Identity theft and the average Joe

I’d like to see the next security survey include a follow-up question to the ‘are you afraid of identity theft’ question. Something along the lines of: ‘do you know what identity theft is and how you can protect yourself?’

I’m not trying to belittle the issue of identity theft. But my own experience is that most people simply repeat the phrase because they’ve heard it so many times on TV and the radio. They don’t understand it and therefore they don’t take even the most basic of precautions to protect themselves.

It’s kind of like the idea of ‘panic rooms’. After the release of the Jodie Foster film (2002), it was all the rage to talk about ‘safe rooms’ and all sorts of newfangled security systems. But do you know anyone who actually did anything to increase the security of his or her home? Lots of talk and no action!

With identity theft, the situation is worse because identity theft is something that can impact each and every one of us. If you have a social security number (in the US, or the national ID in other countries), or credit card, or a bank account, or utility bills you are at risk. Each one of us who is living in modern society is a potential target.

Make sure you protect your personal data. As far as computer usage is concerned, at the very least make sure that your computer software is up to date, including security patches. Make sure you have the basic security programs installed and running: anti-virus software, firewall, anti-spam, and a password manager. With email: don’t open it or click on it unless you KNOW who sent it! Be jealous of your privacy!

Do you know what identity theft is? How are you protecting yourself?

What would your answers be?

Peter L

Password stealing

I just ran across a little article about a school having its computer system compromised because of a password being swiped. It seems that a student in the 4th grade got the password from a teacher’s desk and then used it to fiddle with the district-wide computer ‘blackboard’ system. No long-term harm was done, but I’m sure the IT folks were scrambling for a while before they figured out what had happened.

Luckily, the alleged child culprit wasn’t prosecuted! While the 9-year-old surely misbehaved, in my estimation, the offense doesn’t warrant a criminal punishment. Instead, it should be a call to the school to figure out why passwords are accessible to curious 9-year-olds. (Aren’t all 9-year-olds curious!?!)

What is missing from the article is any mention of the security policy of the school. Is it standard policy for teachers to write their passwords on post-it notes and to leave them on their desks? Why did this teacher have a password with administrator rights? Do all of the teachers have admin rights? Did the teacher follow procedures for keeping the password safe? Were there any procedures to follow?

We aren’t given any details, but would we be going out on a limb to conclude that the breach is the fault of the teacher, if not of the school or district for failing to follow an appropriate security policy for passwords?!

Peter L

Show off in Sticky Password style

You use Sticky Password because you appreciate the security and the elegant approach to password management and automatic form filling. Now you can add some of that pizzazz to your style. Show off with a cool Sticky Password t-shirt, or make everyone jealous while having a cup o’ joe in your handsome Sticky Password mug.

Visit the Sticky Password store on zazzle to order your very own Sticky Password t-shirts, mugs and other gifts – even doggie sweaters. New designs and merchandise will be added regularly, so make sure to check back to see what’s new.

Buy yours today and send us a picture of any Sticky Password product in your real life and we’ll post it on the Sticky Password facebook page.

Remember, it’s good to flaunt your Sticky Password, NOT your passwords!

Sticky Password securing your personal data in the big city!

Sticky Password in real life

A bunch of you have already sent emails asking about the photos being posted on the Sticky Password facebook page. We’re starting a photo series on facebook that we’re calling ‘Sticky Password in real life’. The idea is for Sticky Password customers to submit pictures from all over the world showing how they use Sticky Password, or anything with the Sticky Password logo anywhere: near a landmark, under a waterfall, in your apartment or the local library, at your 2nd cousin’s wedding – anywhere! Or, even something simple like writing Sticky Password in the snow with pine cones. :-)

Join us by sending a photo showing YOUR real life with Sticky Password to photos@stickypassword.com. Don’t forget to include your name and where you took the picture so that we can toot your horn for you. (Legal stuff: by submitting your photo, you agree that Sticky Password can post the photo on facebook and use it in any way that we’d like to promote Sticky Password.)

We look forward to posting your photos!

When it comes to passwords, is your IT guy one of the bad guys?

Not intentionally, I hope – but the IT guy (or gal) is usually under a lot of pressure to fix something quickly so that the business of doing business can move on. And that can lead to shortcuts and encouraging bad habits.

When you call the IT guy, you’re the one who wants it done quickly; when he comes knocking with some sort of update or network issue, he’s pushing all the more to get you set up – because he has to repeat the same thing for all of your colleagues. Either way, whatever he is doing usually requires a password – one of your passwords.

He starts working with you standing behind him as you explain the problem over his shoulder. He moves aside to let you enter your password.

You BOTH know that the password is a secret – your secret.

You bend over the keyboard to enter the password as he pretends to be interested in some pictures on the wall of your cubicle.

He resumes working with you standing behind him. There’s a little small talk. He looks up at you because he needs the password again.

You BOTH know that the password is not supposed to be shared.

You awkwardly enter the password, again.

You discover that standing behind him is boring and that you don’t want to chat with him anymore. You hope that it’ll be over soon. It doesn’t look like it: he needs the password again. You seize the opportunity and write your secret password on a post-it note and tape it to the desk next to your keyboard. You leave your cubicle in search of something better to do – like getting grilled by your manager about a missed deadline.

This ritual happens over and over in almost every company. It doesn’t matter whether you have an in-house IT team or outsource your IT support. The IT guys and gals have it tough: they’ve got a job to do and they know better than anyone the company password rules. Yet, they bend the rules so that you can get back to work and they can get to the next customer.

This is bad news for at least a couple of reasons. First, your password isn’t a secret anymore. The person to whom you’ve revealed your ‘princess1’ password has access not only to the specific account or application, but also has an idea of your password philosophy, which makes it a lot easier to crack your other accounts. Second, and maybe even more important, is that this type of behavior reinforces the idea that passwords and security aren’t important. Somewhere, deep in your subconscious, you slowly start getting used to the idea that sharing passwords isn’t a big deal; you may start to reconsider whether it is even worth it to have different passwords for different accounts and websites, and pretty soon, you’re using ‘password’ as your password. It’s a slippery slope!

This is a call to IT guys – come on, make it hard on us! Don’t let us tell you our passwords. Make sure we know that that’s not acceptable.

Peter L

PS Check out IT Crowd for a great look at life on the IT rung of the corporate ladder.

Password survey results

I ran across an interesting password survey conducted by Kevin Haley at Symantec. About 450 people answered his 9 straightforward questions. When thought about a bit, some of the results are pretty interesting.

The first question asked about the number of passwords. 33% of all respondents said that they have 10 or fewer password-protected accounts (networks, websites, etc.). Mind you that these folks took an online survey. As best as I can tell, they had to log in to participate in the survey, which is entirely appropriate, but that would mean that that was one of their passwords – right?! My point is that most people severely underestimate the number of password-protected accounts they have. I’ve mentioned it in earlier blogs – stop someone on the street and ask how many accounts they have and you’ll get an answer like ‘just a few’, ‘maybe 10, or so’, or some small number. But when you think about most people (not technology geeks), you quickly see that even a basic Internet user will easily have 10 accounts, and probably more. Average users will likely have 20, 30 and more. Think about your own password-protected accounts:

1. free webmail (yahoo, gmail, hotmail, etc.)
2. email from your service provider (aol, comcast, earthlink, …)
3. facebook or other social network, maybe multiple networks
4. work
5. Amazon and other online shopping sites
6. Travelocity and other travel sites
7. online subscriptions (newspapers, magazines, newsletters, …)
8. just about any online blog to which contributions are made

That’s not to mention banks, credit cards and other financial stuff like retirement and investment accounts, government sites, libraries and local services, airlines, as well as cell phone accounts, utilities, and so on. This is interesting because a result of this underestimation is likely to be that many people entirely misunderstand the threat to their data, which should be protected by their passwords. If there’s no threat, then you don’t need to manage anything – right!?

The response to question 6 flows from the first: if you don’t think there’s a lot to remember (i.e. that you have only a few passwords), then you’re bound to think you can do it all in your head. 60% of people responding said that their ‘memory’ was their method for remembering passwords. I’ll bet a dollar to a donut that these folks’ passwords aren’t the strongest on the block. Still, quite a few (7%) admitted to storing theirs on post-it notes next to the computer.

Questions 2 and 3 were about choosing passwords. Just over eighty percent (80%) indicated that they recycled or duplicated their password to some extent. This would seem to contradict the 71% of respondents who selected ‘strength’ as one of the most important factors when selecting a new password. I thought the 9% who selected passwords because they were ‘fun or interesting’ were at least a little more aware of what was going on. (In general, this isn’t a good attribute in a strong password.) A fun or interesting password is a big aid in remembering it, but that also creates the temptation to share it with others. And then there’s the risk that others also know that your cat’s name is ‘Precious’.

The detailed results of the survey are worthwhile and so is Kevin’s commentary.

The failure of passwords is because of human nature: we are driven to make things easy for ourselves. Good passwords require the opposite.

Peter L

Random happenings in the world of passwords

Recently, I was in a meeting where several people gave presentations via a projector. As almost always happens, there were minor glitches in transitioning the projector connection from one notebook computer to the next. As part of her presentation, one unsuspecting person needed to log in to a site. Without looking at the screen to see what was actually being displayed, she ran through her login and password and clicked ‘ENTER’. She then looked up and saw that she had accidentally entered her password in the ‘NAME’ field. The result was that for several seconds, 9 strangers saw her full access credentials for the site. Nobody said anything. She cleared the fields and ran through the process again – this time successfully.

At the break, after talking about the material she presented, I quietly suggested that she change her password. “What do you mean?” When I explained that there were 9 additional people who now knew her information, she looked surprised. “Oh, that little slip when I started! I’m sure that no one here has any reason to do anything funny.”

We humans are a trusting species, especially when face-to-face contact is involved. Unless we have a specific reason to be suspicious of someone, we usually give people the benefit of the doubt about possible bad intentions. That’s fine and necessary for our daily lives: the local grocer and paperboy don’t want to rip us off; if we didn’t trust the other drivers on the road, then we would never be able to get anywhere. But we still have keys to lock up our stuff.

As for accidentally revealing all or part of a password, I’ve had it happen to me at inopportune moments in the past, and it’s not that uncommon to see it when working with people at a projector or a monitor. The people sitting around may or may not notice what happened, and they probably aren’t interested in your passwords. But you never know. And why would you take the risk? Next time something like that happens to you, make sure you double back at the first opportunity to change that password.

Peter L

Take my personal data, please!

A site called Please Rob Me has been created to highlight the problem that most people don’t make the connection between personal information and security. People are putting way too much information online through twitter and social networks. Note that I said ‘information’ – not just stuff like credit card numbers and other private data. Announcing to the public that you are not at home is like having a ‘kick me’ sign on your back. It’s even worse, because you put the sign on back yourself!

A few years ago, there was a rash of burglaries in the Washington D.C. area. All of the burglaries happened in the fall during football season. It was discovered that all the homes that had been burglarized had received anonymous tickets to watch the Redskins play. Redskins tickets were really hard to get, so many of the people who got the tickets went to the game. The bad guys then watched the homes that had received tickets and waited as the homes cleared out for the afternoon. The bad guys figured out that paying even hundreds of dollars for each ticket was a cheap investment compared to what they could steal from the homes. Many people who should have thought twice about the free tickets didn’t give it a second thought and opened themselves to being violated by the burglars.

Online security is about more than passwords and secure online ordering. YOU are responsible for your security. Pattern your online behavior after your face-to-face interactions and you’ll be safer.

Check out this article in the BBC.

Peter L

Good passwords and how to use them

More and more, we’re seeing attention being given to passwords and personal security. It seems obvious that passwords are an integral part of securing your personal data, but that part of the security message seems to have been glossed over until recently. Ever notice the strange looks you get from your friends or even the IT guy when they see you taking precautions to not reveal your passwords? If so, congratulations, you’re ahead of the curve on this one.

A lot of the recent articles and blogs are about creating really good passwords. Many of the ideas are sound: create a string of characters and numbers that you will remember but that can’t be easily guessed – not even by people who know you. Your password shouldn’t be a word or a set of consecutive numbers or letters, or a date, like your birth date or anniversary. (Since your pet’s name is presumably a word, it’s ruled out by default!)
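The rules above (not a word, not a run of consecutive letters or digits, not a date) can be turned into a simple checker. This is an added example, not Sticky Password’s own code; the word list is a constructed stand-in for a real dictionary, and the sequence length of 4 is an assumption.

```python
import re
from datetime import datetime

# Constructed stand-in for a real dictionary (assumption): a few common
# password words, including the 'princess1' and 'Precious' examples above.
COMMON_WORDS = {"password", "princess", "precious", "welcome",
                "dragon", "letmein", "monkey", "sunshine"}

# Ordered alphabets and keyboard rows used to spot consecutive runs.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Date layouts people typically use for birthdays and anniversaries.
DATE_FORMATS = ["%Y%m%d", "%d%m%Y", "%m%d%Y", "%y%m%d", "%d%m%y", "%m%d%y",
                "%d/%m/%Y", "%m/%d/%Y", "%d-%m-%Y", "%m-%d-%Y", "%Y-%m-%d"]

RUN_LENGTH = 4  # assumption: 4 consecutive characters counts as a run


def is_dictionary_word(pw):
    """True if the password is a listed word, ignoring trailing digits
    (so 'princess1' is still caught as 'princess')."""
    core = re.sub(r"\d+$", "", pw.lower())
    return core in COMMON_WORDS


def has_run(pw, length=RUN_LENGTH):
    """True if the password contains a forward or backward run of
    consecutive letters, digits or keyboard keys ('abcd', '4321', 'qwer')."""
    s = pw.lower()
    for seq in SEQUENCES:
        for start in range(len(seq) - length + 1):
            chunk = seq[start:start + length]
            if chunk in s or chunk[::-1] in s:
                return True
    return False


def looks_like_date(pw):
    """True if the whole password parses as a date in a common layout."""
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(pw, fmt)
            return True
        except ValueError:
            continue
    return False


def password_problems(pw):
    """Return the list of rules from the post that the password breaks;
    an empty list means it passed all three checks."""
    problems = []
    if is_dictionary_word(pw):
        problems.append("dictionary word")
    if has_run(pw):
        problems.append("consecutive sequence")
    if looks_like_date(pw):
        problems.append("date")
    return problems
```

Passing these checks is the minimum, not a guarantee of strength; a real deployment would use a full dictionary and a breached-password list as well.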

So, now you have a great password – great! But what about the rest of the passwords you need for all those online accounts and applications? What’s that? You only have a couple. Really?

When I ask people about the number of passwords they have, most folks say something like ‘only a couple’, or ‘around 10’. No one ever says 30 or 50 – BUT when you ask them to really think about the number of email accounts (hotmail, yahoo, gmail, etc.), banks, e-commerce sites (amazon, zappos, Barnes & Noble, online department stores, and on and on), travel sites (Travelocity, orbitz, priceline, expedia, etc.), local and other government sites, not to mention blogs and other special interest sites, people are surprised to discover that they really have quite a few. And the list just keeps getting longer and longer.

Keeping them all straight is a big part of safe password usage. That’s where the password manager comes in. It is very difficult to manage in your head all of the good and unique passwords that you’ll need for all of the sites you visit. If you are stressing and spending lots of energy hiding passwords in your datebook or in spreadsheets, you should consider Sticky Password. You’ll have a strong, unique password for each site and you’ll have access to them wherever you go.

Follow sound rules and create a strong password that you won’t forget and that no one is likely to guess: use that as your Master Password in Sticky Password. Let Sticky Password create and manage all your other passwords.

Peter L

Online security and relationships – a bad mix!

I hope you all enjoyed Valentine’s Day! After reading the previous post, I hope that you all included a note to your beloved in that box of chocolates in which you announced that you’ve changed your shared gmail password. :-) Here are a couple of articles that came out recently that highlight the fact that feelings and security often don’t mix.

In Broken hearts put holes in wallets – the author stresses that “[f]raudsters know that trust is the key to profiting from love”. The bad guys know that people are very likely to share private info including passwords and other data once a ‘relationship’ is built. It’s a game that takes time, but the bad guys have all the time it takes to use social networks to build a sense of trust and then to get your data. (I picture the bad guys sitting at computers with all sorts of chats going on simultaneously like the guys in the park who play several games of chess at once with the punch clock.) Make it your policy to not share your personal data with anyone and you’ll be much safer.

Black hat hackers on demand is scarier. Here we find out just how easy it is for someone you know to pay someone to do the dirty work: your ‘ex’ pays a few bucks and soon you receive an invitation where you have to enter your password yourself. They pay the money and get your password and access information. Here’s where your diligence comes into play. It takes discipline, but it’s up to you to make sure that before you click on anything or enter your access data anywhere, you know who it’s from. The bad guys in this scenario pretend to be someone you know. This makes it harder to resist the immediate click, but it’s worth waiting a few minutes to confirm who sent it. So much for instant gratification… but you’ll be safer for it!

Peter L