Blog of a Long Distance Worker Tech

The blog about mobile tech

Password Management – Epilogue

It has been a little over a week now since the Twitter password hack, which we now know to have been a hack allowed by a system design flaw in the authentication system used by them, combined with human factors. A standard dictionary attack was used with a list of known words (combined with single or double numbers) to gain access blindly to a system administrator account on Twitter. This was a further confirmation that having a password strategy as I described last week is a damned fine idea, particularly with online services which, unknown to you, may have the same flaw – a susceptibility to dictionary password attack. Remember, not words…

Password Management

The recent Twitter hacks and the password change that ensued brought to mind approaches that are followed for password management. Now please forgive the heresies I am about to commit.

The standard approach to password management is to have a complex and different password per service and change it often… like once a month. This turns into a complete nightmare today with the growth of the cloud and online services. Even the least evangelical technology user has got to have more than 10 different logon credentials, and to be honest I bet that almost all have a single password for every single one of them… except where technology forces difference, such as differing reset periods and different formats (some allow four characters, some require eight, some need upper and lower case with numbers etc). Of course you can keep an account/password list protected by yet another password, but that just staves off the problem. What about OpenID and other single sign-on technologies? Nope, that is not working either as there are still too many different systems in use.

So what is better? And this is where I am going to commit the second heresy.

Firstly a word about the passwords themselves – they just have to not be words and be made up of a pool of characters that is sufficiently big to make it hard to guess. All this numbers and symbols stuff that you see people using is not always required to do this – heresy number one. I find a good way is to make up the password from a set of syllables, which makes it easier to remember, because writing them down is both a pain and a major risk – for example:

tor – ver – nop
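As an added example (not code from the blog), this Python checks a candidate password against the "known word plus one or two digits" pattern that the epilogue describes, builds a password from random syllables in the tor-ver-nop style, and compares the search space of the schemes in bits. The word list is a constructed stand-in for a real dictionary.

```python
import math
import re
import secrets

# Constructed mini word list standing in for a real dictionary (assumption, not the blog's data).
COMMON_WORDS = {"password", "happiness", "twitter", "welcome", "letmein", "monkey"}

# A known word followed by zero, one or two digits: the pattern the epilogue describes.
WORD_PLUS_DIGITS = re.compile(r"^([a-z]+)(\d{0,2})$")

CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                        # 5 letters


def matches_dictionary_pattern(password, words=COMMON_WORDS):
    """True if the password is a dictionary word optionally followed by one or two digits."""
    m = WORD_PLUS_DIGITS.match(password.lower())
    return bool(m) and m.group(1) in words


def make_syllable_password(n_syllables=3):
    """Build a password from random consonant-vowel-consonant syllables, like tor-ver-nop."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
        for _ in range(n_syllables)
    )


def bits_word_plus_digits(n_words):
    """Search space (bits) of 'word + 0-2 digits' over a dictionary of n_words entries."""
    return math.log2(n_words * (1 + 10 + 100))


def bits_syllables(n_syllables):
    """Search space (bits) of n random CVC syllables: 21 * 5 * 21 = 2205 choices each."""
    return n_syllables * math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))


def bits_random(alphabet_size, length):
    """Search space (bits) of a uniformly random string over an alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("happiness12", "torvernop"):
        print(pw, "matches word+digits pattern:", matches_dictionary_pattern(pw))
    print("word + 0-2 digits, 100k words: %.1f bits" % bits_word_plus_digits(100_000))
    print("three CVC syllables:          %.1f bits" % bits_syllables(3))
    print("9 random lowercase letters:   %.1f bits" % bits_random(26, 9))
```

Three syllables give roughly 33 bits against about 23 bits for a word from a 100,000-entry dictionary with up to two digits, which is why "not words" matters more than bolting a number on the end.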

Anyway, to reduce complexity, the better approach is to simplify your account/password usage, do a bit of risk and impact assessment as well, and set a password for low, medium and high impact/risk services. So what do I mean exactly?

First create the Low Risk one – one you shall use for all services that you have to register with but that are not a real life problem if you have it hacked. These are things that do not involve money, that are just for storing preferences or similar. This password never changes unless you feel the need to. This should work for 80% of all web site access in my view. Making it around 7 to 8 characters with an optional single number (for those sites that do insist) is what you need.

Next create the Medium Risk one, for those sites that involve some risk to your financial or reputational well-being – a much smaller number of sites, probably the next 19% of them. This password, being less trafficked, becomes more secure, and you can also decide how often you want to change this one. Changing it on a small number of sites is so much less of a chore, and I do recommend a minimum period of one month and a maximum of three months.

Next create the High Risk one, for those sites that involve major risk to your financial or reputational well-being, the final 1% of all the sites you visit that require authentication. This password, being seriously less trafficked, is also then more secure and easy to change often (probably monthly). Also, in the event of a breach or accident, you can change passwords quite rapidly for this small number of sites.

Of course, you also have the seriously High Risk sites – these will still require a unique password and are such things as banking or company network access, or even the main logon that your home router uses with your Internet service. To be honest most of these will have another control involved, such as a hardware logon device – or at least I hope so.

You will need to always assess each new service for financial or functional impact or reputational well-being to decide which password to use, but in the end you will end up with a small number of passwords to go with the user account names for each service. In fact, you could end up with two active passwords for 99% of all your Internet usage, and feel reasonably safe. Remember, not everyone has to live in Fort Knox; you only have to leave your gold in there. What do you think?

News Clipping Service

Recently I was contacted by a company who wanted to sell me access to a news clipping service. I have no idea why or how they selected me, but they did the hard sell and in response to my rejections threw a free trial at me and they promised to call me after a week to see if I had found it useful. They would then sign me up – at least they hoped they would.

Now those who read this blog know that I value the capabilities of Google Alerts for obtaining live information about whatever subject I want. So it was interesting to compare the service with the ‘freebie’.

Well I can say now that news clipping services are on the death list with the availability of Google Alerts and the fact that pretty much all news and other information is now being published online. The service just provided me the same links that Google Alerts provides, with the addition of fancy graphics, a different interface and a bill. I never checked how much the news clipping service would cost me, but frankly anything more than free would have been too much.

These services can only survive in the future by providing something else of value, but I cannot identify what that something else could be – certainly correcting for the odd false positive is really not worth the money. Google Alerts is the thing.

Google Alerts: Tracking Reputation and Events

The Internet is a big place and there are times when you want to know about something as quickly as it has happened. This can be news about a specific company, a person or a technology. You want to know everything as it happens.

How can you do that? Well apart from scouring the Internet and/or tracking people via Friendfeed or Twitter or any other social sites/aggregators, there is some help out there. It is Google centric, but then Google is most of the Internet these days. The tool is Google Alerts.

Google Alerts offers you a mechanism to create a Google Search as you would via the standard dialogue box, but this search fires either once a day or continuously as Google indexes all those web sites, and sends you the information either in an email or via an RSS feed (a new feature by the way, which I have not got into yet).

The secret is in picking the right search phrase, exactly as the issue is with Google Search. This in fact points you to how to optimise your search: set the search to deliver the right information, then take a copy of what is in the search bar and place it in the alert as you set it up.

As I said, the search can fire once a day or as the index is made. I find the latter best for the sorts of information I track, which is mainly specific key individuals in my industry or specific companies. This also points to one of the best uses of this service – following your online reputation.

Set yourself up a Google Alert with key phrases that match your name and/or normal handle. You will get some false positives (particularly if you have a more common name), but this is worth it to track if anyone is posting some old rubbish about you or your company, or both. This is an invaluable service.

The only downsides are the time taken to read the posts, the fact that there can be a lag between info being published and the notification getting to you, and also the degree of false positives that you have to deal with. I also use it for various members of my own family, and this has proven very worthwhile during a time when a relative was having false nasty posts made in their name, and also when the local paper published some photos of my children – I managed to get the photos notified to relatives before the newspaper had even officially published them :-)

So get out there and use this valuable service to find what you need to know, and protect your reputation online.

Online/Small Business Leave Management

Whos Off Leave

This sounds like a diversion from the main point of this blog, but it really is not. If you are a small business owner or a consultant/contractor who needs to manage a number of other people, then you can be left out in the cold in terms of managing sickness and leave. What I have used in the past and do recommend is the service provided by Whosoff. Whosoff provides a basic free service that gives you a basic workflow for managing the time off that the people you work with have or need. The major advantage of the system is that it is web and email based, available to all, with a good selection of resources for managing leave entitlement.

It does not have full Outlook or iCal integration but that just has to be a matter of time.

Obviously you do need to ensure that you handle the data protection issues that apply, but this is a very effective system.