Web services and network managers nearly always require a minimum degree of password difficulty to prevent standard password-cracking techniques from guessing them quickly. We’re also cautioned not to reuse the same passphrases on different sites and are routinely blocked from recycling the passwords we’ve used previously.

Considering the number of times PC users sign into a service or network each day, we may need to remember a half-dozen hard-to-guess passwords, not to mention the various sign-in IDs we use along with the passwords (full name or first initial-last name? Case sensitive? An e-mail address?). Many computer professionals need access to dozens of secure systems, which stretches the limits of anyone’s memory.

Your three options are to use a password-management program, to write your passwords down on paper (or record them in an encrypted text file), or to devise a method for memorizing hard-to-guess passphrases. While no single technique is right for everyone, here’s why I suggest the memorization approach.

The pros and cons of password managers
For many people, the best way to protect their data and identity is to use a password manager, which either stores your passwords in the cloud or on a local drive–often a USB thumb drive or other portable storage device. The obvious risk is that the vendor’s server is hacked or you lose the drive that stores your passwords.

Last May, the LastPass password-management service reported a breach that may have exposed users’ passwords, although LastPass CEO Joe Siegrist stated that people who used strong master passwords were not threatened.

Other password managers work without storing your passwords on a Web server. The Tech Support Alert site recently compared several free password-management programs, including LastPass, RoboForm, and KeePass.

The hard-copy approach to password management
If you forgo the password-manager route, your options are to write your passphrases down or to memorize them. Whenever you record your passwords on paper–even if you record only a mnemonic that reminds you of the actual characters–you’ve made your accounts a little more susceptible to unauthorized access.

That hasn’t stopped computer experts from recommending that users jot down their passwords and keep the paper in a secure location. Gunter Ollman, a researcher for security firm Damballa, concludes that recording your passwords on paper is the lesser of several password evils; more risky is using the same password at multiple sites, setting your software to remember passwords, failing to change passwords frequently, using an easy-to-guess password, and reusing past passwords.

Likewise, computer expert Bruce Schneier reiterated on his Schneier on Security blog the advice of Microsoft executive Jesper Johansson to record your passwords on paper to encourage use of strong passwords.

The obvious downside of the paper approach is that someone will find the paper taped to the bottom of your keyboard or tucked into your wallet and access your private data before you’re able to take preventive measures. Or you may simply lose the paper and have to do the recover-password-by-e-mail two-step for each network and service you need to access.

The wetware approach to password storage is still the safest
As you might have guessed, Mr. Schneier’s 2005 post recommending that you write down your passwords generated quite a few comments to the contrary. Most of the commenters suggested their own technique for remembering strong passwords.

Of course, the bad guys pay close attention to this information and will attempt to incorporate the approaches in their password-cracking efforts. The key is to get creative in altering something you’ve already memorized, such as song lyrics, family members’ first names, or place names from your past.

An alternative method leverages something nearby. For example, there may be a product near your workstation that has a prominent model or serial number, or a book within view of your seat has an ISBN number on the back cover. Rather than using the exact number, add or subtract two or three numbers or letters, so “1158748562″ becomes “3370960784,” or “BCGA1339″ becomes “DEIC3551.”

The only problem I’ve encountered with my own password-mnemonic creation is that some vendors require a mix of upper and lower case letters and numbers. I have become resigned to having to go through Apple’s “Forgot your password?” e-mail routine about every other week.

This is doubly upsetting because my system uses from 12 to 16 random alphabetic characters (found in no dictionary and following no discernible pattern). As the How Secure Is My Passwordsite indicates, the all-text, all-lower-case password I devised would take much more effort to crack than an eight-character password that meets Apple’s requirements.

Check the strength of your passwords at the How Secure Is My Password site, which indicates how difficult your password is to crack, and whether it’s on the site’s common-password list.(Credit: screenshot by Dennis O’Reilly)

Only time will tell whether PC users will ever be able to securely store their sign-in credentials in their systems’ software or on a service’s Web server. For most people, the safest approach to passwords is to rely only on their own personal gray matter. Let’s hope a secure alternative to passwords arrives before our memories give out.

 Dennis O’Reilly @ CNET

If unethical journalists can do it chances are anyone can, right?

To test my theory I called up Kevin Mitnick, who wrote about the hacking and social engineering that landed him in jail in a fascinating book coming out this summer, “Ghost in the Wires,” and who serves as a security consultant, helping clients protect against privacy breaches such as this.

Phone hacking, also known as “phreaking,” is easy to do, Mitnick said, adding that he could demonstrate it on my phone if I wanted proof. So I gave him permission to access my voice mail and told him my mobile phone number.

