Defense in Depth

July 17, 2008 2:33 PM PDT

A real simple answer to password protection

by Robert Vamosi

It's a question I get asked a lot: what's a good way to remember passwords for a computer?

Here's how Christopher Horn over at Real Simple chose to answer it:

Writing down random log-in user names and passwords is unsafe and leaves them vulnerable to getting lost. Use a spreadsheet or a word-processing document to keep track of all the information safely. List the link for each website you have an account with and the specific user-name and password information that goes with that account. Click the Save As option under the File tab and name the document. The Save As window will have an Options or Security Options key, which you should select. Navigate through the menus, entering the necessary password--for both opening and modifying the document--until you have successfully secured and saved your list. To retrieve the information, open the file and enter one password to access all the others.

I disagree.

There are some problems with Horn's answer. What happens if you want to log in to an account using a different computer? And, shouldn't you encrypt the file as opposed to just using a password?

Even the security people at Microsoft have told me that using the passwords within Windows and Office isn't necessarily your strongest security option. I know that password protection within Word or Works can be defeated with a variety of password-cracking programs. John the Ripper is perhaps the best-known program and uses lists of common dictionary words to brute-force unknown passwords. Chances are, Real Simple readers will probably use "password" as the password for their password list. But, still, placing a password on a file (placing a lock on it) is not the same as encrypting the entire file (scrambling the contents so only you can read it).

Me? I go low-tech. I write down all my passwords with pen and paper and do so in such a way that it would take someone a long while to associate a password with a given account. I also change these passwords from time to time. And I don't store my low-tech, highly obfuscated password crib sheet anywhere near my computer.

For a more thorough discussion of the various issues around passwords and password management, check out Elinor Mills' latest CNET News feature.

March 11, 2008 9:58 AM PDT

RealPlayer vulnerable in Internet Explorer

by Robert Vamosi

If you use the RealPlayer on Internet Explorer, watch out. Researcher Elazar Broad has posted to the Full Disclosure mailing list a so-called heap overflow vulnerability that makes it possible for an attacker to modify heap blocks after they are freed and overwrite certain registers. This could allow code execution on a compromised machine. The vulnerability affects all versions of RealPlayer running under Internet Explorer.

Exploit code for this flaw has not yet been made public.

Without a patch from RealPlayer, security experts recommend setting the kill bit for the following ActiveX ClassIDs (CLSIDs), which stops Internet Explorer from loading those controls:

  • 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
  • CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

Please note that kill-bitting the controls above will also remove some functionality within the player.
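An added example, not from the post or from RealNetworks: how an administrator would apply the kill bit to those two controls with PowerShell. The registry location and the 0x400 "Compatibility Flags" value are Microsoft's standard kill-bit mechanism; the CLSIDs are the ones listed above.

```powershell
# Added example (not from the CNET post): set the Internet Explorer kill bit
# for the two RealPlayer ActiveX controls listed above, then verify it took.
# Compatibility Flags = 0x400 under the ActiveX Compatibility key tells IE
# never to instantiate the control; it does not uninstall the player itself.
# Run from an elevated PowerShell session and back up the registry first.
$clsids = @(
    '{2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93}',
    '{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA}'
)
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400

foreach ($clsid in $clsids) {
    $key = Join-Path $base $clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any flags already present on the control and OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

# Verify: report the flag value and whether the kill bit is set for each CLSID.
foreach ($clsid in $clsids) {
    $flags = (Get-ItemProperty -Path (Join-Path $base $clsid) `
                  -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band $KillBit) { 'kill bit SET' } else { 'kill bit NOT set' }
    '{0}: Compatibility Flags = 0x{1:X} ({2})' -f $clsid, $flags, $state
}
```

To undo the mitigation once a patched player is installed, clear the 0x400 bit from the same value (or delete the key if it did not exist before).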

To avoid the loss of functionality, security experts recommend using RealPlayer in a browser that doesn't support ActiveX, such as Mozilla Firefox (for Windows and Mac).

January 31, 2008 11:16 AM PST

RealPlayer named by StopBadware.org

by Robert Vamosi

StopBadware.org said Tuesday it has labeled two versions of the RealPlayer media player as "badware," or spyware.

RealPlayer 10.5, it claims, "fails to accurately and completely disclose the fact that it installs advertising software on the user's computer." And RealPlayer 11, it claims, "does not disclose the fact that it installs Rhapsody Player Engine software, and fails to remove this software when RealPlayer is uninstalled." Ryan Lukin, PR manager for RealNetworks, disputed some of the claims.

Lukin said the Message Center in 10.5 feeds only news and information, product updates, movies, and video clips, and is clearly identified during installation. He said the change was that the check boxes in 10.5 were prefilled (requiring you to opt out), whereas in version 11 they were blank (requiring you to opt in). Lukin disagrees that the content served through the Message Center qualified as advertising.

As for version 11, Lukin said that by virtue of being a full-service media player, RealPlayer needs the Rhapsody ActiveX component because people may want to hear Rhapsody-encoded music clips. He agrees that once RealPlayer is uninstalled, the Rhapsody software should also be uninstalled. Lukin said RealNetworks was looking into making this change in a future release.

In the meantime, StopBadware recommends that users do not install either version of RealPlayer, "unless the user is comfortable with the software behaviors we identify or until the application is updated to be consistent with the recommendations in this report."

Full details of the StopBadware.org alert about RealPlayer can be found on the organization's site.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.