Tuesday, January 17, 2012

Taking passwords seriously

I used to use the same password everywhere. In 1993, I crashed a Clinton inauguration party at a restaurant in DC, and for years my password was a derivative of that restaurant's name. I'd read somewhere that it was a good idea to include numbers in your passwords, so I picked a number and my "standard" password became "restaurant#name". Sometime a few years later, I read that symbols were good too - so the stand-by became "restaurant[number]name[symbol]". Every time I set that as my password, the password strength meters measured off the charts: it used a number and a symbol, wasn't in the dictionary, and I was probably the only person in the world with that particular password.

But things began to get messy. Some sites didn't allow symbols. Others had a max character limit. As sites got more serious about security, some required mixed cases (some capitals, some lower case). Inevitably, my "standard" password became more like a template, with a half dozen derivatives. And it became increasingly hard to remember which site had which derivative.

Several years ago, I realized that one password to rule them all was probably a bad idea. After all - if someone got ahold of my nytimes.com password, they'd probably be able to log into Amazon, Gmail, PayPal and any number of other sites. I resolved to use a pattern that was site-specific. That was marginally better, but anyone who got ahold of my password at one site could probably figure out my password on other sites.

Then in December of 2010, Gawker was compromised, and the hackers didn't just publicize that they'd breached Gawker's servers, they published a file of all usernames and passwords. I had an account at Gawker, and as a result my password - and the simple pattern used to construct it - was available for the world to see. I'd read about password managers at the time, but thought that since I'd been able to survive for 15 years without one, I'd be OK just hardening my "standard" password. My new pattern incorporated the year, but now I had an even worse mess on my hands: I had dozens of accounts, and depending on when I'd last accessed them, a password that followed one of three possible patterns (with any number of derivatives). My method was falling apart. When 2012 arrived, it was clear I was toast. I couldn't have a year-dependent password pattern - did I open that account in 2011? 2012? Did I update it in 2010?

This weekend, Zappos's 24 million customer accounts were compromised (I was one of them). Though we don't yet know how broad the breach was, or whether the attackers will publish an account list like the Gawker attackers did, I didn't need another reminder. It was time to get serious about my passwords.

I asked people on Google+ and Twitter what they used to manage their passwords, and people overwhelmingly recommended two services - LastPass and 1Password. LastPass had a few more recommendations overall, so I started there.

First off, a quick summary of what LastPass is: you create a username and password with LastPass, and as you log into websites it asks whether you'd like to store those in your LastPass "vault". Once stored, each username and password is available to you wherever you can access LastPass - whether on your computer, on a guest computer, on your mobile device, etc. If you're creating a new account, LastPass can generate a very secure password - it won't be memorable, it isn't guessable, and it'll be unique to that site and your username. (I just asked LastPass to generate a new password; here's what it came up with: "kkVUI8nZ".)

With that in mind, here's what I did to get serious about my passwords. I'll warn you: this took a fair amount of time - easily 6+ hours in total over a couple days, and I'm not actually done (I keep thinking of more accounts to upgrade). That said, I am much happier with my overall security than I was going into the weekend, and as an added benefit I have a master list of every account I use on the Internet.

1. Set up a LastPass account. This username will be your master login for LastPass, and the password should be very secure, but one you can remember - if you lose it, you'll regret it. (It's not necessarily an "abandon all hope" moment, but it's close.)

2. Download LastPass Chrome extension. I use Chrome exclusively as my browser, and often jump from my MacBook Air to my Chromebook. LastPass has a Chrome extension that makes LastPass completely integrated with the browser, which made the next several steps much easier. (LastPass has integrations with IE, Firefox, Safari and Opera, so you should be good to go regardless of which browser you use.)

3. Install the Android app. The core LastPass service is free, but the premium service - for a whopping $1/month - means I can use their Android app to access my password vault directly from the phone. That's handy - especially with a number of mobile apps I use for banking and the like - and well worth the minimal cost.

4. Clear cookies and saved passwords, set Chrome to never remember passwords. This avoids me automatically logging into any site I visit (which is a nice forcing function to upgrade the password as I'm prompted to log in) and avoids Chrome and LastPass fighting over who gets to save the username/password when entered (I want LastPass to do so).

5. Upgrade passwords. I started a Google Spreadsheet to list all the accounts I could think of. I got to 30 pretty quickly, and after a few more minutes added another 15. But I knew there were more. I've used Gmail for all e-mail for the last six years, so I headed over to Gmail to find all the accounts hidden within. Here are some Gmail searches I used to find little-used and long-forgotten accounts, some of which had saved credit cards stored in them and other data that I'd like to protect:
  • to:me "new account"
  • to:me "new login"
  • to:me password reset
  • to:me receipt
  • to:me account confirmation
  • to:me username
There were other searches that were useful; you get the idea (and can probably think of others that'd produce additional logins). As I found a new site that had a login for me, I added it to the Google Spreadsheet. Within an hour, my account list was well over 100 logins.
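The same inventory can be built offline from a mail export rather than by hand in the Gmail search box. The following is an added example (not from the original post) that scans an mbox file, flags messages whose subject or plain-text body contains the same kinds of phrases as the searches above, and groups the hits by sender domain so each domain becomes a candidate row in the spreadsheet. The phrase list and the three-message sample mailbox are constructed for the example; Gmail's own export format (Google Takeout) is mbox, but that assumption is not something the post states.

```python
import mailbox
import re
import tempfile
from collections import defaultdict
from email.utils import parseaddr

# Assumed phrase list, mirroring the Gmail searches above; extend as needed.
ACCOUNT_PHRASES = [
    r"new account", r"new login", r"password reset", r"receipt",
    r"account confirmation", r"your username",
]
PHRASE_RE = re.compile("|".join(ACCOUNT_PHRASES), re.IGNORECASE)


def _text_body(msg):
    """Concatenate the text/plain parts of a message (decoded)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def find_account_domains(mbox_path):
    """Return {sender_domain: [subject, ...]} for every message whose subject
    or body matches an account-related phrase."""
    hits = defaultdict(list)
    for msg in mailbox.mbox(mbox_path):
        subject = msg.get("Subject", "") or ""
        if PHRASE_RE.search(subject) or PHRASE_RE.search(_text_body(msg)):
            _, addr = parseaddr(msg.get("From", "") or "")
            domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else "(unknown)"
            hits[domain].append(subject)
    return dict(hits)


# Constructed sample mailbox: two account-related messages and one that is not.
SAMPLE_MBOX = """From MAILER-DAEMON Mon Jan 16 10:00:00 2012
From: "Example Shop" <noreply@shop.example>
To: me@example.com
Subject: Your receipt for order 1234

Thanks for your order.

From MAILER-DAEMON Mon Jan 16 10:01:00 2012
From: accounts@forum.example
To: me@example.com
Subject: Welcome! Your new account is ready

Your username is me123.

From MAILER-DAEMON Mon Jan 16 10:02:00 2012
From: friend@example.org
To: me@example.com
Subject: lunch tomorrow?

Still on for noon?
"""


def write_sample_mbox():
    """Write the constructed sample to a temporary file; return its path."""
    f = tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False)
    f.write(SAMPLE_MBOX)
    f.close()
    return f.name


if __name__ == "__main__":
    for domain, subjects in sorted(find_account_domains(write_sample_mbox()).items()):
        print(domain, "->", subjects)
```

Run against a real export, the domain list will contain noise (newsletters, marketing mail), so treat it as a candidate list to review rather than a finished inventory.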

Once I had the full list, I then opened a new tab and tried to log in to each site, one at a time. (I often couldn't remember which pattern derivative my password was for that particular site; if that was the case, I just clicked 'forgot password' and used that feature to reset my login.) Once in, I then chose the "change password" option, and used LastPass to generate a new, secure password. Upon confirmation of the new password being set, LastPass would ask if I'd like to save the new password in my vault - which of course I did.

6. Rinse, lather, repeat. As diligent as I was, I thought of another dozen accounts (college and law school alumni sites, couple other news sites, etc.) last night that I've added to the Google Spreadsheet and will tackle shortly. Though LastPass is now managing over 100 logins for me, I expect there are another 50-75 I have forgotten about that I will accumulate in the next month or two. (Update: since starting this blog post, I've found another 30. It never ends!)

7. Turn on Google Authenticator support in LastPass. Last year, I wrote about best practices for keeping your Google Account secure, and spent a bit of time talking about 2-step verification. The premise is simple: with 2-step verification enabled, your username and password alone do not grant you access to your account. You need something else - in this case, a code that is visible only on your mobile phone - to get access. The idea behind this is that your phone is likely to be in your possession - and only yours - so that a bad actor who might have found a way to get your username and password would still be unable to get access to your account. LastPass works with Google Authenticator, which means that you'll only be able to unlock your password vault if you physically have possession of your phone - yet another layer of security that all but guarantees that you will keep prying eyes out of your private info.

As I got to accounts that I hadn't used in years, I thought hard about deleting the account - and in several cases did just that. If I kept the account, obviously it's ideal to upgrade the password to something more secure than my previous password. But removing the account altogether was an even more secure alternative - and I'll remember those services that make removing accounts easy for when I need a service like that again. Services that don't make it easy to delete your account shouldn't expect to see me ever again.

One final LastPass feature that I adore: sharing. Not all passwords that are in my name/e-mail address are mine alone. Our utilities, for instance, all have the ability to log in and review past invoices, pay bills, etc. but they require a single username/password to manage. Rather than make my wife remember one of these LastPass-generated passwords or rely on an insecure, memorable password, LastPass allows me to share a password with her through LastPass. This is no less secure, but far more convenient - and if we ever need to update the password, LastPass will manage the updates and ensure that we both have the current version.

Thanks to the many people who responded on Google+ and Twitter - I'm really happy with the outcome and only annoyed that I didn't do this years ago!

Wednesday, January 4, 2012

New year's resolution: get a job!

Welcome to the new year. If your current job isn't thrilling you and you resolved to find a job you love in 2012, be sure to visit the Google Ventures job board. The start-ups in our growing portfolio are hiring - as of this writing, there are 371 jobs waiting to be filled.

Whether you're looking for a job in California, Colorado, DC, Florida, Illinois, Massachusetts, New Hampshire, New York, Texas, or Washington, there are engineering, HR, bizdev, marketing, sales, design and ops roles that need to be filled. (Not in the US? Our portfolio companies are hiring in Germany, China, Brazil, Switzerland, Spain, and Hong Kong too.)

Rather work at Google? Google's hiring too.

Tuesday, January 3, 2012

Businesses who don't trust customers

Comcastic image from barbariangroup.com.
Last month I contemplated something unthinkable (for me): I thought about breaking up with TiVo. I started my relationship with TiVo 11 years ago, with a Sony DirecTiVo box that I still consider among the best consumer electronics purchases I've ever made. Since then, I've gone through several TiVo boxes, as we moved from DirecTV to Comcast, from standard def to HD.

So why consider leaving? In short, my wife and I (not to mention our kids) are watching less and less broadcast TV, opting instead for what we can get on demand. Netflix Instant is great for TV series and some diamond-in-the-rough films, and Amazon VOD (both the titles free to Prime subscribers and the on-demand rentals) has been great. Though both services technically work with our TiVo boxes, the interface for both on our GoogleTV is much better, and has been how we consume both services. As a result, we found we were watching fewer and fewer recorded shows from the TiVo, and we were watching the on-demand services through GoogleTV, bypassing TiVo altogether. By moving to the Comcast boxes, we'd also get access to Comcast's On Demand programming, which we pay for through our monthly subscription but have no way to access (TiVo and Comcast have been claiming On Demand support is coming for years, but even if/when it does come, it'll likely be on TiVo equipment I don't own).

Off I went to Comcast to pick up a couple Comcast HD DVRs. I'd conveniently suppressed my last experience with Comcast equipment (that post is worth a read, btw), came home and hooked the first box up. It should have been simple, plugging the HDMI cable that had previously been connected to the TiVo into the Comcast box. (That HDMI cable is plugged into the GoogleTV box, which sends an HDMI signal to our receiver, which sends an HDMI signal to our TV.) Try as I might, I couldn't get anything to display on the television. The front of the Comcast box seemed to read "dU1", and I could only see a blue screen on the TV.

I called Comcast, which produced nothing actionable - the best they could offer was that I should try a different box. (I already had.)

After some Googling, I figured out what was up. It's called High-bandwidth Digital Content Protection (or HDCP), and it's been in place for years. Turns out, Comcast doesn't trust me! Though I pay Comcast several hundred dollars per month - and was actually contemplating paying another $25/month for the two boxes - if I wanted to plug that HDMI cable into anything other than directly into my television, they consider me a pirate and forbid me from using my equipment at all. (That "dU1" error was actually saying "DVI", but given the limitations of the 1980s-era display on the cable box, that was the best they could come up with. To use the box, I'd need to revert to non-HDMI cabling, separating the video signal from the audio signal.)

I immediately unplugged the Comcast box and returned both. Re-connected the TiVos, and went back to using my equipment exactly how I wanted (which, by the way, is entirely legal).

So here's a 2012 resolution I intend to keep: companies who trust me get more of my money. Companies who don't trust me, or who implement unnecessary technical limitations on equipment I pay for and intend to use legally? Not so much.

BTW, Fred Wilson has a related rant up today titled #screwcable:
I've long believed that piracy is largely a business model problem not a human behavior problem. If you give people a legal way to consume the content they want, they will pay for it.

Interestingly enough, this same attitude - restricting innovation to protect legacy business models - is the very issue at the heart of the SOPA debate going on in Washington, DC as I write this. Though those of us opposing SOPA made progress last month, the fight is by no means over. Please visit Engine Advocacy (today!) and call Congress today to let your representatives know that you do not want to let the US government censor the web and further restrict users' legitimate uses of new technologies.

Sunday, January 1, 2012

Becoming a better photographer

In keeping with my 2012 information diet, I've resolved to both blog more and take more photographs. Late last year I upgraded my camera - from a Nikon D80 to a Nikon D7000. Thought I'd document a bit about the gear I'm using and how I'm committing more to my photography hobby.

My primary lens is a Nikkor 18-200mm f/3.5-5.6 VR II lens; I waffled a bit between this lens and a better zoom (had my eye on the Nikkor 80-200mm f/2.8), but ultimately opted for the greater flexibility of the 18-200, along with the VR capabilities in the lens that should make hand-held shooting better. (For good reviews of the 18-200 that helped me make up my mind, see Thom Hogan and Ken Rockwell.) It also didn't hurt that the 18-200, while not inexpensive, was quite a bit less than the 80-200.

I put a 72mm Hoya UV filter on the lens, and will probably pick up a polarizing filter before our summer trip to Alaska.

Ade Oshineye echoed a recommendation I'd heard from several photographers: keep the camera with me at all times. To make that a bit easier, I picked up the Kata 3n1-33 backpack that will carry my camera and gear, as well as my laptop, power cords and books. I've really liked the bag, which can be a backpack or a sling, and features a nice easy-access compartment that makes getting to the camera really fast. Thanks to Chris White for the recommendation on Google+ - it's been a great bag so far.

After I upgraded the camera body, I asked for some recommendations on books that'd help me improve, and have picked up several of the books that were suggested:
  • Understanding Exposure by Bryan Peterson. This book does a great job explaining the 3 critical parts of a photo: ISO, aperture and shutter speed. Great illustrations and very readable copy make this a very solid explanation of how pictures are composed and how to get the right exposure every time.
  • David Busch's Nikon D7000. I read through the Nikon manual - it does a great job explaining how to do things with the D7000's incredibly sophisticated controls. But what's missing is the why you'd do certain things - why you'd use one auto-focus option over another, why you'd tweak that noise reduction setting, why you'd choose one option over another. Busch's guide is a veritable bible for the camera, and is giving me much more appreciation for what the camera can do (and how I can take control of it).
  • David Busch's Nikon D7000 field guide. This stays in the Kata bag, and is a condensed version of the D7000 bible mentioned above.
BTW, many thanks to some great photographers/friends for their advice on Google+: Erica Joy, Chris Chabot, Bud Gibson, Ade Oshineye, David Hobby, and Thomas Hawk. You should follow them!

Finally, I've switched from Picasa to Adobe Lightroom for managing my photos. While I was generally happy with Picasa, I've found Lightroom to be a more fully-featured app - both for managing photos shot in RAW and for the large volume of photos I'm shooting. I'm still getting the hang of it, but have found Adobe's Lightroom TV a great collection of tutorials to get more out of the app.

Of course, none of this is any good without developing a better eye, and lots of practice. To that end, I'm following a lot of photographers on Google+ and observing what I like (and what I can understand!), and am trying to take a lot more pictures. I've had the camera less than a month and have taken well over 1,000 pictures. We took some family down to Monterey right before Christmas, and I took a couple shots I'm really happy with:

Really looking forward to taking many more thousands of pictures in 2012. Stay tuned!