Join 3,572 readers in helping fund MetaFilter (Hide)


Nothing--you're screwed.
December 13, 2004 2:11 PM   Subscribe

Safe Personal Computing. Bruce Schneier, cited frequently on Metafilter, has a new article on his blog in which he gives home users concrete actions they could take to improve security. As the holidays come and I make the rounds to disinfect and repair all my family's computers, I'll be printing this out and sticking copies to their monitors.
posted by sohcahtoa (73 comments total)

 
I bet I'm not the only Mefite who is called upon for tech support at the inlaw's on Christmas morning. The suggestions in his article are excellent. Additionally, I have a USB thumbdrive, before I visit a relative's house where I expect to make a support call I make sure I have loaded: Spybot, Stinger, Ad-Aware, Firefox, AVG, and the Zone Alarm firewall. All of these are free for personal use. I hide IE and set Firefox for default. I make sure Automatic Updates are enabled. If they have broadband, I take them to the store and buy the cheapest NAT router available.
posted by sohcahtoa at 2:11 PM on December 13, 2004


That sounds a little drastic to me.
posted by _sirmissalot_ at 2:20 PM on December 13, 2004


For example: Don't open cartoons, videos and similar "good for a laugh" files forwarded by your well-meaning friends; again, immediately delete them.

I know lots of older-type folks who would say, "What's the point of having a computer, then?"
posted by _sirmissalot_ at 2:25 PM on December 13, 2004


write down your password for your online banking and stick it in your wallet? even my 4 year old knows you don't write down passwords.
posted by bizwank at 2:27 PM on December 13, 2004


Unplug the computer and walk away if you're that worried.
posted by trey at 2:27 PM on December 13, 2004


See, the problem is trey, is that these people aren't worried, don't know that they should be worried, and are spouting gigs of spam each day.

Thats the problem.
posted by Freen at 2:32 PM on December 13, 2004


The 2 most important things in my mind are to:
a) get people off the security nightmare that is IE
b) get them behind a NAT router.

If you are like me, the default tech contact for the tech-impaired relative, that should reduce your customer support load by about 95%.
posted by mcstayinskool at 2:33 PM on December 13, 2004


HA-HA!! I've got a Mac so I don't have to worry about all those viruses and spyware you stupid PC userjoi[r9t03ejiojogoire[ojrgt

...

*SYSTEM FAILURE IMMINENT. YOU HAVE BEEN ROXXX000RED!!!*

You will be redirected to coreyfeldman.info in two seconds.
posted by Debaser626 at 2:36 PM on December 13, 2004


Keep your online banking passwords in your wallet? Is he serious?
posted by euphorb at 2:36 PM on December 13, 2004


yes, Debaser626, I use linux and I puff my chest up and think how kewl I am and stuff...doesn't stop my father-in-law from spraying spam out his cable modem from his compromised Windoze machine. And it doesn't stop him from calling me either.
posted by mcstayinskool at 2:37 PM on December 13, 2004


the third most important thing is, to append to mcstayinskool:

c) get people to stop using Outlook
posted by Ryvar at 2:41 PM on December 13, 2004


even my 4 year old knows you don't write down passwords.

And for a 4 year old, that's good advice. But eventually we all grow up and gain the ability to keep at least basic personal possession reasonably secure.

Passwords are a great challenge. If you make your password very difficult to guess or brute-force, you also make it hard to remember; if you make it easy to remember, you make it (potentially) easy to social-engineer; if you keep the same one for too long, again, it becomes easier to social engineer.

Password rules that require a high change-frequency, disallow reusability, or require a lot of extra conditions (long minimum lengths, shifted characters, non-alpha characters, non-numeric characters, etc.) just make them harder to remember. The solution is to write them down, as blasphemous as that seems: Just down write them on your goddamned blotter. Write it down, and keep it somewhere safe. That way, you can create a nice, secure password (like "*dk@&HHy^.") without fear of forgetting it.
posted by lodurr at 2:42 PM on December 13, 2004


This comes up on AskMeta often, so here are three threads with a ton of tips for software: 1, 2, 3.
posted by monju_bosatsu at 2:43 PM on December 13, 2004


should be: "... jus don't write them on your goddamned blotter."
posted by lodurr at 2:43 PM on December 13, 2004


BTW, I think getting them to stop using Outlook is number 1 or 2, not number 3.
posted by lodurr at 2:45 PM on December 13, 2004


euphorb: Keep your online banking passwords in your wallet? Is he serious?

