Websites + Passwords

If you have an account with any website, they should be making sure the password you use is stored securely, so that if a hacker comes by and breaks into their website your password (which you’ve probably – like everybody else – used on a hundred other websites) won’t be revealed.

One way the website can protect your password is called ‘hashing’. Instead of storing your password, the website stores a ‘hash’ of it. You type your username and password in the usual way, and the website does some clever maths behind the scenes to hash your password for you. The mechanics are pretty dull, but all you need to know for now is that your password itself is never kept on the website, so nobody who breaks in can simply read it out. Nice and secure.

If you’ve ever forgotten your password, the website might offer a link “I’ve forgotten my password”. What happens next will give you some big clues as to the kind of security they use.

If they send you an email with a nice, long link to click ‘Reset my password’, this is usually a good sign.

If, however, they send an email with “Hello, your password was kittens45”, be warned. This means that the website kept hold of your password all along. Good news for somebody looking to steal a bunch of passwords.

This might not seem like a big deal. So what if some hacker breaks into that website, steals all the passwords and runs off laughing? Not too serious if it was just a cookery site or an online kitten album.

However, an awful lot of people use the same password for their GMail, Yahoo or other accounts. They might be using it for their utility bills online. The hacker now has your password. Suddenly that password leak becomes a bit more serious – your email might give other details about you, like your bank account or even more passwords to other sites. The hacker knows your username, your password and can probably now get to your mail, private photos, documents and other websites.

So, we know websites should be at least keeping your passwords safe and hashed. If they’re not doing that, you have to wonder what other security lapses they have made. People invest enormous chunks of their private lives online, and we have precious few indicators of how seriously websites take the issue of security. Some are surprisingly relaxed – and it’s your personal data they’re toying with. Oh, if only I could tell you some horror stories…

Next time you use a website, quickly try the ‘Forgot my password’ link. It (usually) doesn’t actually change your password, and the email they send to you can give an immediate clue about their attitude to your security.

* Notes for the technically minded:
– If you hash, make sure it’s a good one. MD5 is weak and easily cracked.
– Determined hackers might also interfere with the login page and capture the password from there, but most recent cases have shown the password tables to be much juicier pickings.
– The website might be encrypting the password rather than hashing it. I’ve yet to find a ‘regular’ website that does this though – all that I’ve challenged where a password has been returned have simply been keeping it in the clear.
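As an added illustration (not code from this post), here is the kind of thing a well-behaved site does instead of keeping the password, or a bare MD5 of it: a salted, deliberately slow hash, with login checked by recomputing from the stored salt. The password ‘kittens45’ and the storage string format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example: PBKDF2-HMAC-SHA256 with a random per-user salt.
# The iteration count is what makes each guess expensive for an attacker
# who has stolen the password table.
ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """The weak scheme the notes warn about: fast and unsalted, so every user
    who picks the same password gets the same digest, and precomputed tables apply."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Return a storage string 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.
    Only this string goes in the database; the password itself is discarded."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time, so timing does not leak how much of the digest matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("kittens45")
    print(record)
    print(verify_password("kittens45", record))  # correct password
    print(verify_password("kittens46", record))  # wrong password
    # Same password, two users: MD5 gives identical digests, the salted hash does not.
    print(md5_unsalted("kittens45") == md5_unsalted("kittens45"))
    print(hash_password("kittens45") == hash_password("kittens45"))
```

A site that can email you ‘kittens45’ back has stored neither of these; it has stored the password.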

No website

The menu of our local café enthusiastically gives the phone number, email and Facebook page on the front cover. No website.

Our local butchers had an event recently. “Photos are on our Facebook page.” Their website has become a neglected feature which basically serves to redirect the user to Facebook. Their world now happens in Facebook. All roads to that business lead inside.

A quick search elsewhere reveals this is not uncommon at all, and it’s hardly surprising. Facebook has undoubtedly made the barrier for publishing content much lower than ever before – connecting with customers is now a trivial task with instant feedback and gratification.

However, at the risk of sounding like an anti-social-network, Facebook bashing lunatic, I urge these businesses to consider two things. First, can people find the information they need if they don’t have a Facebook account? Second, if Facebook closes its doors or loses its appeal, how easy is it to pull all that content back out and place it somewhere else?

The first issue can be tested. Log out of Facebook and try visiting your own page. Can you see everything? Could a visitor contact you without needing an account? If not, you may be dissuading those customers who have no interest in signing up to Facebook – they’ll simply go elsewhere.

The second is rather more theoretical. Facebook is currently in good health and isn’t likely to be replaced any time soon. It does happen though – Google displaced Altavista. Netscape used to have the dominant browser. Myspace was a hugely popular website but is now largely a memory.

Business owners (like most people) will tend towards the easiest option. Facebook allows the humble user to become an instant publisher: photos, videos and messages are all easy to distribute; interaction with users becomes an incredibly straightforward task.

We could say Facebook has made publishing on the web easy – I think it’s rather more that the current alternatives are too weak, or that they don’t engage well enough with the customers. If we, the do-gooders, genuinely believe that Facebook is an evil walled garden (do we, really?) then we ought to be working to lower the barriers for its competition rather than simply sounding the impending doom of all those who follow it.

Now in HTTPS

This blog should now be served over HTTPS. As of today, I’ve switched all traffic coming in on regular ol’ port 80 to its more secure cousin, 443.

In human terms? Most websites use ‘HTTP’ – your computer asks for a page (or an image, or anything else) and the server dutifully sends it back. In most cases, nothing is encrypted which means that everything you see and do on a webpage can be viewed by a third party.

If you’re in your local coffee shop using their free wifi, somebody could well be watching everything you do.

HTTPS is the secure version of this. With HTTPS, everything between your computer and the website itself is encrypted. Nobody in between can tamper with, or listen in on, what you are looking at.

Why is this important? It’s just a blog.

Quite right – most people probably don’t care that they can now read this site over a secure connection – they’ve nothing to hide. 🙂

However, anybody making comments or registering an account here will potentially be giving their email or other personal details as part of the process. Furthermore, I write articles on this blog from various locations and I want to ensure my own details and credentials are not stolen.

What are the downsides?

For starters, HTTPS slows down websites a little. It’s not much (maybe a tenth of a second) but it is a measurable side-effect.

Second, the technique used does not work for Internet Explorer users on Windows XP (and a few other cases). This is potentially still quite a big audience, but the stats for this blog show that it’s of little concern in my particular case.

Third, it costs a bit of money to get a certificate. Not a huge amount, but greater than zero.


All in, I do think the benefits outweigh the negatives and, while the use on a blog is of marginal benefit, I have plenty of other sites and web apps which I am also trialling on SSL.

Resize partition to fit SD card [Raspberry Pi]

I often need this… originally from tomahhunt on the Arch Linux forums

The following commands resize the main partition of a new Arch Linux installation on a Raspberry Pi to fit the full disk.

Switch to root (sudo or su), then open the SD card in fdisk:
fdisk /dev/mmcblk0

Delete the second partition /dev/mmcblk0p2:
d > 2

Create a new primary partition and use the default sizes prompted. The new partition must start at the same sector as the one you just deleted (fdisk’s default first sector normally is exactly that), and the default last sector fills the disk. If fdisk asks whether to remove an existing ext4 signature, answer no:
n > p > 2 > enter > enter

Save and exit fdisk:
w

Now reboot. Once rebooted, grow the filesystem to fill the enlarged partition:
resize2fs /dev/mmcblk0p2

Done!

A simple question about logins

More secure passwords are hard to remember.

Memorable passwords are easy to crack.

All passwords should be unique (one for each site/service).

Why the heck, in this day and age, are we still attached to the password? I’m sick and tired of hearing stories of mass password dumps from popular websites, of having to deal with people relentlessly trying to guess my password on different sites (and having to deal with the fallout). I’m fed up with having to have a password manager, of trying to remember so many different pieces of information, of feeling constantly jeopardised if some major site announces another leak.

The industry has resolutely failed to tackle this properly. We have half-baked ‘solutions’ like password managers and two-factor authentication. We end up with identity managers: Persona, OpenID, Google and Passport come to mind, but these ultimately fall foul of the same password issue as before: you still need a bloody good master password.

Why is my device not authenticating me directly – Web of Trust and all that? Whatever happened to all those fingerprint scanners on laptops – did they not work? If my tablet, laptop or phone can absolutely confirm my identity, that should surely be available to all services and sites that I use on that device – just a thought. This is not a new idea in enterprise networks.

I might not give the ‘right’ solution (I have ideas), but I can observe that I think the current one is wrong. We continue to be failed by a lacklustre and ultimately lazy industry. Every time I see a relative or non-technical friend struggle with passwords, I despair. We collectively need to find a solution that will once and for all rid us of this awful mess of passwords.

Frustrations with two-factor authentication

After some decidedly choppy performance from the Nexus 7, I decided to factory reset it. Shouldn’t be a problem, I thought … everything is saved up in the cloud.

Sure enough, once the tablet is restarted I am presented with a login for my Google account. I give my username and password; however, I have two-factor authentication enabled. This is a mechanism whereby, once you have typed your password, you are asked for a six-digit code which rotates quite frequently. The app runs on your tablet or your phone, or you can receive text messages for the same. It dramatically improves the security of your account.

The sign-in procedure for the tablet can’t cope with two-factor, and redirects me to another (slightly dodgy looking) page where I have to type my password again (it’s not easy – intentionally cryptic, and a pain to type accurately on a tablet).

So, I temporarily turn off two-factor authentication, forgetting the multitude of programs which can’t cope with it need their own passwords (and will undoubtedly complain).

This isn’t right, I remind myself. We need to be secure about this, so after some progress on the tablet I re-enable two-factor authentication. Now, the tablet complains again – understandably – but I’m met with the same system that can’t understand its own servers … I’m redirected back to the odd-looking webpage (this is genuine Google, it just looks awful).

To make matters more interesting, Authenticator was installed on the tablet before, so I also need to re-enable that. Curiously, selecting the Google account didn’t work (after asking for the password yet again), so I resorted to the 16-character key code.

Finally, it works. However, I’m left frustrated by the performance. It is concerning that those who might benefit from two-factor the most, the less technical user, are expected to run through the same hoops. Not a chance.
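As an added illustration, not Google’s code, here is how the rotating six-digit code works: it is a TOTP (RFC 6238), derived from a shared secret and the current 30-second time step, and the 16-character key code the Authenticator app accepts is that secret, base32-encoded. The secret below is the RFC 6238 test key (constructed, not a real account secret) and the verify function is a constructed server-side check.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
# A real Authenticator key code is the same kind of string, typically 16 chars.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Key codes are shown unpadded, sometimes with spaces or lowercase."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Code valid during the time step containing for_time (Unix seconds)."""
    counter = for_time // step
    msg = struct.pack(">Q", counter)  # 8-byte big-endian step counter
    mac = hmac.new(decode_secret(secret_b32), msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_code(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    to tolerate clock drift, comparing in constant time. Anything outside that
    window, e.g. a code copied from an old text message, is rejected."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(RFC_TEST_SECRET, now))
    print("seconds until it rotates:", 30 - now % 30)
```

Because the code depends only on the secret and the clock, the app works with no network connection, which is also why a device whose clock is badly wrong will be refused.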

“Syncs with Dropbox”

As we stampede ever closer to online lives – our creations in the cloud – the idea that Product A works well with Product B must surely be a fading one?

Why do I care that your app syncs with Dropbox and Box.net? I do care that it doesn’t sync with Google Drive – a service I’d prefer to use.

Your timesheet app sends its data to Freshbooks? Great, but I use Kashflow and I rather like it.

We see something of a solution with Intents, both on the phone and on the web, but I’m sure there are plenty more iterations to come. Like the proprietary file formats of yesteryear, the idea that your app operates by product, not by protocol, means that it is limited in both scope and complexity.

Incidentally: I don’t necessarily wag the finger at product designers here.

The Smarter Shopper

It’s quite evident that shops will up-sell over-priced accessory items when selling a large item at a lower price.

Every type of trade seems to have them. IT people are aghast at the prices high street chains charge for USB cables; those in the know will shop online in technical stores. What might cost you £20 in a well-known purple world of PCs can be bought online for less than £3, often including delivery.

We sometimes have to be careful not to buy too low. I tried some incredibly cheap USB cables (think 50p each) and they were useless. There is a quality associated with these things; high street names will pick good enough and up-charge. You have no such guarantee online – cheap really can be too cheap.

The usual accessories seem to be:

  • Camera shops and lens protectors (the little glass add-ons you put in front of your expensive lens);
  • Computer chains and USB cables;
  • Audio/visual shops and ‘gold plated’ HDMI/audio cables;
  • Most high street shops and batteries;
  • Printer companies and ink.

Some are about being in the right place at the right time. Computer devices curiously come without cables; many electronic devices come without batteries. Of course, you’re in the shop and you’re likely to buy them irrespective of the price.

For the canny shopper, though, it’s quite possible to buy online or through smaller traders for the accessories while getting the main item in-store. The usual choice might be Amazon, but is this always the best? I’d like to imagine a website where a user could select the accessory they’re looking for and be pointed in the right direction by reviews. Need batteries? This place is brilliant.

My usual choices for cables (computer and audio) are eBuyer or Amazon. I haven’t bought batteries online yet but I suspect Amazon will again be a good choice (well-known brand or are there lesser-known ones that work fine?)

If you have any suggestions please let me know and I’ll put them on here.


In-Car Web Cameras

Today and yesterday I’ve been spending a little bit of time putting together a Raspberry Pi-based webcam for my car. The idea is straightforward enough, I want something recording the road around me just in case – we’re not quite at Russian levels but it’s a precaution I’d prefer to take. It also might come in handy if meteors fall or the sea comes in.

Using motion, a Creative LiveCam and the instructions I found here I set up something which appears to work reasonably well and doesn’t instantly fill up the paltry 4GB card I have in the Raspberry Pi.

For those not yet aware, Raspberry Pis are very cheap computers – of the order of £20 – which can be powered from a phone charger (mains or, in this case, in-car) – which makes them incredibly good for fiddling about on projects like these.

I have the camera capturing at 1280×960 at one frame/second. This seems to give a reasonable balance between quality, sense of motion and processing capability. When the car is stationary and there is no visible activity it does nothing; however, if motion is detected in the image the device begins to record both higher quality images and video.


I also have a small wifi dongle in the device, which means I can upload the images automatically when I’m in range of the home wifi, and I can use wifi triangulation to figure out where the car is (poor man’s GPS, basically).

Technical issues so far:

  • Supplying power to the Raspberry Pi is a bit tricky. I’m using the car stereo which has a reasonably clean 5V. The Pi resets when I start the car which isn’t particularly surprising, but I risk corrupting the on-board storage if I do this.
  • The webcam is not really ideal. It’s good for indoor videoconferencing and will return to that job shortly. If I spend a few more quid I should be able to get a better quality image and decent night imagery.

However, technical issues are only one part of this experiment. I’m also trying to consider the social aspects. For one, the webcam is pretty obvious (and glows blue when operating). This is a good deterrent – but might attract undue interest.

I will also be driving in places where photography is usually forbidden – UK customs tend to frown on these things (I don’t particularly think the French care less, they’re so laid back 🙂) – so I would be well advised to tip the camera away at the cross-channel port.

Finally – and this is the bit that really interests me – there is the data that could be collected. What right do I have to record others’ movements? In public it’s fair game provided I’m not using these for profit but consideration needs to be made particularly on private land and overseas.

However, this kind of capture really fascinates me … imagine for a moment if these devices uploaded to the web – to some kind of central processing house (much like Google Goggles or Waze might aggregate your data to learn or otherwise use it). These images could be used in some form of Google Street View (albeit poor quality!), to build a remarkable timeline of environments’ development, or by law enforcement officers to track cars based on your numberplate (ANPR).

If nothing else, the more cameras there are on the road, the more often we will capture extraordinary events on video. For me though, this continues to be an interesting little technical side-project, hopefully with some positive benefits and some food for thought.

What I’ve been Bookmarking – 27 Apr 2013

A collection of some recent articles and pages I’ve found interesting…

Cloud vendors name the price to ‘go private’, where it becomes worth considering using dedicated servers – it’s about $10,000/month.

Some interesting thoughts on using Raspberry Pis and Arch Linux for dedicated servers.

Aldermore appears to be a ‘fresh-thinking’ bank in the UK, focusing on savings & mortgages.

Ways to secure your REST API from Stormpath, a user management service for developers.