So I’ve published before about passwords. Now this whole notion of passwords changing is going mainstream. Why do I say that? An article about passwords going away made it into Consumerist. While I don’t think face scanning will necessarily be the security of the future, something will be. Personally, I think that a two-factor authentication method is the most likely option for web sites. For Windows, I’m not sure what it will be. I’m also not sure it matters because if somebody gets a hold of your machine, access is a pretty easy thing.
I just got a new Android Phone, the T-Mobile G2. And I love it. It’s fast, it’s responsive, and the download speeds are incredibly fast (for a phone). The phone is a little on the heavy side but the phone feels so solid, the weight doesn’t bother me. In fact, I would say this is one of the best “feeling” electronic devices I’ve had in years.
This phone replaces my T-Mobile G1 that I’ve had for close to 2 years. The G1 was nice but it was getting long in the tooth. I was disappointed when they didn’t push Android 2.1 to the G1. And, it was starting to feel really slow with some of the applications I use like the Google Navigation app.
So, the first question that comes up is why didn’t I get an iPhone. And there are two primary reasons for that. First, I don’t really want to go back to AT&T. I was with AT&T for years, originally with AT&T Wireless, and their customer service had gotten to the point where I thought it was terrible. It is what made me switch to T-Mobile (who seems to have some of the best customer service in wireless around). That plus a family plan similar to my T-Mobile plan would cost me a bit more per month. My second reason for no iPhone is that I hate iTunes and don’t want to install that beast on my computer.
I am not anti-Apple though. I believe that Apple with the iPhone has taken the user experience to a new, higher level than it was at previously. And that has forced changes at other manufacturers that have made all cell phones better. I’m guessing that the iPad will have a similar effect on the netbook market.
But back to my G2. I knew I wanted another Android phone and with T-Mobile, I had a few to choose from. For me, it came down to two phones: the G2 and the Samsung Vibrant (the T-Mobile Galaxy S phone). And there were a few things that made me select the G2 over the Vibrant:
- The G2 is running Android 2.2 today; the Vibrant is still 2.1.
- The G2 uses the new HSPA+ connection giving 4G connectivity speeds.
- The G2 is a pretty vanilla Android install (which is closer to what I was looking for); the Vibrant includes the Samsung Touchwiz interface. One problem I see with custom interfaces is that they slow down Android updates to the phone (which is why I believe the Vibrant is still Android 2.1).
- More than 4GB of built-in flash memory (with only 1.2GB available – what happened to the rest?).
- The ability to uninstall some of the pre-installed Google apps. For example, Google Goggles and Google Earth are cool apps that I don’t see myself using on my phone. But I cannot uninstall them.
- Chrome to Phone – This is a WOW feature. I look up an address in maps.google.com, click the Chrome to Phone button and, presto, the map shows up on my phone where, with a simple click, I can use it in the Google Navigation App. Very cool.
- The email, calendar and contact integration with Exchange now exists and is fantastic. On my G1 I had to use a 3rd party app. With my G2, I set up the Exchange server as an email, and everything just automatically integrated.
- The performance and responsiveness of this phone is phenomenal. It responds to touch instantly and everything opens very quickly. Yes, it is “only” an 800MHz chip instead of the 1GHz chips in a lot of other phones (like the iPhone 4 and Samsung Vibrant) but it is also a next generation chip. And most of the comparisons I’ve seen between the G2 and the Nexus One, running Android 2.2 with the 1GHz chip, have the G2 being the faster phone.
I’m surprised by how many sites and IT departments continue to force users to change their passwords every 30, 60, 90, 180 days. I find this practice annoying and wonder why everybody thinks this is a good idea. And why this is still considered a best practice.
There are now more opinions to back up my thoughts:
- Password Rules: Change them every 25 years
- Password change myth discounted
- Please do not change your password
But, in spite of this, many IT systems still believe that changing your password every 90 days or so makes things more secure.
Don’t get me wrong, security is important. It needs to be job one in every application that stores anything about me and in every IT department. Protecting my data is very important to me and I don’t want to do business with a company that doesn’t believe security is important.
I do believe that you are more secure with a longer password. And I would rather have a long password than be forced to change my password every 90 days. The problem is that sites make the determination for me by forcing me to change my password. Since long passwords are harder to come up with and remember, I end up with shorter passwords because I take the path of least resistance.
Why am I so worried? In a 3-year-old post, Jeff Atwood, talking about a specific password cracking program in his Coding Horror blog says, “this attack covered 99.9% of all possible 14 character alphanumeric passwords in 11 minutes”. The problem is only getting worse. Some of the new cracker programs take advantage of the massive amount of processing power in the nVidia graphics processor chips cutting the time it takes to crack passwords by 60% or more.
Yet I’m still forced to change my password on some sites. So I go with shorter passwords because coming up with longer passwords is difficult and I don’t want to do that every 3 months. Why is it so hard to get IT people, including myself at times, to acknowledge how security risks have changed and to change our behaviors? And to change “best practices”?
Unfortunately, a few weeks ago, I found out my current employer is closing its doors at the end of the year. So yesterday I got to go to outplacement training offered by my employer. I want to be fully prepared to start a job search and thought this training could help. I have to admit though, I wasn’t looking forward to it. The training was scheduled for a full day and I didn’t know how much I would get out of it. Ultimately I decided to go since I thought my resume could stand some improvement.
So I started looking at some of the new things available with HTML 5 by going through the slideshow found at Html5Rocks. There’s some pretty cool stuff coming. I don’t think it is that far away. But it is definitely not immediate. To prove that, just go to the site with IE. The main HTML5Rocks site works in IE but the slideshow doesn’t.
The slideshow should work fine in IE once IE9 comes out. But why do we have to wait? Mozilla and Google managed to update their browsers to start supporting HTML 5. Why can’t Microsoft do the same? Why must we wait for IE9 (and then for adoption of IE9) before we can start taking advantage of many of the features of HTML5? Seems to me that a position like that just slows down adoption of these great capabilities which will make development easier. Making it even more ironic is that word is already starting to get out about how to add support for HTML5 to ASP.NET MVC (http://www.deanhume.com/Home/BlogPost/asp-net-mvc-html5-toolkit/29).
But I digress; I meant for this post to be about the new capabilities coming, not about Microsoft taking so long to support them 🙂
So, here are my favorite features coming with HTML5:
- The new input types for date, time, email, color, number. Yes, many of these aren’t yet supported. And the richest support is only in Chrome. But when these come, it will be nice. It will make validation easier and it will make things more consistent across web sites. At least, once everybody starts accommodating the new types.
- Easy, easy ways to add audio and video to your site with the new audio and video tags.
- The new CSS selectors will make lots of things easier. And no more jQuery to get different backgrounds on alternate table rows!
- The TextStroke, Opacity, Rounded Corners, shadows and Gradient support is fantastic. Especially the gradient support. I always hated the “hack” of using a 1px wide image to get a gradient color in a background.
- I can see the local storage changing the game a lot. Today, if I have a multi-page “wizard”, I have to send and save the data on the server between pages. With this capability, I could store the data locally and send it once when the user has hit a Save button making my process use less bandwidth and be a bit more crash proof.
I continue to be amazed not by the quantity of spam but by the social engineering aspects and how well it seems to work. And how we tend to treat those people.
In my full-time job, part of my responsibilities is providing desktop support (we are a small shop so we all have a lot of roles). In that role, I’ve seen how well some of these spam and nasty emails seem to work. For example:
- We’ve seen a lot of “fake” retail invoices going out. I’ve had people click on the links contained in those emails which take advantage of some IE holes and install some nasty software. I’m personally surprised that the emails work even though there are issues with the email that make me spot it as a fake almost instantly.
- We’ve had a few emails arrive talking about us being in violation of copyright. The email is “sent” from a real law firm. But again, the content of the email makes me believe it is a fake almost instantly. This email, in fact, has been a big enough problem that the law firm had to put a message on its website letting people know that they did not send the copyright violation email.
These instances got me thinking. How am I able to spot these fakes but many other people can’t? Granted I am a much more sophisticated computer user than most. But why, when I see the issues, do I think it is fake while many other people don’t draw the same conclusion?
For example, many of these emails were sent to an email address that didn’t match the name in the message. For example, Jane Public would receive an email that was addressed to John Smith. To me, this mismatch says “fake”. But John Smith sees this and sends it to Jane Public because he is worried her order has a problem and she won’t know about it otherwise.
So, why do these types of emails work? And what can we do to make them not work as well?
We’ve all given the “be suspicious of emails” talk. Everybody has heard not to click on links in emails you don’t recognize. So the spammers get around this by sending emails from places people do recognize. When the email is from a place people do business with, many people will overlook minor issues and believe the email is legitimate.
How can we change the tools to help people identify a legitimate email from Amazon versus the fake? The spam filters don’t catch them, at least not right away. The mail programs display the email as legitimate. The email looks legitimate. But it’s not. And the tools do nothing to help people identify these as fake.
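As an illustration of what a mail tool could surface to the reader, here is an added example (not code from this blog or from any mail product) that flags the mismatches described above: a sender that claims a known brand from the wrong domain, a To header for a different mailbox, and a greeting that names someone else. The brand table, the sample message, and the `mailbox_owner` / `mailbox_address` parameters are assumptions constructed for the example, and it only handles single-part plain-text messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands mapped to the domains they really send from (constructed).
KNOWN_SENDERS = {"example store": {"examplestore.example"}}

# Constructed sample: a fake invoice for John Smith that landed in Jane's mailbox.
SAMPLE = """\
From: Example Store Billing <billing@invoice-examplestore.example>
To: John Smith <john.smith@corp.example>
Subject: Your invoice

Dear John Smith,

Your order has a problem. Review the attached invoice.
"""

def domain_of(address):
    return address.rpartition("@")[2].lower()

def phishing_indicators(raw_message, mailbox_owner, mailbox_address):
    """Return human-readable warnings for one plain-text message."""
    msg = message_from_string(raw_message)
    warnings = []

    # 1. Display name claims a known brand, address is in another domain.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    for brand, domains in KNOWN_SENDERS.items():
        if brand in from_name.lower() and domain_of(from_addr) not in domains:
            warnings.append(f"sender claims '{brand}' but uses {domain_of(from_addr)}")

    # 2. To header names a different mailbox than the one it was delivered to.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr and to_addr.lower() != mailbox_address.lower():
        warnings.append(f"addressed to {to_addr}, delivered to {mailbox_address}")

    # 3. Greeting names someone other than the mailbox owner.
    greeting = re.search(
        r"^(?:Dear|Hello|Hi) +([A-Z][\w.'-]*(?: +[A-Z][\w.'-]*)*)",
        msg.get_payload(), re.M)
    if greeting and greeting.group(1).lower() != mailbox_owner.lower():
        warnings.append(f"greeting names '{greeting.group(1)}', not {mailbox_owner}")
    return warnings

if __name__ == "__main__":
    for w in phishing_indicators(SAMPLE, "Jane Public", "jane.public@corp.example"):
        print("WARNING:", w)
```

Shown as a banner above the message, warnings like these put the mismatch in front of the reader instead of relying on them to notice it.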
We in IT don’t help the situation when we blame the user for clicking on these links. We act like the people that click on these links don’t listen or don’t understand when we tell them how diligent they need to be. If this problem was caused by another person instead of an email, we’d call the person who fell for the plea too trusting or gullible. So why do we deride these people for believing an email that looks legitimate?
I was excited to see the announcement on Scott Gu’s blog about ASP.NET MVC v3. And I was even more excited to see that they are greatly enhancing the validation processing. Specifically, they’ve added a way to perform model level validations. And with the way it looks like it wraps the validations so that you don’t have to create Controller methods specific for your validations, this could be a huge improvement over what was introduced in v2.