645 – mobile ad blocking

It's always DNS

The internet just wouldn’t work without the magic that is the Domain Name System, or DNS. If you are not a networking guru, this service is effectively the index of internet hosts (not just websites but also anything else that offers a service on the net), and is used to find the actual address that your computer will connect to, using a name as the reference.

If you put www.bbc.co.uk into your browser, that means you want to connect to a machine called www which belongs to the domain bbc.co.uk, and a beautiful yet simply elaborate system is used to figure out how to find that domain, get the address(es) of the actual host, and provide the info back to your device so you can connect to it and request information.

Being the one service to bind it all also means DNS is often the thing that brings everything to a halt, eg. if your home router can’t connect to your ISP’s DNS server, then you’re basically unable to communicate with the rest of the world as you’d be unable to find anything (unless you hard-code your machine to use a different DNS, like CloudFlare’s 1.1.1.1 or Google’s 8.8.8.8).

Futzing about with DNS can sometimes bring benefits, though. One such is that for the many webpages which contain embedded adverts or clickbait links, if your browser is unable to connect to the source of the advert, then it might just not show the content at all. On desktop computers, you could use ad blocker browser extensions of all kinds, but on mobile devices your choices are a bit more limited.

Stupid Ad from Microsoft Start appIf you rely on mobile apps like Google News or Microsoft Start, which show content within the app and have no ability to install 3rd party browser extensions, you may have to take more action to block out all the insidious and stupid adverts.

A true geek’s solution at home could be to set up a Pi-hole; a DNS server (traditionally targeted to run on a Raspberry Pi microcomputer, hence the name) which will filter out the garbage by deliberately blocking the URL-to-address resolution of thousands of known advertisers or clickbait providers. Great when you’re on the home network, but what about if on the move and connected to another network?

One possible solution here is to use a provider like NextDNS, which has been described as effectively running a Pi-hole in the cloud for you to use.

Enable NextDNS on AndroidFree for up to 300,000 name resolutions (which sounds like a lot, but in reality, isn’t), it’s a snap to try out and if you sign up, you’ll be given simple instructions on how to plug it into your phone, tablet, desktop or even home router, so as to extend protection to every device connecting through that network.

Insidious ad has been silently blockedDNS queries would be routed to the NextDNS service and if the requested host is from one of a plethora of blocked sites – not just ads, but known trackers, phishing links etc too – then it will simply return a dud response as if the site doesn’t exist.

Your app or browser will either show you an empty box, maybe an inline error frame, or it may silently move on and display nothing at all. Just one small victory!

Using a service like this – others are available – can be switched on or off quickly (in Android, it takes the form of a single switch to configure a Private DNS with a URL unique to your account), and works regardless of whether you’re on Wi-Fi or mobile connectivity.

#639 – Macros, Ghosts and GALs

VB and MacrosSince the early days, Microsoft always kept an eye on what its competitors were doing. It was once de rigeur to produce “battlecards” which would show feature-by-feature how one product is better than its competitor, thus assuring the customer they should buy this one. Thankfully, times have mostly moved on to just building as good a product as possible and then let customers and the markets decide – sometimes, they get improved and honed over time to be the best out there, and sometimes they get dispatched to the boneyard as times move on.

Exchange Server boxIn the late 1990s, Office and Exchange (and later, SharePoint) Server were seen as Microsoft’s entrants into the burgeoning “Groupware” market, which became subsumed into “Knowledge Management” c2000. Key competitors to Exchange & Outlook were Lotus Notes and Novell GroupWise, both of which came from being collab tools and gained email functions. Notes was arguably much more mature and feature rich even if the UI was sometimes clunky, GroupWise was much leaner but found a niche in several industries. Amazingly, GroupWise is still a thing and Notes evolved first into IBM Notes/Domino and was eventually sold off to now be HCL Notes and HCL Domino.

One of the early moves Microsoft made to elevate Office apps to more than just writing documents, was to try to make the docs more capable through adding Macros, and later, Visual Basic for Applications. This allowed a moderately skilful user to dabble in programming to make smarter applications centered around documents; what seemed like a good idea at the time unwittingly unleashed a wave of malware, where bad actors wrote macros to do undesirable things. Following the “Melissa” worm in 1999, Office stopped Macros running without asking the user for permission. Using Macros for anything more than tinkering never really took off.

