Wednesday, October 01, 2008

Keeping Passwords Safe

Keeping your information safe and private in today's online, information-hungry world is no mean feat. Give your telephone number to one company and within a year or two you find yourself receiving calls about insurance almost every day.

Give a company your email address and you'll find your inbox stuffed full of recommendations for cheap medications, Russian/Indian business partners, dating websites and of course porn. (At Horizon Web Development we never pass on your email address).

Unfortunately, short of changing your telephone number and email addresses regularly, there is little that you can do to prevent the two above situations from occurring. 

There is however some information that you absolutely should keep private and safe, no matter what - your Internet passwords.

Memory Aids

We all have passwords; we have to in order to access the countless websites that we need to use, and we all have our own simple memory aids to keep track of the countless PINs and passwords.

The simplest is of course to use the same password for every site; this is also the most foolhardy.

Many users, when they set up a new account online, will give their email address and a password; those that use just one password will therefore have given the same password that they log into their email with.

While this isn't in itself too much of a concern, should the website ever get hacked, the criminal would not only have access to the unfortunate user's email account, but they wouldn't have to be a criminal mastermind to work out their password for shopping or banking websites too.

A recent example of this is the hack of US political commentator Bill O'Reilly, whose website was hacked and a list of users, their email addresses and passwords was published online.

"A case in point is Carolyn Carpenter, 68, of Henderson, Nevada. The list showed she used a six-letter word from the English language to access her account. Early Friday evening, when told she should change all accounts that used the password, she replied: 'Oh damn, I use it all over the place.'"
The Register | Bill O'Reilly's website hacked

No doubt she spent most of the night changing all of her passwords to another six-letter word from the English language, but hopefully she learnt her lesson and used a different password for each.

Other tricks to remember passwords are to use birthdays, a mother's maiden name, football teams or pet's names.

Sadly this is also bad practice, as the first technique a would-be hacker would try is to go through all the words in the dictionary.

The experts warn us that to combat this, the best passwords are those that are not found in the dictionary, those that combine letters and numbers, so rather than Horizon, H0r150n. It just gets a little tricky to remember which letters were substituted for what, and after a few words it becomes impossible to keep track.

Password Manager

Another option is a password manager. There are plenty of them around, such as Keywallet, Passpack and KeePass.

These programs create random passwords for you, and more importantly store them, along with the website and username so that they can be retrieved easily. Such programs make it easy to go from using passwords such as rover, to fS8cSh;o.sPiiMGBuZoqmRgdBotS9N which no one is going to guess, or even crack easily.

The ability to have completely random and also unique passwords for every website is extremely reassuring and one of the best ways to stay safe online. Should one password be compromised somehow, all your others are perfectly safe. You just have to remember the Master Password that accesses all of your other passwords in the program.
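An added example (not from the original post) covering both the substitution trick and the manager-generated password discussed above: it reverses common letter-for-number swaps before a dictionary lookup, and estimates the brute-force search space of a password. The wordlist, the swap table and all function names are assumptions made for illustration.

```python
import itertools
import math
import secrets
import string

# Constructed sample wordlist; a real check would load a full dictionary file.
WORDLIST = {"rover", "horizon", "password", "arsenal"}
# Assumed swap table: each disguise character and the letters it may stand for.
# "5" covers "s" and "z" because the post's H0r150n uses it for "z".
SWAPS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "sz", "7": "t",
         "@": "a", "$": "s"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def undo_swaps(password):
    """Return every lowercase spelling the password could be a disguise of."""
    if len(password) > max(map(len, WORDLIST)):
        return set()  # longer than any wordlist entry, so no match is possible
    options = [SWAPS.get(ch, ch) for ch in password.lower()]
    return {"".join(combo) for combo in itertools.product(*options)}


def is_dictionary_based(password):
    """True if the password is a wordlist entry once the swaps are reversed."""
    return not WORDLIST.isdisjoint(undo_swaps(password))


def brute_force_bits(password):
    """Bits of search space; meaningful only if every character is random."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length=30):
    """Random password drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit(password):
    """Return (verdict, bits) for one password."""
    verdict = "dictionary" if is_dictionary_based(password) else "not in wordlist"
    return verdict, round(brute_force_bits(password), 1)


if __name__ == "__main__":
    for pw in ("rover", "H0r150n", "fS8cSh;o.sPiiMGBuZoqmRgdBotS9N"):
        print(pw, audit(pw))
```

The bit count for H0r150n is an upper bound only: because the audit flags it as dictionary-based, its real strength is closer to the size of the wordlist times the number of swap variants.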

There are however downsides to password managers; should you decide that your current password manager isn't for you, changing it may not be easy. Some, like KeePass, have the option to import and export passwords to and from other programs; however, compatibility between programs is patchy.

Even two programs that import/export in the same formats won't necessarily understand each other's password lists, which means that if you use one, it is best to use it on all your PCs and laptops.

Portable Use

Another drawback of password managers is apparent when out and about and struck by the need to check your email. fS8cSh;o.sPiiMGBuZoqmRgdBotS9N is not a password that is remembered off by heart, especially when you have 30 or more similar ones.

Some password managers, such as KeePass, have portable versions that you can use on a USB memory stick. The safety of this however is debatable. The master password has to be something memorable because if forgotten, there is no way to access all those other passwords.

This of course means that the master password tends to be something like a birthday, a mother's maiden name, a football team or a pet's name, which, as mentioned earlier, is easily guessed or cracked. Carrying around a USB stick crammed with passwords, as well as the corresponding usernames and website addresses, would seem a little risky, especially as they are only protected with a simple password.

Web Based Password Manager

There is however another way of generating random passwords, whilst also getting away with using simple, easy to remember memory aids and passwords. Password Chart offers the ability to create long and seemingly meaningless passwords from simple everyday words.

For example, Horizon Web Development would be:


Easy to remember, whilst also being a strong password. Of course this has its drawbacks too: if the site is offline, or Internet access is not available, you're completely lost unless you printed out the chart.

The best solution is probably to use a mixture of passwords and memory aids, and not rely too much on one product, because if that fails, there will be lots of clicking on Forgotten Password links and waiting for the emails, assuming that you haven't lost access to your email too.



Sunday, September 07, 2008

Google and the Cloud

Google's launch of a new browser named Chrome this week has been met with a somewhat muted response. Although it was expected that at some point Google would launch a browser, there is still concern as to just where this new browser would fit into the market.

Firefox has for several years been taking chunks out of the dominance of Internet Explorer, and if Google's Chrome is going to be taking users from anywhere, it will likely be those that use the likes of Firefox, Opera or Safari.

A different sort of browser

However Chrome isn't intended as a direct replacement for Firefox, or even Internet Explorer for that matter. Chrome is aimed at a completely different market. Chrome's primary aim is to give better compatibility and reliability with some of Google's other services such as Google Apps.

"What we really needed was not just a browser, but also a modern platform for web pages and applications, and that's what we set out to build,"
Mr Pichai, VP Product Management.

Regardless of its main focus, there are plenty of raised eyebrows at the thought of a Google browser.


Google does not have a good record when it comes to privacy; up until recently it kept search data indefinitely, and now Google says that it will only be keeping search data for up to two years.

Many have questioned just why the search company needs to keep this data at all, let alone for two years, and the EU and Norway have launched investigations into this type of data retention.

The data kept by Google includes the search term typed in, the address of the internet server and occasionally more personal information contained on “cookies”, or identifier programs, on an individual’s computer.

It is quite worrying the amount of data that Google, and other search engines are able to glean from simple searches, and it is not clear whether after two years the information is in some way randomised, or deleted entirely.

Peter Fleischer, European privacy counsel for Google, has said that the company...

"...needed to keep search information for some time for security purposes – to help guard against hacking and people trying to misuse Google’s advertising system."

Even so, two years is a long time to keep information on the off chance of misuse.

Google's advertising system has also come under fire for its privacy issues, with AT&T saying:

Advertising-network operators such as Google have evolved beyond merely tracking consumer web surfing activity on sites for which they have a direct ad-serving relationship. They now have the ability to observe a user's entire web browsing experience at a granular level, including all URLs visited, all searches, and actual page-views.

If this wasn't the case before, with Google having its own browser, it is likely to be the case now. A browser automatically tracks the sites that a user visits, as well as storing cookies. Normally this isn't too much of a concern except on a shared PC, but if Google's Chrome sends this information back to Google....

There are already concerns regarding Google's Omnibox:

Provided that users leave Chrome's auto-suggest feature on and have Google as their default search provider, Google will have access to any keystrokes that are typed into the browser's Omnibox, even before a user hits enter....A Google representative told CNET News that the company plans to store about 2 percent of that data--and plans to store it along with the Internet Protocol address of the computer that typed it....In theory, that means that if one were to type the address of a site--even if they decide not to hit enter--they could leave incriminating evidence on Google's servers.

Quite a surprising feature, and again we must ask if this is really necessary. There is an option (Incognito mode) that prevents the sending of information, but it is unclear how well this mode is labelled and whether the average user will be aware of it. As in all aspects of personal privacy, the options should be the other way round: Incognito mode should be enabled by default and turned off by users that wish to, as the vast majority of users are likely just to use the browser as is.

The Cloud

There is of course another area in which Google is competing with Microsoft, the cloud. The cloud is where services are provided as web based applications, in other words where no software is purchased or downloaded, the user simply needs a web browser to use the applications. Many companies are moving into providing services in 'the cloud'; Adobe for instance provides a stripped down version of its Photoshop application for free as a web based service.

Google provides Google Apps, also for free - at least for basic use, as a web based service, directly competing with Microsoft's Office program. Admittedly the cloud appears to be a very useful way of using software at first glance. Previously those using multiple computers had to carry around flash memory cards or USB sticks containing their information and documents. Even then they had to make sure that the same software was installed on every PC they were intending to use.

Google Apps, and other services like them, make working on the move much more convenient and remove the hassle of trying to open an important document on a PC that doesn't have Microsoft Office installed.

Along with the pros, there are a few cons; this move toward providing a service rather than the actual software means that the user has nothing tangible to rely on. Should the internet or even just the service provider fail, they are lost.

Then of course there are the costs. At present many of these services are free, with premium paid-for subscription services an option, but once the dominance of the likes of Microsoft is broken, what is to stop these service providers charging everyone? Moreover, what is to stop them setting whatever price they want to, once you have become tied in to their services?

Add to this the privacy issues concerning someone like Google, who have access to your search records and information; with GMail, your emails and content; with your browser, the websites you visit and your browsing habits; and with your documents and accounts they may well have filled in the last gaps in your private information.

Of course this is a cynical view, but a slip-up in the Chrome EULA provided the cynics with quite a bit of ammunition:

"By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display, and distribute any Content which you submit, post, or display on or through, the Services."

This was of course later altered when it was pointed out, but it does bring up another important point: few people actually read EULAs, and this article shows why perhaps they should.

The Future

Google envisions a move toward the cloud in most aspects of everyday computing, and in fact this view is nothing new. Bill Gates said many years ago that he believed computing would move toward a subscription service, where Microsoft are paid every month, just like other utility providers. Now such a reality is closer than ever.

However a complete move to remote computing is unlikely, what with the prevalence of cheap flash storage and with laptops and netbooks being so cheap and open source software being so freely available, there isn't a desperate need for such a solution.

Should Google resolve its privacy issues, it will be an excellent option for many people, and that of course is what is key - choice. It would give users a variety of options of how to use software, so they aren't tied to just one method, particularly those on the move. The smart people would have a laptop and/or a flash card and perhaps use Google Apps too, just in case one should fail.

Google's Chrome is an interesting move. Chrome isn't yet the answer to anyone's prayers, but it will certainly push forward browser development and open new avenues. If the fears over Google and privacy turn out to be wholly unfounded, then it may help enable a much freer computing environment for everyone.
