First, let me explain what I mean by “tiered password scheme”. Many perfectly smart people I know have one strong password they use for one or two online banking type sites. They’ll then have a “medium security” password they use on sites that are kind of important to them (maybe those sites have their credit card info stored), but not critical to day-to-day stuff. Then they’ll have one or two passwords they use on all the other sites like Twitter, Yahoo!, Facebook, GMail, etc.
Obviously they’re being relatively careful about the important stuff and that’s good, but the flaw in this system is in the perception of pain. People think “wow, it would massively suck if my bank account password got out, but it’s not such a big deal if my Twitter password gets compromised. I can always make another Twitter account.” Or, they’ll say “Why would anyone care about hacking my account? There’s nothing special about it.” And while there’s nothing inaccurate about those thoughts, they’re also totally missing the point.
The thing is that many of those low-value sites aren’t even remotely careful with your data. Some store your password in plaintext, or hashed so weakly that a breach hands it over anyway. And while nobody is likely to go after your account in particular, it’s not unthinkable that someone might break into Twitter (just an example), or, even better, one of the myriad third-party tools you’ve typed your Twitter username and password into, which are far more likely to be insecure. Now they’ve got a list of thousands, maybe millions, of usernames and passwords, and because so many people use a tiered password scheme (or worse, a single password) those passwords are going to work all over the place.
Now, most people I talk to say “I can just make another Twitter account,” but it’s not just *that* account. How many hundreds of sites have you used that low-value password at? Do you really want to go and change it on all of them? And how would you even know you need to? Considering how many sites you’ve probably used it at, it’s a safe bet that someone could be using your name to spam people, or link to virus-ridden sites, or whatever, from your account, and you might not find out about it for months, if ever. Not because anyone targeted your account, but because your username and password just happened to be in the list of thousands stolen from some site.
It is simply not realistic to claim that, if you somehow learned the password had been (or might have been) compromised, you would go and change it on every site you’ve used it at. And worse, if any of the compromised accounts (which the site’s administrators will probably have killed) were ones where you’d made friends, built up lists of contacts, etc., then you’re going to experience some serious pain and frustration figuring out how to contact all those people, telling them that no, that wasn’t really you trying to sell them male enhancement pills, and that you’ve got a new account now…. Gods forbid this happens to your e-mail account.
So, what are you supposed to do? Well, the “simple” answer is that you’re going to have to start using a different password on every site, and, because you’re human, you’re going to have to use a password manager to keep track of them all. There are a ton of password managers out there, and while the decent ones all keep your passwords encrypted under a master password, the usability of these apps varies wildly. Typically the process is: load a web page that needs a password, launch your password manager (if it isn’t running already), find the entry for this site in a list, copy the password to your clipboard, switch back to the browser, select the password field, and paste in the password. That’s six steps, two applications, and possible wait time while one of them launches, just to enter a password!
“But Kate,” you say, “my browser remembers my passwords.” And that’s great. It’s going to save you from having to do this all the time, but sooner or later your browser’s saved passwords are going to get wiped (a profile reset, a reinstall, a new machine), and you’re going to have to go through the process again. Even worse, what if you’re at someone else’s computer? The latter is a strong argument for having a password manager on your smartphone, but the usability is even worse when you’re talking about an entirely different device that you can’t copy the password from to paste into your browser.
So, again, what are you supposed to do? Well, first off, you need a password manager that’s not going to make you leave your browser. This means we’re talking about browser extensions, or maybe a web based password manager. And while there are a ton of choices, some of them are wildly complicated and most of them fail when it comes to usability. If you’re going to stick with this, and protect your identity and passwords the way you should it is absolutely imperative that you use a tool that makes it easy, easy, easy, to get your passwords in there. The act of retrieving your password and entering it into the site you want can’t be frustrating or annoying to you.
[Update: A number of people have felt that I'm trying to promote Passpack below. Passpack just happens to be one of the few services that meets all of my personal criteria, but there are other services out there and I encourage you to explore them. Furthermore, web based services aren't right for everyone. Some of us prefer Firefox Extensions, or apps that live on our phones. Really, I just want you to go find a tool that will help you to practice good password hygiene, and am offering up what I've discovered whilst searching for tools for me.]
