There’s a growing trend on web sites that require a login, and it is getting annoying. And I can’t see any real upside to the decisions that web site designers and developers are making.
What I’m referring to is sites that attempt to disable password managers. They’ll use all kinds of tricks, ranging from a simple ‘autocomplete=”off”’ to JavaScript that clears the form, to building form elements dynamically so they aren’t picked up by browsers or password managers, among others.
I believe that they are thinking that this increases a site’s security by preventing unauthorized logins. You know, someone other than the authorized user logging into the site, being able to do so because the password is automatically filled in. While that makes sense, the bigger issue is that they are actually reducing the site’s security with this behavior.
Why do I say that? Because it forces people to use really, really bad passwords.
In today’s world, there is basically no such thing as a “good” password generated by a human. People notoriously pick passwords that are way, way too easy to crack. Even when we think we are being clever, some hacker somewhere has already been just as clever and coded the method that we think is unique into a password cracking library. Basically every method you’ve come up with for creating a password, a hacker has already done it.
So the only good passwords are those that are generated completely randomly. Using what we call a cryptographically secure pseudo random number generator. Only passwords created by a PRNG can be considered secure enough to thwart hacking. They should also be long too – 12 characters at an absolute minimum. These passwords are virtually impossible to remember, especially considering that every web site we visit should have its own unique password. Honestly, could you remember your passwords if every site’s was unique and they looked like x^HsNpeGo}V%Xd~, [lfGY%KW$4McJ(3l, or Jo@Rl-p4Vc7Esy? I seriously doubt it. So people using good, secure passwords use password manager software to generate and remember these kinds of passwords for them.
(I can honestly say I have no idea what my passwords are on 99% of the web sites I visit. In most cases I’ve never actually even seen them.)
Unfortunately it seems that many web site developers think you can remember these kinds of passwords. Otherwise they wouldn’t be trying to disable password managers. They are intentionally trying to force you to remember your passwords. So they’re forcing people into using passwords like “monkey123” or “k3lly@96” which they can remember, but would be cracked by a hacker in a matter of seconds (or even milliseconds), and since people are bad at remembering passwords they’ll reuse the same passwords on multiple (if not every) site(s).
So while their intended effect is to prevent unauthorized logins, what they’ve effectively done is make their user’s accounts much easier to hack. Not only are their user’s passwords bad, they’re probably the same as another site that has already been hacked.
Intended effect: improved security, actual effect: horrendous security. The law of unintended consequences strikes again.
So, please, if you are in charge of designing or developing a web site, resist the urge to prevent users’ browsers or password managers from filling passwords in for them. The site will be far more secure if you actually allow users to use secure passwords.
(While I’m on the subject, having a site suggest a secure password when a user creates an account isn’t a bad idea either. It should be displayed on the page so they can see what it is, as well as pre-filled into the password fields. Most browsers and password managers will automatically pick up on data pre-filled into those fields and save it for the user. Oh, and always use HTTPS for any page that requests or displays account data.)
P.S. You can always get a truly random password from my web site. The passwords aren’t saved anywhere, and only you ever see it.
P.P.S. If you aren’t using a password manager, you should be. The one I like is LastPass. If you’re concerned about your passwords being accessible to someone, just choose a really, really good password for your account. These sites include your account password as part of the encryption key, so nobody can get to your password data without it. And you can make it even harder to crack by turning on Two-Step Authentication too.
Showing posts with label security. Show all posts
Showing posts with label security. Show all posts
Wednesday, May 3, 2017
Tuesday, October 14, 2014
Why Web Sites Don’t Need to Store Your Password
It seems counterintuitive, but web sites that require logins don’t actually need to store your password. And they actually shouldn’t – it is a very bad idea to do so. We see too many leaks of account databases for it to ever be safe to store passwords in any form, even if encrypted.
So how can a site validate a login if it doesn’t store the password? The answer is something really cool called a hash function. I know your eyes just glazed over, but bear with me, the concept is actually simple.
A hash function is a way of processing data that is one-way… you can put data in, and always get the same result coming out, but there is no way to reverse the process to get back the original data. I won’t get into the specifics of how hashes actually work, but I can describe a very simple hash that will illustrate the principle.