Blocked Macro warning

Macros disabled entirely

Microsoft announced in February 2022 that all Office Macros in content received online would be disabled completely; this was temporarily rolled back in some test builds for some changes to be made in how it works, but for many, the warning will still be there if you open a Macro-enabled file that you’ve downloaded or been sent.

Unblocking MacroThere are still some very useful Office macros out there, and if you do need to run one that you know is from a trustworthy source, there is a workaround – save the file to your PC locally, then right-click on it to look at the file’s properties, tick the “Unblock” option and apply that. You’ll now be able to choose to run the macro unencumbered.

One such handy macro was discussed back in December 2021 in ToW 611, and is used to find Ghost meetings – ie ones you have arranged but everyone has declined (or at least not accepted). The macro spins through all future meetings in your calendar and lists the ones you’ve organised but where you’re likely to be the only attendee who shows up. Particularly useful at this time of year if lots of people are about to take time off over the summer, and may have declined a few recurring meetings but you – as organiser – still have them in your calendar.

Ghost Meetings

For the latest version of the macro, download the ZIP file to your machine and expand it (or just copy the XLSM file that’s within and put it somewhere else), do the property Unblock thing as above, open in Excel, click the button to allow content, then the Scan Calendar button and you’re all set. You still need to go into Outlook and look at the appropriate date then decide if you want to cancel those meetings or not.

Another more powerful macro – though a little more esoteric – is one which does bulk resolution against the Global Address List, so if you give it a list of display names and/or alias names, it will show the full name, title, department, office, email, and alias name of that person. Handy if you want to get the full details of everyone who is going to attend a meeting, but if you just have a longish list of names then you could just paste them in and see how it goes. This was covered back in ToW 575. One usage scenario recently was to estimate the number of people who were attending a group meeting, but were based at other offices and would therefore need accommodation.

Here’s an example output of over 500 names who were invited to a large meeting; by just providing their display names in column A, it took the sheet about 30 seconds to complete, with 10 identified as distribution lists and 50 unknowns who couldn’t be resolved, either due to no longer being in the GAL or because there were more than one possible name listed.

GAL resolving

If you can manually find the unknown person/people in the GAL, then get their alias name and paste that into column 1 instead of the ambiguous display name, then try to run it again.

634 – M’aidez, m’aidez

Quick Assist logoThe internationally recognized distress signal “May-day!”, as used by pilots heading for trouble among other scenarios, was chosen as an anglicisation of the French “m’aidez”, or “help me”, due to difficulties of understanding other terms over poor quality radio.

With much less serious consequences, those of us with a technical bent might often be asked to help family or friends who have problems with their computer, and may turn to remotely taking over their machine –  from desktop sharing in Teams or Skype, to using software that should be simpler for the technologically challenged to initiate so you can help them out.

TeamViewer is one such bit of software that’s relatively easy to install and configure, so it’s unfortunately a fave of the scammers who prey on vulnerable people by phoning them up and warning that Microsoft has detected a problem with their computer, and they need to get help to fix it.

Microsoft will never proactively reach out to you to provide unsolicited PC or technical support.

Quick Assist updateIf you do want to get or give help from a Windows PC, a venerable in-box inclusion called Quick Assist could be worth a look – it has recently been updated and is delivered via the Microsoft Store, which now has support for any Windows app and not just UWP and PWA. More on that announcement from Build, here.

Sharing security codeThe gist with Quick Assist is that you over the phone, you could talk your victim friend through the process to start it up (Start -> type assist ENTER), then you do the same. The first screen gives an option to enter a code provided, or if you are the one doing the remote assisting, click the button to Assist another person, and you’ll be given a time-limited alphanumeric code to provide the other party.

They type this is to the dialog on their end, and a secure connection is established, whereupon they can choose to share their screen in view-only mode, or they can offer to give you control.

After a couple of prompts to validate that this is really what they want to do, you would see the recipient’s desktop in a window and have a variety of control icons around it, like a short cut to run Task Manager on their machine, shut it down or send messages back and forth between both of you. Unfortunately, the chat history is not preserved but it’s a good enough way to give short instructions.

clip_image002[6]

620 – Change your P@ssw0rd!

clip_image002Bad Actors are all over the internet (not just in your local multiplex), mostly aiming to gain access to data and systems for nefarious purposes, though sometimes they try to do good. Data breaches generally start with the weakest link in the chain: PEBKAC, in other words, It’s Your Problem.