He called me right back on a conference call so I could hear what was going on. First he dialed a number to a system he uses for such demonstration purposes and entered a PIN. Then he was prompted to enter the area code and phone number that he wanted to call (mine) and the number he wanted to be identified as calling from (again mine). Next thing I know I’m listening to a voice message a friend of mine left me last night that I hadn’t erased.

“See how easy it is?!” Mitnick says as my jaw drops.

He was able to get into my voice mail by tricking my mobile operator’s equipment into registering the call as coming from the handset–basically pretending to be me. To do this, he wrote a script using open-source telecom software and used a voice-over-IP provider that allows him to set caller ID, but there also are online services that provide similar capability that non-hackers could subscribe to. It might be easier or harder to accomplish depending on the mobile operator, he said. (I’m keeping some of the details sketchy to avoid providing a how-to for phreaking.)

“Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes,” Mitnick said. “If you’re not adept at programming, you could use a spoofing service and pay for it.”

This technique, called Caller ID Spoofing, has been used and abused for years. In 2006, a caller ID spoofing account in the name of Paris Hilton was suspended for voicemail hacking, with other celebrities, including Lindsay Lohan, allegedly being victims, according to IDG News Service.

The method is more sophisticated than that allegedly used by the British journalists who are accused of using default PINs to access victims’ voicemail accounts, assuming correctly that many people wouldn’t bother to change the PINs. Since the phone hacking scandal first erupted about five years ago, mobile operators in the U.K. have changed their practices and most now require people to set their own PINs for remotely checking voice mail.

If I want to avoid having anyone use Caller ID Spoofing to access my voice mail again, I need to change my phone settings to require a PIN even when checking voice mail from my mobile device. But that doesn’t address the fact that mobile operators don’t authenticate caller ID. “The magic is that my VoIP provider allows me to set any caller ID and the other operators trust it,” Mitnick said. “Caller ID is automatically trusted.”

Mobile phone industry specialist David Rogers suggests on his blog that operators should consider preventing people from accessing mobile voicemails remotely at all.

Meanwhile, the Truth in Caller ID Act of 2010, which was signed into law late last year, prohibits anyone intending to defraud, cause harm, or wrongfully obtain anything of value from knowingly causing any caller ID service to transmit or display misleading or inaccurate caller ID information. This could send the caller spoofing services off shore but likely won’t put an end to the practice.

by Elinor Mills @ cnet.com

While they were on the road, their home in Mesa, Ariz., was burglarized. Hyman has an online video business called IzzyVideo.com, with 2,000 followers on Twitter. He thinks his Twitter updates tipped the burglars off.

“My wife thinks it could be a random thing, but I just have my suspicions,” he said. “They didn’t take any of our normal consumer electronics.” They took his video editing equipment.

Most people wouldn’t leave a recording on a home answering machine telling callers they’re on vacation for a week, and most people wouldn’t let mail or newspapers pile up while they were away. But users of social media think nothing of posting real-time vacation photos on Facebook showing themselves on beaches hundreds of miles from home, or sending out automatic e-mail messages that say, “I’m out of the country for a week.”

“I’m amazed at how many people get on there and say they’re going on vacation,” said Lee Struble, head of security at Monroe Community College in Rochester, N.Y.

Struble, 53, is a member of Facebook with more than 200 friends, many of them classmates from high school and college who recently reconnected through the site. “Some of these people you haven’t seen in 20 or 30 years,” said Struble. “But they know where you live or can find out pretty easily, they can do a Google Maps search and can get directions to your house, and you’re telling them that you’re going to be gone.”

Struble is careful about his outgoing e-mail messages. “I just tell people I’m going to be out of the office; I don’t say I’m going to be out of town,” he said.

Despite the fact that so many people share their vacation plans via the Internet, most Americans don’t think private information is secure online. “We actually polled on that question, and the majority of people, teenagers and adults, think that a determined searcher can find them — no matter how careful they are with information,” said Lee Rainey, who has studied Internet behavior extensively as director of the Pew Internet and American Life project in Washington, D.C.

New communication technology has always brought with it new risks and rules, usually learned the hard way. When telegrams were a primary means of long-distance communication, correspondents struggled to craft messages that would convey meaning without revealing private business to the operator. Party line phones were often conduits of news and gossip. And Prince Charles showed the world painfully that mobile conversations could be intercepted when his pillow-talk call to Camilla Bowles was made public.

