Harmony Group Atlanta

Experience Matters

Blog

Security: Passwords

What does a good password look like?

You won’t like the answer.

Because it’s this: 456965230ee038b6ebd0e9369062113c861f5423e1146137e0bee8b2d322cbfb

That is an excellent password. It’s long, it’s complex, and most of all, you can’t remember it.

“Hold on,” I hear you say, hypothetical reader. “Why shouldn’t I be able to remember my own password?”

Because you are point of failure Number 1. How many passwords have you given out to people? Can you trust them? Can you really?

I don’t say that to sound scary. But it’s a practice in security circles that if a password is actual very, very important, that not even the person(s) who use it can call it up easily.

It gives you time to think, and to act on the thought, “Does this person actually require my password?” 99/100 times the answer is a very firm “No.” For example, your bank calls you. They tell you that there’s some potentially fraudulent charges made against your card. What does your bank actually need to verify that it’s you?

It’s not your card number. That’s in their database. They already know it. It’s not your name, same situation. It’s not your address, phone number, zip code, PIN number, SSN, none of it.

Typically, they will, instead, ask for the last 4 digits of something, a card, your SSN, etc. Even better is when they ask for just the numbers on your address. They know the rest. Someone asking for too much info is red flag number 1 that something is wrong with any situation.

People engaging in social engineering will usually move too quickly to give you much time to think. They’ve presented you an emergency and you need to act right now! But you don’t. What really happens if that call is legitimate and you hang up? You call your bank at its number and go through and get the charges declined. No love, time, or money really lost. A real bank employee, should a real person call you for this sort of thing, will absolutely understand if you respond with, “I will call my bank back directly, thank you.”

But say you’re not very good under pressure. You fold quickly. That’s fine. Your password is long and unmanageable , and you have to go look it up to even give it out. Now you have precious long minutes to consider if this is even a little bit real.

“Well, okay, good point, but,” I hear my lovely hypothetical reader say, “now I have this long string of numbers and letters just sitting in a note pad document, or, worse, on a note pad. That’s just as bad!”

Well, yes. So don’t do that.

Instead, use a password manager. First, they generate hilariously long passwords like that for you, so you don’t have to play a miniature drum solo on your keyboard to generate a password. Second, they store the passwords in an encrypted database, so they’re not in an unsecured word doc, or on flammable, easily stolen, note paper.

There are hosted services, like OnePass, LastPass, or Dashlane to use. There are decentralized services, like Myki, and then there’s the favorite of IT Professionals everywhere, Keepass, for keeping a local database.

Hosted services are great! If you feel you can put your trust in another company to securely host your passwords. Which you can, by the way. That’s not scare tactic. If any one of them decided to lose their minds and start selling password data, it’d be found out quickly, and many, many bad legal things would happen to them. But if you have a personal hang-up with cloud hosting, I get it.

Myki is the only decentralized service I’m aware of. Each device the app is installed on keeps its own encrypted local copy of the database, which in turn can be restored or accessed from any of those devices. The only thing that touches Myki servers is an encrypted packed to pass the data between devices when a update to the database happens. They can never actually see any data you move between devices. But, again, you are using someone else’s device to push your data around, and some people have hang-ups with that. Understandable.

Keepass is your solution for total control of a single encrypted password database. You just keep a cloud backup of it every night, and don’t lose your password. Bam. Done. No issues.

“Okay, that’s nice. But,” I once again hear my hypothetical reader ask, “What about that one password you’re using to unlock the database. Shouldn’t that be really long? Should I be able to remember it?”

Yes. To both questions.

“Doesn’t that create a single point of failure?” You ask, pointedly, hypothetical reader.

Yes. However.

First, any given hosted service is going to be up to current best practices and standards for storing and preventing access to encrypted data. Second, if you are using a hosted service, Two-Factor Authentication is your friend. Please use it.

Third, a decentralized service attack requires that an attacker have administrative access to one of your devices. If they have that, you have larger issues than your passwords being stolen.

And, finally, an attack on a local database requires, that, again, an attacker has access to the hosting device. Which would create a much larger issues than just your password being stolen.

Oh, and using the remember password feature in browsers? Totally fine. Use it all you like. Just be careful about where you’re syncing that data. I’m looking at you, Google Chrome.

“Okay, so, how do I remember my obnoxiously long password for my password manager?” My hypothetical reader asks.

I’m just going to link to this XKCD comic that I feel explains it best.

But, to summarize in case XKCD is blocked at your work place (why?), pick any 4 given common words, smush them together into one string (WITH SPACES!). The example given is “correct horse battery staple”. Now come up with some cute mnemonic to remember this for yourself, which you almost already did, most likely, and now you have a strong, human readable, human memorable, password.

This should be the only password you have like this. The rest are machine generated and meant to take until the heat death of the universe to brute force via machine guessing.

Well, unless you have to log into the IRS website… which disallows the use of password managers and copy/paste functionality in its password field. For reasons. None of them well explained.

Listen, the IRS is still running the entire tax system off of a program written in COBOL that has caused an estimated billion dollars in technical debt to get out from under into something more modern. We’re going to guess their problems go far and beyond their strange password policies.

Sometimes it really is the service’s fault when you get hacked. But you can do your best to avoid it in the meantime.

Stay safe online, and in the wide world.

