Monday, November 23, 2009

Password Craziness

There is a light at the end of the password tunnel. The only question is when will the endless craziness of longer and more complex passwords finally be tamed, for surely, either by reason or futility, it will end.


Surely you've seen the current craze, eight character passwords containing a combination of lowercase, uppercase, numbers and special characters. Let's say for the sake of argument that this is truly needed and worth every bit of aggravation. How long will it last? The basic math says about 10 years, given that Moore's Law holds and computing gets one-half as expensive every eighteen months, and that there are about 80 possible characters to choose from when building a password. To keep the same relative immunity, in 10 years it will take a 9 character password, in 20 years a 10 character password, etc., until such time that users revolt, or hopefully, start to question why in this world of marvelous technological innovation they must increasingly carry the security burden.
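The arithmetic behind that paragraph, carried through as an added example (this is not code from the original post). The 80-symbol alphabet and the 18-month doubling period are the post's assumptions; the 1000 guesses per second in the usage lines is a constructed figure, not a measurement. The same functions give the exhaustive-search time that the bullet list further down reasons about.

```python
"""Password work-factor arithmetic: keyspace size, exhaustive-search time, and
how a fixed attacker-speed doubling period eats into a fixed password length.
Added example; alphabet size, doubling period and guess rate are assumptions."""
import math

SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def days_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Days needed to try every password at a fixed guess rate.
    The expected time to hit one particular password is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_DAY


def years_per_extra_character(alphabet_size: int, doubling_years: float = 1.5) -> float:
    """One more symbol multiplies the keyspace by alphabet_size, which equals
    log2(alphabet_size) doublings of attacker speed. With one doubling every
    `doubling_years`, that is how long a single extra character buys."""
    return doubling_years * math.log2(alphabet_size)


def equivalent_length(alphabet_size: int, base_length: int, years_ahead: float,
                      doubling_years: float = 1.5) -> float:
    """Password length that gives the same resistance `years_ahead` years from
    now as `base_length` gives today. Fractional; round up for a policy."""
    doublings = years_ahead / doubling_years
    return base_length + doublings / math.log2(alphabet_size)


if __name__ == "__main__":
    print(f"80^8 = {keyspace(80, 8):,}")
    print(f"at 1000 guesses/s it takes {days_to_exhaust(80, 8, 1000):,.0f} days to try them all")
    print(f"one extra character buys about {years_per_extra_character(80):.1f} years")
    for years in (10, 20, 30):
        print(f"in {years} years you need {equivalent_length(80, 8, years):.2f} characters")
```

Two things the numbers show that the prose does not: the length that keeps the work factor constant grows by only about one character per decade, and a longer password does nothing against an attacker who is not searching the whole keyspace but a list of likely candidates, which is exactly the "smart force" case discussed below.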


But why wait until the fires are burning around your feet and the smoke is rising to take a fresh look at the problem and solve it sooner rather than later? A few things to consider.


  • It appears that the single biggest issue is using hashes to store passwords. Then if the bad guys get the hashes, it's straightforward to crack common passwords. If this is indeed a real problem, then fix it. Use something else. Like encryption. Duh.
  • Passwords can be cracked by brute force by simply trying every possible combination. This assumes that no prevention mechanism is in place to stop this tack from being successful. Since most passwords are validated by servers, this limits the number of attempts per second to the speed of the server and the intervening network, in most cases limiting the attempts to hundreds or maybe a thousand attempts per second. Compared to the over 1 quadrillion possibilities of an 80-choice, 8-character-long password, the math says it takes over 3 million days to try them all. I'll be lucky to live 30,000 days. I'll take my chances.
  • Passwords that are easy to remember are easy to guess, probably taking only a few thousand attempts via a "smart force" method. Very true, and assuming that the above server just blindly tries as fast as its little GHz will allow, a very real threat. But humans can't try more than once every few seconds and will undoubtedly give up after a dozen or so attempts and go find that sticky note they knew they would need someday. So why can't the server just let the user try a few times and revoke their account? That actually works well unless someone, inside or outside your company's "four walls", decides to enter your userid and a few bad passwords and lock you out of your computer. It happens, trust me on this one. The best solution is for the server to simply "slow down", ever more slowly processing new attempts. The hacker can't try any more than the user will try before giving up. This is the clever method used by Lotus Notes for years. If you're lucky enough to have Lotus Notes available, try a few bad passwords and see what happens. I promise it won't hurt.
  • If the hackers know all the common passwords, why do systems allow any of them to be used? Ah, the simple questions are the best, aren't they? If "egbdflth" is not in the list, wouldn't it be just as good as "Eg^-3U8i"?
  • Passwords that protect files are prone to hacking, since many copies of the file can be made and large numbers of computers can simultaneously try to guess the password. Sooner or later they will get in, and that time can be greatly lengthened by stronger passwords. Ah, we've uncovered a truly good use for strong passwords. Finally. Anyone out there do this on a regular basis?
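The "slow down" scheme from the third bullet, written out as an added example. This is not code from the post and not how Lotus Notes implements it; the doubling schedule starting at one second, the 300-second cap, the one-hour forgiveness window and the demo account `alice` with its password are all constructed assumptions. The simulation uses a fake clock (`now` is passed in) so it runs instantly and deterministically.

```python
"""Progressive slow-down for failed logins, simulated against a fake clock.
Added example with constructed parameters; not the post's or Lotus Notes' code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed demo credential store. A real system keeps salted password hashes.
_DEMO_USERS = {"alice": "egbdflth"}


def demo_verify(user: str, password: str) -> bool:
    return _DEMO_USERS.get(user) == password


@dataclass
class SlowDownThrottle:
    base_delay: float = 1.0        # wait imposed after the first failure
    growth: float = 2.0            # each further failure multiplies the wait
    max_delay: float = 300.0       # cap: the account is slowed, never locked
    forgive_after: float = 3600.0  # an hour without failures clears the count
    _failures: Dict[str, int] = field(default_factory=dict)
    _next_allowed: Dict[str, float] = field(default_factory=dict)
    _last_failure: Dict[str, float] = field(default_factory=dict)

    def current_delay(self, user: str) -> float:
        n = self._failures.get(user, 0)
        if n == 0:
            return 0.0
        return min(self.base_delay * self.growth ** (n - 1), self.max_delay)

    def _reset(self, user: str) -> None:
        for table in (self._failures, self._next_allowed, self._last_failure):
            table.pop(user, None)

    def attempt(self, user: str, password: str, now: float,
                verify: Callable[[str, str], bool] = demo_verify) -> Tuple[str, float]:
        """Process one login attempt at time `now` (seconds).
        Returns ("ok" | "bad_password" | "too_early", seconds the caller must wait)."""
        last = self._last_failure.get(user)
        if last is not None and now - last >= self.forgive_after:
            self._reset(user)
        wait = self._next_allowed.get(user, 0.0) - now
        if wait > 0:
            # Early attempts are refused without looking at the password and are
            # NOT counted as failures, so a flood cannot inflate the delay by itself.
            return "too_early", wait
        if verify(user, password):
            self._reset(user)
            return "ok", 0.0
        self._failures[user] = self._failures.get(user, 0) + 1
        self._last_failure[user] = now
        delay = self.current_delay(user)
        self._next_allowed[user] = now + delay
        return "bad_password", delay


def human_scenario() -> List[Tuple[str, float]]:
    """A real user mistypes three times at human speed, then gets it right."""
    t = SlowDownThrottle()
    tries = [("egbdflt", 0.0), ("Egbdflth", 5.0), ("egbdfl th", 12.0), ("egbdflth", 20.0)]
    return [t.attempt("alice", pw, when) for pw, when in tries]


def guesses_checked(window_seconds: float, submissions_per_second: int) -> Tuple[int, int]:
    """An online guesser hammers one account at a fixed rate for the whole window.
    Returns (guesses actually checked against the password, guesses submitted)."""
    t = SlowDownThrottle()
    submitted = int(window_seconds * submissions_per_second)
    checked = 0
    for i in range(submitted):
        now = i / submissions_per_second
        outcome, _ = t.attempt("alice", f"guess{checked}", now)
        if outcome != "too_early":
            checked += 1
    return checked, submitted


if __name__ == "__main__":
    print("human user:", human_scenario())
    print("one hour at 100 submissions/s:", guesses_checked(3600, 100))
```

With these parameters the human user waits at most a few seconds between mistakes and never sees a refusal, while a guesser submitting 100 attempts a second for an hour gets only 20 of 360,000 guesses actually checked. Because refused early attempts are not counted and the delay is capped, a stranger typing bad passwords against your user ID slows your account down for a while but cannot lock it, which is the lockout problem the bullet complains about.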

Why force unreasonable passwords on people? In my book if it's not in the hacker's list, it's good enough. I believe that's the reason behind the lowercase, uppercase, number and special character craziness. They're just trying to get you to pick a password that's not very likely to be in the hacker's list. But that makes the password much harder to remember than it really needs to be. That in turn leads to extremely weak password reset tools which "challenge" you with questions like your mother's maiden name. Wow, that's really secure. Not.

The larger strategic challenge is designing solutions that are simple at the edge and not just passwords. Simplicity is the best security and removing the human element is essential to that design. Stop requiring users to solve our security problems and start looking for solutions that address the real problems.

Monday, November 16, 2009

My Home PCs – Part 4 – Toys for Geeks

The final installment of this four-part blog contains some utilities that most home users will never need, but I find them indispensable. With the exception of WinDirStat, these toys take a reasonable amount of technical knowledge to use, although they are unlikely to cause your PC any problems if you want to give them a whirl. If nothing else, it's interesting to run Wireshark and Process Monitor to see the sheer volume of what's going on inside your PC. It's a much busier beast than you probably think.


  • Wireshark - This program captures all network data packets coming into and going out of your PC, very similar to the professional Sniffer tool. Although having a network background is useful to understand all the packet headers, it's more useful to understand how an application works to make the best use of the data captured. It's a good idea to shut down as many applications as possible before running Wireshark to reduce the data being captured. You can download Wireshark at http://www.wireshark.org and there are some very good introductory videos and other documentation at http://www.wireshark.org/docs. You'll also be installing WinPcap, included in the Wireshark download, which is the component that interfaces between Windows and Wireshark.
  • Process Monitor - This is one of many Sysinternals utilities that Microsoft provides and the one I find the most useful. It shows real-time file system, registry and process activity, in short, all the stuff that's happening inside your PC at a very detailed level. The tool provides filters to reduce the flood of data it produces to a more manageable level. The download is available at http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx, which includes both individual links to the different tools and a single download if you want the entire suite.
  • VirtualBox - For those of us that like to try out new operating systems such as Ubuntu Linux and Google Android and want to make it painless, VirtualBox is the answer, and can be found at http://www.virtualbox.org/wiki/Downloads. This Sun product comes in two versions. VirtualBox OSE (Open Source Edition) is free for all purposes and VirtualBox is free only for personal use and product evaluation. More details can be found at http://www.virtualbox.org/wiki/Editions. VirtualBox creates a virtual environment for its guest operating systems and boots up image files in the .iso format. It also handles virtual machines packaged in the Open Virtualization Format (.ovf).
  • Google Calendar Sync - In today's world of technology we have a lot of duplicate tools, one for our work life and one for our home life. But having separate tools sometimes causes issues and in my world having two calendars was particularly painful. Enter Google's free Calendar Sync tool, which can sync an Outlook calendar to a Google Calendar. I have my normal Google calendar that comes with my personal GMail account, which is my home life calendar. I have another Google Calendar, using a different account, which contains a synchronized copy of my work life calendar. I set up this second account to be viewable by my home life account and I can view both my calendars at the same time, giving me a complete view of my life. And my wife does the same, shares both of her calendars with me (and vice-versa) and I can see our combined four calendars all at the same time.
  • WinDirStat - We all seem to run out of hard drive space and finding good candidates to delete or move elsewhere can be tedious. WinDirStat solves that by scanning a hard drive and building a visual, color-coded "block map" of every file where the size of each block is proportional to its size. Click on the block and that file is highlighted and its directory structure displayed. By far the easiest way to clean up a hard drive I've found. This utility can be downloaded at http://sourceforge.net/projects/windirstat.

Monday, November 9, 2009

My Home PCs – Part 3 – Media and More Media

The first two parts of this four-part blog covered the not-optional portions of most home PCs, since handling email and feeding your web-browsing habit is probably the reason you bought a PC in the first place. But a PC is a computer and not just an average piece of furniture. And the best thing about owning your own computer is that it can run other software. In my case, most of that software handles various media, from music and pictures to video and audio. This list contains the ones I use most often.


  • Apple's iTunes - A must for those of us that have an iPhone or an iPod Touch, although Songbird (see below) is a strong contender for basic iPod music players. iTunes allows you to buy, rent or download music, videos, movies, TV shows, 100,000+ applications, and my favorite, podcasts. My personal podcast favorites (all free of course) include GeekBriefTV, The Jazz Suite, Dilbert, The Welch Way and TikiBar TV. You can find iTunes at http://www.apple.com/itunes. You'll also get QuickTime in the download (see blog part 2 for more info) and Bonjour, which allows various Apple devices to find each other without a lot of messy configuration. You might also pick up Safari, Apple's very capable web browser, although it's #3 in my book. See blog part 2 for better choices.
  • Mozilla's Songbird - An open source media player that can be downloaded from http://www.getsongbird.com. The one major drawback to iTunes is needing to build playlists in order to download specific music to an iPod. And if you have a lot of music and you ever need to rebuild all your playlists in iTunes, you'll find that's a huge hassle. Songbird can sync music-based albums or artists without needing to predefine anything. iTunes and Songbird can co-exist on your PC, but only one of them can control an iPod at a time.
  • Audacity - Another open source favorite, Audacity can record and edit audio. I've used it to create ring tones for my cell phone by clipping a few seconds from an audio file, and to build compilations of various components into a single audio file. Audacity is located at http://audacity.sourceforge.net. SourceForge is a treasure trove of open source software and worth searching when looking for free software.
  • Google's Picasa - Simply a great, free photo organizer that can import pictures from a scanner or digital camera. Simple to post photos to their free web service, order prints, group photos into albums, and their latest feature, facial recognition. Picasa includes some basic photo editing capabilities, but the three I use most frequently are cropping, lightening and straightening. Cropping allows you to just include a portion of a picture, lightening is great to fix those "too dark" pictures and straightening allows you to rotate a picture slightly, for example, to make that door in the background appear perfectly vertical. You can find Picasa at http://picasa.google.com.
  • AutoStitch - Sometimes you just can't get the scene you want in one picture and viewing several pictures just doesn't work for you. AutoStitch takes a series of pictures and "stitches" them together to form one panoramic picture. The result will need to be cropped (see Picasa above), but it's truly magical what this program produces. To find the download, enter "AutoStitch" into your favorite search engine.
  • Skype - The most popular free Internet voice and video service, it now handles about one-half of all international voice minutes. Calls between PCs are free and very popular in situations where friends and family are at a distant college or on an overseas assignment. My personal favorite is to access audio conference calls, since these are normally "800" number calls (free), avoid using my cell phone minutes and I can use a $10 headset which frees up my hands. Skype even lets you know when you start talking into your muted phone. You can call any phone for a per-minute fee if needed. Call quality on Skype is stunning, just like those "you could hear a pin drop" commercials from years ago. Also useful to call places that cell phone companies typically block to avoid fraud (in my case the U.S. Virgin Islands). The software is available at http://www.skype.com.
  • Google Earth - You can get lost for days (in front of your PC) traveling around the world exploring the canals of Venice, the streets of Paris, the Pebble Beach golf course or the neighborhood where you grew up. Download from http://earth.google.com.

One caution - some of these applications, and other web-based video services, might just require a newer computer to run properly. We're not talking a $1,000+ high-end machine however. Most new machines will run just fine. And if you find yourself in the market, buy an extra couple gigabytes of RAM. You can send me a thank-you note in a couple years.

Sunday, November 1, 2009

My Home PCs – Part 2 – Office and Web Must-Haves

Having completed the five-step PC protection plan detailed in Part 1, it’s time to add some software that will make using your email system and web browser a more complete and pleasant experience. We’ll start with handling the most popular email attachments: documents, spreadsheets, presentations, pdf and zip files, all without costing you a dime. Every program listed below is 100% free for both commercial and non-commercial use.


  • OpenOffice is found at http://www.openoffice.org. This is an excellent option if you need an office suite, which many people do, particularly if you have school-age children. OpenOffice can open and save files in its native formats and in Microsoft’s formats. OpenOffice does a nice job opening Microsoft documents and spreadsheets, but struggles with some PowerPoint presentations. It’s a good idea to upgrade your Java Runtime (see below) before installing OpenOffice. An alternative to OpenOffice is Lotus Symphony from IBM, available at http://symphony.lotus.com/software/lotus/symphony/home.nsf/home. Based on OpenOffice, it's limited to documents, spreadsheets and presentations, whereas OpenOffice includes database, drawing and math programs.
  • Microsoft’s free viewers for Word documents, Excel spreadsheets and PowerPoint presentations. These viewers allow you, as you might suspect, to view attachments you receive, but do not allow you to change them. They do an excellent job of displaying without losing any of the formatting contained in the original file. To find these, go to http://www.microsoft.com/downloads and search on the word "viewer".
  • Microsoft’s Office Compatibility Packs. These allow Office 2007 files (docx, xlsx, pptx) to be converted to Office 2003 formats and used with your older Office suite. There may be some loss when features only available in Office 2007 were used, but in my experience that's not been a problem.
  • Adobe’s Acrobat Reader from http://www.adobe.com/downloads handles viewing ".pdf" files. Your PC probably has an old version on it that works, but keep this current to catch all the newest features and stop some of the most recent hacker attacks.
  • 7-Zip handles ".zip" files, a popular format for combining and shrinking multiple files into a single file. It also handles a number of other compressed file formats popular on non-Windows systems.

Your web browser will run across a variety of file types, and having the following products installed will enable you to see and listen to the most commonly encountered.


  • Sun’s Java Runtime Environment (JRE), which is needed to run programs that get downloaded from some web sites. It can be found at http://java.com/en/download.

The final four are needed to play the most popular video formats. Silverlight is the new kid on the block, so that one might not be familiar. QuickTime is also packaged with iTunes, which will be covered in Part 3 of this blog, so don't bother installing it here if you plan to use iTunes to manage your music.

  • Adobe’s Flash Player can be found at http://get.adobe.com/flashplayer.
  • Adobe's Shockwave Player can be found at http://get.adobe.com/shockwave.
  • Apple’s QuickTime can be found at http://www.apple.com/quicktime/download.
  • Microsoft’s Silverlight can be found at http://www.microsoft.com/silverlight.