Identity protection company SpyCloud reports that more than two-thirds of passwords which have been breached online are still in use and most users still have the same username and password combo across multiple accounts. If you want to keep your own personal identity and data safe, it’s job #1 to make sure you have unique passwords for each website you use, and that the passwords are not made up of guessable words or phrases.

clip_image004clip_image006The Edge browser gives you some tools to manage your passwords better – look for the Password Generator, or the drop-down Suggest strong password option, when you’re registering a new sign-in, and it will generate a long and complex password, stored in your account so in future you can be automatically signed in.

clip_image008Some sites don’t trigger the password generator or suggestion – perhaps due to how they describe or display the password field(s) – so another option is to use a browser extension like btPassnumerous others are available. It simply drops an icon on the browser toolbar and will show a password of varying complexity and length, which can be quickly copied to the clipboard and pasted into password fields. Since some sites don’t like special characters in the password, you can tweak or edit the text it creates.

Security software company F-Secure has launched a free online password generator, if you’d prefer to create your secrets that way.

clip_image010The Manage passwords option seen in some password drop-downs – also available from the settings menu or by entering edge://settings/passwords into the address bar – gives access to Password Monitor, which warns you if passwords you have saved are known to have been breached, and can display a list of the sites where your previously-set password has been found in a trove of hacked accounts.

clip_image012You can quickly check the password used and decide to visit the page to change it – assuming the site still exists – or simply ignore it (on the assumption that you’ll be cleaning up and not using the compromised passwords on any sites you still want to actually visit).

If you install Microsoft Authenticator on your phone and sign in with the same account as you use in your browser, the saved passwords will be available through Authenticator too – so having very complex passwords should be no barrier to usability any more.

600 – Welcome to Windows 11

Just in time for the holiday season and for the ranges of updated PC kit that’s coming, clip_image002Windows 11 is nearly here – ETA October 5th 2021.

In December 2009, when ToW was only #1 (it took a year before the internal-to-Microsoft emails were published to the web, and years after that before www.tipoweek.com arrived), Windows 7 was only 6 months old, having replaced the Windows Vista predecessor which everybody loved so much (for some great insights into what happened during the dev cycle of Vista, see here and here).

Windows 7 was the bomb, then Windows 8 came along and failed to set the world on fire to quite the expected extent. Windows 8.1 fixed a lot of the complaints and generally speaking, all was good. Windows 10 came out 6 years after Windows 7 and for some was its true natural successor, and since mid-2015 it’s been very widely deployed, even if the mobile ambitions were less than realised.

clip_image004For a while it was thought there would be no new releases of Windows, just incremental updates (Windows as a Service if you like), but we are now on the cusp of the next big milestone – Windows 11.

There’s a lot to like about the major update from Windows 10, such as its refreshed UI, easier window management (especially if you have multiple monitors), improved security and streamlined performance to take better advantage of modern hardware, like the new range of Surface products which will ship with Windows 11.

Existing users will get the upgrade free of charge after October 5th, either by kicking it off proactively or by waiting for Windows Update to offer it.

If you feel like a weekend project and want to upgrade a home PC to Windows 11, there are ways to grab it sooner than 5th October – join the Windows Insiders program if you’re not already in (it’s free – just go to Settings / Windows Update and you’ll see an Insiders option), and you can choose to receive the Beta preview, and download it from Windows Update.

If you’d like to manage the upgrade a bit more (or do a clean install), you can grab the Beta Channel ISO file and run the update from there. The clip_image006current Beta version (stay away from Dev Channel unless you really know your onions) will be very near to the version that’s released (if not actually the same in everything but name), so going Beta now will get you on the ladder to receive the final bits very soon.

clip_image008There are some downsides, though – creaking old PCs may not be compatible – find out if yours is, by running the Health Check app.

The specs required to run Windows 11 were somewhat controversial when announced – only modern processors are supported, even though an older but powerful PC with beefy CPUs and lots of memory would normally be considered fine.

Trusted Platform Module 2.0 is also a requirement, as part of the base security platform: generally speaking, A Good Thing and not an issue for modern laptops. Older desktops – especially home-built ones – are less likely to have a TPM chip on board, and if there is, it’s probably not enabled by default.

Some features are still waiting to be delivered; the unveiling in June showcased the new Microsoft Store, and that would include Android apps which could be used in emulation on the PC – that’s still “coming soon”, along with a number of in-the-box app updates (like Paint, Photos, Mail & Calendar and more) which will arrive “later”.

