Best Practices for Password Security

In today’s internet-connect age, strong passwords are your first line of defense against unauthorized access to your personal and professional accounts. Following best practices for password security is crucial to protect your sensitive information from cyber threats. Here are some essential guidelines to help you create and manage secure passwords.

1. Use Long and Complex Passwords

  • Aim for passwords that are at least 12 characters long.
  • Include a mix of uppercase and lowercase letters, numbers, and special characters.
  • Avoid using common words, phrases, or easily guessable information like birthdates.
  • Check this list of the top 100,000 passwords taken from list of 10,000,000 passwords compiled from default, breached, pentesting lists, listed in order of usage count. To use this list, you can search within your browser (control-f or command-f) to search whether your password comes up, without transmitting your information over the Internet.

2. Use Unique Passwords for Each Account

  • Never reuse passwords across multiple accounts.
  • If one account is compromised, others remain secure.

3. Use a Password Manager

  • Password managers generate and store complex, unique passwords for all your accounts.
  • You only need to remember one master password to access your password vault.
  • Here are several that offer free options/versions:

4. Be Wary of Phishing Attempts

  • Never enter your password on a site you accessed through an email link.
  • Always verify the authenticity of websites before entering login credentials.

5. Implement Multi-Factor Authentication (MFA)

  • Enable MFA whenever possible for an extra layer of security.
  • This typically involves something you know (password) and something you have (e.g., a mobile device for receiving codes, USB security key).
  • Many sites are requiring this in addition to passwords.

By following these best practices, you can significantly enhance your password security and protect your digital identity from potential threats. Remember, the strength of your passwords is often the key to safeguarding your personal information in the digital world.

Change ownership of a domain in Google Domains

I used the following steps to transfer a domain name from one Google account to another Google account.  It seems that this procedure has changed recently and existing solutions found on the Internet are out of date.  Surprisingly, Google did not provide the solution either.  I  found the current solution by trial and error.   This is very different from the normal transfer procedures used to transfer a domain name documented by Google and others Domain Name System (DNS) registrars.

  1. Go to Google Domains and login to the Google account that currently owns the domain name (example.org).
  2. Select the domain name that you want to transfer.
  3. Add the receiving Google account as a shared user for full access.
  4. Login to the receiving Google account and verify access to the target domain name.
  5. Edit the contacts to reflect changes for the domain name.
  6. Make sure a funding source is set, if using auto-renew option.
  7. Delete the previous Google account from the Users list.
  8. Optionally, login to the Google account that previously owned the domain name to verify it does not have access to the domain name.

Hopefully Google will index this post so their customers do not have to get frustrated trying to find the solution as I did.

 

Why does Firefox need it’s own print dialog?

Recently Firefox started loading it’s own dialog when trying to print a web page, about version 85.  I have never had any real problems with the Ubuntu’s print dialog, so I was surprised when the Firefox version showed up.  I really like the Simplify Page feature which cleaned up a lot of poorly formatted web pages in print.  Were they trying to compete with Chrome’s print functionality?  I hate the way Chrome defaults to printing in the cloud!  Am I being paranoid or is this a new way for Google to get more of my data.

Back to the real issue, how to get the system dialog back in Firefox.  Unfortunately the designers left that out of the Preferences dialogs.  Luckily there is another way.

  1. In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
  2. In the search box in the page, type or paste tab_mo and pause while the list is filtered
  3. Double-click the print.tab_modal.enabled preference to switch the value between true (new experience) and false (classic)
  4. If there is another preference named app.normandy.startupRolloutPrefs.print.tab_modal.enabled and it’s set to true, you can double-click that one to switch it to false as well. If you do not have that one, no need to create it.

 

Imagine a Football Game with No Rules

Today the FCC is voting to remove rules for Internet Neutrality that were adopted February 26, 2015.  Removing these rules would allow the few Internet Service Providers (ISP) to manipulate your Internet traffic as they see fit.  Comcast was found to be throttling BitTorrent traffic in 2011 and did not stop until the current rules were adopted.  I applauded these new rules in this blog in 2015.  Now the FCC wants to remove these rules and allow ISPs to treat us however they want with few alternatives for consumers.