I suspect that he is. The whole suggestion is:
Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.
If you must write down a password, your wallet is probably the best place to store it. If your wallet goes missing, you know you have a problem. If the file on your computer is copied, who knows when you might figure it out.
posted by KirkJobSluder at 2:45 PM on December 13, 2004


Sohcahtoa: Hijack This, Thunderbird and Sun Java belong on that drive too. Also, Ethereal is handy (if overkill) for recovering forgotten POP3 passwords when cutting over to Thunderbird.

I'm finding there's a fairly reliable (if modest) living to be made in extending inlaw-level tech support to the general public on a fee-for-service basis. I charge $20/hour capped at $50/visit.
posted by flabdablet at 2:48 PM on December 13, 2004


I'm still careful, even though I'm on a Mac.

In 10.3.6, using Exposé, Mozilla has a "secret" window which it keeps open outside your field of vision. First time I saw it, I went apeshit, until I visited the mozdev forums.

Unfortunately, attacks on OS X are more vicious than the random myDoom or Trojan (not widespread, just vicious) as 99% of the systems are unprotected, and the attacker is usually someone with a vendetta against a particular company/organization (Really, who would bother to write a virus which would only affect 4%, unless you were really pissed?), so they often have an "in" to fool users into clicking their links/activating the virus.

But, hey, I got my backups, and have no pertinent info on my machine. (I would be pissed about the pr0n though, which I can't back up as I use the AIT drives at work)
posted by Debaser626 at 2:48 PM on December 13, 2004


I've solved the password problem. Jes' sayin.
posted by nicwolff at 2:49 PM on December 13, 2004


nicwolff:
Neat trick, but are 8 letter passwords using only 16 characters really that good? If you are going to use this method, you should at least use base64 rather than hexidecimal.

For example (although I'm using the md5 distribution of another person.)

Personally, one of the sacrifices I make is that I'd rather use a longer password than deal with camel case, so I'm fond of diceware myself.
posted by KirkJobSluder at 3:01 PM on December 13, 2004


I keep all my passwords in a password protected file on my Palm. Seems weird, but I only have to remember 1 password.
posted by knave at 3:04 PM on December 13, 2004


A couple of FREE programs that I STRONGLY recommend to the clueless (and concerned) are:

RegProt or StartupMonitor - These are essentially registry "firewalls" that inform you when something is trying to change a registry entry and let you decide if it is a good idea. Use the one that works best for you.

CookieWall from AnalogX - Simple, small footprint cookie manager.

For login and password management, try SSOPLUS, which stores all your login names and passwords and automatically fills in the login info when you return to the page. It only needs one master password for you to remember. I just started checking this one, but it looks pretty good.

Try these programs. They will make you safer and your browsing much easier. Oh yeah, did I mention they are all FREE?
posted by Enron Hubbard at 3:17 PM on December 13, 2004


> That sounds a little drastic to me.

Right in the linked article, he reaches out a hand to folks who might feel as you do, and he provides a good estimation of the most probable conclusion: "...you're screwed."

He backs it up, too. His site's chock-full of careful analysis. Go read it.
posted by SteelyDuran at 3:19 PM on December 13, 2004


Gordon Luk has a nice rebuttal.
posted by waxpancake at 3:21 PM on December 13, 2004


Yeh, except that "rebuttal" basically amounts to giving up on a lot of fronts. The attitude seems to be "don't bother, because a) you're going to get hit anyway and b) you're too ignorant to really do any of this stuff."

I agree with Gordon that many of the things Schneier says aren't for beginners; but beginners don't read Schneier's site. The essay isn't for the beginners -- it's for their "tech support" (i.e., their knowledgeable friends and family). For the people who are called upon to help, Schneier's advice is liable to be quite sufficient.

Though I will agree that the "secret police" reference probably didn't win him any extra converts...
posted by lodurr at 3:39 PM on December 13, 2004


...delete the files 'command.com' and 'cmd.exe.'"

You can have my command line when you pry it from my cold, dead fingers.
posted by mr_crash_davis at 3:45 PM on December 13, 2004


Giving up or facing the facts? You can't take the spyware-encrusted, Mom & Pop user, who thinks that the "hard drive" means the beige box that you turn on, and get them to start following 20 or so detailed technical commandments. Gordon's point about the likely consequences of telling these people to delete "things they don't use" on their PC seems apt.
posted by crunchburger at 3:56 PM on December 13, 2004


But Schneier's not telling those people to do that -- he's telling the people they go to for support.

