Got this in an email this morning…
This weekend we discovered that Gawker Media’s servers were compromised,
resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you’re a commenter on any of our sites, you probably have
Why yes, I do have some questions…
- Why are you storing passwords in a form that means people can “release them onto the Internet”?
- Why am I being told on Tuesday about stuff that happened on Saturday?
It’s a bit poor that websites devoted to telling people common sense manage to fail at it themselves. It’s very, very simple: do not store user passwords in plaintext. User forgets their password? You send them a time-limited token to allow them to reset it.
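To make the two points above concrete, here is an added example (my own illustration, not code from any of the sites mentioned) of what the safe alternative looks like: the site keeps only a salted, iterated hash of each password, so a stolen database contains nothing that can be “released onto the Internet” as a usable password, and a forgotten password is handled with a random, single-use, time-limited reset token of which, again, only a hash is stored. The in-memory `USERS` and `RESET_TOKENS` dictionaries and the `now` parameter are assumptions made so the example runs stand-alone.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a real database.
# USERS:        username -> {"salt": bytes, "hash": bytes}   (no plaintext password anywhere)
# RESET_TOKENS: sha256(token) -> (username, expires_at)      (the token itself is never stored)
USERS = {}
RESET_TOKENS = {}

PBKDF2_ITERATIONS = 200_000     # work factor; raise it for production as hardware gets faster
RESET_TTL_SECONDS = 15 * 60     # reset links stop working after 15 minutes


def _hash_password(password, salt):
    """Slow, salted hash: the same password gives a different hash for every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(username, password):
    """Store a fresh random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def check_password(username, password):
    """Recompute the hash from the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"])


def issue_reset_token(username, now=None):
    """Create the token that goes in the 'reset your password' e-mail.

    Only its SHA-256 is kept server-side, so a database leak does not hand out
    working reset links. `now` is injectable purely for testing.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode("ascii")).digest()] = (username, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(token, new_password, now=None):
    """Consume a token: it must exist, be unexpired, and it is removed on first use."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("ascii")).digest()
    entry = RESET_TOKENS.pop(key, None)   # pop: a token works at most once, valid or not
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    set_password(username, new_password)
    return True


if __name__ == "__main__":
    set_password("alice", "correct horse battery staple")
    print("login ok:", check_password("alice", "correct horse battery staple"))
    print("stored record:", USERS["alice"])          # salt + hash only, no password
    token = issue_reset_token("alice")
    print("reset ok:", redeem_reset_token(token, "new password"))
    print("replay ok:", redeem_reset_token(token, "again"))   # False: single use
```

The reset flow is what the post describes: the site never needs to know the old password, because it only ever needs to prove that whoever clicked the link controls the mailbox, and the link itself dies after a quarter of an hour or a single use, whichever comes first.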
This is also why it’s bad to type in your Facebook/Twitter/Googlemail details into those “import your contacts” forms on websites.
Never mind, nobody is daft enough to use the same password on multiple websites, right?
Look quickly at the above image and tell me what you would type in the second textbox. Yes, it’s the password box, to go with the “Apple ID” above it. But if you look at the dialog, what’s going on with the confusing radio buttons and icons to the left? Am I supposed to click the radio button next to the Apple logo and then type in my Apple ID, leaving the bottom one empty because I’m not an AOL user? If I’m an AOL user, do I click the circle next to the AOL logo and type my details into the textbox next to it, leaving the Apple one empty? After all, in most dialogs the textboxes have labels to the left, rather than above.
Wouldn’t it look better if the AOL/Apple choice was above the textboxes, making it clear they have nothing to do with the boxes themselves? It’d also be good if the “Forgot password?” link was more obvious and didn’t look identical to the “Example: firstname.lastname@example.org” text which you can’t click on. Like this:
After all, it’s a well known thing that people don’t read things properly, and instead just look for the most obvious buttons to click on.
I’ve finally made it home after spending the past six months in an aeroplane (or so it felt, really, I can’t quite put the memories together in a sensible way any more). My experiments into sleep deprivation ended after 30 hours when I fell asleep on my bed while trying to read a book.
After arriving in Frankfurt we walked most of the length of the airport, escaping many long lines of people actually trying to get into Germany and ended up in a line of our own. Once again I was security scanned and my stuff x-rayed just to make sure I’d not slipped anything naughty into my hand luggage between getting scanned in the US and sitting on a sealed plane for seven hours.
Then we went to the gate where I was once again security scanned to, once again, make sure I’d not somehow constructed illegal fireworks from the contents of the duty free shops. This laptop has been X-rayed so many times I probably shouldn’t sit with it on my lap 😉
The flight to Birmingham was quite easy with free food and an irritating child sat behind me. Curiously to enter the UK they didn’t want to security scan me again, and merely stared at me, stared at my passport, stared at me again, scanned my passport and let me back in.
The best bit was that despite being a day late, the carpark didn’t charge me any extra, so we got into the car and drove back to Rob (my cousin)’s house just outside Derby. After a break I then set off to get back home.
I arrived home (after stopping at a services due to me going cross-eyed and filling up on coke and sugar, and then making an emergency pit-stop at the local Sainsbury’s for a pee) and found everything as I left it, with the added bonus of all my plants still alive and no bad smells.
Got to use next week to get sorted for work the week after, but since tomorrow is a Bank Holiday, it can wait.
Following my mess with online banking yesterday I decided to do something constructive. Originally all my passwords lived in my browser and were synchronised between machines using Google Browser Sync. Now this is no more and once again I was forced to either remember them, or write them down somewhere. Writing down passwords is a silly thing to do, so following a recommendation I downloaded and installed KeePass Password Safe.
It works very nicely, I’ve even got the password database stored in my SVN server for safe keeping. I also installed it on my Mac (using KeePassX) and after a quick svn co I had the database on my Mac too, all working.
Shame there’s no Nokia Internet Tablet version, it’d be perfect then. Oh well, I’m happy with 99% perfect 😉
For fuck’s sake.
Last week I managed to mess up while logging into my Natwest online banking. For some reason the system forgot who I was and wouldn’t let me in, instead suggesting I re-register. So I did, choosing a new password and suchlike.
Because I’d just re-registered they needed to send me an activation code through the mail to unlock all the extras that the online banking can do. Fair enough, the letter arrived yesterday.
Today I try to log in and … it doesn’t know who I am again! I’m fairly sure I got my password correct, but either there’s a big cockup with my account or I didn’t.
I will now have to re-re-register and await yet another stupid authorisation code. This time I will take the highly insecure action of writing my password down on a bit of paper and keeping it safe. Online banking – you have failed. You’re asking for too many codes and bits of password and sequences of numbers to verify that I am me. You gave me a two-factor authentication device that I have to use when making bank transfers. Why not use that?
Produce a challenge code that I have to key into my authorisation machine, and then provide my response as another code? If my card’s PIN is secure enough for withdrawing cash, and physically having the card is secure enough for buying things online, then the system should be good enough for online banking, no?
Or just ask for random parts of my personal details each time, it’s what you ask when I forget my password… why bother with making me remember something extra that I have to write down because I am too overloaded to fit it in my brain?
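The challenge/response login suggested above, as an added example (my own sketch, not anything Natwest or any card-reader vendor actually implements): the bank shows a short random challenge, the customer keys it into the device, the device answers with a code derived from the challenge and a secret the bank provisioned onto it, and the bank checks the answer. Each challenge is bound to one login attempt, expires quickly and can only be answered once, so a code read over someone’s shoulder is useless afterwards. `DEVICE_SECRET`, the `PENDING` table and the `now` parameter are assumptions made so it runs stand-alone.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret: in reality provisioned onto the device (or the chip card it
# reads) when it is issued, and held by the bank in an HSM rather than in Python.
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

CHALLENGE_DIGITS = 8      # what the bank shows and the customer keys in
RESPONSE_DIGITS = 8       # what the device shows and the customer keys back
CHALLENGE_TTL_SECONDS = 120

# Bank-side table of outstanding challenges: challenge -> (username, expires_at)
PENDING = {}


# ----- bank side ---------------------------------------------------------------
def bank_issue_challenge(username, now=None):
    """Step 1: the login page shows a fresh random challenge tied to this user."""
    now = time.time() if now is None else now
    challenge = str(secrets.randbelow(10 ** CHALLENGE_DIGITS)).zfill(CHALLENGE_DIGITS)
    PENDING[challenge] = (username, now + CHALLENGE_TTL_SECONDS)
    return challenge


def bank_verify(username, challenge, response, secret, now=None):
    """Step 3: the bank recomputes the expected response and compares it.

    The challenge is popped before checking anything, so every challenge
    answers at most one login attempt, right or wrong.
    """
    now = time.time() if now is None else now
    entry = PENDING.pop(challenge, None)
    if entry is None:
        return False
    owner, expires_at = entry
    if owner != username or now > expires_at:
        return False
    expected = device_respond(secret, challenge)
    return hmac.compare_digest(expected, response)


# ----- device side -------------------------------------------------------------
def device_respond(secret, challenge):
    """Step 2: the device turns the keyed-in challenge into a short numeric code.

    HMAC-SHA256 over the challenge, truncated to RESPONSE_DIGITS decimal digits.
    The full MAC is never shown, so seeing responses does not reveal the secret.
    """
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** RESPONSE_DIGITS)
    return str(code).zfill(RESPONSE_DIGITS)


if __name__ == "__main__":
    # The exchange, with both sides' messages:
    challenge = bank_issue_challenge("customer-123")          # bank -> customer: "key in 04827193"
    response = device_respond(DEVICE_SECRET, challenge)        # device -> customer: "type back 55012984"
    print("bank shows:", challenge, "| device answers:", response)
    print("login ok:", bank_verify("customer-123", challenge, response, DEVICE_SECRET))
    print("replay ok:", bank_verify("customer-123", challenge, response, DEVICE_SECRET))  # False
```

The only thing the customer has to remember is the device’s PIN (which the device itself enforces, as it already does for transfers); nothing in this flow has to be written on a bit of paper, and a phished or shoulder-surfed response is dead as soon as it has been used or the two minutes are up.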