Imagine if the government removed all the NFL rules and football games were played with no rules.  How would you know the score?  There would be no penalties and fans could jump on the the field (what’s a field) and run away with the ball (we don’t need a ball).  Crazy, right!  To let ISP make the rules and not tell anyone (both Comcast and CenturyLink did this with data download limits) will make consumers confused, frustrated and angry with no where to turn for help.

The FCC is suppose to help U.S. citizens, not delivery us to corporations for their profit.  Comcast and CenturyLink did not invent the Internet, the U.S. government did with citizen funding, so we invented it, we want rules to protect the Internet’s democratization and our use of it.  If the current administration cannot work for us, we need to find a way to do it ourselves.

It maybe to late to comment on the action, but give it a try at the FCC web site.

Password Shenanigans

There seems to be a trend in web security that requires that you type your password, no pasting allowed!

This combined with other password “requirements” are creating problems for people like me that use very secure long passwords.  That means I use a password safe that generates long random strings of letters and numbers like:

kUTaVYPuw6KdCLsqhfJ35qHdZcgCqR

BTW, this password is random and not used by me, anywhere!

So when I sign up for a site that does not allow pasting my really secure password, but requires that I type it manually, I end up with passwords like:

Secure4Stupid!

Making my password much less secure. Also most sites use the “onpaste=return false;” trick.  This only stops the stupid people, as 5-15 minutes with a Greasemonkey script will defeat that “security” feature.  So let’s not think that every idea about password security is a good idea.

Even the following idea is probably not that secure given that password crackers use dictionaries that contain the words: correct, horse, battery, and staple.

xkcd comicAnother annoyance is sites that do not tell me what the maximum length is for a password on their site.  Almost no one tells you this even though they tell you, you must enter at least 8 characters, using letter and numbers….  Since I have had several sites truncate my password, without error or warning, I now have to look at the HTML source code to see if a hint is there.

So here is some password advice for web-site developers and their customers.

  • Do tell us the minimum and maximum lengths, characters allowed (numbers, letters, symbols, etc.).  Make the maximum something like 255, to allow secure passwords and phrases.
  • Do use a hashing algorithm to store passwords for you password protected applications.  This also allows for very long passwords, but fixes the hash value length that you need to store to authenticate your users.  A really useful function is the Unix crypt() library function that is implemented in numerous languages including C, Perl, PHP, Python, and Ruby.
  • Do use standard HTML for accepting passwords for compatibility with more devices.
  • Do not disable pasting which causes users to create weaker passwords.
  • Do not store passwords in plain text on any system.  For clients, use a password safe program to generate and store passwords. For applications and servers, use a strong hashing algorithm to store and compare passwords.
  • Do not use JavaScript for security as it is easily circumvented.
  • Do not reuse passwords for multiple sites.

For more advice on password security:

39,000 emails and counting….

Today my Junk folder filled up and would not accept anymore messages!  39,019 junk/spam email messages since January 1, 2015 and that is just the blatantly junk messages.  I receive many more messages from organizations that I have contact with that can “legally” send me emails from their push marketing campaigns. Guess what?  I do not read most of these emails and if I do I will be less likely to do business with your organization!  Sending me an email every other day will not cause me to buy your product more often.  In fact, the opposite will happen and I will buy less or none at all!  Selecting the “Do Not Email” preference does not seem to work with most organizations.

Barracuda Central reports that of 440,517,446 emails received 10/15/2015, by networks that use their products, only 62,534,611 (14.2%) are legitimate emails and 371,958,217 (84.44%) are spam!

The Economist reports:

[spam] is also bad for the environment. According to a report from an environmental consultancy, ICF International, commissioned by McAfee, a computer-security company, some 62 trillion unsolicited e-mails were sent in 2008, using 33 terawatt hours of electricity. That is equivalent to the energy consumed by 1.5m American homes or 3.1m cars over a year. If generated by coal-fired power stations it would release 17m tonnes of carbon dioxide, some 0.2% of global emissions of this greenhouse gas.

