Download Free Norton Identity Safe Beta – Simple, Secure, Password Management For Windows, iOS, And Android

Fair or not, I look upon weak password control – which leads to a catastrophe – as a self-inflicted injury. According to Norton research – 45 % of us re-use the same, easy to remember password, across multiple sites. Which, virtually assures, that should a hacker gain access to such a password – the door is now open for illegal access to all accounts. A catastrophe waiting in the wings.

I understand the dilemma. Complicated, in other words, safe passwords are often hard to remember, whereas easy passwords, in other words, unsafe passwords, are generally easy to remember. And, a single password is surely easier to remember than a series of passwords, simple or not.

What a troublesome problem!

Good news:

Today, Norton will release Norton Identity Safe Beta – the free public beta of a service which will allow you to secure and synchronize logins, passwords, credit cards, and other web form information across PCs, iOS and Android devices – using the cloud.

As an added bonus, Norton Safe Search is included.  Safe Search bumps up a user’s confidence level since a user can easily see (from search results), if a website is safe before visiting the site.

Norton Identity Safe setup walkthrough.

Consider very carefully as to whether “Remember Password” is appropriate in your situation.

Pay close attention to the password requirements.

Almost finished.

On completion, a web page will open with the following. From what I can see in this early test – since the application seems to rely on the Toolbar for access – you must accept. In Firefox, for example the Toolbar can be controlled through Tools – Add-ons.

Not quite finished. It’s time to check your inbox – confirm your email address. Click on the link………

and – finished!

Norton Identity Safe Home:

Norton Identity Safe Fast facts:

Simplified password management – Eliminates the hassle of remembering multiple logins and passwords, as users only need to remember one master password for quick, secure access to their favorite sites.

Streamlined user experience – Shows users their logins with thumbnail images, allowing them to log in to a desired site by clicking on the image, or for mobile and tablet users, by simply touching the screen.

Share Via – Allows users to safely share online content by sending URLs through email and social networking plugins, directly from Norton Identity Safe beta.

Automatic login synchronization across devices – Enables users to store a password on one device, and easily log in from another device – wherever they go.

Supported browsers:

Download at: Norton Identity Safe

Note: Norton Identity Safe Mobile Edition beta application, must be installed on mobile devices to access Norton Identity Safe.  The mobile applications complement the PC client, which must be downloaded and installed prior to installing the mobile applications.

Note:  If you have Norton Internet Security or Norton 360, you already have Norton Identity Safe installed.

Norton let me know of the pending release of Identity Safe Beta, yesterday. So, you’ll understand, this is not a review – but rather, a heads-up.

If you choose to download Identity Safe, I would be most interested in your personal observations as to functionality and value.

Helpful hints – here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. For example, I use an 18 alpha character pass phrase (upper and lower case), supplemented with 4 numeric characters on this site. And, only on this site.

Since brute force dictionary attacks are common, do not use single word passwords that are words in a dictionary.

Use a different password for each sign-in site.

If you have difficulty in devising a strong password/s, take a look at Random.org’s – Random Password Generator – a very cool free password tool.

WordPress Password Fiasco

Fair or not – “You don’t know what you don’t know” is a throwaway phrase, often used to describe a typical Internet users range of knowledge as it applies to security risks. What’s worrisome about relying on the truth of this statement is – it can be applied much more broadly – it doesn’t just apply to casual computer users. It applies equally to you – and, to me.

Virtually on a daily basis, another previously unknown (or, undisclosed), vulnerability in an application, operating system, website, cloud service, or in an Internet protocol is discovered by “security researchers”. Here’s today’s, from my Daily Net News column.

Improper SSL Implementations Leave Sites Wide Open to Attack – Security researchers are buzzing about the flaws in the Secure Sockets Layer system and the fact that a significant portion of the Internet is vulnerable to attack.

I’ll venture a guess and suggest – you didn’t know about this. Nor, did I. More to the point perhaps, what needs to be asked is – did cyber criminals know?

What about this one from two days ago?

 Kaspersky: 12 different vulnerabilities detected on every PC – Researchers from Kaspersky have sampled their customer base, and found out that on average, every PC has 12 different vulnerabilities.

