Monday, June 18, 2012

Password Security - Why limit me?

I wasn't planning another post in the password security series, but I felt I just had to.  If you read my previous posts you know that I recently went through and changed all my passwords (close to 100) to long complex passwords.  For example, a new password might look like "\mFYZWLbCc:bmf^Pe/cJ".

One annoying problem, however: I was shocked by how many online sites would reject these new complex passwords.  It's normal for sites to reject passwords that do NOT contain mixed uppercase and lowercase as well as a number, because those passwords aren't complex enough.  But a shockingly large number of sites rejected my new passwords because they were too complex, which makes absolutely no sense!  For the most part the rejections fell into one of two categories.

1.  Passwords were rejected because they contained symbols (oh, got to watch out for those pesky symbols).  Seriously, you're rejecting my password because I used symbols like #, %, &, <, etc.?  As a user I should be allowed to use any letters, numbers, or symbols I want in my password.  The more possible characters there are to choose from, the more secure my password is, so sites should be encouraging me to use these symbols, not preventing me.

2.  Passwords were rejected because they were too long.  A lot of sites limited my password to 12, 16, or 20 characters.  As I previously said, the longer the better, so they should not only allow long passwords but they should encourage them.  One site even limited me to 8 characters as a maximum length!

In both of these cases, these online sites need to take a lesson from Microsoft Windows.  Microsoft got password security right.  Windows passwords can contain ANY character, including things like high-ASCII characters.  Also, the Windows password can be up to 256 characters in length.  This is how online sites should be.  Obviously they shouldn't force you to have such long complex passwords, but they definitely shouldn't prevent it.

There is one last thing which I just couldn't believe.  One site allowed me to change my password to a long 20 character password.  After setting my new password, I would always log off and then log back in, just to make sure it worked.  When I tried to log back in I got an error message saying "You cannot enter a password longer than 16 characters."  Huh, you just let me set a 20 character password, but you won't let me login with anything more than 16.  Where is QA at this place?  Clearly the right hand doesn't know what the left is doing.  And what's really sad is that this was a VERY large organization (multi-billion dollar); they should have one of the best systems available.  But this didn't exactly inspire confidence in me.
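The two complaints above (symbols refused, length capped) and the set-20/login-16 mismatch are all policy bugs on the site's side. The following is an added example, not code from the original post: a small policy object that is applied on both the set-password and the login path, so the two can never disagree, shown with the restrictive policy the post ran into beside the permissive one it asks for. The 16 and 256 limits, the three allowed symbols, the PBKDF2 iteration count and the `Account` class are all assumptions for illustration; the 20-character password is the one quoted in the post.

```python
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Acceptance rules for a password.  allowed_symbols=None means every
    printable character is welcome; a string restricts symbols to that set."""
    min_length: int
    max_length: int
    allowed_symbols: Optional[str] = None

    def check(self, password: str) -> List[str]:
        """Return the reasons the password is rejected (empty list = accepted)."""
        problems = []
        n = len(password)
        if n < self.min_length:
            problems.append(f"too short ({n} < {self.min_length})")
        if n > self.max_length:
            problems.append(f"too long ({n} > {self.max_length})")
        for ch in password:
            if ch.isalnum():
                continue
            if unicodedata.category(ch).startswith("C"):
                # control characters are the only thing worth refusing outright
                problems.append(f"control character {ch!r}")
            elif self.allowed_symbols is not None and ch not in self.allowed_symbols:
                problems.append(f"symbol {ch!r} not permitted")
        return problems


# The kind of policy the post ran into: 16-character cap, only three symbols allowed (assumed values).
RESTRICTIVE = PasswordPolicy(min_length=8, max_length=16, allowed_symbols="!@$")
# What the post asks for: any printable character, and a cap high enough never to matter.
PERMISSIVE = PasswordPolicy(min_length=8, max_length=256)


class Account:
    """Toy account (hypothetical) whose set-password and login paths are both
    gated by a policy.  One policy for both is the fix for the 20-vs-16 bug;
    passing two different policies reproduces the bug."""

    def __init__(self, set_policy: PasswordPolicy,
                 login_policy: Optional[PasswordPolicy] = None):
        self.set_policy = set_policy
        self.login_policy = login_policy if login_policy is not None else set_policy
        self._salt = b""
        self._digest = b""

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # salted PBKDF2 so the toy never stores the password itself
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def set_password(self, password: str) -> List[str]:
        problems = self.set_policy.check(password)
        if not problems:
            self._salt = secrets.token_bytes(16)
            self._digest = self._hash(password, self._salt)
        return problems

    def login(self, password: str) -> List[str]:
        problems = self.login_policy.check(password)
        if problems:
            return problems
        if hmac.compare_digest(self._hash(password, self._salt), self._digest):
            return []
        return ["wrong password"]


POST_PASSWORD = "\\mFYZWLbCc:bmf^Pe/cJ"   # the 20-character example from the post

if __name__ == "__main__":
    print("restrictive:", RESTRICTIVE.check(POST_PASSWORD))
    print("permissive: ", PERMISSIVE.check(POST_PASSWORD))
    buggy = Account(PasswordPolicy(8, 20), PasswordPolicy(8, 16))
    buggy.set_password(POST_PASSWORD)
    print("buggy site login:", buggy.login(POST_PASSWORD))
```

Running it shows the restrictive policy refusing the post's password five times over (once for length, once per symbol) while the permissive one accepts it, and the mismatched `buggy` account accepting the password at set time and then rejecting the very same string at login, which is exactly the failure the post describes. The fix is structural: a single policy object shared by both paths, so there is no second limit for QA to miss.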

Wednesday, June 13, 2012

Password Security - Tying it all together

Previously I listed the different categories of passwords I have.  Prior to that I talked about how programs like KeePass and LastPass are great for storing passwords, and how the password manager built into your web browser is convenient but has flawed security.  Now it's time to tie it all together and talk about the new password scheme I have implemented to protect me and my privacy on the Internet.

First, I decided each and every site will get a unique password - no more shared passwords.  I don't want a compromised password at one site compromising any other sites.  Second, each password (with a few notable exceptions) will be a long complex password that is difficult to remember.  When I say long complex passwords, I mean something like "f2FQumZoxwP64qMgy2v1."  All of these long complex passwords will be stored in KeePass, so I don't have to try and remember them.  And even though the password manager built into the web browser has proven weaknesses, I will use it for some of the passwords because of its convenience.  I want to keep as few passwords in the web browser password manager as possible, so that if it is compromised I have limited exposure.  So I will only put a password into the web browser's password manager if A) I've deemed that site to be a low security risk and B) it's a site I access frequently.  In all other instances I will manually copy the password from KeePass into the browser.

So here's how this scheme affects the categories I previously discussed:

Banking
Banking and financial sites are considered high security.  So they will get the longest, most complex passwords, none of which will ever get stored in the browser's password manager.  When I do need to log in I will copy the password from KeePass.

Online Stores
Just like above, long complex passwords that I will not store in the web browser.  I will copy them from KeePass anytime I want to order something.

Utilities
Utilities will be treated the same, long complex passwords that I will not store in the web browser.  Since I only login monthly, I will copy them from KeePass anytime I pay a bill.

email
Email is the fly in the ointment, if you will.  I want a really long complex password because I consider the info in my email to be sensitive, but I want to be able to check my email from any computer, which means I need to be able to remember my password.  So I've gone with the longest, most complex password that I was able to remember.  Most of the time I check my email using Thunderbird, which handles passwords for me.  So I only need to remember the password for checking email from a strange computer.

Social media
These sites will get medium-length complex passwords.  I don't use social media that often, so when I do I will manually copy my passwords from KeePass.

Work
Work sites I only access from work (surprise surprise).  And the data stored there isn't very sensitive.  I will still use medium-length complex passwords, but I will allow the web browser's password manager to remember them.

Forums and everything else
And finally, the bulk of my accounts.  I will use medium-length complex passwords for all of them.  If I access the site frequently I'll allow the web browser's password manager to remember them, else I'll copy them manually from KeePass.


So that's my new password scheme.  All complex and unique passwords, with the exception of email passwords which I need to be able to remember.  And most of these passwords are stored only in KeePass, the browser is only allowed to remember passwords for low-risk but frequently used sites.  Yes, this new scheme is less convenient.  But it protects me better in the event a password is compromised in the future.

Password Security - Password theory

This post will be a tangent from my password security thread.  I wanted to discuss some of what I consider to be interesting facts about passwords and security.

The "strength" of a password is determined by several factors.  For example, a lot of sites require your password to contain lowercase (a-z), uppercase (A-Z), numbers (0-9), and symbols (!, @, #, $, etc.).  The more of these different categories you use the more "secure" your password is.  If you use a lot of repetitive letters that weakens your password.  So "1$eDDDD" is weaker than "aB#d63r".  They are both the same length, but because the first repeats the letter 'D' it is considered weaker.

Another aspect that weakens passwords is the use of words and names.  For example "3David@" is a weak password, as is "!32House".  Passwords like this, with words and names in them, are more susceptible to what's called a dictionary attack.  Basically the attacker uses a list of words and names in an effort to crack your password.

However, the way to make the strongest password possible is actually the most overlooked.  It has been shown that the overall length of a password is by far the best way to improve password security.  Let's compare the following two passwords: "e$5Ty_Q" and "chocolate bear house river".  The first contains lowercase, uppercase, symbols and numbers whereas the second only contains lowercase.  The first does not contain real words whereas the second is nothing but real words.  Despite all this, the second password is far more "secure" simply because it's 26 characters long whereas the first only contains 7.  Now, if the first password were longer it would be more secure.  So "05gFxiTCrpsWADudUckJ" is more secure than "chocolate bear house river", although the second is easily remembered by a human.  So what's the take-home lesson?  If you need a secure password, think less about complexity, which is hard to remember, and think more about length.
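The comparison above can be put in numbers. The following is an added example, not code from the original post: it estimates the work an attacker faces as bits of entropy under two models, a brute-force search over every character class that appears in the password (length times log2 of the alphabet size), and a dictionary search when the password is a phrase of plain words (word count times log2 of the word-list size). The 7776-word list size is an assumption (the Diceware list), as is the heuristic that treats any multi-word, all-alphabetic string as a dictionary phrase; the passwords are the ones quoted in this post.

```python
import math
import string

SYMBOLS = string.punctuation          # the 32 printable ASCII symbols


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, counting every character
    class that appears at least once (lowercase, uppercase, digits, symbols, space)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Entropy if the attacker must try every string over the alphabet: len * log2(|alphabet|)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def wordlist_bits(passphrase: str, dictionary_size: int = 7776) -> float:
    """Entropy if the attacker knows the passphrase is N words drawn from a list of
    dictionary_size words (7776 = Diceware list size, an assumption in this example)."""
    return len(passphrase.split()) * math.log2(dictionary_size)


def distinct_fraction(password: str) -> float:
    """Share of distinct characters; heavy repetition (the post's "1$eDDDD") scores low."""
    return len(set(password)) / len(password)


def estimate_bits(password: str) -> float:
    """Conservative estimate: when the password looks like a phrase of plain
    dictionary words (several all-alphabetic tokens), assume the attacker uses
    a word list and take the weaker of the two models."""
    bits = brute_force_bits(password)
    tokens = password.split()
    if len(tokens) > 1 and all(t.isalpha() for t in tokens):
        bits = min(bits, wordlist_bits(password))
    return bits


if __name__ == "__main__":
    for pw in ("e$5Ty_Q", "chocolate bear house river", "05gFxiTCrpsWADudUckJ"):
        print(f"{pw!r:32} brute {brute_force_bits(pw):6.1f}  estimate {estimate_bits(pw):6.1f}")
    print("1$eDDDD vs aB#d63r:", brute_force_bits("1$eDDDD"), brute_force_bits("aB#d63r"),
          distinct_fraction("1$eDDDD"), distinct_fraction("aB#d63r"))
```

The output lines up with the post's ordering: "e$5Ty_Q" is worth about 46 bits despite using all four character classes, "chocolate bear house river" about 124 bits against a blind brute-force search but only about 52 bits once the attacker guesses it is four common words, and the 20-character random "05gFxiTCrpsWADudUckJ" about 119 bits under either model. The repetition point shows up separately: "1$eDDDD" and "aB#d63r" score identically on length and alphabet, and only the distinct-character fraction tells them apart, which is why crackers' mangling rules, not the entropy estimate, are what punish repeated characters.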

Password Security - Part 3

After reading my last post, hopefully you figured out all the passwords you have and entered them into a program like KeePass.  For me, when I collected them all in one place, I was surprised to realize I have almost 100 different sites with passwords.  The next goal is to group all these different sites into categories.  At first I didn't know what the different categories would be; I just had to look at what I had and logically arrange them.  Once I had the categories, I considered what level of security I wanted for that category.  I also looked at how frequently (or infrequently) I accessed the sites in that category.  To me, daily or weekly is considered frequent and monthly or greater is considered infrequent.  And lastly, I took into consideration where I access that site from.  The vast majority of the time I'm "surfing" the Internet from either my home computer or my work computer.  But what if I'm using a friend's computer, a computer in the library, an Internet cafe, etc.?  Do I want to be able to log in to my accounts from these less trusted sites?


Category:  Banking
Description:  This category is pretty straightforward - it's banking, credit, and financial sites.
Security:  Highest
Frequency:  Infrequent (monthly at best)
Location:  Home and work only.  I wouldn't trust any other computer to log in to these sites.  I would hate for a virus or key logger to compromise my banking accounts.


Category:  Online Stores
Description:  This group is all the online stores I have an account with.
Security:  High - most of these sites store credit card info which I don't want compromised.
Frequency:  Mostly infrequent (for many of the sites I only have a password because I needed to create an account for a one-time purchase), but a select few are frequent.
Location:  Home and work only.  I don't order things when traveling or from someone else's house.


Category:  Utilities
Description:  All of my monthly bills; e.g. gas, water, power, trash, etc.
Security:  High - utilities, like online stores, persist financial account info.
Frequency:  Infrequently (monthly)
Location:  Home only.  I'm not going to want/need to pay a bill from a computer other than my own.


Category:  email
Description:  Like many people I maintain several email accounts.
Security:  High - I consider email to be a very high security, probably higher than most people would.  Most email sites these days keep all your old emails.  That's a lot of personal info about me I don't want compromised, including emails from my banks, utilities, etc.  There is easily enough info in there to commit identity fraud.
Frequency:  Frequent (daily)
Location:  Anywhere - I would like the ability to log in and check my email from any computer; home, work, friend or family, strange computer in the airport, etc.


Category:  Social media
Description:  Although I don't have many, I have a few "social media" account.
Security:  Medium - while they don't have financial info about me, social media sites typically do have a lot of personal info which would be useful for someone trying to commit identity fraud.
Frequency:  Frequent (weekly)
Location:  Anywhere - Like email, I would like the ability to log in to social media sites from any computer.


Category:  Work
Description:  I have a small number of sites that I access for my job.  From a personal standpoint the security level should be low, but I'll bring it up to medium since some of the sites might contain company secrets.
Security:  Medium
Frequency:  Frequent
Location:  Work


Category:  Forums and everything else
Description:  I have tons of forums, bulletin boards, and other informational sites with accounts on them.  Oftentimes these are read-only; the site just requires you to create an account to access the info and/or download the files.  I consider all of these sites to be low security.  Do I really care if someone logs in as me to download trial software from VMWare?  No.
Security:  Low
Frequency:  Frequent (for some of the forums) and infrequent for many of the others.
Location:  Home and work only.  Most of these accounts are forums, and you can still read posts without logging in.  So I can still access them read-only from any computer, but I'm fine only posting from my home and/or work computers.



There you have it, a breakdown of the categories I came up with.  Each of my almost 100 sites fits into one of these categories.  In my next post I'll discuss the password scheme I've come up with to be able to access these sites while maintaining an acceptable level of security.

Tuesday, June 12, 2012

Password Security - Password Managers

Last time I talked about the need for better password security.  Before you can develop a good password scheme, you need to first identify all the sites and passwords you need to protect.  I know some people who write down all their usernames and passwords on a piece of paper which they keep near their computer.  Others may do it digitally, keeping a text file or a spreadsheet with all the usernames and passwords.  Still others may just rely on their memory.

Regardless of your system, the first step is to record all your usernames and passwords in a safe location.  For this I highly recommend a program called KeePass.  KeePass is an awesome (and totally free) utility for storing usernames and passwords.  It stores all this info in a single DB file which is very highly encrypted.  Even if someone gets their hands on a KeePass database file, it's very unlikely they would ever be able to crack the contents.  I personally recommend version 1.x over version 2.x.  Version 1.x is simple, clean, and easy to use whereas version 2.x is more complex and less user-friendly in my opinion.  If you find you don't like KeePass for some reason, LastPass is another very common password manager (also free).

So basically what you need to do is visit every single web site you have an account for.  For each site, add your username, password, and URL into KeePass.  It's a good idea to create folders in KeePass to group similar items; e.g. Banking, Utilities, Forums, email, etc.


There are other password managers out there.  For example, most (if not all) web browsers have a built-in password manager.  These password managers have one cool feature: when you visit a web site it automatically fills in your username and password.  But here's my problem with these password managers.  Regardless of what password manager you're using, you're in effect putting all your eggs into one basket.  Every password is stored in a single location.  So if that one location is compromised, then all of your passwords are compromised.  I know that KeePass and LastPass use very good security to encrypt your sensitive data.  So again, even if the encrypted file is copied the chance of someone ever cracking it open is very slim.  But how secure are the password managers inside your web browser?  To be honest, I had a hard time finding the answer to that.  If the security is weak, the maker of the web browser sure isn't going to admit it.  As it turns out, I have reason to question how secure these password managers are.  The programs IEPassView, PasswordFox, ChromePass, and OperaPassView are free software from NirSoft that decode passwords stored in IE, Firefox, Chrome, and Opera.  If these programs can decode the passwords in your web browser, who's to say a web site that you're visiting or a plug-in installed in your browser can't decode your passwords as well?  I'm not willing to risk that; I don't trust the built-in password managers to keep my passwords safe.  But that doesn't mean we can't take advantage of their useful features.  More on that next time.

Monday, June 11, 2012

Password Security on the Internet

Security and privacy on the Internet is obviously a very important topic.  With so much private information about you stored in a digital format, you need to be careful to secure it.  I wanted to do a short series of posts on password security and protecting yourself.

This all came about because of the recent news that 6.5 million LinkedIn passwords were compromised.  As it turns out, mine was one of them.  This has forced me to reevaluate how I use passwords on the Internet.  My old scheme was to maintain a small number of moderately complex passwords.  Anytime I needed a password for a new site on the Internet, I would use one of these passwords.  That way I only have a small number of passwords to remember.  For years this worked great.  I've been on the Internet since 1994 and never had a compromised password... until last week.  Because I used a small number of passwords, that one compromised password puts all the other sites where I used the same password at risk.

Before I get into password security and the changes I've decided to implement, I wanted to talk about how passwords are compromised.  The way in which malicious people get their hands on your private information has definitely changed over the years.  But I believe they have settled on 4 different approaches:

  1. Good old-fashioned trial and error.  I don't think it's very common, but guessing over and over is always an option.  After all, if your password is "password" or something really simple, all they need to do is figure out your username.
  2. The weakest link in computer security is almost always the human.  If you can trick the human into giving up their password that is far easier than any other approach.  That is why "phishing scams" are so common. Fake web sites designed to look like the genuine thing, bogus emails designed to trick the user - these are just some of the ways in which they try and exploit the human.  And it's not always the fault of the human.  Sometimes these attacks are so technically advanced that it's near impossible for the person to realize something's wrong.
  3. The first computer viruses were designed to inconvenience the user by erasing their hard drive and destroying their data.  But with the introduction of the Internet, virus writers realized the data on the hard drive is valuable.  So now they write viruses to extract data off your hard drive - whether that's your address book, personal documents, passwords, credit card numbers, etc.  They want it all.  So another common way to have compromised passwords is by a virus/malware on your system.
  4. The final, and usually most difficult, approach is to directly hack into the site.  Now I'm not talking about trying usernames and passwords over and over until you find one that works.  I'm talking about hacking into the system and stealing large numbers of usernames and/or passwords.  This is what happened at LinkedIn recently, as well as eHarmony.  Not to mention the huge Sony Playstation hack from several months ago.  These attacks are not easy and are usually undertaken by groups of highly skilled technical people.
I should point out that 1, 2, and 3 can usually be avoided if you, the user, are careful.  However, the fourth has nothing to do with you.  It has to do with how good the security is at the website where you signed up.  So you could be the most paranoid person and take every precaution with your password security, and it still may be compromised.

Friday, June 8, 2012

How to install KB2686509 on Windows

Recently Microsoft released a hotfix KB2686509.  Unfortunately every machine of mine refuses to install this hotfix.  What's more, the system gets caught in this annoying loop.  Because the hotfix fails to install, the next time I go to shutdown it wants to "Install updates and shutdown."  Which of course fails so it tries again the next time.  Well after lots of searching and experimenting I finally found out how to get this stupid hotfix to install.

The problem here is a custom keyboard scanmap.  Or put simply, I have custom mapped keys on my keyboard.  This hotfix refuses to install if you have custom key mappings.  The solution is as follows:

1.  Use regedit and go to HKLM\SYSTEM\ControlSet001\Control\Keyboard Layout.  Save a copy of the key, then delete the value "Scancode Map."

2.  Reboot your computer.

3.  Install the update again.  If the update still fails, manually download and install.  Visit www.microsoft.com/downloads and search for KB2686509.

4.  Restore your "Scancode Map" registry key and reboot one more time.

This worked for me, hopefully it works for you.
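Step 1 tells you to save a copy of the key before deleting the "Scancode Map" value, and step 4 to put it back. The following is an added example, not code from the original post: it parses the value out of a regedit export so you can confirm the backup actually carries your mappings before the live value is deleted, and again before you restore it. The binary layout decoded here (version and flags DWORDs, a count that includes a null terminator, then one DWORD per mapping with the new scancode in the low word and the original in the high word) is taken from Microsoft's published description of the value, not from the post; the sample .reg text is constructed and remaps Caps Lock to Left Ctrl, and the small scancode name table is an assumption.

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample: what a regedit export of the key in step 1 looks like.
# This blob remaps Caps Lock (set-1 scancode 0x3A) to Left Ctrl (0x1D).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,1d,00,3a,00,00,00,00,00
'''

# Names for the scancodes people most often remap (assumed table, not from the post).
KEY_NAMES: Dict[int, str] = {
    0x01: "Esc", 0x1D: "Left Ctrl", 0x2A: "Left Shift", 0x38: "Left Alt",
    0x3A: "Caps Lock", 0xE05B: "Left Win",
}


def extract_scancode_map(reg_text: str) -> bytes:
    """Pull the hex payload of "Scancode Map" out of .reg text.  regedit wraps long
    values across lines with a trailing backslash, which the pattern tolerates."""
    m = re.search(r'"Scancode Map"=hex:([0-9a-fA-F,\s\\]+)', reg_text)
    if not m:
        raise ValueError('no "Scancode Map" value in this export')
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", m.group(1)))


def parse_scancode_map(blob: bytes) -> List[Tuple[int, int]]:
    """Decode the value's binary layout (assumed from Microsoft's documentation):
    DWORD version, DWORD flags, DWORD count (mappings plus one null terminator),
    then count DWORDs, each two little-endian WORDs with the NEW scancode in the
    low word and the ORIGINAL scancode in the high word; the last DWORD is zero.
    Returns [(original, new), ...]."""
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("blob too short or not DWORD-aligned")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0:
        raise ValueError(f"unexpected header version={version} flags={flags}")
    if 12 + 4 * count != len(blob):
        raise ValueError(f"count {count} does not match {len(blob)} bytes")
    mappings = []
    for i in range(count - 1):
        new_sc, orig_sc = struct.unpack_from("<HH", blob, 12 + 4 * i)
        mappings.append((orig_sc, new_sc))
    (terminator,) = struct.unpack_from("<I", blob, 12 + 4 * (count - 1))
    if terminator != 0:
        raise ValueError("missing null terminator")
    return mappings


def describe(mappings: List[Tuple[int, int]]) -> List[str]:
    """Human-readable 'original -> new' lines, falling back to hex for unknown codes."""
    def name(sc: int) -> str:
        return KEY_NAMES.get(sc, f"0x{sc:04X}")
    return [f"{name(orig)} -> {name(new)}" for orig, new in mappings]


def backup_is_intact(reg_text: str, expected: List[Tuple[int, int]]) -> bool:
    """Step 1 / step 4 sanity check: the saved copy carries exactly the mappings
    you rely on, so deleting and later restoring the value loses nothing."""
    return parse_scancode_map(extract_scancode_map(reg_text)) == expected


if __name__ == "__main__":
    blob = extract_scancode_map(SAMPLE_REG)
    print(blob.hex(" "))
    for line in describe(parse_scancode_map(blob)):
        print(line)
```

Point it at the .reg file you exported in step 1 (read the file and pass its text to `extract_scancode_map`) and compare the decoded list with the remaps you know you made; a short or mis-counted blob raises instead of silently returning a partial list, which is the failure you want to catch before the value is gone from the registry.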

Caribbean Cruise part 5 - Cozumel

The final stop on our cruise was Cozumel Mexico.  Cozumel was kind of the middle ground of all the stops.  Whereas Haiti and Jamaica were foreign (even a little exotic) and Grand Cayman was modern and western, Cozumel felt just like Mexico on the west coast.  The people were friendly, and very few of the vendors were pushy like some of the previous ports.

The weather continued to be hot and humid.  The original plan was to do some light snorkeling in the morning, but I wasn't in the mood so we instead decided to walk up the road towards downtown.  We walked as far as the old light house before returning to the ship.  After lunch we had scheduled a tour at the Cozumel Chocolate Factory (google it and you'll find it).  Wow, that was fun and informative.  It's a small mom and pop shop that makes high-quality chocolate right there before your eyes.  You learn about the history of chocolate and the region.  You also get to make and taste your own chocolate.  And they have chocolate bars for sale to take back with you.  By far my favorite bar was the 2012 Limited Edition bar.  This was a semi-sweet bar (I think 60%) but what made it special was the addition of ground-up chunks of cocoa beans.  The raw cocoa beans are in effect 100% dark chocolate, so this makes the bar less sweet and darker than a standard 60%.  But the ground-up bits add a very nice crispy crunch to the chocolate.  It's almost like eating a Nestle Crunch bar, that crunchiness, but the crunchiness is from the chocolate itself.  Getting to and from the chocolate factory is going to require a taxi.  It cost us $10 each way for our group of 3.  That $10 cost is for the group, not per person.

Caribbean Cruise part 4 - Grand Cayman

The next stop on our Caribbean adventure was George Town on the island of Grand Cayman.  Whereas Haiti and Jamaica are very poor countries, that cannot be said of George Town.  Have you ever heard "I have an offshore account in the Cayman Islands?"  Well what they mean is they have money in a bank in the Cayman Islands to avoid taxes and laws here in the US.  This also means Grand Cayman has a lot of banks and a lot of money.  So it's easily the most developed and modern stop on our trip.

In Grand Cayman, our plan was to spend a lot of time snorkeling in the water.  We'd heard it was some of the best snorkeling in the world.  We ended up going snorkeling twice.  Just north of the pier where you get dropped off is the wreck of an old ship.  And a 1/4 mile south of the pier is a place called Eden Rock that we went to.  Both were incredible sites.  We saw tons of fish including schools of 5' long tarpon, barracuda, cuttlefish, flatfish, and huge sea snails.  I definitely recommend snorkeling these sites if you go.  The water is very clear and warm (although a degree or two cooler than Labadee).

The only thing we saw other than snorkeling was a church across the street and just south of the pier.  I don't remember the name of the church, but it was constructed some 100+ years ago by a ship builder.  This was awesome and well worth seeing.  The ceiling of this church was gorgeous beams with a very dark and shiny finish on them.  The inside was worth seeing, but be warned, because of the lack of airflow the inside of this church was the hottest part of the whole trip.

Speaking of heat, just like all the other stops George Town was hot and humid.  I continued to sweat a lot, so drink lots of water.  It looked like it was going to rain on us, but it never did.

Caribbean Cruise part 3 - Falmouth Jamaica

The second stop on our Caribbean cruise was Falmouth Jamaica.  Falmouth is a relatively new stop in the Caribbean.  I guess they completed the new pier in early 2011.  As such, the town is far less touristy than many other stops in the Caribbean.  This can be both bad and good.

On the good side, it gives you a chance to explore a foreign country and see the culture and the people as they truly are.  So many ports cruise ships visit are so westernized that you don't really get to experience the real culture.  The downside to this was how poor and underdeveloped the town was.  I've been to a number of poor cities in Mexico so I thought I knew what poor was - but I feel like Falmouth topped them.  The town looked and felt very poor.

While in Jamaica we took a self-guided walking tour of Falmouth.  It only took us a few hours to see the town, which isn't that big.  There were several neat buildings with a lot of history behind them.  There were two churches in town that were neat to see.  The weather in Jamaica was very hot and humid.  I was sweating like a pig during our walk.

Without a doubt my least favorite part of Jamaica was the pressure tactics of the local vendors and taxi drivers.  Literally (no exaggeration) every 5 feet as you walk down the street a vendor and/or a taxi driver will employ high-pressure tactics to get you to buy from him.  This gets old quick, and to be frank makes you not want to be there at all.  It's unfortunate too, because most of the Jamaicans were nice people.  As our walking tour brought us further into the town away from the vendors near the port, the people were friendly and helpful.  But near that port, those people gave the town a bad name.

Thursday, June 7, 2012

Caribbean Cruise part 2 - Labadee Haiti

The first stop on our cruise was Labadee Haiti.  Never heard of it?  I'm not surprised.  Labadee is owned by Royal Caribbean and is a private resort.  In other words, guests don't leave and locals don't come in (except a select few vendors to sell goods).  As such, I wasn't expecting much from Labadee, but I was pleasantly surprised.  The resort itself was very nice.  Those picturesque settings with a beach chair and/or hammocks under palm trees and umbrellas on white sand beaches just inches from the water - that was Labadee.  The weather was nice (albeit warm and humid), and the water temperature was perfect.  It wasn't the best for snorkeling as it was mostly sea grass and not many fish, but still enjoyable.

By far the best part was lunch.  Since it's a private resort, they prepare lunch on the island for you, or you can walk back to the docked ship for lunch.  Before we left we heard a lot of people complaining about the lunch on the island and recommended returning to the ship.  Well these people couldn't be more wrong.  One of the specialties at lunch was pork ribs (which I love).  Pork ribs can either be really good, or really bad.  So initially I only put one or two on my plate.  Well these were easily some of the best ribs I've ever had!  They had the three qualities that make awesome ribs.  1) They were fall-off-the-bone tender.  Since they were BBQ'ing ribs for 3,000+ people, I wasn't expecting such tender ribs.  They must have been par-boiled ahead of time.  2) The BBQ sauce was really good, and there was plenty of it.  They didn't skimp when it came to sauce.  3) They were very meaty ribs.  Pork ribs have a tendency to be lot of bone and little meat.  But these pork ribs had the most meat I've ever seen on pork ribs.  I ended up eating 15 to 20 of these awesome ribs.

So if you ever find yourself on a Royal Caribbean ship headed to Labadee - do yourself a favor and be prepared to enjoy some ribs!

The only downside to Labadee was the "pressure" tactics of the few local vendors.  They do everything short of grab you by the arm and pull you into their little shop.  I'm on vacation, I don't want to be hassled literally every 10 feet as I walk down the street.  Granted they want to make money, but if they weren't so forceful I would have actually gone into their shops and looked around.  But they hassle you so much all you want to do is get away from them.

Caribbean Cruise

Last week we took a week long vacation and went on a Caribbean cruise.  I think cruising has the stigma of being a vacation for old people, but this couldn't be further from the truth.  Modern cruise ships are so big and packed with tons of activities, so much so that anyone could find what entertains and relaxes them.

This was our third cruise; the previous being a week in Alaska and a week in Mexico (Pacific side).  We sailed out of Florida on the Freedom of the Seas, one of Royal Caribbean's largest ships.  We had stops in Labadee Haiti, Falmouth Jamaica, George Town Grand Cayman, and Cozumel Mexico.

All in all the vacation was a great time.  The only downside (for me) was the weather at the various stops.  I hate heat and humidity and that's exactly what we had at every stop.  Although it could have been a lot worse.

Instead of listing all the activities on board our ship (and sounding like a spokesman for Royal Caribbean), I'll compare and contrast this ship and cruise with the previous ships we've been on (Mariner of the Seas and Serenade of the Seas).  The Freedom is vastly different than the Serenade, but nearly a clone of the Mariner (despite being a different class of ship).  The pool deck of the Freedom was much larger and nicer.  And my favorite part was the two cantilevered spas that stick out from the ship on deck 11.  The view was incredible, and the spas were quite large and rarely, if ever, packed with people.  Another feature I was looking forward to ahead of time was the flowrider, a standing wave machine for boogie boarding and surfing.  Unfortunately, half of the machine broke the day before we boarded, so they were only running one side of the machine.  This meant boogie boarding only, plus one long line instead of two shorter lines.  We ended up not riding it, but it sure was fun to watch other people riding it.

Another aspect of the cruise is the onboard entertainment.  This cruise was top-notch.  Our cruise director was hilarious, and most of the onboard shows were right up my alley.

And of course there is the food.  Although I haven't cruised another line, I've heard other lines have, at best, average food.  But Royal Caribbean continues to have incredible food - and all buffets to boot.  When I got back I was honestly expecting to have gained 10 pounds, although when I weighed myself I had only gained 3 pounds.  This is probably due to the fact that we never took the elevators.  And running up and down 13 stories multiple times a day for 7 days is definitely a workout.

I'm already looking forward to our next Royal Caribbean cruise.  The only question is where will it be?