Friday, October 21, 2011

Lock Down Google With Two-Factor Authentication

Article first published as Online Security: Using Two-Factor Authentication With Google on Blogcritics.

Did you know you can now use two-factor authentication with your Google account? Think about it: most people use a single username/password combination to gain access to a system-wide array of services in the Google universe. Gmail, AdSense, Blogger, Analytics, Docs, etc, is a whole lot to leave vulnerable to the single username and password approach. And it’s easier than you think for a hacker to acquire your password without your knowledge.

Recently, Google has made two-factor authentication available as a login option worldwide. Two factor authentication in its most basic definition is this: A) something you know (your trusty old Google username/password); and B) something you have (a key or one-time passcode that regenerates every 60 seconds). In short, A + B = access to your account. You need both. So even if your password got sniffed, or you left it in your stolen wallet somewhere, the hacker would still need a unique code to complete the login process.

Google makes it easy, too. The idea is after you login using your normal user/pass (A... something you know), you will be asked for a unique piece of information, a code, to complete authentication (B... something you have), to verify your identity. The code is something your smart phone can provide for you. Simply download an app (iPhone, Android, and Blackberry are supported). The app generates a code based on an algorithm that Google and your smart phone app have in common. Or if you prefer, a regular cell phone can be used (a txt message will arrive with the code embedded). The code is only good for 60 seconds, and then it expires and another code is generated.

So why bother? Your account will be a lot safer if you enable two-factor authentication, especially if you're a regular user of multiple Google products. Heck, it even makes sense even if you just have Gmail. Lock it down, people! Google has prepared a great set of instructions to help you get started. Go to to find out more.

Read more:

Wednesday, October 12, 2011

You Still Have Great Taste

“What nobody tells people who are beginners — and I really wish someone had told this to me . . . is that all of us who do creative work, we get into it because we have good taste. But there is this gap. For the first couple years you make stuff, and it’s just not that good. It’s trying to be good, it has potential, but it’s not. But your taste, the thing that got you into the game, is still killer. And your taste is why your work disappoints you. A lot of people never get past this phase. They quit. Most people I know who do interesting, creative work went through years of this. We know our work doesn’t have this special thing that we want it to have. We all go through this. And if you are just starting out or you are still in this phase, you gotta know it’s normal and the most important thing you can do is do a lot of work. Put yourself on a deadline so that every week you will finish one story. It is only by going through a volume of work that you will close that gap, and your work will be as good as your ambitions. And I took longer to figure out how to do this than anyone I’ve ever met. It’s gonna take awhile. It’s normal to take awhile. You’ve just gotta fight your way through.” 

Ira Glass (about).

Wednesday, October 5, 2011

Guest Blog: Online Password Strategy

by Michael Puhala
Day job: Dir. of Sales Engineering, Lithium Technology
Twitter: @puhala
Personal site:

Late last year, I posted an article about online password strategies.  For a refresher, you can visit that article here:

I mentioned technologies such as Lastpass, 1Password and Passpack that help manage your online security and provide some serious convenience in the process.  However, other than mentioning the technologies I liked, I did not really prescribe a specific path to help protect your identity and your accounts.

Consider this a mini guide in finally getting on-top of your online security practices.

Of course, the easiest thing to do is do nothing.  I am going to make some recommendations from the easiest to options that take a little more effort.  Obviously, the path of least resistance also is the most vulnerable in terms of online security.

Option 1 - Easy
If you are the kind of person who uses a single password for everything that requires you to sign-up, you should really rethink that strategy.  At the very least, use a different password for those accounts that are tied to online banking, and anything related to your personal finances (e.g. Paypal Account, money management, and commerce sites like  This password should be at least eight characters long and have some combination of upper and lower case letters, numbers and special characters like punctuation.  Also, if you have not changed your passwords to these accounts in more than a couple of years, you should set a reminder to change your passwords at least every couple of years if not more frequently.

Option 2 - Moderate
Using a technology like Lastpass can not only help make your online activity more secure, it provides some added convenience like automatically logging you into frequently used sites after you put in your master password when you start your computing session.  In some ways, this option might seem less secure than putting in your password manually each and every time, but one way that potential threats make you vulnerable is through key-logging software that tracks your typing history and is an effective method to extract passwords.  If lastpass is automating the login, than you are not using the keyboard to type your password.  Lastpass gives you the option to login to the service using an on-screen keyboard which would also prevent key-logging.  Lastpass and other similar services also allow you to generate unique and random passwords for each site which is a great method to keep you secure.  Since you are not having to remember the passwords that are generated, you can use a stronger password combination and length than what you would typically try to remember.

Option 3 - More Involved
As you might guess, this is the option I recommend and use myself.  The most secure method of online password protection is called multi-factor authentication or two-factor authentication. This involves a two step process to gain access to a account.  Some companies like Google and PayPal offer two-factor authentication when logging into those systems.  Lastpass also offers two-factor authentication when logging into this system.  As Lastpass manages all of your online identities and stores this information in the cloud (encrypted of course), I prefer using a more secure system for gaining access to all of my online passwords.

Enter the Yubikey by Yubico.  This solution includes a USB key that is required to be plugged into the computer before gaining access to your Lastpass account.  It’s called two-factor authentication because both your master password is needed and the Yubikey USB device is used.  Brilliant!  So, even if someone has your master password, they can’t gain access to your password management system unless they also have the USB key.  Conversely, just having the USB key does you no good, because you also need the master password.  Also, the USB key is very nondescript.  Most people will pass if off as a thumb drive rather than a security device.  It can be placed on your keyring so that it’s always with you.

I’ve chosen to use a Yubikey together with Lastpass, however, I do not use Lastpass to gain access to my Gmail account as I want a separate layer of protection for my email system.  Gmail now offers its own two-factor authentication system.  Rather than a USB key, I downloaded an app to my Android phone that generates a real-time secondary passcode to be entered after you use your normal password.  Also, since Paypal is tied directly to my bank account, I use a separate hardware based security key to gain access to my Paypal account. The combination of these systems provides multiple layers of security.  For my banking information, I have configured Lastpass to prompt me for my master password (and Yubikey) before it will automatically login to my account.  You might see the precautions that I’ve taken as extreme, but my perspective is that it’s easier than ever for someone to hack their way into a whole treasure trove of personal information. 

For great technology advice sent directly to your inbox a few times a month, signup for my newsletter, called Citizen Savvy here.

Twitter: @puhala