The vulnerabilities described are not self inflicted – instead, they are specified, or unspecified, vulnerabilities in Flash, Adobe Reader, Java, and Adobe Shockwave. There’s no need to wonder if cyber criminals are aware of these vulnerabilities – they most assuredly are.

WordPress Password – I didn’t know, that I didn’t know.

More than once, I’ve made the point here, there are certain companies which put forward unrealistic assertions that their Web operations are inviolate – they can’t be hacked. One of those companies is WordPress.com.

So, I was hardly taken by surprise when I received the following email from WordPress, yesterday. Not surprised – but, pretty pissed at the approach taken by WordPress to describe a potentially devastating circumstance for WordPress bloggers who run popular sites.

Hello Bill Mullins,

We recently found and fixed a mistake that we’d like to tell you about. Passwords on WordPress.com are saved in a way that makes them extremely secure, such that even our own employees are unable to see your actual password – the one you enter to login to your WordPress.com account.

However, between July 2007 and April 2008, and September 2010 and July 2011, a mistake in one of our systems used to find and correct bugs on WordPress.com accidentally logged some users’ passwords in a less secure format during registration.

We’ve updated our systems to prevent passwords from being logged this way in the future, so this will not happen again. We don’t have any evidence that this data has been accessed maliciously or misused, but to be on the safe side we are resetting your password since your account is among those affected.

Please change your password using this link or copy and paste the URL below into your web browser:

https://wordpress.com/wp-login (I have removed certain parameters here)

If the password you used when you registered on WordPress.com was one you use elsewhere, you should change it there, too. In the future, remember that it’s good practice to always use unique passwords for different services.

We are terribly sorry about this mistake. No one likes having to create new passwords and we’d like to include a 15% off coupon to say we’re sorry. The coupon can be used for a custom domain, a design upgrade, VideoPress, or a storage space increase. Just use the code below on any of the upgrades on the WordPress.com Store:

pc21d064ae

If you have any questions, please reply to this email and one of our Happiness Engineers will get back to you as soon as possible.

Thank you,
The WordPress.com Team

Some salient points:

Why on earth would WordPress send an email that has all the hallmarks of a phishing scam – quote: “to be on the safe side we are resetting your password since your account is among those affected”. Huh – you’re going to reset my password? So there was zero chance of me clicking on the password reset link. The only secure method was a password reset from this blog’s Dashboard.

“A mistake in one of our systems” – At the desk I’m sitting at, I tend to call this type of “mistake” a vulnerability.

“In the future, remember that it’s good practice to always use unique passwords for different services.” Yeah, sure – WordPress is just about the last organization I’d take advice from in terms of password control!

Offering a 15% discount on WordPress products “to say we’re sorry”, is ill advised and inappropriate. This “bad news” – “good news” approach, is out of bounds.

Finally, referring to support staff as “Happiness Engineers”, makes me wonder what these people smoke after breakfast. It’s a little late for ‘60s terminology, it seems to me.

I titled this article “WordPress Password Fiasco”, not because WordPress found itself in an unknown vulnerable position, which by extension applies to me as well – but because the manner in which a serious situation was handled, is appalling. At a minimum, WordPress has an obligation to disseminate news of this potential breach widely on the Internet. This is not business as usual.

Consider the number of serious breaches that occurred in the last year, which initially were classified by the victimized organization as inconsequential. Until, that is, information slowly leaked, that in many cases, the penetrations were disastrous. Think Sony.

I’m hopeful, that months from now, I won’t have to replace “Think Sony” with -“Think WordPress”. But, then again – “I don’t know what I don’t know”.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Ashampoo Database Hacked – What You Need To Know

I could spend all day, every day, reporting on nothing more than the latest cyber criminal targeted intrusions into enterprise IT systems.  Two reports from my today’s Tech Net News column illustrate that we are barely scratching the surface of this significant, continuous, and rapidly expanding problem:

European Space Agency website and FTP servers hacked

Dramatic increase in cyber attacks on critical infrastructure

If you’re an everyday reader here, then you may recall that I regularly recommend that you take advantage of the German software developer Ashampoo’s, occasionally offered free application multipacks.

