Category: How To

How to do something.

Making a Podcast, Step 2: Gather your recording equipment

Note: This post is third in a series where I share what I’ve learned starting and producing the Recompiler podcast. If you haven’t already, start with the introduction. This post follows Step 1: Identify a Topic, Point of View, and Structure.

Step 2: Gather your recording equipment: Computer, microphone, audio interface, headphones for monitoring.

There are numerous ways to record and produce podcasts. Not unlike photography, you can put together a digital recording rig for very little or you can spend thousands or tens of thousands of dollars on expensive, high-end gear. I recommend that for your first podcast endeavor, you get the best quality gear you can comfortably afford. If you end up doing a lot of podcasting, and find a way to fund it, you’ll surely want to upgrade your equipment. And by then, you’ll have more experience to guide you.

Below I give an overview of what you’ll need and explain what I picked for the Recompiler. For a more detailed guide, check out Transom’s excellent Podcasting Basics, Part 1: Voice Recording Gear.

Computer or portable recorder too?

First, you’ll need to decide how you’ll be recording your audio: via a computer or a portable recorder. If you’ll mostly be doing field interviews or otherwise traveling a lot, a portable recorder might make sense. The downside is that you’ll still need a way to edit and publish your podcast and that requires a computer. For the Recompiler, I first thought I’d be doing a lot of field recording so I picked up a Sony PCM-M10 ($200 at the time). While I use it for other things, I haven’t ended up using it much for the podcast. Instead, I record at my desk directly into my refurbished MacMini. The good news is that you don’t need a high-end machine to record and edit podcast audio. There’s a good chance that a computer you already have available to you will be sufficient. And, audio recording and editing software is available for Windows, macOS, and Linux.

Microphone and audio interface

Podcasting is an audio medium, so you’ll need a way to record audio. Almost all modern computers have built-in microphones. You can certainly start with whatever you have available to you. If you can’t afford to buy anything new, and you are ready to get started, don’t let the lack of an upgraded microphone stop you. A smartphone is another good option for getting started, especially if you have an iPhone. Most portable digital audio recorders have microphones built in as well.

However, if you do have a couple hundred bucks to spend, I recommend getting a better external microphone along with an audio interface.

External microphones generally connect via USB or XLR. Some have both. If the microphone has USB, you connect it directly to your computer with a USB cable like you would an external hard drive or non-wifi printer. If the microphone has XLR, you need an audio interface between the microphone and the computer. The microphone connects to the audio interface via an XLR cable, and the audio interface connects to the computer with a USB cable. The XLR setup is overall more complicated and more expensive, but generally provides better quality.

There are several USB microphones aimed at first-time podcasters. When I recorded In Beta, I used a refurbished Blue Yeti. I did not get the best of results. 5×5 nearly always complained about my audio quality. And, in general, I’ve had trouble with USB-based microphones, where I often have a ground-loop hum, which everyone but me can hear. As with all things, YMMV. Some folk swear by the Yeti, and other USB products from Blue. Rode also makes a USB microphone, but it’s more expensive than Blue’s offerings.

Having given up on USB microphones by the time we were planning the Recompiler, I looked for an affordable XLR solution. I settled on the Electro-Voice RE50N/D-B, a hand-held high-dynamic microphone with the Focusrite Scarlett 2i2 audio interface. My choice of microphone was based on: price (was in my budget), ability to use it in the field as well as in the “studio”, and that it would work with my chosen audio interface without extra equipment. I don’t recall how I settled on the Focusrite. I think it was a combination of a recommendation via Twitter, price, and brand (Focusrite seemed well-known and dependable). I’m happy with both choices. The Scarlett 2i2 worked right away without fuss and I get decent sound from the RE50N/D-B in a variety of environments.

If you’re just getting started, I definitely recommend the Focusrite Scarlett 2i2 ($150 new) if you want to be able to record a guest or other audio source in studio, or the Scarlett Solo ($100 new) if you just need to record from one audio source. Look on eBay for used equipment to save money.

As far as microphone, there are too many options and preferences for me to feel comfortable giving a specific recommendation. If you’re just starting out, I recommend reading through reviews on and then getting the best microphone you can comfortably afford, knowing that it won’t be the last mic you buy if you stick with podcasting.

Other accessories

Unless you’re doing field interviews exclusively, you’ll need to get something to hold your microphone. This can be a tabletop or floor stand, or a desk-mounted arm. You might also want to include a pop filter and/or a shock mount. The Transom article I mentioned earlier gives a good overview of options for these.

For the Recompiler, I use the RODE PSA1 ($100) as a microphone mount and the simple foam microphone cover that came with the RE50N/D-B. I haven’t needed a shock mount because, I think, the RE50N/D-B is designed as a hand-held mic and doesn’t pick up a lot of vibration. I’m also careful not to bump it, the mic boom, or my desk while I’m recording.


Don’t forget to get and use a decent pair of headphones while you’re recording and editing your podcast audio.

For the Recompiler, I picked up a pair of Sennheiser HD 202 II ($25) which are dedicated to audio recording and editing. In fact, they never leave my desk. That way I’m never scrambling to find them when it’s time to work. The Sennheisers I have aren’t amazingly awesome, but they were inexpensive and get the job done.

Whatever you pick, aim for headphones designed for studio monitoring, that are over-the-ear, do not have active noise cancellation, and do not have a built-in mic. If you do end up using headphones with a built-in mic, double-check that you are not recording audio from that mic. There’s nothing more disappointing than recording a whole segment or show only to realize you used your crappiest microphone.

If you have it in your budget, you might consider the Sony MDRV6 ($99).

Questions or comments?

Please get in touch or leave a comment below if you have questions, comments, or just want encouragement!

Next post…

Stay tuned for the next post in this series!

Making a Podcast, Step 1: Identify a Topic, Point of View, and Structure

Note: This post is second in a series where I share what I’ve learned starting and producing the Recompiler podcast. If you haven’t already, start with the introduction

Your first step in making a new podcast is to identify a topic, point of view, and structure for your podcast.

This sounds simple, but it’s helpful to think about at the beginning, to record your answers in writing, and to refer back to them often as your podcast matures.

For the Recompiler, the general topic (technology) and point of view (feminist; beginner-friendly) were already defined via Audrey’s clear vision for the written version:

The Recompiler is a feminist hacker magazine, launched in 2015. Our goal is to help people learn about technology in a fun, playful way, and highlight a diverse range of backgrounds and experiences. We’re especially interested in infrastructure: the technical and social systems we depend on. We want to share what it’s like to learn and work with technology, and teach each other to build better systems and tools.

As far as structure, early on, we decided that episodes would feature a mix of Audrey and me talking about tech news and other timely topics, along with interviews of Recompiler contributors and other “subject-matter experts.” I put “subject-matter experts” in quotes because I intentionally look for folks from a wide range of backgrounds and experiences, many of which might not be considered “experts” by mainstream tech.

We also decided that the Recompiler would have a casual, unscripted structure. We don’t currently broadcast live (although we might in the future). I do minimal editing, focusing mostly on making episodes listenable, rather than having a particular narrative arc. The order of what you hear is most likely the order in which we recorded, with inaudible or otherwise disruptive segments removed.

We aim for episodes to be about an hour long. Episodes always include two people: myself and Audrey, or myself and the person I’ve interviewed. Our target publishing frequency has changed as I’ve become more comfortable with the production process. First our goal was monthly, then twice a month, and now weekly. We don’t always meet this goal, but we’re getting better at it.

How did we make these decisions about structure? Mostly based on my constraints, both in terms of skill and time (both limited), as well as my personal preferences in terms of what I enjoy in podcasts.

To summarize, in thinking about your new podcast, you’ll need to decide:

  • general topics to focus on
  • point of view
  • structure
    • casual or scripted
    • number of hosts and guests per episode
    • target length in minutes
    • whether or not to broadcast live
    • frequency of publishing

The decisions you make regarding structure will determine the resources you need to produce a completed episode. For example, a heavily scripted show will require more audio engineering skill and editing time.

Questions or comments?

Please get in touch or leave a comment below if you have questions, comments, or just want encouragement!

Next post…

The next post in this series is: Making a Podcast, Step 2: Gather your recording equipment.


Making a Podcast, Intro: A Year of Producing the Recompiler

The first episode of the Recompiler podcast posted on February 4, 2016. This means I’ve had nearly a year of experience producing a podcast and in a series of posts, I’d like to share what I’ve learned.

Unlike with In Beta, a podcast I co-hosted with Kevin Purdy, I am responsible for the entire production of the Recompiler podcast: content development, booking, interviewing, audio engineering (recording and editing), publication, and promotion. With In Beta, I was just a host, responsible for developing content, performing the show, interviewing guests, and writing show notes. Staff from 5by5, the network to which In Beta belongs, did all the other audio engineering tasks and already had a publishing and marketing platform in place.

In truth, figuring out how to do the audio engineering was my biggest obstacle to creating the Recompiler podcast. It’s why there was a several months-long gap between our announcement about the podcast and our first episode.

Looking back, of course, many of the things that seemed overwhelming at the time are now routine. In the next series of posts, I share what I’ve learned. In doing so, I hope to encourage any of you who are interested in making your own podcast and give you concrete tips for getting started.

Next up: Making a Podcast, Step 1: Identify a Topic, Point of View, and Structure.

VidyoDesktop 2.2.x on Linux with PulseAudio 4.0 (Ubuntu 13.10)

Recently I upgraded my work laptop from Xubuntu 13.04 to 13.10. The upgrade went well, except for an issue with audio output from VidyoDesktop. Every other application worked fine. Skype, audio from Flash inside both Firefox and Chromium, gmusicbrower, Rhythmbox, and the system sounds all performed as expected.

After I had spent a day spelunking the depths of PulseAudio, a co-worker pointed me to this bug report, which links to this blog post about making Skype compatible with changes in PulseAudio 4.0.

I confirmed that manually starting Vidyo with the following command re-enabled audio:

env PULSE_LATENCY_MSEC=60 VidyoDesktop
And then modified the Exec line in /etc/xdg/autostart/vidyo-vidyodesktop.desktop to this:

Exec=env PULSE_LATENCY_MSEC=60 VidyoDesktop -AutoStart

The non-autostart menu file (/usr/share/applications/vidyo-vidyodesktop.desktop) just needs the following:

Exec=env PULSE_LATENCY_MSEC=60 VidyoDesktop

We’re using version 2.2.x of the VidyoDesktop client, which I believe has been superseded, so you may not need this fix at all if you use a later client version.

Leaving Google: Moving email and calendar to Zimbra

Note: This post is part of a series of posts I’m writing about migrating from Google to other service providers. Read Leaving Google: A preface to understand my motivation and goals for this project.

Aside from things like online banking and bill-pay, email and calendar are probably the most important aspects of my online life. They enable me to keep in touch, transact business and generally know what I am supposed to be doing when. As such, it took me a long time to find an alternative that would work for me.

The requirements and the search

Here are the requirements I defined in a calendar and email solution:

  • hosted and paid, yet affordable ($50-60 annually)
  • decent web interface
  • POP3 and IMAP access
  • SSL/TLS enabled
  • ability to use own domain and to add user and domain aliases
  • multiple calendar support
  • ability to share calendars with internal and external users
  • ability to have private and public appointments
  • ability to subscribe to external calendars
  • reasonable disk space (5-10 GB) and attachment quotas (>10 MB)

Finding a stand-alone email provider was not an issue. Pobox (my favorite), Hushmail, Fastmail and Rackspace all provide reasonable email hosting and there are many others.

What these services lack are the robust calendaring features I need. Both Pobox and Rackspace include calendars with their email, and OwnCloud has a calendar feature. But all three are simple and lack the sharing and subscribing abilities I absolutely need.

Lack of strong calendar features continued to stall my search for Google alternatives until I realized that I was already using a great alternative at Mozilla! There we use Zimbra, a “collaboration suite” developed by VMware that includes email and calendaring. VMware offers open source and network editions of Zimbra. If you have sufficient courage, stamina and time to run your own mail server, you can download and install the open source edition for free (although it lacks some features of the paid version).

I have no desire to run my own mail server. Thus began the search for hosted Zimbra providers. I narrowed my list to three: ZMailCloud, MrMail, and Krypt CloudMail, from which I picked ZMailCloud.

The migration

Once my account was set up, the migration process was fairly straightforward:

  • Update MX records for my chosen domain.
  • Start forwarding Gmail to new email addresses.
  • Add Gmail address as external account in Zimbra via IMAP and start copying messages.
  • Export main Google calendar and import into calendar called “Google” on Zimbra. Start copying relevant appointments to new main calendar.
  • Begin the tedious process of updating email address everywhere.

I had a couple of choices when migrating all of my email messages:

  • Use an email client like Thunderbird to copy via IMAP
  • Add Gmail address as an external account via POP3. The disadvantage to this approach is that you get zero folder information, which is only a problem if you were using folders/labels in Gmail.
  • Not copy messages at all and start with a clean slate!

Also, you might be wondering why I didn’t simply import my Google calendar into my new main calendar. I actually did this at first. Then I realized that all of the appointments were imported with the visibility set to public. This won’t work for me because I want to be able to share my calendar with the public, allowing them to see the details for some appointments (like office hours and public meetings) but not for others.

Progress so far

The migration, begun a couple of weeks ago, continues. Each time I log in to an account I check the email address and update it if need be. I update mailing list subscriptions as I read messages from those lists, and those hosted on Google groups are the most tedious to update.

I also haven’t figured out how to tell everyone who might need to know that I have a new email address. I can’t bring myself to spam my entire address book (and there are probably folks in it I don’t actually want to engage with). So, for the time being, I’m just replying from the new address and letting people or their email clients update my record on their own.

Other solutions?

I’m curious about other possible solutions. For those of you who have switched away from Google mail and calendar, or were never there in the first place, what do you use? Let me know in the comments!



How to install BitlBee (IRC to chat and Twitter gateway) on Ubuntu

What is BitlBee?


BitlBee enables you to connect to chat networks and Twitter via an IRC client and interact with those chat networks in the same way you interact with IRC.

Why would you want to do this? Aside from being neat, being able to connect to chat and twitter with your IRC client means there are fewer programs you have to run and keep track of and it enables you to use the keyboard to issue commands instead of the GUI.

Installation on Ubuntu

This post explains how to build BitlBee from source on the most recent Ubuntu LTS (12.04 Precise). There are packages for BitlBee, but they aren’t up to date.

Note: These instructions are for a single-user setup of BitlBee. If you are installing a server for multiple users, especially ones you don’t know well, please read the documentation to be sure you understand what you are doing and are selecting the most secure options.


You’ll need to make sure the following packages are installed on your system: build-essential and libglib2.0-dev. Additionally, you’ll need an SSL library; I recommend libgnutls-dev (over OpenSSL, which can be problematic). And if you want to support off-the-record chat, you’ll need libotr2-dev.

You can install all of those with:

sudo apt-get install build-essential libglib2.0-dev libgnutls-dev libotr2-dev

Download, configure, build, and install

tar -xzvf bitlbee-3.2.tar.gz
cd bitlbee-3.2
./configure --otr=1 --msn=1 --jabber=1 --oscar=1 --twitter=1 --yahoo=1 --ssl=gnutls --etcdir=/etc/bitlbee
sudo make install

The configure options above specify the following:

  • inclusion of msn, jabber, oscar (AOL), yahoo, and twitter protocols
  • enable OTR (off-the-record messaging)
  • gnutls as the ssl library
  • location of configuration directory as /etc/bitlbee

Configure BitlBee

Next you’ll need to configure Bitlbee for use.

First, create and then edit the sample conf file:

sudo make install-etc
sudo vim /etc/bitlbee/bitlbee.conf

Here are the important options to set:

  • RunMode: How the bitlbee server should run. Options include: Inetd, Daemon, ForkDaemon.
  • User: The user that bitlbee server should run as. bitlbee makes sense here.
  • DaemonInterface: Which network interface to use. The default should be fine.
  • DaemonPort: Which port to use. The default should be fine unless you’re already using it for IRC or ZNC (bouncer).
  • AuthMode: I recommend setting this to Open and then to Registered after you’ve registered yourself.
  • AuthPassword: Needed to log in to closed systems. Generate a hashed password with bitlbee -x hash <password>.
  • OperPassword: Unlocks operator commands. Generate a hashed password (see previous bullet).
  • ConfigDir: Make sure this matches the --etcdir value you gave to configure. In this example, it’s /etc/bitlbee.

Here are the example conf directives:

RunMode = ForkDaemon
User = bitlbee
DaemonInterface =
DaemonPort = 6667
AuthMode = Open
AuthPassword = md5:SECRET_HASH
OperPassword = md5:SECRET_HASH
ConfigDir = /etc/bitlbee
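As an added example (not part of BitlBee, and not from this post), here is a small Python checker that parses a bitlbee.conf like the one above and flags the settings worth revisiting before the daemon goes live: an AuthPassword or OperPassword still set to a placeholder, AuthMode still Open, a ConfigDir that doesn’t match --etcdir, and, on this example’s assumption that a single-user daemon is only reached from the same machine, a DaemonInterface that isn’t loopback. The sample conf and the expected values are constructed for the example.

```python
# Added example (not BitlBee code): sanity-check a bitlbee.conf for the
# settings discussed above before starting the daemon. The expected values
# are this example's own assumptions for a single-user install.
import re

# Constructed sample, mirroring the example directives from the post
SAMPLE_CONF = """\
# lines starting with '#' are comments
RunMode = ForkDaemon
User = bitlbee
DaemonInterface =
DaemonPort = 6667
AuthMode = Open
AuthPassword = md5:SECRET_HASH
OperPassword = md5:SECRET_HASH
ConfigDir = /etc/bitlbee
"""

_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*?)\s*$")
PLACEHOLDERS = {"", "md5:", "md5:SECRET_HASH"}


def parse_conf(text):
    """Parse 'Key = Value' directives into a dict with lower-cased keys.

    Blank lines and '#' comments are skipped; an empty value (as in the
    'DaemonInterface =' line above) is kept as an empty string.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def check_conf(text, configdir="/etc/bitlbee", listen=("127.0.0.1", "::1")):
    """Return a list of findings; an empty list means nothing to fix.

    Assumptions of this example: the daemon is reached only from the same
    machine (so it should bind to loopback), and registration is already
    done (so AuthMode should be Registered).
    """
    s = parse_conf(text)
    findings = []
    if s.get("authmode", "").lower() != "registered":
        findings.append("AuthMode: set to Registered once you have registered your user")
    for name in ("AuthPassword", "OperPassword"):
        if s.get(name.lower(), "") in PLACEHOLDERS:
            findings.append(f"{name}: empty or placeholder; generate a real hash with 'bitlbee -x hash'")
    if s.get("daemoninterface", "") not in listen:
        findings.append("DaemonInterface: not bound to loopback; set 127.0.0.1 for a single-user box")
    if s.get("configdir") != configdir:
        findings.append(f"ConfigDir: expected {configdir} to match --etcdir from ./configure")
    if s.get("user", "") != "bitlbee":
        findings.append("User: expected the unprivileged 'bitlbee' system user")
    return findings


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF):
        print("-", finding)
```

Run it against your real file with `check_conf(open("/etc/bitlbee/bitlbee.conf").read())`; the sample conf above produces four findings (AuthMode, both placeholder hashes, and the empty DaemonInterface), and a conf with those fixed produces none.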

Add bitlbee user

Now you need to create that system user and make sure it can read the conf file:

sudo adduser --system bitlbee
sudo chmod -R +r /etc/bitlbee

Start the server

Now run the server:

sudo bitlbee -c /etc/bitlbee/bitlbee.conf


Connect with your IRC client

Open your IRC client and add the bitlbee server just as you would any IRC server. Here’s what it looks like in X-Chat:

[Screenshot: mybitlbee server in X-Chat]

Server password will be whatever you put for AuthPassword in your bitlbee.conf. It doesn’t matter what you have for nickname, user name or real name. These will be used when you register with bitlbee.

Register your user

register <password>

You should then see

<@root> Account successfully created

On subsequent sign-ins you’ll need to identify just like you do with NickServ:

identify <password>

Now that you’ve registered your user, it’s a good idea to change AuthMode to Registered in your bitlbee.conf.

Set up your accounts

When you first start BitlBee, you won’t have any chat or Twitter accounts so you’ll need to set them up.

<@christiek> account list
<@root> No accounts known. Use `account add' to add one.

So let’s set up gtalk:

<@christiek> account add jabber
<@root> Account successfully added with tag gtalk
<@root> You can now use the /OPER command to enter the password
<@root> Alternatively, enable OAuth if the account supports it: account gtalk set oauth on
<@christiek> account gtalk set oauth on
<@root> oauth = `on'

Now the gtalk account is configured, but it isn’t turned on:

<@christiek> account list
<@root>  0 (gtalk): jabber,
<@root> End of account list

So we’ll turn it on and follow the prompts to complete the oauth authentication:

<@christiek> account gtalk on
<@root> jabber - Logging in: Starting OAuth authentication
<jabber_oauth> Open this URL in your browser to authenticate: URL
<jabber_oauth> Respond to this message with the returned authorization token.

Visit the BitlBee wiki for instructions on how to set up other chat networks or Twitter.

Time to chat!

Once you’ve configured a chat account and are connected, you’ll see your contacts listed as you would regular IRC users.

To initiate a chat you can use IRC commands:

/query robert.mith

How to Install Firefox and Thunderbird (Including Beta, Aurora & Nightly) on Ubuntu

One of the first things I do when setting up a new machine is install Firefox, Firefox Nightly and Thunderbird Aurora. There isn’t one source for all of these programs, and I always forget where to get each of them and how to make language packs work.

This article explains how to install the various releases of Firefox and Thunderbird on Ubuntu.

Overview of Firefox Builds

At any given time, there are four builds of Firefox available:

  • Release: Highly tested, relatively bug-free and stable. This is the build most people should use.
  • Beta: Needs a few final touches, but is otherwise stable and almost ready for prime-time. This build is for those who want a preview of upcoming features and are willing to put up with a few minor bugs here and there.
  • Aurora: Aurora is a pre-Beta build. It’s more stable than a nightly, but not as stable as a beta. Use this build if you want a balance of cutting-edge features and stability.
  • Nightly: The most cutting-edge build you can get. It will have the most recent features, but might not be completely stable. Use this if you have a high tolerance for bugs.


The most current release of Firefox should be available in the official Ubuntu repositories for all recent versions. As of the writing of this post, releases from Quantal (12.10) to Precise (11.10) have Firefox 17, which is the current release version. The official repository for Raring (13.04), not yet released, has a beta build of Firefox 18.

Moreover, Firefox comes installed by default for these versions of Ubuntu. You shouldn’t have to do anything to install it. If you’ve un-installed it for some reason, you can install it with:

sudo apt-get install firefox

UPDATE 7 Jan: A commenter mentioned Ubuntuzilla, which I did not know about before. If you’re on a version of Ubuntu prior to 11.10 and want to install the current version of Firefox, this could be a good option for you.


A group called Mozilla Team maintains a repository for Firefox Beta (as well as Thunderbird Beta).

To install from these repositories, first you have to add the ppa:

sudo add-apt-repository ppa:mozillateam/firefox-next

For Thunderbird, the command is:

sudo add-apt-repository ppa:mozillateam/thunderbird-next

Note: if your system doesn’t have add-apt-repository for some reason, try installing python-software-properties and if that doesn’t work then try installing software-properties-common.

Then update packages and install:

sudo apt-get update
sudo apt-get install firefox

Note: You’ll notice that this package name is the same as it is in the official repository. This means that you can’t have both installed at the same time. You can ‘pin’ a package to a given source and version, allowing you to install a specific version from a specific source. But, as long as the package names are the same, they can’t be installed concurrently. You’ll have to compile and execute one version from the source if you want to do this.

(If anyone knows how to re-name packages within a PPA, let me know how in the comments.)

Aurora & Nightly

Aurora & Nightly packages are maintained by Ubuntu Mozilla Daily Build team and there is one PPA for Firefox and Thunderbird nightlies, and then two other PPAs for the Aurora versions of each.

Installing Aurora versions:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/firefox-aurora
sudo add-apt-repository ppa:ubuntu-mozilla-daily/thunderbird-aurora
sudo apt-get update
sudo apt-get install firefox
sudo apt-get install thunderbird

Note: See note in previous section regarding the limitations of packages with the same name.

Installing nightlies:

sudo add-apt-repository ppa:ubuntu-mozilla-daily/ppa
sudo apt-get update
sudo apt-get install firefox-trunk
sudo apt-get install thunderbird-trunk

You’ll notice that the packages names for both Firefox and Thunderbird are appended with ‘-trunk’. This means you can install and run nightly versions along side release, beta or aurora. In fact, this is what I do. I install and use release and nightly.

Installing Locales / Language Packs

For whatever reason, I’ve had a lot of trouble getting other locales to work with Firefox on recent versions of (X)Ubuntu. I always try installing the relevant language pack from the official repository. Packages like language-pack-de and language-pack-es should install everything you need for those locales, including the language packs for Firefox. But it never works. Here’s a method I’ve found that reliably works, at least in 12.10.

Install your desired language pack xpi from:

You’ll also need to set your preferred language for displaying pages.

  1. In Firefox, open Preferences > Content.
  2. Under Languages press Choose.
  3. If you don’t see your desired language, click Select a language to add… and add one.
  4. If this doesn’t work, open about:config and set general.useragent.locale to your desired locale.

Almost there. Firefox will select the language pack to use based on what the system language is. If you’re not sure what your locale is, type this in a prompt:

printenv LANG

In my case, I get:


This presents a problem because I don’t want to have to change the language for my entire system just to test another locale in Firefox. Luckily, there’s a solution.

You can start Firefox from the command line and specify the LANG environment variable:

LANG=es_ES.UTF8 firefox

If you want to change the menu and/or launcher command, you would use:

sh -c "LANG=es_ES.UTF8 /usr/bin/firefox-trunk %u"


I tested the above procedures on Xubuntu 12.10 with both Firefox release and nightly (trunk). If you have trouble with other configurations, let me know.

If you install a language pack that renders Firefox unable to start, start it in safe mode and remove the language pack. From the command-line, issue:

firefox --safe-mode

Securing Your On-line Life with a Password Manager and Two-Factor Auth

The Internet was ablaze last week with discussion of the hacking of Mat Honan. For those not up to speed about what happened, hackers were able to use social engineering and weaknesses in the security policies of Apple and Amazon to obtain access to Mat’s on-line accounts and to reset all of his Apple devices. Scary stuff!

With this incident on everyone’s mind, I thought it would be a good idea to share the techniques I use to secure my on-line life. I encourage you to adopt these practices if you haven’t already.

Use A Password Manager

My favorite password manager is LastPass. It’s cross-platform and cross-browser. There is a free version and a very affordable premium version at $12/year.

Other options include KeePass and 1Password.

With LastPass, your data is stored online in an encrypted format. To access your information, you unlock your “vault” with a master password. On the desktop, LastPass isn’t a stand-alone program. Rather, you use it as a browser plugin. On mobile platforms there is a stand-alone program that includes an integrated web browser. Because your data is stored online, it is synchronized across and available from multiple computers. This is great if you use more than one system, which I do. LastPass also offers the ability to access your vault when you’re off-line (though two-factor auth is limited in this case).

LastPass allows you to securely store:

  • passwords for all your sites
  • secure notes, which you can use to store misc information like server logins, credit card and bank account info, passphrases and more
  • form data, including credit card information (makes online buying a snap)

It also provides a password generator.

Here’s an example of what it looks like to retrieve passwords in LastPass:

[Screenshot: retrieving passwords in LastPass]

And here’s how I login to sites that I have saved with LastPass:

[Screenshot: logging in to a site with LastPass]

Using a password manager, be it LastPass, KeePass, 1Password or another solution, allows you to easily follow the best practices I outline below.

Use a Unique, Strong Password for Every Site

You should never re-use a password. Use a unique password for every account that you create everywhere. This keeps a compromise of one site from spreading to your other accounts.

Make sure you pick a strong password. Better yet, use a computer generated password rather than one you make up on your own. Many password managers, including the ones I have mentioned in this post, have a password generator built in. Use it!

Here’s LastPass’ generator:

[Screenshot: the LastPass password generator]

How Do I Remember All These Unique Passwords?

At this point you might be asking, “how will I remember all these difficult passwords?” You won’t! The only password you’ll need to remember is the master password for your password manager.

Stand-Alone Password Generators

Don’t like or want to use the built-in password generator? There are plenty of stand-alone options.

My favorite password generator is actually the one that ships with OS X. It’s a bit difficult to get to, however, because you have to open the keychain and then click on some additional buttons. This app will call the password generator dialog directly.

If you’re on Windows, there’s pwgen-win. If you’re on Linux, try apg or pwgen.

Don’t Use Real Information in Security Questions

Security questions are those additional questions you fill out when you set up web accounts, especially for on-line banking. Some examples:

  • childhood nickname
  • name of first pet
  • first school attended
  • place where you met your spouse
  • favorite sports team

Most of the security questions I’ve encountered are absolutely terrible in that answering them honestly does nothing to protect your account. Why? Because we live in the age of social networking and answers to these questions are almost always readily available to anyone who’s willing to spend a few minutes searching on Google.

The solution is to provide bogus answers. Favorite Sports Team? The Bangalore Bananas. Or xFLXw99X62ONsPFU. There’s no way someone can use social engineering to come up with answers like these (unless you post them online for some reason). In order for this strategy to work, don’t rely on your memory. Instead, use your password manager to save the security questions and answers just as you do with unique, strong passwords. LastPass makes this particularly easy because on any webpage with a form you can use the “Save All Entered Data” to capture your questions and answers.

Enable Two-Factor (or 2-Step) Authentication Wherever Possible

Two-factor authentication means that in order to log in to a site, you need to provide two pieces of information instead of just your password. Most two-factor authentication schemes involve providing your password and a unique code generated by a separate program, usually on a physical device.

For example, when I log in to Google, I first log in the usual way and am then prompted for a verification code:


And then I open Google Authenticator on my phone in order to retrieve a special code:


Enabling two-factor authentication adds an extra level of security because it means a hacker can’t log in to your account even if they have your password. They’d also have to have the physical device that generates the second authentication factor.

In this post I’ll cover enabling and using two-factor authentication with Gmail and with LastPass.

Enabling Two-Factor Auth for Google

To enable two-factor authentication for your Google account:

  • Log in to your account and navigate to your Account page.
  • Navigate to security settings.
  • Click ‘edit’ next to 2-step verification.
  • If you haven’t already verified your phone, you’ll need to do so now.
  • After this, 2-step verification will be enabled.


You should now set how to receive your verification codes. You can enable one or more of the following methods:

  • Mobile application (Google Authenticator, for Android and iOS)
  • Backup phone (not your Google voice number)
  • Print backup codes (keep in your wallet or somewhere else safe)


I recommend setting all three, especially if you have a smart-phone or tablet. The method I use most often is the mobile application.

When you select mobile application, you’ll see the following screen. Scan the QR code with your phone or tablet. You’ll then be given a code to enter into the form to verify your device.


Note: You can install Google Authenticator on multiple devices, but you must do so at the same time. If you wish to add a device later, you’ll need to turn off 2-step verification and go through the whole process again. You do not need to do this in order to add another Google account to Authenticator, however.

Generating Application-Specific Passwords

What happens if you want to use an email client like Thunderbird or Outlook? Or a chat client with your gTalk? You still can, but you have to generate application-specific passwords. What this means is that for each application you would like to allow to access your mail or chat, you generate a dedicated password. This password is revocable at any time should you lose control of that application (e.g. you lose the laptop on which it’s installed) or suspect that the password has somehow been compromised.


Enabling Two-Factor Auth in LastPass

LastPass offers a few options for two-factor authentication:

  • fingerprint reader
  • grid authentication
  • Yubikey
  • Google Authenticator

I selected Yubikey. A Yubikey is a USB device that generates a unique, one-time password. Once you link a Yubikey to your LastPass account and enable two-factor authentication, you need to use your Yubikey along with your regular password each time you want to log in (although you can specify which computers are trusted and therefore do not require secondary authentication).

I bought 2 Yubikeys and an additional year of LastPass service for $50. Because you can associate your LastPass account with multiple Yubikeys, I have one for regular use and one as a backup in case I lose the first.

Here’s what it looks like when I log in to LastPass with Yubikey authentication enabled.

First I’m prompted like usual for my LastPass email and password:


And then prompted for my OTP from Yubikey:


Have a Recovery Email That is Not Easy to Guess and Keep it Private

Both Google and LastPass allow you to specify a recovery email address. I strongly recommend that you set up a second email account that is dissimilar to your regular, public email address, keep it private, and use it as the recovery email for your critical accounts (like Google and LastPass). The reason for using a private, separate email is that hackers are less able to guess your recovery email and launch an attack against it.

Also, if you are uncomfortable having all your on-line eggs in one basket like I am, consider paying for a backup email account from a service like FastMail, HushMail or Pobox.

Change Important Passwords Periodically

You should change the passwords on your critical accounts on a regular basis. Quarterly is probably a good target. Even twice or once a year will be better than never. For best results, link it to some other deadline. Self-employed? Change your critical passwords when you send in your quarterly estimated taxes.

What are critical passwords? Your Google account and password manager, certainly. Probably your on-line banking, too.

Check Access Logs Frequently

Most systems provide access logs that you are able to check. You should periodically examine this information for anything that seems strange. Look for connections that don’t match your usage because this could be a sign someone is accessing your account without your permission or knowledge.

To see your Google access logs, log in to Gmail, scroll down to the bottom of your inbox and look for “Last account activity.” Then click on details.


You’ll see a screen like this where you can see which IP addresses have been connecting to your account:

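As an added example (not from the original post or from Google), here is the kind of check you would run over that activity table once you have copied it out: it flags connections from networks you don’t normally use, access types you never configured, and two different addresses within a few minutes. The log lines, networks and access types below are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of an "account activity" table: (access type, IP, time).
# Documentation-range addresses, not real connections.
SAMPLE_LOG = [
    ("Browser", "198.51.100.23", "2013-03-01 08:02"),
    ("Mobile",  "198.51.100.23", "2013-03-01 08:40"),
    ("IMAP",    "192.0.2.77",    "2013-03-01 09:10"),
    ("Browser", "203.0.113.5",   "2013-03-01 09:12"),
    ("Browser", "198.51.100.23", "2013-03-01 18:30"),
]

# What "matches your usage": networks you normally connect from and clients you actually use.
KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]   # constructed home/office range
KNOWN_ACCESS_TYPES = {"Browser", "Mobile"}         # e.g. no IMAP client was ever configured


def flag_entries(log, known_networks=KNOWN_NETWORKS, known_types=KNOWN_ACCESS_TYPES,
                 max_gap=timedelta(minutes=15)):
    """Return (time, ip, access type, reasons) for entries that deserve a closer look.
    Assumes the log is in chronological order, as the activity table is."""
    findings = []
    previous = None  # (address, time) of the prior entry, to spot rapid address changes
    for access_type, ip, ts in log:
        addr = ip_address(ip)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        reasons = []
        if not any(addr in net for net in known_networks):
            reasons.append("unfamiliar network")
        if access_type not in known_types:
            reasons.append("unused access type")
        # Two different addresses a couple of minutes apart is hard to explain by one
        # person moving around; compare against where you actually were.
        if previous and previous[0] != addr and when - previous[1] < max_gap:
            reasons.append(f"address changed within {max_gap.seconds // 60} min")
        if reasons:
            findings.append((ts, ip, access_type, reasons))
        previous = (addr, when)
    return findings


if __name__ == "__main__":
    for ts, ip, kind, reasons in flag_entries(SAMPLE_LOG):
        print(f"{ts}  {ip:15}  {kind:8}  {', '.join(reasons)}")
```

A flagged entry is a prompt to check, not proof of compromise: a phone on a carrier network will often show up as an unfamiliar address until you add that range to the known list.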

Make Regular Backups

The above steps are not a guarantee against your data being compromised. You should make sure you’re regularly backing up any data that’s important to you, including your password information.