Posts Tagged ‘trust’

Happy New Year! Now update your passwords!

Saturday, January 2nd, 2010

Frapestaartje / flickr

One of my new year’s rituals is to change my passwords.  All of them.  Personal PCs, work PCs, servers, and all the websites I visit that require a password. The hardest part of this for me is actually choosing a new password.  It has to be secure, but also easy enough to remember.  Additionally, each of them has to be at least a little different, so that if one of them is compromised, I’m not totally screwed.

Passphrases

There’s a trick I learned a few years ago that made creating passphrases (a password made of multiple words) much easier.  Did you know that the space character is a valid password character on most systems? That allows you to create an easy to remember short phrase or sentence to log in, instead of trying to remember a sequence of random characters.

The one drawback to this is that typing the space key sounds a little different from all the other keys. This might give an intruder within earshot a little more information for cracking your password, but I believe that if you make the words in the passphrase long enough, and type it quickly enough, “hearing” the space key(s) shouldn’t matter.

How to create a passphrase

You want it to be easy enough to remember, but not easy enough to guess. For example, if you’re a well-known fan of Tiger Woods, you don’t want your passphrase to be “in the hole!”, as that would be very easy to guess.  The goal here is to be random.  And, if you’re like me (and, for your sake, I hope you’re not), you might have a problem thinking of random things.  That’s where a random word generator comes in.  My favorite is the Random Phrase Generator (that same site also has random words, sentences and paragraphs).  You can create a random phrase up to four words long, with the ability to select the type (noun, verb, adjective, etc.) and the obscurity (from Very Common to Obscure), and it will spit out a phrase for you:

The Creativity Tools from watchout4snakes.com

The phrase itself may not satisfy all systems’ password complexity requirements.  Many systems may require the presence of at least one character from a certain character set, such as capital letters, numbers and punctuation. Try to mix it up a bit.  Instead of using a space, use a punctuation character or number. Or, although it’s frowned upon, you could use 1337 speak; replace l’s or i’s with the number 1, O’s or o’s with the number zero, etc. The reason it’s frowned upon is that it’s a well known substitution cipher, and may not provide much more security than without the substitution.
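As an added example (not code from the original post or from watchout4snakes.com), here is a small generator that follows the recipe above: pick one word per part-of-speech slot, then replace the spaces with digit or punctuation separators and capitalise one word so the usual complexity rules are met without falling back on 1337-speak. The word lists are a constructed sample of six words each; the entropy figure it reports is therefore tiny, and the point of the `entropy_bits` function is to show that strength comes from the size of the list you draw from, not from the substitutions.

```python
import math
import secrets
import string

# Constructed sample word lists, grouped by part of speech the way the
# generator described above lets you pick a type per slot. Six words each is
# far too few for real use; a real list has thousands of entries, and the
# entropy estimate below grows with log2 of the list size.
WORDS = {
    "adjective": ["copper", "sleepy", "brittle", "crimson", "hollow", "gentle"],
    "noun": ["lantern", "harbor", "walnut", "meadow", "compass", "saddle"],
    "verb": ["wander", "polish", "gather", "whistle", "scatter", "mend"],
}

# Separator pool: stands in for the space so that "needs a digit or a
# punctuation character" policies are satisfied.
SEPARATORS = string.digits + "!@#$%^&*-_+=?"

DEFAULT_PATTERN = ("adjective", "noun", "verb", "noun")


def random_phrase(pattern=DEFAULT_PATTERN, rng=None):
    """Pick one word per slot in `pattern`, using a CSPRNG by default."""
    rng = rng or secrets.SystemRandom()
    return [rng.choice(WORDS[kind]) for kind in pattern]


def strengthen(words, rng=None):
    """Join the words with random separators and capitalise one of them.

    The words stay readable and memorable; only the glue between them
    changes, which is what most complexity rules actually look for.
    """
    rng = rng or secrets.SystemRandom()
    words = list(words)
    i = rng.randrange(len(words))
    words[i] = words[i].capitalize()
    out = words[0]
    for word in words[1:]:
        out += rng.choice(SEPARATORS) + word
    return out


def meets_policy(password, min_len=12):
    """Typical requirement: minimum length, one upper-case letter and at
    least one digit or punctuation character."""
    return (
        len(password) >= min_len
        and any(c.isupper() for c in password)
        and any(c in SEPARATORS for c in password)
    )


def entropy_bits(pattern=DEFAULT_PATTERN):
    """Entropy contributed by the random choices in random_phrase + strengthen.

    Each word slot adds log2(words in that list); each of the
    len(pattern) - 1 separators adds log2(len(SEPARATORS)).
    """
    word_bits = sum(math.log2(len(WORDS[kind])) for kind in pattern)
    sep_bits = (len(pattern) - 1) * math.log2(len(SEPARATORS))
    return word_bits + sep_bits


if __name__ == "__main__":
    phrase = random_phrase()
    print("phrase:    ", " ".join(phrase))
    print("hardened:  ", strengthen(phrase))
    print("entropy:    %.1f bits from this tiny sample list" % entropy_bits())
```

With the six-word sample lists the whole thing carries under 24 bits, which is why the lists matter more than the separators: swapping in a list of 7,000 words per slot lifts the four-word choice alone to roughly 51 bits.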

Using hashes

I read about this concept a few weeks ago on Lifehacker; it pointed to an article on cybernetnews called “How to Remember Secure Passwords Without Writing Them Down”.  The gist of the article is to create an apparently random string of characters using an MD5 hash tool. If you’re technically savvy, you may already have MD5 (as well as SHA) hashing tools on your computer. If not, there’s a web site for that: the Online MD5 Hash Generator. Enter a word or phrase of your choosing, then press the “Calculate MD5” button, and you’ll see a long string of characters generated.  All you need to do is remember the first eight or so characters of the hash, and use them as your password.

If you do have the tools, you can use the same technique with your favorite mp3 or favorite photo as the input to the hash, and use the beginning of the resulting hex string as your password.  At first, I thought this was a crazy way to come up with passwords, but after trying it in a test, I found that you do start naturally remembering the password after entering it several times.  If you forget the password, just redo your hash.

Making them unique

I mentioned earlier that I make all my passwords slightly different to avoid having all my accounts breached if one password is cracked. When creating passwords for seriously sensitive sites (like your bank account, for instance), the password should probably be entirely different from your Twitter password, so your financial information remains safe if (or should it be when) Twitter’s password information is breached. Your work passwords should also be completely different from your personal passwords for similar reasons. However, for those not-so-sensitive services, such as the aforementioned Twitter or Facebook, try simply modifying the password in such a way as to personalize it for that site. Perhaps add the first few characters of the site’s domain name to the beginning or end of your password, or somewhere in between.

So, get to it! Happy password changing!

Gartner tells network administrators to “Release the Hounds”

Monday, October 19th, 2009

CNET reports that Gartner execs have told the crowd attending Gartner Symposium that it’s time to relax the network restrictions a bit:

[Gartner analysts] argu[ed] that corporate computing departments shouldn’t block social networking and that security shouldn’t completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can’t.

That is quite a change from the IT “lock it all down” policies that I’ve seen spiraling out of control.  In my mind, it would be a welcome change. Lockdowns of corporate networks have gone past the point of annoyance into the realm of complete productivity busting. Over the last year, I’ve been blocked from reading essential information about Linux system administration (reason given: bikinis and/or lingerie. Seriously.), and I’ve been locked out of my corporate network entirely because a password change didn’t propagate to my Maven settings (lost time: roughly four hours).

What’s amusing is, as the article says, blocking is futile.  I was able to get to the blocked Linux forum by using my iPhone.  I can do the same with social networking services.  Ditto instant messaging services that are also actively blocked. The only drawback is that it takes a bit longer.

I’ll just have to wait and see if this takes hold in the corporate world.

Why I hate proxy servers

Wednesday, September 23rd, 2009

“Hate” is a strong word. It’s also a massively overused word. I avoid the use of “hate”, reserving it for the most heinous of nouns.  One such noun is “authenticating proxy server.”  Fortunately, for most of my career, I’ve managed to avoid workplaces in which these roadblocks to the Internet are used.  That is, until my current job.

A brick wall

There was an issue that arose recently that perfectly exemplifies why I hate the proxy server. Somehow, probably through the proxy server itself, I managed to have my account locked out.  While I remained logged in to my workstation, I could not access any resources outside the proxy server. The application I was using apparently needed access to the Internet to phone home (perhaps validating registration or checking for updates), and because my account had been locked, I couldn’t get through the proxy server. When the application couldn’t complete the call home, it decided to crash. Net result: I lost about 30 minutes worth of work.  All because the proxy server was there ensuring that I didn’t go to nasty porn sites.

A similar issue occurs with some development tools, namely Maven.  During a build, Maven checks public repositories for updated libraries used in the project.  If you do not have proxy settings just right, Maven cannot access those repositories, and the build will fail.  Again, all for a little perceived extra security.

The rules in place for the proxy server to block a site appear to be completely random.  On several occasions, I’ve Googled something I was researching and found the golden nugget of information I needed, only to have the site blocked because it had been tagged as “a BLOG”. OH MY GOD NO, NOT A BLOG! Fortunately, I was able to get around that problem by either looking at Google’s cached version of the page or using a mobile broadband modem to view the actual site, but either solution meant that I wasted time.

The time lost due to data loss, build problems and blocked research is significant. This happens at least twice a month, and there have been days where this has happened twice or more.  Each “outage” costs me at least a half hour, more when you consider the “in the zone” time that’s lost.

My takeaway from this is that there is less concern about getting things done than there is about blocking questionable content from the Internet.