Category Archives: Tools

How good is your password?

There’s a new chart from Hive Systems that you can use to determine how resistant your password is to brute-force cracking.

Password strength chart

Keep in mind that this is a moving target. As processor power increases and new technology arrives, brute-force attacks get faster. So if you have a similar chart published a couple of years ago, it’s likely already out of date. That’s why they included the year at the top of the chart.

It’s easy to use: find the intersection of your password’s length with its character combination.

So, for example, ‘718462’ can be cracked instantly, as can ‘xgts’.

Note that this chart does not show the effect of dictionary attacks, which are typically tried before the brute-force approach. A dictionary attack tries to guess a password based on a list of common passwords.

If your password is in the red or purple areas, you should really think about making it longer and more complex. Longer, more complicated passwords are also more difficult to remember, especially when you use a different password for every site and service (and you really should), but there’s a simple solution to that: use a password database.

I use both Password Corral, which is a free, standalone Windows program, and 1Password, which is not free, but has some useful features.

Given that most of the web-based password managers have been hacked at one time or another, I still recommend using standalone software if possible.

ChatGPT: experiments in writing

As I’m sure you’ve noticed by now, I’m using ChatGPT to generate some posts defining computing terms. I’m labeling them all clearly as generated text, but I’m also checking them carefully before posting.

Checking ChatGPT’s output is extremely important, because one can be lulled into believing that the program knows what it’s talking about. The text it generates always sounds authoritative, even when it’s horribly wrong. And it’s wrong more often that you might imagine.

Note: I’m not going to call ChatGPT an Artificial Intelligence (AI), because it’s nothing of the kind. It’s just a program that is able to generate believable-sounding text, regardless of its accuracy, based on analysis of a crapload of content written by humans. True AI will include this particular skill, just as it will include the ability to play chess, to generate art, to drive cars, to make quick decisions based on unpredictable circumstances, and many thousands more specific skills that humans possess.

A recent post at Futurism does a nice job of providing real-world examples of a mainstream news site (CNET) using ChatGPT to generate articles that sound fine, but include serious errors. In this case, the publisher did not initially identify the generated articles as being from ChatGPT, and while I can understand their reluctance, I think that was a bad call.

The risks of depending on ChatGPT are enumerated in this post from KnowBe4:

  • A big downside to ChatGPT is that its sources are unknown, meaning the creators themselves may not even know where the answers it produces come from. This often leads to incorrect information being given.
  • The concerning thing about this flaw is that the inaccuracies are tough to notice, especially because it sounds confident but can really be utter nonsense.
  • You cannot use ChatGPT to find out if text has been written by ChatGPT. There is no antidote.
  • It cannot detect scams. ChatGpt is a natural language processing tool that can answer questions and generate text based on the input it receives, but it does not have the ability to detect scams or other fraudulent activities.

Meanwhile, when I asked ChatGPT “Can ChatGPT’s writing be relied upon as accurate?” it responded as follows:

ChatGPT is a machine learning model and its accuracy is based on the data it was trained on. It can provide accurate information and responses to a wide range of questions and prompts, but it may not always be completely accurate or up-to-date. It’s always a good idea to verify any information provided by ChatGPT with additional sources.

Update 2024Jul01: We should think of ChatGPT as a bullshit machine. To find out why, read the detailed analysis over at Springer.com (Michael Townsen Hicks, James Humphries & Joe Slater). Excerpt:

Calling their mistakes ‘hallucinations’ isn’t harmless: it lends itself to the confusion that the machines are in some way misperceiving but are nonetheless trying to convey something that they believe or have perceived. This, as we’ve argued, is the wrong metaphor. The machines are not trying to communicate something they believe or perceive. Their inaccuracy is not due to misperception or hallucination. As we have pointed out, they are not trying to convey information at all. They are bullshitting.

Another breach at a password storage service: LastPass

Using a password manager is still the best way to securely record all your passwords. This assumes that you are in fact using different passwords for every web site and service that require one. If you’re using the same password for everything, you are risking your privacy, financial security, and sanity.

So… which password manager should you use? Most of the major password management services (1Password, LastPass, etc.) store your passwords on their own servers, and there’s no question that this provides some benefits in terms of convenience, with the main one being that you can access your passwords from anywhere. You don’t have to back up your password data or copy it between devices; it’s maintained by the service provider and easily accessible via their web site.

