Why I Left LastPass for 1Password

There are very simple reasons why password security is so important:

1) We can now access most of our private, confidential information online (bank accounts, email, and social networks), and

2) We’re lazy.

I’m not trying to make anyone feel bad with that last point. I’m really lazy, too. For years, I used only a few passwords and rarely changed them. It doesn’t take a long explanation to illustrate how dangerous that can be. If someone figures out your Facebook password and you use the same password for your email, the intruder can now log into your email and reset passwords for things like your online banking. And if you’ve ever wondered how embarrassing emails from politicians and celebrities end up getting exposed online, this is how it’s usually done.

A few years ago, I started using LastPass to manage my passwords, and it dramatically improved my online security. Password management software like LastPass lets you generate complicated, random passwords for each website you visit, and all you need to do is remember a single main password to access all of them.

While I love the idea behind LastPass, I haven’t been entirely comfortable with its execution. I made the switch to 1Password when it became available for Windows last year, and I’ll explain why making the same switch is a great idea if you haven’t already done so.

1Password vs. LastPass

Although it wasn’t available for Windows until 2010, Mac users have been familiar with 1Password for quite a while. This award-winning password manager lets you create strong, unique passwords and locks them with a master password, so you only need to remember a single password. Unlike LastPass, 1Password doesn’t have a free version, so why would I want to switch?

1Password lets me store my passwords locally

One of LastPass’s best features is that it stores your passwords online, so you can access them from anywhere by logging into your LastPass account. But even with amazing security, I could never feel completely secure leaving all my passwords in someone else’s hands, which is one of the biggest reasons why I switched to 1Password.

I’m braver than most technically inclined people I know, partly because I spend so much time using new technology that I have built up some sort of mental callus to its inherent risk, and partly because I want to believe that most of these companies aren’t looking to screw over their users. But my paranoid tech-savvy friends aren’t wrong – we’ve seen countless examples of how companies have sold their customers’ private data for personal gain. And even if the company is 100% ethical, all it takes is for an unethical giant to buy them out and make dramatic changes to their privacy policies.

With 1Password, I can store my passwords locally on my computer so I never have to worry about a hacker breaking into a massive storage server somewhere in the world and potentially getting my information. This means I also need to be careful with how I store this information, but since 1Password encrypts everything it makes it pretty easy to keep your passwords safe. I love having total control over my data.

What if you need to access your passwords on multiple computers? This is a very realistic problem for almost all of us, and there are a few easy solutions with 1Password. You can use Dropbox, a super-easy file sharing program, to keep your passwords synced across multiple computers. And if you don’t feel comfortable doing that, you can simply save your 1Password files to a USB flash drive or portable hard drive to always have them handy.

Passwords stored with 1Password are already securely encrypted, but you can use a free application like TrueCrypt to ensure your passwords are inaccessible. The 1Password team wrote a great article about password security in cloud-based storage systems.

Great browser integration with hotkeys

This might seem a bit fickle, but I don’t think I could really get in the habit of using password management software that didn’t have an easy way to access my passwords and automatically insert them into my browser. 1Password has great browser plugins for Firefox, Chrome, and Internet Explorer, so I can log into my accounts effortlessly.

The best way to access your 1Password passwords in a browser is to use the hotkey CTRL + \.  When you press this key combination, a window will automatically appear prompting you to unlock your 1Password data, and after doing that you’ll see a list of any accounts available for the website you’re viewing.

1Password’s Chrome Plugin

When creating an account on any website, you should always use a unique, complex password. 1Password makes this very easy with their Generator option, where you can pick the password’s length and complexity. Since you don’t have to memorize it, why not make it as complicated as possible?

1Password’s Password Generator

One of my favorite features of 1Password’s password generator is its Pronounceable option. This lets you create a password that is easily pronounced phonetically (and thus easier to remember), which is great for using services like Twitter when you need to log into mobile apps.

If you accidentally reveal this to anybody, you can just convince them it’s the language you speak to your spirit animal in.
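The trade-off between the Generator's length and complexity settings and its Pronounceable option can be put in numbers. The sketch below is an added example, not 1Password's code: the symbol set, the consonant-vowel syllable scheme and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"           # assumed symbol set (13 characters)
CONSONANTS = "bcdfghjklmnprstvwz"   # assumed: 18 consonants that read cleanly
VOWELS = "aeiou"
SYLLABLE_BITS = math.log2(len(CONSONANTS) * len(VOWELS))  # about 6.49 bits


def random_password(length=20, symbols=True):
    """Fully random password; every character comes from the OS CSPRNG."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(SYMBOLS)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Redraw the whole password instead of patching characters in, so
        # the result stays uniform over all passwords that qualify.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def pronounceable_password(syllables=6):
    """Consonant-vowel syllables: easy to say, but far less entropy per character."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
        for _ in range(syllables)
    )


def random_bits(length, symbols=True):
    """Entropy upper bound (bits) for random_password of this length."""
    alphabet_size = 62 + (len(SYMBOLS) if symbols else 0)
    return length * math.log2(alphabet_size)


def pronounceable_bits(syllables):
    """Entropy (bits) of pronounceable_password with this many syllables."""
    return syllables * SYLLABLE_BITS


def syllables_for(target_bits):
    """Syllables needed for a pronounceable password to reach target_bits."""
    return math.ceil(target_bits / SYLLABLE_BITS)


if __name__ == "__main__":
    print(random_password(12), f"{random_bits(12):.1f} bits")
    print(pronounceable_password(6), f"{pronounceable_bits(6):.1f} bits")
    print("syllables for 80 bits:", syllables_for(80))
```

At the same 12 characters the pronounceable form carries roughly half the entropy of the random one, so a pronounceable password should be made noticeably longer.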

I’d rather pay for important software I’ll use every day

First off, LastPass does have a premium version that gives you access to mobile apps and better features. But it’s a subscription-based service, so this means you’ll have to keep paying for it as long as you want access to these features. If you ask me, I’m already subscribed to way more services than I want to be (Netflix, Audible, my mobile phone plan), and I really don’t feel like adding another monthly subscription.

1Password costs $49.99 (for Windows) which you pay once to completely own the software and receive all updates. And you know what? It’s completely worth it.

I use the same logic when explaining why it makes sense to pay for your operating system – this is software you’ll use every day, it will improve your life (I’m guessing you would be negatively affected if someone hacked your bank account because you were using insecure passwords), and its price is validated by 1Password’s high quality. I pride myself on supporting things that I enjoy and that improve my life, and I’d rather use the buy-it-once 1Password than a free version of LastPass.

1Password also has apps for Android, iPhone/iPod touch, and iPad, so you can always access your passwords on-the-go. The 1Password mobile apps also support Dropbox, making it easy to keep your passwords synchronized on your mobile device.

Image courtesy: mbrand

Why You Shouldn’t Talk to Strangers on Facebook

Facebook, for the most part, is a safe place to meet friends and talk to people. However, it’s good practice (and simply common sense) to stick to conversations with people you actually know.

Recently, I’ve been receiving messages from complete strangers asking seemingly-legitimate questions about my livelihood, such as programming or brewing, since both are listed on my (up until today) public profile. Of course, when you get random messages from people outside of the country, your mind detects that something is amiss.

Don’t ignore your instincts when it comes to the internet.

Before responding to any of these messages, I decided to trust my gut and do some investigating into possible scams that could be run through innocent message exchanges on Facebook. What I discovered is that if you respond to a message on Facebook, you grant the person receiving your message permission to view your profile as a friend would for one month.

Just for clarity, I’ll reiterate:  If you respond to a message on Facebook, the recipient can view your profile for ONE MONTH.

It doesn’t take a month for somebody to copy your photos, copy your information, and set up a fake account on Facebook under your name or otherwise steal your identity.

The other possibility is that you’ll be lured into a sorority house pillow fight. The risks are real!

Dramatization.

Maybe this comes across as paranoid, but play it safe and just ignore/block messages on Facebook from people you don’t know. Hopefully Facebook decides to change its policy on profile viewership by non-friends in the near future. In the meantime, you can change your visibility to be non-public (so that you cannot be searched and found), or you can simply not reply to suspicious emails.

Farewell Firesheep, Facebook Rolls Out Secure HTTPS Option

After the Firesheep fiasco of last October, most people became keenly aware of how insecure they were on unencrypted websites like Facebook and Twitter. (In case you missed it, Firesheep is an add-on for Firefox that allows a malicious user to take control of your account on insecure non-https websites when browsing on Wi-Fi.)

Firesheep is very easy to block; all you need to do is access websites through their secure https connection (i.e. using https://www.google.com instead of http://www.google.com). Plugins like HTTPS Everywhere made this easy by automatically forcing your browser to use the https versions of popular websites.
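Forcing https in the browser only helps if the site also keeps its session cookie off plain http, since a sniffed session cookie is what lets someone else act as you. The following added example (not from the original article) audits a site's response headers for that; the sample responses, the social.example host and the function names are constructed for illustration, and the HSTS check goes a step beyond what the article covers.

```python
from urllib.parse import urlsplit


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url, headers):
    """Return findings that leave a session readable on open Wi-Fi.

    headers is a list of (name, value) tuples as received from the server.
    """
    findings = []
    is_https = urlsplit(url).scheme == "https"
    if not is_https:
        findings.append("response served over plain http")
    header_names = {name.lower() for name, _ in headers}
    if is_https and "strict-transport-security" not in header_names:
        # Without HSTS the browser will still follow http:// links to the site.
        findings.append("no Strict-Transport-Security header")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # The browser attaches this cookie to http requests too.
            findings.append(f"cookie {cookie_name} lacks the Secure attribute")
    return findings


# Constructed sample responses (not captured from any real site).
PLAIN_HTTP = ("http://social.example/home", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=7f3c9a; Path=/"),
])
HTTPS_LOGIN_ONLY = ("https://social.example/login", [
    ("Set-Cookie", "session=7f3c9a; Path=/; HttpOnly"),
])
HARDENED = ("https://social.example/home", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=7f3c9a; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for url, headers in (PLAIN_HTTP, HTTPS_LOGIN_ONLY, HARDENED):
        print(url, audit_response(url, headers) or "ok")
```

The middle sample is the subtle case: the login page is encrypted, but the cookie it sets still travels in the clear on any later http request.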

Some websites started including an option to use the https version of the site by default. Gmail enabled this feature way back in 2008 (making it the default setting for everyone in January 2010), and even though it made the site a little slower, it was well worth it knowing your emails were safe from prying eyes.

Better late than never, Facebook recently announced that they too will include an option to browse the site via https by default. This option is gradually rolling out to all users starting today (I don’t have it yet at the time of this writing), with the full transition taking a few weeks.

To enable https connections by default on Facebook, expand the Account Security section of your Account Settings page. Click the check box under Secure Browsing (https) to enable the new feature.

As with all encrypted connections, there are a few things to know before making the switch. Https connections will probably be a little slower than standard unencrypted connections, and not all 3rd-party plugins will work right away. Facebook says they are working hard to resolve any issues with https connections.

Facebook is working to improve security in other ways as well. If Facebook detects suspicious activity on your account, they’ve started using a new feature called “Social Authentication” to confirm you are who you say you are. If you use Facebook in North Dakota at 8am and access it later that day from Moscow, a screen will appear asking you to identify your friends in a series of pictures. If you correctly identify your friends, Facebook has better certainty your account hasn’t been hacked.
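The North Dakota and Moscow scenario is a classic "impossible travel" signal, and it is simple to compute from login records. This is an added example, not Facebook's implementation: the login events, the 900 km/h threshold, the 50 km jitter allowance and the function names are all assumptions.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumed: tolerate IP geolocation jitter


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def flag_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare consecutive logins and report pairs no traveller could make."""
    ordered = sorted(logins, key=lambda e: e["time"])
    alerts = []
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        speed = km / hours if hours > 0 else math.inf
        if km > MIN_DISTANCE_KM and speed > max_kmh:
            alerts.append({
                "from": prev["place"], "to": cur["place"],
                "km": round(km), "kmh": round(speed),
            })
    return alerts


def utc(hour):
    # Constructed date; all sample times are UTC to avoid time-zone ambiguity.
    return datetime(2011, 1, 26, hour, 0, tzinfo=timezone.utc)


# Constructed login events for one account (approximate city coordinates).
SAMPLE_LOGINS = [
    {"time": utc(8), "place": "Fargo, ND", "lat": 46.8772, "lon": -96.7898},
    {"time": utc(11), "place": "Bismarck, ND", "lat": 46.8083, "lon": -100.7837},
    {"time": utc(16), "place": "Moscow", "lat": 55.7558, "lon": 37.6173},
]

if __name__ == "__main__":
    for alert in flag_impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

A flagged pair is a reason to challenge the login, not proof of compromise, because VPNs and mobile carriers can also make a user appear to jump between locations.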

If you’re interested in other ways to keep your Facebook account secure (like preventing your friends from writing terrible status updates on your profile), check out my previous guide about enabling account security with login notifications.

Ask Techerator: I Think I’m Being Spied on with Dynamic DNS, What Should I Do?

Techerator team:

My (techie) husband mentioned that he can track the location of our laptop with a “dynamic DNS”.  He also said something about being able to remotely connect to it with this tool.  Should I be worried? Is this spyware?

The service he is referring to is indeed called dynamic DNS.  This service can tell you a computer’s IP address wherever it goes (as long as it is connected to the internet), but it doesn’t necessarily mean somebody knows where you are geographically.  You can only tell so much from an IP address, and even less if the person is behind a router (i.e. if they’re on a wireless connection in a public place).

So why use dynamic DNS?

Every time you connect to the internet, your computer gets assigned a unique IP address.  If I’m at home, my address might be 218.20.34.10, and if I’m at a coffee shop it could be something completely random – so I have no idea what it is for sure.  IP addresses can also change over time, so you can’t assume your home IP address will remain the same.

The solution to this ever-changing IP address problem is to use a Dynamic DNS.  In common terms, it’s a special domain name that you can assign to a computer, and the computer will tell that domain name what its IP address is on a regular basis. For example, I could make a custom address like myhomecomputer.dnsalias.org, which I could set my computer to update.  If I was at work and wanted to connect to my home computer, I could just connect to “myhomecomputer.dnsalias.org” instead of trying to figure out its unique IP address.

So is it harmful?

Dynamic DNS isn’t exactly what I’d call spyware, but if somebody is using it for deliberate tracking or monitoring then yes, it could be.  I harmlessly use Dynamic DNS all the time to manage my computers – I have it installed on my laptops, desktops, and even my mom’s computer for when she needs remote computer assistance.

Knowing the Dynamic DNS/IP address doesn’t exactly tell you personal information about a person, but if a remote support application was installed (like VNC, which is free remote desktop software), you could easily log into, monitor, and control the computer.

What should I do?

If Dynamic DNS is installed, it should be easy to remove because it isn’t intended to be a virus.  You could look in the Start Menu for anything that says “Dynamic DNS” to see if it is present, or check the Control Panel under Add/Remove Programs.  Dynamic DNS can also be installed as a Windows Service (meaning it doesn’t necessarily have an application entry you can find in the Start Menu; it’s a utility that runs in the background of Windows), but that is fairly easy to remove as well.

DynDNS is one of the most popular dynamic DNS services, so check their site if you want to verify an application you found.

There are lots of ways your privacy can be compromised on a computer, especially with “key logger” programs.  These programs simply monitor all input from a keyboard and save it in a file – this file can also be uploaded to a server so somebody else can watch it.  This makes it very difficult to protect yourself by changing your passwords, because they’ll know the new password as soon as you create it.

If the goal is to protect yourself from eavesdropping, these are the things I would do:

  1. Try to find any Dynamic DNS software and remove it.  Like I said, these typically aren’t viruses, so they can be easily removed.
  2. Install and run Malwarebytes, which might pick up any malicious software, and remove anything it finds.
  3. Install and run Microsoft Security Essentials.  This is free security software from Microsoft and will scan your computer for malicious software.
  4. Install ZoneAlarm, a firewall with a free personal edition.  A firewall basically blocks almost all connections made to your computer, allowing you to only let in connections you truly trust.  This can be a HUGE pain because you’ll have to manually allow a lot of normal, benign connections access to your computer, but if you’re concerned about somebody else accessing your computer, this is the best way to block them.
  5. Change all passwords. Why last? Because you want to make sure an intruder has no access to your computer when you re-secure your accounts.

Final Thoughts

Aside from all those things, it never hurts to have a little old fashioned verbal communication if you think your privacy is being compromised.  If somebody you know is purposefully spying on you, it might be best to sit down and discuss why that is and perhaps find a compromise that works best for everyone.  In my opinion, doing things like spying on people just undermines their trust in you, which is more damaging than anything they were probably doing in the first place.

P.S. I should say that if you aren’t sure if something “spyware-ish” is installed, you could always press CTRL + SHIFT + ESC to bring up your task manager and take a screen shot (or write down) the applications that are currently running in the Processes tab.  That list will contain every application that is currently in memory.  You could then search Google for anything you found or ask someone who is familiar with these types of things.

Images courtesy: kodomut, Jose Goulao, Tam Tam

How To Remove Saved Usernames and Passwords from Firefox

One commonly used feature in Firefox is the ability to store usernames and passwords for websites you frequently visit. Saving login information removes the need to enter it every time you visit a site.

A feature that was added in the Firefox 3 release is the ability to update saved passwords for sites you visit.  This removed the problem of having duplicate usernames with different passwords.

But what if your username for a site changes? Without the ability to update the saved username, multiple entries are shown when logging in to a site.

Only one of these usernames is valid.

Removing this old login information is easily done by following the guide below.

Instructions

Step 1: Open Firefox and navigate to Tools > Options.

Step 2: Click the Security icon.

Step 3: Click Saved Passwords… to open the Saved Passwords dialog box.

Step 4: Find the site you wish to remove by using the search bar at the top of the dialog or by using the scroll bar on the right side.

Step 5: Once you have found the site username and password you wish to remove, select it and click the Remove button.

Step 6 (Optional): In the event that you wish to remove all saved usernames and passwords, you can click the Remove All button to do so.

Step 7: Close the Saved Passwords dialog and click OK.

The removed username and password is not shown the next time you visit the site it was removed from.

Invalid username removed!

Be sure to check out the rest of our articles about Firefox!

Forget to Log Out? New Facebook Security Features Will Save Your Reputation

Prepare to be impressed: Facebook is rolling out some great new features that will help protect your account from unauthorized access.  They might not have the whole information privacy thing figured out yet, but they are definitely taking the right steps when it comes to keeping your account safe.

Generate Temporary Random Passwords via SMS

First up is the ability to generate a temporary, random password that you can use if you don’t feel safe using your regular password.  If you want to access Facebook at an insecure public area like an airport or library, you can text the message otp (this stands for “one time password”) to 32665 (or FBOOK).  You’ll instantly receive a reply from Facebook with a temporary password that will only work for 20 minutes, so even if somebody finds the temporary password it would be completely useless.

To use the temporary random password feature, you’ll need to have a mobile phone associated with your account.  This feature is being rolled out gradually to Facebook users throughout the next few weeks (but it worked for me today, hooray!).

Remotely Log Out of Facebook

Just about every time I see a horrifying status on one of my friends’ Facebook profiles, it’s because they didn’t log out of their account after leaving someone’s house or left their computer unattended. I previously showed you how you can get alerts if somebody accesses your Facebook account, but that only helps if an unauthorized user logs into your account and won’t be helpful if you left your account wide open on your own computer.

If you think you left your account open somewhere, you can go to your Account Settings and click Account Security to see any Facebook sessions that are currently open.  This will show any computers currently accessing your account, their approximate location, how they’re accessing the account (browser, operating system, or device type), and will give you the option to terminate the session with “end activity”.

These new features are a great way to protect your Facebook account.  Even though your Facebook account might not seem like something that needs protecting, don’t forget that an intruder can get access to your friends, private messages, and a lot of personal information if they get into your account.

If you enjoyed this article, be sure to check out the rest of our articles about Facebook and social networks.

Image courtesy: Spencer E Holtaway

How Secure is Your Password?

Never before has a website been so blatantly obvious and honest in its function.  HowSecureIsMyPassword.net asks that very simple question; its response is something more or less dramatic, depending on what you type in.  The capital letters are kind of goofy, but it definitely works with the site’s straightforward approach to telling you how secure (or insecure) your password may be.

“This seems far too simple…something’s not right.”

Wrong.  The website is entirely safe to use, for your personal benefit only.  The creator, Mark Wales, assures you that you won’t be in any trouble for using the site – and he confirms your safety with the same light humor that the base page gives off.

It’s not hard to find anything you might be concerned about; it’s all below the text box when the field is empty.  The source code is also provided as a little bonus, so feel free to check it out! (Also notice how similar his favicon is to Techerator’s. Great minds think alike?)

Click here to read his rather funny FAQ.  And please, use his link below (or here) for Choosing A Secure Password if you’re given this notice:

Time to Upgrade: Microsoft Ending Support of Windows XP SP2 July 13th

Windows XP, our beloved operating system of the last decade and a savior from previous operating systems such as Windows 2000 and ME, will no longer be supported by Microsoft on July 13th, 2010.  This doesn’t mean that your computer will suddenly stop working that day or you’ll immediately be swarmed by viruses, but it does mean Microsoft will no longer be testing SP2 for vulnerabilities or releasing patches or updates.

What does this mean, exactly?  Well, if a major security flaw is discovered in Windows XP SP2 and a virus is released to exploit it, you’ll no longer have a nagging critical update in your task bar telling you to update your OS.

If you’re already using Windows Vista or Windows 7, you don’t have to worry.  But if you’re part of the surprisingly high 62% of computer users still using Windows XP, you should first check to see what Service Pack (SP) you have installed.  To do this, go to your Start menu, right click My Computer, and select Properties.  Your service pack will be listed under your operating system.

If you’re using SP3, give yourself a high five and continue frolicking on the internet; there’s nothing you need to do.  If you’re running SP2, however, it’s time to consider updating.  Soon.

Upgrading to Windows XP SP3 is easy and free.  Once you’ve installed SP3 you won’t notice many changes from a usability standpoint, but now you’ll have a more secure version of Windows XP with over 1,000 bug fixes.  To install Windows XP SP3, check out Microsoft’s SP3 upgrade page or visit Windows Update.

Obviously, upgrading to SP3 isn’t the best option because that too will expire eventually.  If your computer is capable of running Windows 7, I’d recommend upgrading to that instead and saving yourself some trouble in the long run.

Important Adobe Update Available, But There’s a Catch – You Might Need to Update Manually

It’s only been a few weeks since I wrote my last article about an update that patched 32 critical security holes in Adobe software, but here I am again.  Since you’re all my internet buddies, I’d like to let you know that Adobe just released a new patch for their software but it might only notify you if you manually check for updates.

Sure, it seems odd to me that they would say things like “This update addresses customer issues and security vulnerabilities” but make you find the update for yourself.  You know, because you’re always opening Adobe Reader, clicking Help, then selecting Check for Updates for fun.

This specific update addresses a few vague issues, but I’d still recommend doing it right away.  For more information, check out Adobe’s Release Notes or read the specific update information below.

Enhancements for security (including a zero-day fix), performance enhancements, bug fixes, improved browser support, and Updater improvements.

Internet high-five goes to Steve Gibson for this tip.

Time To Update! Adobe Flash Player Patch Fixes 32 Security Holes

Do you like websites that utilize Adobe Flash Player technology like Hulu and YouTube?  Do you simultaneously dislike having your computer hacked without your knowledge?  Well, do I have some important information for you!

A patch for Adobe Flash Player was recently released which patches 32 security vulnerabilities in a recent version of the application, version 10.0.45.2.  I’ll allow Adobe to explain it to you:

Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

And what does “critical” mean, you may ask?

A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.

So if this information has you relatively concerned, I’ll go ahead and give you the information to secure your computer.

Updating Adobe Flash Player

Step 1: First of all, you can check what version of Flash Player you are currently using here.  If you’re using version 10.0.45.2 (or anything earlier than that), you should install the patch.  If you’ve already updated to the release candidate of Flash Player 10.1, Adobe says there appear to be no vulnerabilities with that version.

Step 2: You can download the newest version of Flash Player straight from Adobe.  Simply click the yellow Agree and install now button to start the download.

Conclusion

Besides fixing a bunch of security holes, the newest version of Flash Player has many great new features such as better performance and power management, better video playback (including hardware acceleration), and multi-touch support.  For more information about the security holes in Flash Player version 10.0.45.2, check out Adobe’s security bulletin.

Image credit: dullhunk