If you want to get your hackles up on everything that’s wrong, check out Windows Weekly. It’s a fair accusation that the primary driver for Windows 11 is to add some juice to the PC market by encouraging people to buy new machines rather than keep upgrading old ones; but if your existing computer will run Windows 11, it’s a great looking and functionally improved update.

586 – Pick Up Thy WordPress

clip_image002This tip has been a very long time coming. Back in ToW 479, the subject of running WordPress on Azure was mooted, and it prompted an internal-to-MS conversation about the guidelines for publishing stuff externally.

The extended back story is that there were hundreds of employee blogs which had been published under the technet.microsoft.com and msdn.microsoft.com sites, both of which URLs could trace their birth back to the 1990s, and a project was underway to clean them up and rationalize somewhat.

Initially, guidance to MS bloggers was (basically) “unless you’re an official blog, you have <nn months> to move your stuff elsewhere before it gets deleted.” Certainly, there was to be no new content after the cut-off date.

That guidance relented somewhat and content from relatively active blogs was migrated to the Microsoft Docs archive though taking a trip through the final posts from the ToW host blog, The Electric Wand, shows that lots of graphical content was not carried across – more of a lift & dump than a lift & shift.

Blogging is a bit old-hat these days but lots of people do still maintain a blog to share stuff they think is interesting; see Scott Hanselman as one example.

Anyway, the solution for Tip o’ the Week was to move to an external website – www.tipoweek.com – which is hosted in Azure and, like about a third of all websites, running under the content management system, WordPress.

clip_image004Setting up a WordPress site is pretty straightforward, really – though you do have a variety of options on what kind of site you want to build. If you need a complex site with lots of control over it, then you might clip_image006want to run it in a Virtual Machine or a container. For most of us, though, a simple App Service will suffice. From the home page of your Azure subscription, just Create a resource and search services and marketplace for WordPress, then select the WordPress App Service from the multitude of options you might get.

For more tips on how best to get up and running with WP in Azure, see here.

clip_image008One retiring Microsoftie (not the shy type, but leaving the company, today in fact), emailed last week to point out that the tipoweek.com website was being flagged in Edge as Not secure. Oh Noes!

This has, in fact, been a niggling issue for a while, since Chrome (and Edge, given its diet of Chromium) instituted a policy of flagging any website that doesn’t use the secure HTTPS protocol & SSL by default.

Secure Sockets Layer, if you’re not overly familiar with it, relies on a way of encrypting data travelling between two points, using a previously-generated pair of mathematically-linked digital keys. If you have one key, you can use it to encrypt data which can only be decrypted by the other key in the pair (ie you can’t even use the same key that encrypted the data to decrypt it again). Typically, one of these keys is publicly accessible and the other is kept private.

clip_image010One way of sharing a public key is to embed it in a site’s SSL certificate, which is in turn validated by a mutually-trusted third party (called a certificate authority). If you visit the website for an institution like a shop or a bank, then your browser will download the site’s certificate, validate that it’s still current and trusted, then use that public key to encrypt data sent to the site. Since that data can only be decrypted using the corresponding private key, we can validate that the site is not being impersonated.

The whole public/private key encryption process has something of a computational overhead associated with it, but once we have established a secure connection, we could use a faster encryption technique for data sharing by using a single key that can both encrypt and decrypt the same data.

In other words, if I go to a website that presents me a certificate specifically issued for that URL’s domain, I can be sure that the site handing out the cert is who they purport to be. This could be validated by me generating a random set of numbers, encrypting it with the public key and sending that to the site; it would decrypt the gobbledygook with the private key that only it has, and we now both have the same set of data that has been securely shared between us. That would form the symmetric key that we can use for the rest of the connection.

For more detail on these kinds of topics, check out the Cryptography 101 podcast on Hanselminutes.

clip_image012In Edge, if you want to look at a secure site’s certificate, click on the padlock icon (or the handbag icon as some people once saw it – that meant it was safe to shop) – and click the “Connection is secure” banner, then click the little certificate icon in the upper right.

clip_image014

The trouble is, if you’re hosting a hobby or a community web site, paying for an SSL certificate might seem a bit of overkill; web hosting companies will try to bundle them into domain protection and other security features which might be no big deal for a commercial enterprise but a little stiff for a parish newsletter.

