Password Managers

Why use a password manager?

In an earlier post, I recommended strong unique passwords for all accounts, which is good advice, but hard to follow.

I made the decision to switch to a password manager about a decade ago.

Today, most people have hundreds of online accounts ranging from old hobby accounts they haven’t signed on to for years to financial accounts that control their life’s savings. Maintaining strong unique passwords on all those accounts can be a nightmare. The worst part is that some of those old accounts may have pitifully weak security. A criminal targeting a weak site could grab your password. If you happen to have reused that password for your savings account, you could fall into a real mess causing substantial loss or embarrassment.

As an aside, rather than manage the passwords of old, unused accounts, it’s easier and safer simply to close the accounts.

My evolving password management systems

Thirty years ago, I kept a list of passwords in a private notebook.

Those were the days when conscientious IT administrators forced new passwords on you every month and ordered you not to write them down. Yeah. Right. My limited memory for random facts has little room for passwords. It was either a notebook or never get any work done.

At that time, I was a contract software engineer at Boeing. Enough time has passed that I can tell you what happened in the epic password battle between the engineers and the IT admins. Programmers find ways around passwords. Not nearly as many ways now as thirty years ago, but given time and motivation, they find ways. The engineers had a workaround for every password in our division of Boeing Computer Services. Maybe there still is. When I moved on to a startup, secret workarounds remained in place.

This is the lesson that DSH and NIST took to heart when they relaxed best practices for passwords as I described in my Password Bliss post.

At home, the password notebook for my private desktop was soon cluttered with erased or crossed out passwords. As I added new accounts, finding them became more and more difficult. I switched to a box of 3×5 cards, which I could keep in alphabetical order and replace cards as they became illegible with changes. That worked, but the system was still took effort and iron discipline to keep current, and, I confess, my stock of iron discipline is smaller than my memory for random facts.

Switching to a manager

Password managers were available, but I resisted using them because I was afraid of putting all my password treasures into one basket vulnerable to a single criminal break in. Many of my colleagues in the software industry agreed, but now, almost all have changed their minds, as have I, because we have concluded that password managers are safer despite being a single point of failure.

Security is always relative. A password manager vendor’s database should at least as well protected from intrusion as your system. The password manager should easily provide strong unique passwords for all your accounts and offer easy and convenient access to those passwords to you, your designated agents, and no one else. Reputable password managers meet these criteria and, therefore, I am eager to use them.

Nothing is completely secure, but some situations are securer than others. If you have a system for managing passwords like my box of 3×5 cards that you can maintain and keep safe and not be tempted to use reuse passwords or create weak passwords and variants on multiple accounts, stick with what you have. But if you succumb to weak and duplicate password temptations, or you find yourself toting your system to libraries or coffee shops where it could be stolen, a password manager is a safer choice.

I made the decision to switch to a password manager about a decade ago.

Free password managers

There’s a saying “if the service is free, you are the product,” which is supposed to be a warning that free services target ads and outright sell information about you. This is true. But paid services do the same thing. Always check the privacy policy of any computing product you use.

In this age of ultracheap data storage and abundant computing capacity, a business can offer free services to entice you to purchase paid services and still rake in fat profits.

The European Union and some of the states have regulations that require vendors to inform users of some forms of information sharing and allow you to opt out. Because identifying where these laws apply is difficult, vendors almost always follow the most stringent regulations and treat all users the same. Paid does not equal private.

Since password managers hold some of your most private data, caution is required. Check their privacy policies and opt out of those you don’t like when you can.

I’m an insider. I’ve sat on corporate product committees that decided to offer free services to the public. In this age of ultracheap data storage and abundant computing capacity, a business can offer free services to entice you to purchase paid services and still rake in fat profits.

Vendors carefully consider offering free products or services. Generally, selling a service is preferable to selling a product because services are recurring revenue sources. The vendor’s goal is a mix of free features that hook the consumer and paid features that entice the user to upgrade to a profitable paid service. The consumer who can get by on the free subset of features wins big, although they must accept that the vendor will court like a lovesick swain to woo free riders to upgrade. And free riders are always subject to the threat that the free services will be curtailed or eliminated at the whim of the vendor.

