4 September 2011
I’ve been using Password Safe for about 3 years, and would recommend it to everyone. Yes, it’s free. I just downloaded the latest version, and discovered the following pretty cool features:
1. You can ask the program to automatically fill in password fields on websites. Cutting and pasting wasn’t hard, but this is twice as easy!
2. It’s now possible to customize the passwords the program generates for you. Choose the number of characters, the number of characters that should be lowercase, the number that should be uppercase, etc. You can even ask the program to generate passwords that are readable (rather than gibberish).
Yes, those features are for lazy people. But laziness in these areas will give you more time to spend elsewhere, like replacing old passwords every few months.
If Password Safe doesn’t quite do it for you, Beta News has a review of a range of password managers. Perhaps one of them will strike your fancy.
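The customizable generator described in the second feature above (fixed length, minimum counts of lowercase, uppercase and so on, plus a "readable" mode) is easy to reproduce. The following is an added example written for this page, not Password Safe's own code; the character pools, the syllable scheme for "readable" passwords and the function names are my own choices. It uses Python's `secrets` module so the output comes from the OS's cryptographic random source rather than `random`, and it reports the keyspace size so the cost of the readable mode is visible.

```python
import math
import secrets
import string

# Character pools (assumed; Password Safe's actual symbol set may differ).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALL = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length=16, min_lower=2, min_upper=2, min_digits=2, min_symbols=2):
    """Return a random password of `length` characters that contains at least the
    requested number of characters from each class; remaining positions are drawn
    from the full pool and the result is shuffled so class positions are not fixed."""
    minimums = ((LOWER, min_lower), (UPPER, min_upper), (DIGITS, min_digits), (SYMBOLS, min_symbols))
    if sum(n for _, n in minimums) > length:
        raise ValueError("per-class minimums exceed the requested length")
    chars = []
    for pool, count in minimums:
        chars.extend(secrets.choice(pool) for _ in range(count))
    chars.extend(secrets.choice(ALL) for _ in range(length - len(chars)))
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


def generate_readable(n_syllables=6, trailing_digits=2):
    """Return a pronounceable password built from consonant-vowel syllables
    (a constructed scheme, not Password Safe's), optionally followed by digits."""
    consonants = "bcdfghjklmnprstvwz"
    vowels = "aeiou"
    word = "".join(secrets.choice(consonants) + secrets.choice(vowels) for _ in range(n_syllables))
    word += "".join(secrets.choice(DIGITS) for _ in range(trailing_digits))
    return word


def class_counts(password):
    """Count how many characters of each class a password contains."""
    return {
        "lower": sum(c in LOWER for c in password),
        "upper": sum(c in UPPER for c in password),
        "digits": sum(c in DIGITS for c in password),
        "symbols": sum(c in SYMBOLS for c in password),
    }


def keyspace_bits(length, pool_size):
    """log2 of the number of equally likely strings of `length` drawn from `pool_size` symbols."""
    return length * math.log2(pool_size)


def readable_keyspace_bits(n_syllables=6, trailing_digits=2):
    """Keyspace of generate_readable: 18 consonants x 5 vowels per syllable, 10 per digit."""
    return n_syllables * math.log2(18 * 5) + trailing_digits * math.log2(10)


if __name__ == "__main__":
    pw = generate_password(16, 3, 3, 3, 3)
    print(pw, class_counts(pw), round(keyspace_bits(16, len(ALL)), 1), "bits")
    rd = generate_readable()
    print(rd, round(readable_keyspace_bits(), 1), "bits")
```

The two keyspace functions make the trade-off of the "readable" option concrete: a 16-character password from the full pool is around 100 bits of keyspace, while a 14-character readable one of the form above is under 50, so a readable password needs to be noticeably longer to offer comparable resistance to guessing.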
2 July 2011
… are also the most common passwords in the world. That’s not an accident – they’re the worst because they’re the most common.
If you’re using one of these passwords for your iPhone (or anything else, really), stop it!
Here is another list of passwords to avoid, many of which are unsurprisingly similar to the first list.
There are a lot of technically difficult and time-consuming ways to protect your security, and there are justifiable reasons to balk at them. Avoiding the most common passwords, however, is not one of those ways. It is the ripest and droopiest of the low-hanging security fruit. Pick it.
12 March 2011
In the previous post I said that I thought there were only two possible ways that a hacker could have gained entry to my Hotmail account: mind-reading or brute force.
There is actually a third possibility I failed to mention. I used to log in to my Hotmail account via this page:
I should have been using this page:
Notice the difference?
The page I should have been using has been verified by VeriSign to be an authentic Microsoft website (hence the green banner in the URL bar) and it is also a “secure page” that will protect my username and password from “eavesdroppers”. I know this because the URL for the second page starts with https rather than just http.
The reason the second page is deemed secure is that when I enter my username and password, that information is passed along to Microsoft’s servers through an encrypted tunnel. The concept is very similar to VPN security, which I’ve written about before.
The upshot is that the second website will prevent eavesdropping and man-in-the-middle attacks, both of which can be a problem if you are sending important information (like username and password details) through the internet while using a wi-fi hotspot.
Perhaps my email account got hacked last year because I logged on through the unsecured site while using a public wi-fi network somewhere. Don’t make that mistake.
If you’re listening, please remove your unsecured login page from the web!
19 February 2011
Last year, I was annoyed (and, admittedly, impressed) that someone hacked into my Hotmail account. There were only two ways someone could have got in: they read my mind or they set a machine to guessing for a very long time and the machine eventually guessed right.
At the time, I implored Hotmail to change their security system so that guessers would have to enter a CAPTCHA with every few wrong guesses. That would slow them down enough to make it nearly impossible to brute force their way into any account with a reasonably strong password.
I doubt the Hotmail folks read this blog and decided to pull up their socks as a result, but I was delighted to see, upon my most recent Hotmail login attempt, a similar change to the one I recommended (see picture below). My account is obviously still under siege, and Hotmail is preventing too many password guesses. The only downside is that they won’t let me into my account, either.
So I feel satisfied that Hotmail now has security features that will keep my account safe, even without the strongest possible password. Just in case, though, I’ve updated my password to be ultra-strong. It’s more than 16 characters long (I don’t want to say exactly how long, because that would make it easier for a hacker to guess), contains numbers, letters, and freaky characters. It looks something like this: gA4wL[l0iX+yJ$j1. Hackers, I wish you good luck :).
14 July 2010
An old and out-of-use Hotmail account, which I log into every couple of months just to prevent Hotmail from letting my account expire, was hacked in late May. Whoever or whatever (I suspect it was a machine) hacked into my account didn’t do anything terribly malicious. They simply borrowed my address for a month and sent out loads of spam to everyone on my contact list and many more who were not. Sorry! And thanks to the friend whom I inadvertently spammed and who gave me the heads-up about the problem.
What Went Wrong
I have no way of knowing how my account was compromised, but I suspect a brute force attack. Hotmail doesn’t lock accounts or insert any other barrier after a few (or even many) unsuccessful password entry attempts, so a machine could go on happily guessing at least one password per second for as long as it took to find the right one. Unfortunately, I made that process easier by having a password that was all lowercase and lacked special characters. Worse, even though I change most passwords every three or four months, I hadn’t changed that password since I opened the account. It wasn’t a giveaway password – it was 8 digits long and had a combination of letters and numbers – but I could have and should have done more.
Thankfully, the hackers didn’t change the locks while they were making use of my little piece of online real estate, and I was able to log in and reclaim full possession of the account. I set the new password to be extra robust.
And if anybody from Hotmail stumbles across this post: please consider asking people and machines who get their passwords wrong, say, five times in a row to pass a CAPTCHA test. Gmail does it. You should, too.
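The control asked for here and in the 19 February 2011 post (a CAPTCHA after a run of wrong guesses, rather than letting a machine keep guessing once a second indefinitely) comes down to a small piece of server-side state per account. The following is an added example, not Hotmail's or Gmail's code; the threshold of five failures, the 15-minute counting window, the class and method names, and the injectable clock are all my own assumptions. The password check itself and the CAPTCHA verification are taken as booleans supplied by the caller, since they live elsewhere in a real login system.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    """Per-account counter of consecutive failed logins inside the current window."""
    failures: int = 0
    window_start: float = 0.0


class LoginGate:
    """Require a CAPTCHA once an account has seen `threshold` consecutive failures.

    The gate is checked *before* the password is evaluated, so a guessing machine
    that refuses to solve CAPTCHAs learns nothing further about the password once
    the threshold is reached. A human who knows the password still gets in by
    solving the CAPTCHA, which is why this is preferable to a hard lockout
    (which lets an attacker lock the real owner out on purpose).
    """

    def __init__(self, threshold=5, window_seconds=15 * 60, clock=time.time):
        self.threshold = threshold          # assumed: 5 wrong guesses in a row
        self.window = window_seconds        # assumed: failures older than this are forgotten
        self.clock = clock                  # injectable for testing
        self._accounts = {}

    def _state(self, username):
        now = self.clock()
        st = self._accounts.setdefault(username, AccountState(window_start=now))
        if now - st.window_start > self.window:
            st.failures = 0                 # window expired: start counting afresh
            st.window_start = now
        return st

    def captcha_required(self, username):
        return self._state(username).failures >= self.threshold

    def attempt(self, username, password_ok, captcha_ok=False):
        """Process one login attempt.

        password_ok: result of verifying the submitted password (e.g. a hash compare).
        captcha_ok:  whether a CAPTCHA was submitted and verified for this request.
        Returns "captcha_required", "bad_credentials" or "ok".
        """
        st = self._state(username)
        if st.failures >= self.threshold and not captcha_ok:
            # Refuse without evaluating the password: no feedback to the guesser.
            return "captcha_required"
        if password_ok:
            st.failures = 0                 # a successful login clears the run
            return "ok"
        st.failures += 1
        return "bad_credentials"            # same message for unknown users, to avoid enumeration


if __name__ == "__main__":
    gate = LoginGate()
    for guess in ("123456", "password", "qwerty", "abc123", "letmein"):
        print(guess, "->", gate.attempt("alice", password_ok=False))
    print("correct password, no CAPTCHA ->", gate.attempt("alice", password_ok=True))
    print("correct password + CAPTCHA   ->", gate.attempt("alice", password_ok=True, captcha_ok=True))
```

Two points worth noting when deploying something like this: the counter is per account, so a machine that tries one common password against many different accounts is not slowed by it and needs a complementary per-source-address limit; and the window reset matters, otherwise a stale failure count from months ago would force a CAPTCHA on the owner's next normal login.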