Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

4/2/2021

Password Rules

Filed under: Advice from your Uncle Jim,Fun,Geek Work,News and Current Events,Truth and Consequences — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:30 am for you boring, normal people.
The moon is Waning Gibbous

Do you know those horrible password rules about adding random characters and numbers and stuff?

IT professionals hate them, too. Honest. I can say that because I am, in fact, an IT professional and have been for just shy of thirty years. (You can read more about my qualifications to call myself an IT pro at my other website, which includes Jim Hoffman’s CNE Resume, because, yes, I’ve been doing this so long I’m certified in things that no one really uses anymore.) I remember when the standard for passwords changed, requiring normal people to do things like including special characters or numbers and a mix of upper case and lower case letters. We were told that it would make the resulting passwords exponentially harder to guess. At the time, that may have been true, though I doubt it. It turns out, those rules were written by a government bureaucrat who used an out-of-date white paper to make his recommendations. And, now, even that bureaucrat regrets making those rules that only make your password harder to remember. Also, all that advice about translating a famous quote into a password by changing out words for symbols or letters? Essentially useless. With the computing power of modern machines, the randomness of a short password really doesn’t matter at all. Length is the real key. So, having a password like “P@SSw0rd” isn’t significantly more secure than “password”, except, of course, that hackers are likely to guess the simple words first and “password” is actually one of the ten most popular passwords. So don’t use that. What’s better is to use a longer password, like an entire sentence without punctuation. And, if you have to include numbers and special characters, just tack them at the end or beginning. In other words, something more like “MyPasswordIsVerySecure@9”, because the length of that password IS exponentially harder to guess than “password”. Don’t believe me? Then just look at this infographic that shows how the length of your password is really the determining factor in how hard it is for hackers to crack.
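To put numbers on the "length beats complexity" claim, here is a short Python script (an added example, not code from the post) that estimates the exhaustive-search space for the three passwords compared above. Everything it assumes is constructed for illustration: the tiny "popular passwords" set stands in for the real top-ten lists the post mentions, "p@ssw0rd" is placed in it to reflect that symbol substitutions are in attackers' wordlists, and the guess rate is a round number rather than a measurement.

```python
import math

# Constructed stand-in for the "ten most popular passwords" lists the post
# refers to; the real lists are much longer (illustrative entries only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}

# Alphabet sizes an exhaustive search has to cover for each character class
# (33 = printable ASCII punctuation).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Assumed rate for an offline attack on a fast hash; a constructed round
# number, not a benchmark.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the guesses needed to try every string of this length over this alphabet."""
    return len(password) * math.log2(charset_size(password))


def expected_guesses(password: str) -> float:
    """Guesses before the password falls. A wordlist hit costs essentially one
    guess; otherwise the brute-force keyspace is an upper bound (word-combination
    attacks on a sentence are cheaper than this bound, but still grow with length)."""
    if password.lower() in COMMON_PASSWORDS:
        return 1.0
    return 2 ** brute_force_bits(password)


def seconds_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return expected_guesses(password) / rate


def compare(candidates):
    """Rows of (password, alphabet size, bits, seconds) for side-by-side reading:
    'P@SSw0rd' widens the alphabet but adds no length, while the long sentence
    dominates through length alone."""
    return [(p, charset_size(p), round(brute_force_bits(p), 1), seconds_to_crack(p))
            for p in candidates]


if __name__ == "__main__":
    for row in compare(["password", "P@SSw0rd", "MyPasswordIsVerySecure@9"]):
        print("%-26s alphabet=%3d  bits=%6.1f  time=%.3g s" % row)
```

The bits column is the honest comparison: eight lowercase letters give about 37.6 bits, eight characters from the full printable set about 52.6, and the 24-character sentence about 157.7, so each extra character multiplies the work regardless of how clever the symbols are.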

How Long Would Your Password Last Against An Expert?

Of course, some systems limit the length of a password, unfortunately, but, until everyone else catches up to us, you have to work with what you’re given.
Come back next week to see what uncomfortable truths I have to share with you!

This post first appeared on Use Your Words!


Advice from your Uncle Jim:
"Do not follow where the path may lead - go instead where there is no path and leave a trail."

4/13/2018

PWNED?

Filed under: Fun,News and Current Events,The Day Job — Posted by the Network Geek during the Hour of the Hare which is in the early morning or 7:30 am for you boring, normal people.
The moon is Waning Crescent

Have my super secret accounts been compromised?

Probably. I know, that’s not really what anyone wants to hear, but it’s also pretty truthful at this point. I mean, if you pay any attention to the news these days, then you’ve heard about all the recent data breaches. Most recently, there’s the Saks Fifth Avenue and Lord & Taylor data breaches, but before that there was Equifax, Under Armour, Uber and more. And, I know for myself, just having a Yahoo-related email account has made me susceptible to having my information compromised multiple times over the years.
But, what if you’re not sure? Or, what if you think you may have had an account that was part of a breach and want to know for sure? Then, head over to Have I Been Pwned and put in your email address. If you’ve been part of any of the big breaches in the past couple years, this site will tell you.
Also, if you’re not sure about that “secure” password you’re about to start using, then you can put that in at this site, too, and if it’s a well-known, well-hacked password, you’ll know before you use it. (That’s important to know because the well-known passwords are easier to pull out of even an encrypted password database.) If you don’t see it at first, just check the top menu for “Passwords” and you’ll get straight to it.
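The password check on that site never needs to see your password, and the mechanism is worth understanding. The following Python script is an added example (not the site's code, not from the post): it hashes the candidate with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and compares the remaining 35 characters locally against the returned list. The sample response is constructed (the suffix for "password" is real, the count and the second line are made up), so the script runs offline; the `live_fetch` function shows the real query shape for anyone who wants to use it.

```python
import hashlib
import urllib.request

# Constructed stand-in for one range-query response. The real endpoint
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>)
# answers with lines of "<remaining 35 hex chars>:<count>". The count for
# "password" and the second line below are made up for this example.
PASSWORD_SUFFIX = "1E4C9B93F3F0682250B6CF8331B7EE68FD8"   # SHA-1("password") minus its first 5 chars
FAKE_SUFFIX = "0" * 34 + "1"
SAMPLE_RESPONSES = {
    "5BAA6": f"{PASSWORD_SUFFIX}:3861493\r\n{FAKE_SUFFIX}:2\r\n",
}


def split_hash(password: str):
    """Return the 5-char prefix that is transmitted and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str):
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating blank lines and stray whitespace."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, answering only from the constructed sample."""
    return SAMPLE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real query: only the 5-character prefix leaves the machine (k-anonymity)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=offline_fetch) -> int:
    """How many times the password appears in the breach corpus (0 means not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ["password", "MyPasswordIsVerySecure@9"]:
        print(candidate, "->", pwned_count(candidate), "breach occurrences (offline sample)")
```

Because the server only ever learns a five-character prefix shared by hundreds of hashes, a breach of the checking service cannot recover the candidate password from the query, which is the property that makes this kind of lookup safe to use before you adopt a new password.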

In this day and age, none of us can afford to be lax with our personal data and our data security. So, it may not be my normal “fun” link for Friday, but it’s definitely worth taking a minute to check your on-line safety.

This post originally appeared on Use Your Words.

4/15/2016

Security In A Box

Filed under: Geek Work,Red Herrings,The Dark Side,The Tools — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:00 am for you boring, normal people.
The moon is Waxing Gibbous

First of all, you should know I’m talking about computer security, not home security.

Secondly, know that “in a box” really means something more like “all in one place”.
I’m suggesting this site this week because security is on my mind.  Not only in a corporate sense, but in a personal sense.  In a professional setting, I’ve brushed up against something that could conceivably heighten scrutiny of my own personal foot-print on the internet.  And, I’ve had a particular address from a particular Eastern European country banging against one of my WordPress installations pretty hard this past week.  All of which added up to me checking my collected links for a security themed site I could share with you all.
The site is called Security In A Box and it’s a collection of tips, advice and links to programs meant to help keep you safe on the internet.  Their advice covers everything from creating good passwords to staying safe on social media.  And, they have group-specific suggestions for special interest groups who might have an additional level of scrutiny, either by other special interest groups or governments.  It’s quite a good site for everyone, of course, but of special interest to anyone who might find themselves at the sharp end of one of the many sharpened sticks running loose on the internet without keepers.

So, stay safe this weekend and enjoy the lovely weather while it lasts!

6/27/2014

An Easy Way to Share Your WIFI Password

Filed under: Fun,Fun Work,Geek Work,Red Herrings — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:43 am for you boring, normal people.
The moon is a New Moon

I’m going to take a slight departure from my normal free stuff on Friday posts.

Don’t worry, this is still free, but it’s not just a “click here and look at this thing” kind of post.  This week, you’ll need to actually do a couple of things to get the full benefit of this post.  Basically, it’s a little Summer DIY project for the mildly geeky and social.

Have you ever been to someone’s home and had to ask for their WIFI…

10/17/2011

Your Password Is Too Weak!

Filed under: Advice from your Uncle Jim,Geek Work,News and Current Events,The Dark Side — Posted by the Network Geek during the Hour of the Hare which is terribly early in the morning or 6:19 am for you boring, normal people.
The moon is Waning Gibbous

No, seriously, it is.

If it makes you feel any better, most people’s passwords are too weak.
I suppose you think it doesn’t matter how “strong” your Gmail (or Hotmail or whatever free email you use) password is, right?  Well, you’d be wrong.  I recently read an account about how one person’s Gmail account was hacked and used to spam and try to get her friends to send the hacker money, all posed as her.  Of course, that was after deleting more than 4 Gigabytes of stored messages and photos.  You can read that account, as told by her husband, over at the Atlantic, in an article titled “Hacked!”  It’s worth reading, especially if you’re not in the IT business.  And, frankly, even for a fellow professional computer geek, it might be eye-opening to see how hacked email accounts are being used these days.  I have to admit, I was a little surprised that the attacker in question actually used the account personally to try and con money out of the victim’s friends and family.

I was not, however, all that shocked to see how many accounts are compromised on a regular basis.  Think the thousands.  Daily.
Right, so thousands of email accounts on which people depend are hijacked, used and abused on a daily basis.  If it hasn’t happened to you, it’s probably only a matter of time.  So, how do they do it?  Shared, easily guessable passwords.
Yes, it’s that easy.
Stop for a minute and think about how many passwords you use on a regular basis.  How many are the same?  How many accounts do you have for things like bank accounts and credit cards and medical records that use the same password as your email?  And how many of those accounts use that same email address as the username?
Getting the picture?

So, what do you do?
First, stop reusing passwords.
Second, make more secure passwords.  And, don’t think that the old way of replacing “L” with the numeral one or the letter “O” with the numeral zero and that kind of thing will work, either.  The hackers are on to that.  It’s better to use words that are not in the dictionary.  So, yes, made up words.  Or, even better, phrases, which is what I’ve recommended for some time.  Having a hard time coming up with one?  Try using one generated randomly for you at passphra.se, a random passphrase generator which was inspired by an XKCD comic.  The comic explains the reasoning behind the passphrase idea and the generator.  Also, XKCD is pretty funny and if you’re geeky like me at all, it’s well worth checking out.
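A random-word passphrase is easy to generate yourself, and it is worth seeing why the strength estimate differs from the character-level one: the words are not secret, so the attacker is assumed to know the list and the only entropy comes from which words were drawn. The Python below is an added example, not the passphra.se generator or anything from the post. The 32-word list is constructed so the arithmetic is clean; a real generator draws from thousands of words (the XKCD comic's 44-bit figure corresponds to four words from a 2048-word list). Selection uses the `secrets` module so the draw comes from the operating system's CSPRNG rather than a predictable generator.

```python
import math
import secrets

# Constructed 32-word list standing in for a real generator's dictionary;
# only its size matters for the strength estimate (assumption).
WORDS = [
    "apple", "river", "stone", "cloud", "tiger", "music", "green", "bread",
    "house", "light", "ocean", "paper", "quick", "robot", "sugar", "table",
    "under", "vivid", "water", "yellow", "zebra", "anchor", "bottle", "candle",
    "dragon", "engine", "forest", "garden", "hammer", "island", "jacket", "kettle",
]


def generate_passphrase(count: int = 4, words=WORDS, separator: str = " ") -> str:
    """Draw words with the OS CSPRNG; random.choice is not suitable for secrets."""
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(wordlist_size: int, count: int) -> float:
    """Entropy if the attacker knows the wordlist and enumerates combinations."""
    return count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest word count that reaches the target entropy from a list of this size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def is_valid(passphrase: str, count: int, words=WORDS, separator: str = " ") -> bool:
    """Check a generated phrase has exactly `count` words, all from the list."""
    parts = passphrase.split(separator)
    return len(parts) == count and all(p in words for p in parts)


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(phrase, "->", passphrase_bits(len(WORDS), 4), "bits from this toy list")
    print("words needed for 80 bits from a 7776-word list:", words_needed(7776, 80))
```

The practical lesson from `words_needed` is that with a large list you reach strong entropy in six or seven words, and that a memorable phrase of that length is still far easier to type correctly than a short string of substituted symbols.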

In today’s world, we’re way too interconnected and digital and reliant on those systems to have relaxed security.  It doesn’t matter if you’re a geek or not.  Please, think about your passwords and how easily they might be compromised.  Then think about what that might mean to your life, digital and otherwise.
Now, if you’ll excuse me, I have to go change some passwords…


Advice from your Uncle Jim:
"Aw, damnit, I left my spontaneous quips in my other pants."

1/4/2011

Change Your Passwords!

Filed under: Advice from your Uncle Jim,Geek Work,News and Current Events,Rotten Apples,The Dark Side — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:35 pm for you boring, normal people.
The moon is a New Moon

Yeah, yeah, happy New Year to you you, too, now, go change your passwords.

No, seriously, change your passwords.  Think about how long it’s been since you either set up that account or changed the password on it.  Now, consider that there have been some significant security breaches in the past year, including the issues at Gawker and their family of popular websites, and think about how many places you’ve used that same password.  It’s your favorite one, right?  The one you use for all your accounts, because it’s so, so easy to remember?  Guess what, it’s also probably easy to crack and is probably in a database on some hacker/cracker website right now matched up with the e-mail address you used, too.  How long will it be, do you suppose, before someone gets into all your accounts?

Right.
So, go change your passwords.
Not sure how to pick a good one?  Well, if you trust the U.S. Government for security, you can go to their Computer Emergency Readiness Team (aka US-CERT) for advice on choosing a secure password.  If you’re like me, though, you categorically do NOT trust a government agency for your personal security, in which case I recommend that you check out premier security expert Bruce Schneier’s advice for picking a secure password.

I’ll offer two bits of advice on the topic.
First, if any system lets you, choose a password that includes numbers and special characters, not just letters.  The example I always use is “@2brutus”.  And, yes, that means I will NEVER again use that as a password. *sigh*  I like to substitute numbers for letters which resemble them, like the number one instead of the letter L or the letter I.  In the example, I’ve taken a whole word out, “et”, and substituted the “at” symbol, or “@”.
Secondly, try to use something that is not a single word, but a phrase.  Again, in the example, I took my bastardization of “et tu brute”, which I remembered as “et tu brutus” and mashed it up a bit.  I have known people who use short sentences, however.  One guy I worked with occasionally used lines from Lewis Carroll’s Jabberwocky, which adds the extra security of words that will most likely never be found in any standard dictionary of any language.

So, trust me on this, if you haven’t done it, start the new year right and change your passwords.


Advice from your Uncle Jim:
"In life, as in football, you don't go far unless you know where the goalposts are."
   --Arnold Glasgow

9/26/2010

Windows Password Recovery Tools

Filed under: Fun,Fun Work,Geek Work,GUI Center,MicroSoft,The Dark Side,The Network Geek at Home — Posted by the Network Geek during the Hour of the Horse which is around lunchtime or 1:44 pm for you boring, normal people.
The moon is Waning Gibbous

Remember, these are “administrator utilities” not “hacker tools”.

In my business, it pays to make the distinction.
When people call me for help outside the office, the calls usually fall into a couple of categories: a virus, a slow computer, a lost password and “how do I do X?”  Sadly, I’ve been doing a lot of virus and spyware removal, but, also, lately, I’ve had a couple of “lost password” calls.  I actually love getting those, for a couple reasons.
First, lost passwords are surprisingly easy to recover if you have physical access to the machine.  It’s funny to me how few people get that.
Secondly, I find recovering passwords fun.  In a way, it was one of the first things that drew me into the business.  I was one of those guys who got hooked by the security bug not by War Games, but by Sneakers.  Yeah, I know, most guys my age especially will tell you it was War Games that really got them hooked.  What can I tell you?  I’ve always been kind of a late bloomer.  And, my dirty, little secret is that after seeing Sneakers, I wanted to be Marty Bishop.  Seriously.

Anyway, my recent experience with Windows password recovery requests gave me an opportunity to refresh my tools.  After Googling a bit, I found a handy About.com page titled “Top 6 Free Windows Password Recovery Tools”.  I downloaded several, most of which were based on bootable CDs of one kind or another.  I like those kinds of toolkits because they don’t require even limited access to the operating system, just the ability to reboot the machine from the CD toolkit.
In the end, I tried two: Ophcrack and the Offline NT Password & Registry Editor.

Now, I’m not positive, but I’m pretty sure that Ophcrack is the free, open-source fork of l0phtcrack.  Now, for an old-timer like me, l0phtcrack was THE password cracker to have, back in the day.  Created by a group of well-known hackers, some of whom famously testified before Congress, it was not free.  At least, theoretically.  If you knew where to look, you could get copies.  And, yes, I  them.  But, this version IS free and seems like it had some improvements.
For one thing, the old version had a slightly clumsy text-based interface.  This version has a much nicer interface that seems to use X-Windows.  It’s also far more intuitive to use.  It ran pretty fast, really, though, sadly, didn’t seem to be able to crack the non-dictionary word used as a password on the Windows 7 box I was using it against.

On the other hand, the Offline NT Password & Registry Editor has been around for several years, and had several updates, though it retains the text-based interface.  I don’t remember when I used this the first time, but, so far, it hasn’t let me down in a pinch.  This time was no different.  So, yes, even though it has “NT” in the name, I’ve used it on everything from Windows 2000 through Windows 7 without a hitch.  Of course, your results may vary.  The bonus of this product is also its most potentially dangerous drawback: it directly edits the registry and password files.  This is dangerous, in a way, because if something goes wrong, this could, theoretically, lock you out of your machine permanently.  In practice, this has never actually happened to me.
One advantage of this utility is that you can change or simply remove the password for any active user on the system.  Also, you can use it to promote an active user to being an administrator equivalent.  Now, by “active user” what the developers mean is any account that is not disabled.  Though, I think there may be the option to activate a deactivated account.  I’m not positive, though, because I’ve never had to look for it or try to use it.  And, yes, this worked like a charm to simply blank the password on the Windows 7 machine that had apparently forgotten its own password.

So, there you have it.  Two tools to recover lost Windows passwords.
Oh, and, just a quick disclaimer here.  I’m not responsible for any damage you might accidentally do to your machines with these utilities.  Nor am I advocating using them to break into your ex-spouse’s computer to read their adulterous e-mail to their lover.
I’m just sayin’….

7/22/2008

Recover your MS Office Password

Filed under: Fun Work,Geek Work,MicroSoft,The Dark Side — Posted by the Network Geek during the Hour of the Tiger which is terribly early in the morning or 5:58 am for you boring, normal people.
The moon is Waning Gibbous

No, not the key to install Microsoft Office!

One of the many features of Microsoft Office is the ability to password protect your files. It’s not very strong encryption, but, then again, how many people in your office are programmers who specialize in cryptographic algorithms? Right.
On the other hand, it sure is a pain in the butt when you lose the password for some super important file. Well, the Wired HowTo Wiki has a page titled Recover Your Password-Protected MS Office Docs that can help you out. I especially liked the idea of the e-mail service that let you preview part of the document before paying to have it unlocked. As an IT person, it’s nice to know if I’m paying to unlock the right files for someone at the office before I shell out the cash!

