Other Ways To Connect

Friday, January 25, 2013

Password perils

In the brave new world of the cloud, you need a way to prove to the cloud that you are really you and not some Romanian hacker.

This is called user authentication, and for better or worse the state of the practice for user authentication is the pesky password.

On the surface the password seems quite reasonable.  You present the program with a word or phrase that only you should know.  If you are successful, then the program can assume that all further interactions really are from you (and not your child, your neighbor, or the Romanian hacker).

However, passwords have problems.
  •  Easy to guess passwords.  You want a password that is easy for you to remember but hard for others to guess.  Your anniversary date, your child's name, or your dog's name are probably easy enough for someone who knows you to guess.  If the password is short or a standard English word, then the Romanian hacker has it in a list, and he can set up a computer to launch a brute force attack against your account.
  • Using the same password everywhere.  You want a password that is easy to remember.  You have to authenticate yourself against dozens of services now, so it seems reasonable to use the same password everywhere.  However, not all organizations have the same level of security and vigilance.  The low security, low vigilance service will get hacked eventually.  Even organizations that should know better get hacked.  For example, my IEEE professional organization had all their members' passwords released this year.  If you use the same password everywhere, an exploit at one service means that the hacker will eventually try the same credentials at someplace more interesting like Citibank or American Express.  So at least use a different class of passwords at servers with very sensitive or money-oriented services.
  • Probably the biggest threat to a password authentication approach is social engineering.  With social engineering someone talks you into giving them their password.  The person seems to have quite a legitimate reason for needing your password.  Perhaps they say that they are from your bank and they need to adjust some things for your account.  The person sounds sincere and legitimate, so you give them the requested information.  Now they are into that account and probably other accounts with the same password.
What is a person to do?
  • You could use a password vault or a password manager to record all of your account names and associated passwords.  A low tech version of this is a sheet of paper or a booklet that you keep in a secure location, i.e. not on a sticky note next to your computer at work.  Search for "password vault" on Google for lots of higher tech versions.  A software password vault will store all of your passwords and account names.  You need a master password to open the password vault.  So the one password for the vault still needs to be easy enough to remember but secure.  But with a password vault, it becomes feasible to use truly random passwords and unique passwords for each account.
  • Another approach is to use an authentication against another service as an authentication for your own service.  For example, I can log into my bug tracking service using my corporate gmail account.  Or I can log into a game site using my Facebook account.  This means you have to track fewer passwords, which is good.  But you must understand how much you trust the authentication on the original service.  For example, I'm happy to use my Facebook authentication on a game site, but I would never consider using it for my online bank account.
  •  If you read a security textbook, they tell you it is most secure to use random passwords.  20 years ago password length was limited to 8 to 12 characters, so randomness made a lot of sense.  Today almost all services allow for arbitrarily long passwords, so it makes sense to choose random phrases rather than random character sequences.  This xkcd comic makes the point very well.  You are going to be far more likely to remember a pronounceable nonsense phrase rather than a non-pronounceable nonsense character sequence.
What other options are there?
  • Biometrics are popular in movies, and things like fingerprint readers are becoming mainstream.  You can order one in most new laptops and desktops.  Biometrics catch the fancy because you cannot lose (except in extreme cases) or forget your fingerprint or retina pattern.  But biometrics work best in combination with something like a pass code.  Depending on what is being measured, biometrics accuracy ranges from 90% down to 60%.
  • Many banks (and SafelyFiled) offer an extra password or access code.  In certain situations, you must enter an access code sent to your mobile phone.  This raises the bar for the hacker.  Not only do they need to get your account name and password, they must get your mobile phone (or change your registered mobile phone to theirs).  Having to enter an extra access code is a hassle, but when used to "prove" the security/validity of a new location or new account it can be quite helpful to reduce security risk.
  • Many corporate environments use one-time passwords. An employee working away from the office is given a secure card.  He uses a PIN to access it, and it shows a password.  When he logs into the corporate server, he enters that password.  The next time he activates the secure card, a different password is shown.  This is a great solution for a controlled corporate environment, but not such a good solution for a consumer environment.  It isn't practical to have a secure card for every service you access. 
There is no "right way" to address the password problem.   Be diligent and aware of protecting your passwords.  Find a system that works for you to manage a variety of strong passwords.  Keep your ears open for new options, because authentication technology continues to evolve.

Friday, January 11, 2013

Meet SafelyFiled — a different kind of web company

Picture a room full of hip 20-somethings working around the clock, music blaring in the background, messaging to each other in a language no one understands, hoping to cash out and retire before they’re 30. That’s not us.

As internet companies go, SafelyFiled is a bit different — and we’re proud of our differences. We don’t use our tech skills to dazzle you with our brilliance or amuse you with quirky icons or animations, but to make it easier for you to make your life more organized and productive. 

We simply want you to feel great about having your affairs in order!

We think “peace of mind” is cool.
You might say we have a more mature approach to our business. We pay attention to those little details that matter to you — an adult taking care of important family documents. And we’re 100% dedicated to the service we provide our members.

As you may have guessed by now, we’re not 20-somethings. We’re a team of seasoned professionals. So we invested a lot of time designing SafelyFiled to be both intuitive and easy on the eyes — especially for those of us who have to squint to read most other websites.

Double-deadbolt security is a must.
We also pay attention to the news, so we fully appreciate your concerns about security. Those concerns are well founded.  That’s why we made security our top priority — literally.  For many websites, security is an afterthought that is only really dealt with after a problem pops up. Not us.  The first person we brought on board is a computer security expert who lectures at the University of Illinois in Champaign – Urbana.  Her name is Dr. Susan Hinrichs.  She designed and tested our security protocols first and then built the rest of the SafelyFiled around the security.  Susan will be offering tips in later blog entries.

Write to us. Tell us how you’re using SafelyFiled. 
One of the life and business lessons we've learned already is that our members will use our product in ways we never anticipated.  As long as it's legal, that's great.

We welcome your stories and will share them with the rest of the members. Our Chief Operating Officer, John Dore, and our Chief Technology Officer, Terri Caldwell, spend a fair amount of time with members and they will also share their insights in this blog.

Just remember: we're here to help you make your life more organized and more productive.  We hope that as you get your documents uploaded and share them with your family, that you get that calm feeling that tells you that you've got at least one part of your life under control.

Mark Snow