31 January 2020

Security Demands a Password Manager and That's Not All

Several decades ago, antivirus applications weren't necessary. Then suddenly they were. Antivirus applications weren't needed for Apple computers. Then they were. Password managers were nice-to-have applications for years, but hardly necessary. Now they are.

There are still organizations that forbid their employees to use password managers. These are places were the employees write passwords on sticky notes and put the note on the monitor. Some clever people stick the note to the inside of a desk drawer or put it under a desk pad. I remember having to change half a dozen passwords every 45 days. Instead, I set a reminder to make the change every 42 days so that my password changes would always be on Wednesdays and my passwords wouldn't expire on a weekend day. I also created a system that used a series of codes that linked in an obscure way to terms only I knew. Anyone could have the code and it would be meaningless.

 Click any of the small images for a full-size view. To dismiss the larger image, press ESC or tap outside the image.

In addition to managing passwords, these applications often have extra features that review user names to see if they've been involved in a data breach, display the strengths of passwords, and even provide an overall assessment of your passwords based on whether or not passwords have been reused, how old they are, whether they may have been compromised, and how strong they are.

Many organizations now have converted to single-log-in systems that authenticate users on all systems that they should have access to. Corporate IT departments that use these systems have made the right choice, but many users probably still write down their passwords.

Authentication can be accomplished using one of three methods and sometimes with a second factor:

• Something you know (passwords are the most common)
• Something you have (key fobs and smart cards are in this category)
• Something you are (facial recognition, fingerprints, and retina scans are used)

There are other methods, including one that was virtually foolproof in the days when phone lines and modems were used. High-security modems were designed to be user specific and those who needed access to the computer would call their modem. The modem would immediately disconnect and call the user back at the one telephone number registered with the device. This was expensive, but it was also secure.

Most financial and medical systems now seem to use multi-factor authentication. A credit union I use asks for my user name (not an email address). Then it displays a photo that I selected when I set up the account so that if I see something else I'll know there's a problem. Next, I'm asked for the account password and, when that has been accepted, I have to respond to a security question. That's a quick and reasonably painless process.

A bank that I use requires only a user name and password if I log on from a computer that has been authenticated previously. About once a week, though, the bank requires that I enter a security code that the system sends to my mobile phone. Or if I attempt to log on from a new computer, the server will send a security code to my phone to ensure that I am who I claim to be.

Security is a tough topic and I don't envy chief security officers who have to balance security with ease of use. When a system is easy to access, security is probably less than ideal. Conversely, extremely high security makes the system more difficult to use.

Passwords Are Dead, but They Don't Yet Know It

Better systems are coming and passwords will fade over the coming years as biometric systems become more popular and as their costs fall. Some notebook computers have fingerprint readers. My primary computer has one, but I never use it because it's near the keyboard and the case has to be open for me to provide a fingerprint. The computer connects to two external monitors, an external mouse, and an external keyboard and so the cover is always closed. I still use a password for access, but I can also use a PIN or the Windows Hello face recognition function. I've set up a PIN and use it occasionally just to confirm that it's working as expected. The Surface Pro tablet that travels with me recognizes my ugly mug.

Consumer-grade biometric systems still have a long way to go and should not be considered to be as secure as a password. So we're still stuck with passwords.

I've written about password managers before and used LastPass for many years. A year ago I switched to 1Password and, while it was as functional and well built as LastPass, I have switched back to LastPass. Those are just two of the programs available to help with password management.

If web browsers can remember credentials for sites you visit often, why is a separate password manager needed? That's a logical question. Although browsers are doing a better job of protecting passwords that they store, it's still better to use an app made explicitly to manage passwords.

Those of us who use more than one browser find that a password manager is an improvement over storing credentials in a browser because the manager will work with all browsers. Trying to coordinate passwords between browsers is time consuming. Password managers are even more important for those who use more than one computer and a mobile device or two. A good password manager will coordinate credentials on all of your devices.

Proper Password Procedures

Besides using a password manager, there are other good practices that improve security for your data, cloud-based resources, and online shopping. Some disagreement exists and I should note that disagreement extends even to whether password managers are a good idea. I feel that they are, but some consultants are passionately opposed because losing control of the credentials for the password manager could reveal every user name and password you have to some exceptionally bad folks.

So create a strong password for the password manager. Make it so long and obscure that nobody (not even a spouse or close friend) will be able to guess it. It's a good idea to write this password down and store it so that a spouse can find it in an emergency. Storing it on the computer is not a good idea. And don't email it to your spouse. Go old school and write it on an index card, put the index card in an envelope, and store the envelope in a location that you and your spouse know.

