I held out as long as I could; I have never used a password vault, thinking that I could remember all of my passwords for several dozen sites and applications without having to trust them to any third party.
Of course, many of the passwords I used were reused a few times, and oftentimes I would have to ask a site to remind me of what my password was. I finally broke down and said okay, I was going to do it.
I signed up for the site that a trusted friend recommended; I even spent the $12 to get the premium service (mostly so that I could use multi-factor authentication with my Yubikey). I then downloaded the app to my laptop. I installed the app…
…and what happened next scared the wits out of me.
I should mention that I knew this was the case; I have in the past used tools to discover passwords on peoples’ computers (and on mine when I forgot them). So why was I surprised when the password app showed me a list of every site I have ever visited from this computer, with a button that said ‘Click here to display passwords’??
Yes, it is true. Unless you take special preventive measures, your computer saves every password you ever use; they are hardly even secured – this program did not take hours or even minutes to list them off, they were readily viewable in under ten seconds… including the passwords for my online banking.
How could this be? It’s simple… passwords suck. They are probably the best option that most of us have available to us, but they really do suck. Multi-Factor Authentication (MFA) solutions like a Yubikey or smartphone authentication programs provide much better solutions, but there are problems with those – firstly they require you to have a device, and secondly they require the site (or application) that you are connecting to support their tool. So if you are connecting to YouTube (which is a Google site) you can use Google MFA; however if you are logging on to some random site where you participate in forums, there is a good chance that this will not be available to you, and you will have to use old fashioned passwords (see article).
The problem with passwords isn’t that they are hard to use, it is that most people do not use them correctly. That is a pretty broad statement, but if you are honest with yourself, how many passwords do you use that are over 90 days old? How many of your passwords are repeated across sites? Some password vault tools will let you run a test across all of the sites in the vault, and it is a cold splash of water in the face to run one of these tests and get a 32% score (yes, I am as guilty of many of these behaviours as everyone else).
For years I said the worst enemy of IT security was yellow sticky notes, and they still are. However it has gotten so much worse than ever, because every site wants complex passwords, and to get around the complexity rules people are using things like DogName1, then DogName2, and so on. I see stickers like the one shown more often than I care to say. The more often we have to change a password, the worse the situation will be. The problem grows exponentially when we have more sites forcing us to do the same thing. So if we have to change a password on ten different sites every ninety days, we are exponentially more likely to pick the same passwords, or derivatives thereof.
But is it reasonable to expect everyone to pick completely random, un-guessable passwords? Is *880638Z7965 a good, completely secure password? Probably not. For one thing, it is going to be impossible for us mere mortals to remember, and so we are going to write them down; for another, if someone gets access to your computer (or smartphone, or any device that you use to log onto whatever site you are trying to keep secure). Remember… if the Password Vault software can determine what your passwords are, so can the hackers.
I recently sent out an e-mail called The Ways of Small Business IT in which I highlighted some of the perils of a small business IT environment; one of the issues I highlighted was users leaving their unlocked workstations unattended. There are much more dire (and scarier) consequences to this behaviour than having your local information stolen. Simple programs installed from a USB key can reveal and steal every password you have ever used on the workstation – business, pleasure, banking, personal, dating sites… everything. So the miscreant would not have to sit at your computer for very long to own you – all they have to do is sit down for a minute and then walk away with all of your sites, usernames, and passwords. Then at their leisure they can access your life from wherever they want.
Scary? Yes. Preventable? Of course. A user who locks their computer when they walk away has taken great steps to prevent this attack. But what happens if the miscreant did not target your computer? What if they target a site where you use your catch-all password? Well it shouldn’t be a problem because that site will shut itself down until it has fixed its own security holes, right?
WRONG. The scary phrase in that last sentence is catch-all password. Here’s what I mean, and for the moment we are going to use the example of a site that we know to have been recently hacked.
Yeah I know you didn’t have an account, and you are completely faithful to your partner, but for the sake of the example, the user list on AshleyMadison.com is compromised. They have your credit card information, but that’s okay because your credit card is insured; they have your name and dating preferences, and that’s a damned shame… but there are fourteen million other men (and seventeen other women) who are in the same boat as you. It’s in the media and it’s ugly, and you are spending half of your time fighting with your partner that someone had used your credit card (and name, and picture, and your sexual preferences) to create their own profile on the site, and the other half of the time speculating about who else was on it, and… you know, doing whatever else you do during the day.
What you do not spend any time doing is changing the password on YourBank.com, YourTradingCompany.com, YourOtherServices.com, and so on. It doesn’t matter that you had been using the same password on those sites as you did on AshleyMadison.com, because… well, in truth you just never gave it much thought, and isn’t it just so much easier to use the same password everywhere so you don’t forget?
