Jason Stevens

Director of Software Engineering

Too Many Passwords to Remember? Use a Password Manager.

Markus Jakobsson wrote an interesting article for Wired recently debunking some common myths about password security. He argues that longer passwords that are easy to remember are actually more secure than the shorter, more complex passwords that many systems enforce. It’s worth a read:

Fighting Hackers: Everything You’ve Been Told About Passwords Is Wrong

I think Jakobsson’s argument misses one point: even if passwords are memorable, most people have far too many to actually remember them.

Password managers are the answer to this situation. These are programs on your phone, desktop or web that remember usernames and passwords for you. You only need to remember one password, the one for your password manager.

Let me describe how this works. When I come to a login form on the web, I press a key combination to bring up my password manager. If I haven’t already unlocked my password manager it will ask for the master password. Afterwards it looks up the credentials for the site I’m on, fills in the username and password fields and logs me into the site. Once the password manager is unlocked then I can log into any site with a single key combination. (Don’t worry, it’s much faster than it sounds!)

Some password managers are applications that run on desktops, tablets or phones. These usually store usernames and passwords in encrypted files on disk so that the information is secure in case the device is stolen. Other password managers are web based, storing that same encrypted information out in the cloud. Either way these products offer a great combination of security and ease of use.

I’ve been using a password manager called 1Password for several years on my Macs, iPhones and iPads (it’s also available for Windows and Android). The Mac version is fantastic, and logging into websites really is as simple as pressing a key combination. On iOS the experience isn’t quite as smooth and requires a copy and paste of the password. 1Password also isn’t cheap: desktop licenses start around $50.

Another very popular password manager around the Matrix office is LastPass. LastPass is web based and should work on any device with internet access. There is no cost to use LastPass, though a $1 per month subscription to the Premium service enables some additional features.

So take a look at the password managers that are out there, pick one and start using it. Not only will it make your online experience easier but more secure as well.

Have you used a password manager you love? Tell us about it.

Tanya Kennedy Luminati

Director of MatrixMaxx

How Does Online Credit Card Payment Processing Work?

I get a lot of questions from my clients about online credit card processing: how it works, how the fees are structured, and how to lower the fees. This whole system is very, very complex, and I’m not convinced that there is anyone in the world who really understands every aspect of it.

High level summary:

  1. You fill in a commerce payment form on a website, then click SUBMIT. (There are thousands of web vendors who can provide custom or off-the-shelf web forms for this purpose.)
  2. Your payment info goes through a Payment Gateway (e.g., PayFlow Pro or Authorize.net) to the Processor of the Merchant’s Bank.
  3. Next comes authorization. Depending on card type, this might come from the Processor or the card-issuing Bank. Bottom line: someone says ‘approved’ or ‘declined.’
  4. Approved transactions are then ‘cleared’ for settlement.
  5. Settlement is when the money actually moves around. This is usually in a nightly batch but sometimes it is real-time (which can lead to reconciliation headaches for businesses, as the fees are then often deducted per transaction as opposed to a separate charge by batch or time-period).

This is a highly simplified breakdown; the process varies depending on the vendors involved. (For example, some vendors can handle more than one step in this process.) There are industry professionals who spend all of their time, every day, thinking about credit card processing. I actually spoke to a ‘Durbin Amendment Specialist’ a few weeks ago. His entire job focuses on understanding the so-called Durbin Amendment (and the Durbin Amendment’s associated scams), which is just one piece of the larger Dodd-Frank Wall Street Reform and Consumer Protection Act (effective 10/1/2011), and which only impacts certain pieces of the huge card processing industry.

This complexity helps to explain why fees are so high. Every single ‘player’ in this system needs to get paid for doing their part. The more complexity, the higher the cost.

So how do you lower the cost of these fees?

  • Talk to your current merchant bank. They might actually have some immediate ideas for you.
  • Ask for and include CID/CSV on your payment transmissions, whenever feasible.
  • Ask for and include Billing Address on your payment transmissions, whenever feasible (Note: some banks give a processing fee break for just providing zip code, so you can save your user some time by just asking for it.)
  • Shop around for a new merchant bank, processor, or gateway. Everyone wants your business, and sometimes a ‘little guy’ can give you a better deal than a ‘big guy’. But beware! There are costs to making these changes, so be sure that the money you’d save in fees justifies the cost to make the change.

Has anyone stumbled upon good articles, diagrams, or explanations of this complex industry that are aimed at the novice as opposed to the expert? I’d love to see them.

James Wood

Programmer

Sandbox Security in ColdFusion 8

There are certain tags that by default are enabled in ColdFusion that I am never going to use and are a security risk. With this in mind I wanted to disable these CF Tags in a ColdFusion enterprise environment.

We have done this before in the ColdFusion Standard edition and it is quite straightforward. So I went ahead and enabled Sandbox Security in a specific CF instance. One of the differences in the Enterprise edition is that you can define permissions per directory, so you can have different permissions on different instances.

I added the directory of the site on which I wanted to disable cfexecute, then disabled the cfexecute tag. I was prompted to restart the CF instance and then went to my site. I got an error. I went to the CF Administrator to change the settings back and it wouldn’t respond! What the…?

Having played around with the guts of ColdFusion and its settings, I knew that I could revert the Sandbox Security by changing the xml file. That file is called neo-security.xml in the \WEB-INF\cfusion\lib folder of the instance that I was updating.

So, what next?


Hassan Elhassan

Front End Web Developer

Quick Tip: Saving passwords in browser not a great idea

We’ve talked about how we love Keepass and LastPass because they’re good for password management. Instead of using a manager, lots of people let their browsers save their passwords. Easy, right?

But, is this a good practice?

Not so much.

Lifehacker shows us why you should never do that. Here’s how a person can easily reveal your hidden passwords in any browser!

Once again, a password manager is a better way to store your passwords.

Do you have any stories about password protection you’d like to share?

Rich Frangiamore

Systems Admin

No Excuses: Password Security

Pardon me for being verbose here, but we need to talk.  It’s about your passwords.

It’s official.  There is no longer any excuse for any of us to not be using multi-factor authentication with our sensitive accounts.  There is also no longer any excuse for any of us to not be using complex and unique passwords for every site we visit.  None.

It’s all over the blogosphere.  Everywhere.  Online businesses and services are being compromised.  Accounts are being stolen.  It does not take a PhD to have a secure online identity, but sadly, some people still don’t take this seriously.

The resources are out there, and they’re mostly free.  Yes, 100% gratis.

No excuses.

I’m going to talk about two components: password security, and multi-factor authentication (MFA), also known as two-step verification.