Which is to say, Gordon misunderstands the audience. Neither his audience nor Schneier's is so technically unsophisticated that they don't know enough not to screw this stuff up badly enough to risk their data.
posted by lodurr at 3:59 PM on December 13, 2004


Where do you get a free copy of AVG anti virus? I tried their site and somehow ended up with a 30 day demo that I have to pay for instead.
posted by mathowie at 4:08 PM on December 13, 2004


SplashId does the "one master password to rule them all" trick well. Fairly user friendly, Blowfish encryption, with Palm, Mac, and Windows versions.
For those who insist on writing out their passwords without encrypting, I tell 'em to write all the following information down on the same paper or in the same file:
1 - name
2 - social security number
3 - date of birth
4 - mother's maiden name
5 - address and phone number
6 - number and expiration date of your favorite credit card
If you're confident enough in your password-storage system that you'll put that info in with it, I'll trust you on it.
posted by mistersix at 4:11 PM on December 13, 2004


If you're confident enough in your password-storage system that you'll put that info in with it, I'll trust you on it.

Am I confident enough to write down my one master password? No. And the same caveats apply for that master password that apply for any password: It needs to be secure enough that it's going to be difficult, at best, to memorize.

Single master password approaches really only centralize the failure mode. If you're carrying around a laptop protected on some kind of single-master-password basis, you're an accident waiting to happen.

And anyway, master-password systems are at least as much of a problem for unsophisticated users as anything else suggested here, since you can't trust them to use such a system properly any more than you can trust them to do any of these things properly.
posted by lodurr at 4:18 PM on December 13, 2004


Er, what *is* the security risk of the Windows command interpreter (cmd.exe)? Is it just to make it hard for people with rootkits? Seems to me that you'd want to keep it around for ping and ipconfig, at the very least.
posted by eschatfische at 4:20 PM on December 13, 2004


Matt: There's a separate free edition. You probably downloaded the commercial version.
posted by neckro23 at 4:22 PM on December 13, 2004


Wait a minute, you mean my passwords shouldn't all be "password"?

Next you're gonna tell me that my login isn't "login".

Actually I'm looking forward to retinal scans for everything. Except for porn sites, those are renal scans.
posted by fenriq at 4:27 PM on December 13, 2004


Schneier himself did the "one master password to rule them all" thing too, but only for Windows. PasswordSafe encrypts your passwords with AES, and handles the clipboard correctly, never displaying a password on the screen so that you can use the password safe even when someone's watching over your shoulder. Bruce is no longer developing PasswordSafe but development has been taken over by volunteers.

MyPasswordSafe is a port of PasswordSafe to Linux that works the same way Schneier wasn't involved in the port, so you need to trust or verify that the guy that did the port didn't screw up the crypto on the way.
posted by mendel at 4:29 PM on December 13, 2004


lodurr: I think I've read some things from Schneier which suggests that he takes a broader view of computer security than what this debate about passwords suggests. Lets be honest here. For most people, posession of a wallet can make a lot of institutional passwords moot. Likewise, the strength passwords I use to encrypt my weekly backups is based on the fact that anyone with a crowbar can take my computer home with them and get that data. I think there is a valid critique that we spend too much time arguing about passwords.

I think the problem with your claim that he is not addressing the "average internet user" comes in the first paragraph of his essay.
posted by KirkJobSluder at 4:36 PM on December 13, 2004


Well, tech support for family can be easy as long as you handle it properly. Remind them gently that a computer is an expensive piece of machinery, like a car. Follow the advice of your "mechanic", and it will run much better and last longer.

Now, most people have certain things in their mind that a computer is "supposed" to do for them. Find this out, it'll save you a lot of time. Don't lie and say they can't do something that they can. They'll find out one way or another, and they won't trust what you say again, and you might as well give up on effective prevention.

Schneier is appropriately paranoid, but it's important to know how the non-techie sees his or her computer. They want to do things with it, and they don't like being restricted from their own machine. They need to know why insecure things are insecure, and without any techno-babble whatsoever. If you worry about spammer hijackings or trojans, call it a virus. They'll realize virus = bad.

If you simply cannot keep that certain member of the family from obscene security holes that annihilate their system all the time, and they won't accept Linux or a Mac due to the lack of games, refer them to a friend of yours who knows tech support. You can't charge your own family for tech support, but your friend can, and when they're shelling out $20 a visit every week when they find all sorts of new virii, they'll quickly learn to avoid this behavior. It's a last resort, but most people just don't get that you don't have time to spend 10 hours a week at Uncle Joe's, cleaning his computer from viruses he obviously got at porn sites.

