Category Archives: security

A practical guide to using KeePass password manager

Thinking about using a password manager that is free and secure, but have your doubts about the online ones? Well, lucky you: this is just the post you are looking for.
With all these hacks and breaches going around, you shouldn’t be reusing passwords and you know it. Instead, you can let a password manager generate long, gibberish-like random passwords for all your logins. That way hackers have to throw a thousand cores and millions of years at them before they can crack them. If they crack one anyway, it won’t matter much because it will only work on that one site.
Trusting all your passwords to a piece of software? Is that a good idea? What about if I need my passwords on another machine, or my phone? What if I’m on vacation?
I’ve been storing all my passwords in KeePass for many years now, so I’ll share my setup. You can use this as inspiration to set up your own KeePass flow.

Why KeePass

There are a few cloud-based alternatives out there but when I started with KeePass those weren’t around yet or I didn’t know about them.
I thought about switching to one but eventually didn’t because:

  1. They are not free or have limited free plans.
  2. They use proprietary software, so you can’t tell how they work or whether they really store your passwords safely. KeePass however is open source and has been audited for security in the past.
  3. Storing all your passwords on a server owned by someone else without a local backup sounds like a bad idea to me.
  4. Some can’t be used for anything other than websites, like desktop app credentials, SSH logins and other weird and geeky stuff you need random secrets for.

Yes, they are slightly more convenient and look a bit more polished. But for me that doesn’t outweigh the extra control I get with KeePass.

Installing KeePass

KeePass exists for Windows, Linux, macOS and Android. It’s a typical installation. If you’re as geeky and paranoid as me, you download it from the official site and check the md5 hash of the installation files against the one published there. That way you’re 100% sure you didn’t download some altered or hacked version. It hasn’t happened with KeePass before, but it did happen to the Linux Mint ISOs at one point, so you can never be sure.

There is a getting started guide on the KeePass website that guides you through setting up and creating a first database. This Lifehacker post does the same thing and also has some nice screenshots for guidance.

Securing your password database

When it comes to securing your password database, you have to make sure the master password that unlocks it is of course a pretty damn good one. It has to be as long as possible (at least 10 characters, but more is better): upper case, lower case, numbers, special characters, the whole shebang. On top of that, you’ll have to be able to remember it too. So I guess this is one of the hardest bits.
There are tricks to make this easy though. Think of a good phrase you can easily remember, or any list of words. Take the first letter or first few letters of each word, mix them up with some special characters and you end up with something hard to crack and easy to remember.
Or just come up with a good passphrase of random words you can remember. Don’t use Correct Horse Battery Staple or a popular song lyric, because they are probably in some password list database already. You can generate a random passphrase using the EFF word lists and some dice, or use one of the many generators online.

Just be original. Or try anyway.
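As an added example (not code from the original post), here is how the EFF dice method works: five dice rolls form a key that selects one word from a 7776-entry list, and each word adds log2(7776) bits of entropy. The embedded word list is a constructed stand-in with the same 7776 keys as the real eff_large_wordlist.txt; `parse_eff_wordlist` reads the real file's format, so you can drop the downloaded list in instead.

```python
import math
import secrets
from itertools import product

DICE_SIDES = 6
DICE_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** DICE_PER_WORD  # 7776 entries in the EFF large list


def parse_eff_wordlist(text: str) -> dict:
    """Parse the EFF list format: one '<5 dice digits><tab><word>' entry per line."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split("\t", 1)
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word.strip()
    return words


def roll_key() -> str:
    """Roll five dice with a CSPRNG (secrets, not random), e.g. '42315'."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1) for _ in range(DICE_PER_WORD))


def passphrase(words: dict, n_words: int = 6, sep: str = "-") -> str:
    """Pick n_words entries by dice roll; refuses an incomplete list so no roll can miss."""
    if len(words) != LIST_SIZE:
        raise ValueError(f"word list must have {LIST_SIZE} entries, got {len(words)}")
    return sep.join(words[roll_key()] for _ in range(n_words))


def passphrase_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of a random word passphrase: every word adds log2(list size) bits."""
    return n_words * math.log2(list_size)


def charset_bits(length: int, charset_size: int = 95) -> float:
    """Entropy of a random character password (95 = printable ASCII), for comparison."""
    return length * math.log2(charset_size)


# Constructed stand-in for the real list: the same 7776 keys, each mapped to a
# placeholder word 'w<key>'. Replace with the contents of eff_large_wordlist.txt.
CONSTRUCTED_LIST = "\n".join(
    "".join(roll) + "\tw" + "".join(roll) for roll in product("123456", repeat=DICE_PER_WORD)
)

if __name__ == "__main__":
    words = parse_eff_wordlist(CONSTRUCTED_LIST)
    print(passphrase(words))
    print(f"6 words: {passphrase_bits(6):.1f} bits vs 10 random chars: {charset_bits(10):.1f} bits")
```

Six dice words come out at about 77.5 bits, more than a fully random 10-character password (about 65.7 bits), which is why the word method beats the "10 characters, the whole shebang" minimum while staying memorable.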

Small steps

When I started out I didn’t trust KeePass enough to dump and change all my passwords from day 1. I started out simple, by adding new sites I registered to and using randomly generated passwords from the built-in password generator. Later I added sites I frequently used and changed their passwords to more complex ones. Now everything is in there. Not every password is random though. Really important accounts I have in my head too, using a unique, complex password that I can still remember. Really important accounts also have 2-factor authentication activated, so even if a hacker finds the password, they still won’t get in.
Knowing those key passwords is also a fallback in case I don’t have access to my KeePass DB for some reason.

Syncing the DB

Now you want to use this on more machines than just your laptop I guess.
There are a few options:

  1. You put the DB on a thumb drive you always have on you. This is a good backup too. You can use PortableApps or a portable KeePass version on the thumb drive and use it anywhere like that.
  2. You sync the DB to your favorite cloud drive and sync it to every machine you want to use it on.

I use Dropbox myself which is great for this to sync between home, work and my phone. OneDrive would also work as it works pretty much the same way.
If you want to get your own Dropbox drive (2 GB free), use this link. Use that to get 500 MB bonus space, and so do I ;).
There are also a number of plugins for KeePass to sync to Google Drive, FTP, and other online providers, so I’m sure you’ll find something you like.

On your phone

Photo: phone closeup with SIM card and micro SD card.

If you want access to your passwords on your phone, you’ll need some extra apps. I use Android myself, but I’m sure the same apps exist for iOS.
You will need 2 apps, one to be able to open and use the database, and then something to sync the file to your phone. Unless you do that manually, but I wouldn’t advise it.

To use the database there are plenty of options when you search for KeePass, but the best one I’ve used so far is Keepass2Android.

For syncing the file to my phone I use Dropsync. This syncs a Dropbox folder to a folder on your phone. You can use the free version if you’re only setting up 2 folders.
You can also use the Dropbox app itself and mark the file to be available offline, but I’ve noticed this doesn’t always work. I often ended up with an old version of the database when I needed it.
Maybe in the future this’ll get better, but until then, Dropsync is what I’m using.

Extensions

KeePass has a ton of plugins allowing you to customize it for all sorts of things. There are plugins to have it integrate in your browser, synchronize files over all sorts of protocols and services, export, import, add visual features and whatever.

I use as few plugins as possible though, as each plugin has access to your database and could be a vulnerability. Yes. Tin-foil hat here. But LastPass’ Chrome plugin leaked your login credentials a while ago, so there you go.

By using the standard keyboard shortcuts on PC you can get a long way already. Be sure to check out the Auto-Type override documentation if you have a website which isn’t playing nice with the defaults. You can find a way to get it to work for 99% of the websites out there. The other 1% just have really shitty UX.

join the EFF summer security reboot and get some cool dice

The Electronic Frontier Foundation is on the forefront when it comes to defending our digital rights. Even as a European I think they are doing important work, even though they are mostly US-centric, because whatever happens in the US ripples over the pond and affects Europe and the rest of the world anyway. That means that, next to larger fast-food portions, increased digital surveillance is on its way to the EU as well.
Besides protecting our digital rights, they are the authors of a number of awesome security plugins and tools like the HTTPS Everywhere and Privacy Badger browser plugins, and a driving force behind the Let’s Encrypt free website certificate tool set.

Besides a lot of security tools and tips (see the site & newsletter), they now have a Summer Security Reboot fund drive where you can get a cool, geeky, secure-password-generating dice set for a mere $20 membership until the 20th of July.

So if you like what they are doing for a secure and free internet in the future, go check them out and get yourself some cool dice in the process.

If you feel more like donating to an EU-centric counterpart of the EFF, you can check out EDRI.org instead (no dice there though).

Photo by Violet Blue, cc-licensed.

disabling Dell software without uninstalling

Yes, a cat. Cause it's the internet after all.

You know how it goes. You get this new and shiny computer from big computer company X and with it you don’t only get your OEM licensed Windows OS but also some “super handy” tools X happened to install just for you.

Dell is no different, so mine came with Dell Data Vault, Dell SupportAssist and Dell Update Service. All of this is (of course) for your own benefit, to update your machine to the latest drivers and blah blah blah, even though anything crucial is sent through Windows Update anyway.

The downside is that these things are constantly running and using up your precious CPU and memory, while you’ll probably never need them. Ever. Oh, and they also come with some security vulnerabilities apparently, which is always a good reason to kick their butt.

I don’t know what Dell Data Vault even does and don’t care to either (it’s backup software, probably). To make things worse it even causes my system to lag sometimes, which I notice because my audio glitches when that happens. I don’t always listen to breakcore, you know, so I do notice that sometimes.

I also noticed that uninstalling Dell Data Service is pointless as (I think) the Dell UpdateService will just reinstall it. Which sucks.

So I see two options.

  1. Uninstall all Dell-related software. This is kinda drastic and you might want that stuff if you need support after all.
  2. Disable the software and prevent it from starting up altogether.

So how do you stop those services from starting up automatically? Here’s how:

  1. On your desktop, press WindowsKey-R. This brings up the Run prompt.
  2. Type services.msc and hit Enter. This brings up the list of services installed on your machine.
  3. Look for the Dell ones in the list.
  4. Open them, one by one, and in the General tab select the startup type “Disabled”.
  5. Hit “OK” to save.

Screenshot: how to disable a service from auto-starting.

Note that in the screenshot I’m disabling a completely innocent service for demonstration purposes, as I don’t have a Dell machine handy with an English version of Windows on it.

From now on those pesky services won’t be wasting your resources anymore, until the day you might need them again. All you have to do then is go back into the services console and switch the startup type back to Automatic and save.
Then right-click the services in the list and choose “Start”, or simply reboot the machine.

But we’re not quite there yet. There’s still the case of PCDoctor and the SupportAssist client. Those sneaky startups are hidden in the scheduled tasks. You can disable them using the Task Scheduler like this:

  1. Press WinKey-R, type Taskschd.msc and press Enter.
  2. In the list of scheduled tasks in the root node you’ll see a “Dell SupportAssistAgent AutoUpdate” task or something similar.
  3. Right-click the task and choose “Disable”.
  4. Repeat for any other Dell tasks in there.

They don’t all have “Dell” in their name, but if you check the Action tab below, the path to the executable will give them away (like in the screenshot). In my case I had some additional PCD (PC Doctor) tasks and one SystemToolsDailyTest task to disable.

Another good way to disable scheduled tasks is from the CCleaner tools menu, or by using the SysInternals Autoruns tool.

Screenshot: the name of the task doesn’t tell, but the path to the executable does indicate it’s a piece of Dell software.

This worked for me, but as is mostly the case with things you find on the internet… use this info wisely and at your own risk. ;)

Photo by Massimo Regonati, cc-licensed.

reset the net

On´n´Off - Going into standby mode

It’s on!

If you want to kick some NSA buttocks and claim your privacy then get yourself this reset the net pack and install some super-duper encryption for your PC, Mac and phone(s).

There ain’t that much on there really, but if you scroll down to the Other Resources section there are links there, like the Prism Break one I mentioned before, which contain tons of (more techy) tools and software for all your stealthy encryption needs.

Photo by Sven Seiler, cc-licensed.

time to change some passwords

Untitled

So you’ve probably heard of that nasty heartbleed bug this week. If you’re still using the same password all over the place, you can now see why that’s a bad idea. If you don’t want to get your accounts hacked, now is a good time to start using KeePass and have random, hard-to-crack passwords for your non-essential accounts, and hard-to-crack ones you can remember for the accounts you need access to without any additional software.

Also, two factor authentication baby. Use it.

Picture by Baie, cc-licensed.

how to secure your wordpress blog

carcassonne

WordPress is popular, and as with all popular software, it becomes a target for hackers trying to take over your site and use it to send spam into the world, or just cause some other kind of mayhem.

To protect yourself from this kind of trouble, there are a few things you can do to prevent bad things from happening to your precious WordPress site.

  1. First of all, keep your WP software up-to-date. There are usually some security fixes in there and you do want to have those live on your public-facing site. Hackers know what the vulnerabilities are in old WP versions and scan the internet automatically for unpatched sites. Don’t become an easy target by not having the latest version of WP installed. The latest version of WP (v3.7.1) can install security updates itself, which is awesome. Be sure to check if your site supports this and activate it if it does.
  2. Keep your plugins up-to-date as well, for the very same reason. Old plugins can offer a way in for hackers and we don’t want that to happen.
  3. Delete (old) plugins you don’t use anymore, or replace them with newer ones. JetPack has a lot on board out of the box now, so you can probably ditch a few old plugins. The fewer plugins you have, the fewer possible vulnerabilities your site has.
  4. Take regular backups. In case something goes wrong, you can at least restore a version you know isn’t compromised.
  5. Harden your WP site by configuring your .htaccess file if your site runs on an Apache web server. It’s explained nicely how to do that in the link. It can prevent hackers that do get access through a bad plugin from doing any more damage to the rest of your site.
  6. Use a long, hard-to-guess and preferably random password for your admin account. Using a different admin user is also a good idea. Brute force login attempts are made against the default “admin” user, so if that one has a long random password you’re pretty safe there. You can use something easier to remember for an alternative admin account if you want, but I recommend you use something like KeePass to manage long & unguessable passwords anyway.

Here are some plugins that can help with these tips:

  • WordFence scans your site for possible vulnerabilities by checking your installed WP and plugin files against the ones from the official releases. It also helps with the first 2 tips by warning you by email if a plugin or WP itself needs an update. Quite handy.
  • All In One WordPress Security & Firewall plugin scans your site settings for security vulnerabilities and helps you get rid of them. It also has a firewall built in.
  • WP Security Audit Log won’t prevent anything, but it keeps track of logins, updates of plugins etc., so that if something weird happens, you can use it to figure out the “when” and “what”.
  • A backup plugin. There are plenty and you should pick one that fits your needs. I’ve used BackUpWordPress for a DB backup only, but it can also back up the files. It sends you an email with either the zipped backup or a link to download it if it’s too big to stuff in the email. Another good option is UpdraftPlus, which can back up your files & DB to remote storage like Google Drive or Dropbox, among others. Your host might also have a full backup feature, which is usually the best option anyway as it will back up more than just your WP site.
  • BruteProtect protects (as it says) against brute force login attempts, a problem a lot of WP blogs had to deal with lately. Next to that you should of course make sure you have a complex password for your admin account.
  • Bad Behavior is mainly a tool to combat spam, but since it scans for incoming malicious requests it can also block the occasional bot looking for vulnerable sites.

For a more extensive guide to securing your WordPress site, also check out this Bloggers Guide to WordPress Security. It’s long and full of great tips and guides covering a wide range of security practices like how to combat spam, CAPTCHAs and setting up HTTPS.