Friday, July 29, 2011

Another reason DDG is awesome: URL parameters

I cleared out my cookies and was really bummed that everything I had set up in DDG was undone, but then I discovered that you don't even need an account to save your settings: just a URL. Set all your settings and scroll toward the bottom, where there is a custom URL that will automatically apply all of them. Awesome for when you're on the go or if you clear your cookies.


COPY YOUR OWN URL FIRST to back it up, then CLICK THIS FOR MINE, if you want.

-Bry

Wednesday, July 20, 2011

Absolutely terrible, terrible TOS

I really loved Mint.com for a while because it helped me keep track of my finances. Eventually I had to turn away, mostly because it would never update. It's supposed to send you updates when your account balance is low, but it only updates your accounts when you are logged in...so kinda useless. In addition to that, it either takes 10+ minutes to update (no exaggerating) or it won't update at all and gives you a vague error message.

...anyway, I'd pretty much given up on finding an online service, especially one that syncs with your bank, until I found MonkeyPeanuts on AlternativeTo. It looked very promising:
It's free and anyone can join
Supports all major US banks and credit cards
...
Directly connects to your bank
...
Extensive use of AES encryption
Bank credentials are never stored online

Sounds awesome, right? Of course, it does handle my banking info and whatnot so I try to look into it a bit further, and I happened to run across their terms of use.

We've done our best to make this site as safe, secure, and reliable as possible.
While we strive to provide you with a safe, secure, and reliable service, we do not and cannot guarantee the safety or security of any information or data that you hand over to us.
By signing up and logging in, you've agreed to release us of any liablities that may result from the usage of, or is somehow related to the usage of our service, MonkeyPeanuts.com.
If this is unacceptable to you, please immediately delete any accounts you've registered with us and clear your browser cookies.
Thank you for your consideration, and we hope you enjoy MonkeyPeanuts.com.

Never mind the fact that they spelled "liabilities" wrong or that they use the term "hand over to us"...they start off by saying "safe" and "secure", then they go on to say that they cannot guarantee the "safety" or "security." They're saying that they tried to do something, but they can't guarantee that they did it.

To compare, I tried to read through Mint.com's TOS, and while it's written in legalese, I never saw any part of it that says "You can sign up with us, but we don't promise that your data is secure or that we won't just sell it off or use it ourselves."

Social networking sites get in enough crap for leaking things like e-mail addresses and passwords. Imagine if they leaked your bank information. There's no question about it, sites that have to do with money HAVE to guarantee your safety. This is not leaking your Farmville information, this is leaking your identity, and while it's true that they can't truly promise safety because you never expect a security flaw, they at least have to take responsibility for it. They have to guarantee that your data is safe, knowing that if somehow their security is compromised, they're going to be held responsible. Otherwise, what makes the user want to join? Obviously the developers don't care much about security because they don't have to care much about security: they told us that straight out!

Maybe it's just poor phrasing, but this set off so many bells and whistles. I was really stoked by the screenshots and the features listed, but with those Terms of Service, I'm not even going to register an account to try it out.
-Bry

Saturday, July 16, 2011

Thoughts on creating a strong password system

Ever since TechSnap launched on JupiterBroadcasting, I've started worrying about my online privacy. I've not been the best about creating unique passwords for every site, unless the site is important. Plus, over the years, the passwords I use change so I will often forget the password to a site I haven't used in a while, give it a few guesses, and then eventually have to reset the password (which can be a hassle, since I may have signed up under any of 5 different e-mail addresses).

So I've been trying to think of a good way to create passwords that are easy to remember, but also very strong and different from one another. Most sites just suggest how to create a strong password, which is fine if you only use one site. It's really not hard to create a secure password: mix in numbers and symbols, don't use all lowercase and try to avoid using words period if you can. But if you have literally over 100 sites you've signed up for over the years (like me), from forums to e-mail accounts to social networking, it's a little more important that they are both secure and convenient to remember.


The best site I've come across so far in my searching is an article on About.com titled Passwords: Creating and Maintaining a Strong Password System. They recommend splitting the password into three parts: a common part, a "type" part, and a site-specific part. I think it's a good idea, especially because this makes it easier to remember, and I even started dividing up the sites I'm on by category.

...but it seems like it has one gaping flaw: what if someone were to obtain two passwords from the same type? They could quickly recognize that the two were alike except for the last three characters, which means they just reduced guessing a 14-character password to guessing a mere 3. Now, by doing a quick count on my keyboard, it looks like there are ~100 possible characters for each of those three, which still makes 1,000,000 different combinations (if I did my math right...I was always bad with possibilities). [Yeah, you could totally include Unicode characters or other non-standard ASCII, but most people aren't going to want to dive into the Character Map or memorize a bunch of Alt codes just to log into a website.]

That may seem a little impressive, but then remember that those three characters really aren't going to be just anything: they're going to build off of the site name, with only one of them traded out for a random symbol/number. So if we took Gmail, for example, two of the letters are going to come from "gmail", and they are going to be in the same order as "G-M-A-I-L" ('L' won't come before 'A'). That means character...
  1. Can only be 'g/G', 'm/M' or 'a/A'. That's only 6 characters.
  2. Can only be 'm/M', 'a/A' or 'i/I'. Again, only 6 characters.
  3. Can only be 'a/A', 'i/I' or 'l/L'. Again, 6 characters.
One of those slots is going to be random, but only a symbol or number, because having a random letter in there is going to make it confusing. After another quick count, there are only 35 symbols and numbers on my keyboard.

Multiply that out (35*6*6) and we only get 1,260 possible combinations for your password. "Gmail" is a rather short site name, so sites like "Jupiter Colony" would definitely fare better, but really, if you're going to be able to conjure up these names without looking at a list, you're probably going to pick the first letter of the first word -in this case "J"- and then go from there, most likely including something from the second word, resulting in something like "JuC".


That's definitely my main concern, without even considering how you'd remember what symbols you stuck where for every site and type. (If you "assign" a symbol to a letter, that drastically decreases the strength and possible combinations -in the case above, it would drop it to 6*6*6 = 216.) It seems more along the lines of "security via obscurity", because you're betting that no one will figure out the method you're using, but if they do, they've basically broken in.
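To put the key-space argument above in concrete terms, here is an added example (not from the post or the About.com article) that enumerates the site-specific suffixes the scheme can actually produce for "gmail" and compares their count, in bits of entropy, with the 1,000,000 naive figure and the 216 "assigned symbol" case. It assumes the post's letter windows for the three slots (g/m/a, m/a/i, a/i/l), that the symbol occupies the last slot, and that symbols can be modelled as opaque tokens since only their count matters.

```python
"""Key-space estimates for the three-part password scheme discussed above.

Added example (not from the post or the About.com article). It reproduces
the post's model of the site-specific part for "gmail": three slots, two
holding letters of the site name in order (either case) and one holding
one of 35 symbols/digits. Assumptions: the letter windows are exactly the
post's ("g/m/a", "m/a/i", "a/i/l") and the symbol sits in the last slot.
"""
import math
from itertools import product
from typing import Dict, List, Set

KEYBOARD_CHARS = 100        # the post's count of typeable keyboard characters
SYMBOLS_AND_DIGITS = 35     # the post's count of non-letter keys


def letter_windows(site: str, slots: int = 3, width: int = 3) -> List[Set[str]]:
    """Per-slot letter alphabets as the post lays them out: slot k may hold
    any of site[k:k+width] in either case, so 'gmail' gives 6/6/6 options."""
    site = site.lower()
    return [{c for ch in site[k:k + width] for c in (ch, ch.upper())}
            for k in range(slots)]


def suffix_candidates(site: str, symbol_slot: int = 2) -> Set[str]:
    """Enumerate every suffix the scheme can produce. Symbols are opaque
    tokens (an assumption) because only their count matters for the size."""
    windows = letter_windows(site)
    windows[symbol_slot] = {f"<sym{i}>" for i in range(SYMBOLS_AND_DIGITS)}
    return {"".join(parts) for parts in product(*windows)}


def assigned_symbol_count(site: str) -> int:
    """If every letter is 'assigned' a fixed symbol, the symbol slot carries
    no more information than the letter behind it (6*6*6 = 216 for gmail)."""
    return math.prod(len(w) for w in letter_windows(site))


def compare(site: str) -> Dict[str, Dict[str, float]]:
    """Key-space size and bits of entropy for the cases the post walks through."""
    sizes = {
        "random_3_chars": KEYBOARD_CHARS ** 3,           # the naive 1,000,000
        "scheme_suffix": len(suffix_candidates(site)),   # 35*6*6 = 1,260
        "assigned_symbol": assigned_symbol_count(site),  # 6*6*6 = 216
        "random_14_chars": KEYBOARD_CHARS ** 14,         # a fully random password
    }
    return {k: {"size": n, "bits": round(math.log2(n), 1)} for k, n in sizes.items()}


if __name__ == "__main__":
    for name, stats in compare("gmail").items():
        print(f"{name:16} {stats['size']:>30,}  ~{stats['bits']} bits")
```

The scheme's suffix comes out at roughly 10 bits versus about 20 bits for three truly random characters and about 93 bits for a fully random 14-character password, which is the gap the post is worried about.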


Another one of the fears I've had about it is sites that store the password in clear text. Mostly small forums and such over the years, but I have noticed that some will actually send you your current password in an e-mail when you do a reset, which is a no-no because it means they either use a reversible (two-way) scheme rather than a one-way hash, or they store it in plain text. To me, that seems just ripe for the picking for naughty people seeking passwords, and the more of those they are able to get, the easier it will be to start seeing patterns in the method.

I'm not sure if there's really a better way to do it, though. I realize that all "systems" you might invent mostly rely on obscurity, just because you have a basic algorithm that you used to derive them, but it just seems like this one is less secure than I would hope. The only way to make it truly secure is to use a randomly generated password for every single site you use and keep track of them in a TrueCrypt volume on a PC not connected to the internet, with a password on the BIOS and a TrueCrypt encrypted drive...

My point is, there's always going to be some weakness, it just depends on how much you feel comfortable with it. I definitely don't feel comfortable using the same password for every site, but I'm not quite sure I feel comfortable with this method either. I definitely don't feel comfortable picking a category for "banking", as they suggested, because if you're going to use the same password minus three characters for all the sites that manage your money, you might as well go ahead and just make the check out to "Nigerian Princess Scammers" right now.

If you want to correct or even make a suggestion, feel free.
-Bry

Month: Close but no cigar.

Almost a month ago today, I said I was going to take a month's "vacation" from my computer. Well, I almost made it. I moved out with my brother, which was very time consuming, and we didn't have internet for almost a week, so that probably helped. Even after we got internet again, I didn't boot into Mint for almost a week as well, but then I needed to do some homework, which works best with g++, so I booted into Mint...and the rest is history.

Anyway, I was very close. Kinda nice, I'll probably try to do it again.

-Bry