You can't just continuously fool-proof their computer, something will get them sooner or later. You have to teach them basic Internet survival skills, or else you're going to be holding their hand for a very, very long time.
posted by Saydur at 4:41 PM on December 13, 2004


fenriq: The implications of retinal scans are scary. It's one thing to have a really hard-to-duplicate key, but it's another thing entirely to have a lock you can't change. What happens when what was thought to be hard to duplicate ends up easy?

Fingerprint scanning turned out to be easy, for instance — all you need is a gummi worm.
posted by mendel at 4:45 PM on December 13, 2004


Mendel, yeah, I know there are issues with the lock you can't open if you lose the key.

But I wasn't aware that I could break into the Pentagon with a gummi worm. That is damned cool! Who needs MacGyver anyway?
posted by fenriq at 4:59 PM on December 13, 2004


...delete the files 'command.com' and 'cmd.exe.'"

You can have my command line when you pry it from my cold, dead fingers.


Too right. If I have to troubleshoot a PC's network connection and I find out they've taken this piece of advice, I might just post him the whole box and get him to fix it for me.

There is a lot of stuff there which is good advice and is maybe common sense to those in the know, but there is a lot of tripe as well. Passwords kept in wallets, shutting down you PC when not in use (what, even after sticking it behind a NAT'ed firewall?), I still don't do Internet banking etc, etc.

Mind you, as another person who has the job of cleaning up PCs, I never fail to find it amusing when the parents of 15 year old boys start asking us how all the porn pop ups have appeared on their machine...
(should I tell them, or let them work it out for themselves?)
posted by qwerty155 at 5:00 PM on December 13, 2004


As much as I respect Bruce Schneier, there's a lot of bad advice in this article.
posted by Nelson at 5:06 PM on December 13, 2004


Anyone that recommends getting rid of cmd.exe or command.com can't possibly have their head screwed on straight. Or has never had to fix a family member's computer. At the very least, rename it as IAMTHEREALCMD.EXE or something.
posted by angry modem at 5:23 PM on December 13, 2004


As much as I respect Bruce Schneier, there's a lot of bad advice in this article.

I agree. Plus, I still fail to see the point of the article. If you are Internet savvy enough to find and read his article, you probably know all the basic advice he is providing. And if you are not that savvy, you're never going to read that article either.

In addition, I really don't like the "don't use Internet Explorer" advice (among many others I don't like). I don't think Firefox has gained enough market share to justify giving that advice. Yes, I use Firefox; but only because I know when a site doesn't look right in Firefox and can switch over to Internet Explorer. Forcing a computer novice to switch over to Firefox pretty much equals to locking that person out of several sites, including many financial sites...
posted by tuxster at 5:27 PM on December 13, 2004


Just buy a Mac already.
posted by AlexReynolds at 5:48 PM on December 13, 2004


qwerty155: Passwords kept in wallets,...

Pardon if I seem a bit dense. But while everyone is griping about it, nobody seems to be providing good reasons why it would be a bad idea in terms of the usability/security tradeoff to have a strong password in a wallet, as opposed to a weak password in falible human memory. If you read more of Schneier than this article, you would know that he comes from the perspective than an unusable security system is equivalent to no security system at all.

If we start from his point of view that reasonably secure passwords are extremely difficult to memorize, then you have two choices:
1: keep the password in a safe place.
2: use a weak password that you can memorize.

Schneier seems to be of the opinion that 2 is not a good option, so where is a safe place to keep your password?

I think that a wallet is as good as it gets. First of all, just the basic information that comes with a wallet gives an attacker all the information needed to bluff past many passwords. So having the password in the wallet provides minimal additional risk over loosing a wallet to begin with. Secondly, people usually know if a wallet is lost or stollen within a few hours, and can take quick action.

Now you can say, "never write down passwords," but newsflash for you, it doesn't work. It doesn't work, it hasn't worked for nearly 20 years of computer use, pretending that we can get everybody to be comfortable with memorizing strong passwords is magical thinking. After 20 years of failure, we need to start making some difficult choices as to whether we persist with something that does not work or whether we start looking at alternatives.

shutting down you PC when not in use (what, even after sticking it behind a NAT'ed firewall?)

NAT firewalls don't protect you against software that dials out from a NAT host to another host.
posted by KirkJobSluder at 5:50 PM on December 13, 2004


For AVG, try this file from free.grisoft.com. The grisoft.com pages are timing out for me. So far, so good with AVG on my son's pc.
posted by theora55 at 6:01 PM on December 13, 2004


I would like to use my comment in this thread to inform everyone that I've followed the Mefites' advice from my previous AskMefi question and my parent's computer now works splendidly. I've provided them with Norton Ghost, so whenever a problem arises, they just pop in the CD and Norton Ghost does the rest.

