or, The Hitchhiker’s Guide to Fear and Loathing at a Public Library Reference Desk


Creating Better Passwords By Knowing How They’re Cracked

   October 1st, 2014 Brian Herzog

password are like pants signThis weekend on Twitter, @itsokayihaveabook linked to a great article on the current thinking for choosing a secure password. I don't keep up with this stuff all the time, but every so often I will check in to see what the developments are. If you only read one password security article this year, this is a good candidate.

I liked this one because it wasn't just preachy-talky on why good passwords are important - he explains how password hacking works, and gives advice based on that to create better passwords.

Some things not to do:

  • don't use words: password guessing software crunches through multiple dictionaries at unbelievable speeds, so even nonsensical word combinations will eventually be guessed
  • don't use personally-identifiable information: many aspects of our lives are online, and hackers will use everything they know about us when guessing passwords - so don't use addresses, phone numbers, birthdates, schools, mascots, relatives' names, etc
  • don't be common: there's lots of standard passwords (like pa$$w0rd, temp1234, i<3book$, etc) that are incorporated into password-guessing - even though it looks tricky to the eye, if other people are using it, chances are the hackers will try it
  • don't reuse passwords: with corporate-level security breaches, even a good password might be compromised through no fault of your own. But if you use the same good password for all your accounts, once the hackers get it from Home Depot or Target or where ever, then it's much easier for them to get into your PayPal and Amazon and bank accounts

So here's what he feels you can do - the "Schneier scheme":

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence -- something personal.

The entire article is worth reading. But his bottom-line takeaway is kind of scary: "Pretty much anything that can be remembered can be cracked."

I'm going to start recommending this technique when helping patrons set up email accounts. Thanks Jenny!

Update 10/3/14:

A reader sent me a link to another article, Why you don't need long, complex passwords. I sort of referenced the gist above, but it does a much better job of spelling out another major vulnerability. Thanks R. E.!

The bottom line of all of this seems to be that living is inherently dangerous, so live well and don't worry too much about it.



Tags: , , , , , , , , ,



Libraries Holding Privacy Literacy Workshops for Patrons

   September 18th, 2014 Brian Herzog

rad ref logoYou may have seen this, but it bears cross-posting:

Librarians in Massachusetts are working to give their patrons a chance to opt-out of pervasive surveillance. Partnering with the ACLU of Massachusetts, area librarians have been teaching and taking workshops on how freedom of speech and the right to privacy are compromised by the surveillance of online and digital communications -- and what new privacy-protecting services they can offer patrons to shield them from unwanted spying of their library activity.

Read the full article on Boing Boing - please, read it. Good stuff.

It's important also to know this isn't a one time have-a-workshop-and-everything-is-fixed situation. Online privacy and security evolves constantly - a good example is Overdrive's recent announcement of changes to their app.

On the one hand they said they can do away with Adobe IDs, but on the other they want to start forcing patrons to register with Overdrive. It's increasingly common for patron information to be controlled by third-parties, but it's still not a good thing - and definitely something patrons should know about. And if it's not their librarians telling them, who will?

Thanks for pushing this, Alessandro!



Tags: , , , , , , , ,



LISNews Series on IT Security in Libraries

   August 30th, 2011 Brian Herzog

Everybody Cooperate for Safety First signOver on LISNews, Blake has a series of posts on IT security in libraries, and it's absolutely worth checking out. So far there are five parts:

  1. IT Security For Libraries
  2. Practical Tips For Online Privacy
  3. Practical Advice On Choosing Good Passwords
  4. Staying Safe Online
  5. 20 Common Security Myths

It's good for library staff to know and abide by this information, but it is also very useful material for building a online safety program for the public.

Another of my favorite security-related posts is the Email Scam Competency Test, to see if you can tell legitimate email messages from scams. At the end of the test, click the "why" links to see the clues for telling the difference.



Tags: , , , , , , , ,



Spy-Tech Devices Found in Library

   February 15th, 2011 Brian Herzog

USB KeyloggerDid you read the story about a library in England that found two devices, designed to steal patron information, plugged into their computers?

It almost sounds like an urban legend, but even if it were it's still a good remind to all of us that this could happen anywhere.

The devices are USB keyloggers - someone would unplug the keyboard from the computer, plug the keyboard into this device, and then plug it back into the keyboard's USB port. With this device between the keyboard and computer, it can record every keystroke made on the computer - including websites visited, username/password combinations, credit information, etc.

The best defense against this is for library staff to check for these, or anything attached to a library computer that shouldn't be there. The article also suggest plugging keyboards into the front of computers, to make spotting them easier.

To notice something like this, of course, library staff must be familiar with what should and what shouldn't be there. I don't mean to be all preachy, but this is a good opportunity to familiarize staff who may not be really tech-savvy with library equipment. And another thing: take a few minutes today and check all of the computers in your library.

Thanks Dale for sending this to me, and it was also on LISNews.



Tags: , , , , , , , , , , , ,



Loan Period: One Guilty Conscience

   January 13th, 2011 Brian Herzog

Returned DVDs with note "I'm sorry took these w/out checking them out"Over the last few years, we've noticed a rise in DVD thefts at my library. It seemed to happen in waves - once in awhile, we'd suddenly notice ten or so empty DVD cases on the shelf.

In general we're pretty relaxed at my library, and try to err on the side of good customer service. However, as the empty cases built up, staff started investigating ways to curtail the thefts.

But the kicker was that, when we ran the numbers, all of the security options we looked at (cameras, dummy cameras, security cases, a DVD jukebox, keeping DVDs behind the desk, etc.) were actually more expensive than just buying replacement DVDs. At least, this was true for the rate of theft we were seeing.

It seems counter-intuitive, and a little aggravating, but this is the route we took. The Circ staff was especially frustrated by the apparent "do nothing" approach, but we reviewed the numbers multiple times over the years, and replacement was always the cheapest option. Well, that combined stepped-up monitoring by staff.

And then something happened that no one expected: a stack of DVDs with a note attached ended up in our bookbox. Apparently, whoever had been stealing them got a conscience (or else, as one popular theory holds, his mother found them*). And then, a week later, a second stack of disks showed up.

We had been saving the empty cases all along, so re-adding them to the collection was easy. Hopefully, this trend will continue, and we'll end up with all of our DVDs back - just a couple years late. And we haven't noticed many missing lately, so the increased staff monitoring also seems to be working.

 


*Most of the DVDs that were stolen were Adam Sandler/Will Ferrell/American Pie-type movies, which implies the culprit(s) is probably high school boys.



Tags: , , , , , , , ,



Email Scam Competency Testing

   May 6th, 2010 Brian Herzog

SPAM wallHere's something neat - and vital for library staff, both for those who directly provide computer help to patrons and for anyone else who uses a computer in their daily life:

A recent Slashdot post linked to a test to see how well people can identify spam, scam and phishing email messages (which can happen to anybody).

The test is provided by SonicWall, and would be a great for:

  • taking as a group during a staff meeting or training day
  • testing new employees to help protect your network and increase their tech competency
  • showing to students and computer literacy classes to teach them to evaluate websites and email messages

After you're finished, be sure to click the "why" links on the test results to see exactly what looks suspicious and what are the red flags - that is the most helpful part of the test.



Tags: , , , , , , , , , , , , ,