TechByter Worldwide



16 Jun 2019 - Podcast #647 - (23:00)


16 Jun 2019

Password Managers Revisited

A password manager is essential. That's something I've preached for a lot of years and for the same number of years, I've recommended one specific password manager. Well, surprise! I've changed my mind. Yes, a password manager is still essential (now more than ever), but the application I use and recommend has changed.

My previous favorite, LastPass, is still a good and capable application, but a recently released update made some changes that I didn't particularly care for, and that led me to a re-evaluation. There's no shortage of choices (listed in alphabetical order). Where free versions are noted, be aware that they sometimes have significant limitations.

The key point is that you need a password manager, period. You probably already know why: Passwords need to be site specific and complex. If you re-use a password, even a complex password that's 35 characters long (example: 5v,gwpdNqp3}GoU)HUXKXRme3.1Dz,aX-x@), it's useless, because once a scammer manages to obtain the password, the crook has access to every account you've protected with that password.

Remembering complex passwords is all but impossible for even a single site and remembering them for dozens or hundreds of sites isn't something any normal human being can do. A password manager keeps all your passwords in a single encrypted and password-protected location. Most can generate strong passwords and many can store information about credit cards, Social Security numbers, and other important details. The password you create for the password manager must be complex, strong, easy to remember, and impossible to guess. That's a challenge, but you have to do it only once.

Some pundits warn against using password managers because all of your passwords are in a single location. What if the password manager's on-line server is breached? What if someone gains access to your master password? These concerns are overblown because password managers communicate with your computer only via an encrypted connection and passwords are encrypted both on the cloud-based storage and on your computer. To gain access to the password manager, you'll probably need to use multi-factor authentication whenever the service sees a connection from a new location or a new device.

My criteria for a password manager include support for Windows, macOS, Android, and iOS because I use all of those platforms; support at least for Chrome-based browsers and Firefox; synchronization across devices; and the ability to autofill login credentials, addresses, and credit card information.

One password manager that lacks many of these features but is still worth considering is KeePass Password Safe. It's an open source application that runs on nearly every type of device. The auto-fill functions are limited and it doesn't sync across devices automatically because passwords are stored only on the computer or mobile device. As an open source application, it's free, but the technology is old.

If you want to save time and don't want to bother analyzing a baker's dozen password managers, just jot the names down on scraps of paper, drop the scraps into a bowl, and select one at random. No matter which you pick, you'll be far better off than having no password manager.

Here's a spoiler: After using LastPass for many years, I have switched to 1Password. They are both good applications, but some of the updates to LastPass this year seemed not to be improvements. The process of switching was easy: Like most other password managers, LastPass offers the ability to export passwords, and 1Password can import that file. By default, LastPass displays the passwords on a browser screen that can then be saved as a CSV file. 1Password, however, suggests that users just copy the full contents of the displayed page and paste the information into 1Password. That's better because you never need to save the file to the computer where, even after you've erased it, the data persists.

1Password Was My Choice

The latest version has a new interface and new capabilities, including a security audit (previously available in the macOS version only) and the ability to handle two-factor authentication. If you're still using Internet Explorer, it's not supported, but this is a reason to stop using Internet Explorer and not a reason to avoid 1Password.


In addition to the password manager application, there are extensions for browsers and these are essential. After installing the application, you'll be asked if you want to add the extension when you next open a browser.

I like 1Password's security for the application. To open it from a new device you'll need to provide the email address you use for the account, your 1Password password, and a private key. The key is long and starts with A3. Example: A3-E9TCRE-4Q09Q1-WXZPD-RE9TD-K7PCC-RGHF3 (this is NOT my key). Once entered, the key is stored on the device. Instead of typing the key, users can scan a barcode if the device has a camera. Entering the key needs to be done only once for each device.

1Password, like LastPass, reports compromised logins, vulnerable passwords, and reused passwords (yes, I still have some of those for sites that have no financial data). It also has reminders for sites that use HTTP instead of the secure HTTPS, sites or credit cards that will expire soon, and sites that offer two-factor authentication that you haven't turned on.

Stored information is categorized as site logins, secure notes, credit cards, identities (shipping addresses), Social Security numbers, and credentials for wireless routers.

Vulnerable passwords are usually of three types: (1) library logins that are usually four-digit numbers but must be combined with an ID that's at least 10 characters long, (2) passwords that are shared with many users and are intended to provide minimal protection for trivial data, and (3) logins that are in the process of being decommissioned and have no password.

Logging onto a website can be initiated in 1Password by clicking the application's icon in the browser or by pressing Ctrl-Alt-\ and searching for the site name; or the user can navigate to the site's login page and click the user name field, which then gives a list of credentials associated with the site.

Few of these features are unique to 1Password. Zoho and True Key cannot automatically fill website forms and do not allow multiple identities for filling in website forms, which eliminated them from my consideration. Only 1Password, Keeper, LastPass, RoboForm, and Sticky Password can enter passwords in device-based applications, which makes them preferable.

For me, the second choice would now be LastPass, which has an uncommonly robust free version. The paid version is also good and it includes an option to share passwords or sections of the password database with others. 1Password doesn't explicitly allow sharing, but the company does offer a family version for up to five users. That plan also includes 10GB of secure on-line storage.

The Free, Quiet Open Source Password Manager

KeePass has been around for about 16 years and the interface has a dated look. There's no ability to synchronize automatically across devices because it doesn't use cloud-based storage. But it's a powerful application that runs on just about every imaginable operating system and device.

It was my first choice (and one of the few choices available) in the early 2000s. I've continued to keep it installed and updated on later Windows computers, but haven't installed it on a macOS computer or any portable devices. Still, it's worth considering.

The setup process offers the ability to use a master key and cautions that if the key file is lost, the database cannot be opened by anyone.

The interface has more in common with Windows 95 or Mac System 8 than it does with Windows 10 or macOS. Still, it's serviceable. It's a good idea to read the instructions when installing and starting to use any application, and reading the instructions is essential for KeePass because it doesn't work the way competing applications do.

If you aren't using a password manager and don't have the time or desire to perform the needed research now, the free version of LastPass would be a good starting place. Or, if you have the time to perform 1Password's somewhat more complex initial setup, I can recommend it. Nearly all of the password managers can import data from a web browser if you currently store passwords there. Browsers are better than they used to be, but passwords stored in browsers should not be considered secure.

So the important first step is to install a real password manager. If you know which features are most important, reviewing the developers' websites will narrow your choices. But as I said near the outset, installing any of the password managers I've listed here is far better than proceeding without one.

Short Circuits

Ignore these Email Deactivation Notices

The message said "This email is to notify you that we have received your request to terminate the service(s) listed below." It claimed to be from techbyter.com and it said that my email account would be terminated. I deleted the message.

The first and most obvious giveaway is the fact that I am the email administrator for techbyter.com and I knew that I hadn't asked myself to delete my account and that therefore I hadn't sent myself a message advising myself that my account would be deactivated. But what if you receive a message like this at your work address? Would you click the link to cancel the deactivation? Please don't!

Click it and a website that is registered in Iran will attempt to place malware on your computer. This could be something that damages data or it could be something that attempts to find and exfiltrate proprietary data. It may try to capture the user's log-in credentials or it could be part of an advanced persistent threat. There are lots of possibilities.

Fortunately, some organizations' IT departments have protections in place to identify these kinds of messages and delete them so that employees never see them, and the best organizations work to educate their people so that bogus messages are reported even when they breach the protective measures.

Here are some of the indicators that the message is fraudulent. Spotting most of these requires no technical knowledge or intelligence, just a cautious eye and a reasonable amount of paranoia:

Anyone who receives a message like this at work should immediately NOT CLICK THE LINK. After carefully not clicking the link, if there's any concern that the message might be legitimate, then contact the IT department or a manager to ask. This message is reasonably well done. No egregious grammatical errors exist. The wording is generally reasonable, but still several clues are present that identify the message as a scam.

Messages From Any ICU Top-Level Domain Sender — Just Delete Them

One of the new top-level domains is ICU (I see you), but the sponsoring organization (Shortdot SA in Luxembourg) seems not to be interested in honesty, accuracy, or legality. Someone there recently obtained my email address and I've started receiving a flood of spams and scams from domains ending in ICU.

By flood, I mean dozens of spam and scam messages from ICU domains every week. Dozens! And yet I have never received a legitimate message from any address with an ICU top-level domain. They range from scams involving medical solutions to offers that will connect me with love interests. In other words, the unwanted commercial messages from the ICU domain are just that: Unwanted.

Depending on your anti-spam application, I recommend blocking all communications from any ICU domain. I've used Mailwasher Pro for many years and the application makes it easy to mark any message from the top-level domain as spam. I simply specify "*@*.icu" as a source of spam and every message from any ICU domain will be marked as spam.

(Image: one morning's partial list of scams)

Mailwasher allows me to examine every message, spam or not, before downloading it. So far I haven't found any messages from the ICU TLD to be ones that I want to save.

Spammers and scammers develop new scams every day. One of the messages I received recently claimed to be from CNBC, but was really from an ICU domain. The CNBC banner was bogus and so was the "Health and Science" subhead. A "learn more" link led to an ICU domain that immediately transferred to another page.

The message said "All words on this page are an ad that was sent to you." I pondered that for a bit. Obviously it was sent to me. Obviously it was an advertisement. Clicking any link in the message would be highly illogical, yet the message offered "If you rather not get these anyomore then please tell us as this page" and later "Cut out your name from our list by entering your information now". Both of the links go to the same location and following either would not be wise.

Because of the extreme number of spams and scams from the ICU top-level domain, I went beyond marking messages as spam in Mailwasher. The Mailwasher application gives me the opportunity to examine messages and then decide whether I want to download them or not.

Having seen the quantity and quality of messages flowing from the ICU top-level domain, I decided to intercept them at the server level so that Mailwasher would never even see them. If you operate your own domain, SpamAssassin may be available to you. If so, it's easy to create a filter that looks for certain characters in the sender's address (".icu", for example) and then deletes the messages so that you'll never have to see them.
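As an added illustration of the sender-address check described above (example code written for this page, not Mailwasher's or SpamAssassin's own logic), the following Python reads the From: header of a few constructed messages and sorts out any whose address ends in a blocked top-level domain. It handles the cases a naive substring match on ".icu" gets wrong: a spoofed display name such as "CNBC", uppercase domains, and a legitimate domain that merely contains "icu" as a label.

```python
from email import message_from_string
from email.utils import parseaddr

# TLDs to treat as spam sources. Constructed for this example; the post
# discusses only .icu, so that is the only entry.
BLOCKED_TLDS = {"icu"}


def sender_tld(from_header: str) -> str:
    """Return the lowercase top-level domain of the address in a From: header.

    parseaddr() discards the display name, so a forged
    "CNBC <news@example.icu>" still yields example.icu. Returns '' when no
    usable address is present.
    """
    _, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    if "." not in domain:
        return ""
    # Only the last label counts, so icu.example.com is NOT matched.
    return domain.rsplit(".", 1)[1]


def is_blocked_sender(from_header: str) -> bool:
    """True when the From: address sits under a blocked TLD."""
    return sender_tld(from_header) in BLOCKED_TLDS


def filter_mailbox(raw_messages):
    """Split raw RFC 822 messages into (kept, dropped) lists of subjects.

    Note: only the visible From: header is inspected, the same field the
    Mailwasher "*@*.icu" rule looks at. A forged From: header passes, which
    is why a server-side rule (SpamAssassin) is the more reliable place.
    """
    kept, dropped = [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        bucket = dropped if is_blocked_sender(msg.get("From")) else kept
        bucket.append(msg.get("Subject"))
    return kept, dropped


# Constructed sample messages modelled on the ones the post describes.
SAMPLE_MESSAGES = [
    "From: CNBC Health and Science <news@mailer.example.icu>\n"
    "Subject: Learn more\n\nAll words on this page are an ad.\n",
    "From: Billing <billing@icu.example.com>\nSubject: Invoice\n\nNot .icu.\n",
    "From: admin@EXAMPLE.ICU\nSubject: Account termination\n\n",
    "From: friend@example.org\nSubject: Lunch?\n\n",
]

if __name__ == "__main__":
    print(filter_mailbox(SAMPLE_MESSAGES))
```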

This is a big hammer and it's one that I employ only when I'm certain that some part of the email will contain text that absolutely identifies the message as one I don't want to see. The new ICU top-level domain filter is one of only three that I've set up on the server.

Top-level ICU domains are just another scam to watch for. My recommendation for any message from the ICU TLD is simply to delete it without even thinking about opening it.

Spare Parts

Sony Cameras Challenge the Big Guys

In the early days of digital photography, the late 1990s, Sony introduced the Mavica, a camera that used 1.4MB floppy disks to record images. The images were horrid and the resolution was low. Until a few years ago, I favored digital cameras made by traditional camera manufacturers such as Nikon and Canon. That is changing.

Sony is now the nearly undisputed leader when it comes to manufacturing sensors, and those sensors are used in the iPhone 6, the Samsung Galaxy S6, Nikon digital SLRs, and Olympus mirrorless cameras. So far, Canon hasn't joined the move to Sony sensors. But what about cameras? Sony's Alpha series has received excellent reviews and the company has done something unusual with the menus that run the cameras: When possible, settings are in the same locations on menus in all cameras and they have the same names. That's not always true for cameras from the traditional camera manufacturers.

And Sony continues to introduce respectable lenses for their cameras. One example is the FE 200-600mm f/5.6-6.3 G OSS Super-telephoto Zoom Lens, which will start shipping later this year. It's a huge, heavy lens for Sony's full-frame cameras and is the 51st lens offered by Sony. That number of lenses gives Sony parity with manufacturers such as Canon and Nikon.

The lens is compatible with Sony's E-mount 1.4x and 2.0x teleconverters, extending the reach to a maximum of 840mm at f/9 or 1200mm at f/13. Optical stabilization is built in to the lens, and an 11-blade circular aperture mechanism gives out-of-focus backgrounds a distinctive blur (called "bokeh"). The zoom function is internal to the lens so that its length doesn't change as the lens is zoomed in or out.

When released in August, the lens will sell for about $2000. If you'd like to read more, see Sony's website.

Technology to Save the Connection to Your Flight

One of the many frustrations about airline travel involves connecting flights. The flight you're on arrives late and it's at the far end of the airport from where the next flight leaves. United Airlines is introducing ConnectionSaver, an application intended to improve connections from one United flight to the next.

ConnectionSaver attempts to identify departing flights that can be held for connecting customers but also to ensure that those who have already boarded the aircraft arrive at their destination on time. When passengers opt in, they will receive text messages with directions to the gate for their connecting flight and information about how long the walk will take.

The application will scan flights for customers who are making tight connections to determine if the connecting flight can be held without inconveniencing other customers by taking into account factors such as the time it will take for late connecting customers to travel gate-to-gate as well as the impact the hold may have on other flights and customers.

United launched its ConnectionSaver tool on all flights at Denver International Airport in February, and then expanded it to Chicago O'Hare International Airport. The company says that more than 14,400 customers, who would have otherwise missed their connections, were able to make their flights thanks to ConnectionSaver. Flights that were held for connecting customers were delayed an average of six minutes.

United plans to begin using the technology in all of the airline's hubs by this fall and eventually at all airports where United has a presence. Additional information is on the United Airlines website.