Coincidentally, the first person to use the machine was my Mother and she crashed Windows on the very first log on.

So thank you everyone. And, good post.
posted by Colloquial Collision at 6:05 PM on December 13, 2004


i love the free and daily-updated avast antivirus, and long since disabled norton. the cleaner is free and also very good in tandem with avast.
posted by moonbird at 6:21 PM on December 13, 2004


Thanks.
posted by semmi at 6:25 PM on December 13, 2004


KJS, I totally agree with you.

A sweep of your average office or home will reveal written-down passwords, personal and corporate, not to mention enough personal info to enable some serious identity theft. People are pretty damned careful with their wallets, and this seems like a compromise that acknowledges the realities of human behaviour (something Schneier is really insightful about compared to most people who write in this field).

My only reservation is that in my country several banks have chosen to use numbers printed on ATM cards as usernames, which is pretty damned stupid anyway, but definitely not a good thing when combined with a password in the wallet.
posted by i_am_joe's_spleen at 6:39 PM on December 13, 2004


In addition, I really don't like the "don't use Internet Explorer" advice (among many others I don't like). I don't think Firefox has gained enough market share to justify giving that advice

I really don't know why people think this stuff is difficult. Software firewalls are not a difficult concept to grasp, and neither are hardware firewalls. You can replace IE with Mozilla or Firefox without people freaking out. I'm more skeptical about crypto, but 99% of PC users will never have a need for a command line. Yes, it's nice to have if you need it for troubleshooting; so rename it, fine.

I know this is not rocket science and I know it can work because I've made it work. I'm not talkng from a naive perspective, here. I've done lots of tech support, both the friends 'n' family thing and the real, job-description thing, in lots of different kinds of roles. I've done purchase-to-grave support for PCs and Macs for a couple of different stretches. I know what people can be expected to handle, and I know what I've helped them handle. Most of this, they can handle.
posted by lodurr at 6:59 PM on December 13, 2004


It surprises me that nobody has suggested one of the simplest methods of password protection: camouflage. Any seemingly random pattern of letters, numbers and characters can be hidden among any other. I once had to keep track of a four-digit key sequence for a phone card (let's say it was 5739), and I didn't use it often enough to memorize it. So, I wrote something like this on a small card in my wallet:

183457391230
093727592461

What nefarious stranger, seeing that, could possibly realize that the fifth through eighth digits were the key to my valuable overseas phone card?

Hiding things in plain sight is often a valuable technique. Sherlock Holmes knew it, and it can work for you, too.
posted by Faint of Butt at 7:18 PM on December 13, 2004


For high-security Web sites such as banks, create long random passwords and write them down.

But what do you do when your "high security web site" (cough, Bank of America, cough) actually throttles the passwords (4-7 numbers and/or letters, case sensitive) so that you cannot enter a reasonably secure one?

Even better is the fact that your default ID for their online banking is your Social Security number. Schneier might want to mention something about THAT as well.
posted by QuestionableSwami at 7:22 PM on December 13, 2004


another option is to have a substitution procedure that is easy to do (and remember) and just remember simple passwords but pass them through this procedure to generate your real passwords as needed.

for instance:
say your easily remembered password is: thisismypassword

you could then have your real password be that the first however many digits your bank or whatever will allow of the result of running "thisismypassword" through an md5 hasher n times. where n is secret.

occasionally mix it up by running the whole mess through rot13 in between md5-ing it and you should be pretty safe in assuming that no one is going to randomly reproduce the order in which you did things.

(i pick rot13 and md5 because dave's quick search will do these, but you can use anything that's quick and easy; there's even enigma and vigenere applets on line)
posted by juv3nal at 7:52 PM on December 13, 2004


Faint of Butt - I do something similar. Basically, my passwords are written down in an easy-to-remember (but hopefully hard-to-figure-out) personal mnemonic code.

So, for example, I might write down metafilter h3, which would mean my metafilter password was ha6Vn3a, or some such.

Admittedly, I'm not what you would call a sophisticated user, so if this is a stupid idea I'd appreciate someone telling me and letting me know why.
posted by kyrademon at 8:31 PM on December 13, 2004


Faint of Butt's idea reminded me of this excellent half-baked idea: write down a bunch of PINs (or passwords in this case) on the card - only you know the right one.
posted by jewzilla at 8:51 PM on December 13, 2004


I really don't know why people think this stuff is difficult. Software firewalls are not a difficult concept to grasp, and neither are hardware firewalls. You can replace IE with Mozilla or Firefox without people freaking out.

lodurr, regarding the browser issue: I never said it is difficult. What I said was that there are enough significant sites out there that don't support Firefox, that if you replace IE with Firefox on someone's machine, you are effectively locking them out of these sites. Some samples include including Yahoo Games, Yahoo Sports GameCenter (live tracking of games), Launch Music, Faretracker, and, of course, Windows Update. Then there are sites where advanced features are not accessible (because they use VBScript or Active-X) such as MSN Investor and Expedia. Finally, there are sites that just show up butt ugly and sometimes illegible.

