Poojan (Wagh) Blog

Requests for comment

My Password Setup


So, I’m basically making this post so I can share with friends/family. In this post, I will explain what I do for managing passwords, including two-factor authentication (2FA), and give some options for getting 2FA. Before I do that, I will explain how I got to the conclusion on what I am using.

For those that don’t know me, I am not a security expert. You should do your own research (and maybe consult the security experts out there). I could be wrong about some of my conclusions. And more generally, what might work for me might not work for you.

Also, the scope of what I’m explaining here is only for my personal accounts. My company (and most out there) has an IT policy for work accounts.

You can skip past the Intro, if you don’t need convincing on why reusing passwords is insecure. Also, I put my recommendations right up-front in the Bottom Line section, if you don’t want to read the whole article.

Bottom Line

My bottom line recommendation is to look into the following combination and see which one works for you: something to manage your passwords, and something for 2-factor rolling codes (OTPs).

For managing passwords, you can go with a hard-paper notebook (where you write passwords down and never store them on a computer) or a password management app, such as KeePass, Bitwarden, or LastPass.

For getting 2-factor rolling codes (OTPs), you can go with a device such as a YubiKey or an app such as Authy, Microsoft Authenticator, or Google Authenticator.

Intro

There have been a lot of password leaks lately. I mean, a lot. This multitude of leaks culminated in a meta-dump of everyone’s password. That is, someone compiled many of the previous leaks and put them into one big password dump. As a result, if you’ve been using a password for any amount of time, and if any of the sites you used practiced sub-par security practices, your password is probably available on the Internet.

(You can check here. Just enter an email and it will likely show which of the many breaches your password appeared. Alternatively, you can enter a password here and it will show you if that password was in a data dump. But I’ll save you some time: yes, your email and password are available online.)

Now, one solution is to use unique passwords, and don’t share them between websites. In this case, even if one of your favorite websites leaks their users’ passwords, you only have to worry about someone hacking your account on that site.

Unique passwords solve most, but not all, of the ways people can gain access to your account. Most experts recommend a 2nd factor called one-time passwords (OTPs) to use in combination with unique passwords. OTPs are basically a rolling code that changes with time.

Remember that there can be a huge profit motive to someone hacking your account. They may want to get your LinkedIn network, your FaceBook contacts, or your financial institution. Taking these two steps can make these attacks much more difficult.

Incidentally, similar recommendations are being provided to US officials participating in elections, albeit with Google’s own hardware product.

The Limitation with Passwords

If you want to create unique passwords for each site, you’ll need to create a lot of passwords. And you probably want to use either a notebook to write them all down, or a password manager to store them (in a secure, encrypted format).

This unique-password approach is a reasonable solution. But it does suffer from a significant problem: someone could impersonate a website. If, for example, I wanted to go to real cat video site but typed the address in wrong, I would mistakenly go to fake cat video site. Fake cat video site has completely impersonated real cat video site. Unless I paid very close attention to the web address, I would not know the difference.

I then type in my password (unwittingly) to fake cat video site. Now, they have my password. They have complete access to my account at real cat video site. They can do whatever they want with that password–including delete my videos, or even replace them all with dog videos.* The problem with passwords is that they are static. Once you’ve handed it out, the cat is out of the bag.

This website imitation is easier than you think online: fake cat video site can pass all traffic through to real cat video site without you knowing. They don’t actually have to copy the information; they can simply forward every request and return every answer. This attack is known as a man-in-the-middle (MITM) attack. Passwords can’t help you with them.

2-Factor Authentication

To mitigate this deficiency, most experts recommend something in addition to the password, a second factor. This is called 2-factor authentication (2FA).

The simplest and most obvious way to add a 2nd factor is to add a rolling code: that is, an extra code that changes with each login attempt. With this rolling code, if you log in to fake cat video site with your password and rolling code, they get access to your real cat video site account only once. They can do some damage, but they do not have permanent access. If they try to log in again, they will need a new rolling code.