Say, for the sake of simplicity, we are creating a web site that uses a 4-digit PIN as a password to log in. We know that storing the PIN itself is dangerous because it could be leaked out or viewed by site administrators, so instead we add up the four digits and store that sum. So if my PIN is 2468, we store 20 (2+4+6+8) in the database. When we go back to the site to log in, the site can add up the four digits we enter for the PIN, compare that result against the sum in the database, and validate that we know what the correct PIN number is. A hacker that gets his hands on the database only knows that the sum of the digits is 20… he can’t possibly know that the original PIN was 2468. They’d have to guess what the original PIN number was by trying different combinations.
Of course this is overly simplified. This demonstration hash function wouldn’t really work in the real world because it is too easy to figure out combinations that would let hackers in. This situation is called a collision… 8642, 5555, 8282, 1991, and 6446 all produce the same hash value of 20. But real hash functions used for account login verification are much, much more complicated, and aren’t normally subject to problems with collisions. But you get the idea. Instead of storing the actual password, we store a value that is calculated from the password. We can validate that someone knows the password without actually storing that password.
This has other advantages as well. For example, using a hash function there is no limit to the length of the password, because hash result values are always the same length regardless of the amount of data going in. Someone could enter 6 letters, or 200 random symbols, and either one can be hashed down to a value of a standard length that can be stored in the database.
Because of this, you can sometimes tell web sites that don’t use hashes to securely store passwords because they enforce a maximum length for passwords. This isn’t always the case, but it can be one indicator that the site’s security has been poorly designed. But if you are signing up for an account on a web site and they have a low limit on the length of the password, like 12 characters, you might look for other signs of poor site security or privacy policies. And definitely don’t reuse a password from another site. Or just steer clear.
The down side to using hashes is that if you forget your password the site has no way of sending it to you… because they actually don’t know it. That is why sites generate a brand-new, random passwords that they send to you via email when you forget your password. They honestly have no idea what your password was, so the only solution is to create a new one and use that temporarily until you create your own.
The whole process is considerably more complicated than I’ve described here – or at least it should be. Just using a hash isn’t sufficient, either, because we’ve got affordable computers these days that can calculate billions of hashes per second and are therefore capable of brute-forcing short passwords very quickly. (A 6-letter password, for example, would be cracked hundreds of times over in just one second using a simple hash). But for a site to use a hash on passwords is one step in the right direction.
Monday, May 23, 2011
They Know More Than You Think
I don’t want to sound like an alarmist, but companies like Google and Facebook know a lot more about you than they let on. I certainly don’t want to cause a panic, but I do think that people ought to know what they’re really signing up for when they use services provided by these companies.
The prevailing thought about these web sites is that they only know what you tell them. It would really be nice if that were true. Unfortunately, it is not. Let’s start with Facebook.
It used to be that Facebook could pretty much only record what you are doing on their site. They only had information on you that you gave to them (or they could collect about you from your friends). Those days are long gone. They have access to SO much more.
We all know that Facebook has the ability to build an absolutely enormous social graph of us. It has more information than even our closest friends and family do about our past, who we know, where we’ve been and what we were doing when we were there, etc. It’s pretty amazing that a site with so much personal information has become so popular, and that we continue to give it information. But it goes way beyond what most of us are aware of.
Is there a way to prevent this? Yes. If you sign out of Facebook before visiting other web pages, and use the Private browsing mode of your web browser (InPrivate in IE, Incognito in Chrome, etc.) there isn’t a way for Facebook to be able to follow you around. Just be careful not to sign in again without doing it in the private browsing mode.
And just so you know… “deleting” information from the Facebook site doesn’t actually delete it from their databases. It just turns it off so that they don’t show it to others. But they don’t actually ever remove anything on anyone. They’ve still got it filed away.
If anybody on the internet knows more about your surfing habits than Facebook, it’s Google. Their advertising network extends to an absolutely massive number of web sites. And every site that contains ads provided by Google is also tracked. They hold onto an overwhelming majority of the online advertising market, and the odds are in their favor that any particular web site you visit has advertisements served by Google. Chances are that Google knows every web site you ever visit.
Combine this with Google wanting to get into other aspects of your life… providing the operating system for your cell phone or tablet, Internet service to your home, keeping your Health information, maps for driving directions, etc. on top of virtually every web site you visit and every Internet search you perform (this would include anything you shop for online), they have access to a lot more data than anyone could ever imagine. It has the potential to be very scary, and a huge mess if that data were to get out.
Why Care?