So far I’ve only found one that I’m really willing to recommend: Passpack. Unlike most web-based password managers it can work offline, if you have Google Gears installed. It’s got a ton of features (probably far more than you need), and while its interface can be a bit overwhelming with all its options and its big grid of icons, it’s relatively easy to use, and most of the time you’re just going to click its bookmarklet when you want to log in to some site you’ve stored the password for. Once you’ve saved a password for a site it’s two clicks the next time you need to retrieve your password and log in. I definitely recommend checking out their video tour. [Update: the icon grid can be turned off, and will be off by default in the next version.]
When it comes to browser extensions I simply haven’t seen any that get the usability right. Some have daunting management screens, or just bad tools for initiating the action of getting the password, and almost all of them finish by copying the password to the clipboard and making you paste it into the form, which is just brain-dead considering that extensions have access to essentially every feature of the browser. Many (most?) of them are going to leave you screwed if you need to access a site from someone else’s computer. The same can be said for desktop apps. The things the extensions typically do get right are generating good passwords for you, storing them securely, and saving you from having to open another app. But all of the ones I’ve seen simply aren’t painless enough when it comes to usability, or management, or both. Actually, there was one exception that got the usability right, but ultimately encouraged users to go with something resembling a tiered password scheme.
[Update] I’m hearing a lot of good things about PasswordMaker from readers. Unfortunately their site does a terrible job of explaining just how simple its usage can be. It does have an ugly GUI that’s got way too many options, but apparently you never really have to deal with that, and I hear tell that there’s a web page component that’ll let you generate your password when you’re at someone else’s computer. It sounds like a real win. If only its site could convey its coolness…
It’s my opinion that a plugin-based password manager should be able to get your password into the form you’re currently using with two actions: one click / keypress to activate it and one to get the password into the field you want. I’m not counting authenticating yourself to the password manager, which, theoretically, you would only need to do once per session. It should also have a way to securely access, or regenerate, your passwords without installing anything when you’re at someone else’s computer, and create/use a different password for every site. If you can recommend a browser extension (for any browser) that can meet those requirements, and has a nice, simple user interface, please leave a comment.
If I were in your shoes right now, I’d go check out Passpack and accept the sad fact that it’s going to take a while to change your password on all the sites you use, but it’s a task worth doing. Me? Every time I go to a site that requires me to login I just swing over to the change password screen and use my tool. I’ll get to them all eventually, but the important ones I use every day are getting changed first.
THIS BOUNTY IS CLOSED Greg Stoll has come up with a winning submission and receives the prize. I’m going to spend some time tweaking it and then I’ll release it, and it’s source, into the wild.
The Deal I was offering a $100 Amazon.com gift certificate or a donation to your favorite open source project to the first person who could write me a Firefox Extension that matched the criteria outlined below. Most of the work has been done for you by many open source developers. It just needs a little UI wiring (check the mock-up at the end of the post).
Basic Idea Not too long ago someone came up with a good implementation of a password generator (Too Many Passwords) that is easy to use and will generate good passwords for you so that you don’t end up either forgetting them or using the lame shortcut of having only a few passwords for all your sites (a strong one for important sites like your bank, and maybe a couple other less strong ones). PwdHash is a similar idea but as a Firefox Extension. Both are free and open source, and I know that there are other similar extensions and web sites, but nothing I’ve seen so far is as easy to use, or as well integrated with Firefox as I’d like, and thus, I’m posting this bounty. Essentially, I’m asking you to improve upon the idea in the first link (Too Many Passwords), and convert it into a Firefox Extension.
Why Not Do It Myself? Because I know very little about Firefox Extensions and would rather spend my time working on my own projects. It would take me many hours to piece together the knowledge required to get this working as I want it, but hardly any time for someone who is already familiar with writing Firefox Extensions, because all of the heavy lifting has already been written by other people. All that’s left is wiring up the GUI. I think it’s worth $100 to me and the community to have this built, and I think that someone familiar with writing Firefox Extensions should be able to finish it in about three hours, which seems a fair trade.