There are many ways of getting such a rolling code. One of the most convenient is to use an authenticator app, such as Authy, Microsoft Authenticator, or Google Authenticator. (All of these use a common standard, so you can use any of these with most sites that support a rolling code authentication app.)

These apps use your phone to create the rolling code (which changes every 30 seconds or so). For many people, this is a safe enough option. There are flaws with this method, but it really is a very good compromise between convenience and security. If you are going to do nothing else, enable 2-factor authentication using an app.

The problem with app-based authentication is the scenario where you lose physical control over your phone, or you install an app or download something that compromises your phone. More generally, if someone has access to your phone, you can’t count on a security app on your phone to really be a 2nd factor. That 2nd factor app (if it sits on your phone) really becomes more of a formality when logging in to an app on your phone.

That said, if you lose your phone and someone has the ability to unlock it, there are much bigger worries than them logging into a specific app or trying to steal a specific account.

The official name of the rolling code is one-time-password (OTP). I use an OTP wherever I can. However, I don’t use an app on my phone to store it. See the next section.

What I Do for OTP

I use a YubiKey for one-time passwords (OTP).

The reason I like the YubiKey is that it allows you to store/generate a one-time password on a hardware device: the small YubiKey itself (which fits on a keychain).

In addition, the YubiKey solves another problem: it’s independently portable. I generally have it on my keychain, where all my keys are. And most people are used to keeping their keys secure. In my case, I duplicate my credentials to two keys. One is a USB-C key (usable on my phone and recent computers) and the other is a regular USB-A key (for backup). So, I have a backup YubiKey that stays at home.

You do need to plug the YubiKey in to your phone or computer to read the codes, but this is done securely: only that single code gets passed through your phone/computer and onto your screen. No one can steal the secret code that generates all the codes; it is protected within the hardware of the YubiKey itself.

I also create backup/recovery codes and print them out. These allow me to log in if I lose both my YubiKeys (or if they get corrupted). I don’t store the backup codes on a computer. They are hard copies and kept in a fire-proof envelope. (Most sites, including FaceBook, allow you to create backup codes.)

What I do for Password Manager

There are many options for software-based password managers. The one I use is KeePass 2. The reason I use it is that it’s free (open source), has options for Windows, Linux, and Android. (I’m not sure about Apple/iOS, but I’d guess there’s a solution there.) And cloud sync is optional. You can store it on a single device, and that device does not necessarily need Internet access. The downside is that if you do want to sync it across devices, it takes some configuration.

Other Options for Password Management

Paper Notebook

While I don’t use a paper notebook—I like the convenience of having a software password manager—they are a good solution. It’s the cheapest (in terms of up-front time and money) solution.

You probably have a notebook lying around your house. If not, take a look at books on Amazon written by Lourdes Welhaven. The only thing to be careful of is that you generate good passwords, which are hard to guess. Your brain is pretty bad at doing random. So, here’s a systematic way using dice (if there are no restrictions on password length). If there are restrictions on password length, go here or here. Incidentally, password-generation is a place where password-management apps really shine.

No one can hack into your computer and steal your trove of passwords, if they are not on your computer. That said, people hacking a regular Joe’s computer doesn’t seem to be the way passwords are leaking–or at least it isn’t the only way. It is, in fact, the websites we use that seem to be the weak link. Every time a website gets hacked, your password at that website spills on the internet.

Other Password Management Apps

There are quite a few other options if you want to go for a cloud-based service. I’ve heard good things online about BitWarden and LastPass. I don’t have any direct experience with any of these, but I have come across many good comments about BitWarden.

I did try BitWarden very briefly on my Android device, but I kept KeePass because the Keepass2Android App has an extremely useful feature: you can set it up as a software keyboard in Android. It can then enter your username/password in other apps with a button on the screen.

