Wednesday, December 29, 2010

New Year's Resolution #2: Password Policy

They say there's a syndrome in medical school where med students become temporary hypochondriacs and think they have symptoms of every disease that they study.  Graduate school may be having a similar effect on me, but hopefully in a more productive manner.  However, it's been said that "just because you're paranoid it doesn't mean they're not out to get you" so I've decided to greatly improve my password policy in 2011.

In the past I've had 3 or 4 different passwords of varying strength that I've used for pretty much everything.  That's better than most people (most people only have 1 password for everything), but it's still pretty stupid from a security standpoint.  If one or more of those passwords were ever compromised (and trust me, I'm sure they have been at one point or another), then the attacker (or ex-girlfriend) would have access to pretty much everything they'd need to own me.  Think about how much information you have out there.  Between email, IM, Facebook, Twitter, banking, bills, student loans... It's pretty scary.

In 2011 I'm adopting a new policy: unique and reasonably-secure passwords for each and every service.  I'm talking about passwords like this:
,H!i43/%]I.3{X#TT"Z2/e%IL
Don't use that as your password, BTW.  Since it's posted on the internet, it's no longer secure.

Having long, random passwords that are unique for each service is really the best way to protect your data.  Now, don't get me wrong, passwords suck as a form of authentication by themselves, but they're what we're stuck with for the time being, so it's best to make them as strong as possible.  A hash of the password above would not fall to a dictionary attack, and brute-forcing it, or precomputing a rainbow table large enough to cover it, would take an unreasonable amount of time.  It is, however, very difficult to memorize a password like that for every service you use.  That's where the tools come in.

By using a combination of KeePass, KeePassX, and KeePassDroid, I am able to access an encrypted database of all my passwords on all of my devices.  I use Dropbox to securely sync my password database among my devices.

KeePass allows me to generate, store, and organize secure passwords for all of my services.  It also allows me to copy my passwords to the clipboard, so I can log into services without having to manually type the complicated passwords.  I do try to copy something else to the clipboard after logging in, however, so that my password isn't lying around in memory.


Hopefully, this new system will help better secure my data in 2011.  Are there any problems with this scheme?  What is your password policy?

New Year's Resolution #1: Hacker Run

I can't count how many times I've started a work-out routine and stopped after a few weeks.  It makes me sad, because all that time is wasted.  All that productivity, all that work, and all those hours of walking funny because I'm sore are all for naught because I'll inevitably get lazy or busy and revert to my natural nonathletic state.

Let's try something different this time.  Time to start Couch to 5k again.  The end game?  I've signed up for a Hacker Run and will be participating in the United Way Mississippi River Run in April.

From the Hacker Run Website:
We have designated April to be “Hacker Run Month”, where hackers from all over the world will run a race (5k, 10k, 1/2 or full marathon) in the city of their choosing any time during the month of April. All you have to do is find a run in your area and sign up. It could be a 5k, 10k, 1/2 or full marathon: it doesn't matter. Kansas City is currently leading the charge, but hackers from all over the world are encouraged to participate!
Let's see if I can stick to it this time...

Hello World!

Following the lead of my friends Coy and Nate, let's try this blogging thing.  I'll have to practice my new pick-up line, "I'm so awesome, have you seen my blog?"

My name is Joe Sylve.  I'm a Research Assistant for Dr. Golden G. Richard, III at the Greater New Orleans Institute for Information Assurance (GNOCIA).  I'll finish my Master's in Computer Science and Information Assurance in Fall '11 and that's where my story ends.  Will I get a PhD?  Will you hire me?  Will my friend Brett launch me into space with just the items in his pockets and a lawn chair?  Who knows?

My current research is in forensically-secure mobile computing, but my interests also include reverse engineering, kernel hacking, and network security.  BTW, the GNOCIA is looking for two postdocs to assist with our research (see posting).  If you want to work with some very interesting and intelligent people, and live in the best city in the country for a while, you should apply.

Along with security research and graduate school, I also run a summer camp in Bay St. Louis, MS.  If you're looking for a safe and fun time for your child this summer on the Gulf Coast, you should check us out.