The Password Conundrum – Part 1

Obligatory password-blog-post lock picture. We can all breathe easy now that the status quo has been upheld.

Introduction

This is the first part of a three-part article in which I’ll discuss managing online accounts and password security. In this first part, I’ll talk about the embarrassing state of my own account management – or lack thereof, what prompted me to get my act together and form a realistic account management strategy, and a brief note on what my personal needs for account and password management entail.

In the second part of this article, I’ll go over some of the tools and strategies that I researched while I was figuring out how I was going to manage my accounts. I’ll cover password managers, using complex passwords, and multi-factor authentication.

In the third part of this article, I’ll discuss my overall account management strategy: what I did and didn’t do, and also my rationale behind each choice. I hope that by the end of this article, you’ll have a good idea of what is available to help you get your accounts under control, and that you’ll be able to make informed choices about which methods and technologies you want to use to help keep your accounts and personal information secured.

A shameful tale of woe and regret

I’ve been an Internet user for about half my life now. That’s been enough time to collect many, many accounts. I have at least 3 email accounts, accounts on the usual social networking sites, and a slew of random accounts for online stores and services. I figure that I have somewhere around 30 personal accounts that I’ve set up over the years. There are many others that I’ve lost track of, consigned to the briny depths of the web to be forever forgotten.

It’s time for a confession, dear readers: I have committed a grievous evil. I have re-used passwords for multiple personal accounts with wild abandon. On top of that, before this article, I had not changed passwords on some accounts for years. What’s worse is I know better than this; I follow best practices for passwords in my professional life obsessively. Seriously, there was an intervention and everything. I guess it would be at this point where I’d say something about the cobbler’s son having no shoes.

This was pretty much the extent of my super sophisticated personal password scheme. Luckily, I kept the post-it note under my keyboard where no one would ever find it.

Continuing down this clichéd path, I’ve heard that people don’t change until the pain of staying the same is greater than the pain of changing. For me, the pain came just a few days ago when I received an email from UbuntuForums.org. The email stated that they’d been compromised and that the attacker had gained access to their database of usernames and encrypted passwords.

I have an account on Ubuntuforums.org. Had I used the same username and password on Ubuntuforums.org that I used on other sites? I couldn’t remember. *CRAP*! Time to put my big boy pants on and get this password mess sorted out.

First, I had to figure out what sites I had accounts on. I started a list of all of the sites I could immediately recall, then I went through my archived emails and found several more sites. I have A LOT of accounts.

Over the years I had halfheartedly skimmed many articles (like this one) that provided advice on proper account and password management. All these questions started popping into my brains: Should I set up a password manager? Which password manager should I use? How complex does my password need to be? How can I set up multi-factor authentication and how well does it work?

It was about this time that I started to become overwhelmed. I needed to do some reading. I researched and read way too many articles and blog posts, and here is the strategy that I found would work for me. Others may not have the same security needs, so, as always, keep in mind that YMMV.

Requirements

I spent some time thinking about what my needs were and how I access my accounts. I use a variety of computers and devices. I have multiple beat-up, old computers running Windows and Linux-based OSes in varying stages of obsolescence, an iPhone, and a broken iPad which I may replace in the distant future. I access email and other accounts from my own, trusted systems and others that I don’t trust.

It would be nice to be able to access my various accounts easily and securely, regardless of the computer or device I am using. I need to be able to remember my passwords. At the very least, the passwords for my most important accounts – email, banking, etc. – need to be different from each other. Services like LinkedIn, Dropbox, and Twitter get “hacked” with some regularity, so being able to easily come up with secure, memorable passwords without repeating old ones is a necessity too.

So this concludes the first part of my three-part password conundrum saga. Check back soon for part two where we dive into the tools, methods, and concepts behind building a solid account/password management strategy.