Other best practices:

• Change passwords frequently. NO! This is one of the most absurd suggestions in the history of computing. This practice causes no end of trouble. Create strong passwords (example: yb5*eX6U2^k31gba$J) that are impossible to guess, difficult to type, and not at all memorable. Your password manager will take care of remembering and typing the monstrous password so you don't have to. Use a service that can report when a user name may have been compromised and change the password only then. I have more than 300 passwords and if I changed them all every 45 days, I'd get no work done. Password managers such as LastPass can check your user names against lists of credentials that have been exposed or you can use an online service to see if your email address has been exposed in a data breach.
• Don't reuse passwords. This is excellent advice, but it's not an absolute. Bill Hess has written about the risks of reusing password on his PixelPrivacy blog. The exceptions to the rule that I see are for trivial resources, websites that store no personal data about you. I have unique passwords for websites such as Adobe Creative Cloud, American Electric Power, my health insurance provider, banks, Amazon, my website control panel, and other sensitive sites. Each of the passwords is long, complex, and impossible to remember. But I also have log-in credentials for CNet, Last.fm, Merriam-Webster, Nvidia support, and many other sites that are unimportant financially. In fact, most of these sites have unique passwords, too, but they follow a pattern. When I set up new accounts, I create long, strong, unique passwords, but I haven't gone back to change the less robust passwords on the trivial sites.
• Never share a password. This rates as a well, d'oh measure. Some organizations consider sharing a password with another worker to be grounds for dismissal.
• Avoid dictionary words and trivial passwords. A password manager will keep you from doing this, but if you must create your own passwords avoid ones like these (and yes, people do use passwords like these): 123456, password, letmein, 123456789, letmein123, and qwerty.
• Test your password. Long, complex passwords stored in a password manager make this less important, but download Microsoft's password testing tool if you create your own passwords. The tool's limit is passwords with 23 or fewer characters.
• Longer passwords are better. As illogical as it might seem, 111111111111111111111111 is a more secure password than X6U2yb&k. The password with all ones has 25 characters while the more complex password has just 8. Long and complex is better, but length trumps complexity.
• Make passwords hard to guess but easy to remember. Using a password manager eliminates the need to make the password easy to remember. A long and easy to remember password might be something like WeAllLiveInAYellowSubmarine. The trouble with doing something like that is that you still need to devise a separate password for each site and you'll soon forget which site uses WeAllLiveInAYellowSubmarine and which uses LucyInTheSkyWithDiamonds. Then you'll start writing the passwords down.
• Never write passwords down. There are exceptions even to this rule. In an office, writing passwords down is a bad idea -- so bad that it might get you fired. It's different at home, where some people have a notebook where they write every user name and password along with the name of the site it's used for. This is safe enough unless someone breaks in and steals the list. Still, a password manager is better.
• Use two-factor or multi-factor authentication when possible. Yes, this slows the log-in process, but it substantially improves security.

There's a lot of common sense involved in creating and securing login credentials. The more care you take, the safer you, your computer, and your data will be.

Short Circuits

A Pox on Your Website Notifications!

Website designers sometimes seem to be intent on finding ways to annoy visitors. Years ago, we had Flash animations that users had to watch before the site opened. Then designers added auto-play audio and video files. Today we have pop-ups that want us to subscribe to newsletter, that offer us chats, and — perhaps most annoying — ones that want to send us notifications.

Stop it! How can someone know whether they want to subscribe to your newsletter, chat with an auto-bot (or maybe a real person), or receive notifications from your website when they've only just arrived? This is the cyber equivalent of meeting someone and immediately asking if they want to have sex with you.

Far too many sites engage in this annoying behavior. Virtually all people who are faced with the offer to send notifications respond by saying no or just ignoring the message.

Most of us have enough messages and enough interruptions without volunteering for more. Currently Chrome, Firefox, and Safari all allow websites to engage in this annoying behavior. The good news is that browser developers are working to end the practice.

Some notifications can be helpful. You'll find them on social network sites and some news sites, but they can easily be misused. A site should prompt the user once and then abide by whatever decision is made. Instead, many sites continue asking to send alerts no matter how many times the user rejects them. Even worse, scammers have discovered how easy it is to misuse the technology.

The Chromium blog says that Google recommends developers "follow best practices for requesting the notification permission from users." The blog points out what should be a common-sense bit of information: "Websites that ask users to sign up for web notifications when they first arrive often have very low accept rates." Why this seems mysterious to some website developers is puzzling. Few people want to commit to interruptions from something that may do nothing more than waste their time until the know more about what a website offers and how information might be useful to them. "Sites that request the permission at contextually relevant moments enjoy lower bounce and higher conversion rates."

Mozilla's blog reported research late last year that showed clearly that these notifications are not appreciated by users. "We received telemetry regarding 217K permission prompts in one week. We discarded data for about 11% of prompts, coming from the approximately 40 users who had >200 prompts in the week."

A surprising number of website visitors simply left the website after seeing the first request. If the site continued to request permission to send alerts, more people left. After receiving 10 prompts from a site, nearly three quarters of users left. The requests are ineffective. At most, about 2% of users accepted the offer. More than 90% either denied the offer or left the site.

So clearly it's a significant annoyance for most users and it would be only a slight exaggeration to say nobody finds the these requests useful. More research from Mozilla shows 1.45 billion prompts were shown to users and only 23.7 million were accepted. That's slightly more than 1.5%.

Website designers who were smart enough to delay the notification request until after users had interacted with the site were much more likely to have their offers accepted — 17% instead of less than 2%.

