Free sample

by Joe Kissell

Ebook: $10.00

• More Info
• Contents & Intro
• What’s New
• FAQ
• Reader Raves
• Blog

“Awesome. You did an amazing job breaking it down. This should be mandatory reading.” —Rich Mogull, CEO at Securosis

This ebook helps you overcome frustrations that arise when attempting to design a strategy for dealing with the following password problems:

• 9-character passwords with upper- and lowercase letters, digits, and punctuation are NOT strong enough.

• You CANNOT turn a so-so password into a great one by tacking a punctuation character and number on the end.

• It is NOT safe to use the same password everywhere, even if it’s a great password.

• A password is NOT immune to automated cracking because there’s a delay between login attempts.

• Even if you’re an ordinary person without valuable data, your account may STILL be hacked, causing you problems.

• You can NOT manually devise “random” passwords that will defeat potential attackers.

• Just because a password doesn’t appear in a dictionary, that does NOT necessarily mean that it’s adequate.

• It is NOT a smart idea to change your passwords every month.

• Truthfully answering security questions like “What is your mother’s maiden name?” does NOT keep your data more secure.

• Adding a character to a 10-character password does NOT make it 10 percent stronger.

• Easy-to-remember passwords like “correct horse battery staple” will NOT solve all your password problems.

• All password managers are NOT pretty much the same.

• Your passwords will NOT be safest if you never write them down and keep them only in your head.

“Joe handles a confusing and scary subject more clearly and calmly than I would have thought possible. I’ll be recommending this book to just about everybody I know.” —William Porter, database developer, author, photographer

Tell Us Your Passwords Story…
There Could Be Cookies in It for You!

If you find this book helpful, we encourage you to write to us about your experiences—for example, how you overcame bad password habits or solved a challenging password problem. (If you want to include a photo of yourself, perhaps with an “uncle” you've helped out with advice from the book, feel free!)

We'll post the most interesting and creative responses on our Web site, and once a month (for the first several months following the book's initial publication) Joe will pick his favorite story and send the lucky reader a batch of his famous homemade chocolate chip cookies. (No kidding!) Photos and testimonials about the cookies are also welcome, of course!

Book Info 103 pages Version 1.1 Updated May 24, 2013 1.1 MB download ISBN: 9781615424184 Free sample with Table of Contents, Intro, Quick Start, and section starts. iPad & Kindle An EPUB is available to purchasers of this title; log in to your account to download it. More info... A Mobipocket file is available to purchasers of this title; log in to your account to download it. More info...

About the Author Joe Kissell has written numerous books about the Macintosh, including many popular Take Control ebooks. He's also Senior Editor of TidBITS and a Senior Contributor to Macworld, and previously spent ten years in the Mac software industry.

Book Reviews MyMac (10/10) Contact us for review copies Author Interviews Sundog (Mar-13) MacVoicesTV (Feb-13) MacVoices (Feb-13) Contact us for interview requests

Table of Contents Read Me First Introduction and Comic Passwords Quick Start Understand the Problems with Passwords Learn about Password Security Apply Joe’s Password Strategy Choose a Password Manager Keep Your Passwords Secure Audit Your Passwords Appendix A: Use Two-factor Authentication Appendix B: Help Your Uncle with His Passwords Teach This Book About This Book

Read Me First Passwords are an irritating fact of modern life. It’s tricky to create and remember good ones, but dangerous to use simple ones (or reuse a password in multiple places). This book helps you overcome these problems with a sensible, stress-free strategy for password security. It was written by Joe Kissell, edited by Kelly Turner, and published by TidBITS Publishing Inc.

Introduction

Before we get started, check out the comic that our friends Nitrozac and Snaggy at the Joy of Tech made for us…it’s the Joe of Tech!

Think of a card, any card. Now, keep that card in mind and think of another. Repeat until you’ve picked 12 cards—but make sure your selection includes all four suits, at least one ace and one face card, and no two instances of the same card. Remember the whole set, because I’m going to ask you again tomorrow…

I’m joking, of course. But have you ever noticed that when magicians pull someone out of an audience to help with a trick, they never make such complicated requests? It’s not reasonable to ask someone to create a meaningless string of numbers and letters, remember it indefinitely, and produce it on demand.

But Web sites, banks, and network administrators make exactly that request of us almost daily. Want to buy something online? Sure, but you need more than a credit card—you need a password too. Sync this data with the cloud, sign up for that free service, manage your utilities or PTA schedule online…no problem, but you must have a password for that. “Make sure it’s between 10 and 14 characters, contains upper- and lowercase letters, at least one digit, at least one punctuation character, and doesn’t have any repeated strings. Oh yeah, and don’t even think about using a word that might be found in a dictionary or reusing a password you used anywhere else.”

Are you kidding me? This is madness. Coming up with unique, random passwords all the time, remembering them, and producing them reliably is not the sort of task the human brain is cut out for.