But this convenience comes at a huge cost: the risk that your passwords will be compromised when the service provider experiences a security breach.

A recent breach at LastPass is, sadly, only the most recent example. In this case, the LastPass servers were compromised and attackers gained access to user data. The company first reported the breach in August 2022, but downplayed the impact on users. Their latest announcement finally provides the full story, and acknowledges that the attackers gained full access to user data, including encrypted passwords.

More about the breach from Bruce Schneier.

Although LastPass is to blame for the breach and compromised user data, passwords in the user data obtained by the attackers are all encrypted, and there’s no way to magically decrypt them without knowing the master passwords of individual users. However, that just means that the people who have the data will be using brute-force techniques to crack those passwords. For users whose master password is long and complex, it would take years–if not centuries–to crack, but if your master password is simple or commonly-used, all of your passwords are now known by these attackers.

Something for your to-do list: if you use LastPass, and your master password is easy to crack (check it here), you should immediately change ALL of your passwords.

In my opinion, you’re much better off using password management software that stores its data locally, on your own computer. Then you only need to worry about someone getting access to your computer, which you can actually control.

I’ve long recommended Password Corral for Windows users. It’s simple, secure, and free, and it stores its data locally only.

Other password managers that use only local storage include PasswordSafe, KeePassXC, and KeeWeb. Password managers that can be used with local storage include Roboform, and Sticky Password.

And remember that when you use a ‘cloud’ service, you’re just storing your data on a total stranger’s computer, which may or may not be managed and secured competently, and which you have basically no control over. Cloud stuff is convenient, but the risks of using it indiscriminantly are enormous.

Update 2023Sep11: Brian Krebs reports that password information obtained during this breach is being actively used by criminals to gain unauthorized access to various systems and services.

Dark Mode Rant

What you see above is what I see after a few seconds of viewing a web site in ‘dark mode’.

Web sites are traditionally shown with dark text on a light background. Which is reminiscent of something… (checks notes)… that’s right, books! Why change something that’s worked fine for literally millennia? Apparently because a lot of people think light text on a dark background looks cool. And, to be fair, some people claim that using dark view is easier on their eyes.

So now we have a ton of web sites, apps, and other assorted crap showing up on our computer screens that is almost entirely illegible to a large proportion of the population (well, me for sure, and I’m guessing I’m not the only one).

When I look at white text on a dark background, after about five seconds, all the lines start to blur together (see image above), and I’m unable to continue. If I persist, I just end up with a headache. For the record, I’ve had my eyes checked, and aside from needing to update the prescription for my reading glasses, my eyes are fine.

Here are a few links to web sites that default to dark mode:

A request to web designers and developers: if you can’t resist making your web site dark mode by default, please, please at least provide some method for viewing it in light mode.

Some browsers have built-in features that allow viewing dark sites in light mode. But they’re inconsistent. Firefox has Reader View, which reformats a web page to show it like a book, with less clutter and — more importantly — dark text on a light background. Sadly, the Reader View button, which normally appears at the right end of the address bar, doesn’t always show up. That’s apparently because it’s only able to handle individual posts/articles, not other types of pages.

There are many Firefox plugins for showing web pages in dark mode, but initially I wasn’t able to find one that does the opposite. I had been struggling with a plugin called Dark Reader, which sort of worked, but only with a lot of fiddling, presumably because it was designed to do the opposite of what I want.

Recently, however, I discovered a Firefox plugin called Tranquility Reader. This one does exactly what I want, forcing page text to black and page background to white. So far, it’s worked perfectly on every page I’ve tried.

When installed in Firefox, Tranquility Reader adds an icon to Firefox’s toolbar. Click it once to view the current page as black text on a white background. Click it again to go back to the page’s default colour scheme. Simple!

If you ever find yourself struggling to read dark mode web pages, try Firefox with Tranquility Reader. It may save you from a headache or two.

Related:

Cisco Immunet anti-malware software

In brief: stay away from this software.

I’m always interested in evaluating anti-malware/antivirus software, especially when it claims to be ‘lightweight’. All too often, anti-malware software that’s configured to run in the background has a very noticeable effect on performance.