If you have questions, you can contact me at my Harmony Group email address: AJ@HarmonyGroupATL.com

~AJ

Security: Praxis

What’s that word? You might not have seen it before. Why is it in a blog post about security?

Let’s start with just pasting in the definition from googling “Praxis Definition”.

prax·is/ˈpraksəs/

nounFORMAL

  1. practice, as distinguished from theory.

“the gap between theory and praxis, text and world”

  1. accepted practice or custom.

“patterns of Christian praxis in church and society”

This post, as a summary, will be about making a total life change to be about being secure. It’s a change in perception and action that requires time and effort but can (usually) be for the better.

As an example of security culture, imagine you are a political activist. It doesn’t matter what you’re an activist for, in this case. You have acquaintances and friends who are also activists, one would hope.

One day, you start a conversation with one of them. Midway through the conversation, they say, “Well, at the last protest I….” This is your time to hold up a hand and say, “Stop. I don’t want to know.”

Not because you genuinely don’t want to know. It’s probably a good story. But for your own safety and security, you shouldn’t know. Because if you know, you then have to, should that action be illegal, either A) lie to the police if or when you’re asked about it, or B) exercise your 5th amendment rights (supposing you’re in the USA). Neither of these are good options.

For IT professionals, we’re often trusted with information we, frankly, should never have known in the first place. Our time to hold up a hand and say, ” Stop. I don’t want to know.” is when anyone starts to recite a password to any system we do not directly have administrative rights to, or any system we do not absolutely require access to.

I have actually had people start to tell me their bank passwords. No thank you.

Should something happen, and it has, the first stop on anyone’s mental check list of “Who Done It?!” is going to be people they’ve given the password. And trusted individuals are given a pass, ex: Spouses. If I’m on the list, and not a trusted individual (and we’re never going to assume this), I will be receiving a call from the police.

I do not want a call from the police.

Even if I’ve done nothing wrong. Especially if I’ve done nothing wrong.

There’s a different topic in that, but it’s not for this blog on this website.

On the opposite side of this praxis (that is, opposite to ensuring you only know what you need to know), there is ensuring that others only know what they need to know, and do not know what they don’t need to know.

There are basic things, like: Don’t keep a physical record of your passwords, don’t say them out loud while typing, etc.

But further than that, there’s keeping logs.

System administrators already know this well. Logs are your friend. They prove who did what and where and when they did it. Anything you use that keeps logs, pay attention to them.

My bank, for example, sends me an email any time I login from any application or device, complete with that device’s ID and approximate location. I love this. But I’ve heard people complain about the constant emails associated with logging like this.

Until they get one when they haven’t logged in. Logs are your friend.

And, the final step in total praxis of security, is this: Shut your mouth(s).

That sounds really simple, but it’s that “(s)” part that’s important. You have more than one mouth. Or do you not also have a Facebook, YouTube, Twitter, LinkedIn, Instagram, Snapchat, Google Account, NewestSocialMediaPlatformHere, etc.?

I’ll give you a big hint about these services. The farm is free for the cows.

Did you know you can go into your Google account page and not only see a complete log of any voice command you’ve ever given your device, BUT LISTEN TO A COMPELTE RECORDING OF IT?

This applies to Amazon Alexa, too. Does this implicate Amazon or Google in some nefarious plot? Not really. Practically speaking, there’s no way for anyone (human) to listen to all of those voices, and there is, at best, an algorithm that listens for when someone cusses at their Alexa or Google home because it didn’t hear a command right, and tries to learn from that for better voice recognition.

But this does highlight something. As a culture, we’ve decided to just give away private information. We decided that’s an okay thing to do and haven’t considered the ramifications of it.

Twitter, for example, has a very powerful search API. If you don’t remember that terrible thing you said in September of 2010, but someone else sort of does, and wants to find it, and use it, well, it’s as easy as bringing up the helpful knowledge base article on the API, and then away they go!

Also, turn off location on your posts. C’mon, that’s just creepy, and it’s been discussed as an avenue for people wanting to break into your house to abuse.

Should you stop using social media? No. It’s actually an incredibly powerful and useful tool for interconnecting with everyone around you.

Should you be more aware of what you’re saying, or more importantly, giving away? Absolutely.

There’s even more to say on this topic, but that’s not necessarily for this blog, or this website. This post is more about the idea of engaging yourself in security culture and exercising good praxis of the ideas it presents.

This is a process. No one changes their habits overnight. But if you take your personal security seriously, you may find that you, at the very least, feel safer, though if I stopped you from being the sort of person who puts their phone number on Facebook publicly, I’ll count that a victory.

Stay safe online, and in the wide world.

~AJ

Let’s Talk About Security

So Harmony has a blog now. And guess who got pegged to write about security topics?

The selft proclaimed security enthusiast. That’s who.

This post is more of an introduction to the topic. We’re going to discuss the what, why, and how of security stuff, and how important and frankly out there some of the things can be.

It’s a hugely evolving landscape, too. Just recently, Microsoft stopped reccommending that you force a password change every x months. Wrap your head around that!

It’s that and a whole lot of other stuff that we’ll be talking about in my section of the blog.

I also do a lot of web development, and specifically in WordPress. And will be speaking about security and its application to WordPress in June 2019. You can find the Kennesaw WordPress meetup group here.

Stay safe online, and the wide world.

~AJ

Skip to content