Details
Most of the details are covered in “The Fine Print” and the mock-up below. The only other thing, in case it wasn’t blazingly obvious, is that when you launch this via the Tools menu or a right click it should be some sort of XUL pop-up window that won’t be blocked by pop-up blockers. It would be best if you could make the JavaScript easy to separate from the extension so that I, or someone else, can use it to make a web-based version, but this isn’t a criterion for winning. If you’ve got questions, or any of this seems a little vague, or you think a criterion should be changed, please contact me.
The Fine Print
Lock icons:
Mockup
It’s not uncommon for me to wonder if some app is running on my Linux box, and while I could pipe together ps and a couple of greps it felt silly to keep doing it after a while. So, I applied my admittedly limited bash skills and came up with the following script, which I put in an executable called “got”. Now I can just type “got tomcat?” (the question mark is optional; note that if a file in the current directory happens to match the glob tomcat? the shell will expand it, so quote it or leave it off). If anything is running with “tomcat” in its command line it’ll give me the skinny on it. Otherwise it’ll let me know it wasn’t found.
#!/bin/bash
# got: list processes whose command line contains $1 (a trailing "?" is optional)
APP="${1%\?}"
if [ -z "$APP" ]; then
    echo "usage: got <name>[?]" >&2
    exit 2
fi
# -ww keeps long command lines intact; drop the grep itself and this script's own invocation.
# "$APP" is quoted so an empty or spaced argument can't turn into a grep that reads stdin.
RESULTS=$(ps -A -ww -o pid,user,args | grep -- "$APP" | grep -v -e grep -e "got $APP")
if [ -n "$RESULTS" ]; then
    echo "$RESULTS"
else
    echo "No $APP found in ps -A output"
    exit 1
fi
If you can improve on this, please let me know.
If you’re like me you find yourself sitting at your computer and needing to go away, but there’s some page you’d like to read, or continue reading, on your phone. Well, if you’ve got an Android phone, or essentially any phone in Japan, you can just use your phone to scan a QR code from your computer screen and then open the URL on your phone. I know for a fact that there are other phones in the US that can read QR codes, but you’ll have to Google around to see if your phone is one of them.
Sound good? Then go here, see the screenshots, grab the bookmarklet, and let me know what you think.
P.S. If you’re interested in seeing what’s going on with 2D barcodes as we start to catch up to Japan you might be interested in checking out the 2d code news site.
I’m all for e-ink books. I hate reading on a computer screen, but e-ink is awesome, and just as easy on the eyes as paper. I’m also totally into the idea of a book-sized device that’ll have access to my whole lib and can offer me discounts on new books as a result of the lower distribution costs. But, there is no way in hell I’m going to buy a Kindle. In fact, I wouldn’t even use one if you offered it to me for free.
Why? Simple. I have books in my library that are over a century old. They may be beat to shit, with cracked deteriorating bindings, but they’re still totally usable. But, you are guaranteed to be screwed sooner or later with any DRM encrypted e-book device. Your device could break, and then you can’t read anything you bought on it until you buy another one. The manufacturer could stop supporting it (and then it’ll break). The manufacturer could switch to a different DRM for future sales, abandoning your old device, or charging you to convert each item you already bought (*cough*itunes*cough*). The manufacturer could cripple your device either intentionally or accidentally, thus making all your purchases evaporate(*cough*microsoft*cough*).
I want any book I buy today to be readable in 20 years, or more. This isn’t an unreasonable request when you’re talking about books. I reread twenty year old books regularly. I’d do it even more if the older half of my library was at my house. Right now, any book you buy on the Kindle is almost guaranteed to be lost money. You’ll be able to read it for a while, and enjoy it, but sooner or later, you’re not going to be able to access it any more, and when that time comes you’ll have to buy it all over again… assuming it’s still available anywhere.
Now, if Amazon, and their competitors, would remove the DRM from their e-book devices, and thus allow me to back up my data, so that when some new, better device comes out (possibly from another manufacturer) I could read it on that, I’d have no qualms about buying one. Well, none except the price. The majority of the books I buy are mass-market paperbacks which cost about $7.00. If I’m lucky I can get a $2.00 discount by buying the Kindle version. At $360 I would have to buy 180 books to even break even. And, while I do buy a lot of books, if I bought two books a week it’d still be less than 2/3 of the way there after a year. How many of you can say you buy at least two books a week? I probably do, on average, but I have a feeling that I’m the exception here. And even then I’m actually worse off than if I’d just bought the paper ones. I’d still be in the hole for money. I wouldn’t feel comfortable walking down the street reading on an e-book reader because if I dropped it I’d be screwed. And yes, reading whilst walking is a major issue for me. I get about 30 minutes worth of reading done every day on my way to and from work. And, I wouldn’t be able to lend any of the books I bought to anyone. I’ve been turned on to so many good authors by books lent to me, and I know my lending out books has turned others on to new authors too.