The downside (for some) is, you must register and provide an email address. Additional benefits can be gained by registering as an  Ashampoo member, which includes creating a password.

Unfortunately, Ashampoo has become a victim of a cyber criminal targeted intrusion aimed at their customer database. According to the company:

“Hackers gained access to one of our servers. We discovered the break-in and interrupted it instantly. The security gap through which the hackers gained access was closed immediately.

The stolen pieces of information are data of addresses such as name and e-mail address. Billing information (e.g. credit card information or banking information) is definitely not affected … it is not stored on our system.”

If you have taken advantage of Ashampoo’s offers, then it’s important that you exercise extreme caution with any future emails sent by the company and, any unsolicited email sent by any company, for that matter.

As well, if you have registered as an Ashampoo member, it’s important that you change your account password. Additionally, if you have used the same password elsewhere (you’d be surprised how often this occurs), it’s imperative that you change these passwords immediately.

My thanks to my buddy John B. (a great Scot!), for bringing this unfortunate incident to my attention this morning.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Conseal Security Takes Portable Device Security To Another Level With Conseal USB

“This tape will self-destruct in five seconds!” – Mission Impossible.

Growing up in the 1960’s, I though that was just the coolest phrase – and the underlying technology, of course. As a way of keeping confidential  information out of the hands of the bad guys, what could be better than that? BOOOM!

Today, safeguarding confidential information is far more complex – and there are many more “bad guys”. Information, in a very real sense, is currency – and the need to protect it is every bit as real as if it were hard currency.

Unfortunately, protecting critical data in an age of extreme data portability (USB sticks, portable Hard Drives, memory cards …. ) against theft, or loss, is exasperated by the very nature of portable technology.

How hard is it to lose a USB key through theft or misadventure – easy (personally, I’ve lost two over the years).

How hard is it to lose a portable Hard Drive through theft or misadventure – easy.

How hard is it to lose a memory card through theft or misadventure – easy.

How hard is it recover any one of the storages devices mentioned? Hard. Hard. Hard.

While it’s true, that both password and encryption applications, offer some protection against unauthorized access should a portable storage device vanish, neither provides absolute protection. Both password cracking, and decrypting applications (and the computing resources necessary), are readily available to those with less than honorable intentions.

What’s needed then, is a technology that not only offers password protection and file encryption, but the ability to remotely destroy data on a non-recoverable device – if it becomes necessary.

I suspect that the Ministry of Defense in the UK, would have been delighted with this type of technology had it been available when, in 2008,  fifty eight Ministry of Defense unencrypted drives – which contained details of troop movements, locations, and travel accommodation, were “lost”.

Certainly, portable media device theft, or loss, is not restricted to organizations; it can just as easily happen at an individual level. For example, in the U.K., in 2008, – 9,000 USB drives were found by dry cleaners in various articles of clothing. It’s safe to say, that data loss and data leakages related to lost or stolen computer portable devices, are now commonplace.

Luckily, Conseal Security has just released a security safety system  that not only includes strong AES encryption, it allows protected devices to be remotely self-destructed, if they are lost or stolen. Moreover, as part of the package the ability to lock devices to specific networks, domains or specific computers, is included. A bonus feature includes a capacity to review all access attempts on a device.

Application setup, including creating an account which provides access to all of the programs features, is straightforward.

The initial account password will be emailed to you. The temporary account password in the screen capture shown below, has been changed.

Once logged in, you can proceed to manage the portable device attached to your machine.

In the following screen shot, you’ll notice I have logged in and entered a name for the attached device.

The USB drive I used for this test was quite small (512 MB), so the encryption and registration took less than two minutes.

As per the message box, no files were accessible on Drive F: (the original drive designation) – instead the files were on Drive G: (the newly concealed drive).

Following encryption of the drive’s contents you will have a number of options to choose from, including –

Access Control

You can set up rules to control where and when this device can be unlocked.

Alerting

You can set up alerts to email you when this device is used.

Self Destruct

You can securely delete the contents of this device if it has been lost or stolen. It will become a blank disk.

Unlocking the portable device is an uncomplicated process – as shown in the following screen captures.

A taskbar popup will notify you on successful completion of the “unlock” process, as illustrated in this screen capture.

