So my university just got me a replacement Dell printer for my office desktop, which is a Mac. When I went to Dell’s site to download it, I found that they have the necessary .dmg files readily available – compressed as an .exe file. Looks as though this has been an issue for “quite a while.”:http://en.community.dell.com/support-forums/peripherals/f/3528/t/19297965.aspx You might think that someone at Dell would know that Macs can’t read .exe files. You might think it. Still, this doesn’t match my personal-nominee-for-worst-software-design-decision-of-all-time – the wonderful Windows XP tool you had to use to log laptops onto ‘secure’ wireless networks. This asked you to enter in the secure key in a masked text box, so you couldn’t see what you were typing – which is annoying, but in principle justifiable for security reasons. Then, it asked you to enter it in _again_, as far as I can make out, for no logical reason whatsoever that I could make out, and booted you back to the beginning of the process if the two passwords didn’t match. When you have long randomly generated passwords (as you should), there is a not insignificant chance that you are going to type it in incorrectly. Being forced to type it in twice doubles this chance for no apparent gain.
While I’m on a roll, I’m also peeved at Google’s recent decision to randomly challenge you to enter in your password again every couple of days, even if you are already logged in – since I use a long randomly generated password that is impossible to memorize, this usually involves a couple of minutes of searching for the password while swearing profusely. So that’s my life at the moment – how’s yours?
{ 46 comments }
Kieran Healy 06.24.10 at 12:02 am
On the password thing, 1Password is what you are looking for. One master password controls access to your stable of randomly-generated passwords for anything you visit in your browser. When it’s unlocked passwords are autofilled with a cmd-/ keystroke. Best Mac utility ever.
gary rambo 06.24.10 at 12:03 am
There’s an app for that, at least on linux and probably windows: MyPasswordSafe stores long random passwords, behind a single password of your choice of length and difficulty, and copies them to the clipboard when you need to provide them.
Naadir Jeewa 06.24.10 at 12:08 am
The generic postscript drivers work just fine for the 2330dn, provided you have it plugged into the network, and not via USB. It’s a nice printer otherwise.
Naadir Jeewa 06.24.10 at 12:12 am
Oh, btw, just checked that .exe file. As it’s a self-extracting zip file, you should be able to just rename it .zip and/or re-open it with Stuffit Expander or Ez7z or 7zX
qb 06.24.10 at 12:16 am
Some masked text boxes allow for cut and paste, so’s you can type it into word and then drop it into both boxes. Viola! My life right now involves parsing Kenneth Goodpaster’s argument for why being alive is a sufficient condition for moral considerability. I feel as though I should win a prize for completing this task.
anonymous 06.24.10 at 12:26 am
A secure password manage can be quite helpful – I would favor a cross-platform, free (as in speech) program such as keepass .
john b 06.24.10 at 12:52 am
You misspelled “as you absolutely never ever should ever, unless you’ve the kind of memory that allows you to state pi to 250 digits”.
Memorising long randomly generated passwords is effectively impossible for most people (including you, as you note below). Which means they write them down on post-it notes or save them in plaintext files. Either of which is far less secure than the theoretical risk of someone cracking a non-random password, as long as the non-random password isn’t readily guessable.
Something which is complex but memorisable and hard to guess – say, a random phrase misspelled in a particular way and with letter/number substitution, followed by a number of some kind that means something to you but isn’t publicly associated with you – and which you never write down, is far better.
(BTW, the XP wireless tool gives you the option of displaying the passkey in plaintext or obscured, depending on personal levels of paranoia.)
Justin N 06.24.10 at 1:01 am
http://www.bad-neighborhood.com/password-generator.htm
I use long pseudo-random password strings (because I lack access to the kind of equipment required to get TRULY random passwords), and change them every few months. The above password generator creates such strings that, while nearly uncrackable, are actually memorable.
Elaine 06.24.10 at 1:09 am
A free variant on 1password is KeePassX. There is a user generated modification here that allows auto-type fill in.
Current 06.24.10 at 1:17 am
I used to work for one of the above companies. You should see the software they perpetrated for internal use.
The driver probably is a self-extracting zip so if you can find an unzip tool that may do it. However, just renaming it to .zip doesn’t generally work. Zip files and self-extracting zip files have a slightly different format.
fardels bear 06.24.10 at 1:39 am
So, you have a long, randomly-generated password but you keep your computer logged in to your google account? Doesn’t that kind of defeat the purpose of having a password?
Bloix 06.24.10 at 1:52 am
I use things like an obscure movie title followed by a former phone number, and the name of a childhood pet at the end. Not random but pretty difficult to reproduce, I would think.