Therefore, I’ll readily accept free password managers, although I scrutinize the privacy policy of the service and realize that I may be persuaded to upgrade to a paid service after I start using the free service. This is exactly where I sit now. I started with a free manager and upgraded to paid. Also note that I always check the privacy policies of paid services as well as free services.

In a future post, I’ll go into more detail on how to evaluate password manager features.

Stop Using Software Built in Russia

The war in Ukraine that broke out in late February 2022 forces me to tell you to shut down, uninstall, and replace any software built in Russia that is on any computer you control. I am not the only one saying this. The caution applies especially to anti-virus and malware utilities and Virtual Private Network (VPN) tools.

Anti-virus and malware tools must have access to everything on a computer and they are remotely updated almost every day, which makes them dangerous if they are subject to unscrupulous interference. Virtual Private Networks are used to make network traffic harder to snoop on and more secure. They can be dangerous because their manufacturer may have access to all your network traffic. Most apps only access their own network traffic.

If you are sympathetic to the plight of the Ukraine, getting rid of Russian software is a way to place your own economic sanction on the invaders. Giving up Russian vodka and caviar is another way.

If you don’t care about Ukraine, you have still have another critical reason to act.

You must understand that your computing systems depend on the honesty and integrity of the manufacturers of the software running on your computer. Vulnerabilities, security weaknesses, are discovered in software from reputable software houses all the time. Most of these are mistakes, but some are software features, functionality that makes us want to buy software. But some of these features give manufacturers extraordinary power over systems.

This is not all bad. Software design frequently trades off between security and efficiency or convenience. A classic book on software design, Design Patterns, describes building blocks for designing reusable software modules, including patterns for making data and processes accessible throughout a system. These accessibility building blocks make a system more efficient, but less secure because a tiny breach can open up an entire system. The security of well-designed systems depends on the integrity and care taken by their manufacturers to strike the right balance. A careless or unscrupulous manufacturer can release scandalously insecure applications that the market will lap up, until the disastrous insecurity is discovered and a crisis ensues.

For example, a password reset provision in an application is a great convenience, and nearly a requirement for any commercial product. Yet password reset is a gaping security hole when the wrong hands are able to invite unauthorized actors into a system by changing passwords. Remote access for support is another required feature for most systems that becomes a weapon when a criminal uses it to take over.

Backdoors—routes into an application known only to developers—used to be common. Backdoors are now considered extremely bad practice, but some developers still use them to save time during development. But the last few weeks before release are often the most hectic of the entire software development cycle. Unless management insists, removing backdoors can be neglected by busy developers working long hours. The software user’s only protection from secret backdoor access is the integrity and honesty of the software manufacturer.

This is why I continually tell folks to be careful about what they install on their computers. Only install apps from reputable vendors. Don’t just assume a vendor is reputable; actively check them out.

Some, perhaps most, Russian software companies are honest and do not intend to exploit their customers. However, all businesses operating in Russia are subject to coercion by their government. That’s the way business now works in that country. If the Russian government wants a backdoor into an application, they can compel a Russian company to put one in. Since the war in Ukraine started, the pressures can only have increased.

Doing business in Russia differs from business in western countries like the United States, Canada, and the European Union. Government and private abuses do occur here, but we have a free press, whistle blower protection, and a tradition of following laws that are scrutinized by the public and changed when enough people oppose them. Maybe not fast enough, often enough, or exactly the way each of us might agree with, but the public eventually is heard in western governments.

With the Ukraine war, public oversight and rule of law in Russia has disappeared. You may argue that it was never present, but your computer is still in jeopardy if you are running Russia-built software. Your home computer could conceivably become an instrument in a cyberattack on western or Ukrainian infrastructure. Compromised home computers have played roles in criminal attempts to shut down servers by overwhelming them with traffic.

I don’t like blacklists and I will not publish a Russia blacklist here. I urge everyone to add checking for Russian involvement as part of their due diligence for installing software on their computer. As much as I admire Chinese traditional culture, I have also added the People’s Republic of China to my due diligence list. North Korea goes without saying, but I’ve never seen a North Korean software product.