The SecurityNow Podcast is sponsored by LastPass, and I generally am comfortable with their recommendations; they seem to have a decent vetting process for their sponsors.

Note that the Have I Been Pwned site I linked in the intro is sponsored by 1Password.

Other Options for OTP

Authenticator Apps are pretty neat. You set it up once by scanning or typing in a long code given by the website you want to use it with (FaceBook, Microsoft, Snapchat, etc). There’s a different code for each.

Then, after setup, it generates a rolling number that’s needed every time you log in. What’s nice is that the apps conform to a standard. So, you can have one app installed for all your different websites.

I have heard of Authy. Authy is multi-platform (Windows/iOS/Android) and will sync across platforms. Google Authenticator is equally good, but it doesn’t sync your OTPs across platforms. Similar with Microsoft Authenticator.

One could make the case that OTPs should be unique to the device they are on, but for most people, the convenience of setting Authy up once is worth the risk. There are those, however, who disagree: using an authenticator app is better than nothing, but a dedicated hardware security key is much better.

Google also has their Titan security key solution, which is hardware-based. I have not done any analysis comparing it to YubiKey. I just know the YubiKey supports many standards and does whatever I need it to do. I started with YubiKey many years ago and never saw a need to switch. I also have a cautious opinion of Google solutions because of their repeated exits from markets.

SMS for Two-Factor

I really don’t like this option, and I wish companies would stop providing it. (Especially banks, where this seems to be prevalent.)

Once again, I am no security expert, but experts don’t like it and SMS has failed in the past.

* I am a dog person (too), but people like their cat videos.

Written by PoojanWagh

March 28th, 2020 at 11:00 pm

A Morning in Fond du Lac


I woke up on Saturday morning in Fond du Lac, Wisconsin. I took some pictures.

Written by PoojanWagh

January 19th, 2020 at 11:07 pm

Posted in Uncategorized


Orion


My first foray into astrophotography—if you can call it that. I took two pictures at two different exposure lengths and then merged them.

Written by Poojan Wagh

January 11th, 2020 at 5:40 pm

Posted in Uncategorized


VOIP Cost Calculations


So, in August we made a total of 1755 seconds of outgoing calls from our landline.

I currently use voip.ms to make these outgoing calls. Their rate (using premium routing) is 1 cent per minute. (Curiously slightly higher for toll-free calls.) Anyway, I paid a whopping 30.7 cents for all these outgoing calls in August.

Right now, I still have AT&T handling incoming calls. If I were to cancel AT&T, I would save roughly $20 per month.

Instead, I would have to pay for incoming calls as well. As well as 911 (E911) service. Both voip.ms and CallCentric (a service which seems to be mentioned a lot online) provide E911.

With CallCentric, their North America Basic plan includes E911 and 120 minutes of outgoing calls; this costs $1.95 per month. (After 120 minutes, which I probably won’t use, it’s roughly 2 cents a call.) In addition, I can pay $1.95 monthly plus 1.5 cents per minute to receive calls. (I could also pay $5.95 for unlimited outgoing calls, but given how few calls we take, that does not make much sense.)

With CallCentric, the costs would come out to $1.95/month + $1.95/month + 1.5 cents/minute-incoming. So, $3.80/month + incoming 1.5c/minute.

With voip.ms, as I said before, they charge per-minute on outgoing calls. (This is why I picked them in the first place: no monthly fees, and very cheap usage rates.) For incoming calls, the rate is $0.85/month plus 0.9c/minute. For E911, I pay another $1.50/month. So, I’d pay $2.35/month + 1c/minute-outgoing + 0.9c/minute-incoming. (voip.ms also has a $4.25/month unlimited incoming call plan. However, it isn’t clear to me whether this includes E911.)

So, all of this depends on how many incoming calls I receive on average. (Unfortunately, AT&T does not list this on the bill, since it’s basically free—er, included with my monthly service.) I can’t imagine it amounts to more than a few hours per month. And to be honest, the differential between CallCentric and voip.ms is so low, I don’t know that it matters (roughly a buck or two in the end).

