Friday, January 17, 2014

Windows 8 Microsoft Account Login Complaints

I think that using a Microsoft Account as the method to login to a computer is bad security.

I have been trying to shore up the security of my online accounts recently.  The way I've been doing it is to use my password manager, Easy Password Storage, to create random passwords for each of my website accounts.

Then, when I need to visit a website, I open Easy Password Storage and copy my password to the clipboard so that I can paste it into the website I'm visiting (I try to use at least 36 random characters to prevent brute force attacks, which means I don't know my passwords by memory any more).  The app makes this easy by launching the appropriate URL and copying my password to the clipboard so that I can paste it into the website's login form.

Window 8 allows me to set up my PC login using my Microsoft Account.  The problem is that when I'm logging into a computer I need a password that I can remember because I can't access my app to copy and paste my password when logging in to my PC.

My Microsoft Account protects much more than just my PC login: it protects my apps, my financial data, email and more.  I want a secure password, but there's no way I can remember 36 random characters each time I launch Windows.

I think the solution here would be to have a separate PC login password when using your Microsoft Account to log into your PC.  The chances of anyone at Microsoft reading this blog are slim, but I suppose it could happen....

Until then I think there are some alternatives, like using a PIN or a picture password...  they don't seem very secure to me either but I guess it's the only option if I want a very secure password for my Microsoft Account.  Maybe someone can recommend a more secure method in the comments?

Easy Password Storage, by Rebrand Software, LLC is currently available at the following locations:

Thursday, January 16, 2014

Securing Your Online Identity After Being Hacked

The other day my Twitter account @MikeKGibson was hacked.  The attacker sent out messages to everyone who follows me with URLs to other twitter users' status updates, which in turn were links to suspicious websites.

Luckily, I caught it within an hour before the hackers had a chance to tweet something like "I like to #SniffMyOwnButt" on my behalf.  I tweeted my followers warning them not to click on the links.

But, worst of all, the attackers now have access to my password, giving them easy access to any other website where I used the same password.  Let's be honest, many of us use the same or similar passwords on all our website accounts.

If your own passwords are ever compromised ("before your own passwords are compromised" may be more accurate) here are steps you can take to minimize the damage by using a password manager app like my own Easy Password Storage.

The idea is not only to create strong passwords that cannot be brute forced, but to use a unique password for every website you visit.  That way one stolen password cannot be used to access any account but the one that is hacked.  You never know which big company is going to be hacked, or which website stores your passwords in plain-text.

Here is how I use Easy Password Storage to deal with this:

  1. Each time I create an account on a website I open my password manager, Easy Password Storage
  2. I add the account to my list and use the password generator to generate a random password with as many characters as possible.  I aim for at least 36 random characters if it is allowed by the website.
  3. I turn off "Save password" features of the browser.  It's a pain to lose this feature, but it's so easy for a hacker to gain access to them (have you ever tried typing "chrome://settings/passwords" in Chrome, for example?)
  4. When I know I'm going to visit a website that will require a password, like my bank, I tab over to Easy Password Storage, select my bank entry, and click the Launch button.  This copies my long, random password to my clipboard and opens my bank's URL.  Now I can simply paste my password in.
  5. I have Easy Password Storage set to erase my clipboard 30 seconds after I copy my password for extra security.
I won't lie, it's more time consuming to create random passwords for each website, but I suspect it's nothing compared to the time I would have to spend changing passwords and recovering accounts after a major hack.

Once you have put a system like this in place it means you no longer know your own passwords from memory.  It's important that you have access to your passwords on all your devices.  That's why Easy Password Storage has cloud sync as well as offline import/export ability.  

As a developer I have all sorts of computers (Mac, Windows, iPad, Android Tablet, Android phone) where I need to have access to my passwords, and Easy Password Storage keeps them encrypted and synchronized automatically in the Cloud.  For more information, here is an article I wrote on Using Easy Password Storage in the Cloud.

Luckily, my Twitter password was unique and can't be used to hack my other accounts. I recommend you put a similar process in place with your own accounts now: it's much easier to deal with hackers now, before they have a chance to get into your bank account or trick people into thinking you #SniffYourOwnButt.

Easy Password Storage, by Rebrand Software, LLC is currently available at the following locations:

Tuesday, January 14, 2014

Using Easy Password Storage in the Cloud

Easy Password Storage is my password management app which has been receiving great reviews like:
"This is the best password app at the app store. You have to have it!" -The Bold Man, Mac App Store

"It’s simple, easy to use, high level of encryption and is fast, so not waiting ages for logins or anything. Very handy, I’d be lost without it." -dbirch, Mac App Store

Version 4 recently unveiled cloud support and mobile companion apps for the following platforms:

iOS / Android / Kindle / Windows Phone / Mac OS X / Windows (links to app stores below)

This version comes with the ability to synchronize passwords between all of your devices in the cloud. I want to touch on some of the ways you can benefit from using the free cloud service on your devices.

  • Backup: Even if you don't have multiple devices to synchronize you can still benefit form having an encrypted backup of your passwords in the cloud.  If you drop your phone in the toilet and replace it with a new one, just install the app and your passwords will be restored.
  • Similar Device Sync: One copy of the iOS app will work your iPhone, iPad and iPod as long as you're using the same apple account.  Add a password on one and it shows up instantly on the others.
  • Sync cross-platform: Add passwords on your iPhone, they show up on your Kindle Fire and your Windows Desktop versions of the app.
  • Easily switch phones: If you decide to switch from your Android phone to an iPhone in the future, no problem, your passwords will come with you.
Security is our number on concern.  Here is how the app handles your data before sending it to the cloud:
  1. Your passwords are encrypted by the app with your private Master Password with your choice of either Blowfish 448 bit or Advanced Encryption Standard (AES) 256 bit encryption. 
  2. Next, the app encrypts that data with our developer key using 448 bit encryption.  Now your data is doubly encrypted.  
  3. That data is encoded for extra security and ease of transfer
  4. A connection to the cloud server is established over an HTTPS connection
  5. The data is encrypted in transit to our cloud server using SSL
  6. Your private Master Password is never sent to the cloud or stored anywhere.  That means we can't access your passwords (and unfortunately means we can't recover them either, so remember your Master Password!)
  7. All that is done in reverse when the data is sent back to your devices.  Only an app with the same username, master password and encryption type can decrypt your data, and the user must be signed into your cloud account as well.
Even with that level of security you may still decide you want to backup or sync your data offline, which is why we have included the ability to import/export passwords encrypted in file or text format. The app can run completely offline and still keep your passwords synchronized.

Here are all the devices and app stores where Easy Password Storage is currently available:

iPhone/iPad/iPod - iTunes

Mac OS X - Mac App Store

Windows/Mac OS X -  Direct from

Windows Phone

Android - AppsLib