Laptops All-in-One Desk Reference For Dummies- P68 pot


Keeping It to Yourself

Beefing up your password

Sorry to have to tell you this, but using the name of your pet parrot (dead or alive) as a password is pretty lame. So, too, is using your birthday or your wife’s middle name. The problem is that a dedicated hacker could probably find any of these details with a bit of searching on the Internet.

Don’t use your birthday, birth year, your partner’s name, your children’s names, or anything else that a determined hacker might be able to glean from public records. An automated assault could try every possible pet name — trust me, there aren’t all that many — to get into your system.

✦ Go alpha and numeric. The best way to create a strong password is to use a combination of words and numbers that have meaning to you but aren’t traceable to you. Do you remember an old friend’s phone number (not their current number)? Did that friend have a strange nickname? And was there a particularly unusual food that you — or your friend — enjoyed or despised? Using that formula, I might construct a password like this:

ReverendKL5-1243TofuPie

No way could someone guess that password or could a computer randomly figure it out. (Note that not all operating systems or web sites distinguish between upper- and lowercase, but it can’t hurt to include them.) And I could even make a great big note on my desktop that reminds me of the password but would be of no help to anyone else. The hint might say: Fran’s nickname, phone, yucky soy dessert.

✦ Make it meaningful. A totally random password like J8kl)$32H*/xc is a very strong defense, but is also very difficult to remember, and in some cases a password-cracking program may determine the method used by your software’s random-password generator.

✦ Be unpredictable. If you want to include the word Spoon in your password, try replacing one or both of the letters o with a zero. Or even better, try something odd like a pair of parentheses to represent the o. One example: sP()()n

✦ Be fickle.
Change your passwords every few months. I know that’s easier said than done, but it’s good practice in case someone has picked up some of your personal information and is poised to attack. One way to avoid having to come up with a completely new password is to create a replaceable component. For example, if your current password is ReverendKL5-1243TofuPie, you could change the food every few months. Make it ReverendKL5-1243Curds&Whey for a while, and then change it to Tapenade.

Book IX Chapter 1 Traveling with a Laptop

Locking the software

If a thief is after your machine, she doesn’t want to damage it; that would reduce its value. But if a laptop’s real worth is the information on the hard drive, a bit of broken plastic won’t stand in the way of a theft. Or the crook might even remove the hard drive — smaller than a paperback book — and leave the computer.

The most important strategy is this: Always act as if the information in your laptop is about to disappear. It (along with the machine that holds it) could be stolen or lost or corrupted or made unreadable. Therefore, please remember Sandler’s Top Three Rules of Laptop Data Security:

1. Back up your data to a form of removable media.
2. Keep the backup in a safe place, separate and apart from the laptop.
3. See Rules 1 and 2.

Keep all sensitive information off the hard disk drive:

✦ If your office is set up with a secure web site, keep data there and sign in over the Internet.
✦ Store all sensitive information on removable media. Consider these possibilities:
  • A password-protected USB flash disk. Corsair’s Flash Padlock is a block of flash memory that you can access only after you enter a numerical password of as many as 10 numbers, which, not coincidentally, is the same length as a phone number. (I suggest using a phone number of a friend or relative with a different last name.)
    Once the Corsair is unlocked, it appears just like any other storage device on your machine; it automatically locks when you remove it from your laptop. The product is available at retail stores and web vendors.
  • A fingerprint reader. These block access to the hard disk by anyone other than the person attached to the proper finger. IBM (and its successor owner of the laptop line, Lenovo) has offered this technology. A small reading pad, on the wrist rest below the arrow keys, verifies a user’s identity when he swipes a finger across a tiny sensor. Once identity is established, users are automatically logged on. The solution blocks most casual attempts at unauthorized use, but probably wouldn’t keep someone from removing the hard disk drive and offloading its information to another drive.
  • A CD-R, CD-RW, or recordable DVD that you can mix in with your music disks and store away from the computer.
✦ Store the removable media in a different suitcase or in your pocket.

Requiring a password to log on to Windows

When you install or activate Windows, you’re offered the opportunity to add a system password that must be entered each time the machine is turned on; on advanced versions of the operating system a distinction is made between the Administrator (who can change the system’s configuration and settings) and a User (who can sign on and use the system but can’t change the way it operates).

Enable and set a Windows logon password. Although this isn’t a very strong defense against a determined hacker, it should protect against unwanted access by an amateur.

Passwords are usually set at the time Windows is installed or first activated; you can also add a password to a system already configured if you have Administrator access.

To enable or change a password on a Windows XP or Windows Vista machine, follow these steps:

1. Click Start ➪ Control Panel ➪ User Accounts.
2.
Click an option based on your needs:
   • Choose an Existing Account (Go to Step 3.)
   • Add a New User (Go to Step 4.)
3. Choose Add or Change a Password.
4. Establish a password. The logon screen appears. It includes a password hint to help you remember a forgotten code; be as vague but meaningful as possible in creating a hint.

Adding a password won’t prevent someone from stealing your laptop, and some programs allow hackers to break most codes. In addition, putting a password on a drive does not prevent someone from reformatting the drive or replacing it with a new one, although your data may be protected from misuse.

If you created a system or startup password, you can later change or remove it once you properly sign on to the system. Under Windows XP or Vista, do this:

1. Go to the Control Panel.
2. Click the User Accounts icon.
3. Click one of the following:
   • Create a password for your account
   • Change your password
4. Type the password in the New Password box.
5. Type the password in the Confirm New Password box.

If you forget your password, you can use a password reset disk to create a new one; the “disk” can be a USB flash drive or CD. To create the disk, follow along:

1. Open the Control Panel.
2. Click the User Accounts icon.
3. Click Create a Password Reset Disk.

You should create the reset disk and store it away in a safe place; if you don’t have a reset disk, you may lose access to your operating system and files.

Some third-party and free sources offer tools that allow you to get past a forgotten or corrupted system password; that fact should give you pause. Microsoft itself warns that this is not an industrial-strength lockdown of your data but merely part of a comprehensive security plan.
Password protecting and encrypting a file

Most current software programs (including the Microsoft Office 2007 suite and later editions) let you encrypt and add password protection to an individual file. The lockdown can prevent someone from opening, deleting, or changing a file. Again, the level of security isn’t anywhere near that used by spy agencies, but it should deter the casual finder or keeper of your laptop.

Microsoft doesn’t offer any assistance in recovering a lost password; if you lose the password, you won’t be able to open the file. If you must write down the code for a file, do so in a notebook that isn’t stored with your laptop, and use some coding to hide it. If the password is the phone number of an old friend plus the year your cat was born, make a note like this: Chuck#+catyr.

To encrypt and set a password to open a document, do the following:

1. Open the Microsoft Office 2007 program and file you want to protect.
2. Click the Microsoft Office Button. It’s at the top-left corner of the screen.
3. Choose Prepare ➪ Encrypt Document. The Encrypt Document dialog box opens. See Figure 1-1.
4. Enter a password in the Password text box. It can be as many as 255 characters.
5. Click OK. The Confirm Password dialog box appears.
6. Type the password in the Reenter Password text box.
7. Click OK.
8. To save the password, save the file.

A strong password

✦ Is longer than a short password (at least 10 to 14 characters).
✦ Combines uppercase and lowercase letters, numbers, and symbols. For example, here’s one: 25yorBit!78.

Use a phone number of someone who isn’t easy to link to you, and mix in a strange word; WA7202903gruyere. (And no, I don’t use either of those passwords in my system or with any banks.)
Or you can use an obscure quotation or phrase; don’t use something guessable like “The quick brown fox jumps over the lazy dog.”

Setting a password to restrict others

You can assign two passwords, and they must be different:

✦ One to access the file
✦ One to provide specific reviewers with permission to modify its content

Figure 1-1: Microsoft Office 2007 can encrypt individual files created under any of its components.

To prevent unauthorized viewers from seeing or changing a file you created in Microsoft Office 2007, do the following:

1. Open the file.
2. Click the Microsoft Office Button. It’s in the upper-left corner of the screen.
3. Click Save As. The Save As screen appears.
4. Click Tools ➪ General Options. The Tools menu is in the lower-left corner. See Figure 1-2.
5. Type a password in the Password to Open text box. This password requires that users enter a password before they can view the document. Under this less-secure system, the password can’t be longer than 15 characters.
6. Type a password in the Password to Modify text box. This allows viewers to read a document but requires a password before they can save changes. This feature doesn’t use encryption; it helps you control the pool of reviewers who can change a file.
7. Select the Read-Only Recommended check box. This restricts viewers so they can only read a document, not save it with changes. When the reviewers open the file, they’re asked if they want to open the file as read-only.

Figure 1-2: Microsoft Office 2007 offers encryption of individual files, file-sharing limitations, and read-only recommendations.

The huge loophole to this method is this: A viewer can open a file and use the Save As function to copy the file under a different name for modification.
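The strong-password criteria above (at least 10 characters, mixed character classes, nothing traceable to you) and the two Office 2007 length limits can be checked mechanically. The following Python sketch is an added example, not from the book; the look-alike table, the sample personal details and the function names are assumptions made for illustration.

```python
import re

# Look-alike swaps of the kind the page suggests (a zero or "()" for "o"),
# undone before comparison so a disguised pet name or birth year is still caught.
LOOKALIKES = [("()", "o"), ("0", "o"), ("1", "l"), ("3", "e"), ("@", "a"), ("$", "s")]

# Maximum lengths the page gives for the two Office 2007 password dialogs.
OFFICE_LIMITS = {"encrypt_document": 255, "password_to_open": 15}

CLASS_PATTERNS = {"lower": r"[a-z]", "upper": r"[A-Z]",
                  "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}


def normalize(text):
    """Lower-case the text and reverse the look-alike swaps."""
    text = text.lower()
    for fake, real in LOOKALIKES:
        text = text.replace(fake, real)
    return text


def check_password(password, personal_details, min_length=10, dialog=None):
    """Return a list of problems; an empty list means every rule is met."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if dialog is not None and len(password) > OFFICE_LIMITS[dialog]:
        problems.append("too long for " + dialog)
    missing = sorted(name for name, pattern in CLASS_PATTERNS.items()
                     if not re.search(pattern, password))
    if missing:
        problems.append("missing " + ", ".join(missing))
    plain = normalize(password)
    for detail in personal_details:
        token = normalize(detail)
        # Ignore one- and two-character details; they match almost anything.
        if len(token) >= 3 and token in plain:
            problems.append("contains personal detail: " + detail)
    return problems


# Constructed sample: details someone could find in public records.
SAMPLE_DETAILS = ["Polly", "1970"]

if __name__ == "__main__":
    for candidate in ["P0lly1970", "sP()()n", "ReverendKL5-1243TofuPie"]:
        print(candidate, "->", check_password(candidate, SAMPLE_DETAILS) or "ok")
    print(check_password("ReverendKL5-1243TofuPie", SAMPLE_DETAILS,
                         dialog="password_to_open"))
```

The last call shows that a long passphrase accepted by the Encrypt Document dialog does not fit the 15-character Password to Open field.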
Changing a file’s password

To change a previously assigned password, follow these steps:

1. Open the Office program.
2. Open the file using the password.
3. Click the Microsoft Office Button. The button’s in the upper-left corner of the screen.
4. Click Save As. The Save As dialog box opens.
5. Click Tools ➪ General Options. Since you signed in with the password, it appears on the screen.
6. Select the existing password.
7. Type a new password.
8. Click OK. You’re prompted for the password again.
9. Retype the new password.
10. Click OK.
11. Click Save. If prompted, click Yes to replace the existing file.

Removing a file’s password

To remove a password from an Office file and allow free access to it, follow along:

1. Open the file using the assigned password.
2. Click the Microsoft Office Button. It’s in the upper-left corner of the screen.
3. Click Save As.
4. Click Tools ➪ General Options. Since you signed in using the password, you can see the password on the screen.
5. Select the password.
6. Press Delete.
7. Click OK ➪ Save. If prompted, click Yes to replace the existing file.

Encrypting the Disk

For a deeper shade of security — in most situations and against most evildoers — the solution may lie in whole disk encryption.

Again, a caveat: the National Security Agency (the domestic spies), the Central Intelligence Agency (our crack international somewhat-secret agents), and the staffs of dozens of other government entities, as well as private snoops, can break just about any code they put their collective minds and banks of computers to.

But if you’re talking about whether your average street thief can steal your laptop and then break encryption . . . that’s rather unlikely. The same loophole exists here as with many other systems: A casual thief is more liable to try to erase or remove the disk and replace it before reselling it.
The idea of whole-disk encryption is that the process is independent of the operating system; it blocks access to Windows, makes all files on the drive unreadable, or both. Among sources of this technology are PGP Whole Disk Encryption and TrueCrypt. And the hard disk maker Seagate is leading the way from the hardware side with its Momentus drives that include built-in encryption chips.

Microsoft’s built-in encryption utilities

The Encrypting File System (EFS) permits users to encrypt files so that only a person who properly logged onto an account can access them. Users with the following platforms can use EFS:

✦ Windows XP Professional
✦ Windows XP Media Center
✦ Windows Vista Business
✦ Windows Vista Ultimate

Its primary advantage may also be its disadvantage: No additional password is needed beyond the one required to log onto an account. Once someone is through that door, there’s no further protection.

To use EFS, follow this brief set of instructions:

1. Right-click the file or folder you want to protect.
2. Select Properties.
3. Click the Advanced button.
4. Click the Encrypt Contents to Secure Data check box.

When you initially encrypt a folder, the system may require some time to create a new folder and encrypt its contents; once the folder is marked encrypted, any file saved or copied to it later is automatically encrypted as it’s recorded, with little impact on performance.

The downsides of EFS:

✦ If you’re logged into your machine when it’s stolen or lost, the door is wide open (at least until someone turns it off or it runs out of battery power).
✦ You may lose file access if Windows itself suffers corruption and must be reinstalled or substantially repaired.
✦ Hacking tools to get past EFS barriers are widely available.

Microsoft added a stronger and thus far more secure version of encryption as part of Windows Vista in its Ultimate edition.
BitLocker prevents Windows from booting without the proper password (before login), protecting both the operating system and its files. However, it is subject to the first two shortcomings of EFS outlined before: Once the door is open, all is revealed, and a corruption of Windows itself could make everything on the disk unreadable.

For more information on EFS or BitLocker, consult the Microsoft web site at www.microsoft.com.

Software-based encryption programs

Software encryption is the next level up in security planning from scrambling the data on the disk and requiring a password before they can be read. However, like a password that exists in the BIOS, software encryption uses a decoding key located somewhere on the drive, and a determined (or professional) crook should eventually figure out how to break the code.

No matter what form of software-based encryption you use, keep your Windows operating system up-to-date and regularly consult your encryption software maker’s web site for updates. Hackers will always try to prove their worth by breaking the supposedly unbreakable; if and when that happens, Microsoft and other makers usually come up with a fix and the game continues.

Another shortcoming of software-based encryption programs is that they function as an element of Windows or other operating systems. And in most cases, for technical reasons they can’t encrypt the operating system files themselves; they only encrypt data and settings. However, the loophole here is that most applications store temporary and backup versions of files, as well as fragments of files, in various places on the disk. These may exist outside of the encrypted “bubble” around your critical files.
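Working copies that land outside the encrypted folder, the loophole described above, can be found by walking the disk. This Python script is an added example, not from the book; the file-name patterns are an illustrative, non-exhaustive assumption, and the folder names in the sample tree are constructed.

```python
import fnmatch
import os
import tempfile

# Assumed, non-exhaustive patterns: temporary files, Word AutoRecover (.asd)
# and Word backup (.wbk) copies, and generic .bak backups.
WORKING_COPY_PATTERNS = ["*.tmp", "*.asd", "*.wbk", "*.bak"]


def is_inside(path, folder):
    """True if path is the folder itself or lies somewhere beneath it."""
    path = os.path.normcase(os.path.abspath(path))
    folder = os.path.normcase(os.path.abspath(folder))
    try:
        return os.path.commonpath([path, folder]) == folder
    except ValueError:  # different drives on Windows
        return False


def find_stray_copies(scan_root, protected_folder):
    """List working copies under scan_root that sit outside protected_folder."""
    strays = []
    for dirpath, dirnames, filenames in os.walk(scan_root):
        if is_inside(dirpath, protected_folder):
            dirnames[:] = []  # everything below is covered by encryption
            continue
        for name in filenames:
            if any(fnmatch.fnmatch(name.lower(), p) for p in WORKING_COPY_PATTERNS):
                strays.append(os.path.join(dirpath, name))
    return sorted(strays)


def demo():
    """Build a constructed sample tree and return the strays, relative to it."""
    layout = ["Secure/budget.docx", "Secure/~WRL0003.tmp",
              "Temp/~WRD0001.tmp", "Documents/budget.wbk",
              "Documents/notes.txt", "AppData/Word/budget.asd"]
    with tempfile.TemporaryDirectory() as base:
        for rel in layout:
            full = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        found = find_stray_copies(base, os.path.join(base, "Secure"))
        return [os.path.relpath(p, base).replace(os.sep, "/") for p in found]


if __name__ == "__main__":
    # "Secure" stands in for the encrypted folder; only files outside it are listed.
    for path in demo():
        print("outside encrypted folder:", path)
```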
Examples of industry-standard technology follow:

✦ PGP Whole Disk Encryption offers a platform that lets you use that company’s file and e-mail encryption products, as well as those offered by other companies, spread across a managed network. See www.pgp.com/products/wholediskencryption for more details.
✦ TrueCrypt is an open-source (read: free) disk encryption program. The software creates a virtual encrypted disk within a file and mounts it as a real disk. You can use it to encrypt an entire hard-disk partition or a storage device such as USB flash drive. The process is automatic and conducted in real time (as data is recorded and without significant reduction in speed). In theory, a TrueCrypt volume can’t be identified or distinguished from random data. It’s impossible to beat the price on TrueCrypt, since it’s offered for free. However, as an open-source product (meaning that anyone can read and modify its coding), there’s always the possibility that someone might succeed in cracking its system or corrupting it. Use the Internet and user groups to check on the current status of the product. Consult www.truecrypt.org for more information.
✦ Cryptainer is available in a free basic version called Cryptainer LE and a more fully featured commercial edition. Cryptainer Mobile edition encrypts any data on any media including USB flash drives, CD or DVD

Date posted: 04/07/2014, 15:20