For example, Kaspersky Internet Security is a popular and powerful anti-virus tool. Run a Google Search on “Kaspersky Internet Security Russia” and see dozens of items on the dangers of Kaspersky. Wikipedia has a “Software companies of Russia” page. These provide useful hints.

Ultimately, in this age of misinformation, you have to rely on research and judgement.

I am a cautious person by nature and do a lot of research. Along with reading software reviews, I go to the website of software houses I suspect and check their corporate pages.

Is their stock publicly traded? I tend to be less suspicious of companies traded on the Nasdaq or New York stock exchanges. The Securities and Exchange Commission (SEC) and the Federal Trade Commission help keep them honest, although foreign investment is allowed. Privately held corporations and those on foreign exchanges get more scrutiny from me.

Where is their company headquarters? Where do their officers and members of their board of directors live? Where are their development labs? Most large software companies now have labs all over the world, but a company with most of their developers in Russia attracts my suspicion. Check their jobs listing. Where are they recruiting? What does the trade press say about the company?

Triangulate multiple sources. The fact-checker’s rule of thumb is that any point not supported by three independent sources requires more examination. Be extra cautious when a piece “just sounds right.” That may be your preconceived bias speaking to you, a frequent source of bad decisions.

When my suspicions are aroused, I must have a good reason to install or continue to use the company’s software on my systems.

Be careful, folks.

A note of thanks to my friend from the Whatcom County Library System, Neil McKay, for edits and useful comments.

Malware On Apple

Toto, I’ve a feeling we’re not in Kansas anymore

Mac fans and Apple marketing used to say Macs were immune to computer viruses. That was never entirely true, but it was mostly true. Users of Apple products really had fewer virus and malware issues.

But the landscape has evolved. Apple security incidents have gradually increased. In early February this year, 2022, the Microsoft 365 Defender Threat Intelligence Team, Microsoft’s crack computer security group, posted an analysis of a Mac trojan, a malicious software that looks innocent. The malware is surprisingly sophisticated. As it has grown in the wild, it has continually grown more malicious. This report on the Mac trojan signals the new world of Apple security.

Don’t be naïve. Everything in tech is touched by marketing. Microsoft fired this shot to convince system administrators that connecting Apple devices to Microsoft server systems can make Apples safer. You can take that claim for whatever a competitor’s claim is ever worth. The report is reliable, but it goes down best with a grain of salt.

Apple has left the farm in Kansas. It’s time to take Apple viruses and malware seriously.

History and Relationship with the Past

From the late 1980s on, Apple equipment was strong in niches like education and graphic design, but Microsoft was orders of magnitude more popular in typical homes and businesses, mostly because tons of Windows compatible software ran on cheap generic PCs from competing hardware manufacturers like Lenovo, Dell, and HP.

Apple focuses on user-friendly, high-end, premium products. They released the first commercial graphic all-in-on computer, the Macintosh, and followed it up with a string of top-shelf innovative products like the iPod, iPhone, and iPad as they continually improved their line of premium desk and laptop computers. This winning strategy eventually made them the most profitable company on earth.

Microsoft, on the other hand, has striven for a wide variety and high volume of useful products on competitive generic hardware. Clearly not a losing strategy: they became the second most profitable company on earth.

Security Through Obscurity

For years, choosing quality over quantity indirectly improved Apple’s reputation for security. Until recently, breaking into an Apple product was not an attractive project for most hackers.

Breaking into a computer system is easier than it ought to be, but it still requires time, effort, and risk. Given a choice between developing a technique for penetrating a Microsoft Windows system and an Apple system, hackers regularly chose Microsoft because the large Microsoft user base increased the chance of finding a juicy victim.

Security types call this “security by obscurity.” However, avoiding attention to avoid attack no longer helps after the victim engages an attacker’s attention.

In the last decade, Apple’s enormous success has blown away its obscurity. Now hackers see juicy Apple targets and are out to snag them.

Unix Roots

Microsoft has cleaned up its act considerably in the last decade, but early on, they had a dismissive attitude toward security. Windows developers and their predecessor DOS developers assumed that a personal computer was a standalone appliance like a toaster or a steam iron.