Written by PoojanWagh

November 17th, 2017 at 6:00 pm

Posted in Uncategorized

Shipping Options while eBaying Electronics


I’ve been spending some time e-baying electronics lately. (Just trying to get rid of old, unused stuff that never panned out.)

Because, I visit this topic so many times (every time I eBay), I thought I’d put some conclusions for myself on how to ship these.

I really like the priority options from the USPS. There are two options here: flat-rate or regional rate.

First, this chart lists whether it’s better to do regional rate or flat-rate. The important thing to remember is that it’s heavily dependent on the size of the item you are shipping.

If it can fit, the small flat-rate box is preferred. It is $6.65 at the Post Office or $5.95 “commercial base” (which I think means online).

The only issue is that the inside of these boxes measures 8 5/8″ x 5 3/8″ x 1 5/8″. This should be big enough for a 3.5″ internal hard disk drive (which measures 5.75″ x 4″ x 1″).

But it’s probably not big enough for anything else (routers, external hard drives, etc.). Instead, for a flat-rate option, you’d have to go with the Medium Flat Rate Box – 1 (top loading). This costs $13.60 at the post office or $12.40 “commercial base”.

Instead, if you have something this big, it probably makes more sense to go with the regional rate box A1. These are 10 1/8″ x 7 1/8″ x 5″. This goes by zones (difference between starting and ending zone). As long as you are within 8 zones, it makes sense to go with these. If you are within one or two zones, it is as cheap as $6.52. (Curiously, this price list is hard to come by on the USPS website. Instead, I’m linking to stamps.com.)

Finally, for 2.5″ SSDs, you can probably get away with a padded envelope (or small flat-rate box). The prices are around the same, but there’s a lot less packaging/padding to add with the envelope.

Written by PoojanWagh

June 25th, 2017 at 4:23 pm

Posted in Home


My plane ride back from San Diego


I’ve always held that you can’t judge people by appearance. I also lament the dearth of women in engineering (and STEM in general). Here’s a little anecdote:

On a recent flight back from San Diego (for work), I sat next to two young women.

As people boarded, I overheard snippets of banter from the two women about plans for the weekend and possibly a popular musician.

I started a conversation the way I start every conversation on a plane: “How are you today?” And the young lady closer to me smiled and said she’s doing great. I asked if they were going home, and she said they were on business.

I asked what it is that she does. We talked for a while, and I learned that they work for Abbott Labs. They are in a rotation plan that lasts 2 years, and each rotation lasts 6 months. She had done a few rotations, and one of them was in Chicago. They are both currently assigned to a location 45 minutes away from San Diego.

What struck me here is that this is how things used to be at Motorola (well, sort of—a better example is Intel). I was happy to hear of a company that still invests so much into young talent. That it’s a Chicago company was a nice bonus.

I asked what they do for Abbott, and they are both engineers. I asked if this was chemical and they said biomedical. Abbott basically spun off their pharma business as AbbVie and retained medical devices.

As we took off and I looked along the coast, I asked whether they worked north or south of San Diego. The young lady closer to me said north, ’cause 45 minutes south would be Mexico. I smiled at my obvious error.

For most of the flight, I put my headphones on as they talked amongst themselves. They were clearly traveling together, and I didn’t want to be an interloper.

Closer to Chicago, I heard them talk about restaurants. I asked if they wanted a recommendation. The young lady closer to me reminded me that she had lived in Chicago and she knows the area. I took this rebuke to mean that they prefer to converse amongst themselves, and so I went back to reading the WSJ that I grabbed from the hotel. (I tend to be on the chattier end of things and have to watch it—especially with strangers.) I smiled and suggested that maybe she should give me a recommendation, seeing as how I don’t get out much.

