How to ease your password hassles  | By Fred Langa Just as in 2006, one of 2007′s top themes is likely to be online security. So, let’s begin the New Year with some very useful password security tips and tools, and then look at an "update aggregator" service — and more! |
The way to use easier but safer passwords
My Dec. 14 story, "A free but high-powered password generator," yielded some great reader mail, such as this note from Eldin Leighton:
- "I’ve been using a free, very small, but effective program called Acerose Password Vault for over two years. The program includes a very strong password generator and it stores all password entries in one file that is also password protected and encrypted. I’ve had no problems with it whatsoever. If one is traveling, this program is small enough to fit on a memory stick, so it could be used on any computer, since nothing has to be installed in order to use it.
Editorial director Brian Livingston, for example, pointed out the technique recommended in Perfect Passwords, a book by Mark Burnett, our former contributing editor and a friend of well-known hacker Kevin Mitnick.
Brian says, “Mark spent years studying millions of passwords that ordinary people had created and analyzing the latest cracker tools that try thousands of passwords a second. He concludes in his book that the best passwords are 15 or 16 characters long, ideally 3 words separated by punctuation, with one or more of the words misspelled. The presence of meaningful word-like strings makes such passwords memorable without people having to write them on stickies pasted to their monitors. Both the length and the lack of dictionary words are what makes the password strong.”
That’s great advice, and indeed it may be the very best way to remember passwords without external aid. But my problem is password proliferation: I currently have separate passwords for over 450 Web sites and services.
While some of those sites (discussion boards, for example) are extremely low-risk and thus don’t require ultra-high security passwords, others (banks, PayPal, credit-card sites, my business-related sites, etc.) do need very safe passwords. I prefer not to use the same password over and over on different sites, and there are simply too many separate sites for me to remember all the passwords without assistance.
For me, the solution is RoboForm. This program is available in a free version that stores a limited number of logons/passwords, and a $29.95 "Pro" version without that limitation.
Figure 1. RoboForm not only generates high-security passwords, but also automatically fills in Web forms after you’ve entered them once.RoboForm works with your browser (including IE 7 and Firefox 2.0) to recognize Web-based forms (such as logon boxes).
If you’ve previously visited a site, and RoboForm was active, the software will automatically fill in the form with your correct user name and password (and any other information the site may require). If it’s your first visit to the site, RoboForm will automatically memorize whatever login, password and other information you provide to that site, and will automatically enter that information as needed on future visits.
RoboForm then deep-encrypts and stores your logins, passwords and related info on your hard drive (or on a thumb drive for portable use).
RoboForm also has an excellent, built-in password generator that can produce random passwords — letters, numbers and punctuation — of any specified length up to an incredible 512 characters.
At each day’s first use of RoboForm, you have to enter one master password to enable the software. It then takes over the task of managing all your logins and passwords from there. Thus, you only have to remember one high-security password (or passphrase, using Brian’s excellent method) to have access to all your other passwords, no matter how many you have.
Maybe I just need more ginkgo biloba. But barring a better memory, a tool like RoboForm is the only way I can keep all my passwords straight!
Are third-party update tools safe?
Reader and frequent contributor Steve Groginsky recently discovered AutoPatcher, an interesting free tool. But it’s of a class of tools that raises a yellow “caution” flag:
- “Have you seen AutoPatcher yet? I came across it in the MajorGeeks RSS just now. The program is apparently a compilation of Windows updates and a way to automatedly install the selected updates off-line without user input.
“I read all about it on the AutoPatcher site, and it looks good. It’s freeware, although unfortunately, adding all the new patches and components added to the size. For the full release of AutoPatcher XP, this means 330 megabytes and requires a high-speed connection to download. Another option is to order a CD or DVD on the site.
“The author emphasizes the efficacy of using AutoPatcher to install updates on several computers, but I think that it makes a perfect companion to a slipstreamed install disk [as I describe in an InformationWeek column —Fred] in case it is needed after reinstalling Windows. There are ‘Full’ and ‘Lite’ updates issued periodically, so you only need to get a bigger one once, and there are separate versions for different versions of Windows.”
My concern with third-party update sites is that you’re tinkering with the core software. Some low-level patches require a reboot or that you temporarily disable your antivirus tools. It’s unlikely, but these actions can subvert a third-party updater into a medium for malicious Trojan software.
More pertinent is the fact that AutoPatcher doesn’t support new Microsoft patches until several days after they’ve been released. For example, Microsoft released new patches on Dec. 12 last month, but the update package from AutoPatcher wasn’t available until Dec. 21, as explained at its site. Many people don’t wish to wait this long to install critical patches.
Plus, programming errors in the update-bundling software itself can introduce new problems that are absent from Microsoft’s official updates. (Lord knows, Microsoft’s updates have enough problems on their own!) The AutoPatcher December release contained just such a programmatic error — sort of a bonus bug — a fact explained by the developers in the post linked to in the previous paragraph. A fix must be downloaded separately, until the site releases its January 2007 update package.
AutoPatcher has a long and honorable track record, and I believe it to be an above-board operation. Still, you should be aware of the potential dangers of using any third-party update aggregator, and use all such services with caution.
How to quickly drain your capacitors
In my Dec. 14 article, reader Michael Thomas recommended that you wait at least 10 seconds before turning your computer back on when performing a full power-down. That short delay allows the system’s capacitors to lose their charge. This, in turn, completely resets any status information that may be held in your PC’s components.
Several readers, including Darryl Howerton, offered a small speed-up tip:
- “An easier way is to simply press the power button after unplugging the computer or turning the power supply switch off.
“This will cause the capacitors to drain almost immediately, eliminating the wait.”
Remote options to help you support friends
As a Windows Secrets reader, you’re probably the one that co-workers, family and friends turn to for help with their PCs. Perhaps Andrew Miller’s question will relate to your situation, too:
- “I recently spend an hour on the phone with my mother trying to explain how to copy a couple of files from a CD-ROM to her computer. I wished I’d taped the conversation. It was like all the funny help desk stories you hear.
“I first had to explain that the mouse was not a something that would bite her, and that the cup holder had another purpose.
“Anyway, my question is what is the best, easiest, and cheapest way to setup remote access to her PC, so I don’t have to go through this again.”
XP’s tools may be worth trying, because you probably already have them in some form — but there are limitations.
For example, only XP Pro can be a full “host” or server for Remote Desktop. XP Home can only be the “client” that logs into the server. And you can run into problems with some firewalls, too.
Fortunately, there are other excellent (and free!) tools available if the XP tools won’t cut it.
There’s LogMeIn, for example. It’s a free, Web-based tool that gives you basic remote control over any PC to which you have access. (A Pro version of the service offers more options, but costs $20 per month for a two-PC setup.)
TightVNC and UltraVNC are well-regarded free, open-source, remote-control tools.
Finally, Paul Thurrott’s column in the paid section of the Mar. 24, 2005, newsletter reviews even more remote-control options, both free and commercial. (He recommends LogMeIn for users who don’t need heavy file-transfer capabilities.)
One of those tools will certainly do the trick for you — and your Mom!
Fred Langa edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets. Prior to that, he was editor of Byte Magazine and editorial director of CMP Media, overseeing Windows Magazine and others.
The following LangaList Plus tips are in today’s paid newsletter:
• Tame those annoying Outlook prompts
• Firefox requires upgrade to be Vista default
• How to protect your privacy in a Flash!
• The right way to update Windows XP
• Taming your PC’s boot sequence
• Turn your “My COmputer” icon into a toolbar
• Restore a missing “Send To” shortcut in Explorer
• Are rewriteable CDs safe for backups?