Now the bad guys have your password… and believe me, it isn’t tough to guess your username for all of those sites… especially since you also used the same password for your e-mail account, so what they can’t easily figure out they can easily ask all of the other businesses to resend it and the businesses will do it because the hackers asked from your e-mail account.
Is there a good solution? For businesses there are several… multi-factor authentication, soft tokens, and so on. For individuals? Well, there’s vigilance… and listening to people like me when we tell you not to use the same passwords, and not to write them down, and to change them frequently.
In my next article I am going to use a lot of the tools I discussed in this piece to demonstrate why your work laptop should only be used for your work resources.
I am not going to lie to you and say that every environment that I manage or have managed is an optimized Secure, Well-Managed IT Environment. It’s just not true.
In a secure, well-managed IT environment we monitor to make sure that things are working the way they are supposed to. When we spin up a new server, for example, the proper agents are installed for anti-malware and monitoring without our lifting a finger. Tuesday evening a new server is spun up, Wednesday morning it is already letting us know how well it is running.
But what about the other environments? Many smaller environments do not have automated deployment infrastructures that make sure every new server is built to spec. What do we do for those?
The answer is simple… where automation is lacking we have to be more vigilant in our processes. When a new server (virtual or otherwise) is created, we not only install an operating system… we also make sure we add the monitoring agent, the anti-virus agent, and make sure you schedule proper backups because if you don’t it will all ne for naught if everything goes down.
So the answer is to make my environment completely automated, right?
Well, yes of course it is… in an ideal world. In the real world there are plenty of reasons why we wouldn’t automate everything. The cost of such systems might outweigh the benefits, for example… or maybe we do not have an IT Pro managing it, just the office computer guy. Ideally we would get that guy trained and certified in all of the latest and greatest… but if you work in small business you know that might not always be the reality.
So what IS the answer?
Simple. I have a friend who has made a fortune telling people around the world how to make checklists. I am not the guru that Karl is, and you don’t have to be either. But if you do have a manual environment, spend the time to make a checklist for how you build out systems – make one for servers, one for desktops, and probably one for any specific type of server. You don’t have to do it from memory… the next time you build a machine write down (or type!) every step you take. 1) Create virtual machine. 2) Customize virtual machine. 3) Install operating system… and so on. When you are satisfied that your system is built the way you want it (every time) then you should try it again… but rather than using what you know, follow the checklist.
These checklists, I should mention, should not be written in stone. There are ten rules that were so written, and that’s enough. Thou shalt not murder is pretty unambiguous. Thou shalt install Windows 8.1 may change when you decide to upgrade to Windows 10. So make sure that every time you use the checklist you do so with a critical eye, trying to see if there is a way to improve upon the process. The Japanese word for this is Kaizen. They are pretty good at a lot of things from what I have seen
True story: I gave this advice to a colleague once who thought it was great. He started creating checklists, and had his employees and contractors follow them. One day he invited me for a drink and told me a funny story. His client had been using System Center Operations Manager (SCOM) to monitor all of their servers. He had a checklist that included installing the SCOM agent in all servers. One day the client decided to switch from SCOM to SolarWinds (a great product!) and after several weeks he decommissioned his SCOM infrastructure. Six months later the client (a pretty big small business) complained that since they switched from SCOM to SW all of their new servers kept reporting a weird error. It seems that the IT Pro who was following the checklists had continued installing the SCOM Agent into their servers, and since it could not find a SCOM server to report to, it was returning an error. As I said, these checklists should be living documents, and not set in stone.
There is no one right or wrong answer for every environment. What is a perfect inexpensive solution for one company might be cost prohibitive for another. The only thing you have to do is use your mind, keep learning, use common sense, and keep reading The World According to Mitch!
I have been watching the numbers on the site for years. This month we have broken almost every record for the site’s history. A couple of hours ago The World According to Mitch welcomed its 20,000th visitor for the month of August. That is by far a record… and considering today is only the 28th, the bar will be set VERY high! :) Thank you to all of my readers! -Mitch
I was in the army and did not own a computer. I had vowed to put the world of computers behind me. But twenty years ago today, on August 24, 1995, Bill Gates got on to the stage and launched Windows 95.
Microsoft Windows was, of course, already ten years old at the time; Windows 1.0 was released in 1985 with very little fanfare or acceptance. Windows 2.0 was really only used by people who wanted to use Ventura Publisher (a desktop publishing package). Then when Windows 3.0 (and later 3.1 & 3.11) came out there was already a bit of an uptake. But it was Windows 95 that really made a difference. Before that day the majority of the mainstream had no idea who Bill Gates was… but they know now.