Fast facts:

Remote self destruct – If your Consealed device is lost or stolen, you can remotely destroy the data it contains. Press a button on a website and the contents of your device will be securely wiped when next inserted.

Who’s accessed your data? – View a log of who attempts to unlocks your Consealed device, including who they are and what computer they used. The log shows all access attempts and contains sufficient information for law enforcement officials to uniquely identify the computer used.

Define who can access your data – Specify the computers or network domains which can unlock your Consealed device. Also specify what times of the day it can be unlocked. Rules can be changed even when the device is out of your hands.

Safe from password guessing attempts – Even fairly complex passwords can be guessed on average within 16 minutes. Conseal’s “Dual Locks” system completely secures your protected data against password guessing attempts. Consealed devices can only be unlocked with permission from a central server.

Warnings of attempted break-ins – Receive email warnings when someone tries to unlock your Consealed device, directly and uniquely identifying the user, where they are, and what computer they used.

Strong encryption – Your data is stored using super-strength 256-bit AES encryption (approved by governments to protect ‘Top Secret’ information).

Takeaway: A very impressive and elegant solution to a potentially disastrous occurrence at a cost that’s appropriate.

Conseal USB Licenses:

Home User – 1 year’s protection. Non-commercial use only. Up to 5 devices £19.95.

Corporate User – 10 devices £140 (for 1 year). 100 devices £99/month. 1000 devices £830/month. 10,000 devices £5950/month.

Conseal Security offers a full no-quibble 14 day money-back guarantee from date of purchase.

System requirements: Windows XP and above.

Devices: You can Conseal literally any USB storage device. This includes memory sticks, USB pen drives, external hard disks, SD / MMC / xD / CompactFlash cards. It also includes all Firewire, eSATA and USB3 devices. Conseal is completely device and manufacturer independent.

Further details, and a 15 day Trial download are available at the developer’s site – Conseal Security.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Cyber Criminals Bump Up Efficiency Using Cloud Services

In a comment response yesterday to regular reader Mal C., I made the point – “It’s the person at the keyboard, that’s where the trouble starts – not the OS”. Continuing the discussion with regular reader John B., I expanded on this –

“It’s the person at the keyboard, that’s where the trouble starts – not the OS”, is operative – no matter the operating system.

Just one example: Email accounts are continuously been phished (“your account will be deactivated”, is a popular approach), with the objective being to have the user respond with, password, DOB, mobile telephone number, etc.

If the phish is successful (and many are), the crook ends up controlling that account. Cyber crimes like this, are not system specific. They depend on unaware, undereducated users, for their success.”

As luck would have it, this morning I got an invitation from Commtouch, to post an upcoming article here on Tech Thoughts (which will be published on their site shortly), that partly supports this view.

Cloud Streamlines Efficiency of Identity Theft

Working with cloud-based services significantly improves economies of scale – for cybercriminals, too. Phishers are already benefiting from free hosting by hiding phishing pages within hacked legitimate sites.  Now, they are leveraging cloud-based form management sites, such as Google docs or formbuddy.com. to collect information from unwitting victims.

With this technique, the phisher does not have to worry about creating/managing/storing back-end form data and can more easily scale the harvesting of phished data.  Those duped into filling out the form will not be aware of this nuance.

We just hope victims are paying attention when they fill out a seemingly legitimate form that directly asks for an “email address password.” If their attention lags, they are giving the phisher a significant pay-off for a minimal investment: Identity theft.

This attack targets users of HomeAway holiday rentals – See the images below. Click on an image to expand.

A look at the page source reveals that the filled in form is sent to “formbuddy.com” and not collected directly by the phisher.  Formbuddy.com collects and stores all the responses to the “form” shown above, and then emails a neat summary to the phisher (whose login name is “fanek”).

As a matter of interest, WOT (Web of Trust) warns against visiting formbuddy.com, as per the following screen capture.

As an aware and educated computer user, I know that you wouldn’t be deceived by this type of clumsy attempt to defraud – under no circumstances would you disclose your email address password to anyone.

As I said at the opening, these schemes depend on unaware, undereducated users, for their success. Unfortunately, that describes far to many Internet users.