How many times did you tell your novice "friends 'n' family" that because of your unilateral decision that Firefox is the better browser for them, they will not be able to access these sites?

Now, about the firewall: many firewalls will give cryptic messages about some .exe or .dll or some service trying to access the Internet. How exactly those novice users knows which ones to allow and which ones not to? My experience is that if you watch novice users, you'll see that after a couple days they simply start saying yes to every warning message that comes up, making the firewall quite ineffective...
posted by tuxster at 8:51 PM on December 13, 2004


NAT firewalls don't protect you against software that dials out from a NAT host to another host.

No, but up to date AV software that stops you getting dialers on your PC in the first place will.

As for the question of a better method of passwords, a couple of MeFi have beaten us to it. I work for a small IT firm that supports over a dozen other small companies, so as well as my own personal logins I have all the passwords for these to remember as well (prob >30 or so). And none written down.
Simply choose one of your favourite phrases/TV programmes/bands and change a couple of the letters for numbers: 'th3s0pran0s','t0mw@1t5','butcher5h00k' etc, etc
Works for me.
posted by qwerty155 at 1:52 AM on December 14, 2004


tuxster: I find that if I explain to people that IE is just not secure, and should only be used as a last resort if they can't make Firefox work, most people see the sense in that. I've only had one person (an older guy, very set in his ways) stick with IE after trying out Firefox (getting Thunderbird past the first few retraining hurdles was an uphill battle - if it were not for the embarrassing spam he was getting lots of, he'd probably have stuck with OE).

Also, Yahoo Games works fine for me with Firefox 1.0 and Sun Java (J2SE 1.4.2-05); what problem have you had with it?

And on the internet banking thing: my credit union IB site wouldn't display menus with any Mozilla-family browser and they only offered tech support for IE and Netscape 4.x, so I stuck with IE for that until I got irritated enough to investigate. Then I installed Chris Pederick's User Agent Switcher extension into my Firefox, and now it works perfectly as long as I tell Firefox to pretend it's actually Opera 7.54. Go figure.

I understand there's an ActiveX plugin for Firefox that allows explicit control over which controls are allowed to run and which sites are allowed to install them. I haven't played with it myself, but it seems to me that the "need" for IE is now more a belief than a reality.
posted by flabdablet at 3:32 AM on December 14, 2004


I keep all my passwords in a password protected file on my Palm. Seems weird, but I only have to remember 1 password.
posted by knave at 3:04 PM PST on December 13


Yup. me too.

Too many to remember them all, especially since they are complex passwords and are changed every 90 days.

Great little freeware program for the Palm. Password protect the Palm and then password protect the passkey file.
posted by nofundy at 4:56 AM on December 14, 2004


You guys make me feel like I'm wandering through Times Square every day with my wallet sticking out of a wide open backpack. I have dopey simple passwords and buy things from sites I've not heard of before.

At least I do use Firefox, but just because I love tabs!
posted by CunningLinguist at 5:29 AM on December 14, 2004


As much as know I should be using Firefox for security reasons, I can't give up Maxthon (crappy name, excellent program) which is IE based but similar to Firefox in many ways.

Tabbed Browsing Interface
Mouse Gestures
Super Drag&Drop
Privacy Protection
AD Hunter
Google Bar Support
External Utility Bar
Skinning

If you have to use IE for some reason, try this. I have no problem with sites displaying correctly and I haven't gotten any spyware/malware for the last nine months since I started using it.

Of course, its FREE.

And the idea of hiding PINs/passwords in camouflaged plain sight is an excellent idea. Also, a detailed printed backup of all passwords (except the, uh, questionable ones) placed in a safe deposit box will come in handy if you get squashed by a bus.
posted by Enron Hubbard at 5:57 AM on December 14, 2004


plain sight vote here. i've had my root password sitting on my desk in plain sight for a couple of years now, and nobody but me knows what it is. the sheer number of things you can sit on a desk, i mean, how hard is it to leave a reminder that nobody else would think of?

for example there's an aspirin bottle on my desk right now. on the back there's a printed expiration date and lot number. i think that 7/04_253372K would make an excellent password if i so chose to use it, and who would look twice at an aspirin bottle when looking for a password?

i mean, come on, here are more that could be easily used:
pat2424649 (patent number for my stapler)
B3132HA1114861LH (serial number off a random CD-R)
0-7380-1408-7 (ISBN number for a lab manual)

if it's something you use daily, even a pretty hard password can be remembered. i keep the hidden-in-plain-sight desktop reminder just in case i ever do forget, but so far i haven't had to refer to it.

think of the possibilities... for even more fun, you can code the password; ie, representative rather than written: have a plant on the desk? how about genus name + hex code for the color of the pot?

