
Computer security and privacy


Increasing Privacy and Security

Opera Browser with VPN
Signal text and voice for iOS and Android
Proton Mail for inside out email privacy

Piecing Together More Privacy

Privacy and security are closely tied in our digital world. Easy and complex ways exist to protect, or at least increase, both. How and where you browse the web, your means of communication, and how much you allow yourself to be tracked are areas of vulnerability that you can control, perhaps a little more than you do now. All of these options are free, and some offer paid upgrades. All accept donations.

Browsing the Web

The options here are many. Some are more cumbersome, and some are nearly invisible. Some on the list are redundant. If you have “accidentally” installed a browser extension designed to help (aka hijack) your browsing experience, get rid of that first.

Opera Browser

In 2016, Opera, that other web browser, began including an integrated VPN (virtual private network). It’s not complete privacy, but as your request travels through the ether, much of the information is obscured. Most of us don’t need to hide what web sites we are visiting, but if you can hide it, why not? It’s my new default.

A VPN is a private, encrypted tunnel through the internet. It’s difficult, if not impossible, for the sites you visit to trace the tunnel back to its origin point, so your privacy is increased.

Privacy Badger

The EFF (Electronic Frontier Foundation) offers an anti-tracking browser add-in called Privacy Badger. It keeps Amazon from knowing that you looked at plaid shoes at Zappos so that it can offer up plaid shoes.

HTTPS Everywhere

Another browser add-in that looks for secure web connections, again from the EFF. The S in HTTPS stands for secure. “The HTTPS Everywhere extension fixes these problems [ducking out of security] by using clever technology to rewrite requests to these [unencrypted] sites to HTTPS.”

Ghostery

I have not tried Ghostery, but have heard good things about it. “Make informed decisions about the personal data you share with the trackers on the sites you visit.”

Text Messages (SMS)

iMessage

If you own an iPhone and use iMessage, you have fairly robust privacy protection within the Apple ecosystem.

Signal

Signal for iOS and Android offers end-to-end encryption within its system. You have to give up some privacy to Signal by giving it access to your contacts. It uses that information to let you know who else, by phone number, has Signal. “We cannot hear your conversations or see your messages, and no one else can either. Everything in Signal is always end-to-end encrypted, and painstakingly engineered in order to keep your communication safe.”

Signal also puts their privacy and security expertise in a system to make secure phone calls. Imagine that.

Email Communication

Email is a tough place to keep your privacy. So many points of vulnerability exist that it’s difficult as an individual to know where to start and where to end in securing your communication. Again, most of your email could be shared with the world and it wouldn’t make a difference. But there are times when you may want secure, impenetrable email.

ProtonMail

ProtonMail is designed to be a closed system that can interact with all email systems. Within the ProtonMail system (sending from a ProtonMail address to another ProtonMail address), communications are about as secure as they can get. “Because data is encrypted at all steps, the risk of message interception is largely eliminated.” Not even the folks at ProtonMail can get to your data. They designed it that way, including basing themselves in Switzerland with all the privacy advantages that offers.

“When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser, which they can decrypt using a passphrase that you have shared with them. You can also send unencrypted messages to Gmail, Yahoo, Outlook and others, just like regular email.”

There’s some overhead with ProtonMail. Users must sign into their account and then use an additional password to get into their email.

OMG Passwords are Killing Me!

The purpose of passwords is to protect your information. We all know a bit about passwords, and sometimes what we know becomes dated. Here’s some information if you want to get in better shape. If a password is easy to remember, chances are it’s easy to guess. All passwords are crackable; it’s just a matter of time. Strong passwords would take centuries to crack with 2016 technology.

Basics about passwords:

  • Make them long, like 12-16 characters
  • Do not follow common patterns like alphabetic or numeric order
  • Do not follow keyboard patterns like consecutive keys “asdfg” or “uiop”
  • Don’t use names (human or pet) or words found in the dictionary
  • Don’t use numbers associated with you or those in your life, like your birthday, your house number, or any other set of numbers that might be easily guessed
  • Don’t substitute @ for a, 0 for O, 3 for E, 4 for A, etc. These are worthless in creating a stronger defense
  • Do add numbers, special characters and miXed cAse characters
  • Don’t reuse passwords
  • Don’t use numbers or special characters only at the beginning or end of a password

Impossible, right? Well, if you are not perfect, here are some tips and links. Some of your information is more valuable than the rest, and I’d like to suggest that some passwords are more important than others. Think of the places you use them as falling into three buckets: Critical, Important, and Simple.

Critical Passwords

Anywhere you would use a critical password could have significant consequences if the password is hacked. Passwords associated with your finances or deeply personal information should use critical passwords.

Critical passwords are:

  • Unique: They get used only in one place
  • Particularly Long: The longer the password, the harder it is to crack

Keeping critical passwords unique is important so there’s not a cascade of breaches. If one is hacked, but absolutely unique, it can’t be used to compromise other important sites.

Unfortunately, critical passwords are likely to be passwords you use frequently, so there’s a temptation to cheat. You might reuse a critical password, use a common mnemonic, or develop a pattern in the password that’s easy to compromise. See below for tips on dealing with this.

Important Passwords

Use important passwords in places where a moderate amount of security is advisable. These can have a pattern of your choosing (one that’s not too obvious) that changes per site. Mnemonics can help, but don’t make them guessable.

Simple Passwords

Use simple passwords where the consequences of a breach are fairly insubstantial. If your primary online reputation is not at stake, and you have no stored credit card information, use a simpler password. This is the one place you might allow yourself to repeat passwords. Always consider what the consequences would be if someone who obtains the repeated password tries it everywhere else you use it.

I also advise that it’s OK to have a shorter password/PIN when logging into your computer. Don’t have one? You should, especially on laptops.

Tools

The biggest tip is that you cannot keep all your passwords in your head. What many people lack are the right tools to keep track of all these passwords. Here are two basic tools.

Pen and Paper

I know lots of people who have scraps of papers and scribblings in notebooks. They seem like a good idea, but how does the system work when you have to reset your password, or when you write it down, but don’t tie that note to a particular account?

There’s some thought that an ordered notebook (yes, paper) in an inconspicuous spot is a good system. It’s only in one spot and may be difficult for a thief to find. Of course, there are downsides to having it only in one spot, primarily that only a single copy exists. And what if the notebook is not with you?

Password Manager

The solution I like the best is a password program. I like 1Password, which I have on my iPhone, iPad, Windows computer, and OSX computers. The program is designed to sync across devices, overcoming the limitation of the paper notebook.

Other programs include LastPass, KeePass and Dashlane. When making a decision on what’s right for you, make sure they are cross-compatible with all your electronics.

Most password managers will also help you generate strong passwords.

Strategy

Random

The best strategy is to let a program create a seemingly random password for you, something that might look like: 0QnjqXJqgP3KNwgh. This password is 16 characters and has upper and lower-case letters as well as numbers. It’s lacking special characters, but still rated as Excellent. The only real way to use such effective passwords is to record them in some way. See above.
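As an added example (not code from the original post), here is a checker that applies the post’s own “Basics about passwords” rules, plus a generator that draws from the operating system’s CSPRNG and retries until the checker passes. The word list and keyboard rows are small constructed samples, not a real dictionary.

```python
import re
import secrets

# Rules from the post's "Basics about passwords" list. The word list and
# keyboard rows are small constructed samples, not a real dictionary.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SMALL_DICTIONARY = {"love", "tom", "plants", "water", "password", "summer"}
LEET_MAP = str.maketrans("@0341$", "aoeias")  # substitutions the post calls worthless
CLASSES = [("no lowercase", r"[a-z]"), ("no uppercase", r"[A-Z]"),
           ("no digit", r"\d"), ("no special character", r"[^A-Za-z0-9]")]

def has_run(s, n=4):
    """n consecutive letters or digits in ascending/descending order ('abcd', '4321')."""
    s = s.lower()
    for i in range(len(s) - n + 1):
        frag = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(frag, frag[1:])}
        if steps in ({1}, {-1}) and (frag.isalpha() or frag.isdigit()):
            return True
    return False

def has_keyboard_pattern(s, n=4):
    """n adjacent keys from one keyboard row, in either direction ('asdf', 'poiu')."""
    s = s.lower()
    return any(row[i:i + n] in s or row[i:i + n][::-1] in s
               for row in KEYBOARD_ROWS for i in range(len(row) - n + 1))

def check_password(pw, min_len=12):
    """Return the post's rules that pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short (want 12-16+)")
    if has_run(pw):
        problems.append("alphabetic/numeric sequence")
    if has_keyboard_pattern(pw):
        problems.append("keyboard pattern")
    # Undo @/0/3/4-style substitutions before looking for words and names.
    if any(w in pw.lower().translate(LEET_MAP) for w in SMALL_DICTIONARY):
        problems.append("dictionary word or name")
    problems += [label for label, pat in CLASSES if not re.search(pat, pw)]
    if re.search(r"[^A-Za-z]", pw) and not re.search(r"[^A-Za-z]", pw[1:-1]):
        problems.append("digits/specials only at the ends")
    return problems

def generate_password(length=16):  # CSPRNG draw, retried until the checker passes
    alphabet = "".join(chr(c) for c in range(33, 127))  # printable ASCII, no space
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
```

Run against the post’s own sample, `check_password("0QnjqXJqgP3KNwgh")` reports only the missing special character, matching the post’s assessment.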

Passphrase

For a period, passphrases were considered an improvement because of their length. Stringing together four or five words of three or more letters each gives something that is both long and easier to remember. Current thinking is that it’s too difficult for people to choose five truly random words, and if they are all in the dictionary, that doesn’t help. Add punctuation to help you remember and to add complexity.

Here’s a well-circulated cartoon from xkcd: Password Strength. Again, this is a better strategy, but not the best. If you go this route, add some special characters that are not common substitutions.

Personal Mnemonic

One way to get a unique password is to use the first letters from a phrase, sentence, song lyric, or poem that you know or love. Perhaps it is an affirmation. All the other rules should still apply, though. ILTom (for I Love Tom) is easily guessable, too short, doesn’t have any numbers or special characters, etc. If a whole word is embedded, it can add length without significantly increasing risk.

Examples

InnP,dImdphaa
(I need no permission, did I mention Don’t pay him any attention) That’s 13 characters and has one symbol and three capital letters.

O,iatcwamwfaw!Iwnstabantpof!
(Oh, if a tree could wander and move with foot and wings! It would not suffer the axe blows and not the pain of saws!) That’s long and cumbersome, but serves as an example.

Mpllowfgt
(My plants love lots of water for growing tall) This password is too short to be really good without modification. However, it could be a good base to make something better: Mpllow4gt, Mpllowater4gt, MpLlotsow4^t, etc.

Review Common Passwords

Reviewing a list of the most common passwords can provide examples of what not to do. When analysts get hold of leaked password lists, they produce some eye-opening rankings. Sometimes these get summarized in short articles, which also provide tips like the ones here.
Pay attention, and don’t be embarrassed if you thought you had the best system. Use these lists and articles to improve your passwords.

Links