Sebastian 06.24.10 at 2:06 am
I thought on Mac – just like Linux – you’d be mostly fine without printer drivers by now – is that not right? (honest question – I thought this was one of the things that Mac was good at?)
On my Ubuntu I get 9 out of 10 printers to work without downloading anything – on the downside, number 10 is a major PITA – but if Mac did everything like linux + proprietary drivers for the rest it should be fine, no?
loabn 06.24.10 at 2:16 am
http://www.slate.com/id/2223478
I have found Manjoo’s technique effective for generating pseudo-random passwords.
Michael H Schneider 06.24.10 at 3:00 am
Just patch it in under ddt in the usual way.
(I’ve forgotten where I stole this from. Possibly Pournelle’s column in Byte)
David W. Fenton 06.24.10 at 3:11 am
1. The WinXP wireless configuration dialog does *not* allow you to view in plain text.
2. Windows 7 (don’t know about Vista — never used it) allows you to display the characters or not.
3. Any password dialog that allows cut/paste is written by an incompetent programmer, and you shouldn’t trust its security at all.
4. The only wireless configuration software worse than what MS provides with Windows is all the completely crappy and unworkable garbage that the wireless adaptor manufacturers supply with their hardware. One vendor, Netgear, now allows you the choice of using their software or Windows to configure your wireless adaptor. Windows is by far the superior choice.
(in case you’re wondering, I do this for a living and have uninstalled such software from Linksys, Netgear, Trendnet, D-Link, Lenovo and others, and in all cases, the Windows wireless support was by far the more reliable)
joel hanes 06.24.10 at 3:17 am
You can generate pretty good and easily-memorable passwords by cussing at the “new account” dialogue, and then using the first (or second, or third) letter of each word in your epithet, and substituting 2 for “to” and 4 for “for”
In this scheme,
Damnit, I just want to log in to my bleeping google account !
becomes
D,IjW2Li2mFgA!
Jacob Christensen 06.24.10 at 3:19 am
Not a password issue but on a good day my office computer (Windows XP) takes something like 15 minutes to get up and running – as in: Before I can access my mail, open a browser, open the word processor.
Absolutely brilliant.
OK, maybe I should drop shutting the damn thing down and just leave it running when I go home.
The Raven 06.24.10 at 3:19 am
The custom of obscured passwords comes from the days of printing terminals, when you really, really, really, didn’t want to leave a printed copy of your password around. Later, when computer access was concentrated in “terminal rooms,” it was still useful to protect against “shoulder surfing.” But nowadays, in many situations, it’s just a nuisance.
The practice of entering a password twice comes from the need to correctly enter an obscured password. I am not aware of any valid reason to use it for access.
Croak!
David 06.24.10 at 3:44 am
Or, you could just find out who actually makes the “Dell” printer and the Mac probably already has the driver for that.
john b 06.24.10 at 4:52 am
David F, thanks for correction, and sorry Henry for false correction. It’s been a while since I used wireless on XP other than on networks I’ve set up myself (which have human-memorable passkeys rather than random character strings, because I’m not a raving masochist). MacOS gives you the option, which is why I assumed XP did as well.
Agreed with you 100% on the rest, quite why on earth anyone feels the need to use their OEM’s godawful software rather than the barely adequate but almost invariably superior Windows driver is beyond me (that goes for all OEMs, not just wireless).
Andrew Brown 06.24.10 at 6:23 am
Patch it with ddt! The smarter-ass alternative to “Here, let me google that for you”
Cian 06.24.10 at 8:26 am
If you touch type its fairly easy to generate a random password and embed it into muscle memory. I have several passwords like this which I don’t “know”, but I can type on demand. Then I just use KeyPass as a secure dumping ground just in case I forget them.
Alex 06.24.10 at 9:23 am
What Cian said. Also, ISTR Bruce Schneier recommends passphrases, rather than passwords or randomised keys – someone running a dictionary attack needs to scan not just the set of possible words, but also the possible combinations of words, and they need to detect word boundaries. As the passphrase doesn’t have to make sense, common heuristics for parsing natural language won’t work. So it gives you a lot more entropy while remaining reasonably memorable, and of course, passphrases have thenice feature that the weirder and less likely your passphrases, the more memorable they are.
dsquared 06.24.10 at 9:56 am
I’m also peeved at Google’s recent decision to randomly challenge you to enter in your password again every couple of days, even if you are already logged in – since I use a long randomly generated password that is impossible to memorize
I detect a certain inconsistency here between the “long randomly generated password” security thing, and the “keeping logged in for days at a stretch” thing.
