Locking It Down

Posted by kirk on Oct. 28, 2013

In my previous post about keeping unsavory things off of your network, I made an analogy between DNS and the Contacts database on your mobile phone. As I was explaining this to someone the other day, I used the analogy of a phone book. I pointed out that back in the day, if my parents didn't want a phone number to be accessible, then they could have blacked it out of the phone book with a marker. Such an act would have effectively made that number impossible to find. And that is essentially what Open DNS will do for you.

However, there are some weaknesses with this methodology. Looking at a different phone book is a way around it. Or just waiting until the new phone book arrives each year. And the same goes for configuring your router to use OpenDNS. Someone with admin access to your computer can change the DNS that your computer uses, and open everything back up. Or they could hold down the factory default button on the router, which would cause the router to ask your ISP which DNS server it should use.

You are probably thinking that maybe I shouldn't have written that out -- spelled out a way for your kids to get around the filters you put in place. Maybe I shouldn't have. But at the very least it will keep you honest. Your kids should not be administrators on your computers at home. They probably shouldn't even be administrators on computers that you buy specifically for them. There are lots of reasons for this, and I hopefully just gave you another one. Putting in filters in place and then giving them admin access is kind of like telling them not to drive your car, and then putting the keys under their pillow. All they have to do is look, and the temptation is there.

If you are serious about protecting yourself & your kids as well as teaching your kids good computing habits, do the following things, right now:

  • Set up an account for you, your partner (if you have one), and your kids. Ideally everyone who uses the computer should have a separate account, and only you and your partner (if you have one) should have administrative access. If that's too much, then make an account for the old people to share (with admin access) and an account for the kids to share (without admin access).
  • Move your router to someplace where it is hard to get to. If it is sitting next to the TV, then resetting it is easy.
  • Put a password on your wifi.

As with all things, setting a good example is the best way to encourage proper behavior. Aside from the above, there are some general best practices that you & your kids should do:

  • Get a password manager. OnePassword, Dashlane are good options. LastPass as well. Set a good master password on your vault. It should be easy to remember and no less than 16 characters. XKCD explains as well as anyone.
  • Put all of your passwords into the password manager. And change them all while you are at it. If you do this properly, you'll have insanely complex passwords for super important sites (banks, credit cards, socials, your primary emaiol account). As a case in point, my Facebook password is 92 random characters that can be typed on a typical American keyboard. I don't need to know what it is. I only need to know how to unlock the password manager. The longer the password the better. The longer your password, the less frequently you'll need to change the password.
  • Make sure all of your important accounts have unique passwords.
  • While you are changing your passwords, turn on multi-factor authentication.
  • Set your phone to auto lock. 10 minutes or less. 5 would be better. (You'll get better battery life as well).
  • Set your computers, all of them, to have a screen saver come on after 10 minutes. 5 would be better.
  • Set the screen saver to require a password to unlock.

So the one in there that you probably have the most questions about are multi-factor authentication. You can do this with Gmail, Facebook, Dropbox, iTunes and lots of other services that you probably use. The reason that people don't like changing their passwords is that they don't like having to remember a new password -- mostly because they think that their password needs to be complicated. The merits of password complexity are much less debatable than they were in the past, but if you like simpler passwords, or don't like changing your password, then multi-factor authentication is great way to continue to be lazy, while getting some decent protection at the same time.

In order to explain how it works, I'll walk you through what happens when I log into my Gmail account. I log to outlook.com, and type in my username & password, just like normal. I get a new screen telling me that I need to enter a code to be able to log in. At this point there are a couple of things that can happen. The simplest way for this to work is for Microsoft to send you a text message with the code in it. I enter the code into the website, and voilĂ , I'm logged into my email. There is a box that I can check that tells Microsoft to remember the computer than I am on, so I don't have to go through this every single time. Any time I log in from an previously unknown browser, I have to have the 2nd code in order to get in. That code only lasts a few minutes, after which it is no longer valid. In essence, I could give you my password, and you could take it home, but you couldn't log into the email account unless you've also stolen my phone.

This means that Microsoft requires my password and that the person logging in have access to my phone. So my password for Microsoft hasn't changed in some time (over a year), but it is less important, since no one can log in without having my phone. Or being extremely lucky. It doesn't hurt that my password is long enough that it is statistically improbably that someone would be able to guess it.

Update 9/13/2022: Updated some of the advise to better align with modern best practices.