Starting with version 80, which will be released in mid February, Chrome will allow users to block these annoyances. Mozilla has already taken steps to kill the annoyance. Version 72 of Firefox, released in mid January, accepts the website's notification request but doesn't display a pop-up. Instead, it adds an icon that looks like a speech bubble in the address line.

You can ignore the icon and the and the notification won't be displayed or you can click the icon and choose Allow Notifications or Never Allow. So the annoyances are hidden by default and you must take explicit action to see them or to permanently eliminate them.

Google plans a slightly more automated approach and will automatically block prompts from sites that are generally considered to be spammy while continuing to display alerts from sites such as Twitter and Facebook. If users rarely accept notifications, Chrome will start to block the interruptions.

This will be accomplished by switching the browser's settings to "the quieter notifications UI" according to a blog post. Even if users accept some alerts, sites with low acceptance rates will set to use quieter prompts automatically.

These changes will take care of some annoyances, but sites that pop-up a newsletter subscription box the instant your mouse exits the site will still do that.

Whose Default (Location) is That?

Windows 10 probably knows where you are. The hardware may include GPS circuitry that can pinpoint your location, but it can make a reliable guess even without GPS. Perhaps you'd like Windows to think you're not where it thinks you are.

If the computer doesn't have GPS, Windows examines nearby Wi-Fi networks, the time zone you've set, and the IP address you use to connect to the internet. That's enough to get close. You can turn this feature off if you don't want Windows to know where you are or you can limit which applications know your location.

Open Settings and type location into the search bar. Choose either Location Privacy Settings or Set Default Location. Either of these will take you to the Location tab where you can enable or disable the feature, select which applications you want to have access to your location, and specify a default location.

Enabling or disabling the location service is the first setting on the Location panel. The next option, if the Location service is enabled, allows you to specify whether apps have access to location information. Even if you turn this off, some applications may still be able to approximate your location by using Bluetooth, Wi-Fi, a cellular modem, or other hardware, but with limited accuracy. Apps provided via the Microsoft Store are required to respect the Windows Location settings.

If you choose to give apps access to Location data, you can then turn the permissions off or on for specific apps.

There's also a section called Default Location and this is what Windows uses when it's unable to detect your location. Desktop computers, unlike notebook systems, lack GPS hardware and will probably be connected to the internet via a wire. As a result, some of the clues will be missing. If you've established high security settings or put the computer in airplane mode, Windows can't determine your location. But you might still want some location information to be available.

That's what the Default Location setting is for. Clicking Set Default may surprise you. Instead of showing another Settings panel, it opens the built-in Maps app, opens the pap's settings, and offers the ability to add, change, or clear the default location.

If applications that depend on knowing your location are providing incorrect results, use this to add your current location.

And if you'd like more information on the Windows 10 Location function, visit Microsoft's support site.

Spare Parts

Facebook Promises Better Security, but Don't Hold Your Breath

On Data Privacy Day (28 Jan) Mark Zuckerberg wrote on Facebook's blog that the company's goal for the next decade is to build much stronger privacy protections for everyone on Facebook, admitting "we know we have a lot of work to do here."

Over the next few weeks Facebook will display reminders to nearly 2 billion people, encouraging them to review their privacy settings. A new Off-Facebook Activity tool is available to some Facebook users now, but Facebook makes it hard to find. Here's a direct link. Zuckerberg says "other businesses send us information about your activity on their sites and we use that information to show you ads that are relevant to you. Now you can see a summary of that information and clear it from your account."

Facebook Login lets users sign in to other apps and services using Facebook credentials. This is a feature that most security experts recommend against, even for trivial applications such as games and streaming services. If you use that functionality, you can now track of your activity with Login Notifications, a function that's supposed to be available now.  It will alert users when their Facebook login is used to sign in to third-party apps.

You Can't Make This Stuff Up

A man who ran a company that claimed to protect businesses from distributed-denial-of-service (DDoS) attacks has been arrested for paying to have DDoS attacks launched against other companies. Maybe he was trying to show the company why they need protection. In any event, it wasn't legal.

According to Brian Krebs (Krebs on Security) Tucker Preston of Georgia entered a guilty plea in a New Jersey court. The Krebs on Security account says that Preston will be sentenced in early May. He faces up to 10 years in prison and a quarter-million dollar fine. Krebs and Preston have a bit of common history. When Preston was 19, Krebs exposed other questionable actions by Preston.

Some folks don't learn the lesson the first time.

Twenty Years Ago: Steve Jobs Goes Airborne

In the late 1990s, Apple was nearing bankruptcy when Steve Jobs returned to Apple as an advisor with a salary of just $1 per year. By 2000, the company's fortunes were beginning to turn.

The board of directors gave Jobs 10 million stock options and a Gulfstream jet in appreciation for first-quarter financial success. At that point, Jobs had been the interim CEO for about 30 months and watched as Apple's market valuation increased from less than $2 billion to more than $16 billion. For the quarter ending January 1st, Apple reported earnings of $183 million, up 20% from last year. Revenue rose 37%.

Jobs died in 2011, but the company he co-founded with Steve Wozniak continues to thrive.