Category Archives: Internet

A clever bit on passwords and phishing.

I listen to the podcast “Naked Security” from Sophos.com.

Today they had a(nother) great reason to start using a password manager.

Password managers

These are programs to manage your passwords. Yes, duh. But they do that in a clever way. They generate big, complex passwords that you can’t remember, like 3jGrkVvaVNJ$Kv*JRCZsg (note, you will be quizzed on this one later on haha).

You just remember 1 main password to unlock the password manager (and optionally use a Multi Factor code to open it) and the manager does the rest of the heavy lifting.
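As an added illustration of what "generate big, complex passwords" means in practice (this is example code written for this page, not code from 1Password or Bitwarden), the generator below draws every character from the operating system's cryptographic random source via Python's `secrets` module and rejects any draw that misses a character class. The 21-character length and the symbol set are assumptions chosen to match the sample password in the text.

```python
import math
import secrets
import string

# Character classes a generated password must draw from (assumed policy for this
# example, not the policy of any particular password manager).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one character of every class."""
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def generate_password(length: int = 21) -> str:
    """Draw characters from the OS CSPRNG (secrets), never from random.random.

    Rejection sampling keeps the result uniform over all strings that satisfy
    the class policy; at 21 characters a retry is rare.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random password of this shape: log2(N^L)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
```

The entropy figure only holds because the characters are chosen uniformly and independently; a password a person composes from words and substitutions does not get that credit.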

1Password unlock screen

This is one password manager, 1Password. Because that 1 password is all you remember.

1Password will set you back about $3 / month.

Bitwarden unlock screen

This is Bitwarden. Bitwarden is free and open source, and delivers a lot of good stuff. There is a paid option which will help you keep MFA tokens alive, that costs around €10 / year.

MFA

You probably know about MFA. If not, you should learn about it, fast. It is a second layer of login security. If someone has your password (which is something you know) and you have enabled that second factor, there is no way a hacker can break into your account without it, and it is usually something you own. There are apps for that, like Google Authenticator, Okta Verify or Microsoft Authenticator. A good password manager can handle that as well: you go to a website, the password manager sees you have a login for it, and it fills in the name and password, and also the MFA code for that site. No need to open another app on your phone and copy the numbers by hand.

Link recognition

Following up on that, as I said, a password manager sees that you have a login for a site.

Suppose you get a mail that sends you to https://your.very.trusted.bank.com. You’ve seen that link a gazillion times, so yep, you know it, you click it. The password manager will handle the login. But then there is no login filled out! What the fork?

The clever bit here is (check the bank link) that the link on the screen looks legit, but the actual link isn’t. The password manager doesn’t recognise the link and so it won’t help you log in. After all, this is a strange place and there might be dragons.
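To make the "link looks legit but isn't" point concrete, here is an added example (written for this page, not taken from any password manager's code) of the two checks involved: matching the host the browser is really on against the saved login, and flagging mail links whose visible text names one host while the `href` goes to another. The saved host, the username and the mail body are constructed; the lookalike host uses the reserved `.example` TLD. Real managers match on the registrable domain using a public suffix list, which this simplified `same_site` does not do.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed vault for the example: site host -> username. Not a real account.
SAVED_LOGINS = {"your.very.trusted.bank.com": "paul"}

_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def host_of(url: str):
    """Host the browser would actually connect to, or None for non-web URLs."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def displayed_host(text: str):
    """Host a human reads in the link text, if the text looks like a URL or hostname."""
    text = text.strip().lower()
    if "://" in text:
        return host_of(text)
    return text if _HOST_RE.match(text) else None


def same_site(actual_host: str, saved_host: str) -> bool:
    """Exact host, or a subdomain of the saved host.

    The suffix test is anchored on the saved host, so a lookalike such as
    saved-host.something.example does not match.
    """
    return actual_host == saved_host or actual_host.endswith("." + saved_host)


def autofill_candidate(page_url: str):
    """Username the manager would offer for the page the browser is really on."""
    host = host_of(page_url)
    if host is None:
        return None
    for saved_host, user in SAVED_LOGINS.items():
        if same_site(host, saved_host):
            return user
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in a mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def mismatched_links(html: str):
    """Links whose visible text names one host while the href goes elsewhere."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        shown, real = displayed_host(text), host_of(href)
        if shown and real and not same_site(real, shown):
            found.append((text.strip(), href))
    return found


# Constructed mail body in the shape the post describes.
SAMPLE_MAIL = """
<p>Please confirm your details at
<a href="https://your.very.trusted.bank.com.login.example/">https://your.very.trusted.bank.com</a>.</p>
<p>Questions? <a href="https://your.very.trusted.bank.com/help">Contact us</a>.</p>
"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_MAIL):
        print(f"shows {text!r} but goes to {href!r}; autofill offers: {autofill_candidate(href)}")
```

The password manager never sees the link text at all; it only sees the URL the browser ends up at, which is exactly why the missing autofill is such a useful signal.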

So….

Not yet convinced that a password manager is a good idea? In that case you wasted time in reading this.

If you feel this could be something, check out Bitwarden or 1Password.

No peeking; do you remember the password from up above?

When using Register.com for domain registrations.

I have registered one of my domains at register.com.

Usually that’s nothing special, but there is something peculiar about their system that keeps annoying me. Even though I’ve switched “Auto-Renew” on since forever, their mailing system keeps bombing me with mails about the domain being close to deactivation because the expiration date of the registration comes closer.

That’s not needed of course, because auto-renew is on.

The past few weeks I got those mails again. Yes, I know the domain renewal is coming up. Yes, I know it will renew itself. Today I was sick of yet another one.

Note: Register.com isn’t cheap with their domain registrations if you don’t know some ropes. A .com registration will set you back $37.50, which is pretty steep.

Last year I requested a transfer code to move the domain name somewhere else, and a support person offered me a discount for renewal: $17.50. Now that is nice as most places charge at least $20.

Today I went about moving the domain name again. Lo and behold: there was no support person involved. Instead I got a message that I could renew the domain for a year for $10!! All I had to do was enter a promo code at check-out, and indeed, the domain is renewed for a year, for $10. Instead of $37.50.

So that is an even bigger saving than last year.

Politeness and the Internet

Something surprising happened to me a few days ago.

It started with what looked like a spam mail that somehow had made it through the entanglements of the filtering.

It was from “Bernie Jones” (name altered for privacy reasons) who had a question.

I thought I had something of an answer so I wrote back to him, starting my reply with “Dear Mr Jones…”

There we had it. Mr Jones, a.k.a. Bernie, took a LONG time to respond.

When finally he did, his first words were:

Hi Paul. Why did you write ‘Dear Mr Jones’?

For me, that was quite obvious. Bernie is a man’s name, Jones is his last name according to his own mail, so why wouldn’t I?

Apparently, it’s not very common on the internet to be polite. (Proof was already clear because he started with ‘hi Paul’.)

Am I the only one who notices this?

Creating the impatient consumer

I’m sure you’ve all noticed how people want to have things faster and faster.

You go on the Internet, hit your favourite outlet website, you click buy, and by the time the confirmation mail has reached you, you want it in your hand.

Companies are catering to that. Amazon, for instance, is using drones to get stuff to the eager customer as soon as possible. After couriers for same day delivery, they now aim for same hour delivery.

I think this is (in part) what is to blame for the increasing impatience of people: “I want it all and I want it now.” Especially the ‘now’.

The weird thing is that opportunities to ‘have it now’ still exist. Fewer and fewer, I know, as they are remnants of the pre-Internet era. They are called brick-and-mortar shops. You go there, pick from a shelf what you want, you pay for it, and… whoa… you have it. Now.

That’s probably a wild idea, because this isn’t in line with the ease of the Internet, where people don’t have to get up and go somewhere. Which is perhaps part of the obesity problem the ‘civilised’ world faces in many places. Why move if you can go online and order a pill that helps you get thinner.

Which you want now, of course.

Keeping your passwords safe in a safe safe.

Passwords.

Keepass logo

I’m a huge fan of Keepass. Keepass is a free program that will remember your passwords for you.

It is very easy to use and it features ‘auto-type’ so you don’t even have to copy your usernames and passwords, Keepass handles that for you.

Lastpass logo

A little while ago I heard of Lastpass. It basically does the same thing and nicely integrates with your browser, Android and iOS devices. I installed it, imported the Keepass data (which works quite well but not 100% accurately) and I used it. It’s good. It does what you should expect of it.

Then however I started wondering where Lastpass stores its data. With Keepass you have an encrypted file on your computer that holds your passwords. You can synchronise that to all your other devices by sticking it in Dropbox, Google Drive or any other file sharing system you prefer. Not so with Lastpass. I couldn’t find where that file is stored so I went looking.

It turns out that your password file is stored on the Internet, on the Lastpass servers. Each time you connect to the Internet, Lastpass will synchronise the file on the device you’re currently using.

Cloud.

Internet Cloud

So here’s the deal. You use Lastpass and you’re a happy camper. Understand that your passwords are not only on your system (in a spot that’s hard to locate; I tried and didn’t find it) but also on a machine that’s outside your control. I can imagine that’s fine for vacation pictures and your collection of recipes for lasagna and hot tamales, but I didn’t feel very good about that. It’s my collection of usernames and passwords. Of course, you may argue that I’m paranoid, that Lastpass will treat your file with care and loving attention, but…

How many loving, caring systems that contain your files have been hacked lately? Yahoo for instance has a great track record of being hacked. Imagine that a hacker gets access to the file that contains your passwords, slaps some ransomware over it and next time you sync your Lastpass – kazaam, there you are with nothing left to show except a kind note from a hacker to hand over a lot of money for your files. Okay, okay, hackers can also do that to Google Drive and Dropbox (which is why I don’t keep those files there).

Control.

I like to keep things that are mine in my own hands. I’m one of the lucky people with a Synology NAS which gives me my personal cloud system (google ‘Synology Cloud Station’). There are other ways to set up your personal cloud, I’m sure. Worst case you can always e-mail the file to yourself and download it to your device.

The potential security issue I just described made me go back to Keepass. Because I like my passwords in a safe place, one that I can decide on.

Control freak? Perhaps. But for my entire collection of credentials for online access I am happy with that title.