1Password: my top recommendation for password management on a Mac

    This post is the 7th in an ongoing series about passwords. You may want to check out the other parts by clicking on tag: passwords.

    ***

    In my last post on passwords, I talked about some really good options for PC users: KeePass and LastPass. The latter also works well on Macs, but in my mind, there is only one choice for Mac users: 1Password.

    Most of the brightest Mac users out there, including popular bloggers, podcasters, and other Mac gurus agree that 1Password is not only the best password manager for their Mac, it’s a must-have piece of productivity software that they can’t live without.

    1Password, made by Agile Web Solutions, also consistently receives accolades from well-respected online sources like Macworld, CNET, and the Mac Power Users podcast.

    Now, there are many, many great reviews of 1Password online. Just Google it, and you’ll see. In this post, I’m going to talk about 1Password from my point of view and focus on the features I use the most.

    Here are a few features and benefits of 1Password at a glance…

    • Store not only your passwords but also identities, notes, and other secure information
    • Excellent web browser integration
    • Excellent password generator
    • “Go & Fill” option in web browser plugins saves you tons of time
    • Great iPhone, iPod Touch, and iPad apps for accessing passwords on-the-go
    • Excellent automatic backup protection
    • Convenient syncing through Dropbox lets you get to your passwords anywhere

    Web browser integration

    To me, browser integration is probably the most important aspect of a modern password manager. Most of the passwords we juggle are for websites. The easier it is to create and fill passwords right in our browser, the more likely we are to utilize the password manager (and consequently increase the security of our online identities).

    When you install 1Password, it automatically installs plugins for all the browsers you have installed on your Mac (Safari, Firefox, etc.). Note that you may have to restart your browser to see the plugin appear (first time only).

    Once 1Password is installed and your browser plugins are in place, 1Password will prompt you to remember passwords any time you visit a site that asks for a username and password. The easiest way to begin filling 1Password up with your usernames and passwords is to simply visit sites as you normally would.

Once you save your information for a site, 1Password will remember it the next time you visit. And that next time, instead of having to type out everything, all you’ll have to do is click the browser plugin button (the “1P” button), and 1Password will display "Fill Site ABC" at the very top of the menu.

The “fill” feature has benefits beyond convenience. In order for 1Password to know which username/password to fill, it also has to remember the site’s address. So by simply using 1Password to fill passwords, you’re creating an additional safeguard against phishing: if you accidentally land on a malicious site that has been made to look like a legitimate one, 1Password won’t display the “Fill Site ABC” option, because the address doesn’t match the one it saved. If you expected a fill option and it isn’t there, flags should go up, and you should check the address bar before typing anything.
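As an added example (my own code, not 1Password’s, with made-up site names), this is the kind of address check that produces that safeguard: the plugin only offers a fill when the page’s origin (scheme, host and port) exactly matches the origin it saved with the login. Real managers differ in how strictly they match (a product might accept any subdomain of the saved site, for instance); the strict version here is the simplest one that defeats lookalike hosts and also refuses to fill over a connection that has been downgraded to plain http.

```python
from urllib.parse import urlsplit

# Constructed sample vault for this example (made-up sites, not real accounts).
# A manager stores the address of each login alongside the credentials.
VAULT = [
    {"name": "Bank ABC",  "url": "https://www.bankabc.example/login",  "username": "alice"},
    {"name": "WordPress", "url": "https://blog.example/wp-login.php", "username": "alice"},
]


def origin(url):
    """Reduce a URL to (scheme, host, port): the parts that identify a site.

    Path and query are deliberately ignored, so a login saved at /login
    still matches /accounts/summary on the same site.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, host, port)


def matching_logins(current_url, vault=VAULT):
    """Return the vault entries whose saved origin is exactly the current page's origin.

    Comparing whole origins (not substrings of the URL) is what stops a
    lookalike such as www.bankabc.example.evil.test from matching, and an
    https entry never matches an http page, so a connection that has been
    downgraded to plain http gets no fill offer either.
    """
    current = origin(current_url)
    return [entry for entry in vault if origin(entry["url"]) == current]


def fill_menu(current_url, vault=VAULT):
    """Menu items the plugin would show for this page; an empty list means 'flags should go up'."""
    return ["Fill %s" % entry["name"] for entry in matching_logins(current_url, vault)]


if __name__ == "__main__":
    for url in [
        "https://www.bankabc.example/accounts/summary",   # same site, different page
        "https://www.bankabc.example.evil.test/login",    # lookalike host
        "http://www.bankabc.example/login",               # same host, no TLS
        "https://blog.example/wp-login.php",
    ]:
        print(url, "->", fill_menu(url) or "(no match: check the address bar)")
```

Running the script shows a fill offer for the bank’s own pages and nothing at all for the lookalike host or the plain-http version of the real one.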

    Go forth and fill your way to simplicity

One of my favorite 1Password features is the “Go & Fill” option in the browser plugins. If I want to go to Bank ABC’s site, I can simply click the 1P button in my browser, select “Go & Fill Login,” and 1Password will take me straight to that site and fill my username and password instantly.

The Go & Fill menu lets you navigate to your passwords using the folders and tags you’ve assigned, or you can use the Search option. In the beginning, I was pretty diligent about organizing passwords with tags. But the more I’ve used 1Password, the more I rely on the search option. You can just start typing any part of the name of the site you wish to go to, and 1Password will instantly begin showing you matches. In this example, I type “word” and it displays two matches for my WordPress logins:

    Now, I can simply tab down, hit enter, or use my mouse to click the one I want. 1Password’s search is really good, and I find it extremely useful and convenient. For me, 1Password has essentially become a bookmark manager for sites that require passwords.

    1Password can even handle the virtual keypads that some bank sites are beginning to use. While increasing security by avoiding the keyboard (keystrokes can be captured by key loggers), these virtual keypads can be a nuisance. 1Password makes them a non-issue by filling them for you.

Agile Web Solutions has also made a nice video of the Go & Fill feature (embedded in the original post).

And don’t worry: 1Password requires you to enter your master password before using the browser plugins if you’ve just booted up your Mac or if it has been unattended for a while. So only you have access to your passwords, not just anyone who picks up your Mac. You can also lock it manually any time you want, and if you carry a laptop around it’s worth keeping that unattended timeout short.

    Generating passwords

    Another important item in the browser plugin menu is the Strong Password Generator. As you can see, there are all kinds of options for creating passwords. It also lets you know how strong the password is.

    Anytime you encounter a password field on the web, you can go to the Strong Password Generator to create a password for that field. It will even fill it in for you if you click the Fill button. Most of the time when you first sign up for a site or if you change your password, the site will require you to enter the password twice (to make sure you didn’t make a typo). 1Password will automatically fill both fields for you making this a snap.

    As you begin adding existing passwords to 1Password, I highly recommend changing to more complex passwords using the Strong Password Generator. Remember that 1Password will keep up with them for you; it’s not necessary to remember them. Don’t worry–I’ll go over options for getting to your passwords when you’re away from your Mac later.
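What “strength” means in those meters is entropy, the number of random bits in the password. Here is an added example (mine, not 1Password’s or KeePass’s generator) of a generator like the ones described in this post and in the KeePass section later: it draws from toggleable character classes using the operating system’s secure random source, optionally skips look-alike characters, and rates the result from length and alphabet size. The rating thresholds are this example’s choice, not either product’s.

```python
import math
import secrets
import string

# Character classes a generator typically lets you toggle.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}
AMBIGUOUS = "Il1O0|"          # easy to misread when a password must be typed by hand
DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")


def alphabet_for(classes=DEFAULT_CLASSES, avoid_ambiguous=True):
    """Per-class pools after the optional removal of look-alike characters."""
    pools = []
    for name in classes:
        chars = CLASSES[name]
        if avoid_ambiguous:
            chars = "".join(c for c in chars if c not in AMBIGUOUS)
        pools.append(chars)
    return pools


def generate(length=20, classes=DEFAULT_CLASSES, avoid_ambiguous=True):
    """Random password with at least one character from every selected class.

    Uses the secrets module (the OS CSPRNG); random.choice and random.shuffle
    are not suitable for anything secret.
    """
    pools = alphabet_for(classes, avoid_ambiguous)
    if length < len(pools):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(pools)
    chars = [secrets.choice(pool) for pool in pools]                  # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    for i in range(len(chars) - 1, 0, -1):                            # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password: length * log2(alphabet).

    Slightly overstates the case for generate(), whose one-per-class rule
    removes some passwords from the space; at 20 characters the difference
    is a fraction of a bit.
    """
    return length * math.log2(alphabet_size)


def strength_label(bits):
    """Coarse rating like the meters in 1Password and KeePass; thresholds are this example's choice."""
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    if bits < 96:
        return "good"
    return "strong"


def describe(length=20, classes=DEFAULT_CLASSES, avoid_ambiguous=True):
    """Generate a password and report its estimated entropy and rating."""
    pools = alphabet_for(classes, avoid_ambiguous)
    bits = entropy_bits(length, sum(len(p) for p in pools))
    return generate(length, classes, avoid_ambiguous), round(bits, 1), strength_label(bits)


if __name__ == "__main__":
    for n in (8, 12, 20, 32):
        print(describe(n))
    # A 20-character password over all four classes (82 usable characters) is
    # about 127 bits: far beyond anything worth memorizing, which is exactly why
    # you let the manager remember it.
```

Note the two things the meter cannot see: a generated 8-character password rates “weak” even though it is random, and a human-chosen 20-character phrase would rate “strong” here even if it is a famous quotation. Entropy estimates are only honest for passwords the generator made.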

    Exploring the insides of 1Password

    Once you’ve got a password or two stored in 1Password, you might want to look inside it. 1Password is really a beautifully designed application. You can click the image below to see a bigger version.

    Each account login you store has its own entry inside 1Password. If you ever want to manually copy the password, 1Password allows you to easily do that too.

    For each account, you can click Edit to do all sorts of things like changing your password, adding attachments (e.g. files, photos), and even notes. You can also see and edit the various bits of information 1Password has collected for the account shown under “All Fields.”

    In the simple example shown, only the username and password fields exist, but 1Password can record a number of other items automatically. If you click in a password field, the * symbols turn into your actual password allowing you to see and also edit it.

    Other things

In the screenshot of the full program above (3 photos up), notice the items in the left sidebar. The top item, Logins, contains all login information you store for websites, but there are 5 more categories of things you can store as well:

    • Accounts - Use this to store passwords for items like routers, iTunes, and other items that reside on your computer, not on the web.
    • Identities - 1Password lets you store form information like name, address, city, etc. 1Password will fill this information in forms online if you give it permission.
    • Secure Notes - Use this to store various notes that you want to keep locked behind a password.
    • Software - Use this to store software licenses. If your Mac is ever stolen, or if you need to reinstall software, you’ll have all your software licenses in one easy-to-find location.
    • Wallet - 1Password will store credit card and other financial account numbers. It will even fill these for you when you buy items online. Use this if you want the extra convenience of not having to pull out your credit card when shopping online.

    Ultimately, it’s up to you to decide how much information you want to store in 1Password. As you add information, I recommend considering the value of storing it in one place versus the unlikely chance that it falls into the wrong hands. As long as your master password is strong, you don’t have much to worry about. But there are some things like social security numbers that I have chosen not to put into 1Password. I made this decision simply because I don’t need a program to keep up with that for me. That’s one number I’ve definitely memorized.

    Even in the very unlikely event that someone somehow got into my 1Password file, I can easily begin changing my passwords for all important sites. I can’t change my social security number, however.

    But to emphasize again, as I have earlier in this series, putting online passwords in one secure file is far, far safer than maintaining a few simple passwords in your head. If you only decide to use the Logins section of 1Password, it’s well worth it.

    1Password on the go

    At this point, you may be thinking “1Password sounds great, but I’m worried that I’ll be locked out of my sites if I’m away from my Mac.” There are several great solutions to this problem.

    In the screen shots above, you’ll notice a Sync section in the left sidebar. 1Password has great apps for the iPhone, iPod Touch, and iPad. I personally use 1Password on my iPod Touch and iPad. 1Password allows you to easily sync your passwords to these devices right over your wi-fi network at home. It automatically detects when the devices are online and syncs in seconds.

So when I’m away from my Mac, I have all my passwords with me since I usually carry my iPod Touch in my bag. 1Password’s mobile apps probably deserve a full post of their own. They are brilliantly designed and will even fill passwords for you on the device. Everything stays behind your master password, so even if your mobile device gets lost or stolen, your data stays locked (as long as that master password is a strong one).

    Don’t have an iPhone, iPod Touch, or iPad? There’s still another way to get to your passwords away from home.

1PasswordAnywhere is designed to let you get at your 1Password information from any computer that can open your keychain file, even one without 1Password installed. It sounds like a separate program, but it’s not. The file that stores your 1Password information on your Mac is something called a package, which the Finder shows as a single file. Open the same package on any other computer (even a PC or Linux computer) and it appears as an ordinary folder.

Inside that folder you’ll find an HTML file called 1Password.html. Simply double-click this file, and you’ll be presented with a web page that looks just like the main 1Password login screen on your Mac. After entering your master password, you’ll see all of your login information. The unlocking happens right in the browser on that computer, so only do this on a machine you trust: a computer with a key logger on it would capture your master password and, with it, everything in the file.

    So how might you get access on another computer? One method would be to store a copy of your 1Password keychain file on a portable memory device like a USB stick. But the absolute best way is to store your 1Password keychain in Dropbox.

    Dropbox truly deserves its own post, and I plan to write one at some point. But in short, Dropbox is a great (and free) way to synchronize files and folders of all kinds across different computers. It’s very easy and useful.

If you store your 1Password keychain in Dropbox, you don’t even have to download it to access it. You can simply log into your Dropbox account online (anywhere you have an Internet connection) and click the 1Password.html file there. It functions just like a normal web page right in your browser. Keep in mind that anyone who gets into your Dropbox account gets a copy of your (encrypted) keychain file to attack at leisure, so the strength of your master password matters even more once the file lives in the cloud.

The Dropbox approach is the one recommended by the makers of 1Password, Agile Web Solutions. They provide a nice tutorial on using Dropbox and 1PasswordAnywhere here.

    Conclusion

    1Password is great. It makes your life simpler by creating and storing strong, secure passwords for all your sites. The only password you have to remember is your master password. This master password should be very strong, and you need some way to remember it. If you forget your master password, you’ll have no way to get inside 1Password. There are no resets here.

The only possible downside to 1Password that I can think of is the lack of server storage in the cloud like LastPass. However, you can accomplish much the same thing by using a free Dropbox account, something I would recommend to anyone.

    As I mentioned earlier in this password series, one of the benefits of using a password manager is that all of your passwords are kept in a secure location that family members can access if something happens to you, the primary password “keeper” in your home. I recommend keeping some simple instructions with your master password in a safe place like a locked safe in your home or a safe deposit box at a bank.

    1Password costs $39.95. This one-time cost is well worth the security and simplicity it introduces into your digital life.

Like most Mac software, you can download and try 1Password for free for 30 days. Give it a shot. I don’t think you’ll be disappointed.

    Let me hear your thoughts on 1Password in the comments.

    Tips for password management on a PC

    This post is the 6th in an ongoing series about passwords. You may want to check out the other parts by clicking on tag: passwords.

[Photo by Vagamundos via Flickr]

    In my last post on passwords, I made the argument that the absolute best way to balance password security and practicality is to use a password manager program.

    As I discussed in the last post, you’re much better off using different passwords for all of your sites and keeping them in one secure location (the password manager program). If someone gets any one of your passwords, they can only access the one site it unlocks. On the other hand, if you use the same password for all (or most) of your sites, and that one password falls into the wrong hands, you’ve got a big problem.

    A good password manager makes your life simpler.

Rather than having to spend time coming up with creative, unguessable passwords, you can simply let the password manager program generate random passwords. And you don’t even have to remember them either! If you need a password, you simply go to your password manager, get it, and move on.

    An added benefit of a password manager is that all of your passwords are organized in one location. In most households, one person does most of the bill paying. Spouses or other family members likely don’t know passwords to every important site. If something happens to the primary password “keeper,” then it can be very difficult for others to get access to important sites–like banks, medical records, and even email, where important information often resides.

    Again, with a password manager, only one password is needed to access your “vault.” That password should be very strong and also written down in a secure location. Spouses and/or other family members should know where it is. I keep mine in a safe with some simple instructions on how to use it.

    Recommendations

    There are many options for password managers. In this post, I’m going to focus on those that work with PCs (Windows). Since I personally like the Mac way of doing things, I’ll cover Mac options in the next post (and end with a review of my favorite password manager).

    KeePass

If you use Windows, one highly-rated choice is KeePass, a free program that actually works on other operating systems too, like Mac OS X and Linux. On those systems it needs the Mono runtime installed before it will run, however, so I think KeePass is best suited for Windows users.

    KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

    In other words, it’s safe.

    My good buddy, Andy (AKA The Digitante), recently wrote a nice review of KeePass at his blog. Andy walks you through the basics of setting up KeePass and provides clear illustrations.

    In addition to the general benefits of any good password manager that I mentioned earlier, pros of KeePass are:

    • It’s free
    • It comes with built-in strong password generator that also indicates the strength of passwords

    KeePass Password Strength

    • It’s portable and can be carried on a USB stick and used on any other PC
    • Password lists can be exported to various file formats (good if you wanted to print a master list to store in a safe)
    • Files can be “attached” and stored in the KeePass database
    • KeePass lets you copy passwords to your clipboard so that you can paste them into password fields in your browser. It also clears the clipboard immediately after you paste a password or after 10 seconds (if sooner) to increase security.
    • A search field lets you quickly find passwords
    • Plugins are available that extend KeePass’s functionality even more

    The biggest downside to KeePass is that it doesn’t have the level of web browser integration that other password manager applications have. If you’re at a website that requires a password, you must open KeePass, copy your password, then paste it into the browser. It’s not a big deal, and it’s probably quicker and easier than manually typing out a long password. It’s definitely a small price to pay for the security you’re gaining.

    LastPass

    Another well-respected and lauded password manager is LastPass, which has received acclaim from PC Magazine and other reputable online tech sources.

    LastPass comes in free and “pro” (paid) flavors. The free version’s feature set is plenty for most people, in my opinion. It has pretty much all of the benefits of KeePass that I outlined above.

I recently downloaded and experimented with LastPass myself in Windows. Overall I was pleased with the setup process and its ease of use. The biggest selling point for LastPass is that you can access it anywhere you have an Internet connection. To make this possible, LastPass stores your passwords on its servers. They go to great lengths to assure you this is safe on their FAQ page. LastPass uses a very strong encryption process to lock up your data:

AES utilizing 256-bit keys. AES-256 is accepted by the US Government for protecting TOP SECRET data. AES is implemented in JavaScript for the LastPass.com website, and in C++ for speed in the Internet Explorer and Firefox plug-ins. This is important because your sensitive data is always encrypted and decrypted locally on your computer before being synchronized. Your master password never leaves your computer and your key never leaves your computer. No one at LastPass (or anywhere else) can decrypt your data without you giving up your password (we will never ask you for it). Your key is created by taking a SHA-256 hash of your password. When you login, we make a hash of your username concatenated with your password, and that hash is what’s sent to verify if you can download your encrypted data.

The last two sentences are the kicker, and I personally like this approach. Let me attempt to put it in plain English. Two different values are derived from your master password. The first is the encryption key that locks your password file; it is made from the master password alone and never leaves your computer. The second is a login hash made from your username and master password together; that is the only thing sent (over an encrypted connection) to lastpass.com, and it is what proves to LastPass that you’re allowed to download your encrypted file.

The login hash is not your master password and is not the encryption key, so someone who saw it could not read your data. (At most it could let them ask the server for your encrypted file, which is useless to them without the key.)

On receiving the login hash, the LastPass servers send your encrypted password file back to your computer, where it is unlocked with the key and synchronized with the other password data stored on your computer.

The other benefit of this approach is that even if someone got hold of LastPass’s servers and found your data file, they wouldn’t be able to read it until they figured out your master password. The caveat is that, in the scheme quoted above, “figuring it out” means guessing candidate passwords and computing a single SHA-256 hash for each, which a computer can do very quickly. A weak master password would not hold them off for long; a strong one will.

The only burden placed on you is to create a single, very strong master password (perhaps using one of the techniques I outlined in earlier posts in my password series).

    As long as your master password is strong, you’re A-OK.
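To make that division of labor concrete, here is an added example (my own code, not LastPass’s, and not a description of its real implementation) that models the scheme exactly as the quoted FAQ describes it: the vault key is a SHA-256 of the master password, the login hash is a SHA-256 of the username concatenated with the master password, and a toy server (the hypothetical `ToyServer`) stores only the login hash and the encrypted file. AES is replaced by a SHA-256 keystream stand-in so the script has no dependencies; the names, sample vault and wordlist are all constructed for the example. The last function shows the caveat above: against a leaked login hash, each guess costs one hash, so the master password is the whole defense.

```python
import hashlib
import hmac


def vault_key(master_password):
    """The key that encrypts the vault: SHA-256 of the master password alone.
    In the scheme described, this value never leaves your computer."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def login_hash(username, master_password):
    """The only thing sent to the server: SHA-256 of username concatenated with
    the master password. It differs from vault_key and does not reveal it."""
    return hashlib.sha256((username + master_password).encode("utf-8")).digest()


def keystream_xor(key, data):
    """Stand-in for AES-256 so this example needs no third-party library: a
    SHA-256 counter-mode keystream XORed over the data. It shows *where* the key
    is used; it is not a recommendation to build ciphers this way."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyServer:
    """What the service holds in this model: one login hash and one encrypted
    blob per user. It never sees the master password or the vault key."""

    def __init__(self):
        self._accounts = {}

    def store(self, username, lhash, blob):
        self._accounts[username] = (lhash, blob)

    def fetch(self, username, lhash):
        """Return the encrypted blob only if the presented login hash matches."""
        if username not in self._accounts:
            return None
        stored_hash, blob = self._accounts[username]
        return blob if hmac.compare_digest(stored_hash, lhash) else None


def sync_round_trip(server, username, master_password, plaintext_vault):
    """Upload from one computer, then download and decrypt on another using
    nothing but the username and master password."""
    key = vault_key(master_password)
    server.store(username, login_hash(username, master_password),
                 keystream_xor(key, plaintext_vault))
    blob = server.fetch(username, login_hash(username, master_password))
    return None if blob is None else keystream_xor(vault_key(master_password), blob)


def guess_master_password(username, leaked_login_hash, candidates):
    """What an attacker who stole the server's records can do offline: try
    candidate master passwords at the cost of one SHA-256 each. A hit also
    yields vault_key(candidate), which unlocks the stolen blob."""
    for candidate in candidates:
        if hmac.compare_digest(login_hash(username, candidate), leaked_login_hash):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration; not real accounts.
    server = ToyServer()
    vault = b"bankabc.example: alice / (generated password)\nblog.example: alice / (another)\n"
    print(sync_round_trip(server, "alice@example.com", "correct horse battery staple", vault) == vault)
    print(server.fetch("alice@example.com", login_hash("alice@example.com", "wrong")))  # None
    # A weak master password falls to a four-word list; the strong one does not.
    wordlist = ["password", "letmein", "florida", "123456"]
    server.store("bob@example.com", login_hash("bob@example.com", "letmein"), b"")
    print(guess_master_password("bob@example.com", login_hash("bob@example.com", "letmein"), wordlist))
```

The server in this model can authenticate you and hand back your file, but at no point does it hold anything that decrypts it; the only way in, for the service or for a thief who copies its database, is to guess the master password.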

In my opinion, the biggest advantage LastPass can boast is its web browser integration. Unlike KeePass, which requires you to manually fetch your password when you want to log into a site, LastPass can auto-fill web forms. This means that once you log into LastPass on your computer, you can simply visit a site, and if you’ve told LastPass to remember that password, it fills it in automatically. I personally tested the form fill with LastPass in Firefox in Windows. I was pleased overall. LastPass also supports other popular browsers including Internet Explorer, Chrome, and Safari.

    I’m a big fan of password managers that auto-fill passwords. For one thing, it’s really convenient. More importantly, it encourages you to create really strong, long, unguessable passwords by removing the burden to type them out each time you visit a site. Like KeePass, LastPass has a built-in strong password generator that tells you how weak or strong the password is.

    If you use LastPass, feel free to let it create passwords as long as the web form will allow. I mean, who really cares how long a password is if you never have to type it in yourself?

LastPass also offers some nice options for accessing your passwords on-the-go with apps for iPhone, Blackberry, and Android devices. However, use of the mobile apps requires you to step up to the paid version of LastPass. The pro version is only $1 per month, which is really not a lot to pay for the extra convenience offered by the mobile apps (if you use them).

    So, the difference between LastPass and KeePass boils down to convenience. LastPass allows you easy access to your passwords anywhere you have an Internet connection, and it provides easy options for auto-filling web forms. In exchange for this convenience, you have to agree to store your data on LastPass’s servers.

    Other options

    KeePass and LastPass are certainly not the only choices for password management on Windows. Two other noteworthy options are Roboform and eWallet. Both of these come in paid-only flavors. They both have a fairly big online presence and have gotten good reviews online, but I have not personally used either.

Some people choose to let their browser remember passwords for sites. Many browsers, including Internet Explorer and Firefox, prompt you for this unless you turn it off. I would caution against letting your browser remember passwords, because it makes it too easy for someone who gets your computer to access your sites. Unless you set a master password in the browser (Firefox offers one), nothing at all locks the saved passwords down, and even with one I don’t think the browser’s limited features are worth the security risk compared with a dedicated password manager.

    Next up

    In the next post, I will write a full review of the password manager that I use and outline the features I like most about it.

    Please let me know if you’re using a password manager in the comments or if you have any questions/comments on anything in my password series so far. I hope I’m helping you increase the security around your personal data a bit. But if I’m not, let me have it!

    Continuing our password journey: moving from complexity to simplicity

    This post is the 5th in an ongoing series about passwords. You may want to check out the other parts by clicking on tag: passwords.

    Where we’ve been so far

    I’ve been talking a lot about passwords around here lately. In previous posts, I’ve gone over the perils of

    • using simple passwords,
    • using the same password for every site,
    • using the same password for social networking sites and banking sites,
    • entering passwords on networks that aren’t secure, and
• entering passwords on sites whose addresses don’t start with https

    I also pointed out that it is unreasonable to expect people to remember many, many different passwords. Our minds just don’t work like that–and they never will.

    To combat the tendency to create simple passwords, I pointed out a few tricks that can be used to create complex but memorable passwords. These tricks included using fake words, acronyms from phrases, and shifting your fingers on the keyboard.

    These tricks work well, but they still take effort. It's also all too easy to fall victim to laziness and complacency. We’ve all been there–me included. Unfortunately, it’s when we let our guard down that we’re most vulnerable.

    A better way to manage passwords

    I remember when the only “passwords” I had to remember in life were my 4-digit ATM PIN code and gym lock combination. Those days are ancient history. My “on board” memory worked fine in that simple world, but the key chain between my ears can only hold so many keys. Today, there are well over 100 websites, computers, networks, software systems, etc. that require me to enter a password.

    How in the world can I expand the key chain in my head? I can’t.

    In my mind, the only viable solution to our modern day password conundrum is to use a program to manage your passwords. Using a password manager, no matter which one, should at least have the following benefits:

    • All (or almost all) of your passwords are kept in one, secure place
    • All of your passwords are protected by one, very secure password (the only one you have to remember!)
    • Most password managers have built-in tools to generate random passwords for you; this takes the burden off you to come up with creative tricks to remember your passwords

    Don't run away

    Some people are initially skeptical of password managers. The common fear expressed goes something like “if someone gets into my password file, they have all my passwords.”

    True, but aren’t you already exposed to that risk if you’re using the same password for multiple sites? If any one of the thousands of web servers holding your single password is compromised, someone will have access to all your sites. I can remember at least five times over the last few years that my credit card company has sent me a letter saying that they are issuing me a new credit card because my account information "may have been stolen."  These things happen and are absolutely inevitable.

    What's even more likely is that your password will be intercepted over a public wi-fi network, as I discussed in previous posts on passwords.

    I contend that the absolute best approach to minimize the chance of someone doing widespread damage to your online finances and private information is to use a single password manager. It also allows you to give up on the idea of remembering passwords for sites. You simply generate an unmemorable password for each site, and go to your password manager when you need that password. This probably sounds like way more work than it is. Trust me–it’s really simple.

By using one, very secure password to protect all of your passwords, you’ve reduced your risk exposure from many, many points of attack online to a single, encrypted file. So even if Bank ABC’s web server gets hacked and the thieves get that password, that’s all the damage they can do. They only have one key; all your other doors have different locks.

    In the next few posts, I’m going to provide more details on which password managers I recommend–for both PCs and Macs. I will also reveal which one I think is the king of them all–and tell you exactly why I feel that way (and why many others agree with me).

Believe me, I’m trying to simplify your life, not complicate it. This is one case where security and simplicity can coexist.

[Photo by mbrand via Flickr]

    More perils along the journey to a better password

    This post is the 4th in an ongoing series about passwords. You may want to check out the other parts by clicking on tag: passwords.

    ***

Some of the most popular sites today are social media sites like Facebook. For whatever reason, Facebook (at the time of writing) does not encrypt your login the way a banking site does. How would you know?

    Well, the giveaway is in the URL, or web address. Secure sites begin with https, not just http.

The “s” stands for secure, and it’s very much absent from Facebook’s sign-in page. This means that your password is sent unencrypted to Facebook’s servers after you click the Login button. Anyone “watching” network data between your computer and the site (someone on the same wi-fi network, for example) can read it, and an attacker sitting in the middle of the connection can alter it too. Secure (https) connections encrypt the information you submit, so even if it is intercepted, it’s of no use to the interceptor.

    It's not just Facebook either. Many, many sites require or "encourage" you to create a username and password to make use of the site.  Even some web-based email programs like Gmail used http as the default protocol until recently.

    If getting your password intercepted sounds unlikely, I assure you it isn’t. You can find free software online that would enable the 16-year-old sitting across from you at your favorite coffee shop to see everything you send unencrypted.

    The biggest problem? If you use the same password for all your sites, you may be giving away your bank password when you sign into an non-secure site like Facebook even though it seems like you’ve done nothing wrong. You wouldn’t want to shout out your password to everyone in the coffee shop as you log into Facebook, but that may be what you’re doing.

Another way that hackers prey on folks is through key loggers, a type of malware that sometimes sneaks its way onto people’s computers. A key logger records everything you type and sends the information to someone else. The more often you type a password on a computer with a key logger, the more likely it is to come to the attention of someone who wants to access your accounts. By the time you find out, it may be too late.

    Additionally, if you use public computers a lot, the chance of a key logger being on the computer is greater. You really have no way of knowing who has used the computer and what their intentions were.

    These are just a few reasons why using the same password for all of your sites is a bad idea. Once your password is in the hands of the bad guys, all of your accounts are vulnerable–email, banking sites, brokerage sites, and much more.

    Picture the various websites that make up your online “life” as a bunch of rooms in a long, narrow building. Each room has a door to the outside and also a door to the adjacent room. If a thief figures out which key unlocks any of the outside doors, and you use the same key for each lock, he can go anywhere.

    In the first post of this series, we established 3 basic criteria for passwords:

    1. My password can’t be simple and popular
    2. My password can’t say anything about me
    3. My password can’t be a real word

    I strongly encourage you to add a 4th rule: at a minimum, do not use the same password for financial sites and email or social media sites. The risk is way too high. Just think about how often you see people posting on Facebook that their account has been hacked. Having some hacker write silly things on your Facebook wall is bad enough; giving him access to your savings account is worse.

    If you’re feeling concerned, that’s good. A little paranoia goes a long way on the web. But I don’t want you to be too worried because I’m going to offer some solutions to these problems.

    And it’s also important to remember that nothing is foolproof. As long as people are people, there will be good ones and bad ones. And we all make mistakes. The key is to find the right balance between security and ease of use.

    Leaving your house keys hanging by the doorstep would ensure that you’d never get locked out, but it doesn’t keep you very safe. In a perfect world, we wouldn’t need keys or passwords, but the world isn’t perfect, so we must sacrifice a little convenience to keep ourselves and our families safe.

    Stay tuned for more upbeat posts on passwords.

    [Photo by anyjazz65 via Flickr]

    Another great password trick

    I wanted to share a tip I recently read at Lifehacker. Apparently one of Lifehacker’s readers submitted this idea in a comment on one of Lifehacker’s posts. The idea is to shift your fingers to the left or right when you type your easy-to-remember password. So let’s say you want your password to be something really common like “florida.” If you shift each finger to the right one key, it becomes g;ptofs, which is a pretty decent, meaningless password.

    Read the full Lifehacker post here.

    Other posts in my series on passwords

    Update and a tip

    Because of some other writing projects, I've fallen a bit behind on this blog. But fear not. I recently wrote a post on one of my other blogs that you may be interested in. Do you want a better way to keep up with blogs and other sites that change frequently? Are you tired of having to manually go to individual sites to see if they've been updated?

    If so, take a look at my recent post "A simpler way to keep up with the dynamic web" at Risk + 2.0.

    Continuing our quest for a better password

    In the first post of this series, I discussed why you should care about having a better password to keep your sensitive data secure online. In this post, I’ll cover a few tricks that you can use to create a memorable password that passes the 3 criteria we established in the first post:

    1. My password can’t be simple and popular
    2. My password can’t say anything about me
    3. My password can’t be a real word

    Before we go further

    It’s important to understand that our 3 criteria are good, but they are not an exhaustive list of conditions that the “ideal” password should meet. We’ll get to that.

    And you may be thinking that I’m being too basic. My philosophy on passwords is this: If people were robots, they would all have perfect passwords, but people are not robots, and they are often intimidated by the laundry list of conditions that strong passwords must meet. We can’t be perfect, but we can get better than we were yesterday. That’s what this series is about.

    So let’s get back to it…

    Use a non-word

    One of the easiest ways to make a password memorable is to make it pronounceable. However, we established that a password should not be a real word, so whatever you choose should not be a word that would be found in a dictionary (of any language).

    Do you have a goofy word (that’s not a word) in your head that you can remember easily? Words “invented” by you are often inherently memorable because of their funny sound. Let’s give it a shot… how about shloraform? I have no idea where shloraform came from, by the way, but according to Google, it’s nowhere to be found online; however, it probably will not take Google long to find it in this post.

    I should also emphasize that you should NOT use it as your password–or use any password that I come up with for illustrative purposes.

    Now, you could go a step further and add a number or symbol… or both. This makes your password much, much stronger. So sh!0raform is even better. Adding a capital letter or two (preferably not at the beginning) is even better… sh!0raForM. Now we have a pretty strong password that looks like complete nonsense to anyone but us. The other thing our illustrative password has going for it is its length. Most experts agree that a password should be at least 8 characters in length.

    But we can still do better because, ideally, your password should not be pronounceable or contain letters that appear together in real words (e.g. the “form” in our illustrative password).

    You may be thinking “geez, are hackers really that good?” Yes, they are, and the programs they use are very smart. You should be smart too.

    Phrases are your friends

    One of the top mnemonic devices for creating a secure password involves using a memorable phrase to create a non-sensical acronym. Ideally, the phrase is something meaningful to you. The idea is to remember the phrase, which then leads you to your password.

    Suppose you like to travel to California in the summertime. Your phrase might be “I love traveling to California in the summertime, especially in July.” From this phrase, you can create an acronym: ilttcitseij. On the surface, that sequence looks meaningless, but as long as you remember your phrase, you can remember ilttcitseij. Like we did with our non-word, we could start adding symbols, numbers, and capital letters to make it even stronger. The longer your phrase, the more characters your password will contain–generally a good thing.

    The primary weakness of this approach is that it will typically lead to passwords that contain common letters. Hackers know this, so they have techniques where they focus on the most common letters of the alphabet when trying to guess your password. Letters like a, e, o, and r will appear frequently. In fact, one study analyzed 3 million 8-character passwords and found that half of them contained the letter e.

    We’re not done

    If you can adopt one of the two approaches above, you’re already doing much better than the average person. But as I noted above, these approaches are still not as good as you can do.

    And unfortunately, what I think most people do–even those that use these methods–is that they do it once, and then use the same password for all of their sites. A few years ago, that wasn’t such a big deal. Today is much, much different, however.

    Our world is increasingly digital, and we have an ever-expanding list of websites that we frequent. Many of these sites require us to enter a username and password. As the Internet ages, the number of sites that we visit can only increase. You’ve been leaving a password trail through cyberspace since the first time you signed up for email.

    Do you have any idea how many sites you’ve visited where a password was required? It’s likely to be hundreds. And do you know how many opportunities there have been in that time for someone to find your passwords–perhaps on some server that was left unattended or disposed of improperly? And what incentive do all those free sites–some of which no longer exist–have to keep your data secure? Very little.

    What’s more, we’re much more likely to use multiple computers or devices to access our sites today. The more we have to enter our passwords, the greater the chance of someone else getting them.

    I’ll be back shortly with more information on the security perils of modern-day computing, but don’t worry… I’ll eventually arrive at what I believe to be the ideal solution–one that balances security and ease of use.

    [Photo by mag3737 via Flickr]

    The iPad is a golf cart

    You could use your car to transport you in a round of golf, but why the hell would you? I think this is the sort of statement we'll soon make about so many "computing" activities that don't require typing. "Consuming" information via the Web, something most of us do daily now, does not require a full keyboard. Rather, we're hindered by a full-sized computer when it comes to the consumption of information like text because it's not natural to read one long electronic column of words framed by flashy ads and other noise.

    Those that think there is no room between the handheld phone and a full sized computer probably descend from those who thought the automobile was worthless because it couldn't go everywhere a horse could.

    Technology just changes things, and the big breakthroughs always look good in hindsight, not so much because of the needs they met at their inception, but because of the way they changed our approach to life.

    There were no paved roads when the first automobile set out; no nighttime football games when the lightbulb debuted; no Facebook when the first computers were networked. None of these things, which we take for granted today, were even imaginable at the time their enabling technologies were born.

    I think we're now in a time when "technology" is beginning to feel even more natural and taken-for-granted. This is a good thing because the more natural it feels, the more useful it is, and the more it can allow people to be people.

    Start caring about passwords

    This is the first post in an ongoing series about passwords. Boring huh? Well, the fact is that most of our financial and sensitive data–despite the billions of dollars invested by banks, governments, and other institutions–is only protected by a thin barrier constructed by you: the password. Your bank may have designed the ultimate shark cage, but it’s up to you to close the hatch and keep your arms inside.

    If you’re still reading, great… I haven’t lost you yet, or maybe you're just hanging around to look at that cool shark picture.

    Common passwords

    Most people use simple passwords. Why? Because picking “strong” passwords seemingly comes with a bad consequence: we can’t remember them. We’d rather use a simple password that we can remember. We can’t change that about ourselves. It’s just who we are as people. What’s more, the human brain was NOT designed to remember a gazillion different passwords for the countless online profiles we have to maintain in today’s world. Telling people to do that is unreasonable and silly.

    In January 2010, SmartPlanet published a list of the top 20 most common passwords. Here are the top 5 from that list:

    1. 123456
    2. 12345
    3. 123456789
    4. Password
    5. iloveyou

    If you’re in that group, don’t worry. I’m going to tell you how to fix it, and I’m going to give you some easy options for doing it.

    But first, I want to make sure you understand the consequences of using a simple password. To understand, pretend you’re a hacker and you want to get access to someone’s account online. Which passwords will you try first? If you said “the most common passwords,” you’d be correct.

    So for starters, just by getting out of the most common group, you’ve done something to protect yourself. Unfortunately that may not be enough. Hackers are a savvy, motivated group, and the Web itself makes it easier than ever for hackers to make really good guesses about your passwords.

    More pitfalls

    So if you’re thinking to yourself “I’m not in the top 20… I use lovetogolf as my password,” I’d have to say “not so fast.” Do you like to talk about golf on your Facebook page, Twitter, or other public sites? Do you tweet during golf events? Do you talk about Tiger Woods? If so, you’ve already told the world you “lovetogolf.” I bet it didn’t occur to you that you gave out your brokerage account password last Friday when you posted “I’d so rather be on the golf course today.”

    Maybe you’ve already thought of all that. Maybe you use an arcane password like… “arcane.” Most people don’t know what arcane means, so it’s safe, right? Unfortunately, ANY word that can be found in a dictionary is low-hanging fruit for a hacker. There are publicly available programs that simply guess their way through the dictionary until they hear the safe “click.” Then, they’re in.

    So, let’s see where we are now…

    1. My password can’t be simple and popular
    2. My password can’t say anything about me
    3. My password can’t be a real word

    It’s at this point that most people give up and keep doing the same thing because they think they have to remember ijtEy^*32!#@fkg4LS. That’s not what I’m going to tell you to do, so don’t be that person that gives up. You and your family have too much at stake to leave the shark cage hatch open.
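    The three criteria above, together with the 8-character minimum and the phrase-to-acronym trick from the “Continuing our quest for a better password” post, are easy to turn into a small checker. What follows is an added example written for this page, not code from the blog author: the common-password set is the top 5 quoted above, while the dictionary and the “things you talk about publicly” terms are small constructed stand-ins for the word list and profile data a real checker would load. The lowercase-only rule is an addition of mine, not one of the post’s three criteria.

```python
"""Password-rule checker and phrase-to-acronym helper.

Added example for this page, not the blog author's code. The common-password
set is the top 5 quoted in the post; DICTIONARY and PERSONAL_TERMS are small
constructed stand-ins (assumption: a real checker loads a full word list and
the user's own profile terms).
"""
import re
import string

# 1. "simple and popular": the five entries quoted from the SmartPlanet list.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou"}

# 3. "a real word": constructed stand-in for a dictionary of every language.
DICTIONARY = {"arcane", "love", "golf", "florida", "form", "password", "summer"}

# 2. "says something about me": constructed stand-in for what a user talks
# about publicly (golf tweets, favourite places, and so on).
PERSONAL_TERMS = {"golf", "tiger", "california"}

MIN_LENGTH = 8  # the post's "at least 8 characters"


def acronym_from_phrase(phrase: str) -> str:
    """First letter of each word, lowercased: the mnemonic from the post."""
    words = re.findall(r"[A-Za-z]+", phrase)
    return "".join(w[0] for w in words).lower()


def check_password(password: str, personal_terms=PERSONAL_TERMS) -> list:
    """Return the names of the rules the password breaks; [] means it passes."""
    failures = []
    lowered = password.lower()
    # Letters only, so "arcane1" is still recognised as the word "arcane".
    letters_only = "".join(ch for ch in lowered if ch in string.ascii_lowercase)

    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if lowered in COMMON_PASSWORDS:
        failures.append("common")
    if any(term in lowered for term in personal_terms):
        failures.append("personal")
    if lowered in DICTIONARY or letters_only in DICTIONARY:
        failures.append("dictionary")
    # Assumption, not one of the post's three criteria: a password drawn from a
    # single character class has not yet had digits, symbols or capitals added.
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 2:
        failures.append("single_class")
    return failures


if __name__ == "__main__":
    phrase = "I love traveling to California in the summertime, especially in July."
    print(acronym_from_phrase(phrase))  # ilttcitseij
    for candidate in ["123456", "lovetogolf", "arcane", "sh!0raForM"]:
        print(candidate, check_password(candidate))
```

    Returning the list of broken rules rather than a plain yes/no tells the person which rule to fix, and checking the letters-only form catches a dictionary word that has merely been dressed up with a trailing digit.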

    Going forward

    In the posts that follow, I plan to discuss how you can create strong passwords that are actually memorable and also talk about some software programs that can help. Stay tuned!

    Shark picture by hermanusbackpackers via Flickr
    Safe picture by squacco via Flickr

    What the iPad's really about

    By now you’ve probably at least heard of Apple’s latest product, the iPad, along with all the crude jokes, criticism, and excitement perpetuated by the media.

    I’m in the group that thinks the iPad is just the latest sign that the pace of technological innovation and the way it impacts our mainstream lives is accelerating even more. The iPad is bigger than Apple. Apple just happens to be creating it.

    The era we’re entering now arguably started with the iPod, which ultimately paved the way for the iPhone. As amazing as the iPhone is, it’s really just a mini prototype of the future of computing, a future that most of us will live to see in the not-too-distant future.

    If you own an iPhone or iPod Touch, you’ll probably agree that when you use it, you don’t feel like you’re “computing.” You don’t have the same experience that you have when sitting at a full computer equipped with a keyboard and mouse. But you are computing. It just feels more natural. Why? Because the touch interface fits our tactile propensities, and the lack of cord doesn’t chain us to static locations like offices and bedrooms. We don’t even have to be indoors to use it.

    Before the iPhone, computers had already firmly penetrated our lives, but they had much less mainstream appeal, and they had far less reach. Today, computers neighbor forks and spoons on tables. Computers are everywhere, but we don’t think of them as computers, and for some reason we still call them “phones.”

    The iPad very likely represents the next step in the convergence of “mobile” with conventional computing. The increase in the size of the device is symbolic of the fact that mobile technology is expanding into a space previously occupied by conventional computers, and I believe it will ultimately expand into spaces we can’t even see right now.

    John Gruber of Daring Fireball provides a great observation of what’s happening:

    Used to be that to drive a car, you, the driver, needed to operate a clutch pedal and gear shifter and manually change gears for the transmission as you accelerated and decelerated. Then came the automatic transmission. With an automatic, the transmission is entirely abstracted away. The clutch is gone. To go faster, you just press harder on the gas pedal.

    That’s where Apple is taking computing. A car with an automatic transmission still shifts gears; the driver just doesn’t need to know about it.

    And I fully expect us to press the gas pedal to the floor. As computers become even easier to use, more people will use them. This has the effect of bringing more ideas “online” than ever before.

    Some argue that “tablets have been around and have already failed.” But the iPad is being born in a different time–one marked by unprecedented connectivity and information equity.

    The only thing more exciting than the iPad are the breakthroughs that are sure to follow.

    If you're concerned about safe web browsing, Chrome is worth a look

    In an earlier post, I commented on the security hazards associated with using popular web browsers like Microsoft's Internet Explorer. One of the alternative browsers I mentioned was Chrome, a web browser made by Google. Chrome has a lot going for it right now, and security is increasingly moving to the top of the list of reasons why you should try Chrome for yourself. An annual event called Pwn2Own draws hackers to compete for cash prizes. Up to $10,000 is awarded to the first person to hack into the various web browsers put on the chopping block.

    After two days of the event, Chrome was the only browser not compromised. All other browsers, including Internet Explorer, Firefox, and Safari, were hacked on day 1. Internet Explorer was hacked in less than 2 minutes on Windows 7, which is the newest and most secure version of Windows available in the market.

    In case you're interested in knowing more, Lifehacker explains what makes Chrome unique with respect to security:

    Perhaps the best indicator of Chrome's security is the fact that competitors haven't even attempted to crack Chrome's "sandbox" despite a $10,000 prize. Chrome gives every process started within the browser very limited privileges to get the job done, keeping it essentially in the sandbox, so while it's possible to get in the sandbox, you can't do very much while you're there. It seems like this bodes extremely well for Chrome's security system, especially compared to its competition. . .

    You don't need to know what a browser sandbox is. You just need to know that, for now, Chrome does a really good job of keeping the bad guys out of your computer.

    Improve your web writing by getting back to basics with MultiMarkdown

    I recently discovered a great new tool for web writers called MultiMarkdown thanks to a recent Mac Power Users podcast. Now on first glance, you’ll probably think that this is too nerdy/geeky for the common person, but it’s actually a gift to anyone who’s been troubled by the fact that it’s so darn hard to convert anything to clean HTML. If you’ve never had that thought, or never had the need to convert a document to HTML, you can safely move on. If you have, read on…

    If you’re a blogger, you’ve probably experimented with different ways of composing your blog posts. Perhaps you’ve tried word processors like Microsoft Word or other desktop apps because you don’t like editing in a browser (like me). Writing in these apps works fine (assuming you aren’t distracted by the superfluous amount of commands bordering your page), but for all the technology and ubiquity of the Web, converting your composition to something that can be rendered on a web page is still a royal pain.

    Microsoft Word, for example, is designed to generate an inordinate amount of additional HTML coding around even the simplest of HTML documents. There was probably less code running the Apollo space craft than is contained in a Word-generated HTML file. And of course, once pasted into your blog editor of choice, it never looks the same as it did in Word.

    Maybe you’ve also tried composing in a simple text editor like TextEdit on your Mac or even Notepad on your PC. Again, the writing part is easy, but now you’re stuck having to type long HTML commands like anchors, breaks, paragraph codes, etc. over and over. And if you need to create a table, just forget it.

    The underlying problem is that you find yourself playing the role of a programmer at least as much as a writer. This can be a major distraction that ultimately affects the quality of your work.

    MultiMarkdown eases the woe of the common web writer by providing simple, intuitive shortcuts for HTML tags. For example, a table can be created simply using the pipe symbol like this:

    |col 1|col 2|
    |--|--|
    |abc|def|

    The above bit of code turns into

    col 1   col 2
    abc     def

    I really like the way MultiMarkdown handles links too. There are several different ways of typing a link. The simplest is like this:

    [Google](http://www.google.com)

    If you have long URLs, you may want to use this footnote-like method:

    [Google][1]
    [1]: http://www.google.com

    The second alternative above has the advantage of keeping your text even cleaner, so you don’t have long URLs cluttering up your paragraphs. You can put the hyperlink number anywhere in your file (I like putting them in a stack at the bottom.)

    Both methods generate the same result: Google.
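    To show what the shortcuts above actually turn into, here is a small converter for just the two constructs discussed: pipe tables and the two link styles. It is an added example for this page, not MultiMarkdown’s own code (the real tool handles far more syntax), and it escapes the text and URLs it emits so that a stray < or quote in a draft cannot become markup of its own once the HTML is pasted into a blog editor.

```python
"""Tiny converter for the MultiMarkdown pipe-table and link syntax shown in
the post. Added example, not the MultiMarkdown project's code; the real tool
supports much more than these two constructs."""
import html
import re

# [label]: http://url  -- footnote-style definitions, allowed anywhere in the file
REF_DEF = re.compile(r"^\s*\[([^\]]+)\]:\s*(\S+)\s*$")
# [text](url) or [text][label]
LINK = re.compile(r"\[([^\]]+)\](?:\(([^)\s]+)\)|\[([^\]]+)\])")
# the |--|--| separator row under a table header
TABLE_SEP = re.compile(r"^\|?\s*:?-+:?\s*(\|\s*:?-+:?\s*)*\|?$")


def _link(text, url):
    # Escape both pieces: the draft is untrusted input to the HTML that ends up
    # on the page, and a '"' in a URL would otherwise close the href attribute.
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(text))


def _inline(text, refs):
    """Escape plain text and expand both link styles within one line or cell."""
    out, pos = [], 0
    for m in LINK.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        label, url, ref = m.group(1), m.group(2), m.group(3)
        if url is None:
            url = refs.get(ref)
        if url is None:            # unknown reference label: keep the source text
            out.append(html.escape(m.group(0)))
        else:
            out.append(_link(label, url))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def _table(lines, refs):
    head = "".join("<th>%s</th>" % _inline(c, refs) for c in _cells(lines[0]))
    body = "\n".join(
        "<tr>" + "".join("<td>%s</td>" % _inline(c, refs) for c in _cells(row)) + "</tr>"
        for row in lines[2:]
    )
    return "<table>\n<thead><tr>%s</tr></thead>\n<tbody>\n%s\n</tbody>\n</table>" % (head, body)


def to_html(source):
    """Convert tables, links and plain paragraphs; everything else is left as text."""
    refs, body = {}, []
    for line in source.splitlines():       # first pass: collect [n]: url definitions
        m = REF_DEF.match(line)
        if m:
            refs[m.group(1)] = m.group(2)
        else:
            body.append(line)
    out, i = [], 0
    while i < len(body):
        line = body[i]
        is_table = (line.lstrip().startswith("|") and i + 1 < len(body)
                    and TABLE_SEP.match(body[i + 1].strip()))
        if is_table:
            j = i + 2
            while j < len(body) and body[j].lstrip().startswith("|"):
                j += 1
            out.append(_table(body[i:j], refs))
            i = j
        else:
            if line.strip():
                out.append("<p>%s</p>" % _inline(line.strip(), refs))
            i += 1
    return "\n".join(out)


if __name__ == "__main__":
    print(to_html("|col 1|col 2|\n|--|--|\n|abc|def|"))
    print(to_html("[Google](http://www.google.com)"))
    print(to_html("[Google][1]\n[1]: http://www.google.com"))
```

    The reference definitions are collected in a first pass, which is what lets you stack them at the bottom of the file as the post suggests; a label with no matching definition is left as written rather than silently turned into a broken link.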

    So in summary, with MultiMarkdown, you can focus on your writing, not your coding. When you’re done drafting, you simply convert your text file to HTML using a script provided on the MultiMarkdown website.

    If you’re a Mac user, you’re in even more luck. Fletcher Penney, the author of MultiMarkdown, created several apps that let you simply drag and drop your MultiMarkdown text file to create HTML, RTF, and other formats.

    Even better, there are a number of Mac apps that are compatible with MultiMarkdown like Scrivener, OmniOutliner, and Notational Velocity.

    In summary, if you use MultiMarkdown to write your HTML-bound documents, you can

    1. Write in a simple text editor using the MultiMarkdown syntax.
    2. Save the file as file.txt (or whatever file name you prefer).
    3. Drag the text file to one of the apps that automatically translates the MultiMarkdown format into HTML.
    4. Copy your HTML to your favorite blog editor (or wherever you want it).

    Let me know if you have any questions on MultiMarkdown or how you’re using it in the comments.

    Also, be sure to check out the original Markdown page and PHP Markdown Extra for extra syntax tips.

    Welcome!

    Welcome to my new blog. I decided to move from Tumblr to a more comfy spot with my own domain. In very general terms, this blog will be about getting more efficient at life without overly compromising your life to get there. I'm looking forward to posting my thoughts on everything from technology to personal finance to general tips on. . . stuff.

    The posts that precede this one were imported from my Tumblr blog. There are a couple of scraps of decent information scattered in them, so I thought I'd bring them with me. Unfortunately, I couldn't find a straightforward way to move the comments too.

    Also, I'd like to give a big shout out and thanks to my buddy Andy (AKA The Digitante), who was extremely helpful in giving me tips on setting up this blog. Andy is an awesome resource on all things tech (and more), and I encourage you to check out his blog and follow him on Twitter.

    Windows Phone forgets how to copy and paste

    Windows Phone forgets how to copy and paste: From the CNET article above:

    “We [Microsoft] don’t enable copy and paste and we do that very intentionally,” Windows Phone executive Todd Brix said in an interview.

    Brix said many times when a user copies something on a phone, what they really are looking to do is take a specific action, such as calling a phone number or e-mailing an address. For those specific tasks, Microsoft has what it calls “smart linking,” which lets a user double click on a phone number and either call it or add it to the phone book. For an address, one can get a map without having to copy and paste the address.

    “It’s actually an intentional design decision,” he said. “We try to anticipate what the user wants so copy and paste isn’t necessary.”

    Wow, it’s a good thing Microsoft knows what users want better than they do. If only iPhone and Android users were so lucky. But wait, isn’t Windows Mobile beginning to rapidly lose market share to Android and iPhone?

    But seriously, this is just more evidence why Win mobile is slipping. In particular, look at younger generations. I suspect very few people would make the independent (i.e. non-work) choice to use Windows mobile over an iPhone, Droid, or Blackberry. For younger generations, these other options are their first choice. For them, “Windows” is the OS their parents use at work and constantly complain about.

    I think MS is currently facing a very critical point in their development. Mobile technology adoption rates are very high. If mobile is the future, and if mobile devices ultimately converge with conventional desktops, where does that leave MS? If MS is to survive, they need to transform into a company that exudes innovation like Apple or Google. Right now, that’s not happening.

    It will be very risky for MS to continue being “all business” in a world where business and personal blur together more everyday.

    The iPad paradox: Less is more

    This Computerworld article sums up quite well why I’m looking forward to my new iPad. I don’t want a device that multitasks so well that my head will spin off as I try to do 20 things at once. In fact, if the iPad did multitask, I think it would fail as an e-reader. The human mind simply isn’t wired to be able to read an article, chapter of a book, or any other reasonable amount of text while bells, whistles, and sirens are going off around the page.

    The iPad’s success, like other Apple products, will stem from its simplicity and quietude. I also hope that it represents a shift back to the single-tasking world. We need to do a better job at focusing on one thing and one thing only.