Thursday, May 28, 2009

Keeping track of your Web site passwords

I have a dirty secret to share with you all today: until recently, I didn't have a very good strategy for keeping track of my various Web site passwords and logins. Near my desk is a worn set of stapled sheets of paper with various notations about which username, email address, and password I have used to authenticate to each site. Luckily, I work alone, but still it bothers me that if someone were to break into my office, those special pieces of paper would probably be the most important thing to find. I know some of you use Post-it notes for this purpose, and keep them where no one would look, such as under your keyboards.

There is a better way, and I will get to it in a moment, but first I want to take you through some of the other solutions that I have tried and rejected. Since I do most of my work on my laptop, why not just automate the credentials inside my browser? That is good for some of the sites that I use most frequently, but it isn't very secure should someone get a hold of my laptop.

Another idea is OpenID, which is an open-source collection of Web sites that federates your identity, including Yahoo, MySpace, Facebook, and others. OpenID sounds really good, until you start to peek under the covers, and realize that if a phisher ever got ahold of just one authentication of yours at one site, they could pretty much gain access to the rest of your OpenID sites. This is more 'phederated ID' and a hacker's paradise. The problem is that once you authenticate properly on one Web site, you can use your OpenID URL to gain access to anything else.

I have mentioned in previous missives and that attempt to consolidate all of your social networking logins in one place, and be able to update your status messages across the board. But it is troubling when I get emails from Quub mentioning that they have upgraded their system and "had to clear everyone's existing credentials that were encrypted with the old algorithm. Please re-enter your credentials under Settings …"

RoboForm is another solution, which basically automates the credentials and saves it in an encrypted spot on your hard drive. That is great, but what happens if you are using a different PC?

Another way is to use some form of two-factor authentication, so called because it uses something that you – and only you – have in your possession, such as a special and unique SecurID token. I have one for my PayPal account; it cost $5 and is well worth the added protection that it offers. Basically, no one else can use my account unless they use the token to sign in.

But the issue with these tokens is that you need one for each of your accounts. There are some vendors who are trying to get around this issue by using one's cell phone as a second-factor authentication tool, including FireID and PhoneFactor. Both require some integration of their tools into your applications, which isn't very good if you want to apply them universally to all of your Web authentications. FireID's solution involves using a special server that sits on my network, while PhoneFactor requires software agents to download to your desktop or to integrate into your Web applications.

So what else can you do? The service that I am trying out now is from Tricipher and called MyOneLogin. It costs $30 a year per user, and everything is done via their hosted service so there is nothing to download, other than an optional Firefox or IE browser plug-in to handle some tasks. You set up a special Web portal for your company, and then add your credentials to the various sites. It comes with hundreds of pre-set applications and works with either special knowledge questions (what was the name of your third-grade teacher) or with your cell phone. The good thing about MyOneLogin is that you can set it up and forget your passwords, because no matter where you are you can log in to the portal and then to your applications. You can mix and match Web and internal apps, such as your VPN login, too, without any programming or installing any servers. And it is also a great solution if a company wants to keep control of these credentials to these sites, so when you leave you can't take your logins with you.

Look for one of my screencast video demos in the near future that will show you more about the service. And you can try it out for 30 days for free if you are interested. Maybe now I can finally toss those special pieces of paper – but first I will have to make sure to shred them!

Wednesday, May 20, 2009

When to defriend and defollow

When I was growing up as a nerdy teen on Long Island, needless to say I wasn't one of the Popular Kids. Back then we called it Junior High rather than the current appellation Middle School, and nerds are now the new cool kids. In my youth, we didn't have reality shows where beauties met their geeks, Bill Gates hadn't yet gone to, let alone dropped out of college, and the Steves were still eating fruits rather than making Macs. We didn't even have computers, phones still had dials on them, and we all watched one of three network TV channels and read newspapers that came in the afternoon. And all of our parents bought American-made cars.

Ok, enough nostalgia. I give this as background, to explain my own behavior when I started getting involved in social networks. My first thought was to collect as many "friends" as I could, to grow my network quickly and add just about everyone that I had an email address for. Now that I have accumulated a bunch of people on Facebook, LinkedIn, Twitter and Plaxo, I have a different strategy.

