
How Strong is Your Password?

A recent Wall Street Journal interview (https://curiosity.com/topics/the-real-rules-for-strong-computer-passwords-go-against-everything-youve-been-told-curiosity) about passwords indicated that a password like “correcthorsestaplebattery” is stronger than “Tr0ub4dor&3”. So I checked it out with a password strength checker (http://www.passwordmeter.com/). Wrong! The long password was rated weak with a score of 25 and the shorter password was rated very strong with a score of 100! The reason for the low score of the long password - no numbers or symbols and all lowercase. Just using one uppercase letter and adding one number gave it a rating of very strong with a score of 100. What this means is that you can use a string of unconnected words - at least three - with at least one uppercase and one number or symbol to make up a memorable password. Trouble is, you need to make up a LOT of passwords - one for every account you have. So the easy way out, as suggested by the article, is to use a password manager where that memorable password gives you access to the password manager and let the password manager make up complex passwords for each of your accounts. Done! Only one password that you need to remember.

And then I checked out my favorite combination password, a pattern like lllnlllnLLLn, where lll are lower case letters, n is a number, and LLL are uppercase letters. 12 characters in all. It was rated very strong with a score of 87. Adding just one more character, either another number or a symbol, changed the score to 100.

If you want to test your password, use the above link - but don’t use your password verbatim. Just use the same pattern with different letters, numbers and symbols.

Oh, did I say that you only need to remember one password? Not quite right. You need to remember your computer login password also.

John R Carter, Sr.

Passwords

We all use passwords for security purposes. How should they be composed? Following is an article that recently appeared in the Wall Street Journal. If you read it, then you can decide if you should or want to change your passwords. 

I volunteer at the Prescott Library helping people with questions/issues with their Apple products, and password problems (forgotten, mostly) account, I bet, for over half the problems people are having.

Jim Hamm


Never Mind Old Password Rules… Wall Street Journal, 8/8/17, p. A-1. Expert who touted mixing letters, digits, symbols now regrets it

BY ROBERT MCMILLAN

“The man who wrote the book on password management [now says]: He blew it… Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of ‘NIST Special Publication 800-63. Appendix A.’ The 8-page primer advised people to protect their accounts by inventing… new words… with obscure characters, capital letters and numbers—and to change them regularly. The document became… the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow…

“The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess… Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark… ‘Much of what I did I now regret,’ said Mr. Burr, 72 years old, who is now retired… In June, Special Publication 800-63 got a thorough rewrite, jettisoning the worst of these password commandments… The new guidelines… drop the password-expiration advice and the requirement for special characters… Long, easy-to-remember phrases [are now recommended] over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.…”

“Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters… In a widely circulated piece, [it was] calculated it would take 550 years to crack the password ‘correct horse battery staple,’ all written as one word. The password Tr0ub4dor&3—a typical example of a password using Mr. Burr’s old rules—could be cracked in three days, according to… calculations, which have been verified by computer-security specialists…”

Are You at Risk From This?

        A very serious warning comes from John Carter.  "GigaOM, CNN Money, BBC News, and others have released a notice that there is a bug called 'Freak' that was found in software used to encrypt data passing between web servers and web users.
        "Browsers so far noted to be affected are Safari, Google Chrome, and Windows Internet Explorer. Initially, the flaw was thought only to affect some users of Android and Blackberry phones and Apple’s web browser. For sure, every version of Internet Explorer is at risk.

        "What is at risk is personal and financial data open to attackers. This bug only allows attackers to capture data, but that includes passwords which then opens up the possibility of the attacker stealing all your money and your identity.
        "The horror part of the story is that this bug is the result of the government insisting on 'weak' encryption so that it could break in wherever it wanted."
        Of course you will want to read the full story yourself.  See here, here and here.
        John closes with these final remarks, "It might be wise to limit Internet browsing using only Firefox until things settle down.  The news broke as early as March 4, 2015."

Identity Theft Warnings

        A recent notice from LifeLock contains some useful information on identity theft.  It states that a Russian cybergang amassed over 4.5 billion records of usernames and passwords.  See here.  They state that smartphone users are 35% more likely to experience fraud than the average customer.  See here.  And, did you know that identity thieves may target the mail sitting out in your mailbox when your flag is up?  See here.

Has Your Password Been Stolen?

          David Passell informs us, "I tried the program referenced. It didn't detect any problems via any of my e-mail addresses." Look here:  http://www.zdnet.com/how-to-find-out-if-your-password-has-been-stolen-7000023990/?s_cid=e589&ttag=e589   And read down to see the 49 comments of people adding their own experiences and opinions on this subject. 

Password Problems

        After speaking to the PMUG meeting this morning, Jim Hamm informs us,  "Here's another article about the NSA after our passwords again. As I discussed in my presentation today, articles about passwords and password hacking are increasingly in the news.

        "It's a tough call to balance the needs of national security with the needs for personal privacy."

How Strong is Your Password?

        "Did you ever wonder how long it might take a program to crack your passwords?"  Jim Hamm gets our attention.  "Intel has a site wherein one can enter a password and it will tell you how long it would take. I checked two theoretical passwords I just made up, and here are the results:

                jc*12# ..... 7.25 seconds
                135791113151 ..... .007 seconds
        "You'll note using upper and lower case symbols, letters and numbers took longer than a string of just numbers that is twice as long. But both were cracked mighty quickly.
        "Don't use your real passwords, but you might check some passwords similar in style to your real ones to see how long a program might take to crack them.
        "As a last test I contrived a password that looked mighty tough to me. Here's how long it took to crack it:
                *q#$T23%$jim ..... 132 years!
        And here's Jim's assessment,  "Now, that last password would discourage all but the most dedicated cracker...(grin)."
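The numbers quoted in these posts (the passwordmeter.com scores in John's first post and his lllnlllnLLLn pattern, the "550 years" versus "three days" in the WSJ excerpt, and Jim's crack-time test above) all come down to one question: how many guesses does an attacker who knows how the password was built have to make? The script below, an added example that is not code from the newsletter, from passwordmeter.com, from Intel's checker or from the WSJ piece, makes that model explicit. Its attacker model is an assumption: a 2048-word list and 1000 guesses per second, the figures used in the widely circulated comic the article alludes to, which the page itself does not state; the bit breakdown for a "Tr0ub4dor&3"-style password is likewise the comic's estimate, and the "meter" is a constructed toy that only rewards character classes, not passwordmeter.com's real rules.

```python
"""Password guessing cost under an explicit attacker model (added example)."""
import math

GUESSES_PER_SECOND = 1000          # assumed guessing rate (the comic's figure)
WORDLIST_SIZE = 2048               # assumed size of the attacker's word list
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Alphabet sizes for pattern letters: l = lowercase, L = uppercase,
# n = digit, s = one of the 32 ASCII punctuation characters or space.
CLASS_SIZE = {"l": 26, "L": 26, "n": 10, "s": 33}


def bits_bruteforce(password: str) -> float:
    """Entropy if the attacker knows only which character classes occur.
    This is what a naive 'time to crack' estimate computes; it overstates
    strength whenever the password was built from words or a pattern."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return len(password) * math.log2(size)


def bits_wordlist(n_words: int, list_size: int = WORDLIST_SIZE) -> float:
    """Entropy of n words chosen uniformly from a list the attacker also has."""
    return n_words * math.log2(list_size)


def bits_pattern(pattern: str) -> float:
    """Entropy of a fixed layout such as 'lllnlllnLLLn' once the attacker knows it."""
    return sum(math.log2(CLASS_SIZE[c]) for c in pattern)


# Bit budget for a 'Tr0ub4dor&3'-style password: an uncommon dictionary word plus
# capitalisation, leetspeak substitutions and a trailing symbol and digit.
# Component sizes are the comic's estimates (assumption), not a measurement.
TROUBADOR_STYLE_BITS = {
    "base word (about 65,000 candidates)": 16,
    "capitalisation": 1,
    "common substitutions": 3,
    "punctuation character": 4,
    "appended numeral": 3,
    "order of the suffix": 1,
}


def bits_troubador_style() -> int:
    return sum(TROUBADOR_STYLE_BITS.values())


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a space of 2**bits guesses."""
    return 2 ** bits / rate


def composition_score(password: str) -> int:
    """Toy rule-based meter (constructed; not passwordmeter.com's rules).
    Credits character classes and caps the length credit, so it cannot see
    that a long passphrase has more entropy than a short mangled word."""
    score = min(len(password), 10) * 4
    score += 5 if any(c.islower() for c in password) else 0
    score += 15 if any(c.isupper() for c in password) else 0
    score += 15 if any(c.isdigit() for c in password) else 0
    score += 15 if any(not c.isalnum() for c in password) else 0
    return min(score, 100)


def compare() -> dict:
    """Side-by-side view of the two passwords from the article plus John's pattern."""
    phrase, mangled, pattern = "correcthorsebatterystaple", "Tr0ub4dor&3", "lllnlllnLLLn"
    phrase_bits, mangled_bits, pattern_bits = bits_wordlist(4), bits_troubador_style(), bits_pattern(pattern)
    return {
        phrase: {
            "meter_score": composition_score(phrase),
            "bits_if_attacker_only_bruteforces": round(bits_bruteforce(phrase), 1),
            "bits_if_attacker_knows_wordlist": phrase_bits,
            "years_to_exhaust": round(crack_seconds(phrase_bits) / SECONDS_PER_YEAR),
        },
        mangled: {
            "meter_score": composition_score(mangled),
            "bits_if_attacker_only_bruteforces": round(bits_bruteforce(mangled), 1),
            "bits_if_attacker_knows_method": mangled_bits,
            "days_to_exhaust": round(crack_seconds(mangled_bits) / SECONDS_PER_DAY, 1),
        },
        "pattern " + pattern: {
            "bits_if_attacker_knows_pattern": round(pattern_bits, 1),
            "years_to_exhaust": round(crack_seconds(pattern_bits) / SECONDS_PER_YEAR),
        },
    }


if __name__ == "__main__":
    for name, facts in compare().items():
        print(name)
        for key, value in facts.items():
            print(f"  {key}: {value}")
```

The toy meter scores the passphrase lower than the mangled word, reproducing John's passwordmeter.com experience, while the entropy figures under the comic's model go the other way (44 bits, about 557 years, versus 28 bits, about 3 days). The brute-force column shows why a crack-time site like the one Jim used can report very different figures: it depends entirely on the guessing rate and on how much of the construction the attacker is assumed to know.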

Password Hacking

        "Here is an article, admittedly somewhat lengthy and nerdy, about how hackers can make mincemeat out of your passwords so easily."  Jim Hamm goes on to elaborate,  "After reading the article, I know my passwords are, oh, so vulnerable. I bet yours are, too. I'm thinking about buying something like 1Password, or another strong password generator program, and redoing all my passwords.

        "If you've got a password program you like, let me know if you would."  

Deadline for Password Change

         Commspeed emailed a notice yesterday that on March 1 you’ll lose access to your email account if you have not changed your password by then.  It specified the tougher rules for an acceptable password. 
(So, how’s YOUR password?  Still easy to type in, easy to guess?  Time to toughen it up!  Before you face a deadline from your email provider you might consider a longer, trickier password and fiddle with it now. )
OK, try not to panic.  Phone and ask the tech if it is a genuine email from them.  OK, now dream up a new password, and try and try and try to get it set up online. It won’t go through.  Maybe they’re too busy over there?  Do I have to allow cookies?  What else? 
Three phone calls later, and looking for success soon, it finally worked.  
Look at Mail Preferences and see your account info, mailbox behaviors, and advance settings.  

        Mail > Window > Connection Doctor shows the connection status.  Why does the drawer show notations in that impossible-to-read Party Let font?  So, that's it for now.

Hacking Incident Warns Us About Passwords

        The latest on this situation is updated 8-5.  Read the whole thing.

        Jim Hamm sent this link about a horrible hacking of a man's iCloud account.  This evening John Carter sent a further warning of the need to establish strong passwords to avoid such a terrible thing.

        Here's the first from Jim:  "Here is a scary tale of woe: Mr Honan's iCloud account was hacked. What's even scarier, the hacker was then able to remotely wipe Mr Honan's iPhone, iPad and MacBook Air! Yes, all dead. If you happen to use a Gmail account, a two-step verification process is available to prevent hacking. As far as I know, this feature isn't available for iCloud. So, one should have a very strong password for your iCloud account. Yes, I know, it's probably remote that your iCloud account will be hacked. Mr Honan thought so, too."

        But Jim, can that really be true?  He wrote back with two other sites on the issue.  Here and here.

        John Carter went into more detail on what we should do about our own passwords.  ". . . if your passwords are short and simple, be prepared to be hijacked and potentially lose all the money in your bank or all the files on your computer.

        "A strong password contains a mix of letters and numbers with at least one uppercase letter, and the password should be at least 8 characters long. A very secure password will be 10 or more characters long. The password should never contain a word that can be found in the dictionary or letters or numbers in a sequence or that repeat.

        "Some of my clients do not even have a password to login to their computer, and this is a grave mistake because it makes all your other passwords in the Keychain Access application accessible to anyone that manages to hack into your computer.

        "Do yourself a favor and use passwords that are complete garbage. Write them down where you know you can access them quickly. Protecting yourself will save me a trip to help recover your files — if that's even possible. Smile when you have to type in that long gibberish because you know you're being protected. After a few times of typing it in, it will become second nature.

        "One approach is to alternate case, intermix numbers with letters, and where allowed, toss in a symbol. For your different passwords, you only need to make one letter or number different or add one letter or number."

        So, consider yourself warned, thanks to Jim and John.

        Now, Jim Hamm brings us the update of 8-5.  "Here's update three from the guy who was hacked via iCloud and had his iPhone, MacBook Air and iPad wiped clean:

        "Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were."

        And here's Jim's final comment -- at least for now!  "The hacker sure must have been one smooth talker to convince Apple's tech support to let him into Honan's iCloud account, which wasn't his. So much for strong passwords. It seems they can be circumvented.  According to another report, the hacker then used Apple's 'Find My Phone' service to remotely wipe the three devices."

Good Advice on Passwords

        Pay attention: we hear from John Carter who advises we seriously consider ten reasons why we need different Internet account passwords and change them often.
1. There are groups (Anonymous, AntiSec, LulzSec) whose sole purpose is to raid the security of large corporations (Sony is an example) just to prove it can be done and to demonstrate to the public why it is important to not have the same password for every account you have on the Internet.
2. Changing all your passwords every month - even by one letter, number, or symbol - is an effective way to protect your accounts on the Internet.
3. Use a password that contains a minimum of 8 characters (15 is recommended as a strong password) with at least one uppercase, one number, and one symbol (where allowed).
4. If symbols are not allowed in a password (as happens with some sites) increase the password length to at least 10 characters.
5. If a site does not allow symbols and does not allow up to 10 characters in a password it would be best to leave that site alone.
6. Never use a password that makes any sense at all, such as P0pp1 (read as Poppy or Popeye) and avoid repeating characters (as in this example).
7. Use a password generator when at all possible.
8. Keep a written log of all your passwords and keep it updated as passwords change. This is your only hope of remembering them.
9. If you insist on keeping passwords on your computer, such as the Mac Keychain Access or a Password Manager in Windows, then use a strong password to access it, and not like any other password that you use.
10. Repeat #1 through #9 until you get the message.
        Thanks, John, for reminding us!

Password Protection

        Wondering about passwords, we queried David Passell.  Here's his take:
        "The password method I was speaking of finally bubbled to the surface. Of course MS Word, Open Office, and Pages allow you to password protect a single document, check HELP. However, I wanted to password protect a whole folder full of stuff. Like I would put it in Dropbox, but nobody else could see it (I don't know whether they could delete it though--something I don't like about Dropbox.)
        Anyway what I did was:
1. Start Disk Utility
2. Select FILE > disk image from folder
       • Window opens
3. Find the folder full of stuff you want to protect.
4. Click on it
       • A window opens and you will see the [folder name].dmg
5. If you click on the arrows to the right of "compressed" (the default) you will have choices, but you can leave it where it is.
6. Click on arrows to the right of "encryption" and you will be able to choose 128 bit or 256 bit encryption. 128 should be adequate.
7. Click SAVE button on the lower right of the window and you will see

8. Type in a password and then again to verify it. Note that as you type in your password a graph will tell you whether it is a strong or weak password. One punctuation mark seems sufficient to raise it from Fair to Good.
9. Now you will have a [folder name].dmg folder. You could put it in Dropbox and nobody but you could open it.
10. To open the folder double-click it.
11. Enter the password and OK and if you didn't make a mistake (I usually do at least once) you will see

12. Now if you click on the disk drive symbol you can access what is there.
NOTE: If you did not uncheck "save in keychain" it will open on your own machine without typing in a password.
13. When you are through EJECT the drive symbol.
        Thanks, David, for your input.
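The same encrypted, compressed disk image David builds in Disk Utility can be produced from the command line with hdiutil, which is handy when you want to script it for several folders. The script below is an added example, not David's procedure verbatim and not Apple's code; the folder, image and volume names are placeholders, and the sample plist is constructed to stand in for what hdiutil attach -plist prints. The hdiutil calls only run on macOS; the argument builders and the plist parser run anywhere.

```python
"""Encrypted disk image from a folder via hdiutil (added example)."""
import plistlib
import subprocess
import sys


def create_args(src_folder: str, image_path: str, bits: int = 128,
                volname: str = "Protected") -> list:
    """hdiutil create arguments: AES-128 or AES-256 (the two choices in
    David's step 6), compressed UDZO (the Disk Utility default), and the
    passphrase read from stdin with -stdinpass rather than from the command line."""
    if bits not in (128, 256):
        raise ValueError("hdiutil supports AES-128 or AES-256 only")
    return ["hdiutil", "create", "-srcfolder", src_folder,
            "-encryption", f"AES-{bits}", "-stdinpass",
            "-format", "UDZO", "-volname", volname, image_path]


def attach_args(image_path: str) -> list:
    """hdiutil attach with -plist so the mount point can be parsed reliably."""
    return ["hdiutil", "attach", "-stdinpass", "-plist", image_path]


def detach_args(mount_point: str) -> list:
    """The command-line equivalent of David's step 13 (EJECT)."""
    return ["hdiutil", "detach", mount_point]


def mount_point_from_plist(plist_bytes: bytes) -> str:
    """Return the mount point of the first mounted entity in hdiutil's plist output."""
    info = plistlib.loads(plist_bytes)
    for entity in info.get("system-entities", []):
        if "mount-point" in entity:
            return entity["mount-point"]
    raise LookupError("no mounted volume in hdiutil output")


def run_with_passphrase(args: list, passphrase: str) -> bytes:
    """Feed the passphrase on stdin; it never appears on the command line, so it
    is not visible in the process list or in shell history. No trailing newline
    is sent, because hdiutil would treat it as part of the passphrase."""
    done = subprocess.run(args, input=passphrase.encode(), check=True,
                          capture_output=True)
    return done.stdout


# Constructed, abridged sample of what `hdiutil attach -plist` prints.
SAMPLE_ATTACH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>system-entities</key>
  <array>
    <dict>
      <key>content-hint</key><string>GUID_partition_scheme</string>
      <key>dev-entry</key><string>/dev/disk4</string>
    </dict>
    <dict>
      <key>content-hint</key><string>Apple_HFS</string>
      <key>dev-entry</key><string>/dev/disk4s2</string>
      <key>mount-point</key><string>/Volumes/Protected</string>
    </dict>
  </array>
</dict>
</plist>
"""


if __name__ == "__main__" and sys.platform == "darwin":
    import getpass
    folder, image = "./MyStuff", "./MyStuff.dmg"   # placeholder paths
    passphrase = getpass.getpass("Passphrase for the image: ")
    run_with_passphrase(create_args(folder, image, bits=256), passphrase)
    mount = mount_point_from_plist(run_with_passphrase(attach_args(image), passphrase))
    print("mounted at", mount)          # browse the files here (David's step 12)
    subprocess.run(detach_args(mount), check=True)
```

Because the passphrase goes in over stdin, nothing about it lands in the shell history or the process list; the script also never stores it anywhere, so unlike the Disk Utility dialog there is no "save in keychain" box to remember to uncheck.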