So I installed Cisco’s Immunet on my main Windows computer. About ten minutes later, I removed it.

The user interface is horrible, seeming more like a first-time coder might have produced it, rather than an organization with the resources of Cisco.

I was very careful to configure Immunet before I ran any scans. In particular, I configured it to ask me before quarantining any files. Imagine my surprise when on its initial scan, it went ahead and quarantined three executables, none of which were actually malware.

Of the three quarantined files, I was able to use Immunet to restore one. The others were irretrievable, and I had to reinstall the associated software. For one of them, I lost its settings as well.

Normally I would persist with an evaluation like this, to give it a thorough test. But really, having suffered this much in such a short space of time, why bother?

This is crappy software. Avoid at all costs.

CloudBerry Backup

Backups are important. I tell people that they should think about how much work would be involved if they lost all their data, and had to create or gather it all again. Considering that work is usually enough to get people talking seriously about backups.

This consideration informs decisions about the backup process to be used: what should be backed up, how often backups should run, where backups will be stored, and how many backup versions will be kept.

My own backup requirements are like those of anyone who has done any amount of work that they would hate to lose: documents, email, financial records, pictures, artwork, and even browser bookmarks. The only difference is that I also provide full or partial backup services to my clients.

A few years ago, I realized that I needed an off-site backup system to complement my local backups. In the nightmare scenario involving total loss of all computers and storage devices resulting from a house or office fire, all local backups would also be lost.

And so I started looking at backup software that would allow me to maintain backups of critical data somewhere besides my home/office.

Storage required

Off-site backup storage takes many forms, including taking physical backup media off-site daily. These days it most often involves a paid service such as Amazon S3.

Remote services are often referred to as ‘cloud’ services, but they mean the same thing: the service runs on someone else’s computer. Of course, storing your irreplacable, private data on someone else’s computer sounds scarier than storing it ‘in the cloud’ so that’s the term we hear most often.

There are some special considerations when you start looking at using cloud storage for backups: additional costs, network bandwidth, vendor trustworthiness, privacy, and encryption.

The encryption issue alone requires careful consideration. Is your data encrypted in transit? Is it stored in encrypted form on the cloud service? Who has the keys to decrypt your data?

For my own backups, I settled on the DreamObjects storage service provided by Dreamhost. I’ve been using Dreamhost for client web sites and related services for years, and I’ve always found their support to be first rate. I have had a few problems with the DreamObjects service, including some reliability issues, but these were resolved quickly and satisfactorily by Dreamhost support.

My requirements

In my recent search for an off-site backup solution, I settled on the following requirements:

  • Runs on my main PC (Windows 8.1).
  • Stable and reliable.
  • Reasonably fast.
  • Incremental backups (back up only changed files).
  • Transmit only changed data (to save bandwidth).
  • A built-in scheduler, or compatibility with Windows Task Scheduler.
  • Compatible with DreamObjects, itself an S3-compatible service.
  • Data is encrypted in transit and when stored.
  • Storage provider does not possess encryption keys.
  • Ability to limit bandwidth used during backup operations.
  • Ability to limit the amount of storage used.
  • Backup storage pruning based on number of copies and/or storage used.
  • Straightforward restore process and tools.
  • Useful logging.
  • Does not use excessive computing resources (memory, processor, local storage, handles, and disk I/O).
  • The ability to include and exclude files and folders based on various criteria.

Enter CloudBerry

I looked at numerous possible solutions, and even purchased a few that looked promising but ultimately failed to meet my requirements, including qBackup, Arq5, Arq7, and GoodSync. I also looked again at Cobian Backup, which I still use for local backups, and Allway Sync, which I use for fast syncing of critical data to thumb drives, but they also failed to meet my needs for off-site backup.

CloudBerry was just the next solution on my list. I had never even heard of it before reading about it in this Reddit thread.

CloudBerry Backup can be downloaded and installed on a trial basis for two weeks. That was plenty long enough for me to learn what I needed.

CloudBerry Backup Features

See that list of requirements a few paragraphs back? Well, CloudBerry Backup checks all those boxes, and then some. CBB works with many storage services, including Amazon S3, Amazon S3 Glacier, Microsoft Azure, Google Cloud, Backblaze B2, Wasabi, OpenStack, various S3-compatible storage and others.

