The Nine Joys of Paper Note-taking

Everyone takes notes. And we all have many ways to capture those precious thoughts at random times; more ways now than ever before. Tablets, phones, laptops, notebooks, Moleskines, business cards, napkins, coasters. If there's a way to write on it or with it, chances are, someone has used it to take a note.

Image: Moleskineh, Amir Kuckovic via Compfight

And while many of my peers advocate using their gadgets for journaling and writing and note-taking, I'm a bit more old-school. I prefer a fountain pen and a good, sturdy paper like the Rhodia Webnotebook.

Change Your Perspective

I'm a technologist, a software developer, so you might well wonder why I wouldn't prefer to use some gadget to capture these things and, in fact, I often have. I have electronic calendars, to-do lists, and notes of all kinds thanks to tools like Evernote, Dropbox, and others.

But when I really want to think and let my mind work at its best, nothing beats a blank sheet of paper.

I've found nine reasons for this.

  1. My eyes need a break from staring at computer screens all day and paper helps my eyes relax.
  2. A quality pen on quality paper just feels rich and special. It transports me back to another time, when great writers created whole works in this fashion that we're still reading today.
  3. Paper never interrupts me with email alerts or Twitter alerts or software update alerts or....
  4. Ink is permanent. When I write something down, I'm more hesitant to scratch it out and start over. I get a permanent record of all my thoughts even as they develop, and can revisit ideas I thought were poor at the time but which might be gems later. In pixels, I can erase a sentence, a thought, and it's just gone forever.
  5. Ink is permanent. It makes me consider my thoughts as I write.
  6. Did I mention that ink is permanent? My laptop can crash. My iPhone can get stolen. The sync service I use can go out of business. The bits and bytes that represent my data can be lost to me in many ways. But my notebook is mine as long as I hold on to it.
  7. I can easily change from text to drawing to annotation without requiring different applications. I just draw or write or annotate. Simple as thought.
  8. The finished product often has a romantic look that just makes me feel good when I look at it. No matter what font I use, I can't duplicate that on any screen.
  9. The change of perspective, from lit screen to soft paper, often gets me thinking in new and different ways.

Are there times when I capture a note into my phone? Certainly. There are always going to be serendipitous moments when I need to grab a thought and hold it for later, and nothing does that like whatever I have at hand. Usually, that's my iPhone.

But for most things, my most important thoughts, plans, and cogitations? Those are going on paper.

How about you? How do you capture your important and not-so-important thoughts? Leave a comment and join the discussion!

Guess This Password: I Dare You....

When's the last time you forgot a password? How about the last time you almost remembered a password but forgot some small piece of it? Knew basically what it was, but had made it so complex, possibly because of the rules being enforced, that you almost wrote it down, didn't, and now wish you had?

[XKCD strip: "Password Strength"]

Highly secure passwords shouldn't be this hard. It is possible to create hacker-resistant passwords that are easy to remember. But I still wouldn't change them on a Friday....

Let's get started.

How-To

As in the XKCD strip above, we can string unrelated but memorable words together and create a mental picture. We can also take a lengthy phrase and extract the initial letter of each word to produce a password: "When in the course of human events it becomes necessary" becomes "witcoheibn". In either case, the likelihood of a human just randomly guessing the password is pretty slim.

Toss in some uppercase letters or digits if required by the web site(s) or by the security tier you're creating this password for.

Why do these passwords work, though? Why is this better than just using my birthday, or my pet's name or my favorite sports team?

That comes down to the ability of a computer to make a lot of guesses extremely quickly.

A Little Theory

Hackers generally get hold of password files in hashed form, which means they can't actually see what your password is. They can only see a fixed-length jumble of characters, the hash, that your password was turned into.

Think of the hashing process as a one-way machine that you can feed a password into, and out the other side comes some scrambled text. Whenever you feed the same thing in, you get the same thing out. But at no time can you take the thing you got out and feed it back through to get the thing you started with. It doesn't work that way. (That is what distinguishes a hash from encryption, which can be reversed by whoever holds the key; a properly built site stores password hashes, not encrypted passwords.)

So there's no way to take your hashed password, feed it back through the hash function, and get back the string of characters you typed to produce it.

Got it?

Good.

Move Along, Not Worth The Effort

So all the hacker has to work with is the hash, which cryptographers also call the digest. The thing you type is called the plaintext. Don't worry, there won't be a test.

They also have the hash function: it isn't secret, and the same handful of algorithms are used everywhere. So they take a dictionary and feed its words through the function, using a computer program, to see what hash results from each word. The program compares these hashes against the entries in the password file looking for matches. If it finds one, they know the password (plaintext) that produced that hash, and voila! They know your password. After checking just the words, they'll start wrapping them in numbers and swapping case using common patterns (cracking tools call these rules).

So if your password is a dictionary word, or is closely related to a dictionary word, they'll find it pretty quickly.

If they don't come up with a match for you, they have to do what's called a brute force search: build up plaintext strings one by one and push them through the hash function hoping for a match. They start with "a", proceed to "b", and then to "c" and so on, adding characters as needed until they find a match or get tired and quit. How fast that goes depends on the hash. A fast, general-purpose hash like MD5 or SHA-1 lets a single graphics card test billions of guesses per second; a hash designed for passwords such as bcrypt, scrypt or Argon2 is deliberately slow and cuts that to thousands. Two consequences for the passwords above: they must not be in any dictionary, and they must be long enough that the space an attacker has to search is out of reach even at billions of guesses per second. A ten-letter initial-letter string like "witcoheibn" clears the first bar but not comfortably the second (ten lowercase letters is only about 1.5 × 10^14 combinations, hours of work against a fast hash), so prefer the longer multi-word phrase, or add a digit or two and some uppercase. The goal is the same either way: make the search expensive enough that the hackers give up and move on.
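Here is the attack described above in miniature, as an added example (code written for this edit, not from the original post). It builds a constructed "leaked password file" of unsalted SHA-256 hashes for hypothetical users, runs a tiny wordlist through the digit-and-case rules crackers try first, and then does the "a", "b", "c", ... brute-force walk. The hash choice, wordlist, user names and passwords are all assumptions for the demo.

```python
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for whatever fast hash the breached site used."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "leaked password file": hypothetical users and their hashes.
LEAKED = {
    "alice": sha256_hex("sunshine"),                   # plain dictionary word
    "bob":   sha256_hex("Dragon1"),                    # word, capitalised, digit appended
    "carol": sha256_hex("witcoheibn"),                 # initial-letter phrase from the post
    "dave":  sha256_hex("correcthorsebatterystaple"),  # the XKCD passphrase
    "eve":   sha256_hex("pqz"),                        # short, random-looking, lowercase
}

# A toy wordlist; real ones hold tens of millions of entries.
WORDLIST = ["password", "sunshine", "dragon", "letmein", "monkey", "princess"]


def mangle(word: str):
    """Yield the variants a cracker's rule set tries first: the word as-is,
    capitalised and upper-cased, each with and without a 0-99 suffix."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):
            yield f"{base}{n}"


def dictionary_attack(leaked: dict, wordlist) -> dict:
    """Hash every candidate and look it up in the leaked file.
    Returns {username: recovered_password} for every hash that matched."""
    users_by_hash = {h: user for user, h in leaked.items()}
    recovered = {}
    for word in wordlist:
        for candidate in mangle(word):
            user = users_by_hash.get(sha256_hex(candidate))
            if user is not None and user not in recovered:
                recovered[user] = candidate
    return recovered


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Walk 'a', 'b', ..., 'z', 'aa', 'ab', ... exactly as described above,
    returning the first candidate whose hash matches, or None once every
    string up to max_len has been tried (that is the attacker giving up)."""
    for length in range(1, max_len + 1):
        for letters in itertools.product(alphabet, repeat=length):
            candidate = "".join(letters)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    print("dictionary + rules:", dictionary_attack(LEAKED, WORDLIST))
    print("brute force eve   :", brute_force(LEAKED["eve"], string.ascii_lowercase, 4))
    # carol's ten-letter password is far outside a four-character budget
    print("brute force carol :", brute_force(LEAKED["carol"], string.ascii_lowercase, 4))
```

The dictionary pass recovers alice and bob in a few hundred hashes; carol and dave survive it because no wordlist entry or rule produces their strings, and the brute-force walk, which does find eve's three letters quickly, never reaches ten-letter strings within its budget. Lengthening the budget is exactly what a faster hash buys the attacker.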

Hackers aren't going away. Like protecting your home from burglars, all you can do is provide enough security around your digital life to deter them and encourage them to go look for an easier target elsewhere.

"PrincessBadFrogBreath" or the lyrics to your favorite song. Take your pick; either is likely a security upgrade, with one caution: well-known lyric and quotation lines are in the phrase lists crackers use, so choose a line a stranger wouldn't think to look up.

Does this approach look like something you could implement today and make your passwords more secure?

Thanks to XKCD for the strip above -- if you don't read XKCD, give it a look today.

How is a Password like Wedding Cake?

Frank Gehry Wedding Cake

I wrote a few weeks ago about how to create an easily remembered password that would be unique to each site you visit, yet simple to reconstruct each time you needed them. And that's great, but what if it's too much pressure in your already crammed-full life? What if the added password security that method offers isn't worth it to you?

You're still in luck, because I've got an alternative. Several, actually, but this is the first I'm going to propose. If the haystack approach was the Ferrari of passwords, then consider this to be the Grand Cherokee.

Here we go, then.

How Secure Is Secure?

How secure you need to be depends on what you're protecting. You'll probably want to protect your bank account differently than you protect your social networking accounts, and those still differently than you protect the web site account for your neighborhood kaffee klatsch group.

It comes down to a variety of factors that you need to consider:

  • What's the risk to you if the account is compromised?
  • How much damage could someone do to you if they had access to that account?
  • What would you lose if you lost access to that account?
  • How much effort would it take for you to reconstruct everything in that account from scratch? Would you want to?
  • Are there non-economic, intangible losses that could result from someone gaining access to that account (loss of your digital photo collection, for example)?

I'm not suggesting you sit down with a spreadsheet and assess each account according to these criteria, but as you consider how you're going to protect each one, having some objective guidelines will help.

Three Tiers

I suggest breaking your accounts into three groups:

  • Low security, for accounts that represent extremely low risk. These are accounts that either contain nothing of value, or which can easily be lost or reconstructed should compromise happen. For me, these are things like library accounts, neighborhood association accounts, and so on. There is no financial data and no irreplaceable data associated with these.
  • Medium security. Here there is some risk, but I need to be able to access these accounts frequently and quickly. Most social networking accounts fall into this category for me. Again, there is little risk of financial ruin.
  • High security. Here is where I put any account that has a stored credit card number or other banking information. If it could cost me money, it goes here. If it has access to money, it goes here. If I'm relying on it to hold important data that lives nowhere else, it goes here. Dropbox, Flickr, Shutterfly, Google Drive; these services could all potentially exist here alongside Amazon, iTunes, my bank accounts, and so on.

Now that we have our accounts grouped into tiers, we can apply a single password to each tier.

These passwords should increase in complexity from lowest tier to highest. For example, the highest tier password should be longer (10+ characters) than the lowest (6), and should contain more types of characters than the lowest (a mix of upper and lowercase letters, numbers, and symbols for the highest). Bear in mind that a six-character password, even one drawn from all 95 printable characters, falls to an offline attack against a fast hash in minutes on commodity hardware, so reserve the lowest tier for accounts where that genuinely doesn't matter.

How To Rotate

All passwords should contain digits, because many systems will require you to change them every 30, 60, or 90 days. Having at least one digit in the password lets you increment the digit(s) and reuse the password 10 times for a single digit, or up to 100 times for a password containing two digits. While this might seem like cheating, it decreases the likelihood that you'll have to write the password down when you change it, and that alone makes it more secure. One caution: "Summer7" followed by "Summer8" is exactly the pattern that cracking rule sets and credential-stuffing tools try first, so the incremented digit satisfies the rotation policy without adding any protection if an earlier version of the password has leaked.

Tomorrow, we'll talk about how to actually construct a password to make it memorable without using the haystacking method.

Can you think of other examples of web sites or accounts that might or might not fit into the three-tier system?

Image Creative Commons License Andrew Morrell via Compfight

Password Security: A Combination in a Haystack

Every week, it seems, some web site or another has reported that their password database has been compromised by hackers, which means the bad guys have access to your email address, username, and password for at least that one web site. And if, like most of us, you are a little lazy and you use the same password in multiple places, then they can start probing around and seeing where else you used that same username/email/password combination. Let's hope it's not your bank.

Some advisors tell us changing our passwords frequently is the solution. Others say having tiered passwords, based on how much security we think a site deserves, is an answer. Still others advise using a password manager such as LastPass to store our passwords.

But what if you want to do it yourself? What if you want to be as secure as you can without relying on a company that might go out of business, taking its service with it? What if you don't want to have to remember your passwords, but want to be able to reconstruct them easily and quickly?

An Algorithm

For each web site you go to, you need a simple method of devising a short, six-character password. It should be something you can remember easily and perform each time you see the name of the web site so that the password just comes to you. Let's use amazon.com as an example:

Taking the six letters "amazon", let's uppercase the second letter, shift the third letter three places to the right in the alphabet, and uppercase the last letter. Thus, "amazon" becomes "aMdzoN". The idea is to introduce some variation and some uppercase letters. That's all. We'll add the rest of the complexity in a moment. Don't go crazy here; keep this manageable.

So for any web site you visit, take the first six letters of the web site name (if there are fewer than six, use all of them; if there are more than six, use just the first six) and manipulate them in some fashion like this to get your core password.

In a Haystack

The haystack is the "container" into which we're going to insert that core password. It will be the same for each and every password we ever create. It will consist of six characters before the password and six characters after the password. The first six can be "......" or "()()()" or "^^^^^^" or whatever characters you choose. Likewise, the final six can be anything, but I suggest mixing numbers with the symbols, like "333***" or "---777".

Putting the pieces together, our password for Amazon becomes, for an example, "()()()aMdzoN333***". That's an 18-character password, but you really only have to remember the haystack and the method for constructing the site-specific portion in the middle to get there. With practice, you'll be able to do it in a few seconds.
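The site-name rule and the haystack wrapping, as an added example (code written for this edit, not the original post's). It follows the post's rule exactly: first six letters of the site name, second letter uppercased, third letter shifted three places right (wrapping z to c), last letter uppercased, then the fixed prefix and suffix. The one assumption beyond the text is that a leading "www." is dropped and only the letters of the first DNS label are used, so "www.amazon.com" and "amazon.com" give the same core.

```python
import string

# The fixed haystack from the post; choose your own, but keep it constant.
PREFIX = "()()()"
SUFFIX = "333***"
SHIFT = 3  # how far the third letter moves right in the alphabet


def site_label(hostname: str) -> str:
    """Return the site's name as the post uses it: the first DNS label,
    lower-cased, letters only. Assumption: a leading 'www.' is ignored so
    'www.amazon.com' and 'amazon.com' give the same name."""
    host = hostname.strip().lower()
    if host.startswith("www."):
        host = host[4:]
    label = host.split(".")[0]
    return "".join(c for c in label if c in string.ascii_lowercase)


def core_from_site(hostname: str) -> str:
    """Apply the post's rule to the first six letters: uppercase the second
    letter, shift the third letter SHIFT places right (wrapping z -> c),
    uppercase the last letter. Shorter names use all their letters."""
    letters = list(site_label(hostname)[:6])
    if not letters:
        raise ValueError(f"no letters in site name: {hostname!r}")
    if len(letters) >= 2:
        letters[1] = letters[1].upper()
    if len(letters) >= 3:
        shifted = (ord(letters[2]) - ord("a") + SHIFT) % 26
        letters[2] = chr(ord("a") + shifted)
    letters[-1] = letters[-1].upper()
    return "".join(letters)


def haystack_password(hostname: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> str:
    """Wrap the site-specific core in the constant haystack."""
    return prefix + core_from_site(hostname) + suffix


if __name__ == "__main__":
    for site in ("amazon.com", "www.google.com", "ebay.com", "xyz.org"):
        print(f"{site:16} -> {haystack_password(site)}")
```

Running it shows the post's "()()()aMdzoN333***" for amazon.com; a four-letter name such as ebay.com yields the shorter core "eBdY", so the total length varies with the site name while the haystack stays fixed.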

Why It's Secure

Password haystacking was invented by Steve Gibson of Gibson Research, and he has a web page which will help you compute the size of the search space for any haystacked password. Using our example above, against a cracking array capable of a hundred trillion guesses per second, it would take about 1.27 trillion centuries to search all the passwords in the space defined by the combination of letters and symbols in our password. That's quite a few. Finding ours would on average take half that, but it's still a prohibitively long time.

Hackers crack passwords primarily through dictionary attacks. They have long lists of dictionary words, and of words with numbers interspersed and upper and lowercase variations. They push these through the same hash function the site used and try to match the results against the hashed form of your password; if they get a match, they know your password.

By haystacking our password, we've put it beyond the reach of that search. There is no password dictionary on the planet that contains "()()()aMdzoN333***" or anything remotely like it. So to find our password, the hacker must do a brute force search: start at "a", proceed to "b", and continue on through every possible combination of letters, numbers, and symbols until they hit a match. This is why it takes centuries, because the number of combinations is staggering. By including uppercase, lowercase, numbers and symbols, we have 95 different printable characters in our "alphabet", for a total of (are you ready for this?)

401,440,002,697,135,760,758,578,320,767,017,120

That's how many combinations of these characters are possible up to a password length of 18. One caveat, and it matters: that count assumes the attacker has to treat all 18 characters as unknown. The fixed haystack and the site-name rule are the weak point. If one haystacked password leaks from a site that stored it badly (plenty of breaches expose plaintext or trivially cracked hashes), anyone who sees "()()()aMdzoN333***" next to "amazon" can work out the pattern and write down your password for every other site without searching at all. Haystacking defeats dictionary and brute-force searches; it does not defeat reuse of a known pattern.
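The search-space arithmetic above, worked as an added example (code written for this edit, not from the original post or from Gibson's page). It recomputes the 95-character, length-18 space and the time to exhaust it at three assumed guess rates (a throttled online login, an offline attack on a fast hash, and a large cracking array), then contrasts that with the ten-lowercase-letter initial-letter password from the earlier post and with what is left once an attacker has learned the fixed haystack. The guess rates are assumptions, and the "known scheme" case assumes only the six-letter mixed-case core remains unknown.

```python
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Assumed guess rates for the three scenarios (not measured figures).
ONLINE = 1_000           # throttled web login
OFFLINE_FAST = 1e11      # stolen hash file, fast hash, GPU rig
MASSIVE_ARRAY = 1e14     # large cracking cluster


def search_space(alphabet_size: int, max_len: int) -> int:
    """Count every string of length 1..max_len over the alphabet; this is the
    'search space' the post quotes for 95 characters and length 18."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_CENTURY


# The three spaces compared in the demo.
SPACES = {
    # the post's haystacked password, attacker knows nothing about its shape
    "haystack_unknown_scheme": search_space(95, 18),
    # "witcoheibn": 26 lowercase letters, up to 10 long
    "initial_letters_10": search_space(26, 10),
    # attacker already knows "()()()" and "333***" from one leaked password;
    # assumption: only a six-letter mixed-case core is left to guess (52^6)
    "haystack_known_scheme": 52 ** 6,
}


def compare(guesses_per_second: float = MASSIVE_ARRAY) -> dict:
    """Seconds to exhaust each space at the given rate."""
    return {name: seconds_to_exhaust(space, guesses_per_second)
            for name, space in SPACES.items()}


if __name__ == "__main__":
    full = SPACES["haystack_unknown_scheme"]
    print(f"95^1 + ... + 95^18 = {full:,}")
    for label, rate in (("online", ONLINE), ("offline fast", OFFLINE_FAST),
                        ("massive array", MASSIVE_ARRAY)):
        print(f"{label:14}: {centuries_to_exhaust(full, rate):.3g} centuries")
    for name, secs in compare().items():
        print(f"{name:24}: {secs:.3g} s at {MASSIVE_ARRAY:.0e} guesses/s")
```

The first figure reproduces the 36-digit count quoted above and the roughly 1.27 trillion centuries at a hundred trillion guesses per second. The other two rows are the point of the caveat: the ten-letter initial-letter password is exhausted in about a second and a half at that rate, and once the haystack is known, the remaining six-letter core takes a fraction of a millisecond.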

Still think using your pet's name is a good password?

How many passwords do you think you'll change in the next 24 hours using this technique?

Image CC by 2.0 George Kelly