Friday Humor

If you think engineers are difficult try talking with a mathematician…

An engineer, a lawyer, and a mathematician are traveling through England on a train.  The engineer looks out the window at a passing farm and says “Look, the sheep in England are black”.

The lawyer promptly replies, “we do not have enough evidence to support your statement, all we can say is there is one black sheep in England”.  The lawyer then leans back with a smug look on his face at finally having gotten back at the engineer for always using technical jargon and precise words.

The lawyer waited to see how his friend would respond.  The engineer calmly looked at the mathematician and said “I believe this is your department”.  To which the mathematician replied “strictly speaking you are both incorrect as all we can say is there exists at least one sheep that is black on at least one side in England”.

Friday Humor

They were using the same words but were not speaking the same language…

A computer programmer is wrapping up work for the day when his wife calls and asks him to stop at the store on the way home.  She says “I need a gallon of milk and if they have fresh eggs get a dozen”.

The programmer comes home with 12 gallons of milk; his wife looks at him like he is crazy and says “what are you thinking, why did you buy 12 gallons of milk?”.

He looks puzzled and says “because they had fresh eggs”.

Friday Humor

Engineers are natural born problem solvers…

During the French Revolution a priest, a merchant, and an engineer are to be executed for helping the aristocracy.

As the executioner leads the priest to the guillotine he asks if the priest has any final wishes.  The priest says rather than be placed face down in the guillotine he would like to face up toward heaven and his God when he dies.  The executioner agrees to this request.  The rope is released, the blade falls, and stops an inch above the priest’s throat.  The executioner says “I’ve never seen this happen before, it must be divine intervention” and declares the priest is free to go.

Next the merchant is led up to the guillotine and says he too would like to die facing heaven and God thinking the faith the priest had might spare him as well.  Again, the executioner agrees.  Again, the rope is released, the blade falls, and stops an inch above the man’s throat.  The executioner declares the merchant is free to go having been found innocent by God.

Lastly the engineer is led to the guillotine and he also wishes to be placed face up like the others.  While lying there considering his fate he suddenly exclaims “there’s your problem, there is a large knot in the rope”.

Friday Humor

There is a lot of truth in humor…

I recently found this joke and wanted to share it with everyone.  I don’t know who originally wrote it to give proper credit.  To that anonymous person, thanks for giving me a laugh.

A man flying in a hot air balloon suddenly realizes he’s lost. He reduces height and spots a man down below. He lowers the balloon further and shouts to get directions, “Excuse me, can you tell me where I am?”

The man below says: “Yes. You’re in a hot air balloon, hovering 30 feet above this field.”

“You must work in Information Technology,” says the balloonist.

“I do” replies the man. “How did you know?”

“Well,” says the balloonist, “everything you have told me is technically correct, but it’s of no use to anyone.”

The man below replies, “You must work in management.”

“I do,” replies the balloonist, “But how’d you know?”

“Well”, says the man, “you don’t know where you are or where you’re going, but you expect me to be able to help. You’re in the same position you were before we met, but now it’s my fault.”

Beyond Passwords

The time has come to move beyond passwords for protecting our accounts.

As a final comment in the password security series I have been doing I thought I would share something called Two Factor Authentication (2FA) or more generically Multi-Factor Authentication (MFA).

What is 2FA/MFA?  In non-technical terms it simply means that you need to provide two or more forms of identification (the factors) to prove who you are (the authentication).  The factors typically fall into three categories:

  • Something you know (knowledge factors) – such as a password
  • Something you have (possession factors) – such as your phone
  • Something you are (inherence factors) – such as your fingerprint

While 2FA/MFA sounds complicated, it isn’t.  Most people have used a form of 2FA without realizing it.  When you check into a hotel you are given a room key (something you have) and told a room number (something you know).  Without both factors you cannot get into the room.  This protects you if you lose or forget your room key at the pool.  Sure, a criminal could try the key on every room until they found the right one, but it would slow them down – hopefully long enough for you to realize the key is missing and notify the hotel office.

2FA/MFA for websites works in a similar way.  When logging in you typically provide your password as you normally would, then the website will text a code to your phone (or call you with the code).  You must enter that code to complete the login.  The password is the something you know and the phone with the code is something you have.  It is unlikely that a criminal would know your password AND have your phone.

There are variations on how this works where the “something you have” is a Smart Card or token provided by the website rather than your phone but these are typically not used for consumers due to the cost.  High security environments may use biometric scanners (fingerprint, retina scanners) in place of something you have or something you know or as a third factor – a fingerprint reader that requires a password and a code sent to your phone.
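As an added illustration (not code from the original post), here is how a website can check both factors on the server side: the stored password hash plus a time-based code of the kind an authenticator app on your phone generates (RFC 6238), which plays the same “something you have” role as the texted code described above. The account record, secret, and password are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the HOTP code for the current 30-second slot."""
    return hotp(secret, unix_time // step, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen database does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    """Constructed server-side record: password hash plus the shared code secret."""
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_slot = -1  # highest time slot already used, to block code replay

def login(acct: Account, password: str, code: str, unix_time: int) -> bool:
    """Both factors must check out; a code is accepted once, within +/- one slot."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return False  # something you know failed
    slot = unix_time // 30
    for candidate in (slot - 1, slot, slot + 1):  # tolerate slight clock skew
        if candidate <= acct.last_slot:
            continue  # code from this slot was already used
        if hmac.compare_digest(hotp(acct.totp_secret, candidate), code):
            acct.last_slot = candidate
            return True  # something you have confirmed
    return False
```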

For more details on MFA please see: https://en.wikipedia.org/wiki/Multi-factor_authentication

A number of websites have started offering 2FA/MFA as an additional protection for your accounts.  If you are interested in using 2FA/MFA to protect your accounts see https://twofactorauth.org/ for a list of websites that support 2FA/MFA.  You can search by name or by category.  If the site you use doesn’t currently support 2FA/MFA you can click a button asking them to support it.

Give 2FA/MFA a try on a few accounts and see if it is right for you.  Strong passwords, non-standard security questions, and 2FA/MFA are the foundation of on-line account / identity protection.


I forgot my password

The best password in the world can be defeated with the information you post on Facebook.

It happens.  It is hard to remember everywhere you have passwords not to mention remembering the passwords themselves.  This is why many people use a single password for everything.  If you missed it, see my previous post for why this is a bad idea.

Most sites have an “I forgot my password” link you can use to reset your password if you forget it.  Many sites require you to answer security questions before they will reset your password.  By answering these questions correctly you prove your identity.  These are questions you provided answers for when you created your account.  Common security questions are:

  • Who is your favorite actor, musician, or artist?
  • What is the name of your favorite pet?
  • In what city were you born?
  • What high school did you attend?
  • What is the name of your first school?
  • What is your favorite movie?
  • What is your mother’s maiden name?
  • What street did you grow up on?
  • What was the make of your first car?
  • When is your anniversary?
  • What is your favorite color?
  • What is your father’s middle name?
  • What was your high school mascot?

These questions allow you to gain access to your account the same as the password so you need to protect them as you would your password.  The idea behind these questions is that you are likely to remember the answer but someone else would have a hard time guessing the answer.

Unfortunately, that is not always the case.  According to the FTC 8.3 million people were victims of identity theft in 2005; 16% of those people reported that they knew the person who used their identity without permission.  The problem has only gotten worse since then.  Family members, friends, roommates are all likely to know the answers to at least some of these questions.

As bad as that is, complete strangers may be able to guess the answers to these questions.  People share a lot of personal information on social media.  Read the list of questions again and think about what you have shared.  Do you follow your favorite actor or musician on Facebook or Twitter?  Have you “liked” them?  Did you list where you went to school?  If you listed your home town a simple search will find the names of all the schools and their mascots in the area.  Have you listed your birthday or anniversary?  Are you friends with your parents?  If so, someone may find maiden or middle names easily.  What about posting a picture with your pet and including their name?

You get the idea.  Very little is truly private anymore.  It is either a public record that can be searched or we share it without thinking about the possible consequences.  By guessing the answers to your security questions criminals can hijack your account without knowing your password.

So, what can you do?  If the site lets you create your own security question, consider doing that.  Think of a question that only you could answer and that is not something you would post online.  For example:

Q: What color shirt was I wearing when I fell in the river?

A: White

If you are limited to a pre-determined list of questions you can do any of the following (assume the question is “What was your high school mascot?”):

  • Add punctuation to the answer – Tiger!
  • Add numbers to the answer – Tiger88
  • Misspell the answer – Tyger
  • Spell the answer backwards – Regit
  • Do all the above – Regyt88!
  • Make up an answer – Green Mustache

Remember, the computer has no idea what the “right” answer is.  Whatever you provide is the “right” answer.  There is no rule that says it has to be the real answer.  As long as the answer you give when you forget your password matches the answer you gave when you created the account, you are good.

If you follow this approach you need to remember which method you used so you can reproduce it later; just what you needed, something else to remember.  You could use the same answer for every question so you can remember it, but this is as bad as using the same password everywhere.  You could instead make sure you always use the same method; that would be more secure than giving the standard answer each time.  The best solution is to record the security question and your answer in the notes field of your password manager.  This gives you the best security without having to remember anything.

You may think this is being paranoid or overkill.  First, I would remind you of one of my favorite sayings: “Just because you are paranoid doesn’t mean they aren’t out to get you”.  Second, you need to think about this from the criminal’s mindset, not yours.  Most people see a locked door and a sign that says “Authorized Persons Only” and move on; criminals see that and start thinking about how to get around it.  You need to protect yourself.


Password Please

You have enough to remember, passwords don’t have to be one of them. Free yourself AND be more secure by using a password manager.

In my previous post I talked about how to identify phishing attempts so you can avoid being a victim.  In that post I mentioned that one of the risks associated with phishing is that, since most people use the same password on multiple accounts, a single successful phishing attempt can put all your accounts at risk.

The best way to prevent that risk is to use a different password for each account you have.  That is a lot of passwords, I get it.  Later I’ll talk about tools you can use to make it easier to maintain separate passwords but first I want to talk about passwords in general.

Do you have a “good” or “strong” password?  What makes a password “good”?  My definition of good is a password that is easy for you to remember but hard for someone else to guess.  There are a number of tools available on the Internet to guess or “crack” passwords.  If your password is based on a word, a name, a date, etc., one of these password crackers will be able to guess your password in a few seconds.

In general, you want to use as long a password as the site will allow, up to 20 characters.  You should use both upper and lower case letters, numbers, and special characters (punctuation, shifted number keys, etc.).  You also want to avoid common passwords such as “password”, “letmein”, or “abc123”.  You can see a list of the 1000 most common passwords at http://www.passwordrandom.com/most-popular-passwords.

You can test the strength of your password at https://howsecureismypassword.net/.  Disclaimer: While I believe this site is safe to use, if you enter your real password into this site you may expose yourself to identity theft or other forms of fraud.  Use it at your own risk.

Here are some sample results from https://howsecureismypassword.net/ of various passwords:

| Password | Time to Crack | Comments |
| --- | --- | --- |
| railroad | Instantly | Top 3175 most used passwords, based on a word, too short, only has letters |
| Railroad | Instantly | Top 3175 most used passwords, based on a word, too short, only has letters |
| Railroad1 | 4 days | Based on a word and number, too short, no special characters.  Depending on the tool used this could be guessed in a few seconds. |
| Rail-road1 | 6 years | Better, but depending on the tool used this could be guessed in a few minutes. |
| Ride-the-Rails | 29 million years | Now we are getting somewhere, but if I know you are interested in trains or railroad history I might be able to guess it in hours or days.  How would I know you are interested in trains?  Your social media history (Facebook, Twitter, etc.) reveals a lot about your interests and hobbies. |
| Iahitgtlah:1937 | 34 billion years | The first letter of each word in the first sentence of “The Hobbit”, which was published in 1937.  Easy to remember, very hard to guess. |
| rV9FfswCP9kLSmNSolRs | 558 quadrillion years | I know what you are saying: how in the world can I remember that?  Keep reading. |

OK, so the last two are looking good.  They are essentially impossible for someone to guess.  Unfortunately, the last one is also impossible for most people to remember.  Also, I suggested that you use different passwords for every site: Facebook, Apple, Amazon, your bank, your email… that could be dozens of passwords.
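As an added example that is not from the original post, the following applies the checks from the table above to a password: membership in a tiny constructed common-password list, whether it is built only from dictionary words, length, and character classes, plus a worst-case brute-force estimate at an assumed 10 billion guesses per second (so the years differ from the site’s figures). It also generates a random 20-character password of the kind in the last row.

```python
import re
import secrets
import string

# Constructed stand-in for the "most common passwords" list linked in the text.
COMMON_PASSWORDS = {"password", "letmein", "abc123", "123456", "qwerty", "railroad"}
# Constructed mini dictionary standing in for the word lists that crackers use.
DICTIONARY_WORDS = {"rail", "road", "railroad", "ride", "the", "rails", "tiger"}
GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate for the estimate

def charset_size(pw: str) -> int:
    """Size of the smallest character pool a brute-force search must cover."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^a-zA-Z0-9]", pw): size += len(string.punctuation)
    return size

def weaknesses(pw: str) -> list[str]:
    """Return the problems a cracker would exploit, in the order the table lists them."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    # Drop digits/punctuation and split on them to recover the base word(s).
    base = [w for w in re.split(r"[^a-zA-Z]+", pw.lower()) if w]
    if base and all(w in DICTIONARY_WORDS for w in base):
        problems.append("based on dictionary words")
    if len(pw) < 12:
        problems.append("too short")
    if charset_size(pw) <= 26:
        problems.append("only one character class")
    elif not re.search(r"[^a-zA-Z0-9]", pw):
        problems.append("no special characters")
    return problems

def brute_force_years(pw: str) -> float:
    """Years for an exhaustive search of the password's pool and length."""
    seconds = charset_size(pw) ** len(pw) / GUESSES_PER_SECOND
    return seconds / (365.25 * 24 * 3600)

def generate_password(length: int = 20) -> str:
    """Random password containing upper, lower, digit and special characters."""
    pool = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if charset_size(pw) == len(pool):  # all four classes present
            return pw
```

The brute-force figure is a ceiling, not a guarantee: a dictionary-based password falls far sooner than the exhaustive-search number suggests, which is exactly what the weaknesses list is for.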

That is where password managers come in.  Password managers are tools for SECURELY storing your passwords – please don’t create a Word document and put all your passwords in it, especially if you name it “passwords”.  There are many password managers available, including many free options.  I have used Keepass for years but you may want to check out others – here is a good starting point: https://www.cnet.com/news/best-password-managers/.

Here are a few things to look for in a password manager:

  • It should encrypt your stored passwords with a master password (you will need to remember the master password but this is the only password you need to remember)
  • It will work on all the computers and devices you use (Windows, Mac, Android, iPhone, etc.)
  • It does not limit the number of passwords you can store (or at least has a very large limit)
  • It will allow you to store the web site URL and some notes about the account (such as security questions).
  • It will allow you to copy and paste the URL, username, and password so you don’t have to type them (a very useful feature; I wouldn’t use a password manager without it)
  • It will maintain a password history of past passwords
  • It will let you print a copy of your passwords – this is helpful for storing in a safety deposit box or with a family member in case of an emergency

After you put all your passwords into a password manager make sure you back it up regularly.  If you accidentally delete your password file you don’t want to have to click “I forgot my password” on every website you use.  Lastly, only use a well-known password manager from a reputable site; you don’t want your password manager to secretly send all your passwords to the software developer.  Research whatever password manager you are thinking of using before downloading it.

It is an adjustment to start using a password manager and trusting it to remember your passwords for you but once you try it you won’t want to go back.