Faced with this difficult and increasingly absurd task, people naturally tend to look for shortcuts their brains can handle. They pick easy passwords, like their kids’ names or patterns of keys on the keyboard. Even if they go to the effort of creating something more complex, they use the same password everywhere, because then they have only one thing to remember instead of hundreds.

Speaking as a fellow human being, I don’t blame anyone for taking the easy way out. You might try to come up with clever, random-looking passwords the first few times, but once your list of password-protected accounts grows into the dozens, and then the hundreds, it’s not plausible to keep following the rules.

However, speaking as a technologist who has spent lots of time researching and thinking about security, I’m terrified for people who do this. I know how easy it is to guess, crack, or otherwise uncover someone’s passwords, because I’ve done it myself. And people with far greater skills and resources than mine spend all day, every day doing the same thing—not for legitimate security research but to steal money and secrets, to cause mischief, or to show off.

Every couple of months I read about another high-profile case in which millions of passwords are leaked, hacked, or stolen. And then I take a look at that list of now-public passwords and shake my head when I see that thousands of folks thought password was a pretty good password! I understand why they did it—they were only trying to manage an unmanageable problem—but I feel sorry for them, as their problems didn’t end with the site that was hacked. Because these people invariably use the same password on lots of sites, many of them had money and identities stolen, private email messages read, or hate mail sent in their name. It’s a big, scary deal.

Back in 2006, I wrote a book for Mac users called Take Control of Passwords in Mac OS X. In that book, I attempted to explain all the ways passwords are used on a Mac and give advice about the best ways to manage them. I offered the best guidance I could at the time, based on the available facts. But when I look back at that book now, I get an uneasy feeling because anyone who took my advice then might now be living with a false sense of security. The technologies and tools for guessing passwords and breaking encryption have taken massive leaps forward in recent years, with no signs of slowing down. What was safe then may be ridiculously insecure today.

On the bright side, the apps and techniques available to us good guys have improved too. While I can’t solve all the world’s password problems, with a combination of technology and common sense, I can probably help you solve about 98 percent of your password problems.

My goal in this book is to lay out a simple strategy that will keep you as secure as possible with a minimum of effort. Sometimes, I admit, there’s a trade-off between security and convenience. You have to choose which is more upsetting: adding another lock to your door or risking a break-in because the neighborhood’s gotten worse. But you might be surprised to discover that in many cases, you can significantly increase your security without extra effort. Remember how I said that generating and remembering random passwords is not something the human brain is good at? That’s true, but I’ll bet nearly every human reading this book has a computer as well as a smartphone or tablet, and those devices are fantastic at generating and remembering passwords—if you use the right apps, in the right ways, at the right times. (And yes, I’ll also talk about the situations in which your gadgets can’t help you. Don’t worry; those problems have solutions too.)

If all this talk of hacking and identity theft sounds scary, I’m sorry. I don’t mean to frighten you. Much. But I do want you to have a clear understanding of the threats out there so you’re motivated to adopt better password practices. It won’t take long, it won’t cost much, and it won’t be difficult. Once you’ve done it, you can go back to not being scared, just like me. In fact, that’s the whole point of my recommendations—I want you to be relaxed and confident, knowing that your passwords are solid and that you have an easy, reliable way to create and enter passwords whenever they’re needed.

This book is no rehash of Take Control of Passwords in Mac OS X, although I’ve borrowed a few sections that are still useful. Instead, I’m looking at the problem of passwords in a broad, platform-agnostic way. Whether you use a Mac or a PC, an iOS or an Android device, something else entirely, or—more likely—a combination, you’ll find guidance to help you take control of your passwords. By the end of this book, I hope you’ll thoroughly understand the vulnerabilities and threats associated with passwords, ways to minimize your risks, and how to use passwords safely without losing your sanity. No one can give you an ironclad promise of perfect, unbreakable security, but with the advice in this book, I can get you pretty darn close.

Passwords Quick Start

To get the most out of this book, I strongly suggest reading it in linear order because each chapter builds on the material that comes before it. Whatever else you do, don’t skip the chapter Apply Joe’s Password Strategy, because using just a piece of my strategy (such as a password manager app) may solve only part of the problem while making other parts worse!

Get your bearings:

• Find out what’s wrong with passwords and the ways most people use them; see Understand the Problems with Passwords.
• Discover what makes a good password and why that’s not all you have to worry about; see Learn about Password Security.

Develop your password toolkit:

• Learn my three-point password strategy—and what to do in situations that don’t neatly fit into it; see Apply Joe’s Password Strategy.
• Arm yourself with a good cross-platform app for creating, remembering, and entering random passwords; see Choose a Password Manager.

Tie up loose ends and fix old problems:

• Make sure your passwords don’t fall into the wrong hands while always remaining available when needed; see Keep Your Passwords Secure.
• Clean up all those awful passwords you created before you saw the light; see Audit Your Passwords.