John Quiggin 06.24.10 at 11:05 am
(Stolen) I just use my son’s name as a password. For security, I’ve named him r!12AçZ3 and I change his name every 60 days.
Henry 06.24.10 at 11:32 am
bq. I detect a certain inconsistency here between the “long randomly generated password†security thing, and the “keeping logged in for days at a stretch†thing.
Fair enough – but the threat from someone sneaking it off my machine in the office is pretty minimal (my office is locked when I am not there). The chance of someone guessing it through the procedure of your choice is at least somewhat significant, given the number of spam solicitations I have seen from email accounts recently (including a couple from people whom I would imagine to be pretty careful about security in general).
Kevin Donoghue 06.24.10 at 11:41 am
…my office computer (Windows XP) takes something like 15 minutes to get up and running….
Perhaps Norton Antivirus doesn’t trust you?
Jacob Christensen 06.24.10 at 12:58 pm
@25 Nah – it’s not Norton because we use a different AV-programme. I blame the network settings.
Earnest O'Nest 06.24.10 at 1:16 pm
I don’t trust Norton, he keeps on stalking me.
mpowell 06.24.10 at 3:17 pm
(including a couple from people whom I would imagine to be pretty careful about security in general).
Maybe your assumptions are wrong. Long, random passwords are not a good idea if you are writing them down. I go with a medium length random password appended to a nonrandom password. 6 random characters already increases the space to 50B possibilities and then unless the hacker is aware of my technique, a much larger space given my passwords are 10+ total characters. Also, remember that you just have to avoid being the low hanging fruit here.
y81 06.24.10 at 5:10 pm
Is there empirical data on what percentage of security breaches are due to (i) passwords being guessed versus (ii) unauthorized access to machines that are left turned on, logged in etc. versus (iii) some other means of unauthorized access?
Me, I leave my machine on and my passwords are not very complicated. On the other hand, I don’t have computer access to any interesting sum of money.
Saheli 06.24.10 at 7:39 pm
Are you sure Google is logging you out? And that you’re not falling for the new phishing scam?
Keith 06.24.10 at 9:21 pm
Long randomly generated passwords are only useful if you’re a CIA agent or an Apple engineer prone to drinking too much. Otherwise, simple 8 bit encryption serves 99% of all your password needs. Even that is probably more than is really necessary since, like Henry, most people want to leave their apps open, thus defeating the purpose of a password. The majority of computer users are not carting around state secrets or iPhone prototypes. Most of us will never have our identity stolen or our email hacked and for those of us who do, it’s really easy to just change the password to some other simple, memorable keyword.
Tom West 06.25.10 at 2:46 am
Okay, Saheli, you’ve just scared the heck out of me. How the heck did you do that? I’m looking at the page source and I still don’t understand how you you messed with the displayed URL. Is there a reference you can point me to that explains this?
sg 06.25.10 at 4:25 am
are you guys kiddy-fiddlers or something? Who needs a randomly-generated password? A simple 8 character word that isn’t your own, your partner’s, your kid’s or your dog’s name will suffice to protect your holiday snaps from evil hackers. If you don’t want your partner finding your porn, the problem isn’t your password…
I have a mac, so no slow bootup problems or anything else, really. And it has windows 7 dual-booted, so no game problems either. There is just the small issue of the warning that keeps flashing up to tell me my hard drive is “failing”…
David W. Fenton 06.25.10 at 5:39 am
If you want a fast boot:
1. replace your hard drive with a solid-state drive.
2. replace your current Windows with Windows 7.
3. ditch your AV/Security software in favor of Microsoft Security Essentials.
4. remove all shortcuts to IE and use FireFox or Chrome or Safari or Opera as your default browser (this makes your machine safer without the Draconian AV/security software).
5. uninstall your OEM wireless software and use the Windows configuration utility Not all hardware allows this, unfortunately, though one thing I’ve discovered only recently is that setting the Wireless Zero Configuration service to run automatically can cause adaptors that otherwise don’t work to function properly without installing any software other than the basic drivers.
I can’t stress enough how much of a big deal the solid-state drive is. It makes the computer a completely different kind of machine, as it boots so fast as to be shocking. It’s a particularly good combination with Win7, which is optimized to properly capitalize on the particular characteristics of a solid-state drive.
If you’re concerned about the cost per GB, move your big files off to an external hard drive (1TB drives are easily found for $100; 1TB networkable SANs are available for under $250 if you’d like your files available on your whole home network) so you can get a smaller solid-state drive (though NewEgg.com recently had 160GB drives for under $300, which is way more than enough for everything you need except large video/audio/graphics files).
