How to master the art of passwords

Passwords are a way of life for nearly everybody who uses any kind of software. No viable alternative is imminent: fingerprint readers, retina scanners, voice identification, and USB tokens all have limitations. Nothing is as simple and inexpensive as an old-fashioned string of keystrokes.

Web services and network managers nearly always require a minimum degree of password difficulty to prevent standard password-cracking techniques from guessing them quickly. We’re also cautioned not to reuse the same passphrases on different sites and are routinely blocked from recycling the passwords we’ve used previously.

Considering the number of times PC users sign into a service or network each day, we may need to remember a half-dozen hard-to-guess passwords, not to mention the various sign-in IDs we use along with the passwords (full name or first initial-last name? Case sensitive? An e-mail address?). Many computer professionals need access to dozens of secure systems, which stretches the limits of anyone’s memory.

Your three options are to use a password-management program, to write your passwords down on paper (or record them in an encrypted text file), or to devise a method for memorizing hard-to-guess passphrases. While no single technique is right for everyone, here’s why I suggest the memorization approach.

The pros and cons of password managers
For many people, the best way to protect their data and identity is to use a password manager, which either stores your passwords in the cloud or on a local drive, often a USB thumb drive or other portable storage device. The obvious risk is that the vendor’s server is hacked or you lose the drive that stores your passwords.

Last May, the LastPass password-management service reported a breach that may have exposed users’ passwords, although LastPass CEO Joe Siegrist stated that people who used strong master passwords were not threatened.

LastPass is available as a Firefox add-on and as an extension for Internet Explorer, Chrome, and other browsers. The version for mobile devices costs $1 per month.

Other password managers work without storing your passwords on a Web server. The Tech Support Alert site recently compared several free password-management programs, including LastPass, RoboForm, and KeePass.

The hard-copy approach to password management
If you forgo the password-manager route, your options are to write your passphrases down or to memorize them. Whenever you record your passwords on paper, even if you record only a mnemonic that reminds you of the actual characters, you’ve made your accounts a little more susceptible to unauthorized access.

That hasn’t stopped computer experts from recommending that users jot down their passwords and keep the paper in a secure location. Gunter Ollman, a researcher for security firm Damballa, concludes that recording your passwords on paper is the lesser of several password evils; more risky is using the same password at multiple sites, setting your software to remember passwords, failing to change passwords frequently, using an easy-to-guess password, and reusing past passwords.

Likewise, computer expert Bruce Schneier reiterated on his Schneier on Security blog the advice of Microsoft executive Jesper Johansson to record your passwords on paper to encourage use of strong passwords.

The obvious downside of the paper approach is that someone will find the paper taped to the bottom of your keyboard or tucked into your wallet and access your private data before you’re able to take preventive measures. Or you may simply lose the paper and have to do the recover-password-by-e-mail two-step for each network and service you need to access.

The wetware approach to password storage is still the safest
As you might have guessed, Mr. Schneier’s 2005 post recommending that you write down your passwords generated quite a few comments to the contrary. Most of the commenters suggested their own technique for remembering strong passwords.

Of course, the bad guys pay close attention to this information and will attempt to incorporate the approaches in their password-cracking efforts. The key is to get creative in altering something you’ve already memorized, such as song lyrics, family members’ first names, or place names from your past.

An alternative method leverages something nearby. For example, there may be a product near your workstation that has a prominent model or serial number, or a book within view of your seat has an ISBN number on the back cover. Rather than using the exact number, add or subtract two or three numbers or letters, so “1158748562” becomes “3370960784,” or “BCGA1339” becomes “DEIC3551.”

The only problem I’ve encountered with my own password-mnemonic creation is that some vendors require a mix of upper and lower case letters and numbers. I have become resigned to having to go through Apple’s “Forgot your password?” e-mail routine about every other week.

This is doubly upsetting because my system uses from 12 to 16 random alphabetic characters (found in no dictionary and following no discernible pattern). As the How Secure Is My Password site indicates, the all-text, all-lower-case password I devised would take much more effort to crack than an eight-character password that meets Apple’s requirements.
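To make the shift mnemonic and the crack-effort comparison concrete, here is an added Python example (not from the article or the How Secure Is My Password site): it applies the fixed offset the article uses to its two sample strings, and compares the search space of a 12-letter lower-case password with an 8-character upper/lower/digit one. The 62-symbol alphabet for the mixed policy and the guess rate are assumptions.

```python
import math
import string

# Shift every letter and digit by a fixed offset, wrapping within its own
# alphabet, as the article does with "1158748562" -> "3370960784" (offset 2).
def shift_mnemonic(base: str, offset: int) -> str:
    out = []
    for ch in base:
        if ch.isdigit():
            out.append(str((int(ch) + offset) % 10))
        elif ch.isupper():
            out.append(chr((ord(ch) - ord("A") + offset) % 26 + ord("A")))
        elif ch.islower():
            out.append(chr((ord(ch) - ord("a") + offset) % 26 + ord("a")))
        else:
            out.append(ch)  # punctuation and spaces are left unchanged
    return "".join(out)

# Bits of search space for a random password of `length` symbols drawn from
# an alphabet of `alphabet_size` symbols: log2(alphabet_size ** length).
# This counts only length and character set; it says nothing about how
# guessable the base string a mnemonic was derived from is.
def keyspace_bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)

# Seconds to exhaust the whole space at an assumed guess rate.
def brute_force_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    return (alphabet_size ** length) / guesses_per_second

LOWER = len(string.ascii_lowercase)                # 26 symbols
MIXED = len(string.ascii_letters + string.digits)  # 62 symbols (assumed policy)

if __name__ == "__main__":
    print(shift_mnemonic("1158748562", 2))  # 3370960784
    print(shift_mnemonic("BCGA1339", 2))    # DEIC3551
    # The article's 12-letter lower-case password vs an 8-character mixed one:
    print(round(keyspace_bits(12, LOWER), 1), "bits")  # 56.4
    print(round(keyspace_bits(8, MIXED), 1), "bits")   # 47.6
    # Assumed rate of one billion guesses per second for an offline attack:
    print(brute_force_seconds(8, MIXED, 1e9), "seconds")
```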

Check the strength of your passwords at the How Secure Is My Password site, which indicates how difficult your password is to crack, and whether it’s on the site’s common-password list. (Credit: screenshot by Dennis O’Reilly)

Only time will tell whether PC users will ever be able to securely store their sign-in credentials in their systems’ software or on a service’s Web server. For most people, the safest approach to passwords is to rely only on their own personal gray matter. Let’s hope a secure alternative to passwords arrives before our memories give out.

Dennis O’Reilly, CNET

Report: Spam down, but malware continues hold

Spam may be down but malware marches merrily on.

That’s the message from the “November Threat Landscape Report” released yesterday by security vendor Fortinet.

Global spam levels ultimately fell 12 percent in November after Dutch authorities took down a large Bredolab network made up of 140 different servers. The Bredolab botnet was typically used by cybercriminals to send out spam selling fake drugs, according to Fortinet. Spam had actually fallen as much as 26 percent the week after the network was dismantled but was able to stage a bit of a recovery afterward.

(Credit: Fortinet)


The ever-present Koobface botnet, known for affecting Facebook users, also suffered a hit on November 14 when U.K. Internet service provider Coreix took down three of its central “MotherShip” servers. The perpetrators of Koobface use these MotherShip servers as their main command-and-control systems to direct the spread of the botnet and control infected PCs. The bad guys communicate with the MotherShip machines through intermediary servers.

Though the takedown of the MotherShip servers dealt Koobface a severe blow, the success was short-lived as the botnet operators were able to use stolen FTP accounts to hijack other servers, according to Fortinet.

“We confirmed that on November 14, when the primary servers were taken offline, the intermediary servers failed to proxy content, which effectively crippled the botnet,” Derek Manky, project manager for cyber security and threat research at Fortinet, said in a statement. “Unfortunately, we saw communication restored five days later on November 19th. This is likely due to the fact that Koobface contains an FTP harvesting module.”

Looking at other botnets, Fortinet found another prominent threat in November in the form of Sasfis, a botnet that infects PCs by using the standard port 80 reserved for HTTP traffic. Increasingly, botnets are using common ports to spread in an effort to blend in with normal traffic. Detections of Sasfis command-and-control servers were third on the top 10 attack list maintained by Fortinet.

Fortinet also discovered in November that the Hiloti botnet was using legitimate DNS queries to report back to its command-and-control servers, another example of a botnet trying to use standard protocols to avoid being detected.

Finally, zero-day vulnerabilities were found last month in Adobe Shockwave, Adobe Flash, Microsoft PowerPoint, Apple QuickTime, and Microsoft’s Internet Explorer. All of these weaknesses were cited by Fortinet as critical as they leave the applications open to attacks that are able to run code remotely.

In terms of sheer malware attacks among the top countries hit in November, the U.S. accounted for 35 percent, up from 32 percent in October. Japan took 22 percent of the total attacks, up from 16 percent the prior month. And Korea took the brunt of 12.5 percent of the world’s total malware attacks, up from less than 9 percent in October.

(Credit: Fortinet)


Lance Whitney, CNET

Feb 9 Microsoft has Big Security Patches for all OS

Here are two key words for Microsoft Windows shops to remember come this Patch Tuesday: “six” and “restart.” Six is the number of a critical bulletin Microsoft will release on February 9 that affects all the currently supported versions of Windows on both the desktop and server. And a system restart will be required for these Windows patches, which will mean downtime for servers. In fact, 10 of the record-tying 13 bulletins require a restart. In all, five are listed as critical, seven important and one moderate.

The last time Microsoft had so many bulletins was in October 2009. In the preliminary patch information issued Thursday, Microsoft does not say how many total vulnerabilities are in those 13 bulletins. In October, the number was 34. Experts say on average there are two vulnerabilities per bulletin.

“Bulletin six is definitely key, we can see that both server teams and desktop teams are going to be impacted,” says Don Leatham, senior director of solutions and strategy for Lumension. Leatham says IT teams should look at their maintenance windows and see how and when they can get these critical patches out. “With bulletin six it might be worthwhile to move up the maintenance window if need be,” he says. Many organizations with patching policies time server maintenance with patch releases.

Leatham says users should not wait to scramble on Tuesday but instead should start prepping as soon as possible. “Usually when there have been bulletins like this in the past that cover every single Windows platform it means it could be fairly low level in the OS,” he says.

This month, the other trend is that there are fewer patches on the applications side. Only two patches address applications and both are for Microsoft Office. Microsoft had a single patch last month, which was in the font engine of Windows.

Microsoft to release free security software soon

Microsoft plans to release the final version of its free antivirus software soon, according to a note sent to testers late Sunday.

“The final version of Microsoft Security Essentials will be released to the public in the coming weeks,” Microsoft said in the note.

Microsoft first announced its plans for the product, then code-named Morro, last November, at the same time the company said it was scrapping its paid Windows Live OneCare product.

Public beta testing of Security Essentials started in June, with Microsoft reaching its goal of 75,000 testers just one day after it issued a call for them.


Ina Fried, CNet

Dell launches first laptop with Intel’s Core i7

SAN FRANCISCO–Dell is launching its first laptops with Intel’s new Core i7 processor for laptops.

The Intel “Clarksfield” Core i7 processor boasts four cores and is the chipmaker’s first mobile chip based on its new Nehalem microarchitecture. Most Intel processors will move to this design in 2010.

Dell is trying to take an early lead in embracing the new technology. Dell’s flagship product for the mobile Core i7 will be the 15-inch Alienware M15x gaming laptop. Dell is also offering the chip as an option on other laptop models worldwide, including the Studio 15 and Studio 17.

At the Intel Developer Forum today, David Perlmutter, executive vice president and co-general manager of Intel Corporation’s Intel Architecture Group, is discussing Intel’s mobile Nehalem platform that also includes a future chip codenamed “Arrandale,” which will integrate graphics into the CPU, or central processing unit.

The Core i7 is packaged with the Intel PM55 Express chipset, companion silicon that assists the processor in communicating with the rest of the system. Two features that differentiate Core i7 from Core 2 Duo processors (the most widely used chips in laptops today) are Turbo Boost and Hyper-Threading. Turbo Boost speeds up and slows down individual cores to meet processing and power-efficiency needs, respectively. Hyper-Threading can double the number of tasks, or threads, a processor can execute.

The Alienware M15x configurations include the Intel Core 920XM CPU and 1GB NVIDIA GeForce GTX 260M graphics chip.

The Dell Studio 17 will feature the Intel Core i7 720QM 1.6GHz processor, a 1GB ATI Mobility Radeon HD 4650 graphics chip, 17.3-inch HD+ (1600×900) display, and 9-cell battery.

The Studio 17 starts at $1,099.

Dell will also offer the Studio 15 with Core i7. Configurations include Core i7 720QM 1.6GHz, 512MB ATI Mobility Radeon HD 4570 graphics chip, and 4GB of memory. Pricing starts at $999.

And the Dell Studio XPS 16 will come with a Core i7 option, with a starting price of $1,249, Dell said.

Brooke Crothers, CNet

Intel Core i7-975 Extreme

Specs: Socket LGA-1366; Core clock: 3.33GHz; 32KB data/instruction cache per core; L2 cache: 256KB per core; L3 cache: 8MB shared; 130W TDP.

Test system specs: Motherboard: Asus Rampage II Extreme; Memory: 6GB Corsair DDR3-1600; Graphics: Zotac GeForce GTX 260 Core 216; HDD: 300GB WD VelociRaptor.

Intel has held the performance crown for more than three years—ever since the launch of its Core 2 microarchitecture. It goes without saying that the company doesn’t need to introduce a new flagship just to one-up itself. And yet Intel is yanking the cover from a fresh Core i7 CPU: the 975 Extreme.

Although it runs a scant 133MHz faster than its predecessor, we’re hardly able to complain, as this processor costs just as much as the one it replaces. As with the 965 Extreme, Intel’s latest iteration boasts four cores armed with Hyper-Threading. Its QuickPath Interconnect operates at 6.4 GT/s. And the processor’s triple-channel integrated memory controller supports up to DDR3-1066 speeds (officially). Of course, most motherboards expose additional multipliers to push RAM significantly faster, and we were able to get our test platform cruising at DDR3-2133 as part of our overclocking gauntlet. The processor itself topped out at 4.12GHz via a 31X multiplier, standard 133MHz BCLK, and 1.38V.

Performance using those overclocked settings is naturally unrivaled. Even at stock settings, however, our benchmark results are impressive. As we’d expect given Core i7’s established track record in A/V software, DivX and Xvid encoding is lightning-fast. And because WinRAR is optimized to take advantage of threading, it’s able to compress our test archive using all eight of Core i7’s logical cores.

At the end of the day, we appreciate a 3.33GHz processor at the same price as Intel’s former flagship. But at $999, “value” is most definitely a relative term. The 2.66GHz Core i7-920 is still an undeniable favorite. After all, most of the samples we’ve seen are good for 4GHz, so long as you’re willing to overclock. Without question, that’s the route we’d take in building a brand new Core i7-based machine.

Paul Cross, ComputerPowerUser

Windows Genuine Could be a Real Advantage

No reader question, this time. Just a rant.

We all hate Windows Genuine Advantage. Not only is it a hassle that might accuse you of stealing something you legitimately bought, but its very name adds insult to annoyance. It’s obviously an advantage to no one but Microsoft.

But with a simple change in policy, the folks in Redmond could use it to eliminate a far more serious problem: The difficulty in obtaining an actual copy of Windows to go with your legally-purchased license.

If Windows came with your computer, you probably have no way to restore it beyond a complete reformat. If you lost the restore discs that came with your PC, or altered your partition table and thereby rendered your restore partition unbootable, you can’t even do that. And you almost certainly don’t have the options and utilities that come with a genuine Windows CD or DVD.

And why not? Because Microsoft acts as if giving away Windows discs is the same as giving away licenses to run Windows. And yet the company must know that’s not true. Otherwise, Microsoft wouldn’t make you go through the activation process, or keep hitting you with Windows Genuine Annoyances. It’s the product key–that long number you have to enter when you install Windows–that defines and proves your purchase of the operating system.

So why can’t Microsoft simply give the disc away? Make it downloadable as an .iso file. Charge $5 to mail a physical disc to those who don’t like long downloads. Make it known that anyone can give the disc to anyone else.

I’m not suggesting that Microsoft give away Windows. You’d still need a unique product key to activate it, and you would get that product key either by paying Microsoft or buying a PC with Windows pre-installed (all such computers already come with a product key sticker). Or you’d already have the product key, but still need a product to install.

This could work just fine with XP, Vista, and (when it ships) Windows 7. Microsoft doesn’t even have to keep selling XP to freely give away the discs; I know plenty of people who “own” XP but need a way to install it.

A great many commercial programs, perhaps a majority of them, are now sold this way. You download the program, install it, try a limited version, then pay for a key that will unlock the full version. They used to call this shareware or demoware. Now it’s just the way software is sold.

Microsoft: Are you listening?

Lincoln Spector, PCWorld