Fortunately, there are alternatives, though they do need a bit of spade work to get up and running. Hanselman (yes, him again) discussed using an extension and an organisation called Let’s Encrypt, whose goal it is to make the web 100% secure. They have issued over 225 million SSL certs, and will generate 3-month-validity certificates free of charge, as an alternative to paying anything from $60-200 a year to a commercial issuer. With a bit of practice, it doesn’t take long to create and manage the certs and if you only need to do it 4 times a year, then it could be time well spent and money well saved.

clip_image016An alternative method was written up by fellow Microsoftie Andreas Pohl, using a slightly more manual method to create the certificate then import into Azure; if you’re looking for an excuse to get Windows Subsystem for Linux up and running, then this could be it.

Once you have the certificate exported to a file, it’s a matter of a few clicks to import it into the Azure App Service that is running WordPress, set up the bindings appropriately, and you can then flick the switch to make the site only service up content over HTTPS.

clip_image018And thus display the handbag of security to anyone who visits.

569 – Password migration

clip_image002One of the problems with free software and particularly free services, is that at some point, they might stop being free. The path of freely-provided online services is littered with companies who gave their service away to get the users, then grappled with the reality that more users means more costs to deliver the service – and if they don’t get enough income from whatever sources they can, the free ride will come to an end. Just look at Photobucket. And every web site that makes you whitelist them in your ad-blocker before you can continue.

The latest in a line of what-used-to-be-free but is now tightening its belt is LastPass, an excellent password manager that has a lot of users but may end up with a good few fewer. The day after the Ides of March, LastPass Free will only allow use on a single device type, so if you currently use it to sync passwords across desktops and tablets or mobiles, then you need to start paying (and maybe you should) or stick to either mobile or desktop.

As soon as the company announced its plans, the web sprung up many articles offering “what is the best alternative to…” type advice. Only a few weeks ago, ToW#561 espoused the virtues of cleaning up your passwords, featuring LastPass and also trailing some features that were coming to an alternative that you might already be using to provide 2 factor authentication on your phone – Microsoft Authenticator.

It’s fairly easy to switch to using Authenticator on your device to also sync passwords and to provide the Auto-Fill function which plugs in usernames/passwords not only to sites on your mobile browser but to other apps too. If you already have a load of passwords set up in LastPass or other locations, there are methods to export them and then import the data into Authenticator.

clip_image004

In the case of LastPass, you sign into the Vault (either through the browser plugin or directly on their website) and under Advanced Options, select the Export function. It will immediately drop a lastpass_export.csv file into your Downloads folder; be very careful with this file as it contains all your usernames & passwords in clear text.

clip_image006You can get these passwords into Authenticator either by copying the file to your phone (Not a Good Idea) and importing from there, or by installing the Microsoft Autofill extension for Chrome into Edge (remember, Edge is a Chromium browser under the hood), then click on Settings and choose the Import data feature.

Now navigate to your Downloads folder and choose the lastpass_export file. It might take a little while to complete, but when it’s done, make sure you go back to the Downloads folder and clip_image008hard-delete that CSV file (ie select the file, hold the SHIFT key down and press the Delete key – this makes sure it doesn’t go to the recycle bin). You definitely don’t want that file being left behind, or copied or synced anywhere that is not encrypted.

The LastPass browser extension (like other password managers) remains potentially useful on the desktop as it can help to sync passwords between profiles (eg the Work and Personal profile of Edge, if both have the extension installed and logged in using the same LastPass account), or even between browsers – in the cases you might want to use Chrome for some things and Edge for others.

Edge on the PC does have password sync capabilities, though not quite with the same level of flexibility –

clip_image012clip_image014

clip_image010

Edge will let you sync passwords, favourites etc if you’re using a Microsoft Account (eg outlook.com) for your Personal profile, and it may do if you have a Microsoft 365 account for your Work Profile.

In a twist of fate, if you pay for a Microsoft 365 Family or a small business environment rather than using the free Microsoft Account, your subscription lacks the Azure Information Protection feature that is required to allow syncing. In which case, a 3rd party password sync feature may be your best option, even if you choose to use Authenticator on your mobile device, and perhaps do a periodic export/import from LastPass to keep your mobile passwords in sync.

Or best of all, just install the Autofill extension into multiple profiles (or Edge & Chrome), signing into the extension using the same Microsoft Account, to keep the passwords in sync. Tidy.