Until you can provide me with an affordable device that isn’t guaranteed to prevent me from being able to read the books I’ve bought for it twenty years later I’m not going anywhere near it. And twenty isn’t an upper bound. I want to be able to pass those books on to my kids.
[Update] Binil has made a good point in the comments that I felt worth summarizing up here. Tech books get significantly more of a discount than $2 and, more importantly, they will become obsolete long before your Kindle stops working, and you’ll not want to repurchase them to reread in 20 years. I’ve got a stack of useless computer books in my house that I’ll never even open again, never mind read. If you limit your purchases to computer books that are going to obsolete themselves, the Kindle will amortize itself much faster and the DRM becomes a non-issue, because you simply don’t care if you lose access to the book in a couple of years. The trick is to not let the ease and instant gratification of purchasing on it sway you into buying books to read for pleasure.
[Update 2] From the Kindle’s Terms of Service:
Your rights under this Agreement will automatically terminate without notice from Amazon if you fail to comply with any term of this Agreement. In case of such termination, you must cease all use of the Software and Amazon may immediately revoke your access to the Service or to Digital Content without notice to you and without refund of any fees…
Which can be roughly translated as “If you do something we don’t agree with we can stop you from using any of the books you paid us for. ” You may, or may not, own the digital bits, but you apparently don’t own the right to decode them into something readable.
[Update 3] from John Paczkowski:
Rather than argue with the Authors Guild over the text-to-speech feature of its new Kindle 2 e-book reader, Amazon is modifying the device’s software to make it optional. Authors and publishers will now be able to decide if they want the function enabled or not on titles for which they own the rights.
So again, the fact that the content is DRM’d means that they can disable any features on the books you buy without notice, even if you paid for a Kindle specifically for those features.
Photo CC Licensed from pt.
Or, how to treat your customers right.
I’ve had a number of domains with Register.com for years now. They’re not the cheapest, but they’ve got good tools for managing your domains and back when I used to be a freelance web designer/developer I had to call them a number of times to help address setup issues for clueless customers. They were always nice and helpful.
But, I had about seven domain names with them. Roughly three months before every domain expired I’d get an e-mail from them that essentially said “OMFG Yer gonna expirez! Renew Now!!!!” But, nowhere on the e-mail does it actually mention that you’ve still got 3 months left before it does. It’s all about the scare tactic and trying to convince you to sign up for multiple years. “Renew <your domain here> early and save up to $129.” Seven year renewal that… and better yet they’re all “this promotion expires on xxx” except, it’s always effing available.
Then, about a month before your domain expires they’ll call you and be all “OMFG EXPIreS!!” And, to be honest, the people who called were always friendly, but my last conversation went something like this (I’m paraphrasing):
“Example.com is about to expire. If you renew for two years we’ll give you x% off.”
“Don’t I have that on autorenew?”
“Yes.”
“So, it’ll just renew itself when it expires right?”
“Yes, but we can take care of that right now over the phone.”
….why would I dig out my credit card, read the numbers to you in the middle of my office, wait for you to type it in and repeat it to me when I can just do nothing and let the automated systems take care of it for me?!
“Um, no. That’s ok…”
“Ok. Anything else I can help you with?”
“No thanks.”
It actually went on for a bit longer than that, but you get the gist. This happened to me about seven times a year. “OMFG reneW!” email 3 months early, followed by an “OMFG reNew!” call. There was probably another last minute OMFG renew email too that I’m just blotting out.
Now, somewhere along the way I registered a silly domain that I didn’t care much about. So, I just went with a cheap vendor that I knew wouldn’t disappear tomorrow, in this case I tried GoDaddy.com. I have to admit that I was a little curious as to what their setup was like too.
