Tuesday, January 26, 2016

Apps to Manage Passwords So They Are Harder to Crack Than ‘Password’

More on password strength, this time from the New York Times.

"It became official again this week: We are awful at passwords.

Year after year, studies show that many people still rely on passwords that are so weak that even a 5-year-old could crack them. According to a study released this week by SplashData, a developer of password management software, consumers continue making the riskiest choices with passwords by consistently using overly simple ones.

The highly unimaginative “123456” and “starwars,” for instance, were among the most commonly used passwords of 2015, SplashData said.

Now for a confession: I am no better than the rest of you. The password management app Dashlane recently ran a security audit of all my passwords — and what it found was ugly. It revealed that out of my 70 passwords, I had reused the same one 46 times. Twenty-five of the passwords were flagged as being particularly weak, or easy for a hacker to crack.

In my shame and embarrassment, I put together a guide of best practices for passwords and tested some tools that would help manage them. Here’s what it boils down to: To have the safest passwords protecting your digital life, each password should be unique and complex. But since memorizing 70 unique and complex passwords is nearly impossible, we also need password manager programs to keep track of them all.
 
Jeremiah Grossman, the founder of WhiteHat Security, a web security firm, says he memorizes only a few passwords, including one to unlock his computer, and another to unlock an encrypted USB drive containing a file with a list of all his passwords for dozens of services. None of his passwords are memorable because they are random.

“I select them quite literally by banging on the keyboard a few times like a monkey,” Mr. Grossman said in an interview, adding, “My setup is a bit more paranoid than the average person.”

The rest of us need password managers, a type of app that locks passwords in a vault and allows access to them with one master password. I tested three popular password management services — LastPass, Dashlane and 1Password — for several days. All were similar, with 1Password standing out as the most cleanly designed (and least annoying) password management tool.

To put the password managers to the test, I began by cleaning up my password hygiene. I spent two and a half hours logging in to all 70 of my Internet accounts and changing each password, one at a time. Following the advice of security experts, I created long, complex passwords consisting of nonsensical phrases, lines from movies or one-sentence summaries of strange life events, and added numbers and special characters. (Samples: My favorite number is Green4782# or The cat ate the CoTTon candy 224%.)

Then I turned to the password managers, which store your passwords and make them accessible with a master password. Naturally, your master password should be rock solid. So for each of the three apps, I created a complex master password and jotted those down on a piece of paper. After a few days I memorized those passwords and threw away the paper.

I recommend 1Password for several reasons. The app consistently and automatically detected whenever I logged in to websites or created new passwords to ask if I wanted to add a password to the vault.

When logging in to a site, I clicked on the 1Password icon in a computer browser or opened the app on a phone, entered my master password and selected the service I wanted to log in to in order to plug in the password. (1Password can be set up to require the master password after a certain amount of time, say five minutes, if you don’t want to keep entering it; on iPhones it can be configured to unlock the vault with your fingerprint instead of the master password.)

Of the password managers I tested, Dashlane was the most frustrating because it nagged me with too many questions. After I used Dashlane to log in to TicketWeb to order movie tickets, the app asked if I wanted to save a copy of the receipt inside its vault. In the process of doing that, it froze the browser and I lost access to the web tickets for a moment. Also, whenever I created a new password, Dashlane sent notifications asking if I wanted the app to automatically generate passwords for me — which was not my preference.

Dashlane said the app was proactive about notifications partly because it was designed for users who may not be technically savvy.

“With password management becoming something that mainstream consumers care about, the simplicity of the product needs to be completely different,” Emmanuel Schalit, Dashlane’s chief executive, said in an interview. “We tried to build a solution that a not sophisticated user could use.”

The third app, LastPass, was less annoying than Dashlane, but in multiple instances it did not detect when I was logging in to a website to add the password into its vault. That required me to manually create a new password entry to add to the vault.

Each of the apps offers the ability to share password vaults across multiple devices, like smartphones, tablets and computers. Wireless synchronization for passwords is a necessity: You don’t want to be locked out of a service on your smartphone because you left your laptop containing all your passwords at work, for instance.

What distinguishes the password management apps is how they share your passwords among different devices, and how much they charge. Dashlane is initially free and hosts its own cloud server to share passwords across your devices, but it costs $40 a year to use the cloud service. LastPass is also free up front; it offers the ability to share passwords across devices for $12 a year.

The app 1Password came out on top because it offered the most value for the money. For a one-time payment of $50, you get a license to use 1Password on a computer. You can use the core features of 1Password on iPhones or Android devices free — if you want to unlock extra features, like the ability to store serial numbers for software licenses, it costs $10.

The downside is that AgileBits, the developer of 1Password, requires users to set up their own cloud syncing with third-party services like Dropbox or Apple’s iCloud, which are free to use. Fortunately it’s not difficult to set up password synchronization over the cloud. There is also an option to synchronize your password database over a Wi-Fi network, but that’s not as seamless.

Mr. Grossman of WhiteHat Security, who does not use a password management app, said he preferred LastPass for its security features. LastPass supports multi-factor authentication, meaning that when you log in with your master password, you will receive a newly generated code on another device, like a smartphone, that you have to enter to unlock the vault. It’s an extra layer of protection.

“We’ve been very popular among security professionals and I.T. folks,” said Amber Gott, a marketing manager for LastPass.

There is always a risk that password management companies themselves will get hacked. LastPass reported last year that its network was breached and that hackers gained access to user email addresses and password reminders.

To avoid that, you may want to skip password managers. If that’s your preference, Mr. Grossman said there’s always a low-tech way to keep track of passwords: Jot them down on a piece of paper and keep the list in a safe place. The best part about that approach? It’s free."


Wednesday, January 20, 2016

World's Most-Used Passwords Are Still Awful, According To 2015 Data

Get smart folks! Found this on Huffington Post:

You already know this: passwords are the first line of defense against cyber criminals, who are only getting smarter and more devious with each passing day.

So why do people still insist on using easy-to-crack passwords? According to SplashData’s annual “2015 Worst Passwords” list, it seems some folks just never learn.

The list, which ranks the most commonly used passwords by Internet users, reveals just how terrible many people’s password choices are.

“‘123456’ and ‘password’ once again reign supreme as the most commonly used passwords, as they have since SplashData’s first list in 2011, demonstrating how people’s choices for passwords remain consistently risky,” wrote the password management applications company on its website.

Other awful passwords in the top 25 include “qwerty,” “welcome,” “letmein” and “monkey;” “starwars,” “princess” and “solo” also made this year’s list:
  1. 123456 
  2. password 
  3. 12345678 
  4. qwerty 
  5. 12345 
  6. 123456789 
  7. football 
  8. 1234 
  9. 1234567 
  10. baseball 
  11. welcome 
  12. 1234567890 
  13. abc123 
  14. 111111 
  15. 1qaz2wsx 
  16. dragon 
  17. master 
  18. monkey 
  19. letmein 
  20. login 
  21. princess 
  22. qwertyuiop 
  23. solo 
  24. passw0rd 
  25. starwars

The list, compiled from more than 2 million leaked passwords last year, indicates that “many people continue to put themselves at risk for hacking and identity theft,” SplashData wrote.

The company said it hopes its list will be a wake-up call for people to start using more secure passwords.

“We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites,” said SplashData CEO Morgan Slain in a statement.

Most experts agree that strong passwords are random (no obvious words and combinations); long (more than 12 characters); and use a mix of numbers, letters and symbols. Also be sure to change your passwords periodically.

Using random password generators and password managers can also be useful. 
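
The criteria in the post above (not on the worst-passwords list, more than 12 characters, a mix of numbers, letters and symbols, a different password for each site) can be checked mechanically. The following Python is an added example, not code from SplashData or the quoted article; the names `audit`, `generate` and `has_all_classes` and the sample vault are assumptions made for illustration.

```python
import secrets
import string
from collections import Counter
# The 25 entries of SplashData's 2015 list, as quoted in the post above.
WORST_2015 = set("""123456 password 12345678 qwerty 12345 123456789 football
1234 1234567 baseball welcome 1234567890 abc123 111111 1qaz2wsx dragon master
monkey letmein login princess qwertyuiop solo passw0rd starwars""".split())
MIN_LENGTH = 13  # "more than 12 characters"

def has_all_classes(pw):
    """True if pw has a digit, a letter and a symbol (anything non-alphanumeric)."""
    return (any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw)
            and any(not c.isalnum() for c in pw))

def audit(vault):
    """Return {site: [findings]} for a {site: password} mapping."""
    uses = Counter(vault.values())  # how many sites share each password
    report = {}
    for site, pw in vault.items():
        findings = []
        if pw.lower() in WORST_2015:
            findings.append("on worst-passwords list")
        if len(pw) < MIN_LENGTH:
            findings.append("too short")
        if not has_all_classes(pw):
            findings.append("missing digit, letter or symbol")
        if uses[pw] > 1:
            findings.append(f"reused on {uses[pw]} sites")
        report[site] = findings
    return report

def generate(length=16):
    """Random password from the OS CSPRNG; retries until all classes appear."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw

SAMPLE = {  # constructed sample vault: site names and passwords are made up
    "mail.example": "starwars",
    "bank.example": "Tr0ub4dor",
    "shop.example": "Tr0ub4dor",
    "forum.example": generate(),
}

if __name__ == "__main__":
    for site, findings in audit(SAMPLE).items():
        print(site, "->", findings or "ok")
```

An empty findings list means the password met every criterion named in the post; it says nothing about whether that password has appeared in a breach.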

Tuesday, December 29, 2015

Malwarebytes - Final Decision

It is a little over a month now since I last wrote about Malwarebytes.

I have been continually nagged by the company to renew my Premium license, but as I said on 11/19, I would probably not renew.

I have decided not to renew. I have uninstalled the Premium version and installed the Free version. If you are inclined to install the free version, and I do recommend that you do, you can download Malwarebytes Anti-Malware 2.2.0 from the good old reliable download site, Filehippo. The url is http://www.filehippo.com/download_malwarebytes_anti_malware/

Click on the green box in the upper right hand corner to download the latest version.

Here is why I decided to go with the free version: in the year that I had the premium version installed on our 3 machines, it never found one problem on any of the 3 machines. This was a surprise to me. I have been singing the praises of Malwarebytes since way back, maybe 7 years or more. In a 2008 blog post I stated "I have learned that Malwarebytes Anti-Malware is better than SuperAntispyware."


So the bottom line is still that I love Malwarebytes. I will run the free version weekly on our machines, and I recommend that you do too. I just can't recommend the Premium ($) version. The Free version does the trick for me.

I feel I must add that I have used Microsoft's free anti-virus program for years now, and it is my first line of defense against viruses and malware, and it does a fabulous job. Net, I do not pay for an anti-virus either.

Microsoft's free anti-virus had been known as Microsoft Security Essentials, but Microsoft changed its name to Microsoft Windows Defender. Believe me, DEFEND it does.

Happy New Year to all!

Friday, December 4, 2015

CCleaner

I still cannot say enough about CCleaner. In my opinion it should be installed on every Windows system.

It is still free, but be forewarned that the company, Piriform, now offers two versions that come at a cost. I do not use either of the fee-based programs - I should say YET! In some cases when I have downloaded the latest version I am reminded of, and encouraged to buy, one of the fee versions. To date I have not succumbed to the temptation!

This program used to be called "Crap Cleaner" until they gave it a less offensive name of CCleaner. That is what it does, it cleans the crap from your system, and that is good. It is small and very fast. If you run it once a week it will probably take 30 seconds (after your initial run, which will likely be longer).

I encourage all Windows users to get CCleaner. I can only recommend the free version because I have no experience with the fee versions.

You can download the free version here: http://www.piriform.com/ccleaner or on my favorite web site for downloading stuff: http://www.filehippo.com/.

If you do not use this tool and if you do download it and have any problems or questions, write me at pcdoc@our4sons.com.

Tuesday, November 24, 2015

Windows 10 - Again

I finally figured out how to get the "Get Windows 10 APP", visible to the PC user by the icon in the system tray, on my desktop. These icons started to appear on our systems back in (about) June or July 2015. However, it did not appear on my desktop PC. It did appear on our two laptops, and W10 was subsequently successfully installed.

So this week, after puzzling over this for many moons, I did a manual Windows Update and selected an Optional update to install Internet Explorer 11. I restarted my system afterwards, and the Get Windows 10 App icon immediately appeared in my system tray! Very strange I thought.

Anyway, I went ahead and installed W10 replacing the W7 installation already there.

The installation of W10 went very well and without any hitches.

I really do like W10, and that is why I decided to leave the older systems behind.

I recommend W10 wholeheartedly and without hesitation for most users. I would say that IMHO you should have 8 GB of RAM. This is not required, but based on my experience I would not recommend W10 until/unless you have at least 8 GB of RAM.

I worked on a customer's machine that had upgraded to W10 but had only 4 GB of RAM. It works. It doesn't complain, but I believe W10 will be much happier with a minimum of 8 GB of RAM.

BTW, my PC Doc e-mail address has changed, and it is pcdoc @ our4sons.com (drop the 2 spaces).