Monthly Archives: August 2013

Why You Should Use a Password Manager

Update 1/18/2016: There is a security flaw in LastPass’ Google Chrome extension. Don’t be fooled! You can mitigate this attack by:

  1. using Firefox with the NoScript addon (which eliminates the cross-site scripting vulnerability), and
  2. using a two-factor authentication solution that’s routed through your phone instead of your computer, like Duo or Transakt. This eliminates the possibility of a man-in-the-middle picking off the two-factor code entered into the same compromised browser session.

Update 10/16/2016: LastPass has been acquired by LogMeIn! Congrats guys! Don’t get cocky.

Update 5/13/2015: Edited for clarity, and for the change introduced in iOS 8 that allows browser extensions in Safari.

Update 5/8/2014: The Wall Street Journal ran another review of password managers.

Update 1/16/2014: Apple now incorporates a password manager, iCloud Keychain, in iOS7 and OSX Mavericks that has many of the same features as LastPass. I’ll stick with LastPass (since it’s a platform-independent solution), but Apple’s solution is probably easier to use for most folks. Here’s ArsTechnica’s coverage of its pros and cons.


The Wall Street Journal recently ran a review of PasswordBox, an online password manager. Many people don’t understand why using a password manager is vitally important to maintaining online account security. Consider for example Charleen Larson, who made the following comment:

“OK, so how again is this superior to me keeping a small notebook at home with my passwords? My husband knows where it is and doesn’t have to sign up for yet another account at PasswordBox. We both have too many accounts (free and otherwise) already.”

It was clear from this tidbit, as well as her replies to the responses she received, that she still doesn’t get it.

Password cartoon

Charleen, this one’s for you…

First, a password manager randomly generates passwords for you when you create a new account, and it makes them as long as you want (I use 30 characters). It can also, of course, generate random passwords for your old accounts if you bother to change them. If you don’t understand why this is important, see this article. Random passwords for each account are especially valuable because they discourage the use of a single password across multiple sites, even for accounts you don’t care about keeping secure. Using the same password across sites is like using the same key for your office, house, car, gym locker, etc. If you don’t understand why this is important, see this article.
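To make the two points above concrete, here is an added example (not code from the post, and not LastPass’s own implementation) of the kind of generator a password manager runs: it draws 30 characters from the OS random source, shows how much entropy that buys, and gives every account its own independent password so nothing is reused across sites. The account names are a constructed sample.

```python
import math
import secrets
import string

# Letters, digits and punctuation: 94 printable ASCII characters (no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 30) -> str:
    """Random password drawn uniformly from ALPHABET.

    `secrets` uses the OS CSPRNG; `random` is a seedable PRNG and must
    not be used for credentials.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` independent uniform draws from the alphabet."""
    return length * math.log2(alphabet_size)


def build_vault(accounts) -> dict:
    """One fresh random password per account: a breach of one site
    does not hand the attacker the key to any other."""
    return {site: generate_password() for site in accounts}


def has_reuse(vault: dict) -> bool:
    """True if the same password is used for more than one account."""
    return len(set(vault.values())) != len(vault)


if __name__ == "__main__":
    sample_accounts = ["bank", "email", "gym", "forum"]  # constructed sample
    vault = build_vault(sample_accounts)
    for site, pw in vault.items():
        print(f"{site:6s} {pw}")
    # 30 draws from 94 symbols is roughly 196 bits of entropy.
    print(f"entropy per password: {entropy_bits(30):.1f} bits")
    print("reuse detected:", has_reuse(vault))
```

A 30-character password from this alphabet carries about 196 bits of entropy, far beyond what any online or offline guessing attack can cover, which is why the length costs you nothing once the manager is typing it for you.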

Second, you can use password managers from more than one machine at more than one place; you don’t have to be at home. I use LastPass, and have its browser extensions on my computer in Safari and Firefox, and in Safari on my iPhone and iPad (the same company also makes an iOS app). This is like having a copy of my virtual key ring on each device, and it makes it easy for me to access my accounts securely from all of those platforms. And if I’m really desperate, I can reach my LastPass vault directly online (though I won’t do so from an untrusted machine except in dire circumstances, such as being forced out of town by a natural disaster).

Third, using a password manager means you don’t have to type the password in every time you access an online account, which helps defend against keylogger attacks. If you don’t understand why this is important, see this article. (If you’re really paranoid, you can copy-and-paste your master password to avoid it getting keylogged, but then you’d better really know what you’re doing as far as security by obfuscation goes, as your password will have to be accessible somewhere in plain text format.)

Fourth, best-in-class password managers offer an optional two-factor authentication mechanism that’s linked to a physical device that’s distinct from the computer itself. If you don’t understand why this is important, see this rather eye-opening article. Use it if it’s available.

And finally Charleen, now that everyone who reads the WSJ article comments knows you keep your passwords in a handy-dandy notebook at home (hint: it’s near the computer, probably in a desk drawer), you’ve got a security issue you can’t easily fix. If you don’t understand why this is important, see this site.


Why Socially Responsible Companies Should Have Legal Status

I’ve been giving a lot of thought to “socially responsible companies” lately. A socially responsible company (SRC) has more than a simple fiduciary responsibility to its shareholders (Wall Street speak for “make as much money as possible so we can line the pockets of the owners”); it also must give due consideration to the social context in which it operates. The big idea behind SRCs is to give companies the freedom to protect not only their shareholders’ wallets, but also their stakeholders’ welfare.

If publicly-traded SRCs were certified and given official legal status as such, they would have the legal protection needed to consider options other than maximizing profits without regard to the social consequences. In other words, rather than waiting to be sued for having done something wrong, dragging it out through the courts for as long as possible, then settling for an undisclosed sum while not admitting guilt or responsibility, companies could actively pursue doing something right, even if it might cost the shareholders money.

Consider for example the gambling industry; in particular, casinos.

Casinos make money when people gamble; the more people gamble there, the more money the casino makes. But the tools now exist for a casino to identify likely gambling addicts by analyzing the data it collects on its customers. If a casino were a registered, legally-protected SRC, it would have the protection it needed to pursue the development and refinement of these tools, so as to get the customers who might otherwise spend themselves into financial oblivion the help they need, or at least cut them off, even if doing so resulted in financial losses for the casino. This makes an awful lot of sense to me. The way the system works now, the casinos either have to A) gamble that implementing these tools will give them a competitive advantage (“Worry-free gambling here! We’ll cut you off and kick you out if the computer says you have a problem!”), or B) hope the government or the communities in which they operate don’t protest or pass laws mandating these tools, while doing nothing and continuing to screw a small percentage of their customers, who are gambling their way into bankruptcy. Guess which one they prefer? (Not sure? Read the article.)