I want quality rather than quantity. As my networks have grown – and they still aren't as large as my college-age daughter's (see, it is that underdog feeling again) – I have seen the "feed" streams that are produced from all these people just burying me in the details and status updates of their lives. I try to dip into this vast, deep flow of information on a daily basis, but it quickly overwhelms me. I run back to the relative comfort of my email inbox, where at least I can hit the delete key and pare things down to a reasonable single screen of to-do and action items and people that I have to return messages to.

Burger King ran a promotion not too long ago where they asked people to defriend 10 Facebook friends in order to get a coupon for a free burger. They were swamped with thousands of requests, thereby establishing the value of a friend at somewhere around a quarter. That is pretty depressing. I always thought a friend was worth at least a couple of bucks, if not more.

I also want to grow my networks slower, because like anything else on the Internet, I am concerned about customer retention and my networks are my customers. You are the people that will (hopefully soon, puh-lease) pay me money to speak at a conference, write an article or white paper, produce a screencast video, or do some custom product consulting. So I don't want to just spam you with needless updates about what I had for breakfast or insights about my pets or family vacations, although I did get some interesting feedback when I mentioned the books that I read in my last missive.

So I have gotten pickier about who I add to my various networks. And while I don't want to be as snobby as that Jr. High clique of popular kids, I do think we all need to take a step back and consider what our friending – and more importantly defriending – policies will be going forward.

Over at Twitter (where my network is still "just" a few hundred followers), there is a lot of activity around third-party apps that will automatically increase your network with all sorts of tricks. This is a bad thing, because those networks become less valuable as their feeds become larger. You will be adding more noise to the signal, and as a result, miss out on the important stuff.

I am still figuring out Twitter, to say the least. But I can tell you that my Twitter activities have saved me a grand total of $140, which is the overdraft fee that Bank of America initially charged me when I deposited a check to the wrong account. Through the miracle of social networks, I was able to tweet my bank, email them the information and get them to call me and correct the problem, and probably keep me as a customer.

Now, I don't have all the answers here. Or even some of them. And I am glad that I don't have to deal with the hyper social strata that are Middle School today. But I can take some small comfort that none of my 20-something children have Twitter accounts, at least not yet.

Monday, May 4, 2009

The new breed of eReaders

The New York Times has a story today about progress that is expected on the next generation of eBook readers, but I have already seen this future thanks to a long-time correspondent and independent software developer Hank Mishkoff. The Times story can be found here:

The Times piece talks about the main supplier to the Amazon Kindle and Sony reader, E Ink, and a new entry to the scene who is also mentioned in last month's Technology Review here:

I don't have a Kindle, but have borrowed a couple of friends' units for a few minutes. It has its own broadband modem that does the selecting and downloading of content and that is why the initial price of the device is so high (around $350). Instead, I have read several books on my iPhone using the Kindle app. You need to go to Amazon's Website using a standard browser and select and pay for which books you want to receive on your phone, and then the download happens relatively quickly once you bring up the app on your phone. I found the iPhone app to be very satisfying for the pulp fiction trash novels that I like to read on planes and other fill-in time when I don't want to drag around my laptop. It is nice to have a book to read "automatically" – without having to carry something else.

But the Kindle and its ilk only do monochrome and static text. They aren't well suited to the hyperlinked world of the Web, and they require specially formatted books for each device – the version that you download for the Kindle will work on both the device itself and the iPhone, but that is about as cross-platform as you get. These books won't work on the Sony reader. And the books aren't free, although Amazon at any specific time has a lot of sales going on, and indeed I found a new series of thrillers by Lee Child that I have quickly become a fan of, since one of them was available free on Amazon's store. (Great marketing idea, by the way, and yet another way for authors to seed their content to early adopters.)

So what about Mishkoff's idea? He calls it the "xBook" and incorporates video, full color pictures, and hyperlinks into his reader. The idea being that an inquisitive reader would want to do the same sorts of explorations and Web surfing expeditions that someone who is used to a browser would perform. He has cobbled together a video that demonstrates his idea here:

Note that the xBook is still very much a concept and far from an actual product. Mishkoff wants to try to get someone to help fund a project to build a device, or at least some software that will work with existing platforms.

As many of you know, I am a pretty voracious reader and I welcome these experiments. I still buy lots of books and don't think that will change, even with the Kindle et al. coming of age. And do contact Mishkoff (his information is on his Web site) if you are interested in following up with him further.

About Me

David Strom has looked at hundreds of computer products over a more than 20 year career in IT and computer journalism. He was the founding editor-in-chief of Network Computing magazine, and now writes for Baseline, Information Security, Tom's Hardware, and the New York Times.