Facebook and Twitter are so relatively new that users may not consider all the risks. For Hyman, Twitter was a way to connect with fans of IzzyVideo.com, where he offers how-to videos on video production. His wife teaches scrapbooking through videos at Paperclipping.com. About half of the new episodes they release are free, but viewers pay to access their archives.

“The customers have never met me in person,” Hyman said. “Twitter is a way for them to get to know me. You do business with people you know. I’m a real person. I take my kids to the park. I go on vacation. I’m not just some company!”

He added: “I forgot that there’s an inherent danger in putting yourself out there.”

Detective Steven Berry of the Mesa Police Department, which is investigating the burglary at Hyman’s home, said: “You’ve got to be careful about what you put out there. You never know who’s reading it.”

Despite the potential risks, some social media fans say they have no qualms about sharing their whereabouts.

“I don’t worry about it,” said David McCauley of Boise, a social media consultant who posts a running update of his activities for his Facebook friends. McCauley also communicates constantly on Twitter, where anyone can sign up to read your posts.

“If somebody really wanted to rob me, they could rob me whether they’re Tweeting about it or not,” McCauley said. “Most people who want to follow you (on Twitter) are typically not thieves, or they’re not looking to take your stuff; they just want to follow you and understand you.”

McCauley even plans to offer a description, via Twitter, of a trip to adopt a child overseas.

“In the grand scheme of all the noise that’s out here on the Internet and in Facebook and Twitter, there’s so much going on that it would be hard for somebody to zero in on me, looking for me to be gone,” he said. “I’m just not worth that much.”

Anne Wallace Allen, The Associated Press

See, it’s a sad (and expensive) fact of life: You’re lucky to get 18-24 months from a battery before it loses a good chunk of its charge capacity (meaning it no longer powers your laptop for as long as it used to).

And you’re accelerating this unfortunate timeframe if you leave your laptop plugged in 24/7, which is common for most folks who work at a desk. Because the battery rarely (if ever) gets a chance to discharge, it loses its capacity to hold a charge.

The simple solution: Pull the battery out of the laptop and leave it out when you’re deskbound. Most laptops can run on straight AC power, so there’s no need for the battery. And it’s easy enough to pop back in when you hit the road (though obviously you’ll want to make sure it’s charged, so plan ahead a bit).

It’s a hassle, sure, but consider the price of a replacement battery: usually $100 or more. What’s more, old, discarded batteries wreak havoc on landfills. Sooner or later, they’ll leak acid into the ground. So it’s in your best interests to keep your battery as long as possible, and to keep it from dying a premature death.

Rick Broida, PCWorld

• Ctrl-N: Create a new playlist
• Ctrl-Up Arrow/Ctrl-Down Arrow: Raises and lowers the volume, respectively.
• Ctrl-Left Arrow/Ctrl-Right Arrow: Skip back a song and skip ahead a song, respectively.
• Ctrl-Shift-H: Takes you directly to the iTunes Store home page.
• Space Bar: Play/pause the current song. (In other words, hit Space once to pause the song, again to resume, and so on.)

Rick Broida, PCWorld

So you need to search by metadata–the extra information that defines the contents of a file. Specifically, you need a program that can matches songs with the same title and by the same artist (because Smash Mouth’s “I’m a Believer” is not a duplicate of the Monkees’ original.)

You’ll also have to remember that no list of duplicate songs generated by software will be perfect. A program may not realize that Beatles and The Beatles are the same group. Nor can it always differentiate between the original studio recording and the live concert version. (I’ve known Dead Heads with probably ten versions of “Brokedown Palace.”)

But the right program can give you reasonably accurate lists to work through. Here are three I can recommend:

iTunes: Well, no, I wouldn’t recommend you download and install iTunes just for this purpose, but if you’re already using it, you’ve got a pretty good search tool. Just select File • Show Duplicates. If you have the same song as an .mp3 and a .m4a, iTunes will list both, but it won’t find any .wma versions.

Lincoln Spector, PCWorld

In other words, disconnect the power cords from both, wait about 10 seconds, and then plug them back in. In a minute or two, your network will be up and running again, and your Internet access might be its good old speedy self. I say “might be” because there are loads of other possible culprits for pokey Internet connections.

For example, you might have a spyware problem. Windows’ Internet settings might be FUBAR (or at least less than optimal). If you’re connecting via a wireless router, there could be range issues.

In most cases, however, it’s probably just a router and/or modem in need of rebooting. For the record, my neighbor told me the power-cycling trick worked like a charm. Hmm, maybe I should send him a bill? Nah, I’ll just give him a link to Hassle-Free PC. Feel free to do likewise for friends and relatives who need answers to common PC problems!

Rick Broida, PCWorld