News Blog

Read all 'passwords' posts in News Blog
February 27, 2008 12:01 AM PST

Keep your data safe by following the Password Commandments

by Dennis O'Reilly

Your first--and sometimes only--line of PC defense is your password. Even the most carefully crafted password can be rendered useless if you don't keep it secret. This is not such an easy thing to do, especially considering all the clever tricks data thieves have come up with to grab it, with or without your knowledge. More dangerous is the lackadaisical approach many people take to creating, using, and protecting their passwords. Here are 10 ways to use passwords to best effect.

1: Don't write it down. Ever. Either it will be so easy to find that you might as well not use any password at all, or you'll forget where you put it and somebody else will find it and use it to access your system. You may think your password is safe on that sticky note inside the third appendix of "Mastering OS/2, Second Edition," but that's the first place your larcenous pet walker will look (apologies in advance to all pet walkers for disparaging their noble profession).

2: Devise a password-creating system that's all yours. There are dozens, hundreds, maybe even thousands of Web pages and other resources offering advice on how to craft strong passwords. Of course, these are the first places the people in the business of cracking passwords look for tips. It's not difficult to come up with your own system that combines a variety of methods. One possibility is to start by reversing an inactive phone number from your past, then convert the numbers to letters, so "213-555-1212" would become "bm-eee-ll" (remove the hyphens, if you wish). Make it even stronger by adding the street name of your childhood home converted from letters to numbers, which would change "Maple" into "13-1-15-12-5". Now really mix things up by placing the numbers inside the letters: "bme13115125eell".

The benefit of having your own system over using a random password generator is memorability: If you remember your system, you'll look at the above sequence and see the phone number and street name, not just the actual letters and numbers. No, I won't tell you the password-creation system(s) I use, but they don't have anything to do with old phone numbers or street names. Honest.

3: Don't send your password via e-mail or give it out over the phone. OK, there are exceptions to this "rule," such as when your company's help-desk staff are troubleshooting your system over the phone, but even in those rare instances, it's a good idea to change your password immediately after you give it out (see more on changing your password below).

4: Disable AutoComplete for user names and passwords. Yes, this feature of Internet Explorer, Firefox, and other browsers can save you time when you're online, but it also lets anyone who gains access to your Windows login, or to your PC when you're logged in but away, visit all the secured sites in its database, change the passwords, and otherwise act in ways you may not appreciate. To disable this feature in IE, click Tools > Internet Options > Content, and choose the Settings button in the AutoComplete section. Uncheck User names and passwords on forms (you may also want to uncheck the other two AutoComplete options: Web addresses and Forms). Click OK, and then choose the General tab, and click Delete > Delete Passwords (and any other options, or Delete all to wipe your browser clean). Click Close and OK.

Internet Explorer 7's AutoComplete Settings dialog box

Uncheck User names and passwords on forms in Internet Explorer's AutoComplete Settings dialog box.

In Firefox, simply click Tools > Clear Private Data (or press Ctrl-Shift-Delete), check all the items, and click Clear Private Data Now.

Mozilla Firefox's Clear Private Data dialog box

Erase personal information from the Mozilla Firefox browser by checking items in the Clear Private Data dialog box.

5: Change your password often. Even if you haven't had reason to share it recently (as mentioned above), get into the habit of refreshing stale passwords. The more important the data your password protects, the more often you should update it. One way to force yourself to change your Windows login password is by using the password options in Local Security Policy (it's called "Local Security Settings" in Windows XP). In XP, click Start > Run, type secpol.msc, and press Enter. In Vista, press the Windows key, type secpol.msc, and press Enter. In both versions, select Password Policy under Account Policies. Double-click Maximum password age in the right pane, enter the number of days you want to go between passwords, and click OK. The other options in this dialog box let you enforce password history, set a minimum password age or length, require that the password meet Windows' complexity requirements, and store passwords using reversible encryption (that last option weakens protection and should stay disabled unless a specific application needs it).

Windows Vista's Local Security Policy dialog box

Force Windows to require a new login password after a set number of days via the Local Security Policy dialog box.

6: Clear the cache after using a public PC. If you log into a Web site from a PC other than your own, make sure you wipe out all traces of your use by deleting the browser's personal data. See the steps described in "Disable AutoComplete for user names and passwords" above.

Note that many public PCs reset to the defaults as soon as you log out, but don't trust them. In fact, it's good practice to change your passwords whenever you use them in a public setting, even on your own laptop after attending a conference or other event, for example. Snoops love to hang out at such places, whether using a keystroke logger, or simply looking over your shoulder as you log in.

7: If it's too valuable to lose, don't keep it on your PC. If you just discovered the secret to changing marshmallows into gold, you may not want to trust the formula to any hard drive, whether or not it's password-protected, or connected to a network at all. In addition to the threat of data-crackers, the drive could fail, leaving your fate in the hands of some data-recovery service. If you have to store a digital copy of some important file, place it on an optical disc designed specifically for archiving, and store that disc in a safe place, such as a bank deposit box. And--of course--make a copy that you store in a separate, secure location. When optical drives are replaced by some new-fangled storage medium, copy the data to a secure version of that medium, but you probably don't have to worry about this for at least a couple of years.

8: Create a password-reset disk. It doesn't have to be a floppy, which is a good thing since few new PCs even have floppy-disk drives. But a reset disk is the best protection against a bad memory--yours more likely than the computer's. Log into the account you want to protect, open Control Panel's User Accounts applet, select the account, and in XP, click Prevent a forgotten password in the left pane. In Vista, click Create a password reset disk in the left pane. Step through the Forgotten Password Wizard, selecting the removable medium of your choice when prompted. Label the removable device appropriately, and store it somewhere safe but easy to remember. It's one thing to forget your password, but quite another to forget where you put your password reset disk.

9: Use a password-management utility. I hesitate to rely on a third party to protect my passwords, but one that has been around for a long time is RoboForm, which comes in free and $30 Pro versions.

10: Ask for some help to reset your password. If you've forgotten your password and don't have a password-reset disk handy, log onto another administrator account on the system, open the User Accounts applet in Control Panel, click Change an account in XP, or Manage another account in Vista, select the account, and change the password. A couple of weeks ago I described how to activate Vista's hidden administrator account.

You can also change the password by booting from your XP install CD and running the Repair option. Vic Ferri provides step-by-step instructions.

Tomorrow: the quick, simple, and free way to embed videos in e-mail.

Originally posted at Workers' Edge
Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.
February 25, 2008 12:01 AM PST

Stay safe while using Microsoft Office 2003

by Dennis O'Reilly

You trust Microsoft Office with your most important documents, spreadsheets, e-mail, and presentations. Unfortunately, many of the default security settings in Office applications may not provide a sufficient level of protection for your data, your system, and your reputation. Follow these steps to fine-tune the security settings in Office 2003; tomorrow I'll cover the new security options in Office 2007's Trust Center and elsewhere.

Office 2003 lets you encrypt files so that you need a password to read or edit them. In Word 2003, open the document and click Tools > Protect Document. To restrict the styles that can be applied to the file, check Limit formatting to a selection of styles, and click Settings. Uncheck the styles you don't want to allow, or choose one of the other style-restriction options, and click OK. To make the document read-only, check Allow only this type of editing in the document, and select one of the options in the drop-down menu: Tracked changes, Comments, Filling in forms, or No changes (Read only).

Microsoft Word 2003's Protect Document dialog box

Choose an option in Word 2003's Protect Document dialog box to restrict access to the document.

You can also designate the people who can access the file by clicking More users, entering their user names or e-mail addresses, and clicking OK. When you're done, click Yes, Start Enforcing Protection. In the resulting dialog box, either choose Password and enter (twice) the password that will decrypt the file, or select User authentication, which allows the people you designate to remove the file's protection.

The User authentication option requires Microsoft's Information Rights Management, which requires the Windows Rights Management client. This in turn requires a .NET Passport account, and your agreement to the "free trial," though there's no indication if or when the trial will end. Microsoft promises to maintain the privacy of your files, and to make them available for three months after the trial ends, if you maintain the .NET Passport account. There may be a good reason to go this route, but to keep things simple, I stick with the password option. To remove these settings, click Tools > Unprotect document, and enter the password (if you chose this method of protection).

Microsoft Word 2003's Protection method dialog box

Choose Password and enter the password that will open the file, or select User authentication to allow the people you designate to read, edit, and/or comment on the document.

To protect a worksheet or file in Excel 2003, click Tools > Protection, and choose your preferred protection method: Protect Sheet, Allow Users to Edit Ranges, Protect Workbook, or Protect and Share Workbook. If you choose the first option, you're prompted to enter a password to unlock the sheet, and you can limit the actions people can take when working on the sheet. The second selection opens a dialog box in which you can specify the ranges that will be unlocked by a password by clicking New and entering the ranges. You can allow specific people to edit, or list the users who can't edit the range without a password by clicking Permissions and entering their user or group names. The third and fourth options are similar to the first, but apply to the entire workbook rather than a specific worksheet.

In PowerPoint 2003, click Tools > Options > Security, enter a password that will let the presentation be opened or modified, and click the Advanced button to select an encryption type. This dialog box also lets you remove hidden data from the file, and adjust your macro security settings (the default allows only signed macros from trusted sources, though this is of questionable value since "trusted sources" is pretty meaningless).

Outlook 2003's security options let you encrypt outgoing attachments, restrict the sites that can send you scripts and active content (the same list that's in your Internet Options), and limit the receipt of images and file downloads. But two of the most important things you can do to protect yourself from malware in Outlook are to turn off the Reading Pane (aka Preview Pane), and to view your mail as plain text. To deactivate the Reading Pane, click View > Reading Pane > Off. And to switch from HTML mail to the safer plain text, click Tools > Options > E-mail Options, check Read all standard mail in plain text, and click OK. When you want to view a message in its original HTML format, click the beige message bar across the top of the message window and select Display as HTML.

Microsoft Outlook 2003's E-mail Options dialog box

Protect yourself from malicious messages in Outlook 2003 by selecting "Read all standard mail in plain text" in the program's E-mail Options.

Protect your reputation with the Remove Hidden Data tool: Maybe you're one of the many Office users who have suffered the embarrassment of sending someone (or a lot of someones) a file that hadn't had its revisions and comments deleted. To minimize the chances of the public seeing more of your files than you intend, download Microsoft's free Remove Hidden Data tool. (I described this program and four other great Office freebies in an earlier post.)

Tomorrow: get more out of the new security options in Office 2007.

Originally posted at Workers' Edge
February 13, 2008 12:01 AM PST

Enable Vista's hidden administrator, and password-protect its XP equivalent

by Dennis O'Reilly

You probably know about the "hidden" administrator account in Windows XP. On an XP system where no other accounts have been created, it's the only account.

Until you add a new account, you zip right to the desktop when you boot the OS, with no stop at the Welcome screen. Once you set up one or more new accounts, the default administrator disappears, though you can bring it back in both XP Home and Pro. (More on this below.)

Vista ships with this account disabled, which is not such a bad thing because every user on the PC should have his or her own custom account, even if "every" translates to "one."

Still, this back-up administrator account can come in handy if you encounter some problems logging into or otherwise using Vista. To enable it, right-click the Command Prompt on the Start menu (it is likely listed under Accessories), choose Run as administrator, type net user administrator /active:yes, and press Enter. You should see a message stating that the command completed successfully. Type exit and press Enter again to close the Command Prompt window.

The Command Prompt text used to activate Windows Vista's back-up administrator account

Enable Windows Vista's backup administrator account from the Command Prompt.

When you restart Windows, you'll see a new account labeled simply "Administrator." The first time you log into this account, Windows will tell you that it's preparing the desktop before the system's default desktop appears. Click Start > Control Panel > User Accounts and Family Controls > Change your Windows password > Create a password for your account, enter your password twice, add a hint (if you wish), and click Create password. (If you use Control Panel's classic view, the settings to create a password are in the User Accounts applet.)

To disable this administrator account, follow the steps above to return to the Command Prompt in administrator mode, type net user administrator /active:no, press Enter, type exit, and press Enter again.

Give XP's hidden administrator account a password
This administrator account is a well-documented security risk in Windows XP because by default it doesn't have a password, which means anyone can log into your system via this account, change the passwords for all the other accounts, and perform other mischief. To give the account a password in XP Home, restart the PC, press F8 before Windows loads, select Safe Mode, and press Enter.

The only selection will likely be Microsoft Windows XP. With this option highlighted, press Enter again. You'll see a Welcome screen with an account labeled Administrator. Click this account, choose Yes at the warning, open the User Accounts applet in Control Panel, click the Administrator account again, choose Create a password, enter the new password twice, enter a hint (if you wish), and click Create Password. You may also be asked if you wish to make this account's files private. Make your selection and click Finish.

There's a much simpler way to make this administrator account visible on the Welcome screen in XP Pro: Open the Tweak UI Powertoy, click Logon in the left pane, check Show "Administrator" on Welcome screen in the Settings window on the right, and click OK. Note that you'll still have to log into this account and follow the steps above to add a password for it.

The Logon options in the Tweak UI Powertoy from Microsoft

Select the Logon option and check this option to add the hidden Administrator account to the Welcome screen in XP Pro.

Tomorrow: Your options for moving Excel data to a Word document.

Originally posted at Workers' Edge
February 5, 2008 12:47 PM PST

Are your mobile devices password protected?

by Amy Tiemann

The New York Times recently reported a heartwarming story about a lost digital camera being returned after a kindhearted stranger analyzed the photos on the camera to find the owner.

The camera was left in the backseat of a New York taxi, and contained sightseeing photos of Manhattan, as well as Florida snapshots including people wearing name tags. Leads took the hunt to Ireland, back to New York, and finally to Sydney, Australia, where the rightful owner lives. He was "over the moon" with gratitude to get his camera back.

This story has a happy ending, and perhaps most of us would be glad to get our camera back in that situation, but it also made me uneasy to realize how much personally identifiable information was stored on one camera card. I would rather have a locked camera that could not be accessed if it was found than have a stranger be able to peer into my photos.

The situation is even more crucial when it involves smartphones. ...

Originally posted at parent . thesis
August 3, 2007 1:43 PM PDT

IRS bureaucrats duped into exposing passwords

by Anne Broache

Brace yourself for another fine example of the tech-savviness of federal bureaucrats (and yes, this sentence is dripping with sarcasm).

According to a report released Friday (PDF) by the Treasury Department's inspector general, 60 percent of a sampling of 102 Internal Revenue Service employees, when contacted by government auditors posing as help-desk employees, were perfectly willing to reveal their usernames and change their passwords to ones suggested by the callers.

The auditors said they were particularly alarmed by this year's findings against the backdrop of a similar test in 2004, when only 35 percent fell for the trick. In 2001, 71 percent succumbed to the requests, which led the IRS to take "corrective actions" designed to raise awareness about social-engineering attempts and password protection requirements.

Clearly the Internal Revenue Service needs to do much more to warn about the perils of such "social-engineering" attacks on its computer security and to drive home that sharing usernames and passwords with anyone is forbidden, the report said.

Despite frequent evidence of attempted external intrusions to the tax agency's aging computer systems, it appears no successful attacks have ever occurred, the report said. But if employees are so easily fooled by requests from fake insiders, they could create real threats to sensitive taxpayer information and overall IRS security.

The report included a two-paragraph response from Daniel Galik, the IRS's chief of mission assurance and security services, who said, "We continue to re-emphasize computer security practices, including social engineering, to IRS personnel."

July 20, 2007 1:38 PM PDT

Virtues of the iPhone's password lock function

by Kevin Ho

One of the beauties of the iPhone is its supposed near-ubiquitous access to a huge amount of your personal information from one access point. Think about it: your contacts, text messages, e-mails, music, photos, stock portfolios and bookmarks, even to what you're doing and when, are all in your hand or pocket.

Over iced tea on a sunny day in San Francisco, a friend who is quite the entrepreneur noted that if you ever, god forbid, dropped your iPhone or lost it, or if it should get stolen, the next person who picked it up would have access to all that stuff about you.

Of course, because you have to activate the iPhone with AT&T, it should figure that if you reported it stolen, the particular handset associated with your account shouldn't be able to access the AT&T network. (Note: I've heard of some people breaking in and hacking the iPhone so that it could be used on different networks than AT&T).

That said, your information is still physically located on the iPhone. This leads me to wonder if AT&T can send some kind of disrupter, fry-my-iPhone signal out that would fry your iPhone--the ultimate nuclear option. Sounds drastic, but you never know how valuable information can be. Remember when Paris Hilton's BlackBerry was allegedly stolen? That is, after someone hacked into her T-Mobile Sidekick? BlackBerrys apparently are capable of receiving a "kill signal" that will disable access to your BlackBerry e-mail if it is located on an enterprise server, but what if it's not?

A world of worry lurks here for the contents of your iPhone, right?

But, like others, I've recently come to see that you could simply use the password function on the iPhone. No, not the old TV show Password but rather a key lock function that many cell phones have. Not many phones, however, enable users to provide a unique personal identification number to unlock the device. The iPhone's password function (located under "general" menu) requires that you type in a PIN every time you use the iPhone after it goes idle.

Well then, who uses the password function?

One person I know who works at a big tech company and has e-mails that, I presume, require discretion and protection, uses the password function. Another person, also of a large tech company, says that if he had work e-mail on his iPhone, his company would force him to lock it. But for now, he says, "who cares if someone reads my e-mail?" It must be elementary for tech companies to institute stringent privacy protection policies.

Others I have met have said that when they leave their iPhones at their desks or workstations, they lock theirs too.

As for me? Well, I'm just paranoid. I already shred most of my documents anyway. Call it the lawyer in me, but despite the extra keystrokes, I think it's still a good idea, even if we're not as famous as Paris.

Originally posted at Living with the iPhone
Kevin Ho is a San Francisco attorney and the owner of a brand new iPhone. He'll be writing about the experience for the CNET Blog Network, and is not an employee of CNET.
July 20, 2007 10:00 AM PDT

Nevada governor accidentally posts Outlook password

by Declan McCullagh

If you ever wanted to be Nevada's governor for a day, it doesn't seem to be that hard.

In what could be a whopping security hole, Nevada has posted the password to the gubernatorial e-mail account on its official state Web site. It appears in a Microsoft Word file giving step-by-step instructions on how aides should send out the governor's weekly e-mail updates, which has, as a second file shows, 13,105 subscribers.

Excerpt from Nevada's state government Web site: How to be the governor for a day. And we're sure he replies to all of his own e-mail as well.

The Outlook username is, by the way, "governor" and the password is "kennyc". We should note at this point that the former Nevada governor, a Republican, is Kenny C. Guinn, which hardly says much about password security.

The current governor of Nevada, Jim A. Gibbons, also a Republican, happens to be widely disliked. His approval rating of 28 percent accomplishes the rare feat of being below President Bush's. It doesn't help, we assume, that Gibbons is facing an FBI probe over possible illegal gifts.

For the record, we didn't try sending fake gubernatorial mail with the "kennyc" password (or "jimmya" either), so we don't know whether it actually works or whether it's been changed for the new administration. Although the listserv's administration interface is publicly-accessible, there might be a firewall that limits connections to the Outlook server, for all we know. Because other accidentally-public documents on the NV.gov site continue to list the "kennyc" password, though, we wouldn't be surprised if the password remained the same.

We did, however, briefly consider that a message titled "Governor_eAlert_07.19.07: Why I am resigning in disgrace" or "Governor_eAlert_07.20.07: Why I am switching to the Libertarian Party," would be more interesting than the run-of-the-mill actual titles like Economic Development Funding Paying Immediate and Long-term Benefits.

Other documents on the Nevada Web site list internal phone numbers and, oddly, because we didn't think anyone in this biz used fax machines anymore, a "PRESS RELEASE BLAST FAX LIST" for our colleagues in the Nevada media.

We did try calling and e-mailing the press office on Friday morning but didn't hear back by our publication deadline. Maybe we would have had better luck if the e-mail inquiry had come from the governor himself...

Note: Reporters are, of course, only as good as their sources. A tip of the hat this time to a fellow who goes by the name of Don Malaria.

Update as of 11am: The offending Web site has been taken offline, although the password files are still available through Google's cache. We did speak to Melissa Subbotin, the governor's press aide, but never got a response in terms of how this happened.

May 7, 2007 12:01 PM PDT

Alleged AOL password security flaw raises eyebrows

by Caroline McCarthy

According to a post Monday on the Washington Post's "Security Fix" blog, AOL's password system may not be quite as secure as it would have you believe. A tipster e-mailed blog author Brian Krebs to say that even though AOL allows your password to be 16 characters long, it only counts the first eight. This could spell bad news for AOL members who might not choose their passwords wisely--namely, those who might include their usernames in them.

"Let's take a fictional AOL user named Bob Jones, who signs up with AOL using the user name BobJones," Krebs wrote in his post. "Bob--thinking himself very clever--sets his password to be BobJones$4e?0...even though Bob thinks he created a pretty solid 13-character password--complete with numerals, non-standard characters, and letters--the system won't read past the first eight characters of the password he set, which in this case is exactly the same as his user name. Bob may never be aware of this."

But even though the Washington Post blog has certainly raised the profile of the potential password flaw, it's not necessarily anything new. As one commenter on the post writes, "it's an old, well-known, well-documented underlying issue in the one-way hashing function crypt() once used by UNIX (among other) systems for passwords."

AOL representatives did not immediately respond to requests for comment.
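The truncation the commenter refers to, shown as an added example that is not from the post, from AOL or from the Washington Post: the block models a crypt()-style hash that silently ignores everything past the eighth character (SHA-256 stands in for DES crypt so it runs anywhere; it is not a real password hash), reproduces the Bob Jones collision, and adds an audit check a defender can run to flag passwords whose effective prefix collapses to the user name. The salt value and the `audit_password` helper are assumptions of this example.

```python
import hashlib
from typing import List

# Traditional Unix DES crypt(3) uses only the first 8 characters of the
# password. LEGACY_EFFECTIVE_LENGTH models that limit; the hash below is a
# SHA-256 stand-in for illustration only, not DES crypt and not for real use.
LEGACY_EFFECTIVE_LENGTH = 8


def effective_password(password: str, limit: int = LEGACY_EFFECTIVE_LENGTH) -> str:
    """The part of the password that actually takes part in a truncating hash."""
    return password[:limit]


def legacy_truncating_hash(password: str, salt: str) -> str:
    """Model of a hash that discards characters past position 8 (assumed behaviour)."""
    effective = effective_password(password)
    return hashlib.sha256((salt + effective).encode("utf-8")).hexdigest()


def audit_password(username: str, password: str,
                   limit: int = LEGACY_EFFECTIVE_LENGTH) -> List[str]:
    """Report what a truncating hash does to this user name / password pair.

    All checks look at the effective prefix, not the full string the user typed:
      - prefix equals the user name (the Bob Jones case)
      - prefix overlaps the user name
      - characters beyond the limit are thrown away
      - prefix draws on a single character class
    """
    issues: List[str] = []
    prefix = effective_password(password, limit)
    user = username.lower()
    if prefix.lower() == user:
        issues.append("effective password equals the user name")
    elif prefix and (prefix.lower() in user or user in prefix.lower()):
        issues.append("effective password overlaps the user name")
    if len(password) > limit:
        dropped = len(password) - limit
        issues.append(f"{dropped} trailing character(s) are ignored by the hash")
    classes = (
        any(c.islower() for c in prefix),
        any(c.isupper() for c in prefix),
        any(c.isdigit() for c in prefix),
        any(not c.isalnum() for c in prefix),
    )
    if sum(classes) < 2:
        issues.append("effective password uses a single character class")
    return issues


def demo() -> None:
    salt = "x9"  # constructed sample salt
    clever = "BobJones$4e?0"  # the 13-character password from Krebs's example
    # Both strings hash identically because only "BobJones" reaches the hash.
    for candidate in (clever, "BobJones"):
        print(f"{candidate!r:>16} -> {legacy_truncating_hash(candidate, salt)[:16]}...")
    for issue in audit_password("BobJones", clever):
        print("  -", issue)


if __name__ == "__main__":
    demo()
```

The same audit applies to any system that caps the characters it hashes; raise `limit` to whatever the target actually honours.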

April 24, 2007 12:34 PM PDT

OpenOffice password crack is open to abuse

by Tom Espiner

Security experts have warned that password recovery tools for OpenOffice, the open-source application suite, are vulnerable to abuse.

The release of version 1.0.4 of Intelore's OpenOffice Password Recovery software on Thursday allows IT managers and systems administrators to recover OpenOffice passwords and discard formatting and editing restrictions--for example, locked cell protection and permissions. The software allows password recovery through brute force and dictionary-based attacks, or a combination of both.

"Even if you have lost passwords for all your OpenOffice programs and documents, Intelore's solution can help you quicker than any similar program--OpenOffice Password Recovery supports simultaneous processing of several recovery projects with different attack profiles," said Dmitry Rozenbaum, chief executive officer of Intelore.

Although password recovery tools for Microsoft applications have been available for at least six years, OpenOffice Password Recovery is one of the first commercially available tools for open-source products. But security experts have warned that such tools could be open to abuse.

"These kinds of tools can be used for both good and bad," said Graham Cluley, senior technology consultant for security vendor Sophos. "It's a grey area in software. Cottage industries for such tools are mushrooming. These applications can help people, but in the wrong hands they're a bit of a security concern." Cluley added that IT managers could set policies about who could have access to such tools on a business network.

Paul Wood, senior analyst at e-mail security vendor MessageLabs, said that it opened a possible attack vector from disgruntled employees. "One attack vector is if a rogue employee has access to file-share password-protected documents. They can copy them, take them offline, and brute-force them at their leisure." Wood added that companies should lock down privileges, and consider encryption for sensitive documents.

OpenOffice Password Recovery version 1.0.4 is available to download for evaluation. The full business version costs $129. The product offers Unicode support and allows for recovery of multi-language passwords. OpenOffice Password Recovery version 1.0.4 can also recover a password containing typing errors, according to Intelore.
