Category: Security

It’s Time to Tighten Your Security

The greatest threat to your online security is the strength of your password.

No more excuses. The academic year is over for most of you. Set aside an hour to devote to your online security.

You know all those websites you log into? They should each have their own password. Seriously. If hackers break into one site, they use those usernames and passwords to try logging into other sites. If your passwords are unique, they will fail. Also, those passwords should be long and contain different kinds of characters.

Use a password manager

If you don’t already have a password management system, get one. No, the post-it notes on your computer monitor and your password-laden Rolodex do not count.

I use LastPass, but there are other good ones out there. With LastPass, you only need to remember one password. And you do need to remember it. LastPass doesn’t even know what it is. With LastPass, your passwords are encrypted locally before being sent to LastPass. That means that if anyone breaks into LastPass, all they will get is a bunch of encrypted gobbledygook.

LastPass will generate random passwords for you, autofill your username and password into websites, and allow you to share passwords to designated sites with trusted family and friends. That means I have no idea what the password is to my bank account – and I don’t have to. It’s a random string of letters, numbers, and special characters of some length, probably more than 16 characters. And because I have shared this password with my wife, she could have changed it this morning for all I know. In any case, LastPass has saved the change. The next time I log in, LastPass will use the most recent username and password.

Also, LastPass is free. Pay $12 a year for added features. Totally worth every dime.

When you run LastPass, give it permission to pull any usernames and passwords you have saved in all of your computer’s web browsers. Then let it delete that information from your web browsers – you don’t need it there; it’s in LastPass. Install the LastPass extension in the web browsers you use most often. And install the LastPass app on your phone.

Log into the LastPass website and run the “security challenge”. LastPass identifies sites that have had security breaches and, for the sites it can, LastPass offers to change your passwords to those sites. That’s right. You don’t have to log into those sites and change your passwords. LastPass will do it for you. LastPass also looks for weak passwords, reused passwords, and old passwords.

Also, you can store credit card information and other “form fill” information like your email address, home address, and phone number. And you can store any other information you want in a “secure note”.

Create a strong password

While I use the LastPass password manager to automatically log me into websites, I still need a password I can easily remember to get me into my computer in the first place.

Step 1. Think passphrase, not password. Longer is stronger. Never use a word that can be found in a dictionary. Hackers, once they have your username – most commonly, your email address – will try the most common passwords first, like 12345 or password. Then they’ll run through the dictionary trying each word as a password. Then in a brute force attack they’ll use an algorithm to try every lowercase letter/uppercase letter/number/special character combination. The more characters you use, the longer it will take for their algorithm to generate your password.

longwindingyellowbrickroad

26 characters, lower case alphabet only.
Search space size: 6.4 x 10^36
Time to search that space: 20 trillion centuries

Search space size is the “count of all possible passwords with this alphabet size and up to this password’s length.” Time to search that space assumes that if the computer program is making one hundred trillion guesses per second, this is how long it would take the computer program to search all possible passwords given these parameters. Explore how changing password length and including different kinds of characters changes your password strength.

Step 2. Add a special character

?longwindingyellowbrickroad

27 characters, lower case alphabet, special character.
Search space size: 6.61 x 10^47
Time to search that space: 2 trillion trillion centuries

Step 3. Make one letter upper case

?Longwindingyellowbrickroad

27 characters, upper & lower case alphabet, special character.
Search space size: 1.26 x 10^52
Time to search that space: 40 thousand trillion trillion centuries

Step 4. Add a number

?1Longwindingyellowbrickroad

28 characters, upper & lower case alphabet, special character, number.
Search space size: 2.4 x 10^55
Time to search that space: 76 million trillion trillion centuries
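The arithmetic behind the four steps above, as a small added Python example that is not part of the original post. It reproduces the post’s “search space size” and “time to search that space” figures under assumptions of my own: an alphabet of 26 lowercase letters, 26 uppercase letters, 10 digits and 33 symbols (the symbol count that makes the post’s numbers come out right), a search space that counts every password from one character up to the password’s own length, the 100 trillion guesses per second the post states, and a century of 36,525 days. Keep in mind that this counts only an exhaustive brute-force search of the whole alphabet; an attacker who tries combinations of dictionary words has a much smaller space to cover, so treat these figures as an upper bound rather than a guarantee.

```python
"""Search-space arithmetic for the password-strength steps above.

Added example, not from the original post. Assumptions (mine):
  * alphabet sizes: 26 lowercase, 26 uppercase, 10 digits, 33 symbols
  * search space = every password of length 1 up to this password's length
  * the attacker makes 100 trillion guesses per second (as the post states)
  * one century = 36,525 days
"""

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # assumed character-class sizes
GUESSES_PER_SECOND = 100_000_000_000_000          # 10^14, the rate the post uses
SECONDS_PER_CENTURY = 36_525 * 24 * 60 * 60       # assumed: 365.25-day years


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must cover to be sure of hitting
    this password: each character class that appears adds its whole class."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Count of all passwords over this alphabet with length 1..len(password).

    Exact integer arithmetic: sum of a**k for k = 1..L, which is
    (a**(L + 1) - a) / (a - 1) for alphabet size a and length L."""
    a, length = alphabet_size(password), len(password)
    if a == 0:          # empty password: nothing to search
        return 0
    return (a ** (length + 1) - a) // (a - 1)


def centuries_to_search(password: str,
                        guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Centuries needed to try the entire search space at the given rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY


def strength_report(password: str) -> dict:
    """All four figures for one password, for printing or checking."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "centuries": centuries_to_search(password),
    }


if __name__ == "__main__":
    # The four passwords from steps 1 to 4 of the post.
    for pw in ("longwindingyellowbrickroad",
               "?longwindingyellowbrickroad",
               "?Longwindingyellowbrickroad",
               "?1Longwindingyellowbrickroad"):
        r = strength_report(pw)
        print(f"{pw:30} len={r['length']:2} alphabet={r['alphabet']:2} "
              f"space={r['search_space']:.3g} centuries={r['centuries']:.3g}")
```

Running the script prints the same four search-space sizes as the post (6.4 x 10^36 through 2.4 x 10^55) and the matching century counts; change the passwords in the loop to see how length and character classes move the numbers.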

Last thing to do

Sleep better tonight.

Dropbox Selective Sync

Years ago you created a Dropbox account and installed Dropbox on your home computer, your work computer, your personal laptop, and maybe even a work laptop. It was, and is, a great way to access all of your files wherever you may be. Do you remember when you used to email files to yourself? Or tried to remember whether the newest version of a file was on your home computer, your work computer, or a flashdrive – wherever you might have left that flashdrive, whichever flashdrive it was? Dropbox has even more powerful functionality with Microsoft integration. You can now edit documents with others, live, via Dropbox.com. But that’s not what this post is about.

Not only did you find Dropbox useful for storing your work files, you found it useful for storing your personal files. But do you really want your vacation photos on your work computer? One issue I’ve seen with those non-work photos on a work computer is that many work computers are backed up to an institutional or company server. Even if the photos are Rated G, they are taking up tons of space on servers that don’t have a ton of space. It’s one thing if those photos are work-related. It’s another thing if they are not. Or, less ethically troublesome, maybe you just have some folders that contain files that you don’t really need anymore. You’d like to keep them as an archive, but they don’t need to take up space on your computer’s hard drive.

Let’s separate the Dropbox folders you don’t need on your work computer from the folders you do need using “selective sync”.

Selective sync lets you tell Dropbox which folders you want to sync with a particular computer. To choose which Dropbox folders you want synced on your work computer, from your work computer click on the Dropbox icon in your system tray. Click on the gear icon, & select “Preferences”.

In the Dropbox Preferences window, select “Account”. Click on “Selective Sync…” The popup will show you all of your Dropbox folders. Leave checked the ones you want to sync to this computer; uncheck the ones you want removed. Click “Update” and “OK”.

Dropbox will delete the unchecked folders from your work computer, but they will still exist at Dropbox.com. I promise. Those unchecked folders will also still sync with any other computers you have. If you want to remove, say, 2009 committee minutes from your home computer, repeat this process from your home computer.

You can always resync those folders by going back into preferences, and checking the folders you want to sync to that computer.

You’re not doing anything else this evening. Take the opportunity to free up some space on your computer disk drives.


Heartbleed: LastPass Can Help!

You’ve probably heard about Heartbleed by now. This Gizmodo article does a nice job explaining what it is and why it’s problematic. How do you know which of the sites you’ve logged into are at risk? How do you know if that service has updated their software to fix the bug, making it safe to change your password on that site? There are 496 sites for which I have a username and password. How am I supposed to know which ones are vulnerable? As a LastPass user, LastPass will tell me. [If you’re not yet a LastPass user, this previous blog post, although a bit dated now, will give you the overview of what LastPass does.]

Run the LastPass security check

Log into the LastPass website. On the far left, click “Security check.”

On the next page, click the big red “Start the Challenge” button. You will be asked to re-enter your LastPass password. You’ll see your security score and ranking which is based on things like how many weak passwords you have and how often you reuse a password. Scroll down and you will see this.

For the websites marked “Go update!” go change your passwords. Remember to use the LastPass random password generator to create strong, unique passwords. When you assign a new password to a website, be sure to tell LastPass that you are replacing an existing LastPass website so you avoid having duplicate LastPass entries: one with the old password and one with the new password.

Dropbox example

I went into my account settings in Dropbox, clicked on the Security tab, and selected “Change password.” That generated this popup. I clicked the LastPass icon to automatically fill in my current password. Next, click the lock/arrow-around-it icon to generate a new password.


LastPass will give you a new password based on the parameters you used the last time you generated a new password. You can change the length of the password, and if you click on advanced options, you can decide if you want special characters, numerals, etc. Once you’re happy with your password, you will get this popup. Click “Yes, Use for this Site.” The new password LastPass just created will replace the old password in your LastPass Dropbox entry.

Click “Change password” and Dropbox will make the change.

Done!

Now, go do it for all of the sites LastPass says you should update.

Are You Safe and Secure? Follow-up Post

If you are going to hand your laptop to a prostitute as collateral while you visit an ATM, might I suggest that you use a service like FolderLock to secure the personal health information of the 652 clients you have stored on said laptop?

This was the news story I was reading this morning that immediately preceded me choking on my toast.

The woman of ill-repute thought the laptop more valuable than the forthcoming cash, so she pawned the laptop. Now, I doubt that anyone who had their mitts on the laptop really cared about the healthcare records, but I still wouldn’t want to be the owner of the laptop – or one of the people whose healthcare records were compromised. Or the prostitute, for that matter.

While I hope that most of us would not use our laptops filled with private student data, such as grades and assignments, as collateral for, well, any activity really, legal or illegal, having a laptop stolen is a real possibility. If it’s portable, it can walk away.

This might be a good time to review the FolderLock post and get your sensitive student information locked up.

Laptop cable lock

Now is also a good time to get a laptop cable lock to physically secure your computer if you don’t already have one. Granted, a cable lock wouldn’t have been much help in this circumstance since he voluntarily surrendered his laptop. But work with me. I’m trying to provide some new information here.

You’re at the coffee shop grading papers. You need to make a run to the restroom. Do you pack up your laptop and take it with you? Do you let it sit there unguarded? Perhaps you ask a stranger (!) to look after it? My recommendation? Use a cable lock.

On your laptop is a little slot built just for cable locks. The location varies from computer to computer. On my Fujitsu, it’s on the back corner. If you look carefully, you’ll see the lock icon to the left of the slot.

Take the lock end of the cable and wrap it through an open slat in a table or a chair. I also wrap mine through a handle on my laptop bag. Next, send the lock end through the loop at the other end of the cable. Now, attach the lock to the computer. If it’s a combination lock, enter the correct digits, then press the button on the lock. That will cause the tabs at the end of the lock to come together. Slip the compressed tabs into the lock slot on your computer. Let go of the button, and give the numbers on the combination lock a twirl. That’s it.

Of course this isn’t exactly high-tech security. Bolt cutters would slice through the cable in no time, but someone walking around a coffee shop with bolt cutters would certainly draw the attention of the other patrons.

Here’s a video of how to use one of Kensington’s newer models, the “Click Safe.” This video shows a keyed lock, but you can also get it as a combination lock. Mostly I just wanted to show you how to use any locking cable, regardless of the actual locking mechanism.

Are You Safe and Secure?

Your computer files. Are they locked away from prying eyes? Are they backed up? Are they backed up offsite, away from fire and flood danger?

For the most part, I don’t have super-secret data on my computer. I teach psychology.

My work computer is a laptop that I tote around with me. I have never had my laptop stolen, but that was true for everyone who had their laptop stolen for the first time.

Security I already have in place

If I left my computer sitting on the roof of my car and it blew off on the 405 and was rendered junk by a passing Kenworth, I would still have access to my files through Dropbox.com. I used to have an external hard drive at home I would use for backup, but it occurred to me that this would not help in case of, say, a fire at home. I’m a big fan of offsite backup.

In the case of mischievous riffraff, the thief needs to get into my laptop by guessing or bypassing my computer login. Once in, if they go into my web browser, they won’t be able to automatically log in to sites like Barnes and Noble or, more problematic, Wells Fargo. None of that username/password information is stored in my browser. All of that is stored in LastPass (see this blog post). When I travel with my laptop, I tell LastPass to log me out every time I close my browser. Even so, if I discovered my laptop stolen, I would immediately hop on my smartphone, tablet, or someone else’s computer and change my LastPass password. Just in case.

But all of my files and folders are theirs to see. Granted, I don’t much care if they want to read my syllabus, in fact, that would be kind of nice. I can’t imagine anyone being interested in committee meeting minutes. Reading those might be punishment enough for stealing my laptop. Student grades and assignments are more problematic. Realistically, does the average computer thief really care what Jane or John Doe got on their first psych exam? Probably not. But that doesn’t mean I’m not nervous about it.


Folder Lock ($39.95, free trial).

With Folder Lock, I can lock or encrypt files or folders. There is a lot of encryption software out there. Folder Lock gets high marks for both security and usability.

After downloading and installing Folder Lock, you’ll be asked to create a master password. Make it good. And do NOT forget it. Repeat: Do NOT forget it. And do NOT write it on a sticky note you put on your monitor. Nothing kills security faster than handing the keys to the thief. I have my password saved as a “secure note” in LastPass.

Locking a file or folder

Folder Lock is ridiculously easy to use. To lock a file or folder, navigate to the file or folder location, then drag and drop into Folder Lock.

Here I have added a folder. With the folder “locked,” it no longer appears in the original folder. It’s there, but it’s hidden. In fact, since this is a Dropbox folder, I still have access to it everywhere I have Dropbox installed. [That means that I had better have good security on my mobile devices – at minimum a lock screen. Save yourself the worry and install Lookout Mobile Security ($30/year and worth every dime) – locate your mobile device or wipe it clean.] If I want to access this folder from this computer, I have to go into Folder Lock and double-click on the folder. If I click on it once, I can unlock it (it will be visible again) or remove it (it will also be visible again). Which option I choose depends on whether I’m going to want to lock it again or not.

Encrypting a file or folder

This is upping the security significantly. Encryption scrambles the file data so that it’s unreadable to everyone except the person who holds the key. In this case, your key is your Folder Lock master password. If you are going to be storing sensitive data in the cloud, say in Dropbox or any other web-based storage service, encrypt it before storing it.

In Folder Lock, encrypted files or folders are stored in “lockers.” Click “Encrypt Files” and then “Create Locker.”

Name your locker and identify where you’d like that locker to be stored.

Next you’re asked to create a password for the locker. Don’t forget this one, either. (Create another secure note in LastPass!). Now choose “type” – the default is fine. Choose the maximum size for this locker – how much crap are you going to want to store in here?

After the very satisfying congratulatory message at having set up your locker, let’s go back to the main Folder Lock program. We see the locker we just created.

In fact, Folder Lock has created a whole new drive on my computer. It acts just like any other drive. Copy or move stuff into it like you would any other folder.

When you exit Folder Lock, you will be asked if you want to close this locker. Say yes. With Folder Lock closed, the drive will disappear. To access it, you need to run Folder Lock again. Here you can see my locker status shows that it’s closed. To open it, double-click on the locker and enter your locker password.

The folder with the locker contents will open, and the new drive will appear again.

Backup

If you don’t want to save your encrypted files or folders in Dropbox or some other cloud-based storage service, you can use Folder Lock’s secure backup. Folder Lock will not be able to access your files. They were encrypted (scrambled) on your computer. The only way to unscramble them is to have your password, which Folder Lock doesn’t have. That’s why you can’t ever forget your master password! There’s a storage fee depending on how much space you want. The smallest amount, 10 GB, is $5/month.

Backups are done automatically. All you have to do is save your files like you normally do, and Folder Lock will drop them in the queue for uploading.

Protect USB/CD and encrypt email attachments

Need to take your encrypted files with you on a flash drive? Use this option to copy your existing lockers or create new lockers on a flash drive or other portable media. If you lose your flash drive, no worries. No one can get into your files without your master password.

When you encrypt email attachments, Folder Lock compresses them into a password-protected zip file. The recipient will need to extract the files using a zip program like the free 7-Zip. The recipient will be prompted to enter a password – give them the password you attached to the file when you created it. For obvious reasons, it’s best not to do this in the same email message as the password-protected file.

A quick note on email. Email is the least secure method of sending information. In fact, at many institutions, email is considered public communication. Your IT staff – and the IT staff of your recipient(s) – can easily read your email. They probably aren’t as a matter of course because, frankly, your email is as exciting as your committee meeting minutes. That and they have plenty of their own email to read.

Folder Lock isn’t the only tool that can password-protect attachments. The aforementioned 7-Zip can password-protect zip files. But if you’re already in Folder Lock, you can do it with a couple clicks of the mouse. This feature alone, however, is not a reason to purchase Folder Lock.

Make wallets

Keep all kinds of stuff in this password-protected space – like your credit card information. This isn’t a feature I use; anything I would store in here I already have stored in LastPass.

Xtras and settings

With these buttons at the very top of the Folder Lock screen, you can do things like shred files, or go into “stealth mode” where it’s not obvious that you even have Folder Lock installed. When you go stealth, you’ll be asked to set a hotkey combination. That’s the keyboard combination you’ll use to run Folder Lock. Don’t forget that, either!

Conclusion

Up your security. You’ll sleep better at night.