(and for the record, the root password is for a server in another building. guess i'm a little too paranoid to actually keep it in the same room as the computer it is for...)
posted by caution live frogs at 6:52 AM on December 14, 2004


delete the files "command.com" and "cmd.exe."
HELLO. I HAVE TRIED TO DELETE THE FILE COMMAND.COM, BUT CANNOT. THE COMPUTER WILL NOT LET ME. ALSO I CANNOT FIND CMD.EXE. I THINK I WILL TRY TO USE MY WINDOWS RESCUE DISK AND THEN DELETE THE FILE. I HOPE IT WILL WORK. I AM USING WINDOWS ME.
posted by seanyboy at 7:01 AM on December 14, 2004


How many times did you tell your novice "friends 'n' family" that because of your unilateral decision that Firefox is the better browser for them, they will not be able to access these sites?

First, I didn't make a unilateral decision. I told them what I was doing, and I told them what to do if they couldn't load a site that they used. In all cases where I've been able to follow up, incidentally, they haven't had to load a site that can't be shown in Mozilla. (And it's Mozilla, not Firefox, BTW: I never install Firefox for a novice user. Mozilla is much more stable.)

As for Windows Update: Have you noticed that little option on your Start menu that's labeled "Windows Update"? Funny thing how, even after you install another browser, that gosh-darned thing still loads IE every time you click on it... And what about that there "Auto-Update" doo-hickey that them highfalutin' experts is always tellin' us to eeee-nable. Ain't it cool how that don't use no browser 'tall?
posted by lodurr at 7:04 AM on December 14, 2004


This article is so poorly thought out. It seems he hasn't even considered who his audience might be. Delete cmd.exe? Please...

Here's a tip: If you use Windows 2000 or XP Pro., go to Start>Run, and run "mmc".

Go to Console>Add/Remove Snap-In, and add Group Policy. Bury yourself in the cascading menus for a good half-hour, and you'll find a wealth of options you can set to restrict certain actions on the computer, including disabling some of the security holes in Internet Explorer (like install-on-demand). You can also enable extra logging. Take a look, it's a great thing for any Windows user to explore. Whenever I help someone with their computer, I go straight for "Disable Run Once/Legacy Run List" (two separate options) and "Disable AutoPlay". This prevents a huge amount of spyware/adware from running automatically at the next reboot. There is a "Run these programs at logon" option for adding back the things you really need (trackpad drivers, printer helpers, etc). Many options are repeated in both the User and Machine trees, be sure to address both. Also add the Services snap-in, and disable unnecessary services, like Messenger or Remote Registry Service.

Note: I only take care of Windows machines at work or relatives' homes. If you're serious about security without wanting to study it daily, use something else. Try Linux, or OS X.
posted by odinsdream at 7:36 AM on December 14, 2004


querty155: No, but up to date AV software that stops you getting dialers on your PC in the first place will.No, but up to date AV software that stops you getting dialers on your PC in the first place will.

I've found that many times the gap between discovery and patch is unacceptable. And there is also the social engineering factor. Quite a bit of adware and sypware seems to be desired by users.

As for the question of a better method of passwords, a couple of MeFi have beaten us to it. I work for a small IT firm that supports over a dozen other small companies, so as well as my own personal logins I have all the passwords for these to remember as well (prob >30 or so). And none written down.
Simply choose one of your favourite phrases/TV programmes/bands and change a couple of the letters for numbers: 'th3s0pran0s','t0mw@1t5','butcher5h00k' etc, etc


Will all due respect, l33t substitutions of common phrases, names, bands, and programs are only marginally better than than their plaintext equivalent. Dictionaries and programs have existed for l33t substitutions for over a decade, and a trivial amount of social engineering makes this type of password even easier to crack. So basically what you are advocating is is the compromise that Schneier finds to be unacceptable. Given a choice between writing down a strong password, and using a weak password, you choose to use a pathetically weak password. This is the kind of tradeoff that makes password-based security fundamentally broken.