About Commtouch:

Commtouch provides proven Internet security technology to more than 150 security companies and service providers including 1&1, Check Point, F-Secure, Google, Microsoft, Panda Security, Rackspace, US Internet, WatchGuard and Webroot,, for integration into their solutions. Commtouch’s GlobalView™ and patented Recurrent Pattern Detection™ (RPD™) technologies are founded on a unique cloud-based approach, and protect effectively in all languages and formats.  Commtouch’s Command Antivirus utilizes a multi-layered approach to provide award winning malware detection and industry-leading performance.

More information is available here.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Weak Password Control – A Self Inflicted Injury

Over the weekend, Gawker.com was attacked, leading to a compromise of some 1.5 million user login credentials on Gawker owned sites, including Gizmodo, and Lifehacker.

According to Gawker Media –

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

In an ironic twist to this tale of woe, it turns out that Nick Denton, the site’s founder, had not followed his own advice and in fact, used the same password for his Google Apps account, his Twitter account, and others.

So what gives? Why would someone with the supposed technical competence of Denton be so boneheaded? I suspect it’s because the reality is – he’s no different than any typical user when it comes to establishing and enforcing proper password control. A lackadaisical effort is the norm.

I understand the the dilemma. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. And, a single password is surely easier to remember than a series of passwords, simple or not. No surprise then, that most computer users’ employ a single, easy to remember, and consequently – unsafe password.

So what’s a user to do to avoid this critical security lapse? Well, you could follow the most common advice you’re likely to find when it comes to password control, and install a “password safe” – an application designed to store and retrieve password.

The Internet is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true. In my view, the password safe advice falls into this category.

Let me pose this question – you wouldn’t hang your keys outside your front door, would you? Of course you wouldn’t. Then why would you save passwords on the Internet, or on your computer? If there is one computer truism that is beyond dispute, it’s this – any computer application can be hacked, including password safes.

I have never saved passwords online, or on a local machine. Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure. There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue.

I know that on the face of it, writing down your password seems counter intuitive, and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Interestingly, Bruce Schneier, perhaps the best known security guru and a prime mover, some years back, behind the development of  Password Safe, is now an advocate of – you guessed it; writing down your passwords.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Gmail Password Phishing Still Going Strong

For months now, Gmail inboxes have been flooded with one form or another, of the “Your Account Information Has Changed” phishing attack. Unfortunately, I don’t expect to see this Gmail  accounts scams reducing in volume any time soon.

This morning I received another email, purportedly from the Gmail Team, in which the spam scammer attempts to convince me that this is the genuine article.

Unlike most of these type of emails though, this one does not contain the usual misspelling, grammatical, and punctuation errors. In fact, this notice, as the following screen capture shows, is a brilliant forgery. And, it gets better, yet.

Despite the fact the cyber crooks involved here, have taken extraordinary care in developing this scam, the notice still shouts out the need to “stop and think” – before clicking.

No personalized greeting – Google, which knows more about me than anyone, except perhaps my mother, has chosen to use a generic greeting – Hello. How strange is that?

My information is incomplete – How can this be? I’ve been a Gmail user since day one, and I don’t recall that Google has ever been accused of losing data. This just doesn’t make any sense.

Of course, I didn’t response to this password phishing attempt and click on the enclosed link. But, those users who fell for this crafty scam were taken to a forged version of Gmail’s login page and, I’m quite sure – happily provided the requested information.

Google provides excellent advice on their page – Messages asking for personal information, from which the following has been taken.

Here’s what you can do to protect yourself and stop fraudsters:

Check the email address of the sender of the message by hovering your mouse cursor over the sender name and verifying that it matches the sender name.

Check whether the email was authenticated by the sending domain. Click on the ‘show details’ link in the right hand corner of the email, and make sure the domain you see next to the ‘mailed-by’ or ‘signed-by’ lines matches the sender’s email address.

Make sure the URL domain on the given page is correct, and click on any images and links to verify that you are directed to proper pages within the site. Although some links may appear to contain ‘gmail.com,’ you may be redirected to another site after entering such addresses into your browser.

Always look for the closed lock icon in the status bar at the bottom of your browser window whenever you enter any private information, including your password.

