How to stay safe on the Internet – trust no-one

Working close to the IT industry as I do, it’s hard to avoid the blizzard of announcements and general excitement around the growth of the Internet of things allied to location-based services. This, we are told, will be a great new way to market your goods and services to consumers.

You can get your sales assistants to greet shoppers by name! You can tell them about bargains by text as they walk past your store! You might even ring them up! Exclamation marks added for general effect.

But here’s the thing. Most people don’t trust big corporations any more, according to the recently published 2013 IT Risk/Reward Barometer report. Instead, finds this international study: “Across all markets surveyed, the vast majority of consumers worry that their information will be stolen (US: 90%, Mexico: 91%, India: 88%, UK: 86%).”

As a result, blizzard marketing of the kind that triangulation technologies now permits makes people feel uneasy at best and downright annoyed at worst. People ask themselves questions about who has their data, how they got it, and what control they have over that data once it’s escaped into the ether.

From ISACA’s point of view, this is largely the fault of individuals who don’t control their passwords properly or otherwise secure their systems. It’s an auditing organisation, so that’s not an unusual position to adopt. But I think it goes further than that.

As the study also points out: “Institutional trust is a critical success factor in an increasingly connected world. […] Organisations have much work to do to increase consumer (and employee) trust in how personal information is used.”

In other words, companies need to work harder at winning your trust. Does that make you feel any better?

This is clearly not an issue that will be solved – ever. For every ten organisations that are trustworthy and manage personal data responsibly – you do read that text-wall of privacy policy each time you log onto a new site, don’t you? – there will be one that doesn’t. Even if all companies were trustworthy, people will still make mistakes and hackers will win the security battle from time to time, resulting in compromised personal data.

The only rational policy for the rest of us to adopt is to trust none of them, and that is what this study shows most people tend to do.

The least you should do is to use long, complex passwords and change them regularly, using a password safe (e.g. KeePass) so you don’t have to commit them to memory – or worse, to bits of paper.

FYI, the study was conducted by ISACA, which describes itself as “an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.”

Solving the ‘too many passwords’ problem

Recent events at Evernote, which was hacked and whose file containing users’ passwords could have been stolen, remind us that, despite the insistence of the IT security industry that passwords offer poor security, that’s what we all continue to use. But there is a way to make remembering passwords easier.

As ever, there’s a trade-off between convenience and security and, it would appear, most of us, especially at the small business and consumer level, don’t want the hassle that stronger security involves. Usually, it involves some form of two-part authentication – something you know and something you have – and the banks have gone furthest in implementing this. You know the drill: give us a number and then tell us something else you know.

I reckon most people can cope with this – even I, with my appalling memory, can handle it.

And then there are the burgeoning numbers of passwords we need to remember for the rest of our lives, which, whether we like it or not, we are increasingly being forced to conduct online. And this is my point.

I’ve been accessing online services since 1992, so I’ve used a lot of passwords. To start with, there weren’t that many, and it was easy to remember them. The number of services grew and I started using the same or similar passwords for services that fell into the same category.

That’s not great security – so after hunting for a solution, I discovered a free, lightweight password generator which I used for over 10 years – until about three years ago.

What happened? The generator worked fine and produced unique passwords tied to the name of the service, but it had a number of limitations.

First of these was its inability to tune passwords to the requirements of some sites – the ones that demand a specific password length and/or format – so many digits and capitals, and no repetitions, for example.

The second was more serious: it was Windows-only. That was fine at first as I still run mainly Windows, but as mobile devices have become more capable, I now access multiple services on tablets and smartphones too – they don’t run Windows.
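The first limitation above, a generator that cannot be tuned to a site’s rules, is easy to avoid. The following is an added example, not code from the post or from any generator or password safe the post mentions: it draws characters from the operating system’s random source and keeps only candidates that satisfy a policy (length, minimum counts of digits, capitals, lower-case letters and symbols, and optionally no character used twice, which is my reading of “no repetitions”). The `Policy` defaults and `DEFAULT_SYMBOLS` are constructed for illustration, not any real site’s requirements.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Constructed symbol set; sites differ, so this is a parameter of the policy.
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"


@dataclass(frozen=True)
class Policy:
    """Constraints of the kind sites impose (constructed defaults, not any real site's rules)."""
    length: int = 20
    min_digits: int = 2
    min_upper: int = 2
    min_lower: int = 2
    min_symbols: int = 1
    symbols: str = DEFAULT_SYMBOLS
    no_repeated_chars: bool = False  # True: every character may appear at most once

    def alphabet(self) -> str:
        return string.ascii_letters + string.digits + self.symbols

    def __post_init__(self) -> None:
        needed = self.min_digits + self.min_upper + self.min_lower + self.min_symbols
        if needed > self.length:
            raise ValueError("policy demands more characters than its length allows")
        if self.no_repeated_chars and self.length > len(self.alphabet()):
            raise ValueError("cannot forbid repeats with a length longer than the alphabet")


def meets_policy(pw: str, policy: Policy) -> bool:
    """Check a candidate against every rule of the policy; also rejects characters
    outside the allowed alphabet (whitespace, accented letters, ...)."""
    if len(pw) != policy.length:
        return False
    if sum(c.isdigit() for c in pw) < policy.min_digits:
        return False
    if sum(c.isupper() for c in pw) < policy.min_upper:
        return False
    if sum(c.islower() for c in pw) < policy.min_lower:
        return False
    if sum(c in policy.symbols for c in pw) < policy.min_symbols:
        return False
    if policy.no_repeated_chars and len(set(pw)) != len(pw):
        return False
    alphabet = policy.alphabet()
    return all(c in alphabet for c in pw)


def generate_password(policy: Policy = Policy(), max_attempts: int = 100_000) -> str:
    """Rejection sampling: draw uniformly from the alphabet with the OS CSPRNG
    (secrets, never random) and keep the first candidate that meets the policy.
    Every accepted password is equally likely, which fixed 'insert a digit at
    position 3' tricks would not guarantee."""
    alphabet = policy.alphabet()
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if meets_policy(candidate, policy):
            return candidate
    raise RuntimeError("could not satisfy the policy; it is probably too restrictive")


def entropy_bits_upper_bound(policy: Policy) -> float:
    """log2 of the number of unconstrained strings; the rules only remove
    candidates, so the real entropy is at most this value."""
    return policy.length * math.log2(len(policy.alphabet()))


if __name__ == "__main__":
    strict = Policy(length=16, min_digits=3, min_upper=2, min_lower=2, min_symbols=1,
                    no_repeated_chars=True)
    print(generate_password(strict), round(entropy_bits_upper_bound(strict), 1), "bits max")
```

Because acceptance is by rejection, a very restrictive policy (short length, many required classes, no repeats) slows generation down rather than weakening it; the `max_attempts` guard turns an impossible policy into an error instead of a loop.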

At that point, the answer was clearly a password safe. After some research I lit on KeePass. As the product’s website says: “KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).”
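To make concrete what “locked with one master key or a key file” means, here is an added example that is not KeePass’s code or file format: the unlock factors that are present (a master password, a key file, or both) are each hashed and combined into one composite key, which is then stretched with PBKDF2 before it would be handed to the cipher. The `PBKDF2_ITERATIONS` value and the verifier label are constructed for illustration; the example stops at the derived key rather than encrypting a database.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # constructed value; raise it as hardware gets faster


def composite_key(master_password: Optional[str], key_file_bytes: Optional[bytes]) -> bytes:
    """Combine whichever unlock factors are supplied into one 32-byte key.
    Each factor is hashed on its own and the hashes concatenated, so a key file
    adds its full entropy to a weak password rather than merely replacing it.
    Illustrative scheme, not KeePass's actual composite-key construction."""
    if master_password is None and key_file_bytes is None:
        raise ValueError("at least one unlock factor is required")
    parts = b""
    if master_password is not None:
        parts += hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        parts += hashlib.sha256(key_file_bytes).digest()
    return hashlib.sha256(parts).digest()


def derive_database_key(composite: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the composite key; every offline guess has to pay these iterations too."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def make_header(composite: bytes, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Parameters a locked store would write next to its ciphertext: a fresh salt,
    the iteration count, and a verifier so a wrong key is detected cleanly."""
    salt = os.urandom(16) if salt is None else salt
    key = derive_database_key(composite, salt, iterations)
    verifier = hmac.new(key, b"example-store-verifier", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header: dict, composite: bytes) -> Optional[bytes]:
    """Return the database key if the supplied factors match the header, else None."""
    key = derive_database_key(composite, header["salt"], header["iterations"])
    expected = hmac.new(key, b"example-store-verifier", hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, header["verifier"]) else None


if __name__ == "__main__":
    keyfile = os.urandom(64)  # constructed stand-in for a key file on disk
    both = composite_key("correct horse battery staple", keyfile)
    header = make_header(both)
    print("unlocked with both factors:", unlock(header, both) is not None)
    print("password alone suffices:", unlock(header, composite_key("correct horse battery staple", None)) is not None)
```

The second line printed is `False`: once a key file is part of the composite key, the password on its own no longer opens the store, which is the point of carrying the key file on a device you control rather than in the cloud.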

Even better, it’s cross-platform – as well as Windows, there are versions for iOS, Android, MacOS, J2ME, BlackBerry and Windows Phone 7 – and it works. You can drive it using hotkeys so, for example, Ctrl-Alt-K brings up the database containing your passwords, which you can import from pretty much any file format you like. Other hotkeys will auto-type passwords and/or usernames into your web browser, or you can cut and paste them, in which case the software removes them from memory after a short while to enhance security.

There’s a host of other features but it’s a very easy application to set up and to use – you can get into the more advanced stuff when you’re good and ready. For example, Evernote asked all users to reset their passwords following the hack. KeePass generated a new password for Evernote to a security standard I’m happy with, and that was it – no dramas.

So if you ever find that you have too many passwords to remember, take a look at KeePass: free, easy to use, and does the job superbly, in my view.

UPDATE 7 June 2017
Since writing this blog post, I’ve continued to use KeePass and have not changed my positive opinion of it. I’d say though that it remains head and shoulders above an oft-touted alternative, LastPass, which is cloud-based. This means that your password and other data are not always under your personal control – and that if the company is hacked (as almost all large targets at some point are more likely to be), then your database could be vulnerable.

Far better to stay in full control, using your own resources and two-factor authentication (2FA) to sync the password database: the combination of 2FA and encryption is mighty tough (you can never say impossible but it’s as good as in practical terms) to break.

On the other hand, I’ve stopped using Evernote, having found that Microsoft’s OneNote does it better – and remains free to use.