So you want to learn to pick locks

Lockpicking is awesome. No lie. Picking open your first lock is exciting, unsettling, and possibly addicting. It’s exciting in the sense that you become aware that locks can be viewed as mechanical puzzles and that once you know how to solve them, you have the keys to the kingdom. It’s unsettling because once you get the hang of it, you start to realize just how easy it could be to pick the locks that you depend on to keep you and your possessions safe. Picking locks is addicting because of the exhilaration, the sense of empowerment, the thrill of exerting your will toward something designed to prevent you from opening it without a key and prevailing.

Lockpicking isn’t just for spies and thieves. In most states in the US, picking locks that you own is entirely legal. Yes, this skill can be used for nefarious purposes, but in most cases, if you want to break into a building, using a hammer, or even a rock, is a much quicker and more effective way to gain entry – it works every time. Lockpicking is growing as a legitimate hobby and there are competitions in the US and internationally where enthusiasts get together and compete in lockpicking races and other challenges.

So now that you’re interested in lockpicking, the question is how do you get started? Well, I’ve been interested in this subject for quite some time and I have found several links and resources that have proven to be extremely useful. Lucky for you, I have gathered and listed those resources below.

Buying lock picks

To get started, you’ll need some picks. Toool (that’s with three o’s) is The Open Organization of Lockpickers. Toool’s purpose is to “advance the general public knowledge about locks and lockpicking. By examining locks, safes, and other such hardware and by publicly discussing our findings we hope to strip away the mystery with which so many of these products are imbued.” Their “Beginner’s Blend Pick Kit” can be purchased from their website at a reasonable price here: http://toool.us/equipment.html

Lock picks can also be purchased from these sites:
http://www.sparrowslockpicks.com/
http://www.lockpicks.com/

Locks for learning how to pick

If you want to stay out of trouble, you should only ever pick locks that you own, or locks that you have been given permission to pick by the owner. So what locks are good for learning how to pick? I think that there’s an informal consensus among lock pickers that the Master Lock number 3 model is one of the best locks for beginners to learn on. It has only four pins in it which means that it is usually somewhat easier to pick than a lock with five or six pins. Locks can become harder to pick over time as the parts become fatigued from use. As someone who is learning lockpicking, you will probably want to go out and buy a new lock instead of using that rusted old padlock that’s keeping the shed door closed. The Master Lock number 3 is easy to find at most hardware stores as it is a very popular and inexpensive model of lock.

There are also sets of locks for learning how to pick called progressively-pinned locks. Usually a set of progressively-pinned locks starts with a lock that only has one pin in it. Once you get the hang of picking a lock with one pin in it, you can move on to the next lock in the set that has two pins, and so on. Many sites that sell lock picks also sell progressively-pinned locks. You can buy a set of progressively-pinned locks from the US Toool website as well: http://toool.us/equipment.html

Educational resources

Next, you’ll also want some instructions and guidance on how to go about this lockpicking business. There are some really cool people who invested a lot of time and effort into creating some fantastic resources that will help you learn how to pick locks.

This guy, who goes by the name Deviant Ollam, wrote THE BOOK on lockpicking. The title of this book is “Practical Lock Picking, Second Edition: A Physical Penetration Tester’s Training Guide”, ISBN-13: 978-1597499897. You can pick it up from Amazon by clicking on the link here: http://amzn.com/1597499897

Schuyler Towne is obsessed with locks and lockpicking. So much so, in fact, that he put together a terrific series of instructional videos that cover the very basics all the way up to intermediate and advanced topics in lockpicking. Mr. Towne released these videos for free on YouTube, and they can be viewed here: http://www.youtube.com/playlist?list=PL66CD42F86F3A1F85

Meetings and groups

Are you interested in lockpicking but not sure you’re ready to jump in with both feet? There are lockpicking groups all over the US that meet up, usually every month, where you can get hands-on training by enthusiastic and friendly people. There are many lockpicking groups in the US but probably the one that’s most widespread is the US Division of Toool. If you’re interested in attending a Toool meeting in the US, chapter meeting locations and times can be found here: http://toool.us/meetings.html

Other resources

There are many forums and sites dedicated to lockpicking but I have found Lockpicking101.com to be one of the best.

http://www.lockpicking101.com/