Thirty years after the launch of Windows and 20 years of Windows 9x and everyone knows who he is. Microsoft changed the world, although whether it would have changed without them is a fair debate.
Happy birthday Windows 95… Many happy returns!
It is almost ten years since I started blogging. It is hard to believe that it has been that long, but there it is… A little over twelve years ago I registered my first domain and opened my own website, and I used that as a pulpit from which to to ‘speak’ to the masses. I was thrilled when I got 20 hits in a week.
Although my blog has moved a few times (and has been renamed once) I have always said that I do not do it for the money… mostly because there has never been any. I have never sold an ad, never accepted money to post an article. Don’t get me wrong, the fact that I have a site with nearly 900 articles on-line does lend to my professional credibility, and I am sure that has brought me business over the years. My reasons are not entirely altruistic. Primarily so, but not entirely.
Sometime in 2014 I followed a friend’s advice and posted a ‘Donate’ button. It took me a few minutes on PayPal figuring out how to even do it, but I did… and then I forgot about it. Why? Because nobody ever clicked it, but mostly because I have never blogged for the money, and was not going to start now.
It happened last week. I got an e-mail from PayPal notifying me that someone had sent me $5. I assumed it was a refund I was waiting for from eBay. I went to see if I was right, and I was not… someone had found one of my articles very useful, and made a donation! I was elated!
Of course, over the years I have received hundreds of thank-yous for different articles; people have left comments, I have had people buy me drinks, and dinners, and coffees, and once a small stuffed animal. But after a decade this was the first time I had reaped financial gains from the blog. Yes, it was only $5… but that is $5 more than the reader had to send.
I don’t want any of you to think that this is a whole ‘I have my hand out’ article… that is not the intent. I was just happy about it… and happy is a good way to end a week. Happy Friday!
Over the years I have consulted for many companies, from really small to really large. I have managed organizations of five users, and of fifty thousand. I realized a long time ago – and have never been shy in saying – that while the two are very different, the truth is that while Enterprise policies can be modified to SMB (Small & Midsized Business), the opposite is hardly ever true.
I was reminded of this recently when a friend of mine who manages a small company lamented to me that he couldn’t get his users to lock their computers when they leave their desks. This is certainly a subject that I am familiar with, and have seen it happen many times in businesses large and small.
In large companies it is easy to decree, and more often than not an IT Manager will get corporate buy-in. The truth is, it is impossible to know who in a large company may be on their way out, or looking for ways to embezzle, or a hundred other scenarios that would cause people to see an unlocked workstation as a prize.
But what about in a smaller company? Say, a company with ten employees who are all family, friends, or at least very friendly. The type of organization where everyone knows everyone’s business not because of gossip, but because everyone shares? The type of organization where everyone trusts everyone and for good reason. Should the policy be any different in this type of company?
Let’s face it: unless you are an IT service provider then chances are that most of the people in the company will not understand IT; they will simply use their computers for their needs, and assume that their computer come on because that’s the way it is. They do not understand IT… and they frankly do not need to understand IT, as long as their computer keeps coming on.
So in a large organization with written Policy & Procedure statements for proper computer usage, it is easy to mandate how users may use their computers. If they are curious about a policy that does not make sense to them then they are free to ask IT about it, but at the end of the day they are not allowed to simply ignore the policies that they do not like, understand, or agree with.
In a smaller organization things can be trickier. For one, there is seldom a written document outlining how people can use their systems, and when there is one, it is usually harder to take any real action against someone, unless the IT department has complete executive buy-in… and how often do you think that is?
When I was at Microsoft there was a written rule that anyone leaving their computer unattended for any period of time must lock it. There was another written rule that we were forbidden from touching anyone else’s workstation for any reason. There was, of course, a third rule that nobody was allowed to enter the office who did not belong there. Okay, we should be covered. On the odd occasion when someone did leave their workstation unlocked, the worst that might happen is that someone on the team would send out an e-mail from that person’s computer that they (the person who had left their unlocked workstation unattended) were buying beers for the team. More often than not, it wasn’t even that.
There used to be a website called www.unlockedworkstation.com. It was a common tool used by IT tricksters to remind people who had made the mistake once to not make it again. I was quite fond of that particular trick… but the page disappeared at some point, and what can you do?
All of these tricks that people play may be cute and funny… but what are the real ramifications of leaving a workstation unlocked? Lost or stolen or otherwise compromised data, people reading compartmentalized documents that they should not be able to, not to mention what they could do if you have passwords saved for your accounting or HR or any websites including banking. It can be costly or disastrous.
