OffBeatMammal

Searching for monkeys in Cyberspace

Windows Mobile is my Password

September 19, 2008 15:34 by offbeatmammal

I hate passwords. I love the security they bring, but having to remember them, manage them and, above all, type them in on some of the devices I use drives me to distraction.

While it’s not a perfect solution, I have found one tool that lets me use my Windows Mobile phone as a secure physical token to control access to my PC.

The Rohos Logon Key is one of the best sorts of utility: it’s almost invisible once you set it up!

It allows you to store a “key” that you can use to unlock your PC on a USB flash drive, a memory card, a YubiKey or, best of all (if your PC has Bluetooth support), a Bluetooth-equipped Windows Mobile phone or other smartphone.

Once you have installed the utility and defined a key, simply making that key available to the machine logs you in: plug in the USB key and enter its PIN, or bring the mobile phone within range so its ID can be read.

No more typing, fumbling and cursing!

You still need to change your password regularly (it can still be used to log in without the device), but it means you can choose longer, more complex and harder-to-guess passwords without having to type them every time.

It doesn’t help with things like syncing the changed password to your phone (for instance if you need it to reach your Exchange server from Outlook Mobile via ActiveSync), or if you need to type passwords into web or network logins… maybe one day.

Oh, and the USB support also includes an encrypted partition for you to store files on, so even if you lose the key your data is still protected.



Fear, uncertainty and anti-spyware vendors

April 25, 2008 16:29 by offbeatmammal

“Huge Web hack attack infects 500,000 pages - Microsoft's IIS Web server may be to blame, says researcher” read the headlines today.


But it looks like he’s jumped the gun with his finger-pointing… This particular attack, like so many before it (admittedly at a much larger scale than most previous attempts), is due to a compromise known as a SQL injection attack.

The vulnerability is due to poorly written SQL code that does not properly check user input from a web page form, allowing commands to be “injected” and executed directly against the database with the same privileges as the site’s own code.

What scares the heck out of me, though, is that it has spread to half a million pages already (though one attack targeted at, say, a shopping site with 10,000 pages would rack up a pretty big number very quickly!), because it implies a lot of fairly sloppy code is in production and not being maintained very well.

This attack – typical symptoms include pages with the code <script src=http://www.nihaorr1.com/1.js> embedded somewhere in them – is particularly neat because it’s self-contained… the server is hit with a modified URL, the code is injected and the database is updated all in one hit (so it’s very hard to look out for and track). Older injection attacks normally probed for a vulnerability first and then came back to exploit it.

The researcher in question seems to have jumped to a conclusion looking for some sensational PR coverage – which does make me a little skeptical about any claims they make about the level of protection they can offer ;) SQL injection attacks are equally possible against MySQL, Oracle, SQL Server or any other database if the queries you feed them are not sanitized. It’s not a new problem, and there has been good advice around for a long time to help developers avoid it.
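To make the point concrete, here is an added example (not code from the original post) showing the flaw described above next to its fix, using Python and an in-memory SQLite table with constructed sample rows: the vulnerable lookup pastes the form value straight into the SQL string, the safe one binds it as a parameter, and a small check scans stored content for the injected script tag the post names as the symptom. The table, rows and the example.invalid host are all constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data: three product rows, the third of which already
# carries an injected script tag (an example.invalid host, not a real one).
PRODUCTS = [
    (1, "widget", "A fine widget"),
    (2, "gadget", "A fine gadget"),
    (3, "gizmo", "A fine gizmo<script src=http://example.invalid/1.js></script>"),
]


def setup_db():
    """Build the in-memory table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The flaw the post describes: the form value is concatenated into the
    statement, so a quote in the input changes the query instead of the data."""
    sql = "SELECT id FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened form: a bound parameter is always treated as a value."""
    sql = "SELECT id FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Matches a script tag with a src attribute, the symptom named in the post.
SCRIPT_TAG = re.compile(r"<script[^>]*src\s*=", re.IGNORECASE)


def find_injected_script_tags(conn):
    """Detection check: ids of rows whose stored content carries a script tag."""
    return [pid for pid, desc in conn.execute("SELECT id, description FROM products")
            if SCRIPT_TAG.search(desc)]


if __name__ == "__main__":
    db = setup_db()
    probe = "widget' OR '1'='1"   # a quote plus a tautology, used as a form value
    print(lookup_vulnerable(db, probe))      # every row: the quote closed the literal
    print(lookup_safe(db, probe))            # no rows: the whole string is one name
    print(find_injected_script_tags(db))     # the tampered row
```

The same tautology that returns every row from the concatenated query returns nothing from the parameterized one, because the database never sees it as SQL.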

The Register has a good write-up outlining the scale of the problem, and how hard it’s going to be to clean up…

One thing it does go to prove, though, is that as a user you can’t really trust anywhere you visit on the web – there’s always a risk that an attack will find a way to compromise a page you think is safe. If you don’t keep your client operating system up to date with security patches, and run current anti-virus / anti-malware / anti-spyware (call it what you will), then you’re taking more risks than you need to. Personally I’m a fan of OneCare, but NOD32 is another really good package. If you don’t want to pay a few bucks for insurance, AVG Free does a really good job.

Exploits of a Mom


Update Apr 27: Read the update from the Microsoft Security Response Center on this issue, some recommendations on how to avoid SQL injection attacks and some more handy tips from Bill Staples (the head of the IIS team, so he should know what he’s talking about). Also, if you want a good background on why security matters and should be part of the initial design, not some random afterthought, you should read this blog.



Protect your LiveID

April 17, 2008 21:09 by offbeatmammal

Thanks to Michael for pointing this out.

Your Windows Live ID is your passport (no pun intended) – it’s the key to a world of services (not just Microsoft’s; a number of third parties use LiveID as an authentication method) and you should treat it as carefully as your ATM PIN.

The Windows Live team has posted some pretty straightforward advice to help keep you safe – check it out before you next log in…

Some services – such as Microsoft HealthVault – enforce some of these requirements, and sites like PayPal are encouraging users to play it safe.