Handle special cases:

• Deal with systems that use a password in combination with another authentication method (such as a secure token or SMS verification); see Appendix A: Use Two-factor Authentication.
• Get advice for improving password security for someone who’s unwilling or unable to follow my regular strategy; see Appendix B: Help Your Uncle with His Passwords.
• Use the material in this book as the basis for a class or training session on password security; see Teach This Book.

What’s New in Version 1.1

Version 1.1 is a fairly minor update intended mainly to address questions prompted by the book’s initial release and to add extra detail in a few key areas. The major changes are these:

• A visual switch to Take Control’s new cover style and matching interior layout.
• Clarifications in the sidebar About Hashes and Salts, including a mention of what a rainbow table is
• Thoughts about the security implications of using the “Haystack” method of padding passwords in Timeworn Tricks
• Near the end of All about Entropy, a note about the maximum length of Apple ID passwords and a warning about using passwords shorter than 14 characters in Windows XP
• Information about Apple’s two-step verification option for Apple IDs in Multi-factor Authentication and Use Apple’s Two-step Verification
• A tip about using Bluetooth keyboards to enter passwords on an Apple TV in Devices without Full Keyboards
• A new section called Authenticating with Another Site’s Credentials, which discusses the implications of using Twitter, Facebook, and other services to log in to third-party sites
• In Features to Look For (in a password manager), the addition of sharing logins with other people
• More detail about LastPass, including Grid Multifactor Authentication and the LastPass Security Challenge
• An update on the status of myIDkey
• A tip in Use Google’s Two-step Verification about using the Google Authenticator mobile app with other services, such as Dropbox
• A new chapter called Teach This Book, which provides links to additional resources if you want to help other people improve their password security

Can I read this ebook on an iPad, iPhone, iPod touch, or Kindle?

There are lots of great ways to read our ebooks on these devices. For more details, please read our latest Device Advice.

Ask a Question

Feel free to ask us if you have a question about this title!

Send Us Your Comments!

How could we not publish such kind words? If you'd like to send us your comments (good or bad, though we hope they're all good), just click the Feedback link on the cover of your copy of the ebook. Be sure to let us know if we can publish your comment. Thanks!

"I've purchased several of [Joe's] books and found them more than helpful... you have kept me from committing technocide and offing my computers and iPhone. I am going to purchase more of your books as soon as I'm finished with this email." —Michael Israel, performance artist

"I've been reading your Take Control books for years, and this book is the best yet. Just the right amount of knowledge to inspire action. The way most people do this stuff is frightening. I, for one, am going to move my personal stuff to your new system." —Matt C.

"The author provides many useful tips to assist developing passwords and password management strategies. Do you know what a VIP list is relative to password security? I didn’t, but I do now, and I’m using it! — David M. Acklam, MyMac review

1Password Security Question

March 4, 2013 -- 

A reader named Michael I. wrote in with this question for Joe: "Enjoyed your book on passwords, but it seems that 1Password on an iPhone has a four-digit password... isn't that easily broken? Or is there something special about it being on an iPhone?"

Here's Joe's reply: "Very old versions of 1Password for iPhone let you choose, for each password, whether to protect them with a four-digit code or a full password. The current version always uses a full password, for everything. However, you can optionally set it so that if you leave the app and come back during a certain period of time, you can do a "quick" unlock with just a four-digit code. You might want to check to see that you have the latest version of 1Password, which requires iOS 6: https://itunes.apple.com/us/app/1password/id568903335?mt=8."

And Michael wrote back, "Interesting... I always update my apps and recently did update the version of 1Password I have from the App Store updates section. Because it does not perform as you wrote, I did a search and see there is a completely new version—I've just upgraded. I'm guessing there are other people who don't realize they are not using the latest version."

—Tonya Engst 

---

Joe Talks Passwords on MacVoices

February 28, 2013 -- 

Chuck Joiner and cartoon superhero Joe Kissell discuss Joe's new book and the advice it offers for corralling the wild herds of passwords you've probably acquired over the years. Plus, you get to view Joe's new stateside center of operations and its advanced technology (much of it cleverly disguised as shipping boxes). See the video here or listen to the audio here.

—Michael E. Cohen 

---

Using the Keychain in Older Versions of Mac OS X

February 27, 2013 -- 

Take Control of Your Passwords covers passwords in a general way, and from the perspective of the digital environment of 2013, in which lots of people use mobile devices or multiple computers, and when iOS 6 and 10.8 Mountain Lion are Apple's current operating systems. But if you are using an older version of Mac OS X, such as Snow Leopard, here is useful and still applicable information about using the Keychain, Mac OS X's system-wide password manager, taken from Joe's earlier Take Control of Passwords in Mac OS X, Second Edition.

—Michael E. Cohen 

Read more...

Orders are processed for us by eSellerate on a secure site.
Copyright 2013 TidBITS Publishing Inc. | Privacy Policy | Contact | Follow on Twitter