Other notable CloudBerry Backup features:

  • Grandfather-Father-Son (GFS) retention policy support
  • Backups to local drives and NAS-like storage devices
  • Microsoft SQL Server backups
  • Microsoft Exchange backups
  • Synthetic Backup for File, Image-based, VMware backups
  • Bare-metal recovery (create recovery disks and USB drives)
  • Cloud Backups (cloud-to-cloud, and cloud-to-local)
  • Image-based backups (physical or virtual machine image)
  • Modified Block Tracking for Image-based backups
  • Support for various virtual machine formats (Hyper-V, VMware, VirtualBox, and RAW)
  • Restoring image-based backups as Amazon EC2, Microsoft Azure VM, and Google Compute Engine instances
  • Hybrid (two-step) backup (applies to the legacy format only)
  • Client-side Deduplication
  • Mandatory and Full Consistency Checks
  • Backup Chains and Custom Scripts Support

One huge bonus CloudBerry provides is a clean, well thought-out user interface. This wasn’t on my requirements list, because although UI is important, backup software is typically set up once and then runs in the background. So I can live with a crappy UI in backup software, as long as it’s otherwise good. That’s unlike software I use every day, such as my email client, web browser, and document-based office applications.

A well thought-out user interface also makes CloudBerry Backup a legitimate solution for the less technically-inclined among us. In using CBB, I frequently discovered what I was looking for without any searching for functions or settings. Preset defaults made sense, and the backup plan creation wizard is excellent. CBB even creates several backup plans automatically, for documents, web browser bookmarks, and pictures; these need only a destination to be configured before they can be used.

CloudBerry Backup Pricing and Licensing

CloudBerry Lab was founded in 2011, but is in the process of rebranding itself as MSP360, so the company web site refers to both names. For now, the product I’m interested in is MSP360’s CloudBerry Backup Desktop Edition, which sells for $49.99 USD. The company provides other backup software and services aimed at business, corporate, and educational customers. There’s also a free version of CloudBerry Backup, but it has some limitations that make it unsuitable for my purposes.

When you purchase CloudBerry Backup Desktop Edition, you have the option of paying an extra $10 USD for a year of annual maintenance. The MSP360 web site isn’t exactly clear about what this provides, but it does include support, and may be the only way to obtain software updates. If you want and/or need support, the $10/year price seems reasonable.

Conclusions

Great software makes me happy. CloudBerry Backup qualifies, and my search for an off-site backup solution is over for now.

If you or anyone you know could use an excellent backup solution, whether or not they need off-site storage, you won’t go wrong recommending CloudBerry Backup.

EdgeDeflector prevents Windows 10 from using Edge

The battle for web browser dominance on the Windows desktop continues, although Google is currently winning. “Google recommends using Chrome” messages seem to appear on every Google-managed web page even if you’re already using Chrome. But while annoying, those messages are arguably reasonable compared with some of Microsoft’s recent tactics.

Microsoft likes to reset certain settings back to their defaults when Windows updates are installed. They’ve been doing this for years, reverting user browser preference to Internet Explorer at every opportunity.

As a result, power users and software developers have been engaged in a tug of war with Microsoft over the default web browser in Windows. In recent years, Microsoft has made it impossible for the default browser to be changed by software, forcing browser makers to instead provide instructions to users on how to make that change. Microsoft can of course claim that this change was made to improve security, and given the prevalance of browser hijackers in past years, it’s difficult to disagree.

With Edge in Windows 10, Microsoft has taken this battle to new extremes. Even if you have another browser selected as the default, some sites and services will always be opened in Edge. To see this in action, click on the taskbar search box. A large panel will open, showing news and weather links. Anything you click here will open in Edge, not in your default browser.

That’s because internally, Windows is using a special protocol called URL:microsoft-edge, which forces the use of Edge for opening web pages that Microsoft has designated as special in some way, despite being ordinary web pages in every sense.

This is of course exactly the sort of behaviour that got Microsoft in trouble in the 1990s: using their dominance in the desktop O/S market to push their own web browser. But these days everyone’s attention seems to be on Google and Facebook, and Microsoft’s browser pushback is being largely ignored.