We need to find ways of securing the Internet email systems to prevent the overwhelming deluge of spam email.  And now I receive junk texts!  We need to act now before these good technologies become worthless for real communication.

Long Live the Internet!

Today the FCC adopted new rules for governing the Internet in the United States.  These rules will protect and insure a open and neutral Internet. The FCC’s Open Internet Order contains the following rules.

  1. No Blocking;
  2. No Throttling;
  3. No Paid Prioritization;
  4. Standard for Future Conduct;
  5. Greater Transparency;
  6. Reasonable Network Management;
  7. Interconnection;
  8. Reclassification of broadband Internet access service as a telecommunications service under Title II;
  9. Major Provisions of Title II that the Order WILL APPLY:
    1. No unjust or unreasonable practices or discrimination,
    2. Allows investigation of consumer complaints,
    3. Protects consumer privacy,
    4. Ensures fair access to poles and conduits by providers,
    5. Protects people with disabilities,
    6. Bolsters universal service fund support for broadband service in the future.

You can read the entire FCC statement at http://www.fcc.gov/document/fcc-adopts-strong-sustainable-rules-protect-open-internet or a PDF version here.

Stop Using Microsoft Internet Explorer

If you are using Microsoft Internet Explorer (IE), there are hackers actively using a software bug to gain control of Microsoft Windows computers.  Stop using IE now! This is twice as dangerous as the Heartbleed Bug because an attacker can take control of your computer and do whatever they want with it.

US-CERT issued an alert about the active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. If you are still using Windows XP, Microsoft will not provide updates or solutions and you should consider installing and using an alternate browser such as Mozilla Firefox (free) or Google Chrome (free).

For more details, please see VU#222929 and FireEye’s Blog entry.

Heartbleed Bug – End of the World or Non-event?

heartbleed xkcd comicThat about covers the risks.  Now what can you do about it?  First, update your computer (Windows, Mac OS X or Linux/Unix), right now!  Before you read the rest of this post.

Most software vendors/service providers recognized the serious nature of this bug and updated their software (the easy part).  So getting the fix is usually easy. The biggest problem is trying to determine if your information has been compromised.  You can’t!  Attacks leave no trace or very little on the computers that gave up their private secrets.  This bug has been out in the wild for 2 years!  Maybe nobody found it and took advantage OR somebody did and has all our passwords.  N.S.A is that you?  The actual risk is probably somewhere in between those extremes.

Most security experts are recommending that we change all our passwords and replace all of our SSL certificates.  At the very least change your password on you bank account log-in, but you probably don’t need to change your Facebook password (everybody has all that info).  And definitely change your password if you use one password for everything.  Yea, it is hard to remember all of them, but you can let your computer do the remembering.  Start using a password safe like KeePass or KeePassX to create and store long secure password using one password, that you have to remember, to save them on your system in an encrypted file.

More info about Heartbleed Bug:

 

D-Link Router Backdoor Vulnerability

The US-CERT, a part of the Department of Homeland Security,  has issued a warning that certain D-Link routers have firmware that contains a backdoor for remote users to access router administrative functions without entering the administrator password.  Besides D-Link, Planex and Alpha Networks devices may also contain this firmware.

According to D-Link, the following D-Link routers are affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

For more detailed up-to-date information go to this D-Link page on this issue.

According to the original vulnerability report, the following Planex routers are likely affected:

  • BRL-04R
  • BRL-04UR
  • BRL-04CW

If you have one of these routers, check to make sure that the remote configuration from the Internet is not allowed (default setting).  This may have been changed by ISPs that remotely administer customers Internet connections.

Security researcher Craig Heffner found these routers’ internal web server will accept and process any HTTP requests that contain the User-Agent string “xmlset_roodkcableoj28840ybtide” without checking if the connecting host is authenticated.