Insights For Success

Strategy, Innovation, Leadership and Security

password

5 best Random Password Generators

General | Edward Kiledjian | 1 Comment

1 - Random.org

Random.org has been one of my favorite sites for a long time. It uses atmospheric noise as its source of randomness, which is much better than the algorithmic pseudo-random generators used by many sites and services.

You choose the password parameters you need and it generates wonderfully random passwords to use with your password manager of choice.

Link

2 - Symantec Identity Safe

Symantec has been a mainstay of the security market since the 90s, and they bought a company called PC Tools (along with its Secure Password Generator). As a PC tools vendor, they will try to get you to download their privacy tools, but I wouldn't recommend their password vault.

Use the password generator on the right side of their site to generate high-quality, complicated passwords with the complexity requirements you need. As an example, the settings shown above generated this password for me: dr-cr+wreF5p.

Link

3 - Wolfram Alpha

Wolfram Alpha is a powerful knowledge engine created by the brainiacs behind Mathematica. It is a superb tool I use regularly for problem solving, but it also generates random passwords. Head over to their knowledge engine, enter Generate Strong Password, then press the equal sign.

Then choose the complexity options you want and press the equal sign again to generate your password.

It then generates your wonderful password.

Press Plaintext and copy it into your favorite website or password manager.

Link

4 - Lastpass password generator

My 2 favourite password managers are LastPass and 1Password. Both have the capability to generate strong passwords, and you should use that functionality if you have either of them. Considering most of LastPass is now free to use, you really have no excuse.

But Lastpass also offers a web based secure password generator which is clean, easy to use and efficient. 

When you scroll up on that page after choosing your complexity options, you get a wonderfully generated password, or you can click the button and have another one created for you.

5 - GRC Ultra High Security Password Generator

GRC is the home of Gibson Research Corporation. It is owned by Steve Gibson, the Grand Poobah of internet security. He found the first spyware and wrote the first anti-spyware app. He is considered one of the most prominent security professionals and makes tons of tools available on his site.

His site generates perfectly random, long, complex 63/64-character passwords, and he then explains why his passwords are high quality. If you are interested in geeking out, it's a wonderful read.

Protect your online accounts from compromise before its too late

General, technology | Edward Kiledjian | Comment

Image by David Goehring used under Creative Commons License

As more and more of the services we rely on are delivered through the cloud, it becomes increasingly important to protect our accounts. As a security professional, there are a handful of steps I perform regularly that many of you don't, so here they are:

  • Install a well respected antivirus/antimalware software on your PC with real-time protection enabled and regular automatic updating of its database. There are hundreds of online posts discussing which one is "the best" but keep it simple and pick one of the products from the big manufacturers.
  • At least once a month, scan your computer with an online antivirus scanner (different from the one installed on your PC). Here are some examples:
    • ESET Online Scanner (link)
    • Kaspersky Security Scan (link)
    • TrendMicro Free Online Scanner (link)
    • Bitdefender QuickScan (link)
    • F-Secure Online Scanner (link)
    • Norton Security Scan (link)
  • Regularly update your operating system and installed applications. Viruses and malware often use known vulnerabilities in existing commercial off-the-shelf software to compromise machines.
  • Update your account recovery options regularly (monthly if possible)
    • Google Account recovery options page (link)
    • Microsoft Account recovery code
      • Sign in to your Microsoft account.
      • Under Recovery Code, tap or click Set up.
      • If you've created a recovery code before, your screen will say Replace instead. Tap or click Replace.
      • Tap or click Print.

  • Use 2-factor authentication for any online services that allow for it. There is a good list of sites that support it here (link)

  • Never reuse an online password on more than one site

  • Use complex random passwords. A good site that generates true random passwords online for free can be found here (link). Just take as many characters as the site allows

  • Use a password manager. Once you start using unique complex passwords for each site, you can no longer remember them so use a trustworthy password manager. A password manager stores all of your passwords for you and all you have to remember is one complex password to unlock the password vault. My personal password manager of choice is LastPass (link).

  • Clean up your social media permissions (link). Over time, you give various apps access to your social media accounts and most people just forget about it. It is a good idea to review everything that has access to your accounts and revoke the permissions from apps you no longer use.

What should users do about heartbleed

technology | Edward Kiledjian | Comment

Image by Travelhack under Creative Commons License

Since this is a user-oriented article, I won't get into the technical details of what the Heartbleed bug is. In simple terms, it is a vulnerability in a very commonly used security protocol that could allow an attacker to "steal" 64 KB of server data (from memory) at a time.

Current estimates peg the impact of this bug at about 500,000 sites, or ~20% of SSL-secured sites on the internet. This bug went undetected by mainstream researchers for 2 years and could allow a technically savvy attacker to continually exploit a server in the hope of finding passwords, credit card numbers or other valuable user information.

At this point I am not aware of this bug being exploited in the wild.

I'm a user and I'm panicking

First thing you need to do is calm down. It is a major vulnerability but the fix can only be applied by the operators of the affected sites (Google, Yahoo, etc). 

There is nothing for the user to fix or change on their own PCs. Users have to wait until websites update the software on their servers to a non-vulnerable version.

Know that once the issue is fixed on a server, the server operator will invalidate the old (potentially compromised) security certificate and add it to a revocation list. The first thing you should do is ensure your browser checks all SSL certificates against that revocation list. In Chrome, do this:

- Open a new tab

- In the URL address bar, type chrome://settings/

- Click on show advanced settings

- Scroll down until you see the SSL/TLS section 

- Make sure this checkbox is ticked

Once a website upgrades its software, you should change your password on that site. Changing it before the bug is fixed is useless, since the new password could potentially be exploited and stolen again. Some sites (like Facebook and Yahoo) have admitted to using the vulnerable product and have confirmed their software is now upgraded. This means you can go ahead and change your password for those sites.

Other sites (like banking) will likely never admit to having the vulnerability (and not all versions are vulnerable) so you'll have to use the heartbleed site checker tool on sites like Lastpass (link).

What if the site doesn't notify you? Maybe change your password now anyway and change it again once a week for the next 2-3 weeks. Sometimes they won't admit to being vulnerable to Heartbleed but may say "your account has been locked for security reasons, please change your password."

You should be using a password manager so that you can protect each website with a long unique password. I use WolframAlpha to generate strong long unique passwords for each site (wrote an article about it LINK) and store them in Lastpass (since remembering them is impossible.) 

WolframAlpha can generate strong passwords

InfoSec | Edward Kiledjian | 2 Comments

With all the hacking reports we saw in 2012, I hope all of you understand how important it is to generate a strong and unique password for each of the online services you use. You can create a strong password yourself, or you can use one of my favorite websites, WolframAlpha, to create one for you.

Go to Wolfram Alpha

In the query box, enter Generate Password

Click on the first option and press enter

It then generates an 8-character strong password.

If you want a longer password, click on this box and change the number from 8 to whatever you want

And then press the little orange execute box on the right hand side

It will now generate a new password with the requested length

This is another way I could use my favorite computational engine.
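The generators reviewed in the "5 best Random Password Generators" post and in this WolframAlpha walkthrough all do the same two things: draw characters from a cryptographically strong randomness source and let you pick a length and the character classes to include. The added example below (my own illustration, not code from this blog or from any of the sites mentioned) shows those pieces in Python: a generator built on the operating system's CSPRNG via the `secrets` module, an entropy estimate so you can see why an 8-character password is much weaker than the 63/64-character passwords GRC hands out, and a seeded `random` generator that demonstrates why an ordinary pseudo-random generator is a poor choice, since anyone who learns the seed reproduces the same "random" password. The symbol set and the `CLASSES` names are my own choices, not the option names used by any of the generators.

```python
import math
import random
import secrets
import string

# Character classes a generator lets the user require. The names and the
# symbol set are constructed for this example, not taken from any site.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}

ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def meets_policy(password: str, classes=ALL_CLASSES) -> bool:
    """True if the password contains at least one character from every required class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length: int = 16, classes=ALL_CLASSES) -> str:
    """Draw each character uniformly from the union of the selected classes
    using the OS CSPRNG (secrets.choice). If a draw misses a required class,
    discard it and draw again; rejection keeps the distribution uniform over
    all policy-compliant passwords instead of biasing fixed positions."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, classes):
            return candidate


def entropy_bits(length: int, classes=ALL_CLASSES) -> float:
    """Upper bound on password strength: length * log2(alphabet size).
    8 alphanumeric characters give about 47.6 bits; 63 characters over
    all four classes give about 409 bits."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def seeded_password(seed: int, length: int, classes=ALL_CLASSES) -> str:
    """Deliberately weak generator built on Python's Mersenne Twister.
    Given the same seed it always returns the same password, which is why
    a pseudo-random generator seeded from time or a counter is not suitable."""
    rng = random.Random(seed)
    alphabet = "".join(CLASSES[c] for c in classes)
    return "".join(rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    short = generate_password(8, ("lower", "upper", "digits"))
    long_ = generate_password(63)
    print(f"8-char alphanumeric: {short}  (~{entropy_bits(8, ('lower', 'upper', 'digits')):.1f} bits)")
    print(f"63-char full set:    {long_}  (~{entropy_bits(63):.1f} bits)")
    print("seeded generator repeats itself:",
          seeded_password(1234, 12) == seeded_password(1234, 12))
```

Run it a few times: the `secrets`-based passwords change every run, while the seeded one is identical each time, which is the practical difference between a site that uses a cryptographic randomness source and one that does not. The entropy figure is only an upper bound; it assumes the generator really is uniform and that the password is never reused.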


Some Twitter accounts hacked. Time to change your password!

technology | Edward Kiledjian | Comment

It seems some Twitter accounts may have been hacked. A quick search on Twitter reveals an interesting number of people complaining about issues with their account or tweets being sent from their account without their knowledge.

No official statement has been made by Twitter but it may be a good time to change your password and revoke Twitter access from unused third party apps. If you don’t know how, read my article here.