Securing a standalone PC meant locking the door to the office, chaining PCs to desks, and locking their cases. In those days, a physical hard drive was thought more valuable than the data it contained.

Microsoft took a long time to recognize that a PC connected to a network requires a different kind of security.

Meanwhile, the rising tide of hackers grew into a dark industry devoted to raping and pillaging Windows installations. Eventually, Microsoft realized they had to do something, and they have, but they’ve played a lot of catch-up.

Apple developers may have been slightly more aware of the dangers, but their “security by obscurity” cloak obscured impending threats.

Even so, Apple made a sound engineering decision a few years ago: instead of continuing to develop their proprietary standalone operating system, they adopted a variant of Unix, the open-source operating system long favored by academic, engineering, and enterprise developers. The popular open-source operating system, Linux, is also a Unix variant.

Disclosure: I am a dyed-in-wool and unreconstructed Unix programmer.

Unlike Windows, whose roots are in stand-alone PCs, Unix was designed for multiuser computers, and, more significantly, heavily used in colleges and universities as a teaching tool. AT&T developed Unix and then offered it as a royalty-free product to educational institutions for a small administrative fee. In those days, almost all software included source code. Universities were not allowed to distribute the source code or their work built on Unix, but they retained rights. Consequently, Unix was widely adopted by university computer science departments. This was a boon to Unix security.

I was one of the computer rats who hung out in the Western Washington University computer center in the middle of the night studying Unix and trying to break into the university multiuser system. We weren’t criminals, just inquisitive and rambunctious college students. While Windows and DOS basked in single user isolation, my cohort in university computer science programs all over the world pored over source code and beat the hell out of Unix. We learned a lot, and our archenemies, the sys admins, often other students, also learned. The upshot was Unix security systems, both code and administrative practices, were scrutinized and hardened.

When Apple made the momentous decision to replace their proprietary operating system, they became the beneficiary of all the prodding and testing my friends did in the 1980s and 90s. By adopting Unix, Apple acquired an operating system that had security pounded into its foundations—a much better position than the Windows security features bolted onto a gradually hardening insecure foundation.

So. Yes. Apple products are inherently more secure than Windows. But not much. And possibly not any longer. Microsoft, by no means a cluster of idiots, has worked hard to secure their products.

Keep in mind that secure is always a relative statement. When a professional says a system is secure, it’s a form of bluster that braces their self-confidence. A system may be more secure than others, but it’s only harder to break, not unbreakable.

Apple’s operating system is harder to hack into than older versions of Windows, but Windows today is orders of magnitude more secure than Windows of a few years ago. At the same time, Apple’s sharp engineers have only recently stepped into the target zone. They have their own catch-up game to play.

Scope

The Mac trojan Microsoft reported on began as a basic data theft exploit in late 2020. Apparently, the exploit begins like most hacking ventures: with an email that tricks an insider into letting a miscreant in. The exploit became more sophisticated over time. When the malware was first installed, it only transmitted basic system information to a master server. Over the next year, new capabilities were gradually added to the basic exploit and the malicious bot (the trojan acting as a robot under hacker remote control) started downloading installable applications.

Macs have mechanisms for preventing installation of untrusted software. The bot gained the capability to circumvent the protection. Then it began collecting and exporting more information and running code with root privilege, which is the highest level of privilege in a Unix system. For self-defense, the bot began removing and renaming the files it installed to thwart antimalware utilities that search for characteristic files to detect malware. It also started injecting ads into webpages.

I’m not going further into the details of the Mac trojan. Go to the Microsoft site, or take a look at this list of macOS malwares.

Counter Moves

I recommend that all Apple users begin to follow the basic rules of computer hygiene if they don’t already. Follow them carefully and the chances that you will run into trouble will shrink drastically. These are the rules I follow for myself. The last time I was hacked, knock on wood, I was running Windows XP.

