03/10/2017

A Personal Story: How a Small Mistake Nearly Had Catastrophic Consequences



Key-Hanging

Mike was an extraordinarily talented programmer--we're talking a top 1/10 of 1% kind of a guy.

He had been sick for some time, but his passing was a shock to us all. After he died, his business partner contacted me. "Kevin," she began, "you were the only one Mike trusted with his programs."

Understanding what someone has done with their digital life is no small task--doubly so when they're a programmer--trebly so when they're a business owner.

So, the first thing we did was look for his passwords so we could get access to their systems.

Perhaps the worst thing we uncovered?

His passwords were all over the place. Some were at home. Some were on his laptop. Some were on his office computer.

What. The. ____.

With tremendous help from another highly trusted programmer I knew, the three of us began to cull each of his computers for important data, passwords, and the keys to understanding how to resuscitate their business.

To be honest, were it not for the skill of the highly trusted programmer I brought in to help, it would have been over. Why?

His two most important passwords have no web-based password recovery and no practical way to reset them.

So, now what?

Over the next several days, little by little, we got things together and the business was on its feet again.

Let me tell you, going through something like this gets you thinking and helps you prioritize in a hurry.

Now that the dust has settled, fellow editor, Josh Christofferson, and I have begun working on something to help solve the computer organization and security issues we all deal with—and seldom realize how devastating they can be.

Stay tuned. More to come in 72 hours or less.

09/25/2015

How to Tell if Your Passwords Are Secure (Our Ultimate Guide to Passwords.)


How to go from this... to this... (without giving up your sanity)


Ah, the password.

Everyone has their own technique for making a password. Most suck.

Today you'll learn how to make passwords that:

  1. are easy to make
  2. are easy to remember
  3. help turn your PC into a steel-reinforced vault


Q. Is there a way to tell if I have a good password?

A. Yes. There are a few online tools, including one at Microsoft to check your password strength.

It's available for free here:

A better one in our view is this one:

The Microsoft one relies largely on the length of your password, which is in our view less important than its complexity.

Q. How do you make a good password?

A. There are a lot of good password tutorials out there. Here are a couple:

Microsoft has a fairly good tutorial here:


It's reasonably good, buuuut if you're interested in an even better way, here's an article from renowned security guru Bruce Schneier:


Here's our own short 3-step version of how to make a secure password:

  1. Start with a phrase or sentence that means something to you.
  2. Take the first letter of each word. Leave the punctuation.
  3. Swap out a letter or two with numbers, leaving everything else:

Here's what it looks like in action:

  1. That's a winner! A World Series winner for the Cardinals!
  2. Taw!AWSwftC!
  3. Taw!AWSw4tC!

First, it's memorable. It's a phrase important to you. Maybe it's a movie quote, like:

    "I made him an offer he couldn't refuse."

Whatever the case, since it's important to you, it's memorable.

Second, you have a password that's very hard to guess (or crack).

Last, it has all of these things:

  • upper case 
  • lower case 
  • number
  • special characters
  • 8+ characters

...which many passwords these days require.
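The three-step method above and the five requirements just listed, written out as an added example (this is not code from the original post): a phrase is reduced to first letters plus trailing punctuation, one letter is swapped for a digit, and the result is checked against the list.

```python
# Added example, not code from the original post: the three-step mnemonic
# method above, plus a check of the five requirements listed afterwards.

def first_letters(phrase: str) -> str:
    """Step 2: keep the first letter of each word, plus any punctuation
    that ends the word (the "!" in "winner!" survives, the "'s" does not)."""
    out = []
    for word in phrase.split():
        letters = [c for c in word if c.isalnum()]
        if not letters:
            continue  # a token with no letters at all, e.g. a lone dash
        tail = ""
        for c in reversed(word):  # collect the trailing punctuation
            if c.isalnum():
                break
            tail = c + tail
        out.append(letters[0] + tail)
    return "".join(out)


def swap_letters(password: str, swaps: dict) -> str:
    """Step 3: replace the first occurrence of each chosen letter with a digit
    (the post swaps 'f' for '4'); everything else is left alone."""
    for letter, digit in swaps.items():
        password = password.replace(letter, digit, 1)
    return password


def make_password(phrase: str, swaps: dict) -> str:
    """Run steps 2 and 3 on a phrase chosen in step 1."""
    return swap_letters(first_letters(phrase), swaps)


def meets_policy(password: str) -> bool:
    """The five properties listed above: upper case, lower case, a number,
    a special character, and at least 8 characters."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    phrase = "That's a winner! A World Series winner for the Cardinals!"
    pw = make_password(phrase, {"f": "4"})
    print(pw, meets_policy(pw))  # Taw!AWSw4tC! True
```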

Q. Now that I've made a good password, can I reuse it?

A. No. No. No. No. Aaaaand... No. Not if it's for anything the least bit important.

Most importantly, never reuse passwords used for your email account(s). Ever.

And don't store 'em in your browser's "autosave" feature either.

Why?

Reuse a password even once--or have it stolen from your browser's "autosave"--and you risk giving the bad guys access to everything.

Let's say you reuse it at a highly trusted online merchant, perhaps Target. After all, they'll never get hacked, right?

(Oh, wait, they did, and sadly, millions of credit card numbers and other customer info were exposed.)

If you reuse your password, assume the bad guys will try to log in to your email account with the same password they stole from the online store.

Mind you, they're not going to be testing email accounts by hand. They don't have time for that.

They have little programs to automatically test passwords. Sure, they're not going to get everyone, nor do they care.

They just need some to work, and they've now turned their initial break-in into even more.

Q. Should I use two-factor authentication?

A. Yes. A loud and thunderous, YES.

Two-factor authentication (sometimes called "2-Step Verification" or TFA) is an easy way to make your account security stronger... even if the bad guys have stolen your username AND password.

It's a bit like needing two different keys to open a safe deposit box. One key you have; the other you have to ask someone else for.

Without both, you can't access the box.

The same goes for the bad guys: if they only have one key (your password), they can't get in without the other key, which you have.

Two-factor authentication can put the kibosh on someone breaking into your accounts.

Here's how it works at sites that support two-factor authentication:

  1. Enter in your username and password like normal.
  2. Once the site has checked your username and password, it sends a random secret code via text message to your cell phone.
  3. Enter this code into the site you're logging into.

Without that random secret code, you can't get in.

The other benefit: if someone tries hacking your account, you get text messages with the secret codes, letting you know someone is trying to muck with your account.
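To make the three-step flow concrete, here is an added example of the server side in Python (not code from the original post or from any of the sites mentioned): the password is checked first, only then is a fresh one-time code issued, and the code has to match, be unexpired and unused. The user store, the five-minute code lifetime and the `sent` list standing in for the text-message gateway are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a code is good for five minutes


class TwoStepLogin:
    """Server side of the three-step flow described above. The user store,
    the code lifetime and the `sent` list (our stand-in for the SMS
    gateway) are assumptions made for this example."""

    def __init__(self):
        self.users = {}    # username -> (salt, PBKDF2 hash of the password)
        self.pending = {}  # username -> (code, unix time at which it expires)
        self.sent = []     # every "text message" issued, as (username, code)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def begin_login(self, username, password):
        """Steps 1 and 2: only a correct password triggers a fresh code,
        so a stolen password alone never gets past this point."""
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # six random digits
        self.pending[username] = (code, time.time() + CODE_TTL_SECONDS)
        self.sent.append((username, code))  # the message the user sees arrive
        return True

    def complete_login(self, username, code):
        """Step 3: the code must match, be unexpired, and is single-use;
        a wrong guess discards it, so each code allows exactly one try."""
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        expected, expires = entry
        if time.time() > expires:
            return False
        return hmac.compare_digest(expected.encode(), code.encode())
```

Every entry appended to `sent` is the notification the post mentions: a code arriving when you did not just log in means someone else got your password right.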

Sadly, not enough banks support two-factor authentication, but Gmail, Zoho, Twitter, and a lot of other places do.

The bottom line with TFA: if you can use it, you should.

Here's Google's documentation on two-step verification:

https://www.google.com/landing/2step/

As always we welcome questions by email or phone.