565 – 88 Edge updates

clip_image001Just over a year ago, the new release of the Edge browser with the Chromium engine was released, and lots of functionality has been shipped since. Much effort has been to differentiate the Edge browser from others, because it integrates better with Microsoft services and other offerings. From synching settings, history, favourites, extensions… to adding protections around passwords and having a great multi-profile experience… it’s been getting better all the time. But 88 updates? That’s crazy!

(it doesn’t necessarily have 88 updates – that was just a ploy to get in the Crazy 88 link above)

The latest version of Edge shipped to mainstream users recently; release 88 is named after the core engine version, so Google shipped Chrome 88 at the same time. Some of the “what’s new” in Chrome will be consistent with Edge, since the rendering engine is the same – like the deprecation of a couple of features; Chrome & Edge no longer have FTP support natively, and they finally killed Flash.

Back to Edge 88 – go to the menu, then settings | about to find which version you have – there are a bunch of cool things to try out or investigate:

Themes – there are some really nice pre-built themes packaging background images and colour schemes; see them here. You can apply a theme to a specific user profile, which might help you differentiate them from each other – so a Forza or Halo theme applied to your personal profile would change the colour scheme for that one, making it easier to spot which profile you’re using. You can also add themes from the Chrome web store.

clip_image003Sleeping Tabs – helping to reduce system resource demands, Edge can now make tabs go to sleep if they haven’t been used for a while. You need to switch it on (the plan being that it will be a default in a later version) by going to edge://flags and search for sleep.

If you regularly use websites that fire notifications – like mail, or news readers – then be aware that they will not show when the tab is asleep. Work is underway to report back which sites should not be put to sleep, so Edge will be able to know when it’s a help and when it would be a nuisance.

clip_image005Passwords – as discussed previously when it was in dev mode, the password monitoring and strong password suggestion features are now generally available. Edge can look for common username/password combinations that are in your cached credentials, but which are known to have been leaked.

If you get a report of such a leak, you should change all of the passwords on affected sites as soon as possible. Looking under Edge Settings / Profile / Passwords, you should see the options to enable both Password Monitor and suggestion. For more info on how the Password Monitor works, check out this MS Research note.

PWAs and ProfilesProgressive Web Apps are increasingly being seen as the way to take a site and treat it like an app; it can show up in Start menu, can be pinned to task bar, will run with a specific icon and name, and won’t have all the UI of a browser, so it looks just like a native app.

clip_image007To install a PWA on Edge, just go to the menu on the top right when you’re browsing to a site, and you clip_image009should see Apps > Install … as an option. You get to give the “app” a name, and it will then look and feel much like a native application.

clip_image011If you install the PWA in more than one Edge browser profile, there’s a new function that means when you start the app – from the Start menu etc – then you can switch between which profile it should run in (scoping identity, passwords etc within).

PWAs are cool. Unless you’re using Firefox, where PWAs are not cool.

561 – Password clean up

clip_image001As most of us look to put 2020 firmly behind us and take some down-time over the festive season, there may be a list of jobs which get left to this time of year – filling out the annual tax return, maybe, or clearing out that drawer with miscellaneous stuff in it.

clip_image003You could set your sights higher, even – like gathering all the papers scattered throughout your house (user guides, receipts, utility bills etc etc) and putting them in one place, as recommended by Getting Things Done guru, David Allen.

Or just scan them all in then recycle…

Maybe it’s time to finally sort out all the passwords you use for different websites. Even though Multi-Factor Authentication is gradually replacing the need to enter a username & password every time you access a resource, there’s still often a need to create a username and password combo when you sign up for something. If you’ve used Edge or Chrome to remember your passwords, you might find there are many hundreds of them, and being weak carbon-based lifeforms, we’re quite likely to use the same ones for many sites. Naughty!

clip_image005There are browser addins and other tools you can use to remember the passwords you use, and (using LastPass as an example) can give you the option of generating something strong and unique at the point of signing up on a site, then syncing that username and password back to a central service so you don’t need to re-enter it next time (or remember something truly unmemorable). LastPass recently announced their 2020 stats – they’ve generated 94 million secure passwords and been used to log in more than 10 billion times.