For the most part I don’t care if the web sites I visit are known to the world. But there are a few exceptions… If I were to get sick, and use the Internet to search for treatment or cures, I wouldn’t want the whole world to know what I’ve got. Or if I had children, I wouldn’t want total strangers to know where they live or go to school. It isn’t that we necessarily have to worry about what we’re doing, but who knows what we’re doing.
I’m not trying to say that the sky is falling here or anything like that. I just want everyone to at least be aware of what information these companies have access to. It goes way beyond what they appear to know at first glance. They’ve got connections with literally millions of web sites, and together they all collect a lot more information on you that you could possibly dream of.
If nothing else, I’d advise caution. Use the Private mode of your browser more, or maybe even all of the time. Use different browsers for different web sites. Sign out of web sites when you aren’t actually using them. And above all, be careful in what information you’re willing to share with them.
Thursday, May 5, 2011
Apple Location Issue: Somewhat Better, but Still Bad!!!
Apple put out a press release last week, and issued a software update yesterday that addresses the location tracking issue that was made public two weeks ago. It’s a step in the right direction, but there are still unanswered questions and things to be concerned about.
The software update does a few things right. iOS version 4.3.3 makes some good changes…
- Only 24 hours’ worth of data is stored on the phone.
- The local cache of location data can be turned off entirely.
- The data file is not backed up to your computer.
These are all great steps. Apple should be commended for making these changes. However, they haven’t really gone quite far enough. The data on the phone is still not encrypted (that change is coming sometime in the future), potentially making it available to apps and people if a phone has been jailbroken or a software exploit is discovered that allows access to such files. I’m not going to make too much more of a stink about that because on easy way to avoid that is to not jailbreak the device in the first place.
Their press release was still a little bit troubling, though. First, they engaged in a game of semantics. They claim that “Apple” does not track “your” location. Instead, the phone keeps a list of cell phone towers and WiFi access points near its location. Uhhh… how much different is the location of things near you from your current location? WiFi access points typically have a very short range (how far away from your house can you use your WiFi?) so the accuracy of WiFi location data is actually fairly good. Nice try, Apple, but your word game doesn’t work on me.
The more troubling thing about their release is something that I haven’t heard anybody bring up, anywhere. One of the things they stated was that the data on the phone isn’t really the phone’s location, but a local cache of list of cell towers and WiFi access points that have been near your phone, right? Well, that data is coming from an Apple database. And that database is huge. Certainly bigger than what can be stored on a phone. So Apple sends small subsets of that data to the phone, and this is stored locally (indefinitely for iOS <4.3.3, 24 hours for 4.3.3) to make calculating your location easier. Sounds okay conceptually, right? Well, there’s a big problem with that. In order to decide what data to send to you, Apple has to know what cell towers and WiFi access points are near your phone in the first place. They haven’t made any sort of statement about what they are doing with that data.
Imagine this scenario… you’re lost, and you need to know where you are. You might call a friend and tell them a little about what you see around you. You can describe buildings and other landmarks, hoping that based on that information your friend will be able to help you figure out where you are. But in the process, haven’t you revealed your position to your friend? It just isn’t possible to get your location using this method without letting someone know where you are. This is exactly what happens with cell phones (not just the iPhone) when they use this method to locate themselves.
Apple claims that it uses a unique ID number which isn’t tied to your account, and it changes (now) every 24 hours when making these requests. Microsoft has said it changes the ID number as well periodically, but not how often. Google never changes this ID number. So in theory, Apple can only track a phone for 24 hours, Microsoft for an indefinite amount of time, and Google can track it forever. They all claim they can’t tie this to an individual phone, but that just is not accurate. Here’s why…
Every data conversation that takes place on the internet does so using an IP address. It’s sort of like a phone number, and it is used to route data from point A to point B. It’s fundamental to the way that the Internet works. For two computers to have a two way conversation, both have to know the other’s IP address. So these conversations where phones download the list of nearby cell towers and WiFi access points have to include this IP address. It’s absolutely required.
If the cell tower and WiFi location data was hosted by a third party (as all three of these players once did), there might not be as much to worry about because the IP address couldn’t necessarily be tied to an individual phone. The trouble is that the companies providing the location data are the same ones that create the operating systems for the phones. And you have to sign into their services to use the devices. With the iPhone, you have to tie it to your Apple ID. With Google, it has to be tied to your Google Account. With Windows Phone, it has to be tied to your Windows Live account. And all devices call home to update various aspects of those services… such as checking for app updates or checking email, for example. Those conversations ALSO take place using an IP address, which happens to be the same for both these services as well as the location database download as well. Bingo… they have a link between you, your device, and your location.
