Tuesday, January 20, 2015

Words on Password Security


Picture of a locked blue lock on a background of what appears to be a blue circuit
Image by: geralt License: CC0
UPDATED March 18, 2017 - LastPass has changed their business model and the mobile app no longer requires a subscription. I have also become aware of the Diceware passphrase generation technique. This post has been updated to reflect both.

Two years ago I wrote an article about an Offline Password Creator inspired by the xkcd comic "Password Strength". Many things have changed in those two years. Most notably, the password-cracking tools now take the method in that xkcd comic into account.

In early 2014, Bruce Schneier wrote an article on choosing secure passwords and specifically stated that the xkcd correcthorsebatterystaple method of generating passwords is no longer good advice.

Skip forward to present day, 2015. A friend of mine on Facebook discovered the aforementioned xkcd comic and other friends thought this advice useful. As someone with a bit of security knowledge through a university course and an enjoyment of reading security blogs, I felt I should help inform them. After typing a couple of hundred words in a Facebook comment, I realized I should write a new blog post to update you, my readers.

Below I will give my recommendations on maintaining a reasonable amount of security with your passwords.

Use a Password Manager
As I've mentioned before, I recommend that everyone use a password manager.

A password manager typically requires you to create a "master password" that is used to encrypt the password vault where all your other passwords are stored, so the security of everything in the vault ultimately rests on that one password. The manager often integrates with your web browser, making it very convenient to have a secure (long, random, unique, and a mix of character types) password for every website/application you use.
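To make the "master password encrypts the vault" idea concrete, here is an added illustration (my own example code, not taken from 1Password, KeePass or LastPass, whose actual formats differ) of the two things a vault file has to store next to its ciphertext: a random salt and an iteration count for a slow key derivation function. PBKDF2-HMAC-SHA256 from Python's standard library is used for the stretching; the iteration count, salt length and the "check value" scheme are assumptions chosen for the illustration. The last function estimates how long an attacker who has stolen the vault file needs to guess the master password offline, given an assumed raw hash rate.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative parameters (assumptions, not any product's real settings).
# A deliberately high iteration count makes each guess cost that many HMAC
# evaluations; raise it over time as hardware gets faster.
KDF_ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32  # 256-bit encryption key
CHECK_LABEL = b"vault-key-check"  # constant message MAC'd to detect a wrong password


def derive_keys(master_password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Stretch the master password into two independent subkeys.

    The random per-vault salt defeats precomputed tables and forces an attacker
    to attack each stolen vault separately; 64 bytes are derived and split so
    the key used for the check value is not the key that encrypts the vault.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=2 * KEY_LEN
    )
    return material[:KEY_LEN], material[KEY_LEN:]


def new_vault_header(master_password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Everything that must be stored alongside the encrypted vault.

    Storing the salt and iteration count is safe: they are not secrets. The
    check value lets the client reject a mistyped password without decrypting.
    """
    salt = secrets.token_bytes(SALT_LEN)
    _enc_key, check_key = derive_keys(master_password, salt, iterations)
    check = hmac.new(check_key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock_vault(master_password: str, header: dict) -> Optional[bytes]:
    """Re-derive the keys from the stored salt; return the encryption key only if the check matches."""
    enc_key, check_key = derive_keys(master_password, header["salt"], header["iterations"])
    expected = hmac.new(check_key, CHECK_LABEL, "sha256").digest()
    # Constant-time comparison, so a wrong guess leaks nothing via timing.
    if not hmac.compare_digest(expected, header["check"]):
        return None
    return enc_key


def expected_crack_seconds(entropy_bits: float, hashes_per_second: float, iterations: int) -> float:
    """Average offline attack time: half the keyspace, each guess costing `iterations` hashes.

    `hashes_per_second` is the attacker's raw HMAC-SHA256 rate (an assumption
    you supply); the iteration count multiplies the cost of every guess.
    """
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / hashes_per_second


if __name__ == "__main__":
    header = new_vault_header("correct horse battery staple")
    print("unlock with right password:", unlock_vault("correct horse battery staple", header) is not None)
    print("unlock with wrong password: ", unlock_vault("Tr0ub4dor&3", header) is not None)
    # Constructed figure: 10 billion raw SHA-256 HMACs/s, a strong GPU rig.
    for bits in (28, 44, 77):
        years = expected_crack_seconds(bits, 1e10, KDF_ITERATIONS) / (365 * 24 * 3600)
        print(f"{bits}-bit master password: ~{years:.2e} years on average")
```

The point the numbers make: the iteration count buys a constant factor (a few hundred thousand here), while each extra bit of master-password entropy doubles the attacker's work, which is why the master password, unlike the passwords inside the vault, has to be strong on its own.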


Choosing a Password Manager
So you want to use a password manager, great! Now you may find the task of choosing one a bit daunting, so I will briefly outline the options I recommend below:


1Password - Cost: Paid (Free Trial) ~$50 (on Mac/PC ~$40 for students) - Platforms: Mac, Win, iOS, Android

1Password was the first password manager I used. It has a good user interface, is fairly straightforward to use, and has a browser extension. The browser extension is important to most people because it (most of the time) allows for a single click to fill in your username and password.
The password vault can be synced across platforms with Dropbox. The vault is encrypted before it leaves your machine, so Dropbox only ever holds ciphertext and this is fairly secure (always be mindful this is a relative term, and that it rests entirely on your master password), but if you don't trust Dropbox I would not use this option.

Depending on how many platforms you use it can get a bit pricey. I paid for a student license for my Windows desktop and found it well worthwhile! However, I also use Linux (for which 1Password is currently unavailable), and the Android client (at the time) was unable to add new entries.

If your use case is only on one or two platforms it's definitely worthwhile and is a friendly way to begin using a password manager.

Keepass 2 Professional Edition - Cost: Free (despite its name) - Platforms: Windows, Mono (Linux, Mac, BSD, etc). Unofficially on: iOS, Windows Phone, Android, Blackberry

Keepass is my current password manager. I wanted a free alternative to 1Password that I could use to create new passwords on my phone (Android) and on Linux. I use Dropbox to sync my password vault. The user interface looks okay, and functions well. There is a browser extension which is quite useful.

On Android (via Keepass2Android Password Safe) I highly recommend using the Keepass2Android keyboard to enter passwords. The keyboard simply has a "User" and a "Password" button. This is safer than the copy/paste method because on Android any application can read the clipboard (where the copied password gets saved) without asking for a permission, so a copied password is exposed to every app on the device until it is overwritten.

Keepass is also open source, which is something I value.

This combination of cross-platform use, open source, and free helped make this my current password manager. If you don't mind taking the time to set it up (plugins required for the browser extension for instance) then it's well worth it!

(The following info on LastPass has been modified as of March 18, 2017)
LastPass - Cost: Free or Subscription ($12 USD/year) - Platforms: Windows, Mac, Linux, iOS, Android, Windows Phone, BlackBerry, Firefox OS, Surface RT

I haven't actually used LastPass, but I've heard very good things about it from my peers and would recommend it based on their recommendations and on my reading about it. During the Heartbleed incident LastPass was able to tell you which passwords to reset. It also rates your passwords and tells you which ones are weak. The subscription adds a few features (noted on the website), including a shared family folder.

Know Two Passwords
My recommendation is to know two passwords.

Why?

1) You need to know the password for your password manager, otherwise you can't access anything in it. So this one is very important. In the event someone steals your computer or hacks your Dropbox (or wherever the password vault lives), they have the encrypted vault and can guess at it offline for as long as they like, so you want it to be very, very difficult for an attacker to crack your master password.

2) In the rare event of your password manager breaking, the loss of your password vault (Dropbox has lost files after all), or some other catastrophic event that results in losing access to your passwords, you need some way to recover them.

First of all: you should always make backups of your files. Preferably follow the 3-2-1 rule, but most of the time a simple external hard drive will suffice. That's a topic for another post.

Second: in case you still can't access your passwords even with a backup, you want to be able to reset them. That's why the second password you should know is your email password. Almost all services let you reset your password via email, so this is crucial. The flip side is that whoever controls your email can reset everything else too, so that password deserves the same care as your master password.

How?
Now that you know why you need to know these two passwords, how will you remember them and how will you keep them secure?

You could:
  1. Create a Diceware passphrase with a simple six-sided die (aka a D6)
  2. Use a password manager to generate these two passwords
  3. Use something like the "Schneier scheme"

For a Diceware passphrase, roll a die five times and enter the five-digit number on this site, which looks the number up in a list of 7776 (6 to the power 5) words. Do this for six or more words to create a strong passphrase. Alternatively click the "6 Words" button.
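Here is the Diceware procedure above written out as an added example (my own code, not the site's or the Diceware project's), in the general form: a word list of size 6 to the power k is indexed by k dice rolls read as a base-6 number, so the real 7776-word list needs five rolls per word. Since the real list is not on this page, the block embeds a constructed 36-word list (two rolls per word) to run against, and it also computes the entropy of a passphrase so you can see why six words from the real list is the usual minimum. Rolls come either from a physical die you type in or from the secrets module; never from the random module, which is predictable.

```python
import math
import secrets

# Constructed 36-word (6**2) sample list: two rolls pick one word. The real
# Diceware list has 7776 (6**5) entries and therefore needs five rolls per word.
SAMPLE_WORDS = [
    "acorn", "badge", "cabin", "delta", "ember", "fable", "gamma", "hatch", "igloo",
    "jelly", "kayak", "lemon", "mango", "noble", "olive", "piano", "quilt", "radar",
    "salsa", "tango", "umbra", "vivid", "wafer", "xenon", "yacht", "zebra", "amber",
    "bison", "cider", "dusk", "eagle", "flint", "grove", "honey", "ivory", "juror",
]
DICEWARE_LIST_SIZE = 7776


def rolls_per_word(list_size: int) -> int:
    """Number of die rolls needed to index a list of size 6**k (rejects other sizes)."""
    k = round(math.log(list_size, 6))
    if 6 ** k != list_size:
        raise ValueError("a Diceware list must contain exactly 6**k words")
    return k


def rolls_to_index(rolls: list[int]) -> int:
    """Read dice rolls (each 1..6, first roll most significant) as a base-6 number.

    Five rolls therefore cover 0..7775, exactly the real list; the '11111' and
    '66666' entries map to the first and last word.
    """
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"die roll out of range: {r}")
        index = index * 6 + (r - 1)
    return index


def roll_die() -> int:
    """Cryptographically secure stand-in for a physical die."""
    return secrets.randbelow(6) + 1


def passphrase_from_rolls(words: list[str], rolls: list[int]) -> str:
    """Turn a full sequence of rolls (e.g. typed in from a real die) into a passphrase."""
    k = rolls_per_word(len(words))
    if len(rolls) % k != 0:
        raise ValueError(f"need a multiple of {k} rolls for this list")
    chosen = [words[rolls_to_index(rolls[i:i + k])] for i in range(0, len(rolls), k)]
    return " ".join(chosen)


def generate_passphrase(words: list[str], n_words: int) -> str:
    """Roll the die yourself, in software, and build an n-word passphrase."""
    rolls = [roll_die() for _ in range(n_words * rolls_per_word(len(words)))]
    return passphrase_from_rolls(words, rolls)


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a passphrase of n uniformly chosen words: n * log2(list size).

    This holds only if the words were chosen uniformly at random (dice), not
    picked by a human; a memorable-looking phrase chosen by hand has far less.
    """
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    # Example of entering real rolls: 1-1 is the first word, 6-6 the last.
    print(passphrase_from_rolls(SAMPLE_WORDS, [1, 1, 6, 6]))
    print(generate_passphrase(SAMPLE_WORDS, 6))
    for n in (4, 5, 6, 7, 8):
        print(f"{n} real Diceware words: {entropy_bits(n, DICEWARE_LIST_SIZE):.1f} bits")
```

Each word from the real list contributes about 12.9 bits, so six words give roughly 77.5 bits; the 36-word sample list gives only 5.2 bits per word, which is why a small list would need many more words for the same strength.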

Make them long, make them secure. Keep them secret, keep them safe. Bruce Schneier has suggested writing down your passwords and keeping the paper in your wallet, with your other small valuable pieces of paper (bills).

Wrap-up
With these precautions, you now have two secure passwords in case anything goes wrong, and the password managers make sure you have a strong, unique password for every website and app you make an account for.


Image Sources:
Header photo: geralt on pixabay - License: CC0

Monday, January 5, 2015

Nexus 9 - A Review of My First Tablet


Background Information

Ever since tablets became popular I wanted one. The iPad looked great, but I wanted something running Android. The Nexus 10 was out of my price range at the time, and the Nexus 7's screen was too small; I wanted something closer to 10" for watching videos.

Having set aside money for a tablet, the Nexus 9's release was perfectly timed for me. After using it for a few months I felt it was time to post a full review.

I own an Android phone (HTC One m7), a desktop computer (using Chrome), and a Chromecast already and I am a regular user of Google's services, which may affect my views on the Nexus 9.

The Nexus 9 I purchased was pre-ordered from the Google Play Store and is a Black, Wi-Fi only, 32GB model, shipped to Canada.


Use Cases

I knew I wanted something I could easily watch videos on, I also wanted something to browse the web, read PDFs without awkwardly zoom/panning and play video games on. I wasn't entirely sure how my use would evolve, but I felt the Nexus 9 would become useful and I would figure out my exact use for it over time.



School Life
As a student I have been studying a lot this year and many of my professors post lecture notes online. Looking up reference materials and reading PDFs has been great on the Nexus 9. If you want to read documents without zooming (or without much zooming) it's a great device for that. I have also found that Wikipedia scales nicely, as do many news sites.

A site's decision as to whether it's being viewed in a "desktop" or "mobile" browser seems to vary, but generally it's "mobile" in portrait and "desktop" in landscape.

The battery life has been more than adequate for going to class for a day, is great for showing things to friends, and feels more portable than even my 10" netbook.



Desktop Companion
The "origami cover" was out of stock for almost the entire time I've had my tablet, so I ended up using my Wii U gamepad stand (the non-charging one) as it holds the Nexus 9 at a decent angle in landscape orientation.

This has been great for scrolling through papers when working on a research document on my desktop (and my second monitor was in use).

The Wii U gamepad stand is also great for watching videos at a desk and generally propping it up.



Couch Potato
I'll often spend a good chunk of time on weekends or after school or work on my couch so I can put my feet up and spend time with family (both human and canine). The Nexus 9 has been a very nice size to hold while reclining and using to control my Chromecast.



Oh Lolli Lolli Lolli, Lollipop!
Software

My phone isn't due for an update in a while so the Nexus 9 has been my first experience with Lollipop (Android 5.0).

The new Material Design look and feel of Android 5.0 is appealing to me, and I like how everything looks with it.


Recent Apps
The new recent apps/Overview appearance is visually appealing, but can get quite cumbersome. Lollipop rarely (if ever) clears the recent apps so I have had dozens of apps open at once, which makes scrolling through them rather difficult. The new look is great for looking at the last few apps, but overall I prefer the HTC Sense version of the Recent Apps.

Another new addition to the Recent Apps/Overview area is the ability to "pin" apps. This is disabled by default but can be turned on in the Settings. When it's enabled you can "pin" the app you are currently on so the Home button (The circle in Lollipop) doesn't close your app. Instead you must press a key combo (with an optional PIN code afterwards). This is great for handing a device to friends, for children (who are apparently notorious for clicking the Home button and ads), or for simply preventing yourself from closing a game by accident.

The key combo they chose brings me to the next section.


OS Software Keys
This version of Android revamped the look of the UI in a number of ways, including the on-screen buttons. In previous versions you would see an arrow pointing to the left (Back), a house or a physical button on Samsung phones (Home), and a stack of windows or a stack of lines (Menu).


Lollipop switched these to simple geometric shapes: A triangle, a circle, and a square.

Images: KitKat home screen and buttons; Lollipop home screen and buttons
There's been a lot of debate over whether this was good or not in the Android community, the best argument (in my opinion) being it standardizes the buttons across devices and makes it easy to reference the buttons.

This would be great but Google completely ignores the shapes when referring to the buttons in my experience.

When I first tried pinning an app it told me that to un-pin it I should press and hold the "Back and Overview buttons", to which I said "The Back and what buttons?". A moment later I realized it was referring to the square "recent apps" or "menu" button. Speaking with another Android enthusiast, it seems I wasn't alone in that split-second pause.

It appears that on phones it uses the term "Recents button".
Source: fossbytes.com


I expected this new design language to translate into simple directions for people such as "press and hold the triangle and square buttons". In my opinion the combination of switching the icons and using new terminology ("Overview button") is more likely to confuse people, especially those new to Android or those who have difficulty with technology to begin with.

Hopefully Google (and other developers) will adapt to the new buttons and use the shape names in their descriptions, making it easier for everyone to understand.



Launcher
Normally on my phone I use Nova Launcher for my homescreen. With the Nexus 9 I felt it was worth trying out the default, GEL (Google Experience Launcher), for a bit to see how it works these days.

I've been thoroughly enjoying the Google Now integration and have been making use of folders. The App Drawer simply looks like another folder now, which is interesting. There are two issues I have found with GEL though:

1) The app drawer (which looks more like a regular folder now) is white. During daylight hours this isn't an issue for me and I don't keep my tablet at my bedside. However, some have pointed out how blinding this can be late at night or in the morning.

2) I use folders for quick access to games and Chromecast apps. It seems that the new aspect ratio of the Nexus 9 has thrown off the stock launcher's landscape mode, as the folders cut off some icons (with no way to scroll) when I have too many in a folder.


Notifications
The new notifications are useful for being noticed, but can be awfully distracting when playing a game or watching a video. I noticed that some games will also display the heads up notifications but capture all the click inputs (or something), meaning I can't actually go directly to the app, but have to exit the game first.


Let's Get Physical
Hardware

I planned on playing lots of games so I purchased the 32GB model, and figured Wi-Fi would be available most places I use my tablet, so I went with the Wi-Fi only model. Finally I chose black as it wouldn't yellow or get dirty as fast as the white model.

The front-facing speakers were a huge selling point to me but were initially disappointing. The HTC One (m7)'s front-facing speakers were fantastic for a phone, but it felt like they were just re-used in the tablet. Over time I don't notice it as much of an issue, though sometimes I will have to turn up the volume a bit more if the clarity isn't very high.

The "flex" on the back is noticeable as early reviewers pointed out. I don't play with it and it doesn't bother me.

The aspect ratio (4:3) is new to Android tablets, and in my opinion works great. The iPad has used this ratio for a while and has functioned well, so I am glad HTC/Google took note of that and used a similar size. It feels comfortable in my hands, is easy to use in both portrait and landscape, and makes reading more comfortable. On the downside videos are framed with black or cut off, as they are designed primarily for wide-screen, but this doesn't bother me much. I've also noticed the default launcher doesn't handle the new ratio well, as folders with many items will cut off in landscape mode (a bug I will be reporting and which should not be an issue in the future).

Playing games does cause the camera corner to heat up a fair bit, which bothers me a bit as I expected it to run a bit cooler, but no damage has been noticed yet so I assume it's just the games taxing the processor.

The size and weight are great and overall I love the feel.

Game On


Apps and Scaling
Overall apps have been scaling well on the device, the new Google Calendar looks fantastic. Reddit News (my reddit app of choice) works fantastically on my tablet, as does YouTube and Plex.

I'm disappointed with Twitter's tablet UI, so I mostly stick with Talon (which I compiled myself from the source code posted on GitHub).

Chrome makes use of visible tabs on tablets and forgoes the tabs-as-cards UI it uses on phones. This generally works well, but with many tabs it can get annoying. I haven't experimented with showing tabs as their own activity in the Overview list, but have heard mixed reviews.

Games run very well on the Nexus 9, which was one reason I wanted a tablet. Hitman GO, Hearthstone, Scrolls, and Frozen Synapse are all great. However, I have run into some heat issues, nothing has overheated but it can get quite warm.

It should be noted that these games can take up a lot of space, so if you want to play a lot of games I highly recommend the 32GB model.

Results

Overall I enjoy my Nexus 9 very much as my first tablet.

The performance and availability of apps is great, the front facing speakers work well (though not as well as expected, still quite usable). The new aspect ratio is a delight after seeing Apple products use it for so long.

My complaints are minimal; the heat may only be an issue with the early production runs, but for the price of the tablet I would have expected better.

Price is the other issue, given some build quality problems such as the heat, some texture on the plastic when I first received it, and the flexing back. Had the price been lower or these issues not existed I would have been perfectly happy.

If you have the money to spend, and want a higher performance tablet I would recommend the Nexus 9 as a tablet. For a cheaper, lower-end tablet I would recommend the Nexus 7 (2013) instead.



Typos? Disagree with me? Have questions or find this review useful? Let me know in the comments!