Microsoft Edge offers some password management capabilities – as well as being able to remember passwords within the Edge browser, and sync them between different machines or mobile devices, Edge is also getting to be capable of suggesting and storing complex passwords for new sign-ups.

clip_image007Edge is beefing up its password security in other ways, offering proactive warnings if your passwords have shown up in databases of leaked credentials (at the moment, this is a test feature in the dev builds). One-by-one, you can use Edge’s “fix leaked passwords” function to check what the existing password is for each site, and then click a button to jump to the site to reset it – in some cases, going straight to the change password part of the site.

clip_image009Finally, the password sync feature is getting some extra legs – using the Microsoft Authenticator app on your phone and it’s new beta Autofill feature, you can use that app to provide the username/password for website or even mobile app logins. There’s a Chrome extension too, so if you want to switch back and forth between Edge & Chrome on a PC, your passwords will be available to both.

In some senses, storing passwords and allowing them to be automatically filled in feels like a security risk – anyone with access to your unlocked computer or phone could potentially access your online services. Using Autofill and Authenticator, though, the default setup is to require biometric authentication – so you’ll need a fingerprint or camera, or unlocking with a PIN, before the auto-fill will happen.

Also, it’s more important to have complex passwords that are hard to break or guess, and to have different ones for each and every site or app you use.

This is the final ToW for 2020. Let’s hope ’21 brings us all better luck.

In the meantime, have a great holiday season, stay safe, see you on The Other Side!

556 – Using MFA more widely

{10B132AF-CB81-488A-9B6B-27D6F996ACBA}Previous Tips have covered making use of 2FA – or 2 Factor Authentication – with your Microsoft Account (ie your account from Outlook.com/Hotmail/MSN/Passport etc) and how to manage passwords better, so you don’t end up with P@ssw0rd1 for every single one of your website logins. Dealing with passwords can be complicated and since humans are typically weak and seek the path of least resistance, this can often lead to huge security lapses.

So 2FA – or its cousin, Multi-Factor Authentication (MFA) – is a better way to secure things, as a remote system can validate that the user knows something which identifies them (their username & password, secret phrase, date of birth etc etc) but also has something that identifies them too; a security token, smart card, digital certificate or something else that has been issued, or even just a mobile phone that has been registered previously with whatever is trying to validate them.

Although such systems have been around for a while, the average punter in the EU has been more recently exposed to 2FA through a banking directive that requires it for many services that involve transfer of funds, setting up payments or even using credit cards. In some cases, the tech is pretty straightforward – you get a SMS text message with a 6-digit one-time code that you need to enter into the mobile app or website, thus proving you know something (you’re logged in) and you have something (your phone), so validating that it really is you. Or someone has stolen your phone and your credentials…

MFA is stronger than 2FA, as you can combine what you know and what you have, with what you are. An example could be installing a mobile banking app on your phone then enrolling your account number, username & password; the know is your credentials, and the have is a certificate or unique identifier associated with your phone, as it’s registered as a trusted device by the banking service that’s being accessed. Using your fingerprint to unlock the app would add a 3rd level of authentication – so the only likely way that your access to the service (for transferring funds or whatever) could be nefarious, is if you are physically being coerced into doing it.

2FA and MFA aren’t perfect but they’re a lot better than username & password alone, and Microsoft’s @Alex Weinert this week wrote that it’s time to give up on simpler 2FA like SMS and phone-call based validations, in favour of a stronger MFA approach. And what better way that to use the free Microsoft Authenticator app?

Once you have Authenticator set up and running, It’s really easy to add many {6CB942E5-5D57-48E1-BE97-E89CA2CF482B}services or apps to it – let’s use Twitter as an example. If you’re using a browser, go to Settings and look under Security and account access | Security | two-factor authentication.

{3D294F5C-25AA-4DA7-8C84-C13CF43B7321}If you enable 2FA and tick the box saying you want to use an authenticator app, it will ask you for your password again, then show you a QR code which can be used to enrol in the app.

In the Microsoft Authenticator app itself, add an account from the menu in the top right and then choose the option that it’s for “other” – presuming you’ve already have enrolled your Work or school Account (Microsoft/Office 365) and your Personal account (MSA, ie Outlook.com etc).

{E43FB7C2-CE71-430B-A0BC-21A7CB912CD0}

After tapping the option to add, point your phone at the QR code on the screen and you’re pretty much done; you’ll need to enter a one-time code to confirm it’s all set up – rather than getting an SMS, go into the list of accounts in the Authenticator app home screen, open the account you’ve just added then enter the 6-digit code that’s being displayed. This is the method you’ll use in future, rather than waiting to be sent the 6-digit code by text.

As you can see from the description, there are lots of other 3rd party apps and websites that support MFA using authenticator apps –