Finally, near the end of the flight (when they were both quiet and seemingly bored), I asked where they went to school. They had both gone to Cal-Poly (the good one ’cause there are apparently two). I asked where they want to be when they’ve finished the rotation program. They both wanted to move to the Bay area when their rotations were over. The young lady closer to me reminded me that she was almost done with the rotation program.

They both agreed that Northern California was Better. (I said how Northern California is nice because it is cooler and that’s good for running.) The young lady farther from me talked about how in Northern California, they say “Hella”. Like, “Hella-fun day.” But they don’t say that in Southern California.

At the end of the flight, I told them it was nice to meet them and I hope they have a good time this week in Chicago. I said, “Would that be a hella-good time?” The young lady farther from me laughed and said that I got it. The young lady closer to me smiled and said that I don’t have to say “hella”; she’s from Northern California and she doesn’t.

So, here’s why I’m bothering to write about this particular conversation: I was absolutely delighted that the young lady closer to me acted like almost every other engineer I have met—correcting factual mistakes when dealing with people. Because if you don’t correct people, they will veer off in the wrong direction. And Bad Things will happen.

It made me feel glad that I had evidence for something I’ve long held—that there’s no inherent difference between men and women. And you can’t judge people by the way they look. And you can only know someone by interacting with him/her.

And at some point in the past, these young ladies would have been encouraged to be pharma reps, not engineers. (I do not suggest that being an engineer is necessarily better than being in sales—I do suggest that reducing bias and allowing individuals to choose their own career options is better.)

Well done, Universe.

Written by PoojanWagh

November 4th, 2014 at 11:54 pm

Posted in Career/Work-Life


Lowell: Cloud 69


Confident.

I’m like dynamite. I need a cheerleader.

Written by PoojanWagh

April 23rd, 2014 at 10:42 am

Posted in Music


Nice long run


I went for my first outdoor run in a long while. I still have some deadlines at work (mid-April), but I got over one hump this week.

And everyone was actually encouraging me to leave at 4, especially after I advertised it all day.

So at 4, I left. I didn’t want to immediately–there’s that usual fear of cold or being out of shape–I went for a run outside. I ran to downtown Dundee and back. All in all, it took an hour.

I listened to The Fault in our Stars, and finished it on my way back.

I then got to work on some computer chores, and did that until the family came home.

I haven’t seen much of the family this week, despite it being Spring Break. It was a nice afternoon and a nice evening.

Written by wagh

March 27th, 2014 at 11:30 pm

Posted in Running


Week(ish) in Review


Since last time:

Got a friend’s lunch cards automated (8th grade hot lunch) and printed them out for her.
Went to a memorial service for my wife’s uncle.
Ran outside.
That same day worked from home and increased the bandwidth of a bias loop by about 10x.
Gave some coworkers some info they needed.
Unfortunately, got sick but luckily Monday was a day off.

Written by Poojan Wagh

February 17th, 2014 at 9:37 pm

Posted in productivity

Week (and some change) in review


Since the last time:

  • Helped my wife at Cub Scout Sunday
  • Got an eye exam (my eyes got a bit worse this past year–I think not running has an influence)
  • Bought new phones for the house
  • Co-Ran Monday pizza hot lunch
  • Got kids to bed and up in the morning for the two nights/days that my wife was at Manager Tools
  • Ordered new checks
  • Set up my friend Scott to ride the lead bike in the Irish Jig Jog (which means I can now run it–and you should too)
  • Went to First Communion meeting for my youngest child
  • Upgraded my cable modem to DOCSIS 3.0 (with 50% faster connection rates & IPv6: before & after)
  • Finished “David and Goliath” (Malcolm Gladwell) and finished “Highway 61 Revisited” (Mark Polizzotti)
  • Started “Beautiful Ruins” by Jess Walter
  • Ran once (indoors for 50 minutes), Friday of the week before

Written by PoojanWagh

February 7th, 2014 at 8:41 pm

Posted in productivity