Privacy: October 2007 Archives

Not teaching safer surfing? You should be Education IT | ZDNet.com

Not surprisingly, the study found that 49% of teens who posted photos of themselves received unwanted, uncomfortable contacts. The moral of the story? Don’t post your picture online!

That's said so blithely, by so many people. And I couldn't disagree more.

Not posting photos doesn't make the problem go away. It may reduce it, and it may defer it, but one way or the other, your kids will have to deal with unwanted advances—online or off. The moral of the story is that this is an excellent opportunity to teach your kids _how_ to deal with unwanted advances. Much, much better to deal with it the first time in a safe virtual environment, than wait until they are on their own, or facing it in the real world.

Anyone who tells their kids to not post photos and then walks away thinking the problem is solved has just done their kids (and themselves) a major disservice. They've swept the issue under the carpet, and done nothing to educate their kids. I don't seriously think that Christopher Dawson really thinks that's all that parents should do—he talks about comprehensive education as well. But unfortunately, I think the message that parents will take away from that article is the simplistic moral. And that does more harm than good.


Here's yet another article on some site which had thousands of passwords broken.

Hackers target Finnish forum, crack logins for almost 80,000 users ArsTechnica

Although the exposure of forum login information might not seem like much of a blow to users, many people use the same login information for a multitude of services. In fact, in a recent survey conducted by McAfee, a quarter of the respondents said that they use the same password for all of their online accounts, and almost half never change their password.

Unfortunately, technical bloggers casually toss out warnings like that and indicate how stupid users are, without providing any solutions. I mean be reasonable. Over the years I've managed to accumulate passwords to hundreds of sites—how on earth could I manage to keep track of them if every one of them was different?

I'm glad you asked.

Once upon a time I had a two-password model. A “secure” password for sites I trusted, and an “insecure” one for sites that I had less confidence in. There are a couple problems with that, but the biggest one is simply that it's impossible to predict who's going to get broken into next. So let's just forget that idea.

There are two simple solutions out there to this problem. One commercial. One free. Both have slight drawbacks, so you'll need to pick the best fit for you. But either one is better than doing it yourself.

The commercial solution is a product which generates passwords (and fills in web forms) for you. I use a product called “1Passwd”, which runs on the Mac, but there are others (on the Mac and PC). (Feel free to put some references to them in the comments.) 1Passwd generates passwords for every site I visit, and it can remember everything I enter in any form. When I visit a site, I simply hit a hot key and it fills in the password. I don't even need to know what it is. So long as I keep my computer secure (1Passwd stores its password in the Mac's KeyChain, which is locked with my login password), my passwords are secure. And because they are randomized, long, and complex, they aren't likely to get broken by a normal password breaker. And if they are, they don't expose my information on any other site—because every site has a different password.

The drawback to a password generator is that you're pretty much up a creek if you don't have your computer with you. (And you'd certainly better back up your passwords!) Most products have versions for Palm and other handheld devices, and ways to export or print the information. And if you do have to type in your password on some other machine, it's going to be a pain (especially if you're on an iPhone or Treo or some such).

The second solution is far simpler, and more portable. It's called SuperGenPass. It creates a bookmarklet (a small JavaScript bookmark that you drag to your browser's bookmark area). When you go to a site where you need to generate (or enter) a password, it pops up a window prompting you for a master “password”. That password is the same all the time, and it's never stored anywhere—only you know it. It uses that password, in combination with the domain of the site, to generate a pseudo-random password, which it then inserts into the form. If it can't figure out where in the form to put it, it shows you the password instead. This works really easily, and the bookmarklet can be installed on just about any browser (including Safari on the iPhone and iPod/Touch). Your master password can be simple and easy to remember—the quality of the final password doesn't depend on the quality of the master password. And if you're on the road without your computer, you can go back to the SuperGenPass site and quickly generate a new bookmarklet.

There are a couple weaknesses to this solution. First, if someone happens to see you type the master password, you've basically given them access to every site you use. Secondly, if the site moves to a new domain you'll need to go to the old domain, have it generate the old password, go back to the new domain, paste it in—because passwords are generated using the domain part of the URL. Thirdly, if you ever have to change your password (as I did, for instance, when Second Life had a security breach) you'll have to use a different master password, and remember that you need to use that particular master password on that particular site. Not the end of the world, but keep it in mind.
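The derive-from-master-and-domain idea and the drawbacks just listed, as an added Node.js example that is not part of the original post and is not SuperGenPass's own algorithm. The PBKDF2 construction, the `sitepw:` salt prefix, the `revision` option and the two-label domain rule are all assumptions made for illustration.

```javascript
// Added example: a generic domain-keyed derivation, not SuperGenPass's own algorithm.
const crypto = require('crypto');

// Reduce a URL to the domain used as derivation input.
// Assumption: keeping the last two host labels is enough. That is wrong for
// suffixes such as "co.uk"; a real tool would consult the Public Suffix List.
function siteDomain(url) {
  const host = new URL(url).hostname; // URL() lowercases the host
  return host.split('.').slice(-2).join('.');
}

// Derive a site password from the master password and the site's domain.
// `revision` is a hypothetical knob for rotating one site's password without
// changing the master password. Nothing is stored: same inputs, same output.
function derivePassword(master, url, { revision = 1, length = 16 } = {}) {
  const salt = `sitepw:${siteDomain(url)}:${revision}`;
  // PBKDF2 makes each guess at the master password cost 100,000 hashes.
  const key = crypto.pbkdf2Sync(master, salt, 100000, 32, 'sha256');
  return key.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').slice(0, length);
}

// Constructed inputs showing the properties and drawbacks described above.
function demo() {
  const master = 'constructed master phrase';
  const a = derivePassword(master, 'https://www.example.com/login');
  return {
    sameSite: a === derivePassword(master, 'https://forum.example.com/'),
    otherSite: a !== derivePassword(master, 'https://example.org/'),
    movedDomain: a !== derivePassword(master, 'https://example.net/login'),
    rotated: a !== derivePassword(master, 'https://www.example.com/login', { revision: 2 }),
  };
}

console.log(demo());
```

Because the derivation is deterministic and its inputs other than the master password are public, anyone who obtains one derived password can test candidate master passwords against it offline. The iteration count only raises the cost of each guess.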

Which is the right solution? It's really up to you. How secure is your computer? Are you using shared machines a lot? SuperGenPass might be the best solution. Do you want a really secure password repository, where you can easily change passwords, and you usually access things from your desktop? Then maybe 1Passwd is the right solution. And of course, the two systems aren't incompatible. You can always use SuperGenPass to generate the passwords, and let 1Passwd remember them.

But my final advice is simple. *Don't* hand generate passwords. *Don't* use the same password on multiple sites. There are solutions out there, they are simple, cheap, and effective. Use them.


About this Archive

This page is an archive of entries in the Privacy category from October 2007.


About Me

I'm the CEO/CTO of Somewhere, Inc., a company building a unified social networking layer that gives people the means to track their friends across multiple social networks.
Creative Commons License
This weblog is licensed under a Creative Commons License.