Archive for the 'Uncategorized' Category

A simple question about logins

Thursday, May 23rd, 2013

More secure passwords are hard to remember.

Memorable passwords are easy to crack.

All passwords should be unique (one for each site/service).

Why the heck, in this day and age, are we still attached to the password? I’m sick and tired of hearing stories of mass password dumps from popular websites, of having to deal with people relentlessly trying to guess my password on different sites (and having to deal with the fallout). I’m fed up with having to have a password manager, of trying to remember so many different pieces of information, of feeling constantly jeopardised if some major site announces another leak.

The industry has resolutely failed to tackle this properly. We have half-baked ‘solutions’ like password managers and two factor authentication. We end up with identity managers: Persona, OpenID, Google and Passport come to mind, but these ultimately fall foul of the same password issue as before: you still need a bloody good master password.

Why is my device not authenticating me directly – Web of Trust and all that? Whatever happened to all those fingerprint scanners on laptops – did they not work? If my tablet, laptop or phone can absolutely confirm my identity, that should surely be available to all services and sites that I use on that device – just a thought. This is not a new idea in enterprise networks.

I might not give the ‘right’ solution (I have ideas), but I can observe that I think the current one is wrong. We continue to be failed by a lacklustre and ultimately lazy industry. Every time I see a relative or non-technical friend struggle with passwords, I despair. We collectively need to find a solution that will once and for all rid us of this awful mess of passwords.

Frustrations with two-factor authentication

Thursday, May 23rd, 2013

After some decidedly choppy performance from the Nexus 7, I decided to factory reset it. Shouldn’t be a problem I thought … everything is saved up in the cloud.

Sure enough, once the tablet is restarted I am presented with a login for my Google account. I give my username and password, however I have two factor authentication enabled. This is a mechanism whereby, once you’ve typed your password, you are asked for a six digit code which rotates quite frequently. The app runs on your tablet, your phone or you can receive text messages for the same. It dramatically improves the security of your account.

The sign-in procedure for the tablet can’t cope with two-factor, and redirects me to another (slightly dodgy looking) page where I have to type my password again (it’s not easy – intentionally cryptic, and a pain to type accurately on a tablet).

So, I temporarily turn off two-factor authentication, forgetting that the multitude of programs which can’t cope with it need their own passwords (and will undoubtedly complain).

This isn’t right, I remind myself. We need to be secure about this, so after some progress on the tablet I re-enable two-factor authentication. Now, the tablet complains again – understandably – but I’m met with the same system that can’t understand its own servers … I’m redirected back to the odd-looking webpage (this is genuine Google, it just looks awful).

To make matters more interesting, Authenticator was installed on the tablet before, so I also need to re-enable that. Curiously, selecting the Google account didn’t work (after asking for the password yet again), so I resorted to the 16 character keycode.

Finally, it works. However, I’m left frustrated by the performance. It is concerning that those who might benefit from two-factor the most, the less technical user, are expected to run through the same hoops. Not a chance.

“Syncs with Dropbox”

Tuesday, May 21st, 2013

As we stampede ever closer to online lives – our creations in the cloud – the idea that Product A works well with Product B must surely be a fading one?

Why do I care that your app syncs with Dropbox and Box.net? I do care that it doesn’t sync with Google Drive – a service I’d prefer to use.

Your timesheet app sends its data to Freshbooks? Great, but I use Kashflow and I rather like it.

We see something of a solution with Intents, both on the phone and on the web, but I’m sure there are plenty more iterations to come. Like the proprietary file formats of yesteryear, the idea that your app operates by product, not by protocol, means that it’s limited in both scope and complexity.

Incidentally: I don’t necessarily wag the finger at product designers here.

The Smarter Shopper

Tuesday, May 21st, 2013

It’s quite evident that shops will up-sell over-priced accessory items when selling a large item at a lower price.

Every type of trade seems to have them. IT people are aghast at the prices high street chains charge for USB cables; those in the know will shop online in technical stores. What might cost you £20 in a well-known purple world of PCs can be bought online for less than £3, often including delivery.

We sometimes have to be careful not to buy too low. I tried some incredibly cheap USB cables (think 50p each) and they were useless. There is a quality associated with these things; high street names will pick good enough and up-charge. You have no such guarantee online – cheap really can be too cheap.

The usual accessories seem to be:

  • Camera shops and lens protectors (the little glass add-ons you put in front of your expensive lens);
  • Computer chains and USB cables;
  • Audio/visual shops and ‘gold plated’ HDMI/audio cables;
  • Most high street shops and batteries;
  • Printer companies and ink;

Some are about being in the right place at the right time. Computer devices curiously come without cables; many electronic devices come without batteries. Of course, you’re in the shop and you’re likely to buy them irrespective of the price.

For the canny shopper, though, it’s quite possible to buy online or through smaller traders for the accessories while getting the main item in-store. The usual choice might be Amazon, but is this always the best? I’d like to imagine a website where a user could select the accessory they’re looking for and be pointed in the right direction by reviews. Need batteries? This place is brilliant.

My usual choices for cables (computer and audio) are eBuyer or Amazon. I haven’t bought batteries online yet but I suspect Amazon will again be a good choice (well-known brand or are there lesser-known ones that work fine?)

If you have any suggestions please let me know and I’ll put them on here.


What I’ve been Bookmarking – 27 Apr 2013

Saturday, April 27th, 2013

A collection of some recent articles and pages I’ve found interesting…

Cloud vendors name the price to ‘go private’, where it becomes worth considering using dedicated servers – it’s about $10,000/month.

Some interesting thoughts on using Raspberry Pis and Arch Linux for dedicated servers.

Aldermore appears to be a ‘fresh-thinking’ bank in the UK, focusing on savings & mortgages.

Ways to secure your REST API from Stormpath, a user management service for developers.

The Mobile Office

Thursday, February 14th, 2013

I’ve been waiting to try this for a while, and this week while on a business trip I’ve finally been able to give it a go.


Presenting my mobile office! A Nexus 7, a plastic stand and a bluetooth keyboard. While I generally travel with a laptop for work, most of the evening is taken up with note-writing, media and Skype. In the spirit of testing out these things I wanted to know whether I could get by with just these devices. I have to say, I’ve covered most bases here, and am very happy not to have to lug about the heavy(/ier) laptop in the evenings back and forward to the hotel.

Very impressed with the Anker Bluetooth keyboard, which works from a couple of AAA batteries. I got the black one for about twenty quid for aesthetic reasons :-) It’s a US keyboard. Unless you’re reaching for the pound sign or double quotes all the time this shouldn’t be too much of a problem (actually the Nexus doesn’t yet support UK keyboards natively anyway). Some of the function keys are iPad specific, but the usual volume up/down and copy/paste shortcuts work. It’s big enough for my fat fingers … I can even touch type on it, and connectivity has been very good so far.

The plastic stand for the Nexus was about three pounds (but currently sold out, so no link) and is fine for the price. For about a fiver you could probably do a bit better.

Hopefully the Nexus 7 needs no introduction :) I got mine shortly after they first came out and I can’t imagine life without it now.

Incidentally, in the background you may also see my wireless hotspot. This is the TP-Link MR3040 and put shortly, it’s a wireless router which can route Internet from either an Ethernet cable or a USB modem. I am currently in a hotel which only supplies cabled Internet … pretty useless for tablets! With this device, I can connect to the Internet from my phone, tablet or laptop with ease. I also have a USB 3G modem which I use in the UK (with a Three sim-card) although more often than not I use the Wi-Fi hotspot function on my phone to tether.

I hope to write more about each device in the coming weeks, with practical guides, notes and thoughts. This three-day trip is also not nearly enough to test the setup to completion – I’ll be continuing to try out new ways of working and writing to see what is comfortable and shall report back in due course. Let us be clear about one thing though – this is a tiny yet practical mobile workstation for two hundred pounds.

HTTPS over public wifi

Tuesday, February 5th, 2013

LinkedIn supports HTTPS connections. If you go to https://www.linkedin.com/ your connection will be secure and your session & data kept private.

This is fine, and works well, until you click View Profile or click on a Notification. At this point it appears the site dives back to plain old HTTP. If you’re not paying attention, you won’t even notice.

Why is this a possible cause for concern? First, this suggests the cookie does not have its secure flag set, which means the authentication cookie is also being sent in ‘plain text’ and is therefore sniffable by a third party.

Second, any website being transmitted over HTTP is susceptible to manipulation. For instance, a third party could act as a proxy on a public wifi network and inject a piece of HTML or JavaScript to, say, pop-up a dialog window asking you to re-authenticate.

Note – this is all a fair amount of conjecture – I need to build a proof-of-concept (actually, I’m sure many already exist), and LinkedIn is certainly not the only example. I should also point out that at least this website asks for reauthentication when viewing/editing sensitive data, which is a plus point.
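To make the cookie point above concrete, here is an added Python example (not code from the original post) that parses a few constructed Set-Cookie headers, reports a session cookie that lacks its Secure or HttpOnly flag, and applies the browser rule for whether each cookie would be attached to a plain http:// request; the cookie names, values and the example.com URL are made up.

```python
# Added example (not from the original post): parse Set-Cookie headers and
# check which cookies a browser would still send if a site drops to http://.
from urllib.parse import urlparse

# Constructed sample headers; the cookie names and values are made up.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",          # no Secure: rides along on HTTP
    "session=abc123; Path=/; Secure; HttpOnly",  # hardened form of the same cookie
    "prefs=dark; Path=/; Max-Age=3600",          # not sensitive, Secure optional
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); Secure and
    HttpOnly become booleans, every other attribute keeps its string value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"secure": False, "httponly": False}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):
            attrs[key] = True
        else:
            attrs[key] = val.strip()
    return name.strip(), value.strip(), attrs

def sent_over(header, url):
    """Browser rule for the Secure attribute: a Secure cookie is attached only
    to https:// requests; a cookie without it is also sent on plain http://."""
    _, _, attrs = parse_set_cookie(header)
    return not (attrs["secure"] and urlparse(url).scheme != "https")

def audit(headers, sensitive=("session",)):
    """List (cookie, missing_flag) pairs for sensitive cookies that lack
    Secure or HttpOnly; an empty list means the session cookie is hardened."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name in sensitive:
            findings += [(name, f) for f in ("secure", "httponly") if not attrs[f]]
    return findings

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "-> sent to http://example.com/profile:",
              sent_over(h, "http://example.com/profile"))
    print("findings:", audit(SAMPLE_HEADERS))
```

The first header is the situation the post describes: the session cookie is still sent when a link drops the site back to HTTP, whereas the second header (the same cookie with Secure) is withheld.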

Crash a Mac

Sunday, February 3rd, 2013

It seems that typing File:/// in a Mac application will crash the Mac (OS X Mountain Lion). Most applications appear to be vulnerable, and this is something to do with URI handlers.

A long time ago, there was a bug in Windows which caused a blue screen … accessing C:\CON\CON\ would immediately cause a BSOD. Something to do with DOS redirects for comms ports.

In my foolish youth, I turned this into a bit of a cruel prank against some friends, by sending them a link to a website which would then attempt to open the above path. Sure enough, it would crash Windows. I then stupidly fell for it myself …

Anyway, it seems this is fine in Chrome and Firefox, but it looks like Safari is vulnerable. Can any Mac users confirm (once you’ve saved all your files!) if the following link successfully crashes the browser? Here it is.

I don’t have a Mac to test, but it looks like the bug is more to do with text entry than anything else … so perhaps creating an INPUT type=text field and autopopulating the field would also work?

A Better Insurance Company

Tuesday, January 29th, 2013

I bought a new car recently. I kept the old car for a few days while I decided how to get rid of it. Good grief, car insurance in the UK is a mess. Various cancellations, new contracts, payments and refunds – not to mention about eight different letters, and we’re finally sorted. This got me thinking about my ideal insurance company, and what I’d expect from it:

  1. Absolute clarity on premiums. Everything is rationalised and explained to the customer. Getting this car will cost you £x more. Driving an extra 5,000 miles per year will cost you £y. Probably need to work on a fixed profit margin, but you’re a business (maybe a co-operative?) and I accept that. Seems to work for the utility companies.
  2. Allow instant feedback, so the customer can make decisions. The car will cost £x more? Okay, I’m willing to accept that but I’ll keep my mileage down and take the train more often.
  3. No charges for changing details. Ever. It’s a penalty on the facts of life – worse, I’m willing to believe otherwise honest people are discouraged from keeping their records true and up-to-date because of this.
  4. On the same basis, and to keep those admin costs down: everything updated online (and, per point 1, the interactive estimator is online as well).
  5. Get rid of this stupid policy of rewarding new customers and screwing loyalty. I get a premium increase next year but Joe Bloggs joins and gets 10% off?
  6. Make it absolutely clear what effect No Claims Discount has on the price. Insurance companies in other countries have clear rules on what percentage discount is applied with NCDs. Ours are smoke and mirrors.
  7. Make the idea that “to get a good deal, you need to shop around” redundant. See point 5. Many people I know shop around each year to renegotiate their insurance. I’d rather not be in a position where this is necessary, and it shows how little importance companies seem to put on loyalty. Give me your best price first time, every time. Stop the rigmarole of phoning around every year.
  8. Remove the fear from claiming. I’m not sure how to tackle this but there is an implicit problem when people avoid claiming because they can’t be sure what effect it’ll have on their premiums. Even if you have protected NCD, can you be sure they won’t increase your premiums for the next few years (points 1 and 6 may help…). I dread to think how many people resolve their issues with cash rather than going the “proper” way, simply because of this fear and the associated hassle.

Case in point: To change my existing insurance was going to cost a lot more (20%+); to cancel then start a brand new policy (with the same company) turned out to be much less. I don’t care much for the whys and hows … this is a ridiculous, time-consuming and unpleasant way of doing business.

Over-familiarity

Tuesday, January 29th, 2013

Reading through this article on the BBC about over-familiar websites, I was reminded about how there appears to be an increasing over-familiarity in communication in general.

One business colleague in particular grew quite annoyed at the widespread use of “Hi” at the start of (business) emails, and I have developed a tendency to agree. In client-supplier emails, for instance, the use of such a relaxed greeting is (in my mind) both inappropriate and unprofessional.

My mobile provider, for instance, routinely sends out emails: “Hi Sven, we thought we’d just let you know your bill is available.” Great! You want to go for a beer this evening? Play a few games of pool?

Of course, it’s not even a human at the other end. The company probably send out thousands of these messages each day; the idea of familiarity is entirely fabricated.

Even the supermarkets are at it. My local supermarket clearly went through a stage of instructing its cashier staff to ask “how is your day?” as if they would be genuinely interested to hear a cheerful itinerary of my most recent activities. Of course not, and for all the time they’re asking the question behind fake smiles and feigned interest, I can’t help but imagine some marketing person thought this was actually a good idea, and that we enjoy being forced into conversation with somebody we’re never likely to meet again.

Of course, I take the negative view on this stuff. Maybe most people do enjoy the little artificial contact from the otherwise faceless corporations, which would explain why I ended up in a rather awkward conversation the other day when calling up a service provider. The person at the other end cheerfully spoke, “Hi Sven. Hope you’re having a good day. Can I call you Sven?” to which I rather bluntly replied, “No, I prefer Mr Latham.” I don’t think he was expecting somebody to actually object to that cosy relationship, and it put a bit of a downer on the rest of the conversation.

I wonder if he put the phone down at the end and genuinely despaired about losing a friend, but I doubt it. I never knew him before – he never knew me and we’ll probably never speak again.