All three companies have claimed that they do not upload YOUR location to their services tied to your account. The problem is that they DO have enough information in various places to be able to piece together your location. A request for a list of nearby cell towers and (Your login to a company’s services + IP Address) + (WiFi access points + IP Address) = You + Your Location.
I’m not saying that the companies are actually doing this, I’m just saying that the potential is there for these companies to tie a lot of information together than they’re admitting. In all cases, you, your location, your purchasing habits, the contents of your email, and more can all potentially be tied together. The possible implications can be scary.
The good news is that Apple now allows Location Services to be turned off entirely, so the phone won’t even ask for location information tied to nearby radio signals. The down side is that turning this off completely disables all GPS functions. It is technically possible to enable GPS functionality without the local cache functionality, but none of the phone manufacturers are allowing that. GPS devices do it all of the time, but for some reason cell phones aren’t allowed to.
Thursday, April 21, 2011
Q&A On the iPhone Location Tracking Issue
While it has been known for a while, news finally broke to the public yesterday that any model iPhone or iPad running iOS 4.0 or higher keeps a log file of its location, and that this file is copied to your computer every time you backup your device. The problem is actually deeper than that, though. This is a very serious privacy and security issue, IMHO. The articles on the Internet don’t really seem to be painting a great picture of what this means. So here’s my attempt… I hope it helps to clarify a few things!
Q: What’s going on?
A: All models of iPhone and iPad have been recording your location regularly into a file on the device. The news stories here specifically relate to iOS 4.x, but prior versions of iOS are doing the same thing, they’ve just been recording it into a different file. These files cannot be deleted, and this “feature” cannot be turned off. The information even persists from one device to another if you replace one phone or iPad with another and restore a backup.
The data being recorded includes at least the device’s location, the time of day, and a list of WiFi networks available at each of these locations. The file in and of itself does not contain your personal contact information, but it would be very easy to determine where you live or work.
Q: Does the phone send my location to Apple, or anyone else?
A: Not in and of itself. Apps on your phone can be given permission to access your location, and there is no way to stop them from uploading your location information, but this flaw in and of itself does not cause your location to be sent to anyone else; it is saved on your phone and computer, but not uploaded anywhere else, at least as a direct result of this issue. Jailbroken devices do not require that apps be granted permission to access location data; they can get to it anytime they want.
Q: Doesn’t that mean I’m safe?
A: Not necessarily. There are several ways that anyone who wants to can get to this data if they are persistent enough.
Q: What does that mean?
A: If you have jailbroken your phone, any app on the phone can gain access to the location data without your permission. In addition, a jailbroken phone that has not had its root password changed from the default is remotely accessible to anyone who wants to log in, and it is EXTREMELY easy to get to. This includes access to the location log file.
Apple has also had a poor track record of security on iOS devices. Hackers have been able to gain entry quite regularly ever since the device was first released (this is how some jailbreaks work, just as one example). If someone were to want to target you, it’s entirely possible that someone with moderate hacking skills could obtain this file, whether it be through your phone (because it is always on the Internet) or computer (through software installed there). Even if you haven’t been specifically targeted, once an exploit to a phone (or computer) is known, it is a consistent and regular practice of hackers to scan for vulnerable devices. Computers are a little safer if they are behind a router, but phones are connected directly to the Internet without a hardware firewall to isolate them from attack.
Q: What if I’m not running iOS 4.x on my phone or iPad?
A: While it hasn’t been widely mentioned in the news, iOS versions prior to 4.0 also log location data. The data is just stored in a different file in a different format. But it’s there.
Q: Doesn’t someone have to have physical access to my phone or computer?
For most people, this is the case. But not for everyone. If your device is jailbroken and you haven’t changed the root password, remote access to your phone (and this file) is available for anyone who wants to get in. It’s very simple to get to it.
As far as access to the data on the computer, ideally nobody else has access to your files remotely. But that requires that you keep your computer fully up-to-date and make sure you’re running current and high quality antivirus and antispyware software, even on Macs. Viruses and spyware could very easily gain access to this data, and make it available to third parties.
Q: How would I know if someone had gotten access to my data?
A: You probably wouldn’t have any way of knowing.
Q: What would happen if I lost my phone?
