Create strong, unique, and memorable passwords

Salt and Pepper Passwords

Password management is a constant struggle.
Most folks just give up on managing passwords and end up using the same password for everything. The problem with that is that some passwords expire, requiring you to change them periodically. So your plan of one single password goes out the window. You end up with an array of different passwords all created at different times without any plan or methodology for all the various sites you visit and at some point it will happen. You will forget your password.

Now most websites have ways to recover your password by simply clicking a link, maybe verifying the name of your favorite pet, and responding to an email with a link to reset the password. So password recovery is fairly simple and common.

But my goal is to give you tips to create your own unique, memorable password creation and management system so you’ll never forget a password again. It’s a method I call “Salt and Pepper Passwords”.

Creating strong passwords.
Complexity and length add to the cryptographic strength of any password. Now I won’t go into the math behind it, but the longer your password, and the more complex, the stronger the password. Length is fairly simple… more characters take longer to guess. And in general, complex passwords contain a blend of letters (A,a,B,b,C,c,…), numbers (1,2,3,…), and special characters (~,!,@,#,$,%,^,&,*,…).

What good is all this length and complexity if you can’t remember what you created? I mean Cx$t78#vbR9d6^pGW is a long complex password, but who can remember it? Let alone type it with any accuracy when all you see is •••••• on the screen.

Creating memorable passwords.
You may have heard about the mnemonic device method of password creation. That’s the method where you think of a sentence, “Mary had a little lamb whose fleece was white as snow!”, and then create a password from it…

Mhallwfwwas!

Now that’s a long, and fairly strong password that is easy to remember… But imagine having to come up with a unique one of those for each site you log into.

My Salt and Pepper Password method is a simple way to help you create long, strong, memorable, unique passwords for all your sites. It is loosely based on the ATM card idea. Your PIN is only 4 characters, and they are all numbers, so how secure can it be? Well, the security is dual layer because it’s something you have (your ATM card) combined with something you know (your PIN). So my method uses the same principle.

SALT
The part I call the salt is like your PIN. It should be short, easy to remember, meet the complexity rules, never be written down, and kept a secret… just like your ATM PIN. You are going to throw salt on all your passwords; it’s the “Something You Know” part of your password management system. For example, I’ll use $a1T as my salt. It uses an uppercase letter (T), a lowercase letter (a), a number (1), and a special character ($), so it meets the complexity rules. Now don’t use my salt. Come up with your own, and have fun with it, because you’ll be typing it a lot from now on.

PEPPER
The part I call the pepper is like your ATM card. It adds to the length of the password, which adds strength, and it is the “Something You Have” part of your password management system. The pepper will be tied to each site to keep it unique from your other passwords. You can even write it down and keep it in your wallet or purse, because without the salt it’s useless, just like your ATM card is useless without your PIN. I’ll give you a few ideas and follow up with a couple of examples, but ultimately how you choose your pepper is up to you.

Pepper needs to relate to the site you are logging into. You can use word association (Amazon.com = jungle), part of the site name (Amazon.com = amaz), or whatever will help you to remember it (Amazon.com = books). Once you decide on how to choose your pepper, use the same method on every site and you won’t have to write it down. But even if you keep a list of peppers in plain sight you’re still okay.

SALT and PEPPER
Let me give a few examples to show how the salt and pepper work together.

Ex: Amazon.com
So you’ve come up with your salt ($a1T) and are now on the Amazon site ready to change your password. You’ve chosen to use word association to create your pepper (jungle). Now it’s time to put your salt and pepper together and make a unique, strong, and memorable password. How you combine them is up to you, and making up your own rule adds even more security. Here are a few combinations I came up with:

  • $a1Tjungle
  • jungle$a1T
  • jun$a1Tgle
  • $ajungle1T

For illustration purposes let’s say I choose the third option where I split my pepper after the third letter and insert the salt in between. In my wallet I could just keep a card that says “Amazon Jungle” and no one would know.

Okay, let’s do another one…

Ex: Monster.com
So now I’ve gone to Monster to update my password to use the new system. Using the same word association method for choosing my pepper I go with (godzilla). Add in my salt after the 3rd letter and… god$a1Tzilla …my strong, unique memorable password is born. I get out my wallet card and write down “Godzilla Monster” right below “Amazon Jungle”.

When your password expires or changes all you need to do is choose a new pepper and update your wallet card. Okay, let’s do one more…

Ex: iTunes
Now it’s time to get the iTunes password in line with the Salt and Pepper password system. The same salt goes on everything, so all we need is some pepper. But what word associates with iTunes? I came up with (mp3 music). I know, not very creative. So I throw my salt in after the 3rd letter and we have mp3$a1Tmusic. Then I decided that since my pepper was pretty simple I wasn’t even going to add it to my wallet card.

So to sum up…
Something you know is your salt, put it on everything.
Something you have is your pepper, it is related to the site somehow.
Your method for combining Salt and Pepper can be whatever you want.
Your method for choosing your Pepper can be whatever you want.
If you choose the methodology, it will be easy for you to remember and difficult for others to guess.
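Here is the whole scheme in working Python, as an added example (it is not code from the original post): the first-letter mnemonic from “Mary had a little lamb…”, the complexity check, and the “salt after the third letter of the pepper” combination rule. The salt $a1T and the peppers come from the post; the function names, the 8-character minimum length and the short-pepper fallback are assumptions made for this example.

```python
import re
import string

# Sample values from the post: the salt "$a1T" and the peppers "jungle",
# "godzilla" and "mp3 music". Function names, the minimum length and the
# short-pepper fallback are this example's own assumptions.
SALT = "$a1T"
PEPPERS = {"Amazon.com": "jungle", "Monster.com": "godzilla", "iTunes": "mp3 music"}


def mnemonic_password(sentence: str) -> str:
    """First letter of every word, keeping any trailing punctuation on a word
    (so "snow!" contributes "s!"), as in the Mary-had-a-little-lamb example."""
    parts = []
    for word in sentence.split():
        parts.append(word[0])
        trailing = re.search(r"[^A-Za-z0-9]+$", word)
        if trailing and len(word) > 1:
            parts.append(trailing.group(0))
    return "".join(parts)


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """The post's complexity rules (uppercase, lowercase, digit, special
    character) plus a minimum length; 8 is assumed, the post gives no number."""
    return all([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
        len(password) >= min_length,
    ])


def salt_and_pepper(salt: str, pepper: str, split_at: int = 3) -> str:
    """The post's third combination: split the pepper after `split_at`
    letters and insert the salt between the halves. Spaces in the pepper
    are dropped, which is how "mp3 music" became mp3$a1Tmusic."""
    pepper = pepper.replace(" ", "")
    if len(pepper) <= split_at:
        # Pepper too short to split: just append the salt (assumed fallback).
        return pepper + salt
    return pepper[:split_at] + salt + pepper[split_at:]


def site_password(salt: str, pepper: str, split_at: int = 3) -> str:
    """Build the password for one site and refuse it if it fails the rules."""
    password = salt_and_pepper(salt, pepper, split_at)
    if not meets_complexity(password):
        raise ValueError(f"{password!r} does not meet the complexity rules")
    return password


if __name__ == "__main__":
    print(mnemonic_password("Mary had a little lamb whose fleece was white as snow!"))
    for site, pepper in PEPPERS.items():
        print(f"{site}: {site_password(SALT, pepper)}")
```

Only the PEPPERS table is what would go on the wallet card; the SALT value never leaves your head, which is exactly why the card on its own tells a finder nothing.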

Never forget your password again.

If you do forget your password, all you need to do is reset your password by coming up with a new pepper, and then throw a little salt on it.

This is by no means an ultra high security password generation method. For that I’d recommend checking out GRC’s Perfect Passwords Generator. But if you are going to use passwords like that then I recommend using a password manager. I use LastPass to manage and keep track of my passwords. Because even with a good methodology for creating passwords, it’s really handy to have all your credentials securely stored in one place. With the Premium version you can use the app on mobile devices and integrate password management with your fingerprint reader.

I hope this helps,
Erik

TeamViewer first impressions

I recently tried out TeamViewer for the first time after it was recommended to me by another tech. Most of the support calls I get have to do with virus removal, and internet access is usually compromised, or at least degraded, so remote support isn’t an option. But this call was for printer support, so I thought I’d give it a try. Here are my first impressions…

The website

I was impressed with their website: it was easy to navigate and everything was explained in plain language, making a great first impression.

Here’s a blurb from the TeamViewer.com website…

With TeamViewer you can remotely control any computer as if you were sitting right in front of it – even through firewalls. All your partner has to do is start a small application, which does not even require installation or administrative rights.

The install

There are basically two parts to using TeamViewer: the person who is going to have remote control needs to download and install the full version, and the host only needs to download and run the TeamViewer QuickSupport version. I was able to walk the person through the TeamViewer website over the phone to download and run the QuickSupport app. Easy peasy.

When you launch TeamViewer QuickSupport you get assigned an ID and a Password. Give that information to the person who is going to remote control your computer and they’ll enter it into the full version remote connection tab. Abracadabra, hocus pocus, like magic the connection is made.

Remote control

For the printer I was troubleshooting I was able to quickly browse around the computer and check the usual suspects: event viewer, device manager, print drivers, IP address, etc. Because I was remotely connected it was like I was sitting in front of the computer and I was able to poke and prod and gather tons of information on the problem that would have taken me much longer to walk someone through over the phone. The speed and display were good so I was instantly a fan.

TeamViewer also provides the ability to transfer files, simply by “drag-n-drop” from your local machine to the remote computer. Since I already had the latest print drivers on my computer that saved me from having to go out to the web on the remote host, searching the manufacturer site for the drivers, filling out the contact form, and downloading them again. It was simply… drag, drop, done. I can see this being helpful for virus support too, since many viruses block access to downloading anti-malware tools and updates.

The downside

The troubleshooting eventually led me to having to restart the physical printer while holding down a reset button on the network adapter in order to have it get a new IP address via DHCP. So an on-site visit was needed to complete the job. So while TeamViewer allowed me to quickly provide a remote diagnosis, nothing beats physical access to the device you’re trying to fix. Especially when you need to press buttons and unplug cables and such.

The result

Ultimately I had a great first impression of TeamViewer. If I can find a way to integrate it into my workflow I’ll get a site license and become an evangelist, but for now I’m providing a link to the TeamViewer.com site here in hopes that you might find it useful. It’s free for personal use, and is simple to set up and get connected. Give it a try and let me know your results.

Hope this helps,
Erik

Help, my Google search has strange results!

This is one of the more frequent things I hear from folks. You type a search request into your favorite search engine, but the results are all unrelated to the actual query. And there are lots of obviously bad sites showing up in the search results. Short and simple, you’ve got malware.

A while back I came across an article written by Rorschach112 called How To Fix Google Redirects – and all the steps/tools outlined in that post are very effective at resolving a lot of the Google redirect problems that I have had to deal with. So I thought I should post a link in case you’re the type of person who likes to fix-it-yourself.

How to fix Google Redirects, aka Win32/Olmarik, Rootkit.Win32.TDSS.u, Win32/Alureon.F, Backdoor.Tidserv!.inf

This infection hijacks your browsers to divert search engines to malware sites. Another symptom is getting the error message “DCOM server protocol launcher server terminated”. It is important that you do not try to fix this infection manually, or let your anti-virus program do it, as it can result in an unbootable machine if removed badly. This guide is designed to remove the infection easily and effectively, with no side-effects.

Rorschach112 goes on to describe step-by-step what you’ll need to do. He includes links to the specialized tools you’ll need and provides screenshots of what to expect along the way. It’s a simple, straightforward self-help document. So if your search results aren’t what you expect, give it a try.

So how did I get infected with this stuff?

I found the article above while researching the Backdoor.TidServ infection that Symantec found on someone’s computer. As it turns out this particular virus had originated back in 2008 and has morphed quite a few times and is still actively affecting machines. It uses various techniques to trick a user into installing the virus.

Some of the infection methods involve posting links in blog comments or web forums that point to sites which have been hacked via SQL injection. By exploiting weaknesses in database security a malware author can insert code through a web form which can alter the contents of a website, often without the website owner becoming aware until well after the damage has been done and the site visitors have been infected. This is sometimes referred to as a drive-by infection, because the visitor may innocently stumble upon a site that has been hacked in such a manner and not be aware that they’ve picked up a virus until much later when they try to search for something.

Other methods of infection involve peer to peer file sharing services. The majority of traffic on these file sharing services is from people trying to obtain pirated/illegal software and keygens or cracks to unlock software for free. The malware authors often post their wares with names of popular search items and just sit back and wait for folks to download, install and infect themselves.

So why do virus writers do it?
Well, the answer is quite simple really. Money.

By redirecting your search results to sites of their choosing they can trick you into visiting sites which have a pay-per-click kickback to whoever referred the visitor to the site. If a virus writer could infect and refer 1,000,000 people, it adds up quickly.

Even more profitable are the pay-per-install programs. There are companies which offer affiliates a small fee from sales of their software. Symantec studies found one program in their research that paid referrers $0.15 per install. That may not sound like much, but if a person controlled 200,000 machines with a backdoor trojan and told them all to install that piece of software, it’s a quick $30,000.

Be safe out there, and as always, if you need anything I’m here to help!
-Erik

So you think you have a virus?

Is your computer running especially slow?
Are your search results hijacked?
Are you getting pop ups?

It seems like a never ending battle at times. Malware (malicious software) keeps changing and finding ways to infect your computer. The first thing you’ll need to do is get rid of the malware, the next step is taking the preventative measures to make sure you don’t keep getting hit.

Getting rid of the virus…
Most folks already have a desktop antivirus solution in place. If not, then I recommended a couple free antivirus programs earlier. The important thing is to make sure whatever antivirus software you have is updated and set to scan on-access, also called real-time scanning. Outdated antivirus software is worse than no antivirus because it gives you a false sense of protection. So the first step is to update your antivirus software and run a full scan.

A second opinion…
Oftentimes, the first thing a virus does to your system is disable your installed antivirus, so an online scan is helpful in those situations. Online scanners are nice because they are always up to date. Also, the different software vendors look for different threats, so if you have McAfee or Symantec installed, you can run the TrendMicro, Eset, or Kaspersky scans to be sure your local antivirus didn’t miss anything.

Here are a few links to different online virus scanners to help you get a second opinion.

TrendMicro Housecall
http://housecall.trendmicro.com/

Kaspersky Online Scan
http://www.kaspersky.com/virusscanner

ESET online scan
http://www.eset.com/onlinescan/

Keep in mind that running an online scan can often take a long time, so plan to run the scan overnight, or when you’ll be away from the computer for a number of hours. Also remember that online scanning is a reactive process. Nothing beats the peace-of-mind you get by having updated desktop protection running full-time and keeping you safe.

Staying protected…
In an earlier article I wrote that choosing a desktop protection solution can be as easy as using whatever comes pre-installed on your computer by the manufacturer, whatever is on sale at the local bulk warehouse store, or whatever your friends and family use and recommend. I even posted a few of my recommendations.

But be careful and do not install more than one antivirus software because they can conflict with each other, slowing down your computer and possibly leaving you unprotected as they fight over who gets to scan your files.

If you get a pop-up virus warning that isn’t from your installed antivirus software, then you’ve already been infected by a rogue program. Give me a call. I’m here to help.

’Tis the season, the computer virus season.

Be careful what you click...
Hey, it’s me again, happy holidays! Last time I posted a few recommendations for security software. The feedback I received was great, I am glad you found the blog post useful. My goal is to keep providing helpful information for you.

Now is the time of year the virus writers are taking full advantage of all the holiday e-cards being sent. So please use caution when clicking links in email. Take the time to verify that you know and trust the sender, and be sure that the link you are about to click is from a reputable site.

For example, a recent spam email I got was from Halmark-Greeting; notice that there is only one “l” in Hallmark. Some junk mail is easy to spot due to typos, either intentional or not, but other messages are more difficult to spot.
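As an added example that is not part of the original post, here is one way to automate the “only one l in Hallmark” check in Python: the sender’s domain is compared, token by token, against a short list of domains you already trust, and anything within one edit of a trusted brand name (or an exact brand name sitting in a domain you don’t trust) is flagged as a lookalike. The trusted list and the full sender address are constructed for the example; the post only mentions the “Halmark-Greeting” name.

```python
# Constructed data for this example: a few domains the reader already trusts.
# The suspect address is built from the post's "Halmark-Greeting" sender; the
# post does not give the full address, so the domain below is assumed.
TRUSTED_DOMAINS = {"hallmark.com", "amazon.com", "paypal.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of a From: address such as 'Cards <x@Y.com>'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()


def brand_names(domains) -> set:
    """The label before the top-level domain, e.g. 'hallmark' from 'hallmark.com'."""
    return {d.split(".")[-2] for d in domains}


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """'trusted' for an exact trusted domain; 'lookalike of <brand>' when any
    hyphen-separated token of the domain is within `max_distance` edits of a
    trusted brand name; otherwise 'unknown'."""
    domain = domain.lower()
    if domain in trusted:
        return "trusted"
    labels = domain.split(".")[:-1]  # drop the TLD, keep the rest
    tokens = [t for label in labels for t in label.split("-") if t]
    for brand in sorted(brand_names(trusted)):
        for token in tokens:
            if levenshtein(token, brand) <= max_distance:
                return f"lookalike of {brand}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, including the typo-squat from the post.
    for sender in ("Cards <cards@Halmark-Greeting.com>", "news@hallmark.com",
                   "billing@paypa1-secure.net", "erik@example.org"):
        print(f"{sender:40s} -> {classify_domain(sender_domain(sender))}")
```

A lookalike verdict is a reason to stop and verify the sender through a channel you already trust, not a verdict on its own; an unknown domain is simply one you have no history with.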

Here’s a tool I use and recommend to help check out web links:
McAfee Site Advisor

“SiteAdvisor software adds safety ratings to your browser and search engine results.”

So, first you need to download and install the Site Advisor tool from McAfee. Then, anytime you search (using Google, Yahoo, Bing, etc.), the results will have a Site Advisor icon to indicate whether the link is good, bad, or unknown. It’s really that simple. So instead of clicking a link in an email… just copy/paste it into your favorite search engine and let Site Advisor… um, advise you. 🙂

If you have any questions or comments, please let me know. I’m here to help.
-Erik

How are you staying protected?

Here’s a simple checklist for you:

  • Practice safe computing procedures
  • Keep all your software updated
  • Install anti-virus software on every computer
  • Install anti-malware software on every computer
  • Install a personal firewall on every computer
  • Backup often
  • Have a recovery plan in place

Safe Computing Practices

This basically means that you need to be careful and use common sense. Don’t open unknown attachments, don’t install unknown programs, don’t use P2P file sharing, and so on. It only takes a few seconds to click on something… and hours, perhaps days, to recover from the damage.

Software Updates

In a previous blog I mentioned Secunia as one of the good guys out there helping to keep your software updated. It’s important to update all your software on a regular basis. That includes Windows, Office, Adobe, Java, Anti-virus, Anti-spyware, and anything else you can think of. Malware programmers are always looking for holes into your computer and unpatched software is a prime target. Out of date protection is worse than no protection because it lulls you into a false sense of security.

Anti-virus

There are lots of good anti-virus programs, so choose one that you like and stick with that. Here are a couple of links to some free anti-virus programs that I’ve used and recommended. Just remember to only install one anti-virus. Having multiples can cause conflicts and render both useless, leaving you exposed.

Avira Antivir Personal

MS Security Essentials

Anti-Malware

This one is easy for me to recommend. I’ve used it and it’s tried and tested to be one of the best.

Malwarebytes Anti-Malware

Firewall

At a minimum you should be running the built in Windows Firewall. But it’s recommended that you install a personal firewall as well. The Windows firewall blocks incoming ports preventing the bad guys from getting into your computer. A personal firewall also blocks outgoing ports which helps to prevent malware from “phoning home” and downloading more malware onto your computer. Here are a couple links for personal firewalls.

Online Armor

Outpost Firewall

Backup

There are many different backup solutions available today: from manually burning CDs/DVDs of your photos, to using software to copy important files to external USB storage, and even using scheduled backups to online storage. The important thing is to backup early and backup often. You never know when disaster may strike so always keep a copy of your important files.

Recovery

Recovery is as simple as reversing your backup plan, or at least it should be. Again, you can only recover what you’ve already backed up. If you’ve used backup software to save your files to external media (CDs/DVDs/USB storage, etc.), then make sure to store a copy of that software along with your media.

I hope that this checklist helps to outline the steps to staying protected on the internet. The only truly safe and secure computer is one that is not connected to the internet and unplugged from the wall. Of course it may be safe but it’s not very useful. 🙂

As always, if you have any questions or comments feel free to contact me.
Be safe out there,
Erik

Do not forward virus hoaxes!

We’ve all seen them. Most hoaxes are started as a joke, but then they get passed on to gullible users, who in turn spread them even further thinking that they are doing their friends and family a favor by spreading the *warning*. The majority of warnings you get via email are fake and deleting them is the best course of action. But if you receive a virus warning from someone via email, and you don’t want to delete it, do us all a favor and check it against these three sites before passing it on.

Symantec Hoax Alerts: http://www.symantec.com/avcenter/hoax.html
Symantec Security Response uncovers hoaxes on a regular basis. These hoaxes usually arrive in the form of an email. Please disregard the hoax emails – they contain bogus warnings usually intent only on frightening or misleading users. The best course of action is to merely delete these hoax emails. Please refer to this page whenever you receive what appears to be a bogus message regarding a new virus, or promotion that sounds too good to be true.

F-Secure Hoax Warnings: http://www.f-secure.com/virus-info/hoax/
This page is considered the industry standard information source for new virus hoaxes and false alerts. Hoax warnings are typically scare alerts started by malicious people – and passed on by innocent users who think they are helping the community by spreading the warning.

McAfee.com Virus Info: http://home.mcafee.com/virusinfo/
Find out which viruses are infecting PCs in your neighborhood and around the world.

All it takes is a little critical thinking to put an end to the hoax spam we all receive. If anyone along the way checks it out and finds out it’s false the chain breaks and the spam stops.

Hope this helps,

Erik

5 ways to stop spam

I don't like SPAM!

One of the questions I get asked fairly often is “Why am I getting so much junk email?” The answer is simple… money.
Well, it’s more complicated than that, but ultimately that’s what it comes down to.

Money? Yes, money.
Estimates say that in 2005 there were *only* 30 billion spam emails sent… in 2007 the number jumped to over 90 billion. (source: wikipedia) The amount tripled in just 2 years and it seems like we are getting even more unsolicited commercial email (UCE) in our mailboxes every year. Why? Because it’s almost free to send email and it works. People still respond to these messages. The bad guys make money from folks ordering prescription pharmaceuticals, viewing pornography, buying replica designer watches, downloading software, and even turning your computer into a spam email sender. The return on investment is huge because it is basically postage-due advertising where the cost is paid by the recipient. And it only takes a tiny fraction of people buying this junk to keep the incentive for the spammers.

So what can you do about it?

1) Don’t respond – Take away the financial motivation for the businesses who send junk mail. Most of us don’t respond, but it’ll only stop if everybody stops buying from companies who use unsolicited email for their marketing. Don’t fall for the trick of “unsubscribe from these emails” either. Any response to junk mail just serves to verify your email is legitimate. A verified address is more valuable to spammers because they can now sell your email address to another spammer.

2) Turn off auto-preview – Many email clients automatically open up email as a “benefit” to users. Actually, it benefits the junk mail senders, virus writers and malware creators more than it benefits users. Auto-preview does a few things that help keep spam alive. Auto-preview might download images from the web, which is another method spammers use to “verify” your email address. Auto-preview may also allow security threats to automatically launch multimedia files, harmful executables, infected PDFs, etc.

3) Keep your system updated – Out-of-date security is worse than no security. Software vendors have made a concerted effort to regularly update their software to ward off new and emerging security threats. But if you don’t keep your software updated, then the bad guys can exploit known flaws and install malware on your machine. So how does keeping your computer secure stop spam? Malicious software known as a “trojan horse” is designed to allow a hacker remote access to your computer so he can turn your computer into a spambot. An army of these bot machines is rented out to spammers at the rate of $700/hr, allowing them to send email from multiple machines at alarming rates.

4) Use layered protection – As with all security, a layered approach works best. Most email providers will offer spam protection for their users. Then add another layer on your desktop to catch anything that might slip through the first layer. Typical desktop protection costs between $30-40/year. Below are a few of the top rated desktop solutions. McAfee and Norton also offer protection within their security suites.

MailFrontier Desktop
http://www.mailfrontier.com/products_matador.html

SonicWall Anti-spam Desktop
http://www.sonicwall.com/us/products/anti-spam-desktop.html

Cloudmark Desktop
http://www.cloudmark.com/desktop/

5) Don’t give out your email address to just anyone – It may be too late for this last bit of advice. I urge people to treat an email address like a credit card: only give it out to folks with whom you are doing business or whom you inherently trust. If you receive more junk mail than legitimate mail it may be time for a new email address. There are lots of freely available web-based email services out there, Gmail, Yahoo, MSN, to name a few. Sign up, send your friends and family the new email address, and start using that as your primary email.

GMail
http://mail.google.com/

Yahoo
http://mail.yahoo.com/

MSN
http://www.msn.com/

If you have any questions or comments let me know. I’m here to help.

-Erik

How secure is your internet connection?

Gibson Research Corporation – GRC.com

Have you tested your shields lately?

The folks at GRC have created a web-based scanner that will tell you exactly how secure (or insecure) your connection to the internet is (or isn’t). Click on over and you’ll find ShieldsUP listed under Services at GRC.com.

Here’s what they have to say about their scan…

This Internet Common Ports Probe attempts to establish standard TCP Internet connections with a collection of standard, well-known, and often vulnerable or troublesome Internet ports on YOUR computer. Since this is being done from our server, successful connections demonstrate which of your ports are “open” or visible and soliciting connections from passing Internet port scanners.

via GRC | ShieldsUP! — Common Ports Probe.

The ShieldsUP scan is one of the tools I use and recommend (along with lots of other offerings from GRC.com; more on those later). It takes a minute or so to run the port probe, but the satisfaction of knowing that your internet connection is secure is well worth the wait. And if your connection is insecure you will get detailed information on the open ports, what the risks are, and what you can do about it.
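To make the “open / closed / stealth” distinction concrete, here is an added Python example (not GRC’s code) that performs the same kind of TCP connect attempt against your own machine’s loopback address and reports what a remote prober would see. The port list and the function names are this example’s own choices; the demo starts and stops a throwaway listener so you can watch an open port turn into a closed one.

```python
import socket

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"

# Well-known ports of the kind a common-ports probe tries; this particular
# list is the example's own choice, not GRC's.
COMMON_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
                135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds", 3389: "rdp"}


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """One TCP connect attempt, reported the way a remote probe sees it:
    open     - the connection completed, something is listening;
    closed   - the host answered with a reset, so it is visible but not listening;
    filtered - nothing came back before the timeout (the "stealth" case)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except (TimeoutError, OSError):
        # No reply or no route: from the prober's point of view, silence.
        return FILTERED
    finally:
        sock.close()


def probe_ports(host: str, ports=COMMON_PORTS, timeout: float = 1.0) -> dict:
    """Probe several ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def rating(states: dict) -> str:
    """Summarise like the report in the post: stealth only if every port was silent."""
    if all(s == FILTERED for s in states.values()):
        return "stealth"
    if any(s == OPEN for s in states.values()):
        return "open ports present"
    return "visible (closed ports answer)"


def open_listener(host: str = "127.0.0.1") -> socket.socket:
    """Throwaway listener on an ephemeral port so the probe has something to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def demo() -> tuple:
    """Show the open/closed difference on the loopback interface."""
    srv = open_listener()
    port = srv.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    srv.close()
    after_close = probe_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print("demo (listening, then closed):", demo())
    results = probe_ports("127.0.0.1")
    for port, state in results.items():
        print(f"{port:5d} {COMMON_PORTS[port]:14s} {state}")
    print("rating:", rating(results))
```

Run against 127.0.0.1 this only tells you what is listening on your own machine; the value of a probe from outside, as ShieldsUP does it, is that it also shows what your router or firewall lets through, which is the part a loopback check cannot see.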

Head on over and run the scan. If you don’t get a “True Stealth” rating let me know and I’ll see if I can help. Here are the results of my most recent scan…

Your system has achieved a perfect “TruStealth” rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to “counter-probe the prober”, thus revealing themselves. But your system wisely remained silent in every way. Very nice.

As you can see, the results are written in a clear and friendly style. Gibson Research Corporation is another one of the good guys out there helping to tame the wild and woolly internet for folks like you and me. Now go check your shields.

Are you protected?

Tech Tip – Vulnerability Scanning: Secunia.com

Most Windows users know about Windows Update and probably have it set to check automatically for critical updates to Windows. But what about the rest of your software?

That’s where Secunia comes into play. I first learned about Secunia at one of the network security conferences I regularly attend and found them to be one of the good guys.

Here’s what they have to say about their software inspectors…

Scan, detect, and update vulnerable programs. The Secunia Software Inspectors are the first internal vulnerability scanners that focus solely on detection and assessment of missing security patches and end-of-life programs – the result is an unprecedented level of scan accuracy. Scanning for missing security patches and vulnerabilities has never been easier or more precise. The Software Inspectors are perfect supplements to Windows Update as they inform about missing patches for thousands of third party programs. Secunia offers three Software Inspectors, each with a specific user focus.

I personally use the free PSI (personal desktop) product on my home computers and run the online scanner as part of my diagnostics when servicing clients. Give it a try and see what you think.
http://secunia.com/vulnerability_scanning/
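As an added example (not Secunia’s code or method), here is the core comparison such an inspector has to get right, in Python, serving both the Software Updates section of the checklist earlier on this page and this post: each installed program is checked against a latest-known version and an end-of-life flag. The inventory and the latest-version table are constructed for the example and the program names are placeholders; note that versions are compared numerically, because a plain string comparison puts 1.9.2 after 1.10.0 and would report a missing patch as already applied.

```python
import re

# Constructed inventory (what a scanner might collect from installed-program
# metadata) and a constructed "latest known" table. Neither comes from the
# post or from Secunia; the program names are placeholders.
INSTALLED = {
    "Example Reader": "9.3.0",
    "Example Runtime": "1.9.2",
    "Example Office": "12.0.6",
    "Old Player": "5.1",
    "Mystery Tool": "2.0",
}
LATEST = {
    "Example Reader": {"latest": "9.3.2", "eol": False},
    "Example Runtime": {"latest": "1.10.0", "eol": False},
    "Example Office": {"latest": "12.0.6", "eol": False},
    "Old Player": {"latest": "5.1", "eol": True},
}

PATCHED, INSECURE, END_OF_LIFE, UNKNOWN = "patched", "insecure", "end-of-life", "unknown"


def version_key(version: str) -> tuple:
    """Numeric tuple for comparison, so 1.10.0 sorts after 1.9.2
    (a plain string comparison gets this backwards)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def assess(installed=INSTALLED, latest=LATEST) -> dict:
    """Classify each installed program against the latest-known table."""
    findings = {}
    for program, version in installed.items():
        entry = latest.get(program)
        if entry is None:
            findings[program] = UNKNOWN       # not covered by the patch database
        elif entry["eol"]:
            findings[program] = END_OF_LIFE   # no more security fixes will come
        elif version_key(version) < version_key(entry["latest"]):
            findings[program] = INSECURE      # a security update is missing
        else:
            findings[program] = PATCHED
    return findings


def needs_action(findings: dict) -> list:
    """Programs to update or replace, sorted for a report."""
    return sorted(p for p, f in findings.items() if f in (INSECURE, END_OF_LIFE))


if __name__ == "__main__":
    results = assess()
    for program, state in results.items():
        print(f"{program:16s} {INSTALLED[program]:8s} {state}")
    print("needs action:", ", ".join(needs_action(results)))
```

The "unknown" bucket matters as much as the others: a program the database has never heard of is not known to be safe, only unassessed, and is worth checking by hand.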
