Design Tutorials

Rethinking strong passwords

Here is a great xkcd comic about strong passwords. I have tended to go for the longer, random passwords which I store in LastPass. I usually pick 20 random characters with text, numbers and special characters. I then update them now and then to keep things interesting.

Password Strength by xkcd

If I understand this comic, it looks like I may be safer with a couple random words instead. Or, a couple random words with mixed characters within them!

Remembering strong passwords is challenging because they need to be considerably more complex than “1234” (if you are using that as your password, you really need to change it). Like I said earlier, I use LastPass to manage my passwords.

There are other options if LastPass isn’t for you and you should investigate if you aren’t already using a password manager. I don’t know how people manage multiple passwords securely without a password manager these days.


Dropbox is convenient but how secure is it?

This question is driving me a little nuts lately:

A potential security lapse and possibly misleading statements are plaguing Dropbox, a hugely popular file-syncing app. What are the issues and is concern justified?

I migrated all my client data off Dropbox and into SpiderOak but it seems SpiderOak doesn’t offer Dropbox-like sync between my team members.

I’ve been testing out BitTorrent Sync but it also have a few challenges and probably isn’t feasible for now (no remote wipe is a problem). I have been using JungleDisk for secure backup to Amazon S3. It has a sync function which works a bit like Dropbox but it could be a real pain to implement.

I am wondering if I am being a teensy bit too paranoid about Dropbox so I am looking forward to reading this article. My concerns about Dropbox are that I don’t control the encryption keys; that there have been a couple really bad security exploits lately and I will never know if some government agency wants access to the data we hold.

One option, I imagine, is an OwnCloud installation but I’m not too sure what the security implications of that are. Is OwnCloud inherently secure or does it depend entirely on the server capabilities?

Useful stuff Web/Tech

Pretty impressive two-factor authentication in the @Twitter iPhone and Android apps

Twitter rolled out updates to its iOS and Android apps at the beginning of August which included a new two-factor authentication method for verifying logins (and possibly other stuff). It is worth reading the blog post describing the solution. It begins with this explanation why Twitter opted not to go with the more common two-factor authentication model:

Traditional two-factor authentication protocols require a shared secret between the user and the service. For instance, OTP protocols use a shared secret modulated by a counter (HOTP) or timer (TOTP). A weakness of these protocols is that the shared secret can be compromised if the server is compromised. We chose a design that is resilient to a compromise of the server-side data’s confidentiality: Twitter doesn’t persistently store secrets, and the private key material needed for approving login requests never leaves your phone.

Other previous attacks against two-factor authentication have taken advantage of compromised SMS delivery channels. This solution avoids that because the key necessary to approve requests never leaves your phone. Also, our updated login verification feature provides additional information about the request to help you determine if the login request you see is the one you’re making.

I noticed this and enabled it (who doesn’t want to secure his or her Twitter account, right?) although I only found out just how impressive the technology is in a recent episode of Security Now with Steve Gibson and Leo Laporte. The whole episode is worth watching (you can also listen to the audio version or read the terrific show transcription) but the discussion about the Twitter model starts at about 29 minutes in:

Bruce Schneier also seems to approve of the technique although he doesn’t go into much detail in his post I found on his site.

Twitter has been doing some pretty interesting stuff when it comes to user privacy and this security model sounds really carefully thought out and designed to protect users even more than the more common options. The explanation Steve Gibson gave about how Twitter leverages the idea that you can only hash passwords one way to make sure it can only authenticate and not impersonate users just points to that (at least, to me). I just had to share.


A quick question for IT security professionals

I just read this paragraph in the Evernote security and privacy information page. Does this point to a good data security infrastructure?

Operational security is equally important, and physical infrastructure and operations procedures reflect that. The data center where the Evernote service operates is SAS 70 (Type II) and SSAE16 SOC–1 (Type 2) certified and requires two-factor authentication for admittance. All access to the data center is limited in scope of personnel and regular audit reviews are conducted.

As I understand it, their recent move to 2048 bit SSL keys is really good and exponentially strengthens the encryption used to secure data transmission to and from their servers but what about the rest?


Why "if you've done nothing wrong, you have nothing to fear" argument is flawed

Today’s encryption may be easy to break in years to come but that doesn’t mean tomorrow’s encryption won’t be stronger. This idea of “we’ll if you haven’t done anything wrong, you shouldn’t have anything to hide” is flawed for so many reasons.

It assumes we shouldn’t be entitled to a degree of secrecy based on our personal preferences. It also assumes whoever is monitoring our communications has a sense of right and wrong that aligns with ours and is consistent with whichever law governs that surveillance (in itself a challenging baseline).

We shouldn’t need to surrender our privacy, particularly where I suspect the real targets of this surveillance (assuming the authorities are being totally open with us on that one) are probably using pretty secure channels to communicate and develop their nefarious plans.