Poojan (Wagh) Blog

Requests for comment

Archive for the ‘Web’ Category

My Password Setup


So, I’m basically making this post so I can share it with friends and family. In this post, I will explain what I do for managing passwords, including two-factor authentication (2FA), and give some options for getting 2FA. Before I do that, I will explain how I arrived at what I am using.

For those that don’t know me, I am not a security expert. You should do your own research (and maybe consult the security experts out there). I could be wrong about some of my conclusions. And more generally, what might work for me might not work for you.

Also, what I am explaining here applies only to my personal accounts. My company (like most) has an IT policy for work accounts.

You can skip past the Intro, if you don’t need convincing on why reusing passwords is insecure. Also, I put my recommendations right up-front in the Bottom Line section, if you don’t want to read the whole article.

Bottom Line

My bottom-line recommendation is to look into the following combination and pick what works for you: something to manage your passwords, and something to generate 2-factor rolling codes (OTPs).

For managing passwords, you can go with a paper notebook (where you write passwords down and never store them on a computer) or a password-manager app, such as KeePass, Bitwarden, or LastPass.

For getting 2-factor rolling codes (OTPs), you can go with a device such as a YubiKey or an app such as Authy, Microsoft Authenticator, or Google Authenticator.

Intro

There have been a lot of password leaks lately. I mean, a lot. These leaks have culminated in combined dumps: someone takes many of the earlier leaks and compiles them into one big password list. As a result, if you’ve been using a password for any length of time, and if any of the sites you used it on practised sub-par security, your password is probably available on the Internet.

(You can check at Have I Been Pwned: enter an email address and it will list which of the many breaches that address appeared in. Its Pwned Passwords page lets you enter a password and see whether it showed up in a data dump; the check sends only the first five characters of the password’s SHA-1 hash, never the password itself. But I’ll save you some time: yes, your email and password are available online.)
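As an added example (not code from the original post), here is the password check done the way the Pwned Passwords API is documented to work: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and compares the returned suffixes locally, so the password never leaves the machine. The network call is injected so the block runs offline against a constructed response; only fetch_range_https touches the real service, and its header names and URL are the API's documented ones.

```python
"""Breach-list check in the k-anonymity style of Have I Been Pwned's
Pwned Passwords API. Added example, not from the original post.

The client sends only the 5-character SHA-1 prefix to /range/<prefix>; the
server answers with every known hash suffix for that prefix and a count.
`fetch_range` is injected so the example runs offline against a constructed
response; `fetch_range_https` is the only function that touches the network.
"""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range) -> int:
    """How many times `password` appears in the corpus (0 = not found).

    `fetch_range(prefix)` must return the response body for that 5-char
    prefix. Only the prefix ever leaves this function; the suffix is
    compared locally, so the server cannot learn which password was checked.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_https(prefix: str) -> str:
    """Real fetcher (network). Add-Padding makes response sizes less revealing."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of "password"
# (SHA-1 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). A real response holds
# hundreds of suffixes; two lines are enough to show a hit and a miss.
SAMPLE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
)


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for the API; checks that only a 5-char prefix is sent."""
    assert len(prefix) == 5 and prefix == prefix.upper()
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fake_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample list'}")
```

To run it against the live service, pass fetch_range_https instead of fake_fetch; nothing else changes, which is the point of keeping the hashing and comparison on the client.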

Now, one solution is to use unique passwords, one per website, and never share them between sites. Then, even if one of your favorite websites leaks its users’ passwords, you only have to worry about someone getting into your account on that site.

Unique passwords close off most, but not all, of the ways people can gain access to your account. Most experts recommend a second factor, a one-time password (OTP), in combination with unique passwords. An OTP is basically a rolling code that changes with time.

Remember that there can be a huge profit motive for someone hacking your account. They may want your LinkedIn network, your Facebook contacts, or access to your financial institution. Taking these two steps makes these attacks much more difficult.

Incidentally, similar recommendations are being provided to US officials participating in elections, albeit with Google’s own hardware product.

The Limitation with Passwords

If you want a unique password for each site, you’ll need to create a lot of passwords, and you’ll want either a notebook to write them all down or a password manager to store them (in an encrypted database).

Unique passwords are a reasonable solution. But they do suffer from a significant problem: someone could impersonate a website. If, for example, I wanted to go to the real cat video site but typed the address in wrong, I would mistakenly land on a fake cat video site. The fake site has completely impersonated the real one. Unless I paid very close attention to the web address, I would not know the difference.

I then type my password (unwittingly) into the fake cat video site. Now they have my password, and with it complete access to my account at the real cat video site. They can do whatever they want with that password, including delete my videos or replace them all with dog videos.* The problem with passwords is that they are static. Once you’ve handed one out, the cat is out of the bag.

This kind of impersonation is easier than you might think: the fake site can pass all traffic through to the real site without you noticing. It doesn’t have to copy anything; it simply forwards every request and returns every answer, reading your password on the way through. This is a man-in-the-middle (MITM) attack, and a password alone can’t protect you from it.

2-Factor Authentication

To mitigate this deficiency, most experts recommend something in addition to the password: a second factor. This is called 2-factor authentication (2FA).

The simplest and most obvious second factor is a rolling code: an extra code that changes with each login attempt (or every 30 seconds or so). With a rolling code, if you log in to the fake cat video site with your password and the current code, the attacker can relay that code to the real site and get in once, while the code is still valid. They can do some damage with that one session, but they do not get permanent access: the next time they try to log in, they need a new code. A rolling code limits the damage of a relayed login; it does not prevent it.

There are many ways of getting such a rolling code. One of the most convenient is an authenticator app, such as Authy, Microsoft Authenticator, or Google Authenticator. (All of these implement the same standard, TOTP, so you can use any of them with any site that supports an authenticator app.)

These apps use your phone to create the rolling code, which changes every 30 seconds or so. For many people, this is a safe enough option. The method has flaws, but it really is a very good compromise between convenience and security. If you are going to do nothing else, enable 2-factor authentication using an app.

The problem with app-based authentication is the scenario where you lose physical control over your phone, or where you install an app or download something that compromises your phone. More generally, if someone has access to your phone, you can’t count on a security app on that phone to really be a second factor: for logging in to apps on that same phone, the authenticator becomes a formality.

That said, if you lose your phone and someone has the ability to unlock it, there are much bigger worries than them logging into a specific app or trying to steal a specific account.

The official name of the rolling code is one-time password (OTP). I use an OTP wherever I can. However, I don’t use an app on my phone to store the secret. See the next section.

What I Do for OTP

I use a YubiKey for one-time passwords (OTP).

The reason I like the YubiKey is that it stores the secret and generates the one-time passwords on a hardware device: the small YubiKey itself (which fits on a keychain).

In addition, the YubiKey solves another problem: it’s independently portable. I generally have it on my keychain, where all my keys are, and most people are used to keeping their keys secure. In my case, I duplicate my credentials to two keys. One is a USB-C key (usable on my phone and recent computers) and the other is a regular USB-A key (for backup). So, I have a backup YubiKey that stays at home.

You do need to plug the YubiKey into your phone or computer to read the codes, but this is done securely: only the single current code passes through your phone/computer onto your screen. No one can steal the secret that generates all the codes; it stays inside the hardware of the YubiKey. (Malware on the phone or computer could still use the current code while it is valid, just as with an app, but it cannot copy the secret and mint codes of its own.)

I also create backup/recovery codes and print them out. These let me log in if I lose both YubiKeys (or if they stop working). I don’t store the backup codes on a computer; they are hard copies kept in a fire-proof envelope. (Most sites, including Facebook, let you create backup codes.)

What I do for Password Manager

There are many options for software-based password managers. The one I use is KeePass 2. I use it because it’s free (open source) and has clients for Windows, Linux, and Android. (I’m not sure about Apple/iOS, but I’d guess there’s a solution there.) Cloud sync is optional: you can keep the database on a single device, and that device does not need Internet access. The downside is that if you do want to sync it across devices, it takes some configuration.

Other Options for Password Management

Paper Notebook

While I don’t use a paper notebook (I like the convenience of a software password manager), they are a good solution. It’s the cheapest solution in terms of up-front time and money.

You probably have a notebook lying around your house. If not, take a look at the password books on Amazon written by Lourdes Welhaven. The only thing to be careful of is that you generate good passwords, ones that are hard to guess. Your brain is pretty bad at doing random. So, here’s a systematic way using dice (if there are no restrictions on password length). If there are restrictions on password length, go here or here. Incidentally, password generation is a place where password-management apps really shine.

No one can hack into your computer and steal your trove of passwords if they are not on your computer. That said, hacking a regular Joe’s computer doesn’t seem to be how passwords are leaking, or at least it isn’t the only way. The websites we use are the weak link: every time a website gets breached, your password at that website can spill onto the Internet (and, if you reused it, so does your password everywhere else).
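As an added example (not from the original post), here is the dice-style generation the passage describes, carried out with the operating system's cryptographic random number generator instead of a brain: a passphrase when length is unrestricted, and a fixed-length password when a site caps length or demands character classes, each with an entropy estimate. The 16-word list is a constructed stand-in; the 7776 figure is the size of a standard Diceware list and is only used for the estimate.

```python
"""Passwords and passphrases from a cryptographic RNG, with entropy estimates.
Added example, not from the original post.

SAMPLE_WORDS is a constructed 16-word list so the demo runs stand-alone;
a real dice list (Diceware) has 6**5 = 7776 words, five die rolls per word.
"""
from __future__ import annotations

import math
import secrets
import string

SAMPLE_WORDS = ["apple", "bridge", "candle", "dragon", "eagle", "forest",
                "garden", "hammer", "island", "jacket", "kettle", "lantern",
                "meadow", "needle", "orange", "pepper"]   # constructed list
DICEWARE_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from `alphabet_size`."""
    return symbols * math.log2(alphabet_size)


def dice_roll(sides: int = 6) -> int:
    """One fair die roll from the OS CSPRNG (`secrets`, never `random`)."""
    return secrets.randbelow(sides) + 1


def passphrase(words: list[str], count: int = 6, sep: str = " ") -> str:
    """Pick `count` words uniformly and independently (Diceware with a list)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Fixed-length password for sites that cap length.

    Rejects candidates missing a character class that the alphabet offers,
    so the result passes the usual composition rules. Rejection sampling
    trims a fraction of a bit from the nominal entropy for lengths >= 8.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    required = [c for c in classes if set(c) & set(alphabet)]
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in required):
            return pw


def strength_report(label: str, value: str, alphabet_size: int, symbols: int) -> str:
    """One line: the value and its nominal entropy in bits."""
    return f"{label}: {value!r} (~{entropy_bits(alphabet_size, symbols):.1f} bits)"


if __name__ == "__main__":
    p = passphrase(SAMPLE_WORDS)
    print(strength_report("demo passphrase", p, len(SAMPLE_WORDS), 6))
    print(f"six words from a 7776-word list: ~{entropy_bits(DICEWARE_SIZE, 6):.1f} bits")
    print(strength_report("16-char password", password(16), len(PRINTABLE), 16))
    print("five dice rolls:", [dice_roll() for _ in range(5)])
```

Six words from a 7776-word list come to roughly 77 bits, about the same as a 12-character password drawn from all 94 printable ASCII characters; the passphrase is easier to copy into a notebook without error.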

Other Password Management Apps

There are quite a few other options if you want a cloud-based service. I’ve heard good things online about Bitwarden and LastPass. I don’t have direct experience with either, but I have come across many good comments about Bitwarden.

I did try Bitwarden very briefly on my Android device, but I kept KeePass because the Keepass2Android app has an extremely useful feature: you can set it up as a software keyboard in Android. It can then enter your username/password into other apps with a button on the screen.

The SecurityNow Podcast is sponsored by LastPass, and I generally am comfortable with their recommendations; they seem to have a decent vetting process for their sponsors.

Note that the Have I Been Pwned site I linked in the intro is sponsored by 1Password.

Other Options for OTP

Authenticator apps are pretty neat. You set one up once by scanning a QR code or typing in a long code (the shared secret) given by the website you want to use it with (Facebook, Microsoft, Snapchat, etc.). There’s a different secret for each site.

Then, after setup, it generates a rolling number that’s needed every time you log in. What’s nice is that the apps conform to a standard (TOTP), so you can have one app installed for all your different websites.

I have heard of Authy. Authy is multi-platform (Windows/iOS/Android) and will sync across platforms. Google Authenticator is equally good, but it doesn’t sync your OTPs across devices. The same goes for Microsoft Authenticator.

One could make the case that OTP secrets should be unique to the device they are on, but for most people, the convenience of setting Authy up once is worth the risk. There are those, however, who disagree: using an authenticator app is better than nothing, but a dedicated hardware security key is much better.

Google also has its Titan security key, which is hardware-based. I have not done any analysis comparing it to the YubiKey. I just know the YubiKey supports many standards and does whatever I need it to do. I started with YubiKey many years ago and never saw a need to switch. I also have a cautious opinion of Google solutions because of their repeated exits from markets.
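The rolling code described here and in the 2-Factor Authentication section above is TOTP (RFC 6238). As an added example (not from the original post), the block below generates codes from a secret taken out of an otpauth:// setup URI, and includes a server-side verifier that shows why a relayed code buys an attacker one login only: it accepts a code within a narrow time window and never accepts the same time step twice. The secret is the public RFC 6238 test vector, not a real credential, and the URI is constructed.

```python
"""TOTP (RFC 6238) generation and verification, the standard behind Authy,
Google Authenticator, Microsoft Authenticator and YubiKey's OATH mode.
Added example, not from the original post.

RFC6238_SECRET is the public test-vector seed from the RFC, not a real key.
The verifier follows the RFC's guidance: small acceptance window, and no
time step may be used twice, so a code phished and relayed once cannot be
replayed for a second login.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

RFC6238_SECRET = b"12345678901234567890"   # public RFC 6238 SHA-1 test seed


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def secret_from_otpauth(uri: str) -> bytes:
    """Base32-decode the secret from an otpauth://totp/... URI, which is
    what the QR code on a site's setup screen encodes."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Server side: accept codes for steps in [now - window, now + window]
    and never accept a step at or before the last one accepted."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret, self.window, self.step = secret, window, step
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            ctr = base + delta
            if ctr <= self.last_accepted_step:
                continue   # replay of a used step, or an older one
            if hmac.compare_digest(hotp(self.secret, ctr), code):
                self.last_accepted_step = ctr
                return True
        return False


if __name__ == "__main__":
    # Constructed setup URI carrying the RFC test seed in base32.
    uri = ("otpauth://totp/Example:alice@example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
    key = secret_from_otpauth(uri)
    now = int(time.time())
    print("current code:", totp(key, now), "valid for", 30 - now % 30, "more seconds")
    server = TotpVerifier(key)
    code = totp(key, now)
    print("first use accepted:", server.verify(code, now))
    print("same code again accepted:", server.verify(code, now))
```

Clock drift between the phone and the server is why verifiers allow a window of one step either side; widening it beyond that extends the time a relayed code stays usable.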

SMS for Two-Factor

I really don’t like this option, and I wish companies would stop offering it. (Especially banks, where it seems to be prevalent.)

Once again, I am no security expert, but experts advise against it and SMS has failed in the past: text messages can be intercepted or redirected, for instance by an attacker who convinces your carrier to move your number to a SIM they control.

* I am a dog person (too), but people like their cat videos.

Written by PoojanWagh

March 28th, 2020 at 11:00 pm

Kudos to Barnes & Noble


I recently went back on my previous decision to avoid B&N. Their prices on audiobooks were pretty good (compared to both Audible and eMusic). So, I bought this (note the Amazon link):


Written by PoojanWagh

January 11th, 2010 at 2:12 pm

Posted in Web


Weird Chrome SVG bug


Google Chrome seems to have a bug in its rendering of SVG files. Here’s what it looks like:

Chrome SVG

Here’s what the same files look like under Firefox:

Firefox SVG

The HTML file I used to test this is:

<html>
  <head>
    <title>Test</title>
  </head>
  <body>
    <p>The received in-phase is <object type="image/svg+xml" data="665dd30fd32270d75e7871a23e9ae2b3.svg"></object>and the quadrature is…</p>
  </body>
</html>

The embedded SVG file is:

<?xml version="1.0" encoding="utf-8"?>
<svg:svg width="9.485391pt" xmlns:svg="http://www.w3.org/2000/svg" viewBox="0 -8.332031 9.485391 12.854414" xmlns:svgmath="http://www.grigoriev.ru/svgmath" height="12.854414pt">
  <svg:metadata>
    <svgmath:metrics top="9.8251171875" bottom="1.8387890625" baseline="4.5223828125" axis="8.5067578125"/>
  </svg:metadata>
  <svg:text font-size="12.000000" text-anchor="middle" y="0.000000" x="3.061523" font-family="Times New Roman" font-style="italic" fill="black">x</svg:text>
  <svg:g transform="translate(5.724609, 2.683594)">
    <svg:text font-size="8.520000" text-anchor="middle" y="0.000000" x="1.684863" font-family="Times New Roman" font-style="italic" fill="black">I</svg:text>
  </svg:g>
</svg:svg>

I’m basically trying to support MathML with SVG as a backup over at the circuit design site. I guess the 7% of visitors that use Chrome will have to deal.

Written by PoojanWagh

December 9th, 2009 at 6:00 pm

Posted in Web


Banning Barnes & Noble (for use of Webloyalty)


Update 2010-1-3

I’m back to using Barnes & Noble. Every now and then, they have an ebook or MP3 audiobook that’s way less than either eMusic or Audible. Also, I do know to look out for the WebLoyalty (etc.) pitch, so it doesn’t bother me as much now.

Original Post

I’ve been pretty happy with Barnes & Noble as an alternative to Amazon. I just bought What Got You Here Won’t Get You There: How Successful People Become Even More Successful and unfortunately found the following link to Webloyalty


Sigh. I have a hard time leaving Barnes & Noble; their discounts are good, but I’m afraid I might have to because of their affiliation with Webloyalty

Written by PoojanWagh

November 30th, 2009 at 6:44 pm

Posted in Web


Want 4G? Go with ClearWire


It’s clear that ClearWire’s software gives the user a better 4G experience than Sprint.

I’ve been using Sprint’s 4G for almost a week. As I posted before, I didn’t particularly like their connection software popping up their start page every time I connected to their 4G network–especially since I had to connect several times on my train ride into the city. Don’t get me wrong, the Sprint SmartView software will auto-reconnect (although I’m still not sure how I got it to do so) in the background if your 4G signal gets dropped–except every time it does so, there’s the sprint start page again, completely interrupting your work.

A coworker had issues installing SmartView on his Windows 7 64-bit machine. (I’m running 64-bit Vista right now.) He read somewhere that ClearWire’s software will install on Windows 7. Since Sprint and ClearWire are the same 4G network (Sprint divested/invested in ClearWire), the software should work. So, I happily installed ClearWire’s software trying to “upgrade” from SmartView.

It didn’t work. What’s worse is that SmartView refuses to function. Even after a complete de-install/re-install. Even after deleting sections of the windows registry, and the Sprint sub-folder in my %APPDATA% folder. (For those of you who don’t know what registry and %APPDATA% are, be thankful, and just realize I was taking desperate measures to cope with broken software.)

As it turns out, one of our IT guys told us that the 32-bit version of Clear’s software seems to work with Sprint’s 4G network (meaning, it authenticates under a Sprint 4G account; Clear and Sprint have the same network). However, the 64-bit version doesn’t. That didn’t help my Win7-64 friend and me.

What did help immensely was this post at the sprint forums. This guy “manned up” and modified the Clear software so it’ll connect to the 4G network using a Sprint account:


And it worked for me! So, no more trying to get SmartView running again. This software is way better. It’s much smaller and less intrusive. Its default install automatically reconnects when the signal is dropped. It has more updated drivers, and it supports 64-bit Win7. It’ll connect using either the 4G or the 3G modems built into the U300 (which Clear also sells).

The lesson learned here is that Sprint is distracted by 4G. It’s not their main thing. They’re supporting a bunch of other devices, and they don’t invest as much in their SmartView software. However, 4G is all ClearWire does. It shows in their software’s usability.

Just an FYI: there are no guarantees to any of this working for you. Also, the buttons on the clear software “my account”, “my usage”, “my local” won’t work for me because I don’t have a clear account… but that might change.

ClearWire also supports the built-in Intel WiMax radio inside my Lenovo T400. So, I’m going to try out their service as an official subscriber. That means I give up connecting using 3G, but that’s not so bad. It’s almost worse to have the 3G backup, because your 4G connection will imminently drop, the software will connect you on 3G, and you’ll be stuck on 3G unless you manually reconnect to 4G. Also, the U300 works better with a proprietary Y cable (supplied by Sprint/Clear) that allows for more power; it’ll be nice to not have to worry about that cable.

Incidentally: if you connect to Clear’s network (using Intel’s PROSet WiMax utility), you’ll get an offer for a 30-day free trial (until the end of the year), which you won’t see on their home page or anywhere else. So, it pays to just try to connect and get the offer. You do have to agree that they get to send you emails during the 30-day trial period. I’ll post a follow-up with how ClearWire’s service looks (as an official subscriber), but for right now, I’m much more impressed with ClearWire than with Sprint.

Written by PoojanWagh

November 18th, 2009 at 8:37 am

Posted in Web


More speed testing on Sprint 4G WiMax


I’m taking the train along Metra’s Milwaukee District West. Here’s a test close to the Elgin Station:

That’s right: 5 Mbps down and 1 Mbps up. Except that by the time I reached the next station, the 4G was disconnected. I can’t say that this is due to Sprint’s 4G network, due to their software, or if it’s due to my laptop. Regardless, it’s annoying. I do have a couple firmware updates to install, though. I tried doing it last night, but I’m not exactly sure how to (the button to update didn’t seem to do the job.)

Another thing that’s annoying? After I reconnect, the Sprint SmartView software opens Sprint’s web site in my browser. This is mildly annoying when I have Firefox up (it just adds another tab). However, it’s absolutely intolerable when I don’t, because I just want to get back to work, but instead, all of a sudden, Firefox pops up with:


I’ve been looking for a way to stop SmartView from doing this, but I haven’t found it yet. Incidentally, I had to reconnect twice while writing this post.

OK: make that 4 times. If anyone is wondering, I’m using the U300 (can’t tell if it’s Sierra Wireless or Franklin) modem. It supports both EV-DO and WiMax. It does not automatically hand over. I’ve also tried getting SmartView to auto-reconnect to WiMax, but that doesn’t work either. You have to manually reconnect when disconnected.

Written by PoojanWagh

November 13th, 2009 at 8:38 am

Posted in Web


Sprint’s Chicago 4G Initial Speed Tests


I’ve been upgraded to Sprint’s 4G WiMax. I’ve tried it for all of 10 minutes. The connection (coming out of downtown on the Metra) was a little spotty. I keep getting disconnected. It’s unlikely but possibly the fault of my laptop (the Lenovo T400 seems to have trouble holding a WiFi connection, but AT&T and Sprint 3G mobile broadband seem fine). Anyway, here are the speed test results:

1.047 Mbps download isn’t bad. However, I’m extremely happy about the 657 kbps upload. That’s going to be some good VNC.

A little further out (near the Grand/Chicago stop on the Metra Milwaukee District West line), I got the following:

2.3 Mbps down and 731 kbps up. Nice! Hopefully, the connection holds stable.

Written by PoojanWagh

November 12th, 2009 at 4:51 pm

Posted in Web


An Open Letter to Barnes and Noble


I got mad after just completing a purchase with Barnes & Noble. Seriously? They expect to compete with Amazon in the online game? Amazon at least takes security seriously. That’s the very basics of competing online: customers must trust you with their credit cards. Anyway, here’s the rant I sent them:

I’d like to express my gross dissatisfaction with your association with WebLoyalty, Inc.

I noticed it recently when completing a purchase. You certainly know that most of your customers don’t gain any value in the services offered by WebLoyalty. In effect, it’s a scam that they will try to get out of in the near future. Most of your customers will be surprised that they unwittingly gave their credit card information to WebLoyalty through your web site.

If you want to beat Amazon and your other online competitors, customers need to trust your web site. They cannot do so when you present links to sites such as WebLoyalty that are notoriously nefarious [1][2].

[1] http://www.grc.com/sn/sn-207.htm
[2] http://www.consumerwebwatch.org/dynamic/ecommerce-investigation-webloyalty.cfm

Written by PoojanWagh

August 26th, 2009 at 11:50 pm

Posted in Web


HarvardBusiness Study: 10% of twitter produces 90% of tweets


I just read New Twitter Research: Men Follow Men and Nobody Tweets – Conversation Starter – HarvardBusiness.org.

A few things strike me about the results:

  1. It fits the 80/20 rule (here, 90/10).
  2. Twitter is basically a broadcast service–not a one-on-one messaging tool.

#2 strikes me because I’ve always seen myself as an outsider. I’ve always felt that there must be a large contingent of twitter users that use twitter to tell their friends where they’re meeting for drinks tonight.

I’ve told friends that the only thing they’ll get from me on twitter is spam. (That’s a bit facetious: I’d like to think that my blog posts have intellectual value that advertisements telling people they can exchange money for retail products do not.) If I were a corporation, my tweets would be filled with tons of marketing.

I suspected that I’m not getting this utility out of twitter because my friends aren’t on there, sharing in dialog.

What I realize now is that there’s a sort of myth behind twitter: it’s generally being used as a broadcast medium. In that respect, it seems less useful for my socializing: I don’t really care what most of my friends are doing each night in Chicago. I’m not in Chicago most nights. If I have a night available to meet up with friends, I’ve already pre-arranged it.

Incidentally, I learned about this post from http://twitter.com/HarvardBiz/status/1995340326

Written by PoojanWagh

June 1st, 2009 at 4:10 pm

Posted in Behavior,Web


DreamHost vs BlueHost


I’ve been thinking about switching from DreamHost to BlueHost. My main reason is price: I’m paying around $10/$9/$8 per month (1/2/3 year term respectively). However, I’ve come across a coupon that causes BlueHost to charge me $5/$4/$4 per month (1/2/3 year term respectively). My DreamHost term expires in June, so I’ll need to either pay month-to-month or sign up for another year.

My difficulty with BlueHost is that you need to pay up-front: there’s no free trial term. I want to lock in this cheap hosting for as long as I can (3 years preferably), and BlueHost will reimburse you if you quit early. But I want to make sure I don’t regret the time I spend switching hosts—and I definitely don’t want to have to undo all my changes sometime in the future. If anyone has any experience with both DreamHost and BlueHost, let me know (in the comments for this post).

Here’s a comparison with the services I’d be interested in:

Service                  DreamHost         BlueHost
IMAP Email               YES               YES
WordPress                YES               YES
SSH                      YES               YES (but 1 account)
ZenPhoto                 YES               YES
Backup Space             YES               NO
SSH tunneling            YES               ?
Mail Filtering           SORT OF           SORT OF ?
HTTP-SVN (SyncPlaces)    YES               NO
Shared SSL               NO                YES
SSL                      YES ($4/month)    YES ($2.50/month)
IkiWiki                  NO                NO ?

The “SORT OF” entry under Mail Filtering isn’t merely a pun: I just mean that both hosts provide mail filtering, but they don’t (for example) do custom sieve scripts.

Between DreamHost and BlueHost, the main difference is in off-site backups. BlueHost does not provide them, so I’d have to continue paying Amazon. (I use Jungle Disk’s interface to Amazon S3.) This isn’t so bad: Jungle Disk’s solution is set-and-forget, with very little intervention required. If I decided to use the FTP space that DreamHost provides, I’d probably go with manent. I haven’t tried it in a while, but it looks really good, and they’ve just added a Windows installer.

For SSL, BlueHost is better since they offer a shared SSL site and they offer unique IPs (required for SSL) for cheaper than DreamHost. I don’t know if BlueHost provides SSH tunnelling. However, if I can use SSL, I don’t need it (I use SSH tunnelling to secure my HTTP traffic).

I’ll probably stick with DreamHost for now. But, I’ll continue to obsess over BlueHost. If anyone has any information to tip me in either direction, I’d be relieved to hear it.

Written by PoojanWagh

May 30th, 2009 at 10:57 pm

Posted in Web
