LastPass for Password Management

  LastPass is a fantastic online, cross-browser, multi-platform password management solution that I have been using for just over a year now, and I must say that it is a great service.

Most of us have multiple web sites that we use on a regular basis that require a username and password to log in and gain access to the site.  I, for example, use the web quite heavily.  In addition to having several traditional e-mail accounts, I do my banking online, pay most of bills through company web sites and have accounts with various vendors: Amazon and Netflix, for example, just to name two.

The problem comes in creating secure passwords for all of these various online entities. For security purposes, it is essential to use a password that is not easily guessable:  long passwords that are not in the dictionary.  Ideally, the password should be a mix of upper and lower case letters, numbers, and 'special characters' (%$&*@#, for example).  Furthermore, each of the various web sites that you have accounts with really should have their own unique password.

So the question is how to manage this list of long, non-guessable, non-dictionary, site-by-site-unique passwords: enter LastPass.  I have used other solutions for this problem (KeePass and Password Safe come to mind), but I believe that LastPass is the best.

The Basics

To use LastPass, you create an account at lastpass.com using an existing e-mail account as your username and one very good password that will be your LastPass master password.  You then download a browser plugin for any or all of the browsers you use (IE, Firefox, Safari and Chrome) on either Windows, Mac or Linux.

Once installed, you use the plugin to log in to your LastPass account.  Then, as you navigate the web and log in to the various web sites that you do business with, LastPass will ask if you want it to remember the site's login information for you.  LastPass stores all of your various web sites login information in an encrypted database on your computer.

Now, if you were like me and had some not so strong passwords here and there, now is the time to change them.  I would recommend logging in to all of the various web sites that you use and change the passwords to something secure and allow LastPass to remember it for you.  And creating a secure password is easy because LastPass also has a Generate Secure Password function built in to the plugin.

Cloud Synchronization

There are lots of password storage tools available, but LastPass not only keeps a copy of your encrypted password database on your computer, it synchronizes that database to their servers 'in the cloud'.  This not only means that you have an encrypted backup of you password database, but any computer on which you subsequently install the LastPass plugin can be used to log in to your LastPass account and get the same password database.  Any change to your password database from one computer is synchronized to all others.

Security

One of the things that makes LastPass so appealing to me is that your encryption key is never stored anywhere, and at no time does LastPass have the key for your password database.  As explained by Steve Gibson in episode 256 of Security Now, when you attempt to log in to LastPass, your username and password are concatenated and hashed via SHA 256.  This hash value is used as the encryption key for your password database using AES 256.  Your password is then concatenated with this AES key and hashed again. This hash value is used to authenticate with LastPass in order to synchronize your database.

Other Features

Here are just a few of my favorite features.  Most are free, but some require a $12/year  premium subscription.

• Secure Notes - Save a simple text note that you want to keep private.
• Form Fill-In - Save name, address, and credit card information securely for fast web site form fill-in. 
• Multi-factor Authentication using Sesame application or using a YubiKey.
• Offline database decryption using the Pocket Pass application.
• Mobile applications for your smart phone.

More Information

• Lastpass.com
• Steve Gibson's review on the Security Now podcast  

iOS 4 for the iPod Touch

I am sure that most people are aware that this week Apple is releasing its latest iteration of the iPhone: the iPhone 4. With the upcoming iPhone 4 release, Apple has pushed the newest version of the iPhone/iPod OS, iOS 4, to older iPhone models, as well as the iPod Touch. And while Apple claims to have added "over 100 new features", there are two new features that I find particularly useful: multitasking and folders.


Multitasking

Multitasking obviously isn't anything new to the computer world, but it apparently is to the iPhone/iPod. With the iOS 4 update, a double-tap of the Home button reveals a small horizontal bar at the bottom of the screen that shows all the apps currently running.  The screen shot to the right is from my iPod Touch and shows the four most recent applications that I opened.  A swipe to the left on the task bar reveals more and more apps.  

