This post is about crafting a strong password and using LastPass, a security-oriented password manager that I have been using for a few weeks now with great success.
For years I used the same password for Gmail, for Facebook and for other things. It was a remarkably simple one, just the name of an obscure and insignificant character played by a girl I vaguely liked in a high school production; the character's name doesn't even appear in the more commonly known movie version. No reason anyone would ever guess it, and no one did. Then to beef it up I added a random string of numbers to the end. In the last decade, having a password that no one would guess was good enough.
Now it isn't, because in most cases attackers aren't trying to use personal information to break into your specific account (although you still want to be on guard for that: don't use your birthday or the unencrypted name of the girl everyone knows you like). The threat is more likely phishing (tricking you into handing over your password) or a program churning through common passwords, dictionary words and eventually every possible combination until it finds yours. So aside from avoiding obvious passwords (for throwaway signups that I don't care about protecting, sometimes I use "passwords" as my password), the key to a strong password turns out to be length, provided the password isn't a dictionary word or a common choice that a cracking program tries first.
From the New York Times (thanks Megan M):
Here’s a little quiz: Which is the stronger password? “PrXyc.N54” or “D0g!!!!!!!”?
The first one, with nine characters, is a beaut. Mr. Gibson’s page says that it would take a hacker 2.43 months to go through every nine-character combination offline, at the rate of a hundred billion guesses a second. The second one, however, is 10 characters. That one extra character makes it much, much stronger: it would take 19.24 years at the hundred-billion-guesses-a-second rate. (Security researchers have established the feasibility of achieving these speeds with fairly inexpensive hardware.)
Don’t worry about the apparent resemblance of “D0g,” with a zero in the middle, to the word in the dictionary. That doesn’t matter, “because the attacker is totally blind to the way your passwords look,” Mr. Gibson writes on his Web site.
“The old expression ‘Close only counts in horseshoes and hand grenades’ applies here,” he says. “The only thing that an attacker can know is whether a password guess was an exact match or not.”
Mr. Gibson says that as long as the password is not on a list of commonly used passwords and is not found in a dictionary, the most important password factor is length.
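To make the quoted arithmetic concrete, here is a small Python script, added by the editor and not part of the Times article or Mr. Gibson's page, that reproduces the search-space figures for the two sample passwords and adds the check the quote's last sentence depends on: a constructed mini wordlist with simple mangling rules (undo leetspeak, strip trailing symbols), which is how cracking tools actually work before they fall back to exhaustive search. The 95-symbol alphabet, the 10^11 guesses per second and the wordlist contents are assumptions of the example; the same entropy function also covers a passphrase, treating the words of a wordlist as the alphabet.

```python
import math

PRINTABLE_ASCII = 95        # upper, lower, digits and symbols: the alphabet behind the quoted figures
GUESSES_PER_SECOND = 1e11   # the article's "hundred billion guesses a second" offline rate


def search_space(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Candidates an exhaustive search must try for passwords of 1..length characters
    drawn from `alphabet` symbols (the longest length dominates the sum)."""
    return sum(alphabet ** k for k in range(1, length + 1))


def seconds_to_exhaust(length: int, alphabet: int = PRINTABLE_ASCII,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; on average a hit comes halfway through."""
    return search_space(length, alphabet) / rate


def entropy_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random password, or of a passphrase when `alphabet` is the
    size of the wordlist. Only meaningful if the choice really was random."""
    return length * math.log2(alphabet)


# Constructed stand-in for a real cracking wordlist (real lists run to millions of entries).
COMMON_WORDS = {"password", "passwords", "dog", "letmein", "qwerty", "123456"}
# Undo the usual letter-for-symbol substitutions that crackers apply as "rules".
UNLEET = str.maketrans("0134$@!", "oieasai")


def base_word(candidate: str) -> str:
    """Strip trailing digits/punctuation and undo leetspeak, as a mangling rule would."""
    core = candidate.rstrip("0123456789!@#$%^&*.?_-")
    return core.translate(UNLEET).lower()


def rule_based_hit(candidate: str, wordlist=COMMON_WORDS) -> bool:
    """True if a wordlist-plus-rules attack finds the candidate long before brute force
    would: the 'not found in a dictionary' condition from the quoted article."""
    return candidate.lower() in wordlist or base_word(candidate) in wordlist


def assess(candidate: str) -> dict:
    """Summarise what an attacker's two strategies would cost for this candidate."""
    n = len(candidate)
    return {
        "length": n,
        "entropy_bits": round(entropy_bits(n), 1),
        "brute_force_years": seconds_to_exhaust(n) / (365.25 * 86400),
        "dictionary_hit": rule_based_hit(candidate),
    }


if __name__ == "__main__":
    for pw in ("PrXyc.N54", "D0g!!!!!!!", "passwords", "i9H120VgQrRhzmL"):
        print(pw, assess(pw))
    # A four-word passphrase drawn from a 7776-word (diceware-sized) list, for comparison:
    print("4-word passphrase bits:", round(entropy_bits(4, 7776), 1))
```

Run it and "D0g!!!!!!!" does show the larger brute-force cost (about 19 years versus 2.4 months at that rate) yet falls to the wordlist rule immediately, which is the practical reading of "not found in a dictionary": length only counts once the candidate cannot be reached from a word by a cheap rule.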
The Times article goes on to endorse LastPass.com, a password manager. It is free, but for $12/year you can also add it to your smartphone. It takes a little fiddling to get used to, but basically LastPass lets you randomly generate passwords ("i9H120VgQrRhzmL") and stores them for you. This lets you have long, random, complicated and unique passwords for every log-in without having to remember them yourself. That is a huge improvement over using the same password for multiple accounts or using passwords simple enough that you can remember many of them. Once I've logged into LastPass, whenever I open a website with a log-in page LastPass fills in the credentials and submits them. Of course your LastPass password (the "last password you'll need," I assume the title means, although you'll want to change it from time to time) is now the master key and must be absolutely memorable to you and unguessable to spying people and robots. LastPass is so committed to security that their own employees can't access your password and your data never sits on their site in unencrypted form: the vault is encrypted with a key derived from your master password, which is why a weak master password undoes everything else, and why if you lose it you've got problems. I'd honestly recommend writing this password down somewhere sneaky.
Using LastPass has simplified my computing experience by requiring me to remember only one password (hint: a long phrase is easy to remember but hard to crack, because length is what drives up the search space) while allowing me to use a very long, complicated, randomly generated and unique password for each site. Because LastPass saves my passwords I am free to change them often, which is what you should do but don't because you don't want to memorize new ones. I also believe this should help prevent phishing, because LastPass fills a saved password only on the site it was saved for: a mockup of Facebook's or Bank of America's website at some other address, designed to fool a human into submitting his or her password, won't fool the manager.
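As an added illustration (editor's example, not LastPass's code), this toy vault shows the two things a manager does that make the above work: it draws passwords from the operating system's cryptographic random source, and it hands a saved password only to a page whose registrable domain matches the one it was saved under, so a lookalike page at another address gets nothing. The short public-suffix list, the HTTPS-only rule and the Vault class are assumptions of the example.

```python
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits   # same shape as the "i9H120VgQrRhzmL" sample


def generate_password(length: int = 15, alphabet: str = ALPHABET) -> str:
    """A uniformly random password from the OS CSPRNG (never random.choice, which is
    seeded predictably and not meant for secrets)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Two-label public suffixes this toy knows about. A real manager consults the full
# Public Suffix List; this short set is an assumption of the example.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """'www.facebook.com' -> 'facebook.com'; 'login.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def should_autofill(page_url: str, saved_domain: str) -> bool:
    """The anti-phishing rule: fill only when the page's registrable domain equals the one
    the credential was saved for, and only over HTTPS (the HTTPS requirement is an
    assumption of this example, not a claim about any particular product)."""
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return registrable_domain(parts.hostname) == saved_domain.lower()


class Vault:
    """Constructed stand-in for a manager's store: credentials keyed by registrable domain."""

    def __init__(self):
        self._entries = {}

    def add(self, site_url: str, username: str, password=None) -> str:
        """Save a login for the site; generates a random password if none is given."""
        domain = registrable_domain(urlsplit(site_url).hostname)
        password = password or generate_password()
        self._entries[domain] = (username, password)
        return password

    def credentials_for(self, page_url: str):
        """Return (username, password) only for a page that passes should_autofill."""
        for domain, creds in self._entries.items():
            if should_autofill(page_url, domain):
                return creds
        return None


if __name__ == "__main__":
    vault = Vault()
    pw = vault.add("https://www.facebook.com/", "me@example.com")
    print("saved:", pw)
    for url in ("https://www.facebook.com/login.php",
                "https://facebook.com.evil.example/login",
                "http://www.facebook.com/"):
        print(url, "->", vault.credentials_for(url))
```

The lookalike host "facebook.com.evil.example" contains the real name as a prefix, which is exactly what fools a human reading the address bar; the manager compares the registrable domain, not the appearance, so it stays silent.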
I learned about LastPass from James Fallows, naturally enough.
SPECIAL NOTE TO SARAH CONNOR, THIS IS ESPECIALLY URGENT.
Once again Facebook has created a cool feature with creepy implications, and once again FB has activated it for everyone without telling us or making it easy to opt out. I'm talking about facial recognition, an upgrade to FB's capabilities that lets it pick your face out of the millions of pictures uploaded every day. As I understand it, FB is compiling a database of faces linked to names. This might make tagging people in pictures a little easier, but it could also mean a stranger could tag you (I think FB doesn't currently allow that, but their M.O. is to enable features without warning and by default, so . . .) in a picture you didn't even know was taken. Sketchier than the auto-tagging feature is the fact that FB has started compiling this information (your face matched to your name) at all, without much warning and certainly without asking. Even Google, which is first and foremost a search engine, thinks this is too invasive. One creepy implication of such a database is that a stranger could take your picture, use it to find your name, and then find everything the internet knows about you. Might be cute in a movie, but IRL ("in real life") we might not want to go there.
Solutions:
1. Opt-out of auto-tagging:
Go to Account (in the upper righthand corner of the screen)
Select Privacy Settings from the drop-down menu
Click "Customize Settings"
Under "Things others share" there is a section "Suggest photos of me to friends"; click "Edit Settings" to the right of it.
Click on the box that says "Enabled" and toggle it to "Disabled."
2. Ask Facebook to pretty please stop compiling photo identification data on you.
This is the part that should help prevent strangers from identifying you by photo.
While signed into Facebook, click this link. It opens a page in the Help Center from which you can message the Facebook Photos Team. The pre-written text is "Please remove all photo summary information associated with my account that could be used to make photo suggestions." and I would leave it as is to avoid confusion. Send it. You will receive no confirmation that they have complied, however.
Dropbox is a nice free program (extra storage costs, though) that makes it easy to transfer any kind of file between two computers. You simply set up an account linked to your email, then install Dropbox on every computer you wish to link. Dropbox creates a folder on each computer (in a default location, or you can choose; I put mine on the desktop for easy access) and as long as the computers are connected to the internet this folder syncs between them, meaning that files added on any computer quickly become accessible on every linked computer. Likewise, deleting a file in one Dropbox folder deletes it on every linked computer, so treat the folder as a transfer channel, not a backup. So far I've found this an excellent way to transfer files from my computer to my Android phone.
Even better, you can share subfolders with other Dropbox users. Sara has been sending me media files through Dropbox, and I have used it to send a mountain of pictures of Michelle to Mike (her daddy). Once Ann gets hers set up I will use it to finally transfer pictures I've taken at her concerts.
The basic, free subscription gives you 2 GB of space, which is pretty good. The plans for purchasing more are pretty expensive, though. If you refer or are referred you get 250 MB of bonus space, so use the links I've provided.
This is the best and easiest syncing and sharing program I've found. I've tried using ADrive for this sort of thing, but that is more of a backup service and is cumbersome for sharing. I think of Dropbox as a wormhole PORTAL that connects two computers . . . things placed into one folder appear (not quite instantly unless they're small files) magically on the other side!
Taking a break from the nightmare scenarios of Facebook and email hijacking, I want to promote a sweet little free program that I've been using for years. CCleaner is a very easy way to keep your computer from accumulating junk files over time, which waste hard drive space and can slow performance. It runs quickly (the first time may be slower because there's more garbage scattered around your computer than there ever will be again), effortlessly, without much input from you, and in several years of use has never once deleted files that it shouldn't have on any of my computers. It empties your trash folder, which I for one always forget to do. It's a nice feeling when it reports that it's eliminated 400 MB or some such large amount of unnecessary files. I've been using CCleaner consistently for many years so I rarely have much accumulated junk, but on a computer that has never been cleaned you may eliminate several gigabytes of waste and significantly improve performance.
I suppose I should give ratings? 10/10. This program does a few things and does them extremely well, easily and for free. (When you go to the page it will ask for a donation, and if you can afford to give by all means do, but below and to the right there are links to download without paying.)
This program is updated frequently, so if you tell it to notify you when there is an update this will happen a lot. Updating is just a matter of downloading the newer version from the official page and installing it over the old one; you don't have to uninstall first. Generally speaking it's good to keep your programs updated for better functionality and improved security, and to take those updates only from the vendor's own site.
As far as I know, CCleaner only runs on Windows. Google suggests "Cocktail" and "Onyx" as Mac OS X equivalents, but never having used them I have no information to share. Check the linked descriptions and reviews.
Anyone who follows geek websites knows that Facebook is not very concerned with security, but Google has a much better reputation. That's why I was surprised this spring when James Fallows reported the rise of Gmail hijackings. Since then it has happened to people I know and to government officials. It's also happening to Yahoo, Hotmail and AOL.
The solution for Gmail is similar to the "Login Approvals" Facebook precaution I advised you to take. Google calls it 2-Step Verification, and I've been using it without a hitch for a couple of weeks now. Because phishing and other forms of data theft have undermined the security value of passwords (even good, strong ones), 2-Step Verification requires someone signing into your account to have both the password and a physical object: your phone, or a computer you have already verified with it. The first time you log in on each computer after turning on 2-Step Verification you will be asked for a code that Google sends to your phone. A hacker in China or Seattle might have your password (sooner or later one probably will) but won't have your hardware.
Google explains the process for activating 2-Step Verification here, and a "wizard" guides you through setting it up. I have an Android phone and I use the free "Google Authenticator" app from the Android Market to generate codes when I need to log in to Gmail (and Calendar and Reader and Google Docs, etc.) on a new computer. The app computes each code from a secret it shares with Google and the current time, so it works even with no signal. iPhone and BlackBerry have equivalent apps, and if you don't have a smartphone you can get the codes via text message.
While losing control of your Facebook account must be annoying (you really shouldn't keep personal data there), losing control of your email is far worse: password resets for nearly every other account you own go through it. Although the 2-Step Verification process sounds complicated, it really is not difficult to set up, and once it is running you rarely have to do anything differently (unless you sign into email on new computers frequently).
Today I will write about Facebook's Platform for third-party apps (applications made for Facebook but not by Facebook), why they're a major vulnerability for your account, and how and why to turn the Platform off and secure your account. While the Account Settings adjustments I recommended yesterday should all be easy calls (and I think FB should make them mandatory instead of opt-in), this one involves a genuine trade-off: much improved security and reduced risk of hijacking, but also the loss of those third-party apps.
The Problem
Third party apps are dangerous for three main reasons that I am aware of:
1. You're trusting your account's safety to more people. FB is already unreliable, and now you're depending on FB and who knows who else to protect access to your account: every app you authorize keeps its own standing permission to read from or post to your account, and a breach at that app's developer exposes that access.
2. Yesterday I begged you to enable Secure Browsing (HTTPS) for Facebook, and you did it! But most apps don't permit Secure Browsing and force you to revert to HTTP. This is like using a condom with your partner but sleeping around without protection.
3. With Platform enabled (as it is by default) you can pile up applications without realizing it. A couple of people I've helped regain control of their accounts have had piles of Apps enabled that they didn't recognize and never used. Every one of those is a vulnerability, I'd wager especially those that are sneaky about getting themselves attached to your account.
The Solution (if you can live without Mafia Wars)
1. In the upper right-hand corner select Account
2. From the drop-down menu select Privacy Settings
3. In the lower left-hand corner pick Apps and Websites: Edit your settings
4. Apps you use will list the applications that have permission to access your account and therefore potentially provide access to hijackers and identity thieves. Any there you don't recognize? That's what I'm talking about.
5. Deactivate them individually. (Even if you want to keep some, deactivate the ones you don't use.)
6. Click "Turn off all platform apps."
Ta-da! Your FB profile is now much more secure, and the inability to access FarmVille might also make a more productive citizen of you. I've had the Platform turned off for a couple of days now and since I didn't really use the apps nothing has changed. The core FB experience (statuses, pictures, wall postings, groups) remains the same.
Tomorrow I'll write about securing Gmail. If you use a different email service, I strongly suggest looking up security protocols because they're all under attack.
Problem
FB accounts are being steadily hijacked this year. At this rate FB will soon be like MySpace: hijacked or fake accounts run by computer programs ("bots") sending junk ("spam") to each other with no human users left on board. For years Facebook was the cleaner, safer alternative, but now it is going downhill too. The main line of defense for your account is your password, but clearly that is no longer nearly good enough. A friend whose account I helped recover this week had a Hebrew password and some bot either guessed or stole it. The bots are either stealing our passwords from somewhere, guessing them somehow, or forcing entry by some back door.
To save itself, and especially to encourage people to trust it as a marketplace (do not do this - never ever ever give Facebook your credit card) Facebook should immediately make several changes to the way it handles your account. Instead, FB has chosen to leave accounts vulnerable by default and allow you to choose ("opt-into") more secure settings.
Solution
In the upper-righthand corner, go to Account, then Account Settings.
Scroll down to Account Security and click it.
Here we will activate three security protocols that will make it much harder to hijack our accounts or steal our information.
1. Secure Browsing (https)
Activate this to tell FB to use HTTPS rather than HTTP whenever possible. This encrypts the data travelling between your computer and Facebook's servers so that nobody on the path can read or alter it. The core FB experience of pictures and statuses and wall posts and messages will not be affected but will be much more secure. Certain FB apps (all those games and third-party features) won't work over HTTPS and will ask you to switch to unsecured HTTP to use them. Be aware that every switch back to HTTP can send your session cookie in the clear, and whoever captures it can act as you without ever learning your password. I recommend you stop using those apps (tomorrow we will talk about disabling them completely), but if you do switch at least you'll be protected some of the time.
This is especially important if you go online on public wifi networks, for example at a coffee shop, library or school.
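Why that switch to HTTP matters is a question of cookies, not passwords. The following added example (editor's code, not Facebook's) parses a few constructed Set-Cookie headers and applies the browser's rule that only cookies flagged Secure stay off plain HTTP: if a site's session cookie lacks that flag, the first HTTP page an app forces you onto carries it in the clear for anyone on the coffee-shop wifi to copy. The cookie names, values and domain are made up for the example.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers standing in for what a site hands the browser after
# login. Only the first is marked Secure; the second is a typical pre-HTTPS-everywhere
# session cookie, and the third is harmless preference data.
SAMPLE_SET_COOKIES = [
    "sid=8f3c0e1d2a; Secure; HttpOnly; Path=/; Domain=.example.com",
    "sid_legacy=8f3c0e1d2a; HttpOnly; Path=/; Domain=.example.com",
    "locale=en_US; Path=/; Domain=.example.com",
]


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name/value plus the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "secure": False, "httponly": False,
              "domain": None, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            cookie["domain"] = val.lower().lstrip(".")
        elif key == "path":
            cookie["path"] = val or "/"
    return cookie


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Domain attribute match: the host itself or any subdomain of it."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent(headers, request_url: str) -> list:
    """Names of cookies the browser would attach to a request for `request_url`.
    The Secure rule (RFC 6265 section 4.1.2.5): a Secure cookie goes only over https."""
    parts = urlsplit(request_url)
    host = parts.hostname or ""
    sent = []
    for h in headers:
        c = parse_set_cookie(h)
        if c["domain"] and not domain_matches(host, c["domain"]):
            continue
        if not (parts.path or "/").startswith(c["path"]):
            continue
        if c["secure"] and parts.scheme != "https":
            continue
        sent.append(c["name"])
    return sent


def exposed_in_clear(headers, request_url: str) -> list:
    """Cookies that cross the network unencrypted for this request; empty over https."""
    if urlsplit(request_url).scheme == "https":
        return []
    return cookies_sent(headers, request_url)


if __name__ == "__main__":
    for url in ("https://www.example.com/home", "http://apps.example.com/game"):
        print(url, "sends", cookies_sent(SAMPLE_SET_COOKIES, url),
              "exposed:", exposed_in_clear(SAMPLE_SET_COOKIES, url))
```

The HttpOnly flag is irrelevant here: it stops page scripts reading the cookie, not the network. Only Secure keeps a cookie off an HTTP connection, so a site whose session cookie is not marked Secure loses the whole session the moment one app page loads over HTTP, which is the situation the paragraph above describes.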
2. Login Notifications
Selecting either "Send me an email" or "Send me a text message" will make Facebook notify you when a new computer logs into your account. If you did the logging in, of course, you'll ignore the message. If you didn't, you'll know your account has been compromised. Once you've signed in once from every computer you use Facebook on, the notifications should stop. If you're a student who frequently logs in from public computers this might get annoying.
3. Login Approvals
This is part of the "two-factor authentication" trend taking hold now that passwords alone provide insufficient security. You'll need to give FB your cellphone number, which I did not like doing, and from then on when a new computer logs into your account the person logging in (hopefully you) will have to enter a code that FB sends to your phone by text message, in addition to the password. Just as the password is no longer a sufficient lock on your account, knowing it is no longer a sufficient key. This sounds more complicated than it is in practice because you only have to do it once per computer. I've been using it for weeks and it doesn't change my daily experience at all.
I really don't like giving FB my phone number and I hope they'll offer an email option soon. But two-factor authentication is absolutely key to making sure that some guy in Russia or some kid in Ontario can't get into your account even if they steal your password (which sooner or later they will).
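The server side of such a texted code, as an added example by the editor (not Facebook's implementation): a six-digit code has only a million possibilities, so what actually makes it safe against someone who already has your password is a short lifetime, a small attempt budget, single use and a constant-time comparison. The five-minute lifetime and five-attempt limit are assumptions of the example.

```python
import hmac
import secrets


class LoginApprovalCode:
    """One texted login code and the rules that keep a six-digit secret safe."""
    DIGITS = 6
    LIFETIME = 300       # seconds the code stays valid (assumption)
    MAX_ATTEMPTS = 5     # after this the code is burned and a new one must be requested

    def __init__(self, issued_at: int):
        # secrets, not random: the code must be unpredictable to someone who saw earlier ones
        self.code = f"{secrets.randbelow(10 ** self.DIGITS):0{self.DIGITS}d}"
        self.issued_at = issued_at
        self.attempts = 0
        self.used = False

    def verify(self, submitted: str, now: int) -> bool:
        """True exactly once, for the right code, within the lifetime and attempt budget."""
        if self.used or now - self.issued_at > self.LIFETIME:
            return False
        if self.attempts >= self.MAX_ATTEMPTS:
            return False
        self.attempts += 1
        if hmac.compare_digest(self.code, submitted):
            self.used = True
            return True
        return False


def guess_success_probability(digits: int = 6, max_attempts: int = 5) -> float:
    """Chance an attacker holding the password guesses the code within the attempt budget.
    Without a budget the code falls to a script in minutes; with five tries it is 5 in a million."""
    return max_attempts / 10 ** digits


if __name__ == "__main__":
    issued = 1_700_000_000
    challenge = LoginApprovalCode(issued_at=issued)
    print("texted code:", challenge.code)
    print("right code accepted:", challenge.verify(challenge.code, issued + 20))
    print("same code again:", challenge.verify(challenge.code, issued + 25))
    print("guess probability with a budget:", guess_success_probability())
```

The attempt counter is per code, not per account; a real deployment also throttles how often a new code may be requested, or an attacker simply asks for fresh codes until one is easy.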