Check the message headers. The ‘From:’ field is easily manipulated to show a false sender name. Learn how to view headers.

If you’re still uncertain, contact the organization from which the message appears to be sent. Don’t use the reply address in the message, since it can be forged. Instead, visit the official website of the company in question, and find a different contact address.

If you enter your Google account or personal information as the result of a spoof or phishing message, take action quickly. Send a copy of the message header and the entire text of the message to the Federal Trade Commission at spam@uce.gov. If you entered credit card or bank account numbers, contact your financial institution. If you think you may be the victim of identity theft, contact your local police.

Note: Despite 20+ years of experience using Webmail, one of my Gmail accounts was hacked recently. I have yet to work out exactly how this was accomplished.

It’s important that you know that Google is not immune to hacking, as the fairly recent fiasco in China, in which Chinese hackers compromised Chinese activists’ Gmail accounts, illustrates. In fact, Gmail hacking is a much more common occurrence than most users are aware of.

To further illustrate just how common this is, the article I wrote on being hacked – My Gmail Account Hacked From Nigeria, continues to be one of the most read articles I’ve written.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

Should You Forget About Password Safes and Write Down Your Passwords?

There are days when Surfing the Internet, it seems to me,  is like skating on thin ice – one wrong move and you’re in trouble. I know – this past weekend I got hacked. After 20+ years – BAM!

There are any number of possibilities as to what happened, but one of those possibilities is not unauthorized access to my online saved Passwords. I don’t save passwords online. I never have, and I never will.

Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure.

There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue, and here’s why –

The world is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true.

One piece of computer security advice that you’ve probably heard over and over again is – don’t write down your password/s. The problem is; this piece of advice couldn’t be more wrong, despite the fact it seems reasonable, responsible and accurate.

Here’s the dilemma we face. Complicated, in other words, safe passwords are hard to remember, whereas easy passwords, in other words unsafe passwords, are easy to remember. No surprise then that most computer users’ employ easy to remember, and unsafe passwords.

You know the kind of passwords I’m talking about – obvious passwords, like your first name, or your wife’s name, child’s name, date of birth date, etc. – passwords you’re not likely to forget. And that’s the problem – there’s no point in having a password at all if cyber-criminals will have no difficulty in figuring it out.

Cyber-criminals use simple processes, all the way to highly sophisticated techniques, to capture online passwords as evidenced by the Hotmail fiasco last year, in which an anonymous user posted usernames, and passwords, for over 10,000 Windows Live Hotmail accounts to a web site. Some reports indicate that Google’s Gmail, and Yahoo Mail, were also targeted. This specific targeting is one possibility that might explain how my Gmail account got hacked.

Not surprisingly, 123456 was the most common password captured, followed by (are you ready for this?), 123456789. Some truly brilliant users used reverse numbers, with 654321 being very common. Pretty tricky, huh? I’m being a little cynical, but..

I know that on the face of it, writing down your password seems counter intuitive and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, room mate, or the guy in the next office, to gain access to your written list of passwords – and writing down your passwords will always present this risk; the real risk lies in the cyber-criminal, who is perhaps, thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute force dictionary attacks are common, keep away from single word passwords that are words in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?

You are entitled, of course to disregard the advice in this article, and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Guest writer, Glenn Taggart’s article from yesterday – LastPass Password Manager – Secure Your Passwords and User Names, offers a terrific review of another free password application.

If you have difficulty in devising a strong password/s, take a look at Random.org’s, Random Password Generator – a very cool free password tool.

As an additional form of protection, you should consider the Firefox add-on KeyScrambler, which will protect you from both known and unknown keyloggers.

For additional info on password management, checkout Rick Robinette’s “PASS-the-WORD”… Basic password management tips” Many regular readers will remember that Rick is a very popular guest writer on this site.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

LastPass Password Manager – Secure Your Passwords and User Names

Popular guest writer, Glenn Taggart, tells you why he made the move from free KeyPass, to free LastPass, to protect his usernames/passwords, while online.

I finally got fed up with trying to remember all of my darned passwords for the various websites I visit. I think I’m somewhere around 30 different usernames and passwords.