Folders

Another new feature is the addition of 'folders' to the home screen.  This makes it much easier to organize various related apps by simply dragging icons from one app onto another.  For example, I created folders called 'Games', 'Books', 'Social', etc. To access the apps I just tap the folder icon and it opens to reveal a small horizontal bar in the middle showing the apps for me to choose.

Bruce Schneier: Uber Nerd

For the past several weeks I have enjoyed reading and studying Bruce Schneier's book "Applied Cryptography".  Now, while I have no aspirations of becoming a cryptanalyst, it has been an interesting study during my down time between semesters.  I'm now up to the chapter on cryptographic hash functions: oh the suspense is killing me.  But I digress.

One little nugget I thought amusing was something Bruce wrote in the preface of his book.  I know. I know. "You actually read the preface?", you ask.  Yes...sadly.  Anyway, in the preface to his book, Bruce waxes poetic for a couple of pages explaining how important it is that the citizens of a free nation be allowed the right to keep their data and communications encrypted and secured against unauthorized government eavesdropping (a.k.a. illegal wiretapping).   He sums up his discussion writing, "The lesson here is that it is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics [emphasis added]."  I have never thought of math as a weapon. Bruce Schneier: Uber Nerd.

Clean Install of Windows 7 - via the Upgrade Media

Recently, Paul Thurott explained how to do a clean installation of Windows 7 using the Windows 7 upgrade version.  Of course you need to actually own a previous version of Windows to qualify for the upgrade, but what PC user on the planet doesn't?  Now, Paul is not advocating software piracy, and neither am I, but when I upgrade to a new OS, I want to do it cleanly: wipe the hard drive and start fresh.  And what if I need to replace my hard drive at some point.  Does Microsoft really expect me to first install a previous OS version just to have something on the hard drive for Win 7 to upgrade: ludicrous.  Click here to go the WinSuperSite and see how to do it.

If you don't need the screen shots of the procedure, here's important part about the registry hack. Just be sure not to try to activate Windows or give it your product key during the installation itself.  You'll do that later. From Mr. Thurrott:

After performing the clean install, ensure that there are no Windows Updates pending that would require a system reboot. (You'll see an orange shield icon next to Shutdown in the Start Menu if this is the case).

Then, open regedit.exe with Start Menu Search and navigate to:
HKLM/Software/Microsoft/Windows/CurrentVersion/Setup/OOBE/

Change MediaBootInstall from "1" to "0".

Open the Start Menu again and type cmd to display a shortcut to the Command Line utility.

Right-click this shortcut and choose "Run as administrator." Handle the UAC prompt.

In the command line window, type: slmgr /rearm

Then tap ENTER, close the command line window and reboot. When Windows 7 reboots, run the Activate Windows utility, type in your product key and activate windows.

How to network Windows XP with Windows 7

It hopefully won't be a surprise to anyone that the latest version of the Microsoft Windows operating system (Windows 7) was released last Thursday.  Since then I have successfully installed Windows 7 at home and at the office.  The one place I did not install Win 7 was on my Dell Mini netbook.  I attempted that during the summer using the last beta version of Win 7 but with disastrous consequences.  As a result, I was in a situation of needing to network my netbook, running Windows XP, with my desktop, running Windows 7.  Having spent some time and effort figuring out how to do it, I decided to write up the procedure formally so that I would have it as a reference, should I need to redo the whole thing in the future.

If you are in a similar situation, then keep reading; I believe you'll find the rest of this post useful, but be forewarned, it gets a bit tedious.  For the purposes of keeping the blog post relatively short, I am only posting the text version of the procedure here.  If you're interested, you can download a PDF version (which includes screen-shots of the various procedures described) from here.

Ready? Here we go...

---

The following document explains how to network a computer running Windows XP with one running Windows 7.   This is most likely useful in a home setting in which someone wants to connect a netbook running XP with a desktop running W7.  For security reasons, if you’re connecting the netbook wirelessly via a wireless router, be sure to use WPA-2 (a.k.a AES) encryption to connect your netbook to your network (WEP is completely useless).