The Rules

One

Don’t be tricked into trouble. Most victims of online attacks were, at some point, tricked in a non-technical way with the skills of a con artist, not computer skills or knowledge. For example, some clever hacker impersonates your boss on the phone and asks you to email a list of employee usernames and passwords to an odd address. Clearly a dangerous request. Check it out before you comply.

Or someone claiming to be your favorite niece calls from Waco asking you to give her access to your Amazon account because she’s in a jam. Or you get a phone call from Apple asking for your account password. Don’t get rooked by liars and imposters.

These cons are called “social engineering.” Their intent is to trick you into opening the door to a hacker.

Two

Avoid dodgy websites. You know which sites. The ones that appeal to base instincts or offer something too good to be true. Super gadgets for $19.99. Unbelievable cures that doctors keep secret for fear of losing patients. Inside financial tips. Salacious celebrity pics.

Click on one of those kind of web sites and you can lose more than your time and money; you could also infect your computer with nasty malware that will hurt for months to come if the infection is not promptly detected and removed.

Three

Be careful with downloads and installs. The simplest and most effective way to compromise your computer, laptop, tablet, or phone is to install an application that promises to entertain or perform useful work, but also opens your device to exploitation. During an install, your computer is a patient on the operating table whose heart is in the hands of a surgeon. If the surgeon is a crook, your computer is defenseless.

To protect yourself, get your apps from reputable sources. The Apple, Microsoft, and Google app stores vet the applications they offer. That’s a big help, but they are not perfect. Some nastiness gets through. Before you install, check the reviews and the reputation of the developer on the network. Avoid being the first to install a new app. Always download from secure (HTTPS) sites.

Get your hardware drivers directly from your operating system and device manufacturer sites. If you can’t avoid a third party site, research them thoroughly. I often go to Toms Hardware for driver information.

Four

Scan regularly for malware. Apple now has malware scanning (antivirus) built in. In addition, third party anti-malware tools are available for Apple. Almost all are effective when used properly.

Anti-malware tools are fiercely competitive, and the malware landscape changes daily. The tool that is the best today may be second rate tomorrow and best again next week. The brand of tool is not as important as regular updates and frequent scans.

Choose a malware scanner with a solid reputation. These scanners are uniquely well-positioned to mess with your device and steal data. Choose a well-reviewed scanner from a reliable source. Some popular scanners have been accused of questionable practices.

When you have chosen a scanner you trust, accept updates and run scans often.

Five

Keep your operating system and apps patched. Hackers are always looking for new vulnerabilities. They find the holes and exploit them quickly. The industry battles hackers continually with patches that stop up the holes in defenses. Turn away the invaders before they get in.

Automatic updates may be annoying, but the benefits outweigh the trouble. Sign up for automatic maintenance from reputable sources whenever you can. Automatic updates occasionally mess up, but that happens less as the sources get better at patching, and a botched patch is usually far less damaging than a successful attack.

Six

Use strong passwords. Password cracking is more sophisticated today than when the old rules were written. Long (sixteen characters or more) random passwords are still difficult to crack, but hackers have ways of cracking commonly used passwords. Any single word that appears in any dictionary, any common sequence of characters (like ‘123456789’ or ‘qwerty’) is a breeze. I like memorable nonsense phrases like ‘MyPetRockSaysHi!’.

A password manager utility that generates long random passwords is useful. Never duplicate a password. Some of the worst breaches in recent years have been based on duplicated passwords.

Current opinion is now that changing passwords frequently is counterproductive because it leads to weaker and duplicated passwords. A strong password that has never been revealed or compromised does not ever need to be changed.

Multi-factor authentication (MFA) is now common. Use it in addition to a password. Multi-factor authentication is harder to hack than the strongest password. For example, sites and devices that request a fingerprint or a face scan after entering a correct password are safer than a password alone because the chances that a hacker can get both are low.

The strongest multi-factor systems use an app generated token, like a 5-character code, or require a special USB device (key) that you have to plug in. Critical accounts, such as your bank or your brokerage account should always use multi-factor authentication.

The Future

More secure platforms are possible in the future because the many platforms of today were naively designed without much thought to the potential for abuse.

Bitter experience has burned off the naiveté. Computer security will always be a challenge because computing systems are maddeningly complex. Developers and designers will never be able to foresee every security flaw.