GoDaddy’s tools for managing your domain are not slick. They get the job done but they could really be simplified and made much more user friendly. But, I only have to touch them when I set up the domain the first time, and if I ever change who is hosting it. So, essentially never. I, of course, turned on the autorenew on that domain and promptly forgot about it.
A year later GoDaddy sends me an e-mail that essentially says “Hey, your domain is going to autorenew in five days. Here’s how much it’ll cost. Just wanted to give you a heads up.” then, a smidge later “Hey, it autorenewed. Here’s your receipt.” And then, the bit that blew me away. Maybe a week later I get a phone call (again, paraphrasing).
“Hey, this is GoDaddy.com your domain just autorenewed and we wanted to check that everything is ok, and see if you had any questions or wanted help with anything.”
“No, I’m good. Thanks.”
“Great. Well, have a nice day.”
I was stunned. Practically staring at the phone after they hung up. They never try to sell me anything. They never try and get me to renew it for an extra year, or six, at some discount, although there is one available. They never try and sell me hosting or mail or anything. They just call to make sure I’m a happy customer. Holy, fucking, shit.
End result? 13 domains all at GoDaddy.com and price never entered the decision to transfer.
P.S. It’s funny how many companies don’t understand the simple fact that customers appreciate it when you treat them the way you’d like to be treated. GoDaddy.com apparently does, and that is why I’ve taken the time to relate my tale to you.
P.P.S GoDaddy.com is a lot like Microsoft in that they engender strong opinions. And, a bunch of you are going to say “OMFG Kate! GoDaddy is teh suxz0rz!” But, I’m not hosting my domains with them, I’m just using them as a registrar. And yes, I’ve heard some bad tales about what they’ll do to your domain if they think you’re a spammer, or doing other bad stuff which I’m not thrilled with, but, for now, let’s just keep this focused on how they handle their customers.
This keeps happening to me. I follow a link from one interesting blogger to another, read some post that sparks a question in my mind. Maybe it’s related to the post, maybe it’s an unrelated question for the poster. Sometimes I’ve tracked down their site because I found a bug in some open source software they wrote… either way, I’m on their site and I’m trying to contact them. But guess what? There’s no freaking e-mail link anywhere, not even on the “About” page. In fact there’s no way to contact them directly at all. Sometimes I’ll find a link to Flickr, which I happen to know lets members send little messages to each other, but seriously?! What is the fucking point of writing posts on your blog if you’re not going to give anyone a way to respond?
If I’m “lucky” they have comments enabled on their blog so if I wanted to be an ass I could leave a “I know this has nothing to do with this post and this really isn’t the place for this question, but you’ve left me no alternative….” comment on some random post.
Usually these are geeks’ blogs, probably sick of getting comment and e-mail spam, which I can totally empathize with, but if you’re a programmer you are arguably smart enough to figure out one of the many, many ways to stick your e-mail address on a site without the bots getting it. You can obfuscate it, you can encode it, or, safest of all, you can just stick it in an image (with the caveat that an image is invisible to screen readers and can’t be copied, so give people a second option). I should not have to do a freaking whois lookup on your domain name to find a way to contact you!
Blogging is a form of communication. Just spouting off words with no hope of anyone responding is roughly equivalent to wearing a sandwich-board with “Repent! The end is nigh!” in one foot high letters and yelling about how God is coming for us nowwww!!! You’re both spouting off about something you care about and neither of you have any real chance of actually communicating with anyone. The only difference is that you’re not a nutter.
So please, put a fucking way to contact you on your god damn blog or stop writing interesting shit. One or the other. I don’t care which.
Arrgh!
P.S. If you want to contact me, feel free. I’ve got seven different ways listed on that page, and my phone number’s on my resume, which I’m not linking to because I’m not looking for a new job and because I don’t really want to talk to people on the phone. So :P
P.P.S I’ve always made it a point to make it easy for people to contact me on the blogs I’ve had over the past ten plus years and I’ve never had a problem with it. I use good spam filters on my e-mail and my comments (because I’m not an idiot), and am not afraid of blocking someone on IM, although that only ever seemed to be a problem on ICQ. When someone wants to ask a question, or share a comment about something I’ve written they can, and I treasure the knowledge that I’ve written something interesting enough to spark a thought in someone’s brain worth writing down.