As I prepare for the iPhone training and conference next week, I’ve been paying close attention to all the news I can find about the recently announced iPhone OS 4. Here are some relevant (and not so relevant) links from my news reader:
- iPhone in Business (teaser from Apple re: iPhone OS 4)
- What iPhone 4.0 means for IT (MacWorld speculation re: iPhone OS 4)
- iPhone Developer Program (Apple page with link to compare different developer programs)
- Individual ($99) – Must distribute apps via AppStore, cannot create development teams
- Company ($99) – Must distribute apps via AppStore, can create development teams
- Enterprise ($299) – Must distribute apps in-house, can create development teams
And, then there’s this:
The NativeUnion MM01H not only works with the iPhone, BlackBerry and other mobile phones, but can (with an adapter sold separately), be used as a USB headset for use with Skype and other VOIP services on your computer. It looks like the iBatPhone. Of course, I want one.
Having spent much of my career as a consultant, I’m used to tracking my time against customer and project codes. But, in that environment, there is a tangible value associated with entering my time. If I don’t enter it, I don’t get paid.
But, corporate IT time tracking systems don't usually offer users anything tangible in return for their participation. Sure, I could run a report to see where I’m spending my time. But, how much value does that provide me as an individual contributor? (Okay, I suppose it might be helpful during my annual review. Maybe.)
What I’d really like to see is a system that gives me something in exchange for the time it takes me to use the system. For example, I know of a consulting company that implemented a 360 degree project and peer review system on top of their time tracking system. Their inspiration was the Amazon.com product rating system. It worked like this:
When an employee entered their time into the tracking system (which by the way had a very strong search mechanism for finding the right customer and project codes), they were asked to answer a few generic questions about the project, like this:
- How do you feel about this customer? (very good, good, not good, bad)
- How do you feel about this project? (very good, good, not good, bad)
- How do you feel about this team? (very good, good, not good, bad)
Next, the employee was asked how they felt about working with each of the individuals who’d recently billed time to that same project code, using the same scale: very good, good, not good, bad.
Finally, every question also provided space for comments. These were optional as well. Typically they were used to give out kudos, though sometimes people used them for “constructive” criticism as well.
Once the user completed their survey, they were taken to a summary page that displayed the current week’s results. (Users were not allowed to see the current week’s results until they completed their survey.) The summary included:
- Your personal weekly peer review rating
- Your personal comments from the weekly peer review
- Your personal peer review rating trend (a graph of your rating over time)
- Weekly ratings for every customer, team and project you worked with/on during the week
- Comments for every customer, project and team you worked with/on during the week
- Rating trends for every customer, project and team you worked with/on during the week
All data in the system was treated anonymously, but all data in the system was available to everyone in the company. So, people felt safe venting, but also knew that everyone could see what they were typing. This kept the comments civil – if not always 100% constructive.
The end result – it took a little longer to use the system, but everyone got something out of it:
- The accountants got the billing information they needed.
- Management got valuable insight into how well their projects were going (way before a traditional status reporting system would’ve provided that information).
- Management got valuable insight into which customers were not worth the trouble, and were able to take proactive steps to disengage from those unhealthy relationships.
- Management got valuable insight into which employees were truly admired (or reviled) by their peers and could take action (bonuses!) accordingly.
- And, individual employees got weekly feedback on their performance.
Why haven't more companies leveraged the eyeballs they're putting on their corporate time tracking systems?
Now that I’ve scared your pants off, you’re probably wondering how in the world you’re going to manage all of those passwords for all of your various surfing needs. In this post, I’m going to discuss several options for managing strong passwords. I’ll also discuss the approach I’m planning to take, now that I know better.
Most of us tend to reuse the same password all over the place. But, if you’ve read my previous posts – especially the one that talked about how a cracker can use your personal email address password to gain access to other web accounts – you now realize that this is not a very secure strategy.
But, security may not always be your highest priority. Convenience might rank higher in some cases. If that describes you, then just allow me to point out a few things you may not have considered:
Corporate domain account passwords should be unique.
To reuse this password elsewhere would put corporate data at risk, potentially including any customer or employee PII that you can access. Disclosure of this information could have seriously negative ramifications for the company – and your job.
Personal email account passwords should be unique.
Sharing these passwords puts your entire Internet-hosted life at risk.
Financial account passwords should be unique.
No sense taking the risk that someone smart enough to break into Bank of America can also access your 401(k), credit union accounts, and home equity line.
Any account where you post content should be unique.
Do you review products on Amazon.com? Do you use Facebook or Twitter? Do you comment on videos at Hulu? If so, those posts are all a part of your online persona. If a prospective employer or significant other were to Google you and read those posts, would they want to hire or date you? Would you want to give some random cracker the ability to post in your name? I didn’t think so.
Not much. And, that’s my point. You need to use unique passwords just about everywhere.
A significantly stronger approach is to make up a unique pass-phrase for each site. But, how can you remember them all? It’s actually easier than you might think. Instead of trying to remember all of the passwords for all your sites, come up with a formula for creating unique passwords, and remember the formula. Here are a few to get you thinking:
I love Facebook
Adding the web site name to a short password significantly strengthens the password, and makes it unique to the site. This pass-phrase, which contains 15 characters, including upper case letters, lower case letters and spaces, is extremely strong against brute force attacks. Though, it seems like it would be a whole lot less strong against a dictionary attack or a random guess.
Facts About Crime
This pass-phrase was created using the first three letters of the website name: FACebook. It contains 17 characters, including upper and lower case letters and spaces, which makes it even stronger against brute force attacks than the previous password. This pass-phrase also seems stronger against a dictionary attack.
4 the <3 of Facebook
Using “text” shortcuts, like “4” instead of “for” and “<3” instead of “heart” or “love”, significantly increases the strength of a pass-phrase against brute force attacks because it introduces numbers and symbols. Though, as with the first pass-phrase, this one seems a bit easy to guess.
Can you see the pattern here? This is Facebook spelled out using this pattern: Upper, Lower, Number, Symbol, separated with periods. Replace the “c” with a 3, since it’s the third letter. Replace the “k” with an underscore – the eleventh symbol on the keyboard. Granted, this would be incredibly slow to type. But, it’s probably also the most secure against dictionary attacks. (The third password is actually stronger against brute force attacks due to its length.)
There is one caveat here, though. Finding a single formula that works across all the different web sites out there is probably not possible. So, you may need multiple different formulas. And, then you’re back to where you started.
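To make the brute-force comparisons above concrete, here is an added example (not code from the original post) that scores the three pass-phrases with the character-class model the post uses: an attacker who knows which classes are present has to search alphabet_size ** length candidates. It measures only brute-force work, not how guessable a phrase is, which is exactly the dictionary-attack caveat above.

```python
import math
import string

# Character-class model: the attacker's alphabet is the union of every class
# that appears in the pass-phrase. Sizes are for printable ASCII.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
    "space": {" "},                         # 1
}


def classes_used(passphrase: str) -> set:
    """Names of the character classes present in the pass-phrase."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in passphrase)}


def alphabet_size(passphrase: str) -> int:
    """Distinct characters a brute-force attacker must try per position."""
    return sum(len(CLASSES[name]) for name in classes_used(passphrase))


def keyspace(passphrase: str) -> int:
    """Candidates of the same length over the same alphabet."""
    return alphabet_size(passphrase) ** len(passphrase)


def strength_bits(passphrase: str) -> float:
    """log2 of the keyspace: each extra bit doubles the brute-force work."""
    return math.log2(keyspace(passphrase))


def rank_by_brute_force(passphrases):
    """Strongest first. Length dominates: the 20-character phrase wins even
    though the 17-character one 'looks' harder."""
    return sorted(passphrases, key=keyspace, reverse=True)


if __name__ == "__main__":
    examples = ["I love Facebook", "Facts About Crime", "4 the <3 of Facebook"]
    for p in rank_by_brute_force(examples):
        print(f"{p!r:24} len={len(p):2} alphabet={alphabet_size(p):2} "
              f"bits={strength_bits(p):.1f}")
```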
Password Vaults (or Password Managers)
Don’t think you can remember all those passwords? Why bother when a password vault can remember your passwords for you? Password vaults are nothing more than encrypted databases for your passwords. In order to access the passwords in the vault, you need to enter a master password – to unlock the vault. Some even offer mobile or web-based solutions, so you can always access your passwords, wherever you are.
The key things to consider with password vaults are:
How strong is the encryption used to protect the vault?
You’ll want to make sure that the passwords are encrypted using an industry standard encryption algorithm.
How strong is your master password for the vault?
Remember to create a strong pass-phrase for opening your vault. It’s got the keys to your online kingdom in it, after all.
Can I access the vault when I’m away from my computer?
Some vault programs let you take your vault with you when you hit the road – either on your cell phone or via the web.
Personally, I use a password vault called 1Password, both at home and at work. I store my vault in my Dropbox, so it is automatically synced to all of my computers. Plus, because I can access my Dropbox from the web, and because 1Password builds a web interface into the vault itself, I can access my passwords from just about any web connected device. There’s even an iPhone app (which I don’t use yet).
One final note on password managers: Many of them come with strong password generators. Before using them, make sure that their algorithms are “cryptographically random”. Otherwise, they’re susceptible to dictionary attacks targeted at that specific generator.
Once I discovered how weak my personal passwords were, I went on a quest to inform myself. These posts are my way of remembering everything I learned. I hope you find them useful, as well.
Allow me to turn that question around: “How valuable is the information that you are trying to protect with a specific password?” The more valuable the data, the stronger the password you should use. Let’s take a look at a few examples:
Your Corporate Domain Account Password
At my company, policy dictates that my password be at least 7 characters. But, I am not required to use complex passwords (with both upper and lower case, or numbers, or symbols). So, in theory, I could use a short, simple password. But, as we learned in my previous post, short, simple passwords are trivial to crack, taking less than an hour of a computer’s time.
Of course, our corporate policy also requires me to change my password every 60 days. So, I might feel safe enough with an 8 letter password containing lower case letters, numbers and symbols, which would take an average of 1 year to crack.
That said, the advice from the author of the open-source John the Ripper password cracking software is to use pass-phrases rather than pass-words, whenever possible:
“Yes, for operating systems, applications, etc. which do not have a low limit on the length of passwords they accept, I recommend the use of passphrases instead of passwords. For even better security and/or to have fewer characters to type, both approaches can be combined: separate some words with punctuation rather than spaces, embed numbers and other characters, etc. Ideally, the passphrase should be something you can remember or derive again, but it must not be based on information that is known to others (e.g., your name, a quotation, a piece of the output of a Unix shell command, etc. - those are all to be avoided).”
Your Personal Email Account Password
As I mentioned in an earlier post, reusing your personal email account password across the web is a gigantic hole in your personal information security – not because your email with your Mom about her casserole recipe is particularly valuable, but because your personal email account can be leveraged by a cracker to change your passwords on other systems. In other words, the “information” you are trying to secure with your email account password is every password to every account you have. For that reason alone, I recommend using the longest, most complex password (or passphrase) possible under your email provider’s authentication mechanism.
And, whatever you do, NEVER reuse your email account password on other systems!
I was guilty of this until recently. Never again!
NOTE: Google Gmail requires 8 letter passwords and provides some good advice regarding how to create strong passwords. Microsoft Live only requires 6 letters. Who do you think values your security more?
Your Other Web Passwords
So, what about all those other passwords you have to create for use across the Internet? Well, as with Gmail and Live.com, policies differ wildly from site to site. For example, here are the password policies for four sites I use frequently: AmericanExpress.com, CapitalOne.com, Facebook.com, and Twitter.com. (Can you guess which is which?)
Policy 1:
- Do not use the same password that you use for other online accounts.
- Your new password must be at least 6 characters in length.
- Use a combination of letters, numbers, and punctuation.
- Passwords are case-sensitive. Remember to check your CAPS lock key.
- Be tricky!
Policy 2:
- Your password should be at least 6 characters.
- Your password should not be a dictionary word or common name.
- Change your password on occasion.
Policy 3:
- 8-15 characters
- Not case sensitive
- Aa-Zz, 0-9, ( - ), and ( _ ) only
- At least 1 letter and 1 number
- No spaces
Policy 4:
- Contain 6 to 8 characters
- Contain at least one letter and one number
- Not case sensitive
- Contain no spaces or special characters (e.g., &, >, *, $, @)
- Be different from your User ID and your last Password
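The two restrictive policies in that list (8-15 characters, case-insensitive, letters/digits/dash/underscore only; and 6-8 characters, case-insensitive, letters and digits only) can be written down as rules and their brute-force ceiling computed. The encoding below is an added, constructed example, not any of these sites' own code; it treats case-insensitivity as collapsing the 52 letters to 26, since the site will accept either case.

```python
import math
import re
import string

# Constructed encodings of the third and fourth policies quoted above.
# "extra" lists the characters allowed besides letters and digits.
POLICIES = {
    "third":  dict(min_len=8, max_len=15, case_sensitive=False, extra="-_"),
    "fourth": dict(min_len=6, max_len=8,  case_sensitive=False, extra=""),
}


def allowed_chars(policy) -> str:
    return string.ascii_letters + string.digits + policy["extra"]


def violations(password: str, policy) -> list:
    """Rules the password breaks; an empty list means the policy accepts it."""
    problems = []
    n = len(password)
    if not policy["min_len"] <= n <= policy["max_len"]:
        problems.append(f"length {n} outside {policy['min_len']}-{policy['max_len']}")
    bad = sorted({c for c in password if c not in allowed_chars(policy)})
    if bad:
        problems.append(f"disallowed characters {bad!r}")
    # Both policies require at least one letter and one number.
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs at least one letter and one number")
    return problems


def effective_alphabet(policy) -> int:
    """Distinct values an attacker must try per position."""
    letters = 52 if policy["case_sensitive"] else 26
    return letters + 10 + len(policy["extra"])


def max_keyspace(policy) -> int:
    """Brute-force work for the longest password the policy permits: the
    ceiling the policy imposes no matter how careful the user is."""
    return effective_alphabet(policy) ** policy["max_len"]


def open_policy_keyspace(length: int) -> int:
    """Comparison point: a policy allowing any printable ASCII character."""
    return 95 ** length


if __name__ == "__main__":
    for name, pol in POLICIES.items():
        print(f"{name}: alphabet={effective_alphabet(pol)} "
              f"max bits={math.log2(max_keyspace(pol)):.1f}")
    print("open policy, 15 chars:", f"{math.log2(open_policy_keyspace(15)):.1f} bits")
```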
I ordered the sites in the order I consider to be the strongest password policy to the weakest.
Note that the first two, while only requiring six characters, both allow you unlimited flexibility in the characters you choose. So, while they allow short passwords (insecurely short, in my opinion), they don’t prevent you from using longer, more complex passwords. (I prefer the first one because it recommends using letters, numbers and symbols – the green line on my graph.)
The third policy is fairly weak due to the lack of case sensitivity or the ability to use most symbols.
That final policy is extremely weak. It has me seriously considering my options there. Either I’ll need to start changing that password regularly. Or, I’ll need to take my web browser elsewhere. Fortunately, the site takes other precautions with my data – such as only displaying the last four digits of sensitive numbers, and asking a series of personal questions before allowing me to change my password.
So, which of these organizations values my personal information most?
One more post to come…