In the early days of our current computing platforms, software developers did not think much about security. The goal was to build a network to interconnect systems and make them reachable, not put up barriers to access. In retrospect, that was jaw-droppingly naive. The hackers of today still take advantage of that naiveté.

Fortunately, the industry is wiser now.  With new attitudes, improvement is possible.


I must credit my Whatcom County Library System friend, Neil McKay and computer communications expert, Steve Stroh, for their substantial help.

Frustrate Phone Hackers

The NSA mobile device best practices contains the easiest and best tip for cellphone cybersafety I have heard in years. I’m surprised I had not thought of mentioning it. I regularly tell folks to turn off their computers when they are not using them because it discourages hackers. The same applies to cellphones.

The NSA suggests powering down once a week. I say, more often is better if you can swing it.

Here’s why. Everyone, including criminal hackers, likes a regular work week and hates to waste effort. Just like the rest of us, criminals want a regular, productive five-day, nine-to-five work week. When law enforcement tries to discover the source of a hack, they often identify the time zone of the hacker by looking at file and event dates and times. They know when hackers in China, for one example, like to start and end their day, even when they knock off for lunch.

Now, suppose some ordinary nine-to-five criminal has succeeded in pwning (taken over) your computer or cellphone. They come back from their borsch, pelmeni, and sour cream, raring to resume stripping you bare. They discover your computer has disappeared. Nasty words follow in foreign languages. Do you suppose they will wait patiently for you to power up? Not a chance. Most likely, after having lost a morning’s work getting ready to knock you over, they will not make the same mistake twice. They will move on to easier pickings. If you are lucky, your unreliable habits will annoy the hinks to the point that they throw you on their private “do not hack list.”

Recent trends in hacking make shutting down and restarting even more desirable. For decades, anti-virus and malware tools have relied on file signatures for detecting attacks. The tools scan computer file systems for files with characteristics (names, sizes, time stamps, and embedded sequences of characters) that signify infection. Having identified an infection, the tool moves or removes files and takes other steps to kill the infection.

Hackers know all about the way these tools work and they have responded with more subtle ways of infecting computers. Most of these involve avoiding detectable file changes by injecting nasty stuff into memory— the high-speed short-term information storage that disappears when a computer is rebooted.

And there you have it: power down a computer or phone with that kind of infection and the infection is gone. All that lovely hacking work destroyed. What a shame. Not.

I have regular irregular habits. I have a tablet in our living room that I use occasionally. I regularly shut it off when I’m not using it. Some days, it’s up all day and until late at night. Other days, it’s never up. I have several computers in my office. When the witching hour arrives and I decide to turn in for the night, I power them off. My last act of the day is to shut down and restart my phone. Midnight on the U.S. west coast is 10am in Moscow, a location where a lot of hacking goes on.

The next day, I power up the computers in my office as needed. On days I spend working in the yard or running errands, they may be up only for an hour or two. The point is to include irregularity for hackers into your regular habits.

I’ll end this post with a few other good habits for using smart cellphones:

  • Enable automatic updates whenever possible. Operating system and app vendors discover security vulnerabilities and fix them all the time. Let them help you be safe.
  • Going through the Google, Apple, and Microsoft app stores decreases vulnerability, but does not guarantee that an app will be safe. Frequently installed and favorably reviewed apps are the safest. If you must go outside the app store walled garden, be very very careful.
  • Minimize the number of apps you have installed. If you don’t use an app, remove it. Every app you have installed is a potential security vulnerability. If you don’t use it, why let an app increase the possibility that you will be hacked?
  • Secure your phone. Entering a PIN is a pain but leaving your unsecured phone next to a coffee shop cream pitcher or among the half inch copper elbow fittings at Home Depot could be the prelude to a disaster. I have concerns with biometrics like facial and fingerprint scans, but they are better than nothing if you can’t be bothered with anything more secure. Some phones will unlock your phone when it is at certain locations, like home and work. Consider using that feature.

Periodically restarting your phone is the simplest step you can take. Do it. Wait a day or two. Do it again.