A: The chance isn’t high, but if someone with even moderate technical skills were to have access to your phone they could download the location data file and see everywhere you’ve taken your iOS devices since you got them. Even if the phone is locked with a password, there are very easy ways around this. Once your phone is in someone else’s hands, there isn’t really any guaranteed way of preventing them from getting access to your location data. If you have signed up for the Find my iPhone program or connect to an Exchange server, you could remotely wipe the phone and hope that nobody had downloaded the data before you sent the wipe command.
Q: Some people seem to say this isn’t worth worrying about. Is that true?
That depends. The chance that someone wants to get your location information specifically isn’t very high. My take on this is that you’re better safe than sorry. If you don’t care if anyone knows where you’ve been, you may not need to worry about this much. The chance that advertisers or hackers want location information in general is very high.
Q: What can I do to prevent my location from being recorded?
A: As of right now, the only thing you can do is turn off the phone completely (not just put it in standby) or put it in Airplane mode. But this obviously prevents you from using the phone. As long as the device is turned on and the cellular feature is turned on, it’s recording your location.
What makes this worse is that there is NO WAY to delete this file or turn the logging feature off. It’s built into the phone at a very low level and it can’t be controlled by any setting on the phone. iPhones have been recording this data for a very long time now, long before iOS 4 came out. Forensic scientists have known about this for a while, but it is only now being made public.
Apple has not yet released a fix for this issue, and they haven’t even stated yet if they intend to do so. We’ll just have to wait and see.
Q: I don’t believe it. Can you prove it?
A: Right now the only way to see for yourself is if you are synchronizing your phone with a Mac. In which case, you can download a piece of software and see the tracking data yourself. It probably won’t be long before someone writes a similar utility for Windows, and if I see any news on that front I’ll update this blog post. I’ve considered writing such a utility myself, but I have too many other things going on at the moment to bother.
Q: Does this affect other phones too?
A: This flaw does not affect other non-Apple devices. The same researchers that found the flaw in the iPhone have also investigated other popular phones and haven’t found any evidence that any other phones exhibit the same behavior.
Q: If I wipe everything on my phone, does that mean the data is gone?
A: Your prior location information will be deleted from your phone, but it will be restored if you restore a backup from your computer. In either case, the phone/iPad will start recording location data again, even after being wiped.
Q: Why should I care?
A: I can’t speak for you, but I’d rather my devices not record information about where I live, work, shop, and socialize. It’s bad enough that cell phone carriers record phone location continually; I’d rather that the location of my home not be recorded inside of a device that could be lost or stolen. Not that I have anything to hide, but I personally just don’t want that information out there available to anyone, especially companies that might be trying to sell me something.
Q: Can any steps be taken to protect myself?
A: Turn on the encryption feature for device backups in iTunes. That will at least prevent access to this data from your computer. There isn’t much that you can do to prevent access to the data on the phone other than stop using it. If you’ve jailbroken your device, at a very minimum change the root password, but I’d recommend removing the jailbreak entirely.
Q: Are you doing anything differently?
A: I don’t have an iPhone, but I am definitely going to be more selective about where I take my iPad. I protect myself very well against attacks against my computer, so I’m not too concerned about that. If I had jailbroken my iPad I would be taking that off right now.
Saturday, May 30, 2009
Viruses are NOT a Technology Problem
There is a myth that has been going around for YEARS that if you run Windows on a computer that it is automatically going to become infested with viruses. It is perpetuated by many, particularly in the “I’m a Mac, I’m a PC” ads, but also by the companies that create anti-virus software in hopes that you’ll buy their product to protect yourselves from the inevitable technological intrusion into your virtual computer space. And most of us buy into it. The truth is, that it is NOT true that running Windows will guarantee that you’ll become infested with viruses. (I’ll prove it later in this post.) Windows in and of itself is not the problem. The problem isn’t even technological at all. It’s social.
The term used to describe the techniques used by viruses writers to get their software onto your computer is actually called “social engineering.” Basically it means they trick you into installing the viruses on your computer. They’ll do things like disguise their software as something else that you’re likely to want or want to see. They use methods to make you believe that these things are coming from trusted sources, like friends or family. Combined, those are pretty effective methods. (And truthfully, these same methods work on ANY operating system; they aren’t specific to Windows.)
This might be a blow to the ego of some, but if your computer has become infested with a virus, it is because you let it install itself. You opened a file you shouldn’t have. You installed some software you shouldn’t have. You are the one to blame that it is there. Please don’t blame your computer. Don’t blame your operating system. You did something that let the bad stuff in. The wolf knocked at your door, and instead of replying with a “not by the hair of my chinny-chin chin” you said “come on in.”