Are any of these likely or possible in a smaller, family-type company? Probably not. However there are best practices in IT, and if the Enterprise best practices that apply to large corporations are applied to a smaller organization are generally a good idea… especially when people take their laptops out of the closed and safe confines of their locked office. If they are not used to locking their workstation every time they stand up from their desk, are they sure to remember to do so when they stand up to go to the restroom in a cafe? What about when they are at a client meeting, or trade show? When an action is drilled into you, eventually it becomes a habit that you will do the same every time, whether in private or in public.
I have known a lot of IT Pros throughout my career, and most of them are not megalomaniacal power-hungry fiends who impose rules just to show that they have authority. The policies that they set are not meant to prevent users from working, they are meant to protect the company, and to enable the worker to work safely.
So should a seemingly useless policy like forcing end-users to lock their computers be enforced in small businesses? The answer is yes… just like they should have to change their password every 30-60 days, they should have to have a screen saver, and they should not be allowed to leave corporate secrets on the table at Starbucks. It’s just common sense.
Now getting them to comply… that’s a different fight!
When I first got into IT after the army my boss at the time was big into Linux… which didn’t bother me at all, because I wasn’t really ‘in to’ anything. I certainly knew Windows better than I knew Linux, but I was just happy to be there. There was one concept that I had the hardest time understanding, and that was virtual desktops.
It didn’t come up very often, but when it did (especially at one particular customer) he would show it to me… but it took me the longest time to finally understand… we were working on the same computer, and the prompt (bash) looked the same… but when we pressed that magic key combination we were all of a sudden working in a completely segregated memory space; so if we had a process running on Desktop 1, we could port into Desktop 2 and continue working. I really just didn’t get it.
I finally got it of course… I never really used them much beyond that though, because I left Saturnus and spent most of the next twenty years working with Microsoft technologies… and of course Microsoft did not have Virtual Desktops.
Of course they probably had a decent rationale… with Windows you did not actually need to segregate desktops because you could run multiple applications simultaneously, and just minimize the ones you weren’t using. I suppose that made sense… but when Linux implemented a GUI and they still had virtual desktops (I specifically remember seeing a Novell implementation of it) even with the ability to minimize apps.
Well guess what… they do now! In Windows 10 Microsoft has implemented a new technology that the Linux world has been using since at least the mid-1990s. I can now, on the same computer (logged on as a single user) segregate what I am doing between desktops… in other words, I can have all of the applications I run for my personal use – say, blogging and Internet banking – running on a single desktop, and have all of my work applications – say, e-mail, Excel, and Hyper-V – running on a separate desktop.
This all sounds good… and I like how it works. It took me a few minutes of playing with it to figure out how to have two instances of the same program (say, Microsoft Office Word 2013) running on separate desktops. It does work, but it’s a bit of a workaround.
Stop talking and show us how!
Yes, I know… I am verbose. Here’s how you do it:
To create a new virtual desktop simply click Ctrl + WinKey + D (Get it? New Desktop). Alternately you can open the Task viewer and click the New Desktop icon in the bottom right corner (see screenshot).
Switching between desktops is also pretty simple. From the keyboard simply hit Ctrl + Winkey + left-arrow or right-arrow.
(I would have loved to be able to set different desktop wallpapers for each virtual desktop, but so far I haven’t figured that out).
To move a running app between virtual desktops, open the Task view, then right-click on the app you want to move.
As you see, you will have the option to either close it or move it to another existing or new desktop.
And so how do you have two instances of the same program open in two different virtual desktops? Simple… open a second instance of it in the existing desktop, and then move that second window to the different virtual desktop. You would think there would be a cleaner way…
Okay, this is all very nice functionality… but is it really new to Windows? If you are a regular reader of this blog you probably know a thing or two about SysInternals (https://technet.microsoft.com/en-ca/sysinternals). There has been a SysInternals tool called Desktops (https://technet.microsoft.com/en-ca/sysinternals) for several years that does exactly this. So is it really new? Or is it another case of Microsoft saying ‘Okay, we have this new OS… what can we add in to make it look better, without spending a lot of time coming up with something new?’ Don’t get me wrong, I like the functionality… but to call it New is kinda pushing it. Linux (free) has had it since 1995, SysInternals (also free) since 2010… and now it’s in Windows so we should be excited. Okay, I’ll get right on that… tomorrow.
Don’t get me wrong… I like Windows 10, and I like Virtual Desktops. But calling them a new feature is pushing it a little. Next thing you know they will include BGInfo and ZoomIt in Windows 10.1 and we will all be expected to jump up and down.