Archive for the ‘security’ category

LastPass Hacked

June 16, 2015

I hate passwords. I have too many accounts and too many passwords to remember. So, I resorted to using LastPass not too long ago for simplifying sign on services. Okta was another service I’d had the opportunity to use and I found the experience of both to be quite good.

Until this morning.

There is no substitute for a good, strong password portfolio + a regimen of deprecating them on a schedule. If you’re good at eating at least once per day, you should be capable of changing your passwords once every six months (if not more frequently).

Apple has Keychain. Google has Authenticator. I’m sure Microsoft has something (probably called Keychain or Authenticator because they’re too lazy to come up with their own product names). Anyway, the point is, picking one of these and electing for an extremely long factor passcode that is 100% machine generated is probably the best way to go. I, personally, like GUIDs with mixed upper and lower case letters mixed in PLUS another character in there somewhere such as a “!” (which I don’t use). But you get the idea. A password such as has a lot going for it:

!c40d2b17-42f8-4908-b341-F6538CBE997C

First it’s nearly 40 characters long. A human isn’t going to remember a randomly generated string of mixed case and letters very easily. That is a good thing. Nor is that person going to bother to write that sort of thing down or easily transcribe it to a friend or relative.

The one thing it sucks at now is it’s public and has probably been scooped up by some machine and folded into the crazy ass long list of passwords to try while attempting to brute force past a security wall of some kind. Plus all it’s variants. Don’t even waste your time recycling it.

But, that type of password is ideally suited to living in something like Keychain and probably forgotten. Easily discarded and reset regularly. See, we get attached to passwords. It’s the familiarity of the thing. A birthdate mixed with an address mixed with a childhood friend’s dog’s name. The problem with anything remotely like those… The cracking algorithms and raw compute power available today can make mincemeat out of those in nothing flat. The ability to recurse through all the variations with brute force velocity is astounding and only getting better and cheaper to do so.

Blockchain holds a lot of promise. If you’ve not been paying attention to digital security or alt digital currencies like Bitcoin… The Blockchain holds a lot of promise. A LOT! Our digital identities are at risk. Our state secrets are at risk. Our banking is at risk. Our infrastructure is at risk. Oddly enough, our flesh and blood lives are now inextricably weaved with the digital fabric of the world. We are cyborg in William Gibson’s finest sense of it. Wearables are an interesting aside.

What’s a netizen to do?

If you’re a Mac, like me I use Apple’s built in password generator. Follow these very simple steps:

1) Click on the Apple Menu (upper left) and select System Preferences

2) Click on Users and Groups

3) Click on Change Password. If it asks for iCloud Password, Cancel or Change Password… Choose Change Password. Don’t worry, we’re not changing anything. We’re just fabricating a new password for you to use elsewhere or at the very least showing how to do it at a later time.

4) See the icon that looks like a key? Click that and a small window like the one pictured below will show up.

LastPass GUID Keychain Blockchain

 

5) One of the first things you’ll see is the Type menu dropdown. I prefer Random. Pick anything you like. But, remember, anything resembling a word is going to be more easily cracked. Apple probably oversimplifies the Quality meter. Generally speaking the farther that meter is to the right, the better the password.

6) Next, change the length of your password. See how you can manipulate the quality and security of your new passcodes? And, it’s all built into OSX.

Well, this is all good and fine. We have a new, strong password generator in our pocket.

How do we put this into practice?

I’ll show you, in my next post (because I have to create screen shots and write against an outline I’m creating in my notebook – yes, pen and paper) how to go about integrating Keychain into your web browsing of secure sites AND using Keychain across Apple devices.

See, Apple’s already solved this problem and I placed my faith in a couple of companies because of employment policy. Well, screw that. Apple has more cash money and a declared interest in the security of the digital fabric. I believe them when they say it. Google, Microsoft… not so much. Facebook, not at all. Those guys are out to monetize our behaviors across a broad spectrum, not make our lives better.

LoJack Alternatives?

June 23, 2008

Wondering what alternatives are out there for Mac laptop security in addition to LoJack, DynDNS and the staid but true Kensington laptop security cable.

I’ve heard there are some accessories that can be installed in the computer to effectively pin-point its location for recovery purposes. Wonder if these are PCMCIA or if they fit inside the laptop and work their magic? Also, I’d be interested in ways to script a wiping of the entire home directory in the event the machine fell into the wrong hands.

I’m sure the audience won’t disappoint. Supply links for extra credit please :)

Public WiFi Security

August 31, 2006

We’ve been talking about wireless security at the office lately. Everyone should be concerned about it.

SCENARIO

Employee from Division X is on the road at a conference then is going to make a business call afterwards.

While at the in between sessions at the conference they plop down in one of the wifi hotspots and start corresponding But wait, there’s more!


Follow

Get every new post delivered to your Inbox.

Join 28 other followers