Personally I don’t run anti-virus software. I never have. I do install it, because that’s what you’re “supposed” to do, but I don’t let it run scanning and watching my computer all of the time. After I install it the very first thing I do is disable it. I don’t like the slowdown that comes with having everything I do be monitored by bloated software that isn’t going to find anything anyway. And despite the fact that I do not run antivirus software, I have NEVER had a single virus on ANY of my computers. Ever! I’ve been running Windows for nearly 15 years and I haven’t had a virus yet. I’ll run anti-virus scans every once a while just to make sure that I’m still clean, but NONE of those scans have EVER found even a single virus.
If susceptibility to viruses was a technological problem with Windows, my computers would be massive infestations of virus muck. They wouldn’t be usable. And they’d be out there trying to find ways to infect others. How have I been able to remain clean? Just by being careful about what I install and keeping my computer up to date with security patches. That’s it. No more. No magical hardware firewall watching my Internet activity. No magic fairy that shows up in the middle of the night to clean off anything that may have arrived that day.
But the situation gets even worse for the theory that Windows inherently becomes infested with viruses when I tell you that I also don’t run any firewalls. Yep, I turn those off too. And here’s another kicker… I break the cardinal rule of data security: three of my computers have public IP addresses (meaning they are totally exposed to, accessible from, and visible to the Internet). Gasp! That’s an absolute security no-no! Nobody should EVER run Windows with a public IP address, right? Well, I wouldn’t recommend it for most people, but the truth is that Windows, despite its many flaws, is not the primary cause of viruses becoming installed on our computers, so I really don’t worry about it. Viruses are installed by people, not their operating system. It’s people tricking other people into installing their ill-intended garbage that gets computers infected.
I’m not the only one that doesn’t run anti-virus software. In a recent episode of the Security Now podcast, noted security expert Steve Gibson also admitted that he doesn’t run it either. If a security expert doesn’t run it, then the computer he’s using isn’t the main cause of the problem, is it!?
So why do Windows PCs so often have viruses? Mostly because they’re so popular. If you’re someone conjuring up evil plans to take over the world by creating virus software, who are you going to target? The 90% of computers running Windows? Or the 7% running a Mac, or 1% running Linux? Which offers a better return on your time investment?
Windows XP also made an easy target because it makes it so easy to install software. No password or validation required to do an installation; installers can just run and do whatever they please whenever someone starts them. (That has changed with Vista; passwords and validation are required there, just like OS X and Linux.) Not requiring a password to install has never been a good idea, but it isn’t the cause of viruses on computers. It just made it easier for the bad guys. Big difference. And viruses are software; they just have a different intent than something like Firefox.
With all of this said, I will not recommend that most people run without anti-virus software or a firewall. Most people should take those steps to protect their machines. But these tools are just extras layer of protection; they should not be the only form of protection used. Neither will ever be able to make up for all of the shortcomings of someone using a computer. Even with both installed, it’s still up to you to avoid the bad stuff. And that, my friends, is a social problem, not a problem with technology.
Wednesday, May 20, 2009
Tip: Show File Extensions
There is one very easy thing to do in Windows to make it easier to determine if a file on your computer (or coming in via email) can be potentially harmful. And that change is to make file extensions visible.
Windows, for some inexplicable reason, hides the extensions of files by default. Is “document” really a document? You can’t really tell by looking at a file whether it is a picture, a text file, a song, or a potentially evil program. With file extensions turned off there just isn’t any way to be sure. Fortunately this is a very easy thing to fix.
In Windows Vista:
1. Click Start, type the word Folder and wait for the search results to come up. Click on Folder Options.
2. Click the View tab, scroll down to “Hide extensions for known file types” and UNCHECK it.
3. Click OK to save the change.
In Windows XP:
1. Click Start, Control Panel, Folder Options.
2. Click the View tab, scroll down to “Hide extensions for known file types” and UNCHECK it.
3. Click OK to save the change.
With file extensions turned on and visible you will know just by glancing at an icon what type of file it really is. And if you see something ending in .EXE, .COM, .PIF, .SCR, you will know that it is actually a program. If one of these file types is coming to you via email, just delete it. If you find one of these files somewhere that a program shouldn’t be (like on a USB flash drive, or your Documents folder), don’t open it. Programs should always be stored in C:\Program Files, so if you see one somewhere else, leave it alone.