Being a freak about security, I don’t have the same password, or username, for anything. Also, my passwords are long and not the type that I can remember since they all have letters, numeric, and various characters in them. My philosophy on passwords is – if you are gonna try to crack me, you’re gonna spend some time doing it.

I still recommend you encrypt your financial usernames/passwords (if they aren’t the type you can’t remember), and keep them local, as opposed to online in the cloud. For the non financial usernames/passwords, I highly recommend you use LastPass.

LastPass is a great local and cloud application that can sync your usernames/passwords from computer to computer. You load in the information and LastPass will autofill both your username and password.

All you have to do is set up one username and one password to access LastPass. LastPass is encrypted, so it would be pretty difficult for someone to access your information without your username and password.

I use three computers on a regular basis – Laptop, home desktop, work desktop. With LastPass, all of my usernames and passwords are a click away.

I know many of you use KeyPass. I have been trialing both programs, and have decided LastPass is my favorite.

LastPass integrates well with all browser platforms and is free to use!

Fast facts:

Automatically log into your websites.

Fill complex website forms with a single click.

Share logins and confidential data with friends.

Seamlessly synchronize your data across multiple computers.

Generate secure random passwords.

Login using an on-screen keyboard.

Create One Time Passwords to use when traveling.

Watch the video on LastPass Basic Instructions: Provides basic introductory instructions on how to use LastPass.

System requirements: Windows 2000, XP, 2003, Vista, Server 2008, Win 7.

Download at: LastPass.com

Guest Writer: This is a guest post by Glenn Taggart of The Crazy World of G, one of the hardest working people I know, who brings a background as a high level super user, to the Blogging world.

Drop by Glenn’s freeware page.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

USBThief – Making it Easy for Cyber Criminal Wannabes

With access to your passwords, cyber-criminals (they come in all shapes, sizes and flavors – so don’t be fooled), can and will, steal your identity and without a doubt severely compromise your financial security. Stolen passwords have the potential to cause serious havoc in your life.

There are numerous ways of course that a password can be stolen. Popular methods employed by cyber criminals include, but are not limited to:

Email scams: Email scams work because the Cyber-crooks responsible use social engineering as the hook; in other words they exploit our curiosity to start the process of infecting unaware computer users’ machines

Search engine redirection: Cyber-crooks continue to be unrelenting in their chase to infect web search results, seeding malicious websites among the top results returned by these engines. Malware, including password stealers can be installed on a computer simply by visiting a site.

Drive-by downloads: Drive-by downloads are not new; they’ve been lurking around for years it seems, but they’ve become much more common recently. They are crafted to automatically download and install malware including password stealers on your computer without your knowledge.

Added to the burden we already carry in protecting our computers, our private personal information, and our confidential financial information, we now have to be careful, and perhaps even suspicious of our friends, or for that matter anyone, who inserts a USB drive including MP3 players, such as a iPod, into a USB port on our computer.

USBThief is a free hacking application – available for download on virtually every torrent download site that I investigated – which can be installed on a USB flash drive, or even an iPod, or other MP3 player.

I haven’t tried (yet), to install this on a Digital Camera, but I suspect (with some modification), that it can be done. Consider how often a friend, or family member, has connected any one of these peripherals to your machine.

USBThief has been designed and crafted with only one purpose in mind, and that is to steal both the passwords, and software keys, on the duped party’s computer.

There is no requirement that the culprit is a seasoned hacker – all that’s needed is that an ethically challenged individual download the program; decompress the archive and put all the files located in the folder “USBThief” onto a USB drive.

After connecting and removing the tweaked USB drive from the victim’s computer, the cyber-criminal simply views the dump folder to view the captured information.

Learning to use this application is an absolute “no brainer” – there are multiple sites on the Internet offering tutorials (including video tutorials), in the use of  USBThief.

Here’s a little blurb from a hacking site:

1.Insert the USB in your victim’s computer.

2.View folder “dump” to see the passwords. It also makes a second dump folder in the batexe folder. Tested and Working perfectly!

I have not written this article to produce paranoia, or to make you suspicious of either your family, or your friends, but so that you are aware of the ever increasing challenges we all face in protecting valuable information in a world that threatens us, at every turn it seems.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.