Monday, December 29, 2008

Happy New Year - Time to change passwords?

It's that time of year again!  Haven't changed your passwords in a while?  Read on, and hopefully you will be paranoid enough to start!

Most people use the same one or two passwords for everything, and rarely change them.  This means that if someone gets your password once, you could lose it all.  Just earlier this year one of my friends had multiple accounts hacked by a nameless enemy.  

Think you're careful enough that no one else will get your password?  Think again!  I don't know how many times I see people not log out of their accounts on shared computers at my department.  

10 ways that someone could get your password:
  1. Guessing!
  2. You told them, or someone they know.
  3. They got into your email (you didn't log out or they had this one password) and found the rest of your passwords emailed to yourself!  Many websites will unfortunately email your password to you after you register.
  4. They found it stored on your computer (or written down) either just by being nosey, or doing a search on the contents of your files.
  5. There was a keystroke logger on the computer you used to sign in.  A keystroke logger records all of the keys you type.  This is a danger when you are traveling, using a shared computer at school, the library, at work, at a friend's house, or even in your own home (wife suspicious?).  Keystroke loggers hide in the background and you will probably not notice they are there.  Some keystroke loggers are not even software installed on your computer, they get plugged in in between the keyboard and the computer.
  6. They have a program that reveals what's behind the ******'s saved on your browser.
  7. They intercepted your internet traffic, through which you send your password in plain text whenever you're logging into an unsecured site (don't see the lock icon at the bottom? it's not being encrypted).  This is particularly a risk if you access the internet wirelessly through an unsecured connection.
  8. They are a site administrator with ill intentions.  Most sites you register at will automatically encrypt your password with an encryption algorithm called MD5, but as a developer I know that sites can easily be set up to store passwords as plain text.  Also, MD5 is not completely secure.
  9. They used a password cracker.  Websites that tell you to make your passwords long and include weird characters are trying to prevent this.
  10. Maybe more...?  Okay, so that was only 9.
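To make items 3 and 8 concrete, here is an added example (my own code, not from this post) contrasting the three ways a site might store the password you register with: as typed, as an unsalted MD5 digest, or as a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library). The user records, the password values and the `shared_password_visible` check are constructed for the demonstration. With plain text or bare MD5, anyone who can read the user table immediately sees that two users chose the same password and can look the digest up in a precomputed list; with a per-user salt the stored values differ even for identical passwords, and a wrong guess still has to be recomputed per user.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample registrations: alice and bob happen to reuse a password.
USERS: Dict[str, str] = {
    "alice": "ChzB3rgr!",
    "bob": "ChzB3rgr!",
    "carol": "Hunter2Hunter2",
}

# Iteration count is an assumed tuning value, chosen so each check costs
# noticeable CPU time for an attacker but stays quick for one login.
PBKDF2_ITERATIONS = 100_000


def store_plaintext(password: str) -> str:
    """The worst case from the post: the site keeps the password exactly as typed."""
    return password


def store_md5(password: str) -> str:
    """Unsalted MD5, as the post says many sites use.

    The same password always yields the same 32-hex-character digest, so reuse
    across users is visible to anyone holding the table, and common passwords
    can be looked up in a precomputed digest list.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash; the record format "scheme$iters$salt$digest" is our own."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unexpected record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(records: Dict[str, str]) -> bool:
    """True when two stored values are identical, i.e. password reuse leaks from the table."""
    values = list(records.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    for label, store in (("plaintext", store_plaintext), ("md5", store_md5), ("pbkdf2", store_pbkdf2)):
        table = {user: store(pw) for user, pw in USERS.items()}
        print(f"{label:9s} reuse visible: {shared_password_visible(table)}")
```

Running the block prints that reuse is visible for the plaintext and MD5 tables and not for the PBKDF2 table; `verify_pbkdf2` is what the login path would call, so the site never needs the original password again.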
What should you do?
  • Change your passwords regularly (I do mine once a year)
  • Always log out of your accounts when you use a shared computer.  Even if it is an unimportant site, someone could change your email and request a forgotten password.
  • At the very least, use a different password for important sites (bank accounts) than for unsecured sites.  I use a different password for almost every website.  Sound way too complicated and annoying? Read my note below on password algorithms.
  • Search your email for your password(s) and see what comes up.  You may be surprised!  Delete these emails, or if you want to save them then forward them to yourself with the password removed.
  • Search your computer for your password(s) and see what comes up.  Have the search actually search the contents of files.  This will also help you find a keystroke logger if one is secretly installed.
  • Choose good passwords.  Longer passwords and passwords that are unpredictable/have a variety of characters (uppercase, lowercase, numbers, punctuation) take exponentially longer to crack.
  • Check for back doors.  A site I was recently working on got hacked twice because the first time the hackers created back doors.  This could be as simple as setting up email forwarding to another account (or POP3 access), so when they request a forgotten password they get the email too!  If you have been hacked, also make sure the email addresses on your accounts haven't been changed.  If your bank offers alerts for certain types of activity, take advantage of it!
  • Don't use your normal password for shared accounts (like if you share Netflix).  Make up something completely different.  
Some sites have a feature that lets you see the last activity on your account, like online banking accounts, and now Gmail!  In Gmail, you can even see the IP addresses from which your account was accessed. More information.  If you are concerned, check this periodically to see if there is any suspicious activity.
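The "exponentially longer to crack" point in the list above can be put in numbers. This is an added example (my own, not from the post): it estimates the alphabet an attacker must search from the character classes a password uses, converts the keyspace to bits, and gives the worst-case time to exhaust it at a guess rate you supply. The guess rate is an assumed input, and treating every character outside the four classes as its own extra symbol is a simplification of mine.

```python
import math
import string
from typing import List, Set, Tuple

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),   # 26
    "uppercase": set(string.ascii_uppercase),   # 26
    "digits": set(string.digits),               # 10
    "punctuation": set(string.punctuation),     # 32
}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from.

    A brute-force attacker who knows (or assumes) the classes in use has to try
    this many symbols per position; characters outside the classes (assumed
    handling) each add one symbol.
    """
    size = 0
    covered: Set[str] = set()
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    size += len({c for c in password if c not in covered})
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the number of candidates of this length over this alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace; expected time is half of this."""
    if not password:
        return 0.0
    return alphabet_size(password) ** len(password) / guesses_per_second


def crack_time_by_length(alphabet: int, max_length: int, guesses_per_second: float) -> List[Tuple[int, float]]:
    """Show the exponential growth: each extra character multiplies the time by `alphabet`."""
    return [(n, alphabet ** n / guesses_per_second) for n in range(1, max_length + 1)]


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second for an offline attack on a fast hash
    for pw in ("password", "ChzB3rgr!", "correct horse battery"):
        print(f"{pw!r:25s} {keyspace_bits(pw):5.1f} bits  "
              f"{brute_force_seconds(pw, RATE) / 86400:.3g} days worst case")
    for n, secs in crack_time_by_length(26, 12, RATE):
        print(f"{n:2d} lowercase letters: {secs:.3g} s")
```

Note that these figures only describe brute force over the whole keyspace; a password built from a dictionary word or a keyboard pattern is guessed far sooner, which is why the list above asks for unpredictability and not just length.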

Password algorithms
Want to be uber paranoid and have a different password for every site? Heh.  It sounds like such a pain, but it doesn't have to be!  I actually think this is easier than memorizing a handful of passwords.
  1. Choose a good "root" password.  Like ChzB3rgr!
    *Many sites don't allow punctuation, and some sites don't allow passwords with more than 8 characters.  Keep this in mind when you choose a root password.
  2. Choose an algorithm or "codes" based on the website, or other things like the year, to add to the beginning or the end of the password.  Make them easy to remember and difficult to figure out.
Be creative!
For example, add SC to the beginning of your bank account (secure) passwords.  Or YUM! or whatever.  Add 9 to the end of your passwords for passwords for the year 2009.  Or 18 for 9x2.  To make it different based on every site, maybe choose the first two letters (or last two, first and last, the letter in the alphabet after the second letter) of the website's name.  Be careful with this because sites often have logins through third parties or subdomains and you want to remember which letters you chose.

So for Gmail, your password could be 18ChzB3rgr!I:
  • ChzB3rgr! as the root password
  • 9x2 = 18 as a prefix to represent passwords for this year, 2009
  • I, two letters in the alphabet after the letter G (first letter of Gmail), as a suffix
Or even 18YummyI - now that wasn't too hard was it?

Use the same algorithm for all of your passwords.  I know this example sounds complicated, but you can make it as simple or as complicated as you want.   Like just having YummyG9 works too (root=Yummy, suffix=G for Gmail, prefix=9 for 2009, although it is easier to figure out).  This is much easier and more secure than remembering 20 different passwords!

If you have as many different accounts as I do, you would spend forever changing all of your passwords at once.  If you do this every year, you can do it over time because you know the password will either be with the old algorithm, or the new one.  Try them both, and if it's old, change it once logged in.
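The rules in this section, and the "try this year's and last year's" rollover tip just above, written out as code. This is an added example of mine, not something from the post: `year_prefix` applies the "last digit times two" rule (2009 gives 18), `site_suffix` takes the letter two places after the site's first letter (Gmail gives I), and `login_candidates` returns the current and previous year's derivations in the order you would try them. Wrapping Y and Z around to A and B, and keeping a non-letter first character as-is, are my assumptions for cases the post does not cover.

```python
import string
from typing import List


def year_prefix(year: int) -> str:
    """The post's rule: last digit of the year times two (2009 -> "18").

    Note the rule's own quirk: 2010 gives "0", since the last digit is 0.
    """
    return str((year % 10) * 2)


def site_suffix(site: str, shift: int = 2) -> str:
    """Letter `shift` places after the site's first letter (Gmail -> G -> I).

    Assumed handling beyond the post: Y/Z wrap round to A/B, and a site whose
    name starts with a digit or other symbol keeps that character unchanged.
    """
    name = site.strip()
    if not name:
        raise ValueError("site name must not be empty")
    first = name[0].upper()
    if first not in string.ascii_uppercase:
        return first
    index = (string.ascii_uppercase.index(first) + shift) % 26
    return string.ascii_uppercase[index]


def derive(root: str, site: str, year: int) -> str:
    """prefix + root + suffix, exactly as in the 18ChzB3rgr!I walk-through."""
    return year_prefix(year) + root + site_suffix(site)


def login_candidates(root: str, site: str, current_year: int) -> List[str]:
    """Rollover tip: try this year's derivation first, then last year's."""
    return [derive(root, site, current_year), derive(root, site, current_year - 1)]


if __name__ == "__main__":
    for site in ("Gmail", "Flickr", "Yahoo"):
        print(site, "->", derive("ChzB3rgr!", site, 2009))
    print(login_candidates("Yummy", "Gmail", 2009))
```

Seen side by side, the derived passwords differ only in the prefix and suffix around a shared root, which is exactly the trade-off the post acknowledges for the simpler YummyG9 variant: convenient to reconstruct, and easier to figure out once one of them is known.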

Thoughts on Joomla from a new user

From what I've heard, Joomla is supposed to be easier to use than Drupal, but less powerful.  So when I started using Joomla I expected it to be a simpler, prettier version of Drupal.  I'm finding that they are much more different from each other than I first expected.  

At first I liked Joomla's more graphically-intense user interface but am starting to dislike it quite a bit because of how much clicking you have to do to accomplish things.  Also, I have to keep two separate windows open to see the administration and the results, because they are completely separated from each other.  

I think Joomla has its act together more as far as templates and monetizing the work people do.  They have a lot of templates licensed with Creative Commons, and a lot of sites for buying templates, getting free templates, free templates with upgrades, etc.  As a result, they have more numerous, higher quality templates than Drupal.  I think with Drupal people generally always expect to spend a good amount of time doing theme customization.  

Some things that bother me about Joomla:
  • Joomla's documentation is powered by MediaWiki, a different CMS!
  • Their own site is mostly *.html pages - I must be missing something about how their CMS works (it's so different than Drupal) or else they just really don't like using their own CMS.  Or else I don't know how to use it properly for the site I'm working on.
  • A site I recently got hired to help with, my first Joomla site, just got hacked twice (once before I started, and it just happened again).

Sunday, December 28, 2008

Butterfly

I caught some caterpillars while my niece was here so she could see them grow into butterflies.  One of them emerged a few days ago (here's a pic of it on my ceiling).  It was cold, dark and rainy outside so I thought I'd wait until the next morning to let it go.  But the next morning it was gone!  Looked everywhere and didn't see it for days.  I figured I would find a dead butterfly in one of my socks one day or something.  

It came out of hiding today!  It was behind the pot for my biggest orchid plant when I found it, trying to get out of my window.  Hopefully it will be happy in Berkeley, the land of wild anise.  This is where they lay their eggs and what they eat as caterpillars...don't know about the butterflies.


Communication woes

When you are a part of millions + 3 Web 2.0 websites with friends, or followers, or whatever they're called - what's the best way to communicate with your friends?  Email makes most sense to me! But I'm thinking it would be annoying to get emails that just have like a one line comment.  
Maybe comments are to email as text messages are to phone calls (comment : email : : text message : phone call)?

Where to leave comments? Isn't it weird for that stuff to be in public?

Also, amazed at how much time it must take for people to do this 2.0 stuff, but I'm going to keep keeping on.

In other web-related news, cross-browser compatibility issues should suck it!  A client asked me to put music on her website (generally not recommended but whatever) and I couldn't believe how difficult this turned out to be for it to work in all five of my browsers.  Old fashioned way? Nope.  Using JS to make this all better?  Nope.  Only good solution? Flash - and still not everyone has this!  I'm not really a flash person, so here's a site with an easy way to do this for free.

Saturday, December 27, 2008

Web 2.0 Adventures

I just discovered this blog that I started in undergrad and completely forgot about!  I apparently used it as a diary, hmm, not what I want on the internet!

So out with the old, in with the new.  One of the reasons I've avoided starting a blog is because I don't know what to make it about.  I'm giving in and just making a personal one.  Topics most likely to be seen? Energy, international development, geeky web stuff.  

Yesterday I got made fun of for the apparent dichotomy between me being a total web geek/web developer and not doing all the geeky web 2.0 stuff that comes along with it.  So I'm starting this experiment (again) to see if I can actually get interested in making my life utterly public.  

So here it goes:
Blogger (This)
Flickr - coming soon

Other sites:

Here goes nothing!