A Vault for Your Passwords

I once read a book on passwords and the author suggested that an astonishingly large number of people use "password" as their password. Some try to obfuscate it a bit with "p455w0rd" or "PaS5w0Rd", but an automated password cracking program will need only a few minutes to discover it. Secure passwords should have at least 16 characters and the characters should be random. The problem with something like "J]fpVfiEy{Muh7Nkz0=b", though, is that nobody can remember a monstrosity like that, so it will be written down and taped to the side of the monitor. More security-conscious folks might store the slip of paper in the top left drawer, under a notepad. Creating a good password isn't difficult, but no password should be used for more than one function. How many do you have? How can you keep them straight?

The best password, if you needed just one, would be something you would find easy to remember while being difficult for someone else to guess. For example, maybe you've always wanted to visit Egypt, your best friend when you were growing up lived at 3361 Smith Road, and your great aunt had a cat she called Stinky. These bits of information can be combined to make this password: Cairo3361Stinky. And if you're concerned that you'll forget it, you could even leave yourself a note: "North Africa, Joe's address, Aunt Martha's pet." You'd still be better off not writing yourself a note, but obscure clues that are themselves tucked away are acceptably secure in most cases.

The problem is that you should use the password for only one system or service. That means you'll need to create an entire series of passwords: The office computer's primary log-in, various servers at work, a home computer, bank websites, home and office e-mail accounts, online stores. The list goes on and on. Then you have to remember whether Cairo3361Stinky belongs to the bank's website or Amazon.

KeePass Creates Secure Passwords


There is a solution. KeePass is a free open-source password manager that solves the problem of creating secure passwords, storing them securely, and making them available as needed. It stores all of your passwords in one file and the file is encrypted. Suddenly everything is more manageable: Now you need to remember just one password, the one needed to unlock KeePass.

Above at the right is a sample entry in KeePass.

KeePass creates the kind of password you won't be able to remember. If you want extreme security, you can choose a 256-bit hex key such as "6fae4c32a0136621313571e5aff9e358abfc5024dda8497bb9fd0c7b2326ece2". Or, if extreme security isn't important to you, settle for something as "simple" as "j2bdcvJ3". That's an 8-character password, and it's about as short as you want a password to be. With 52 letters (26 upper case and 26 lower case) and 10 numbers, each of the 8 positions can contain any of 62 values. If you allow punctuation and special characters, you can increase that substantially. And if you allow high-bit characters, you would have nearly 250 possibilities for each of the 8 positions.

Limiting the selection to just letters and numbers, this arrangement has 62 x 62 x 62 x 62 x 62 x 62 x 62 x 62 (62 to the 8th power) possible combinations. That's 218,340,105,548,896 (218 trillion). Assuming someone tried to break the password by brute force, that the miscreant could test 100 passwords per second, and that he would stumble onto the correct password after testing approximately half of the possible combinations, this is how long he could expect to spend looking for the right password: 34,954 years.
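The keyspace arithmetic above, generalized to the article's other cases (punctuation, high-bit characters, a 256-bit hex key) and paired with a generator that draws from the operating system's CSPRNG, which is the property that makes those figures apply. This is an added illustration, not KeePass's code; the guess rate is a parameter because the article's 100 guesses per second is far below what an offline attack against a stolen password file can manage.

```python
import math
import secrets
import string

# Alphabets the article discusses. The ~250 "high-bit" figure is the
# article's approximation, so it is passed as a plain symbol count.
ALNUM = string.ascii_letters + string.digits        # 62 symbols
ALNUM_PUNCT = ALNUM + string.punctuation            # 94 symbols
HEX_DIGITS = "0123456789abcdef"                     # 16 symbols

def keyspace(symbols: int, length: int) -> int:
    """Distinct passwords of `length` drawn uniformly from `symbols` symbols."""
    return symbols ** length

def entropy_bits(symbols: int, length: int) -> float:
    """Guessing work expressed in bits: log2 of the keyspace."""
    return length * math.log2(symbols)

def expected_crack_years(symbols: int, length: int, guesses_per_second: float) -> float:
    """Expected brute-force time under the article's model: the attacker
    finds the password after trying about half of the keyspace."""
    seconds = keyspace(symbols, length) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

def generate_password(alphabet: str, length: int) -> str:
    """Draw each position independently from the CSPRNG (`secrets`), so the
    password is uniform over the keyspace. Hypothetical helper, not
    KeePass's generator."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def comparison_table(guesses_per_second: float) -> list[tuple[str, float, float]]:
    """(label, bits, years) rows for the article's cases at one guess rate."""
    cases = [
        ("8 alphanumeric", 62, 8),
        ("8 letters/digits/punctuation", 94, 8),
        ("8 high-bit (~250 symbols)", 250, 8),
        ("16 alphanumeric", 62, 16),
        ("64 hex digits (256-bit key)", 16, 64),
    ]
    return [(label, entropy_bits(s, n), expected_crack_years(s, n, guesses_per_second))
            for label, s, n in cases]

if __name__ == "__main__":
    for label, bits, years in comparison_table(100):
        print(f"{label:30s} {bits:6.1f} bits  {years:.3e} years")
    print("sample:", generate_password(ALNUM, 8))
```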

But now you need to store the password where you can find it.

KeePass Stores Passwords Securely

Because KeePass version 1 needs no installation procedure, all you need do is copy it to your computer's hard drive or open it from a thumb drive. That means you can easily keep all of your passwords on a computer at the office, on your computer at home, and on a thumb drive in your pocket. The application does have an installer, though, for those who want to automate the process of creating a menu entry or an icon on the desktop. Version 2.0, now in beta, requires Microsoft's .Net Framework. That makes setup a bit more difficult, but you can copy the installed files to a thumb drive and run them from there, so portability remains the same.

Additionally, KeePass works with Mono (a .Net Framework equivalent for Linux and OS X), so you can run the same application on nearly any computer.

What If You Lose the Thumb Drive?

Nothing. The password file is encrypted. In addition to that, the passwords are encrypted even when KeePass is running and unlocked. If the computer should crash while KeePass is unlocked, the resulting memory dump that's written to the disk will contain only the encrypted copy of the file.

So that you don't have to type "j2bdcvJ3" every time you open a connection, you can tell KeePass what the window title is (the text that appears in the upper left corner of the window) and then define keystrokes that will fetch the appropriate user name and password, then paste them into the application. By default, the process pastes the user name, the tab key, then the password and Enter. If you work with an application that requires more information (a payroll system, for example, might have a company code in addition to the user name and password), you can define a process that adds the extra information.

Creating a Secure Password to Lock KeePass

The password you use to open KeePass absolutely must be memorable. If you forget it, all of your super-secret passwords will be unavailable. So choose this password with care.

Let's say you like music by the Beatles and that a couple of your favorites are "We All Live in a Yellow Submarine" and "Glass Onion". "WeAllLiveInAGlassOnion" would be nearly impossible for anyone to guess, but it's sufficiently memorable that you won't forget it. Or do it this way: "WEallLIVEinAglassONION". Just be sure that it's not something somebody would know about you (the name of a parent, spouse, child, or pet; your home town, phone number, license number, or social security number; auto make or model; and so on). Obscure but memorable, and long. That's the rule.

And don't forget to back up your password file. Several times. In multiple locations. If the data file on your computer is lost to a disk crash or system corruption, you'll want to be able to recover it.

Bottom Line: Quick, easy, secure, and free. Pick any 4.

KeePass has far more features than I've had time to talk about here, but if you have passwords and you're concerned about forgetting them, losing them, or having them stolen, this is the application you need.
For more information, visit the KeePass website.

Should You Let TestMyPCSecurity Check out Your Computer?

I received an offer from Comodo, the company that provides a free firewall that I used until it was improved so much that it became unusable. The offer was a free suite of test tools: "Do you know if your PC is well protected? Testmypcsecurity.com can tell you. If you're connected to the Internet, it's like an open doorway for hackers to see your online activity. Testmypcsecurity.com lets you know how secure your computer is." This is the kind of thing that I find intriguing and often useful. Not this time, though.


I should start by warning that it's always a bad idea to accept any pop-up offer to scan your computer for security hazards. These are always frauds that range from scans that "find" lots of infections and then sell the sucker a worthless product to others that encrypt the user's drive and won't decrypt it until a ransom has been paid.

E-mail offers are suspect, too. This one claimed to be from Comodo and the e-mail headers confirmed that it did originate with Comodo. Further investigation confirmed that Testmypcsecurity.com is associated with Comodo.

So I visited the website. The first thing I noticed was that the site must have been set up by an amateur who didn't know enough to set up the server so that "Testmypcsecurity.com" would resolve to "www.Testmypcsecurity.com". Forget the "www" part and you get a "page not found" error. This should never happen.

The site told me I could "download tests individually or in one zip to check your own security software." I decided to download the Zip file.

Both AVG Antivirus and the Microsoft Windows Defender went nuts! They warned about threats in the file I was downloading. That wasn't too unexpected; after all, the tests are supposed to mimic malware. I told the security applications to stand down and allow the intruder to pass. A professional website designer might have thought to warn people about that.

Examining the Zip File with AVG

Next, I scanned the Zip file with AVG antivirus. It told me that every file had at least one hazard within, and some had more than one. Based on this response alone, I would have to conclude that my computer is reasonably well protected.

On the left, warnings about infections. On the right, warnings about spyware.

There were more warnings when I started extracting the tests from the 32 individual Zip files. Some of the tests unzipped to their own directories. Some did not. This was yet another oversight that I would hope a professional wouldn't make. But I didn't get very far in the extraction process: Nearly every file generated at least one dire warning from AVG, Microsoft Windows Defender, or both. Two were deemed so potentially harmful that AVG wouldn't even allow me to extract them. And one had an installer file!

Sure, I'm going to install a file that I've been told will "test my system's security" even though it's from somebody I don't know.

I contacted Comodo and Testmypcsecurity.com to express my concerns.

Paul Whitehead of Comodo dismissed the concern, saying, "This is a false positive on the part of your AV software. The tests are harmless simulations of attack vectors and do not contain malicious code. Comodo is sponsor of the testmysecurity (sic) project. The tests on testmypcsecurity are indeed collected from various sources but none contain harmful code."

I could, of course, have turned off the protective software, but that's exactly what a social-engineering attacker would request. It's something that many users, fortunately, wouldn't even know how to do. If Comodo's expectation is that unsophisticated users will be able to test their computers with these 32 applications, I think they're going to be disappointed.

Incidentally, I don't doubt that the applications probably are safe to use. It's just that they're essentially impossible to use. If you're looking for a good, easy-to-run security test, try Shields Up from Steve Gibson at Gibson Research.

Bottom Line: Not worth the price even though it's free.

The entire idea needs some additional thought and planning along with better execution. It's an interesting and possibly useful idea. As it stands now, though, it doesn't come close to getting off the ground.
This is where I usually provide a link to the company's website.
Not this time.

Short Circuits

America's Most Photo-Friendly Cities

Quick! What's the nation's most photo-friendly city? According to the current Popular Photography magazine, it's Denver. Yeah, that surprised me, too. But what was even more of a surprise is that Columbus, Ohio, is 19th on the list, beating out Houston, Chicago, Las Vegas, Los Angeles, and Phoenix, among others.

This isn't strictly a technology story, but if you love to use your digital camera, you might want to check out some of the nation's 30 most photo-friendly locations.

The magazine made the selections based on the cost to visit the city, hours of sunshine, rain or snow, cleanliness of the air, camera stores, photo processors, parks, zoos, museums, galleries, the crime rate, and security.

Columbus was the only Ohio city on the list and scored just slightly lower than New York and San Diego.

And yes, Columbus is photo friendly:

And a few from some of those other cities:

If you're from central Ohio, go out and enjoy. If you're not from central Ohio, consider stopping here the next time you're on the way to one of the big traditional "tourist destinations". Ohio is still considered a "fly-over" state by the tourism industry, but Ohio has a Department of Travel and Tourism — I know because I worked there in the 1970s when it was a bureau in the Department of Economic and Community Development.

Conficker: The Story That Won't Go Away

Your computer is most likely not infected with the Conficker worm, although 9 to 15 million computers probably are. Assuming your copy of Windows is legal, you install security updates as Microsoft makes them available, and you have up-to-date protective software, your risk is essentially zero. Still, Conficker has awakened, stretched, and started to see what it can do.

On Thursday, Conficker began updating itself. The worm sets up a peer-to-peer network between infected machines. The updated software is more aggressive. The earlier versions blocked infected machines from visiting the websites of antivirus providers. The antivirus providers then set up special sites that provided tools to remove Conficker. The new application blocks access to many of those.

Researchers say that Conficker is scheduled to remove most of itself on May 3. Most. Not all. Enough of a stub will remain for the machine to listen for a message from the malware writers.

But the main question has been what the intent of the worm writers was. Antivirus companies say that part of this update process involves downloading the Waledac spam software. And this is probably how the writers hope to monetize their worm: Use it to send spam. Waledac is one of the best-known (but not so beloved) spam bots on the Internet.

Vandalism Shuts Down Phone Service Near Silicon Valley

If you're looking for something frightening, here it is: Vandals cut 4 inch-thick cables this week south of Silicon Valley and brought portions of 3 counties to a virtual standstill. It took AT&T workers 17 hours to restore service after someone removed a manhole cover, climbed down into a cable vault, and cut the cables.

By "virtual standstill", here's what I mean: Nobody could make a phone call because regular telephones were out of service, along with cell phones. Banks either closed or wrote paper receipts. Gas stations couldn't authorize credit card payments, so they took cash only. In an emergency, if you couldn't find a passing police car, you'd have to run or drive to a fire station.

According to the San Jose Mercury News, AT&T is offering a $100,000 reward for information that leads to the arrest and prosecution of the vandals.

It wasn't the work of an ordinary vandal. Whoever did this had to know where the cables were and had to have the right tool to remove the manhole cover. Somebody knew, and somebody had access to that tool.

The scary part is that just a few well-placed cable cuts, or worse, could do the same thing to New York, Chicago, Los Angeles, or Washington. And possibly with results lasting more than 17 hours. For the full story, visit the Mercury News website.

$388 Million Fine Ordered for Microsoft

Microsoft has lost a patent infringement case and has been ordered to pay anti-piracy software publisher Uniloc $388 million, but says it will appeal the verdict. The trial has been working its way through federal court in Rhode Island for 6 years.

A jury agreed with Uniloc that Microsoft infringed the company's patent on software that discourages piracy by creating a unique ID code when applications are installed. The suit was filed in 2003 and alleged that Microsoft used Uniloc's technologies for Windows XP and also for Office 2003.

Pre-trial negotiating continued until March, when the trial finally got underway.