That same folder with file extensions turned on is shown below. We can now see that “Document” is actually an executable, not a text file!
The last extension on a file is the one that actually counts. So if you see Cool New Song.mp3.exe, it isn’t an MP3 file; it is actually a program. Just delete it. Likewise with Free Gasoline.txt.exe. You get the idea.
I’m really not sure why Microsoft insists on hiding file extensions by default. Even the upcoming Windows 7 has this same behavior. As poor as this decision is, at least we can change the behavior easily.
Sunday, August 17, 2008
TOTW #4: Passwords; Rule of Thirds
Computer Tip: Twelve Rules of Good Passwords
I don't do much on-site tech support these days, but over the years that I have, I've noticed a troubling trend with regard to user's passwords. It's pretty bad that an alarmingly high percentage of the time I would be able to guess a user's password within a handful of attempts if I just know a little about them. I sincerely hope that my faithful readers don't fall into that trap, so allow me to share a few tips on selecting good passwords.
Rule #1: DON'T use anybody's name as the basis of a password, especially a significant other. You have no idea how often I see passwords that are just someone's name, especially the name of a spouse or boy/girlfriend. This also extends to the names of celebrities, bands, pets, or movies.
Rule #2: DON'T use an English word as your password, or any other dictionary word in any other language. These are the first passwords guessed by bots on the Internet. And if you have selected "password" or "test" as your password, we need to have a talk about security.
Rule #3: DON'T use any part of a birthday as part of a password. I see passwords that are simply someone's birthday, or a name with the birthday added to the end. If I were a hacker, after trying common English words, I'd try birthdays next.
Rule #4: DON'T use a variant of anything listed above. In other words, don't use leslie01 or kevin2008. That includes adding any variant of a year on to any of the above.
Rule #5: DON'T use your username or email address. Way too easy to guess.
Rule #6: DO select a password that contains numbers, symbols, and some uppercase letters. The more characters you have to select from, the harder your passwords is to guess. If, for example, you only use letters and select a 6 character password, there are 308 million possibilities. Adding numbers, symbols, and varying upper/lower case increases the number of possibilities to 782 billion (a 253388% increase).
Rule #7: DO select passwords, which if they were made visible, look like nonsense. But...
Rule #8: DO come up with some sort of method that allows you to create passwords that you can remember. Make up a sentence about something around you or going on in your life, then take the first letter of each word, adding numbers and symbols. It's easier to remember the sentence than a long string of nonsensical characters.
Rule #9: DON'T use the same password on more than one web site that deals with anything financial in nature. Use different passwords for each bank account, online store, etc. That way, if one of those sites is hacked (or you fall prey to a phishing scheme) and your password is revealed, it won't work anywhere else.
Rule #10: DON'T share your password with anyone or any site but the site where you set it up. Banks, for example, will not ask you for your password over the phone.
Rule #11: DON'T write your password on a Post-It Note and stick it on your monitor. Or the bottom of your keyboard. Or in your desk drawer. Just don't write it down anywhere.
Rule #12: DO make sure your password is 8 characters or longer. Each additional character added makes a password exponentially harder to guess.
Many of these methods are especially important because hackers are constantly trying to hack into web sites and computers connected to the Internet, and the first passwords they try are the ones listed above as part of the DON'T rules. And in most cases they can try dozens, hundreds, or even thousands of passwords every second, so if someone is targeting you it wouldn't take long to break into your account if you break the rules. Here's a link to a list of the 10 most commonly used passwords.
Multimedia Tip: Rule of Thirds
How do you get a picture (video or still) that is appealing to the eye? Well, there isn't any one right answer to that question, but the rule of thirds is a good place to start.
The rule simply states that subjects in your pictures should generally fall along the lines of a tic-tac-toe grid drawn over the picture, with the areas of focus falling at the intersections of the grid lines.
The rule is actually based on the golden mean, but for simplicity sake, just imagine a tic-tac-toe grid, and put your subject on one of the lines, with the most important parts at the grid intersections. For people and animals, the most important part is their eyes, so eyes should usually fall along the upper horizontal line, or about 1/3 down from the top. If someone is looking off to the side instead of directly toward the camera, put them on the vertical line which gives the most room in front of them. Other objects in the scene should fall along other grid lines where possible as well.
Subscribe to:
Posts (Atom)