Martin Wisse 06.25.10 at 8:01 am
More annoying than having to enter a password twice is having to put in an e-mail address twice during a registration process. What the heck is the point of that?
What you really don’t want to use if you want a fast pc: Windows Vista. Not just slow and bloated, but with everything made just that little bit worse or more awkward to use than it was under XP (which wasn’t that bad in the end). Just the fact that the “up a directory level” button is missing in the windows explorer is enough to drive me insane every time I use the bloody thing.
john b 06.25.10 at 8:13 am
I used to do this. Then I went on holiday to France. After that experience, I don’t do this any more.
PHB 06.25.10 at 12:55 pm
The issues with WiFi security are not limited to the stupidity of entering the passphrase twice.
If you are still using WEP you are wasting your time. WEP has been broken at the level that there are little apps people can stick on a laptop that can crack the network traffic in real time.
The protocol was broken early and often. And some of us pointed out then that having every machine in the network use the same key is stupid. But they didn’t want to take notice so they ignored it and then botched in 802.1x into the spec as an afterthought.
I find that pretty much every system I use has issues with 802.11. They all have a habit of forgetting passkeys. Which I suspect is due to the fact that the dufusses didn’t provide a means for a system to verify it was authenticated in the protocol. So the machine thinks it failed to connect, thinks the passphrase must have been wrong and deletes it. Only there was some network issue for the failure.
It would be very easy to sort out all these issues if every adaptor had a X.509v3 certificate that binds the MAC address of the card to a public key. Then instead of using passphrases you simply try to connect the machine to the network, the network says that machine x with MAC Y wants to connect, you approve it and the machine can then connect to the network in perpetuity because the cert never expires.
It could have been simple, we have the same tech in cable modems and it costs less than a penny a machine. Instead we got someone who does not understand crypto to botch something together.
roac 06.25.10 at 1:40 pm
the dufusses didn’t provide a means for a system to verify it
I think the plural of “doofus” (my preferred spelling) ought to be “doofi.”
John M. 06.25.10 at 3:12 pm
“If you want a fast boot:…etc”
You could do all that stuff. Or just a buy a Mac. Or even a Mac with a solid state drive if you really want to show off. Fast, very fast.
Dan 06.26.10 at 5:41 pm
@Tom West
I don’t think Saheli did anything.
Looks to me like he intended to paste the url he was linking to via Ctrl-V, but managed to just hit the ‘v’ instead (href=”v”), which did nothing but append a v to this page’s url.
The weirdness comes when this:
https://crookedtimber.org/2010/06/23/awesome-design-decisions/v
… redirects you to this:
https://crookedtimber.org/2004/07/07/vacation/
But try adding any random letter or letters to the end of any CT url:
https://crookedtimber.org/2010/06/23/awesome-design-decisions/ab
https://crookedtimber.org/2010/ha
https://crookedtimber.org/ga
https://crookedtimber.org/gat
https://crookedtimber.org/thispartdoesn'tseemtomatteronewit/awesome/
I don’t see any indication of the CMS used here, but I’ve successfully repeated this trick on several WordPress sites, so I suspect it’s some WordPress php/htaccess goofiness. I suspect it’s simply loading the most recent post whose url id begins with the final bit of url text.
Looks harmless to my eyes (though who knows with WordPress) and, in any event, probably bears no relation to the “new phishing scam” Saheli intended to freak everyone out with.
Dan 06.26.10 at 5:43 pm
Or, rather, the first post id it comes to alphabetically that begins with said text.
David W. Fenton 06.27.10 at 2:07 am
1. “Why do you have to type the password in twice?”
To insure that you don’t type the wrong password, and then be locked out of your account. Indeed, just this past week, I was stripping a computer to be given away to someone else, and somehow hit the caps lock and ended up entering the password in reverse case. Unfortunately, it was Win2000, which doesn’t helpfully inform you that you have the caps lock on when you’re typing in the password change dialog, so it took some doing for me to figure out what I’d done. Now, obviously, double typing didn’t catch the caps lock issue, but the point is that I thought I’d put in one password, but I’d actually entered something else entirely. The double entry of the password is supposed to insure against that (within the limits of what it can catch).
2. “Get a Mac.”
This is not helpful at all. I’m a fan of the Mac and think that those who want to use Macs should do so, but I’m a Windows user and support Windows clients and suggesting the switch to Mac is not going to help anyone. It just makes you look churlish. I’m also not sure it guarantees the fast boot, either…
Arno Wouters 07.07.10 at 6:15 pm
Henry writes:
May I suggest 1Password to help you deal with this problem?
Comments on this entry are closed.