greyduck.net

Looking For Quacks In The Pavement


Passwording In The Twenty Teens

(Disclaimer: I’m going to try to write this for a generally non-techie audience, but some techie stuff is inevitable. It’s an important topic anyway. Your mileage may vary. Etc.)

Identity theft. Banking fraud. Social media hacking. These are just a few of the worries we deal with nowadays. There’s no such thing as a perfectly secure system, and odds are good that any system or site that you use will experience some kind of security breach in its lifespan. Your best defense hinges on two actions: Controlling your level of risk exposure, and making it as difficult as reasonably possible for the bad guys to make your life miserable.

You don’t have many options for the first action. If you’re going to use Dropbox because that’s what your collaborators all use, you’re kind of stuck with the level of risk involved with being on Dropbox at all. Whatever service you use, be aware of how much of your stuff you’re sharing with that service. If you’re on social media, be aware of what you’re sharing and with whom. Consider what happens if the bad guys get access to that stuff. Doesn’t matter if they hack your password or the whole service, it’s still Your Stuff in Their Hands now.

This is particularly true for anything involving your money. Online banking. PayPal. Patreon. If you choose to use these services, make sure you become familiar with their security measures and get signed up for any alerts. (Unless you have unlimited money, of course, and love to share it with random people. In which case… hi! Be my friend?)

The second action is what brings me here today. Most normal, regular, decent people are terrible at dealing with passwords. Let’s be clear: I’m not saying people are somehow “stupid” on account of this fact. Passwords are a gigantic pain in the posterior! What a terrible way to have to interact with everything on the Internet that we need a login for! I do not blame anyone for being bad at passwording.

It gets worse when you try to learn how to be better. Over the course of the Internet’s lifespan password policies went from “policy? what policy?” through a series of increasingly arcane rules, some of which should be obsolete but folks hang onto them because dogma is everywhere. What do you do? Here are my guidelines:

The days of “letter replacement” passwords should be over and done. A password like “p@$$w0rd” is basically useless now. (Especially that example. Please, never use that.) Special characters are fine, but just using one or more does not a good password make all on its own.

I admit I’m speaking more to my fellow IT techs with that one than to regular folks. It’s still good to keep in mind!

Longer is better. (Yes, I’ll wait while you get the jokes out of the way. Done now? Good.) Look at the requirements for the service. When you create or change your password, does it give you a list of requirements? (If not… consider signing up for a different service.) Note the length requirement. It’s probably something like “8 to 15 characters.” You don’t need to use all 15, but get within a few characters of it. Why? Because if the bad guys try to get into your account through the front door (as it were), the more characters you used, the longer (much, much longer) it’ll take them to go through every combination of letters and numbers and such. Odds are they’ll get bored before they get in.

Let’s put it this way: If a password 8 characters long takes them a day to crack by trying every possible 8 character string, a 12 character password will take them months using the same computing power. (I’m simplifying this a whole lot. The principle is what’s important, not the actual math.) Past a certain point they will give up and move on to the next potential victim. You’ve become Not Worth Their Time, and that’s the best you can hope for.

To be frank, of course, if they’ve decided they really want your stuff? They’ll probably get your stuff, if they have the resources and time and a bit of luck. But still, make them work for it. The rat bastards don’t deserve your having made it easier for them.

The bad guys start with a list. Don’t be on that list. They use the list first, then they go through the “every combination of letters and numbers” I just mentioned. The list? It has stuff like “password” and “1234” and “4321” and “drowssap” and “rover” and “fluffy” and you get the idea. They’ve collaborated and built this list over the course of years of successfully getting into stuff belonging to people like you. The bad guys are smart, organized, and know that most people will pick the simplest password they can when given the choice (and no incentive/training otherwise).

Your password should never be just a string of numbers, should never be a variant on the word “password,” and should never be just a name. Especially not your own name.

“Okay,” I hear you ask, which should probably concern you about my mental state, “What should my password look like?” One of two options, here.

  1. Something utterly garbled and un-guessable, such as that created by a password manager (see below).
  2. Something long enough and just complicated enough to meet the requirements. Remember, length is more important than complexity as long as you don’t use easily guessed information. So, something like “Careful!4Focus” is valid because it’s 14 characters, has no identifying words that are specific to you as a person, and it meets the “you must use letters, numbers, and a special character” thing that the website probably insists upon. Play with this idea a bit! To a password system, an upper-case and a lower-case letter are completely different things. “careFul!4focuS” is, technically speaking, nothing at all like the previous example.
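As an added example (not from the original post), here is a small Python checker that applies the guidelines above: it undoes the letter-replacement trick from the “p@$$w0rd” point, compares against a constructed stand-in for the bad guys’ list (including reversals like “drowssap”), flags all-digit, “password”-variant and name-based passwords, and estimates the brute-force search space that extra length widens. The wordlist, the substitution table and the 1e10 guesses-per-second rate are assumptions for illustration only.

```python
import math
import re

# Constructed stand-in for the attackers' list described in the post;
# real lists hold millions of entries harvested from earlier breaches.
COMMON_LIST = {"password", "1234", "4321", "drowssap", "rover", "fluffy",
               "qwerty", "letmein", "welcome"}

# Undo the "letter replacement" trick so "p@$$w0rd" is judged as "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})

def normalize(pw):
    """Lower-case and reverse the common symbol-for-letter substitutions."""
    return pw.lower().translate(LEET_MAP)

def keyspace_bits(pw):
    """log2 of the space a brute-force attacker must search: every character
    class the password actually uses widens the alphabet, and length multiplies."""
    alphabet = 0
    if re.search(r"[a-z]", pw): alphabet += 26
    if re.search(r"[A-Z]", pw): alphabet += 26
    if re.search(r"[0-9]", pw): alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw): alphabet += 33   # printable ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def brute_force_days(pw, guesses_per_second=1e10):
    """Worst-case days to exhaust the keyspace; the guess rate is an assumed
    round number for illustration, not a measurement of any real attacker."""
    return 2 ** keyspace_bits(pw) / guesses_per_second / 86400

def check_password(pw, own_names=(), min_len=12):
    """Apply the post's guidelines; returns the list of violations (empty = OK)."""
    problems = []
    lowered, norm = pw.lower(), normalize(pw)
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.isdigit():
        problems.append("only digits")
    # Compare as typed, de-leeted and reversed: the list has reversals like "drowssap".
    if {lowered, norm, lowered[::-1], norm[::-1]} & COMMON_LIST:
        problems.append("on the common-password list")
    if "password" in norm or "drowssap" in norm:
        problems.append("variant of 'password'")
    for name in own_names:
        if name.lower() in norm:
            problems.append(f"contains the name '{name}'")
    return problems
```

Calling `check_password("Careful!4Focus")` returns an empty list, while `check_password("p@$$w0rd")` reports the length, the list hit and the “password” variant at once; `brute_force_days` shows the 8-versus-12-character gap growing by a factor in the hundreds of thousands for lowercase-only passwords.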

Passwords should be unique. Note the “should be” in there. If the bad guys get your Spotify password, that should absolutely not allow them to log into your online banking account. No account hack should let the bad guys into any other account with money attached! You can fudge this guideline a bit for truly unimportant stuff, but it’s up to you to decide what’s important and what isn’t. Be aware of the potential consequences.

As a side note: Consider carefully whether you want to have websites “remember” your debit/credit card info. It makes purchases easier for you, absolutely true. It also makes purchases easier for them if they get into your Amazon or Domino’s Pizza or other online shopping account.

So, now you have to maintain a bunch of passwords. Now what?

Consider a password manager. I’m a fan of KeePass but that’s not the only option available. What you’re looking for is a program which will keep your growing mess of passwords organized and available at your fingertips, but will keep them hidden from casual prying eyes. KeePass, like most of its competitors, will let you set a master password (you do have to remember that one) which unlocks access to all the other passwords. Then it will let you generate new super-complicated passwords or just let you hand-enter and store the ones you created yourself. Either way you prefer. A lot of password managers will even auto-type your username & password into websites for you.

This is a big complicated step! I’m fully aware of this. You don’t need to go this route… but you need to do something. If you’re going to write them down, fine, but now you need to secure that piece of paper somehow, and in a way that lets you get at it when you need it. It’s up to you. Maybe you’ve got a system! Systems aren’t inherently bad, just be aware that the bad guys will be trying to figure out your system as well, so make it as non-obvious as you can.

(And there’s the even more complicated issue of having access to all these passwords across multiple devices & locations. Personally I use a secured KeePass file on a Dropbox share, though I’m considering ways to add more layers of security to the arrangement. The challenges never end, folks.)

Consider Two-Factor Authentication. Also known as “2FA” or “MFA”, the long-and-short of it is that instead of just an account name & password, now you have the account name & password & also some code, probably delivered via an app on your smartphone. The “factors” refer to the idea that your account is now protected by something you know (password, factor 1) and something you have (smartphone, factor 2). Sure, if the bad guys manage to get at your password and your smartphone, you’re out of luck… but that’s sure a lot of work, isn’t it? “2FA” is a bit of a hassle for you, yes. It’s a phenomenal hassle for the bad guys, though, so it’s generally a good idea for stuff you really need to have secured. Like, for instance, your bank account.

Last, and absolutely not least:

Ask your friendly neighborhood tech wiz. I guaran-damn-tee you, any techie worth anything at all will be delighted to hear something like, “Hey, I’ve been bad at passwords and I want to learn to do better, can you help?” The biggest hurdle we face in this battle is getting people to even care. Showing that the concern is real for you is going to go a long way toward making them happy to assist you.

In conclusion: Use the Internet carefully and wisely, and use the best password scheme you feel capable of handling. The identity and money you save may be your own.

Already Voted. Going On A Trip.

I love being an Oregonian. It means that I took care of my civic responsibility over a week ago. If you haven’t yet… please do.

No, today’s fun isn’t about voting. It’s about leaving on a business trip. I’m headed to IT Nation in Orlando FL for the rest of the week. Yay? I haven’t been through the airport/airline/hotel process since the Datto training a couple years back. My anxiety levels are, as you could probably guess, stratospheric.

I’m bringing the same duck as last time, though, so keep an eye on my (rubber duck) Twitter (and maybe Instagram) for some of that, won’t you?

Wish me luck.

Nothin’ On My Plate

On the day I started work with this company almost 10 years ago, I had no tickets assigned.

Once, late last Autumn, I got down to zero tickets.

Welp.

NoTickets4KKMind you: I have projects to work on, so I’m not bored by any stretch of the imagination. But still, the Spring Break doldrums seem to be rolling on into early April for some reason…

4200 minus 2700 equals Headache

For most of the calendar year so far we at work have been plowing through a massive reorganization, upgrade, and consolidation of our servers. One of the last stages of this consolidation & upgrade process involved upgrading our Kaseya environment. During the shuffle I found some quirks. For instance, the UserProfiles directory contains roughly 4200 subdirectories, one per agent in the system.

Problem is, we only have about 2700 agents. The other 1500? Old agents.

I asked vendor support about this, as the impression I had was that there was an agent archive process. I mean, there’s an archive directory configured in the system, what else is it for if not to archive these agent directories? Heck, the archive directory has agent directories in it.

Apparently, nope. This isn’t something Kaseya does. I must archive those 1500 directories manually. How did the previous archive directory become populated? No idea at all.

“Okay,” you might be saying right now, “Just look for the oldest directories.”

Problem! We just migrated the front-end and database back-end parts of Kaseya to new servers over the last couple weeks! All the directories have brand new dates, all in numerical order, dating from when they were copied off of the old server.

So this is my life now. Comparing the list of directory names with a list of agent IDs from a report, moving anything not in the report into an archive directory, by hand, one by one. Lather, rinse, repeat.

Fun.

It’s a Very Monday Monday

This week is getting an early start on kicking my ass:

  • Sunday Night Insomnia with a vengeance.
  • Remembered to do dishes and take out garbage this morning, forgot to grab lunch.
  • MAX train broke down one stop away from where I needed to go. (The operator had to be talked through cycling the breakers. That’s right: They rebooted the light-rail train.)
  • BurgerVille’s closed today, so no high-octane breakfast to boost my energy levels.
  • Half the office is on vacation or out sick.
  • The link between two of our key work systems is broken for no reason I can determine.

Is it too late to throw my hands up and head back to bed? (Yes. Yes, it is.)

Standard Support Screwup

The script you’re about to read doesn’t detail how every interaction with a particular vendor’s tech support staff goes, but it’s very, very indicative and common…


Me: Hello! A problem has occurred with your product. Now, having worked with this product nigh onto a decade now, I’m aware of the usual issues and have gone through the knowledge base articles numbered Such and Such. I can confirm that the state of the usual problem-causing factors is nominal. I am looking for alternative avenues to pursue to remedy the problem.

Ticket: *remains unassigned for hours*

Me: Hello, Support Manager! I can’t help but notice that the High Priority ticket I submitted has gone unassigned. We, ah, kind of need this problem resolved ASAP.

Support Manager: I have assigned your ticket. Please be aware that we do not post support SLAs.

Me: That’s nice, but five hours without assigning a ticket isn’t about SLAs, it’s about “if we treated our clients like that, we’d be put out of business.” But whatever.

Tech: Hello, I have been assigned to your ticket. Judging by the environment, you should read knowledge base article numbered Such. It will resolve your problem.

Me: Had you actually read my ticket (*), you’d know that I already referenced and followed the instructions in that article. Next?

Tech: Have you tried rebooting the system?

Me: …yes. The system has been rebooted. Next?

Tech: You are using the wrong kind of credential (**). Change that and you’ll probably be all set.

Me: Tried that. Tried two variants of that, actually. Still not working. Next?

Time: *passes*

NewTech: I see that you are trying to use the product in a particular environment. Please see knowledge base article Such, it will remedy the problem.

Me: Hello, NewTech! If you’d read my ticket notes, you would know that I have already addressed the possibility detailed in the second article. Next?

Time: *passes*

Me: *sighs*

And that’s where things stand.


(* – If I had a dollar for every time this vendor’s techs utterly failed to read the text of my ticket submission, I could treat both of my girlfriends and their families, all together, to a very nice dinner out.)

(** – This is a domain controller. The credential account was technically shown as a “local” account but since it’s a domain controller, its local accounts are domain accounts. Idiots.)


© 2017 greyduck.net
