – As a mechanism to copy files from one PC to another.
When evaluating encryption methods I considered how a given encryption product would impact the use of a USB Drive for both functions. For example, since I frequently use my USB Drive with PCs I do not own, I cannot use a product which requires a typical software installation on a PC to use.
I also sometimes lend my USB Drive to others temporarily – typically when transferring files from one PC to another. The encryption product needs to allow a third party to still use my USB Drive without knowing how to use the encryption software.
Another consideration was cost. A low to no-cost solution is usually preferable, not only because it does not require an initial investment, but it also facilitates easy testing and rapid adoption.
I settled on a product called TrueCrypt which, for now, seems like the best tool suited for my use. Its license provides for free use for both non-commercial and commercial purposes. Version 4.2a for Windows is around 1,388KB in total size which includes documentation.
Main Features:
I create an encrypted disk volume within my USB Drive, rather than encrypting the entire device. The encrypted volume is used to store all protected data. When the encryption software is not used, the encrypted volume simply appears as a large file which cannot be accessed. Naturally this file can be deleted, however, the data within the file is protected from unauthorized access.
I leave unencrypted free space on the USB Drive for use when transferring files from one PC to another. This allows the USB Drive to be used for file transfers without using the encryption software at all.
TrueCrypt can certainly be used in many other ways and for many other purposes. I simply find the USB Drive to be an easy use-case.

Encryption, How To, Review, Security, Software
Posted by Brendan Moon
August 22nd, 2007
Everyone has different television viewing habits and preferences. Some don’t have a TV at all and there are times that seems appealing. My viewing habits can be summarized as follows:
- I don’t watch TV every day.
- I only watch TV using a DVR.
- I only watch pre-recorded shows (except occasional sports.)
- I usually skip commercials and sometimes even boring content within a program.
- Most of my TV watching is late, when the kids are asleep.
Until recently I had been a DirecTV customer for over ten years. Their service was consistent, reliable, and reasonably priced. That changed when I decided to upgrade our primary TV to an HDTV set.
Several months ago I purchased a 42″ HDTV set from Costco. I chose Costco because they provide a 90 day return policy (in case I was not happy) and an excellent price.
None of my DirecTV receivers supported HDTV content, so I called to inquire about an upgrade. I was quoted an unreasonable (in my mind) cost for a new HDTV DVR box, with two additional unreasonable conditions:
- I wouldn’t own the box. Even though I would need to pay hundreds of dollars for the new box, I would have to return it with no refund if I decided to leave DirecTV.
- A 2 year term agreement. Like cellular companies, DirecTV wanted to lock me into their service exclusively for the next two years.
I called ComCast (my local cable provider) and ordered service from them. They promptly installed an HDTV DVR and lots of high-definition content with no one-time charges, and a lower monthly cost than DirecTV. Unfortunately I found ComCast’s TV service to be unreliable. Over the course of two months we logged a half-dozen service calls. Channels would disappear from my line-up, the On-Demand service would quit working, and the picture quality would sometimes degrade to where it was unwatchable. Many technicians came out, but none could fix the problem, which was “upstream” somewhere.
I then checked out DishNetwork. Dish provided a dual-tuner HDTV DVR (ViP 622) for my primary set, and a standard dual-tuner DVR (DVR625) for our second TV. I ordered Dish through a reseller instead of directly ordering it from Dish. The reseller allowed me to specify which DVR boxes I wanted and had a promotion for discounted premium channels.
Installation was $49 (which the reseller offered to waive in exchange for a long-term contract.) Installation required two dishes on my roof. One provides all of the standard definition content, the other provides VOOM HDTV content. The installer did a great job concealing the cables running down my house, and patching the wires into my existing wiring.
A couple months later I am very satisfied with Dish. Like DirecTV their service is consistent, reliable, and reasonably priced. There is lots of HDTV content (currently more than either ComCast or DirecTV offer in my area.) The DVR interface/remote is very easy to use and even includes the 30 second commercial skip feature I had to reprogram every time my old Tivo lost power.
Update: Last weekend a storm damaged something and caused one of our two TVs to stop working. I called Dish support and did basic troubleshooting over the phone. It was quickly determined that my “switch” was bad. A service technician was dispatched and showed up on Tuesday. They replaced the dish LNB which has the multi-switch integrated. This fixed the problem. No charge to me for the visit. Not bad.

ComCast, DTV, DVR, DirecTv, Dish, DishNetwork, General, HDTV, Hardware, Shopping
Posted by Brendan Moon
August 21st, 2007
Most financial experts recommend keeping some quantity of cash savings available for emergencies. Up until a few months ago I kept my cash savings in standard Certificates of Deposit with my credit union. CDs provide a modest interest return, but make quick access to the funds painful with early withdrawal fees. I did a little research for a good alternative and found GMAC Bank. Its interest rate returns are better than CDs and there are no “early withdrawal” penalties.
GMAC Bank offers a “Money Market Savings” account which earns a very competitive interest rate, currently 5.30% APY. Deposits are FDIC insured and can be made via mail (postage-paid envelopes are provided at no cost), ACH, or wire transfer.
After opening your account you will receive a small order of checks and a VISA Debit/ATM card. ACH transfers of funds from GMAC to your normal bank account are free and take ~24-48 hours.
There are a few minor catches (of course) but I could easily live with all of them.
- Minimum balance of $500 to avoid monthly charges
- Maximum of 3 check/debit card transactions per month
- Maximum of 6 withdrawals, or transfers to other accounts, per month
- No local bank branches you can go visit
The GMAC Bank web site is simple and secure. From the web site you can do basic account management such as reviewing transactions or initiating a deposit or withdrawal (via ACH.) GMAC Bank will also download transactions to Quicken or MS Money.
You can open an account online or by phone.

Finance, Money, Savings, Web
Posted by Brendan Moon