Creating Secure Passwords and Keeping Them Secure

A few weeks ago, when I described my week without Windows, one of the first challenges I faced was the inability to move passwords from my Windows password manager (KeePass 2) to Linux. The solution involved creating an encrypted directory and storing a spreadsheet file there. It worked but it wasn't very elegant. The other problem I had with KeePass was that it didn't work on Apple's OS X. I needed to synchronize the password file manually on two computers at home and one at the office. Might there be a better way?

There is and it's called LastPass. Because passwords are stored on the LastPass server, you can use them from any computer. And because LastPass is a plug-in for all of the major browsers, it works equally well on Apple, Linux, and Windows computers. The basic service is free and a premium version costs just $12 per year.

You Want Me to Store My Passwords on the Internet!???

Yes, I do. Your backup files may already be on a remote server. Do you pay any bills via your bank's website? What about the IRS, state tax agencies, and regional taxing authorities? Have you filed your federal or state returns online after filling out all of the paperwork at a website? I have and then I visited the regional taxing authority's horrid website to file my local return.

You're wondering if there are risks. Of course. But there's a risk involved in just getting out of bed in the morning, and a different risk involved in deciding not to get out of bed in the morning.

The company that provides the service is Marvasol and, according to Business Week, "Marvasol, Inc., doing business as LastPass, provides single sign on capability solutions to organizations. The company offers a password manager that allows users a secure method to login to Websites and applications. It also provides single sign on in mobile and shared workstations environments from various computers and mobile devices. The company was founded in 2008 and is based in Vienna, Virginia."

How It Works

Because passwords are encrypted and stored on Marvasol's servers, you might wonder what happens if you can't reach Marvasol's servers. The passwords are also encrypted and stored on your computer so they're always available. What's on the company's server is actually an encrypted backup copy of your data so that you can securely and seamlessly restore your passwords when you change computers.

If you have an existing password manager or if you use a browser to remember passwords, LastPass can import them. The import feature supports files from Internet Explorer, Firefox, RoboForm, 1Password, KeePass, MyPasswordSafe, Password Agent, Password Safe, Sxipper (which ceased operation on 15 April 2011), Passpack, and TurboPasswords.

Particularly if you use more than one browser, you should install the application separate from any browser even though you can install individual plug-ins for each browser. Installing at the operating system level installs for all browsers. And if you install on multiple computers, import passwords from just one location. Importing from multiple locations will result in a lot of duplication.

Most of the images in this series are from Chrome, which is not entirely compatible with LastPass. All of the important features work but flaws in Chrome can cause some display problems.

Shortly after setting up LastPass, I noticed an option to test my passwords. Passwords shouldn't be repeated, even for trivial accounts, but I had repeated some for those kinds of accounts and I knew they would count against me.

Unfortunately, I had also reused passwords for some decidedly nontrivial accounts.

So my score was a miserable 50.7, which means that about half of the LastPass customer base does a better job than I do.

My passwords ranged from lousy (1st column) to bad (2nd column) to decent (3rd column) and good (4th column).

LastPass requires its own password and this is one that you'll need to remember. It seems that my choice for that password was reasonably intelligent.

LastPass appears on your browser by default as a red square with a white asterisk in it. If you don't like that one, you can choose something else. Actually, it's red only when you have authenticated your identity by providing your master password. Until you do that, the icon is black.

A drop-down menu provides access to the program's features.

When you create or capture passwords, you can review them in the LastPass Vault. From here you can select a link and open the associated website (relax, there's an easier way), edit the account information, delete the entry, or share it. If you need to send someone a password now, what do you do? E-mail it? That's highly insecure. LastPass provides a way to securely share a password.

This is the edit screen where you'll see the URL, user name, and (optionally) the password. The password is hidden by default, but you can reveal it on this screen. There's also a place for notes. Notes are encrypted, too.

A drop-down list of recently-used sites makes opening your favorite sites easy. And, if your browser automatically opens several sites when you start it, LastPass can log in to those.

I have nearly 200 sites that I've divided into categories so that navigating to them is fast. In this way, LastPass not only manages passwords but also bookmarks so that all of the sites you use are available on all your computers, regardless of browser or operating system.

It's well known that the best passwords are long and contain a variety of characters (upper case, lower case, numeric, and symbol).

The problem with a password such as "C5!6Etq^AS%AmhT" is that nobody can remember it. People write down secure passwords such as these, instantly making them insecure.

Because LastPass remembers them, you can use high-quality passwords even for "trivial" sites.

LastPass can fill in forms, too, with whatever information you provide on a per-profile basis. You might have one profile with your home billing and shipping address, a Visa card, and your home e-mail. Another profile might have your home billing address, a business shipping address, an American Express card, and your office e-mail address. If you do a lot of online shopping, you'll find this to be a real time saver.

Another useful feature is the ability to store secure notes in LastPass. Social Security numbers for members of your family or driver license numbers, for example. This is a good way to store any information that you might need but won't remember. As long as a computer with Internet access is nearby, you have access to the information.

Alarm bells may be ringing in your head about now. I mentioned using a public computer to access this data. Yes, you can do that. If you log on to the LastPass website, no files are stored on the public computer. If you are using an untrusted public computer and need to access your LastPass data but are hesitant to do so because of potential keyloggers, LastPass provides One Time Passwords (OTPs) as one option for securely accessing your account.

Using the LastPass Web interface to log on to one of your secure sites won't expose the user name and password, but you may still be concerned about sending and receiving data securely, even with an https connection, from a public computer.

When you log on to the LastPass website, you'll find additional management options. Here you can delete multiple entries simultaneously or easily move many entries from one category to another.

LastPass also reports to you the IP address, time, and browser type that corresponds to recent uses of your online account. Assuming you use a secure password for LastPass, you'll probably never see anything surprising here.

The local copy of your passwords is stored in an encrypted file. That's it over at the right. You won't be able to read it, but then neither will anybody else.

Password Security Recommendations

LastPass provides several useful recommendations for making passwords more secure.

Eliminate Duplicate Passwords

Having identical or similar passwords for multiple websites is dangerous. LastPass's security analysis clearly identifies these sites. You should then manually visit each of these sites and change the password to something that is both unique and strong.

Eliminate Weak Passwords

As you saw in my own security report, LastPass ranks passwords. Weak passwords should be changed to something more secure by visiting the website and changing the password. LastPass can generate the password and automatically update the account record. If you have several hundred accounts, this might take all day but it's time well spent.
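An added example, not LastPass's own code or scoring method, of the kind of audit the two recommendations above describe: it reads a constructed site/username/password export, flags passwords reused across sites, buckets each password by a character-class entropy estimate (the lousy/bad/decent/good columns), and computes a percentage score. The thresholds and the score formula are assumptions made for this example.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample export (site,username,password); all values are made up.
SAMPLE_EXPORT = """site,username,password
bank.example,alice,C5!6Etq^AS%AmhT
news.example,alice,summer2011
forum.example,alice,summer2011
shop.example,alice,Tr0ub4dor&3
mail.example,alice,C5!6Etq^AS%AmhT
"""


def char_pool_size(pw):
    """Estimate the alphabet size from the character classes present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII symbols
    return pool


def strength_bits(pw):
    """Rough upper bound on entropy: length * log2(pool). Ignores dictionary words."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(char_pool_size(pw))


def rank(bits):
    """Bucket a password the way a report column would (thresholds assumed)."""
    if bits < 40:
        return "lousy"
    if bits < 60:
        return "bad"
    if bits < 80:
        return "decent"
    return "good"


def audit(export_text):
    """Return reused passwords, a per-site rank, and a percentage score."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    by_password = defaultdict(list)
    for r in rows:
        by_password[r["password"]].append(r["site"])
    duplicates = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
    ranked = {r["site"]: rank(strength_bits(r["password"])) for r in rows}
    # Assumed score: share of sites whose password is unique and at least "decent".
    ok = sum(1 for r in rows
             if r["password"] not in duplicates and ranked[r["site"]] in ("decent", "good"))
    score = round(100.0 * ok / len(rows), 1) if rows else 0.0
    return {"duplicates": duplicates, "ranked": ranked, "score": score}
```

On the sample data the strong password used at both bank.example and mail.example is still flagged, because reuse, not weakness, is the problem the report is pointing at.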

Stop Storing Passwords Insecurely

Storing passwords in a browser, on scraps of paper, in an e-mail, or in any unencrypted format is a needless and serious risk. When you install LastPass, the installer will offer to import passwords from your browser and then delete them from the browser.

Start Using a Multifactor Authentication Scheme

This is an advanced feature but it's available even in the free version. It significantly increases the security of your confidential information. Users of the premium version can elect to use a YubiKey Multifactor Authentication device, which must be purchased separately. Increasing security also increases complexity and simply logging on will take longer. Whether the extra trouble is worth the enhanced security is something that each user must decide individually.

Improving My Score

After spending a few hours working to eliminate some of the duplicate passwords, my score was 70.1%, which puts me in 8671st place. That's better, but there's still room for improvement. Because some passwords are by design shared across multiple corporate entities, I will always have some duplicate passwords and I may not spend a lot of time improving my credentials for newspaper sites. What's important is that the critical sites now all have unique and secure passwords.

5 Cats. Bottom Line: Secure passwords no longer have to get in the way.

LastPass is the easiest and most comprehensive password management system I've seen. It works on most operating systems and with most browsers and the premium version adds support for most smart phones. The security is awesome. The price (free if you don't need the premium features) is incredible.
For more information, visit the LastPass website.

The Long Journey for ThumbsPlus

One of my favorite image organizers, ThumbsPlus, is about to release service pack 1 for version 8 of the application. Version 8 was introduced in 2010 but I've not yet reviewed it because the initial release of version 8 was badly flawed. Several months (and 4 betas) later, SP1 for ThumbsPlus 8 makes the application one that I can recommend as enthusiastically as I recommended earlier versions.

ThumbsPlus from Cerious Software has been an important part of TechByter Worldwide and, before that, of Technology Corner, and I'm delighted to see that version 8, which was released several months ago, is about to be updated.

Here's something you might not think about when you're looking at a graphics application: Unicode support. After all, Unicode is for text and graphics applications are ... well, for graphics. But ThumbsPlus 8 is a Unicode application. Because of this it supports folder names, file names, and data in any language regardless of the edition of Windows on the computer. That's the good news.

The other good news is that this makes version 8 incompatible with Windows 95 through Windows Me. If you're still using one of those operating systems, you probably already know that you're not exactly on the cutting edge of 21st Century computing.

Most parts of ThumbsPlus are now ready to be built as a 64-bit application, which will allow much larger images to be loaded and handled. Some parts will have to remain 32-bit in order to call 32-bit libraries from other vendors at least until those are available in 64-bit form.

Python has been added to ThumbsPlus for use as a scripting language. This will enable both Cerious Software and users to extend the capabilities of the application. The developers say that more parts of ThumbsPlus will be moved to Python to allow easier customization. The ability to add Python routines will be added to the user interface in version 8.1.

Several important features were broken in the initial version 8 release but most of these have now been fixed.

If you're a longtime user of the application who believes in its future, you might want to check out the "perpetual license". Buyers who opt for the perpetual license will receive all future versions at no cost.

For more information, see the ThumbsPlus website and you can expect a full review of the application when version 8.1 arrives.

A Koobface by Any Other Name ....

The Koobface worm should probably be called Koobecaf. After all, "koob" is an anagram for "book" so "ecaf" would be the corresponding anagram for "face". Koobface, which began its nefarious life on Facebook, has finally moved on, though. Koobface infected a lot of computers last year but it hasn't been seen on Facebook since mid February.

You may have encountered it. A Facebook link directed users to a fake YouTube video. The video wouldn't play unless you downloaded an "updated codec". (That would be a big Warning Sign!) The "codec", of course, turned out to be a malicious application.

Security specialists considered Koobface to be among the most serious social networking threats. The attack vector was via a private message with a link to the supposed video. Often the links were obfuscated by URL shortening utilities such as goo.gl, tinyurl.com, or bit.ly.

The attackers appear to have monetized their "service" by using compromised computers to send spams for fake drugs. The command and control system consists of at least 150 servers that maintain a botnet of indeterminate size.

Facebook began actively blocking Koobface attacks last year and that apparently forced the fraudsters to try other means.

Short Circuits

Cisco Flips Off

Could this be characterized as a Flip Flop? Flip, the digital video camera originally made by Pure Digital but scooped up a couple of years ago by Cisco Systems, is still one of the most popular video recorders on the market. Cisco is killing it anyway. Since buying the company in 2009 for just under $600 million, Cisco has done nothing to improve the Flip, which is now being eclipsed by smart phones. So RIP, Flip.

Cisco is "making key, targeted moves" to "align operations" to support its "network-centric platform strategy" according to Cisco CEO John Chambers. Too bad the company didn't think of that before buying and then abandoning Flip.

Instead of trying to sell the business unit, Cisco is just putting it out of business.

To Cisco, $590 million is pocket change so it's hardly worth thinking about the people who work for Flip or those who have purchased the company's products. More than 500 people will lose their jobs but this is little more than a rounding error for Cisco—about 1% of the company's workforce.

The Flip has been copied by other manufacturers but it's still the number one seller in that particular market niche. In fact, the Flip was the top-selling video camera in the US last year with about a quarter of the market—2.5 million cameras.

It was a capable little camera, too. This year I was the judge for an online video competition and two of the videos were created using a Flip. Had the videographer not mentioned that fact in the accompanying paperwork, I would never have suspected.

Despite Cisco's "network-centric platform strategy", the company never made any attempt to give the Flip any network capabilities. Not even basic Wi-Fi. And this is the device used by millions to create and upload YouTube videos.

Criminal shortsightedness is not an indictable offense.

US: Not Exactly a High-Tech Leader

Most US citizens probably think the US is a high-tech leader. Not exactly. That would be Sweden. We're not number two either. That would be Singapore. Third and fourth place are occupied by Finland and Switzerland. Then comes the US in fifth place. Way to go!

The US can still proudly announce that we're ahead of Canada (eighth place), Norway (ninth place), Germany (thirteenth), Britain (fifteenth), and, to the delight of some, my family's homeland, France, in 20th place.

The World Economic Forum in Davos, Switzerland, ranks 138 nations on more than 70 economic and social characteristics. The survey began in 2001 and this year highlights what are being called the "Asian tigers". Taiwan is one step behind the US. South Korea is in tenth place, Hong Kong is 12th, and Japan is 19th. Indonesia moved from 67th place to 53rd place as a result of improved educational standards.

More than 50 nations have better math and science education than the US. Forty-seven nations have lower-cost telephone service than the US. Seventy-five nations have a higher percentage of people who use mobile phones. And even in the category of personal computer ownership the US lags behind 23 other countries.

But we did beat France.

An iPad for Every Five-Year-Old!

Next fall's incoming class of kindergarten students in Auburn, Maine, will all be given iPads. At a time when school systems are generally having to make do with less, a reasonable question would seem to be whether this is genius or folly. Another reasonable question might be how many of the devices will still be functional at the end of the school year.

The district will have 300 five-year-old students, so that's an expenditure of (assuming some sort of discount) at least $120,000. The iPads will be used to teach letters, numbers, drawing, and music according to Superintendent Tom Morrill.

Maine became the first state to give all 7th and 8th graders Apple laptop computers in 2002. Since then, the program has grown and about half of all Maine high school students are given laptop computers.

Some education experts say that, overall, computers are not a good investment for schools, but others point to the ability of devices such as the iPad to interest and engage students.

Morrill says most of the criticism he's heard so far centers on the cost. The plan is to raise money for the hardware from foundations and from federal, state, and local government agencies.