Your passwords are not strong enough

If you’re like most people, you’ve grudgingly started to use complex passwords like “hf7s4hfk23” instead of “1234”. If you’re listening to the security experts, you’ve started using a different password for every site and service. You may even be using a password store like Password Corral.

And, after doing all that, you may actually feel somewhat secure in your online activities. Unfortunately, you’re not. Advances in password cracking techniques, the availability of powerful graphics hardware that can be used to speed up password cracking, and the failure of many web sites and services to use the latest security techniques make your security online weaker than ever.

Ars Technica has an excellent (although scary) post about the current state of online security and passwords.

The upshot is that you should do all of the things that security experts have been telling us for years: use long (11 characters plus), complex passwords with upper and lower case letters, numbers and punctuation; avoid using words in passwords; don’t re-use passwords; don’t use ‘stringdigit’ passwords (a string of letters followed by digits); and use a password store to help remember all those passwords. Do all of those things, but also ask your service providers to use current security technologies.
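As an added example (not from the post), a small Python checker that encodes the rules just listed: minimum length, character classes, the ‘stringdigit’ pattern, and a dictionary check against a constructed word list (a real checker would use a much larger list).

```python
import re
import string

# Minimum length the post recommends ("11 characters plus").
MIN_LENGTH = 11

# Constructed sample dictionary for the example; use a large wordlist in practice.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}

# The "stringdigit" shape the post warns about: letters followed only by digits.
STRINGDIGIT = re.compile(r"^[A-Za-z]+[0-9]+$")


def password_problems(pw: str) -> list[str]:
    """Return the reasons a password fails the post's advice (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    if STRINGDIGIT.match(pw):
        problems.append("stringdigit pattern (letters followed by digits)")
    # Dictionary words embedded anywhere in the password, ignoring case.
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
            break
    return problems


def is_acceptable(pw: str) -> bool:
    """True when the password meets every rule in the post."""
    return not password_problems(pw)
```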

For example, if you track your finances with the fictional site myspendingxyz.com, you clearly don’t want that site to use anything but the latest security. Look for a statement regarding security on the web site. If you can’t find one, contact the site operators and ask what they use to ensure the security of user accounts. The list below shows a few of the technologies commonly used and indicates whether those technologies are actually helpful.

  • Password hashing – absolutely required
  • Cleartext passwords – utterly insecure
  • One-way hashing – much safer than reversible hashing
  • Reversible hashing (really encryption, since the original password can be recovered) – dangerous
  • MD5 hashing – ancient, easy-to-crack crypto
  • Microsoft NTLM crypto – easy to crack
  • SHA1, SHA2 – much harder to crack than MD5, but these are fast general-purpose hashes and still not secure enough to use on their own for passwords
  • bcrypt, scrypt, PBKDF2, and SHA512crypt – current best crypto for use in hashing passwords
  • Password salting – a good way to boost security
  • Password complexity requirements – another good way to improve security
  • Corporate data protection policies – any company that handles user passwords should have policies in place that preclude such dangerous activities as copying password data to a laptop or removable drive
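As an added example (not from the post), Python code that puts the good side of this list into practice: a fresh random salt per user plus PBKDF2-HMAC-SHA256 from the standard library for storing and verifying passwords, shown next to the unsalted MD5 the post calls easy to crack. The iteration count is a constructed value; tune it to your hardware.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor. Higher is slower for an attacker guessing passwords
# offline, and also for your login path; 600_000 is a constructed example value.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = os.urandom(16)  # per-user random salt: same password, different hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_md5(password: str) -> str:
    """The weak scheme the post warns about: fast, unsalted, and identical for
    every user who picked the same password, so one lookup table cracks them all."""
    return hashlib.md5(password.encode()).hexdigest()
```

bcrypt, scrypt and sha512crypt are the other options the post lists; PBKDF2 is used here simply because it ships with Python.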

Some companies may be reluctant to go into details, and may even suspect your motive. However, they should at least be able to state that they do not use any out of date technologies and have effective data protection policies in place.

Update: A follow-up article from Ars Technica digs deeper into what makes a secure password, and the use of password manager software. They examine several of these programs in detail.

Windows 8.1: Start button is back, but useless

Microsoft heard the complaints, and is bringing the Start button back in Windows 8.1. The problem? They heard, but they didn’t listen.

The Start button itself isn’t really all that useful. What’s useful about the Start button in previous versions of Windows is what happens when you click it: a menu appears. Of course, that menu has been criticized for years, but it’s still the only practical way to see a list of what’s possible on your computer.

With Windows 8.1, Microsoft has brought back the Start button, but pressing it just takes the user to the new Start screen (the one with the tiles). Useless. Apparently the Start screen has an “All apps” section that can be configured to look somewhat similar to a traditional menu, but this menu would be incomplete at best.

In public discussion on this subject, Microsoft spends a lot of time talking about branding, desktop wallpaper on the Start screen, and the ability to boot to the desktop. They also apparently realized that on a computer with no menu, searching is the only way to find anything, so search has been ‘improved’ to Windows 7 functionality.

On the positive side, it will once again be possible to have more than one program or window visible on the screen simultaneously, although that feature will also be limited.

Here’s a roundup of related articles from around the web:

Update 2012Jun03: Peter Bright over at Ars Technica also noticed that the Start menu won’t be back in Windows 8.1, although I disagree with his conclusions.

Google’s rug-pulling frenzy continues

The latest victim of Google’s recent spate of service-killing is Google Code. While the service itself is still running, its usefulness is being dramatically reduced: downloads are being phased out.

The reason? Abuse, according to Google. Apparently nefarious types are using the service to distribute [insert something bad here]. Instead of allowing the (technically-savvy) user community to get involved and suggest solutions, Google unilaterally shut it down.

Sure, I get that this is a free service, and as such, Google has no legal obligation to leave it intact. But stranding users like this is no way to make people love you. I’m already re-thinking my current use of Google services, and I’ve altogether stopped using new Google services. What’s the point of switching to a new service – no matter how good it is – if it’s going to disappear in a few months?

Google is a rarity among modern tech corporations: it’s run by engineers instead of accountants, lawyers and MBAs. That has worked well for Google in the past, but I can’t help wondering if those bottom-line numbers are starting to sway Google’s head honchos. The power of those numbers is seductive. Once we lose Larry and Sergey to the dark side, Google’s days as one of the good guys are numbered.

Microsoft confirms name and price for next version of Windows

After much speculation, Microsoft has finally announced a name for the next version of Windows: Windows 8.1. Up until now, the working name for the new version was Windows Blue.

Anyone currently using Windows 8 will be able to install the new version as an update for free. This sounds a lot like what Microsoft used to call a Service Pack. Well, whatever they want to call it, as long as it’s free, I’m all for it.

The new version is expected to bring back some aspects of the Start button, the Start menu and the traditional desktop, but the details remain unclear.

Firefox version 21 released

Another new version of Firefox was released today. Version 21.0 fixes several security vulnerabilities and other bugs.

As usual, the release notes for version 21 don’t mention the version except in a note about contributors, but the list of fixes seems to be relevant to the new version.

Clicking the ‘complete list of changes’ link on the release notes page now goes to the Firefox bug tracking site, but the list of bugs shown includes issues that were resolved long before version 21 appeared, which is still very confusing.

On a brighter note, the release notes page now includes this entry:
21.0: Security fixes can be found here
Clicking the associated link shows a page titled “Known Vulnerabilities”, which clearly shows the version in which particular security vulnerabilities were fixed.

Update for Adobe Flash

Adobe just announced an update for Flash, version 11.7.700.202. As usual, the update fixes vulnerabilities in Flash that could cause instability or allow remote control of affected computers.

Microsoft, which maintains Flash separately for Internet Explorer 10, released an update for that browser with the latest fixes. The patch is available from Windows Update.

Likewise for Google, which released a corresponding patch for its Chrome browser. Chrome will update itself automatically.

Patch Tuesday for May 2013

The month’s updates include fixes for vulnerabilities in Windows, Internet Explorer, .NET and Office. The main bulletin has all the technical details, and the Microsoft Security Response Center has a more reader-friendly summary, entitled “Microsoft Customer Protections for May 2013”.

The expected patch for recently-discovered vulnerabilities in Internet Explorer 8 is included in this month’s patches as MS13-038. According to Microsoft, you can install this patch whether or not you previously installed the emergency “Fix-It” released by Microsoft.