Kent’s Super-Simple, Excellent Password Advice

Thursday, September 22nd, 2016

This excellent advice is simple; in fact, its excellence depends upon being simple. Complicated is the enemy of security. If you follow this advice you will be among a very rare elite in how secure your passwords are.

Four parts:

1. Write down your passwords. On real paper, with a real pen or pencil, and keep the list safe. If you want to get fancy, maybe don’t quite tell the truth, at least not the whole truth, maybe leave something off each password (something you will remember), so if someone finds the list they won’t quite know any of the passwords on the list. And keep the list safe.

2. Now that you can keep track of what your passwords are, never recycle passwords between accounts. So, if someone breaks into one site, your other accounts aren’t at risk. (Today’s news, as I write this, is that information on 500,000,000 accounts was stolen from Yahoo.) Don’t reuse passwords in different places.

3. When you make up a new password, dream up something you think no one will guess. (I know, you already do that.) Now, to be extra secure, add something even you couldn’t guess. Maybe look at the time, exactly how many minutes past the hour? Include that in the password. Or look around you, pick something else—but pick something you could not anticipate—and include it as part of the password.

4. Keep this entirely manual; the whole approach is low-tech for a reason. Computers are usually pretty insecure. (Ask Yahoo…) Don’t automate any of it, because that’s really hard to do safely (ask Yahoo); keep it manual. Don’t even photocopy your password list, because copiers are really computers these days. Don’t take a picture of the list, because cameras are also computers these days. Yes, backups are good, but sorry, that has to be manual. The benefit is, as long as you keep all of this manual, you can trust your common sense, because you will understand every aspect; you have real expertise in manual stuff because you can see it.

That’s it. Low-tech as hell, which means most techies will hate it, but who cares that it’s controversial as hell? It’s smart. Because it is simple.


P.S. And I really am so very sorry you can’t use a password manager program, but they are just too complicated, they will have security problems, admit it, you know it in your heart they will. Don’t trust them.

Android Pattern Unlock Insecure

Tuesday, May 10th, 2011

When I first saw the pattern unlock feature in Android phones I thought: Cool!

And I used it on my Nexus One.  Until I realized that it is a really stupid idea if I want my phone to be secure.  Don’t do it.

The problem is that the phone screen gets smudged.  And when you unlock your phone you will leave a new smudge trail revealing your pattern.

Here is how to read it: With the phone turned off, hold it up to a bright light, but angle it so that it reflects something dark.  The smudges will be obvious.

Turn the phone on, note where the pattern dots are, turn it off and see which smudges align with the pattern dots.  Turn it on, turn it off, and you will be able to see the pattern.  (At least if the phone wasn’t used much with dragging gestures on top of the pattern area.)

New smudges write on top of old smudges; they will be “in front”, so to reproduce the pattern in the right order start with the smudges that are “behind” and trace towards the “front”.

It is tempting to wipe off the screen to clear the smudges of your unlock pattern, but beware: A clean screen is even easier to read than a dirty screen, so if you ever forget to wipe it after entering your pattern, your unlock pattern will be very readable.

This doesn’t mean your pattern lock is always completely insecure.  If you unlock your phone and then use it a lot with plenty of dragging gestures in the pattern area, then turn it off, your unlock pattern will be very hard to read.  But do you ever turn on your phone, maybe just to check the date, and then turn it off?  If so, your lock pattern is not hard to read at all.

So the unlock pattern is cool, but a bad idea.  Instead you should use an unlock code number.

“But wait!” I hear you say.  “Can’t those smudges be read too?”

Yes.  But they are taps, not drags, so the order is hard to read.  Even so, this means a 4-digit PIN is not so good.  If someone can figure out what the 4 digits are, there are not that many combinations to try.  Only 24 (4×3×2×1, or 4 factorial).  Increase your PIN to 5 digits and the number of combinations is 57, not great, but a lot better.

I suggest you make up a truly random PIN of, say, 6 digits.  (Have a spinner from a board game?  Maybe use that.)  Then fill in the other digits in, say, left-to-right, top-to-bottom order.  If the person who finds your phone can see that your PIN uses all ten digits (with no repeats), that narrows it down to 3,628,800.  Because your phone limits how fast PINs can be tried, that is pretty good, and you will have a PIN that is pretty easy to remember.  A PIN with repeated digits is cool, but the smudges might show which digit is repeated, diminishing its value somewhat.
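The counting in the two paragraphs above, worked through as an added example (this is not code from the original post). Given a PIN length and the number of distinct smudged keys, the functions below count how many PINs remain consistent with the smudge evidence (the set of keys is known, their order and any repeats are not), compare that with the unconstrained 10^length space, and estimate the worst-case time to try them all under an assumed lockout policy. The policy numbers (5 guesses per 30-second window) are a constructed placeholder, not any real phone's behaviour. For four distinct keys the formula gives the post's 24 and for all ten keys the post's 3,628,800; the same formula gives 120 for five distinct keys, and it generalizes to the repeated-digit case the post mentions, e.g. a 6-digit PIN whose smudges show only five keys leaves 1,800 orderings.

```python
from math import comb

KEYPAD_DIGITS = 10  # digits 0-9 on the unlock keypad


def surjections(pin_length: int, distinct_digits: int) -> int:
    """Count PINs of `pin_length` that use each of `distinct_digits`
    observed keys at least once and no other key.

    Inclusion-exclusion over strings that avoid at least i of the observed
    keys. When pin_length == distinct_digits this collapses to k factorial,
    the figure the post uses for a PIN with no repeated digits.
    """
    k = distinct_digits
    if k <= 0 or k > pin_length:
        return 0
    return sum((-1) ** i * comb(k, i) * (k - i) ** pin_length for i in range(k + 1))


def candidates_with_smudges(pin_length: int, distinct_smudges: int) -> int:
    """PINs still possible once the set of smudged keys (not their order) is known."""
    return surjections(pin_length, distinct_smudges)


def candidates_without_smudges(pin_length: int) -> int:
    """Unconstrained search space for a PIN of this length."""
    return KEYPAD_DIGITS ** pin_length


def seconds_to_exhaust(candidates: int, attempts_per_window: int = 5,
                       window_seconds: int = 30) -> int:
    """Worst-case seconds to try every candidate under an assumed lockout
    policy. The defaults are a constructed placeholder, not a real phone's."""
    windows = -(-candidates // attempts_per_window)  # ceiling division
    return windows * window_seconds


def smudge_report(pin_length: int, distinct_smudges: int) -> dict:
    """Summarise how much the smudge evidence shrinks the search."""
    with_smudges = candidates_with_smudges(pin_length, distinct_smudges)
    blind = candidates_without_smudges(pin_length)
    return {
        "pin_length": pin_length,
        "distinct_smudges": distinct_smudges,
        "candidates_with_smudges": with_smudges,
        "candidates_without_smudges": blind,
        "reduction_factor": blind // with_smudges if with_smudges else None,
        "worst_case_hours": seconds_to_exhaust(with_smudges) / 3600,
    }


if __name__ == "__main__":
    # Constructed scenarios: the post's 4-digit and all-ten-digit cases,
    # a 5- and 6-digit PIN with no repeats, and a 6-digit PIN whose
    # smudges show only five distinct keys (one digit repeated).
    for length, smudges in [(4, 4), (5, 5), (6, 6), (6, 5), (10, 10)]:
        r = smudge_report(length, smudges)
        print(f"{length}-digit PIN, {smudges} distinct smudges: "
              f"{r['candidates_with_smudges']:,} candidates "
              f"(vs {r['candidates_without_smudges']:,} blind), "
              f"worst case {r['worst_case_hours']:.1f} h")
```

The useful comparison for choosing a PIN is the reduction factor: a 4-digit PIN drops from 10,000 blind guesses to 24 once its keys are known, which is why the post's advice to spread a longer PIN across all ten keys matters more than raw length alone.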

The only catch is that it takes a moment to enter a long PIN each time you turn on your phone.

If, however, more and more of your life is in your phone, it might be worth it.

-kb, the Kent who tried to figure out how to photograph the smudges of an unlock pattern lock, but it is tricky to get the lighting right.

©2011 Kent Borg