The procedure consists of:

1. Assigning the same workgroup name to both the XP and W7 computers.
2. Creating a password-protected standard-user account on the W7 system.
3. Configuring the network settings on the W7 system to allow network and printer sharing.
4. Choosing which folders on the W7 system to share.
5. Logging into the W7 system from the XP system.

1. Assigning a Workgroup name in XP
   a)  Log in to an administrator account on the XP machine.
   b)  Right-click My Computer and select Properties to pull up the System Properties window.
   c)  On the System Properties window, select the Computer Name tab, and click the Change button to assign your workgroup a name.
   
   
2. Assigning a Workgroup name in Windows 7
   d)  Log in to an administrator account on the W7 machine.
   e)  Right-click My Computer and select Properties to pull up the System window.
   f)   On the System window, click Change Settings under the Computer name, domain, and workgroup settings section and assign the same workgroup name as on the XP machine.
   
   
3. Creating a user account in W7
   a)  Next, create a password-protected standard-user account in W7.  This will provide an account for a user on the XP computer to use to login to the W7 system.  On W7, go to Control Panel,  User Accounts and click Manage another account.
   b)  On the resulting Manage Accounts window, click Create a new account and create a standard user account. Be sure to assign the account a password
   
   
4. Configuring Network Sharing in W7
   a)  Go to the Control Panel and select Network and Sharing Center.
   b)  On the left pane of the Network and Sharing Center window, click Change advanced sharing settings.
   c)  On the Advanced sharing settings window, there are two groups of settings to configure: Home or Work and Public.  In Windows, each user account has its own set of folders for My Documents, My Pictures, My Music, etc.  In W7, there is also a set of ‘public’ folders: Public Documents, Public Pictures, Public Music, etc.  These ‘public’ folders are meant to be a shared repository of data that can be shared with all user accounts on the computer.  You need to configure the Home or Work settings separately from the Public settings.  I did not want to use the ‘public’ folders, so I turned that functionality off.
   
   I set the following Advanced sharing settings:
   
   i.    Home or Work (current profile)
   
   •    Network Discovery: on
   •    File and printer sharing: on
   •    Public folder sharing: off
   •    Media streaming: N/A
   •    File sharing connections: 128-bit encryption
   •    Password protected sharing: on
   
   ii.   Public
   
   •    Network Discovery: off
   •    File and printer sharing: off
   •    Public folder sharing: off
   •    Media streaming: N/A
   •    File sharing connections: 128-bit encryption
   •    Password protected sharing: off
   
   Once finished with these settings, click the Save Changes button at the bottom of the Advanced sharing settings window.
   
   With this configuration I am not using the ‘public’ repository of folders, but will choose which folders I want to share later.  I am also requiring that a user of the XP computer provide a user name and password to connect to the W7 system (more on that in a bit).
   
   
5. Sharing a folder in Windows 7
   
   a)  While still logged in to the administrator account on the W7 machine, right-click any folder that you want to share, hover over Share with and then click Specific people…
   b)  Choose to share the folder with the password protected user that was created earlier.
   c)  Assign either Read or Read/Write privileges for the folder and click the Share button
   
   
6. Connecting XP to the shared W7 folder.
   
   a)  Now, back on the XP machine, map the remote W7 folder as an XP network hard drive.  To do this, right-click on My Computer (in XP) and click Map Network Drive…
   b)  On the resulting Map Network Drive window, pick an unused drive letter, click the Browse button, and browse to the W7 folder that you want to connect to.  Click the Finish button when you’re…um, finished.
   c)  Now you have a network drive on the XP system (Z: for example) that maps to the shared W7 folder.  Double-click the network drive to connect to it.
   d)  When you try to open the mapped drive you’ll be prompted for a username and password.  Use the W7 standard user account user name and password that was created earlier and click.

Ta Da