All of those suggestions have a series of flaws. Steganography can be defeated using a simple brute force method in minutes. Serial numbers are weak passwords and a person who has access to your desk can simply add those to the desktop.

MD5-hash a weak password? Not any better than the original weak password. It works if you use a long passphrase, but I suspect that it won't be long before cracking dictionaries contain MD5-hashed common words, names, and bands. The second problem is, again, you are expecting the user to do work. Rather than just letting the user log in, you are asking them to calculate a value in an applet, and paste that value into the login field.

Storing passwords in a password safe again, depends on the ability and willingness of the user to choose a strong master password. Something that we know a large number of users won't or can't do. Instead, we have multiple passwords protected by a pathetically weak password such as "th3s0pran0s".

Which is exactly the problem with the "never write down passwords" dogma. It makes a broken security system even worse, because you have people try to patch over the problems with memory aids vulnerable to social engineering attacks, or worse, bad password generation suggestions.

So again, what specifically is the problem with using a strong password stored in a wallet? In what way is this such a greater risk than giving someone a key to the office? I would argue that a strong password (random letters, numbers and control characters) in a safe place is less of a risk than weak passwords or desktop mnemonic aids.
posted by KirkJobSluder at 11:01 AM on December 14, 2004


An truly honest question here: Is there anyone actually trying to crack my grandmother's password to get onto her online amazon account? Or her hotmail account? I understand there is a slight risk, but is there a clear and present risk?

I remember the panic moments after installing zonealarm and then seeing all of the alerts. A "port probe"!!! Holy christ! It was only after doing a lot of research that I even began to understand what the nature of the risk was to my machine was (i.e., almost none). I keep the firewall on, but I have no idea if it is working. I keep a subscription to Norton AntiVirus up and running, automatically update Windows XP, and run SpyBot and AdAware now and then. That's it--that's all I understand how to do. I try to mix numbers with names I can remember for passwords. And I'm a highly educated professional whom others turn to for tech advice. I am very disappointed in the computer industry--keeping a machine running and your accounts in order should not be this difficult.
posted by _sirmissalot_ at 1:31 PM on December 14, 2004


"A truly honest question . . ." *sigh*
posted by _sirmissalot_ at 1:32 PM on December 14, 2004


As for Windows Update: Have you noticed that little option on your Start menu that's labeled "Windows Update"? Funny thing how, even after you install another browser, that gosh-darned thing still loads IE every time you click on it... And what about that there "Auto-Update" doo-hickey that them highfalutin' experts is always tellin' us to eeee-nable. Ain't it cool how that don't use no browser 'tall?

Pah! That's so typical SNL computer guy that it's not even funny. So, you got me on one site, big deal; good for you! How about the 6 other sites I mentioned, or the 7546 (or so) other sites that I did not waste time mentioning but that have problems by non-IE sites? By the way, since Mozilla and Firefox have the same engines (possibly different versions, but that's not too important), I don't think the difference between the two in terms of site support is that significant (other than cases, where the programmer is too stupid to look at the user agent and lock out Firefox users).

flabdablet: I'm not talking about sites that you can use by faking a user-agent (which a novice would not be able to do by the way), but actual sites that have content not supported by these browsers.

Installing ActiveX for Firefox surely solves some of those compatibility problems, but again makes your computer more vulnarable to viruses, trojans, and spyware (since many use ActiveX as a way to get through, and why Firefox is inherently more secure). But even then, for novices this is too much effort to make it practical...
posted by tuxster at 2:05 PM on December 14, 2004


If a site demands that you use only one of the dozens of browsers available to users in order to access its information, it's not a site worth using. You'd be very hard-pressed to name any site that is sufficiently crucial to someone's day to day usage to justify continued use of a browser that is a ragingly inferior security hole from hell.
posted by Dreama at 2:55 PM on December 14, 2004


Enron Hubbard - Opera has almost all of those. You might want to take a look.
posted by Hactar at 10:10 PM on December 14, 2004


Can anyone tell me what the actual risk of attack is, given x amount of users online at any time,y people tooling around to steal passwords/data/etc., and z people actually obtaining enough of your personal information to do damage? And if this is directed towards people at the workplace or such who handle more sensitive information - wouldn't they have IT professionals in the office for the purpose of protecting said data?

Something tells me this is like a situation not unlike being struck by lightning/being killed by a terrorist attack/being sued by the RIAA...
posted by Tikirific at 2:09 AM on December 15, 2004


« Older Backfence.com wants to see a thousand tiny website...   |   What I had come looking for we... Newer »


This thread has been archived and is closed to new comments