EdgeDeflector to the rescue

Daniel Aleksandersen’s EdgeDeflector is a small tool that overrides the URL:microsoft-edge protocol’s normal behaviour, forcing it to actually use the web browser you’ve chosen as the default. EdgeDeflector was recently updated to make it more palatable to anti-malware software, which previously flagged the tool as suspicious because of its behaviour.

You’ll have to change this Windows 10 setting manually to make EdgeDeflector work.

Once you install EdgeDeflector, you need to complete its setup with some manual steps. I can confirm that the end result is exactly as advertised: even when clicking news links from the Windows 10 search panel, those links will open in your default browser, not in Edge.

Of course, Microsoft will probably take steps to defeat this useful tool, with the most obvious step being to revert the changes EdgeDeflector has made when Windows 10 is next updated. And so there are no winners in this stupid, never-ending battle.

Deciding whether to install a web ad blocker

I just discovered an interesting and useful web site: Should I Block Ads?

Created by Michael Howell, it’s collection of information that can be helpful in deciding whether to install an ad blocker in your web browser. It also provides ad-blocker recommendations for various platforms and browsers.

Michael’s analysis addresses all of the concerns I’ve had with web-based advertising, and confirms my choice to install and use uBlock Origin in Firefox, my primary web browser.

If you’re considering installing an ad blocker in your web browser, keep in mind that there can be a bit of a learning curve, and that blocking ads can cause some web sites to stop working. Blocking web ads usually ends up being an ongoing process; don’t expect it to be a magic bullet.

There are of course arguments against ad-blocking. Just keep in mind that a site owner always has the option of placing hand-crafted advertisements on their site; as long as they don’t use Javascript and are not associated with known advertising networks, they will not be blocked.

Hook: find without searching

A new software tool from CogSci Apps called Hook lets you link together web sites, emails, documents, and many other resoures, making it a simple matter to find those resources again later. Open one resource, then use Hook to open any or all of the related resources.

Here’s an exerpt from the Hook web site:

Hook for macOS
Find without searching.
Instantly access the information you need, without searching. Whether it’s in the Finder, email, on the web, in the cloud, a version-control system, … almost anywhere.

Currently available only for Mac, a Windows version is in the early planning stages.

If you have a Mac and want to try Hook, you can download the free version from the Hook Download page.

Paid versions of Hook include more features. You can see how the different versions compare on the Hook Buy page.

JRC is a CogSci Apps affiliate. If you purchase a paid version of Hook within 30 days after visiting the Hook Buy page using any Hook Buy page link on this page, Jeff Rivett Consulting will receive 15% of the purchase price.

It’s probably a good idea to stop using LastPass right now

Password management tools are generally a good thing. Most of us have so many passwords now that remembering them all is difficult. While it’s tempting to use one or two passwords everywhere, this is generally viewed as a bad idea. Same goes for short or easy-to-guess passwords: bad idea.

I recommend using password management software that runs natively, on your computer. I personally use Password Corral, and have used Bruce Schneier’s Password Safe. Both store your password data on your computer, not on someone else’s computer (aka ‘the cloud’). Both are relatively basic in terms of functionality: they allow you to store all of your passwords securely; password data is encrypted and protected by a master password. They can also generate new, random passwords.

There are plenty of other password management solutions out there. Some of the most popular ones, like LastPass, provide more features and are easier to use, but there’s typically a cost. For instance, it would definitely be convenient if I could access my passwords from any computer. But if that means my password data is stored on the cloud somewhere, well, no thanks. The same goes for browser extensions that enter passwords automatically.

Which brings us to yesterday, when a Google Project Zero security researcher reported a serious vulnerability in the LastPass browser extension. With the extension enabled in your browser, a malicious web site could steal all of your passwords from the LastPass data files. Yikes. But wait, there’s more! If you’re also running the main LastPass software on your computer, a malicious web site could execute arbitrary code on your computer.

LastPass issued a response to this report, confirming the problem. Their advice to users is vague, but that’s actually a good thing: if they said too much, it could provide clues about the vulnerability to malicious hackers. But the message is clear: if you have to use LastPass, disable the Lastpass browser plugin:

Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.

Interestingly, of the three recommendations provided, two are standard advice for anyone who uses the web: enable and use Two-Factor Authentication for sites and services that offer it; and be wary of phishing attempts.