Let Christopher explain it...

It's time to nuke password security questions

I'll come right out and say it - password security questions are not only insecure, they're a blatant security hole. They're worse than not being there at all, and for any of a number of reasons.

First, they're all the same. How many times have you been asked your mother's maiden name, the make or model of your first car, what city you were born in, or the name of your first pet? These answers, if given truthfully, are easy to find out. You've likely blogged the answer at some time in the past.

If I know your uncle's last name, odds are I also know your mother's maiden name (a 50/50 shot there, and if I know he's your maternal uncle, I've got it).

At this point, these security questions are no better than a second, easy-to-guess password. And in cases where they're used to recover a password, they become more of a risk than anything else.

The only thing to do here if these questions are mandated is to make up a unique and incorrect answer. Yet another password. Yet another password to remember, and many password managers don't realize that these question fields are password fields to store and protect.

The immediate solution is two-factor authentication. When you log in to a site, the site sends a one-time code to your phone and you must enter that number. The password is simply there to keep people from causing the code to be spammed to your phone and interrupting you while you're in the bathroom. Since everyone has a smartphone these days (a generalization I'm prepared to make), this requires someone who wishes to hack you to have access to your phone. Sure, if they get your phone they get everything, but they still need to know your password to cause the two-factor to fire. It's not perfect, but it's close.

The real solution is an un-replayable biometric solution. A fingerprint reader on every keyboard, implemented in such a way as to make storing and replaying of biometric data impossible. That's a tough nut and might also have to include physical two-party, but I suspect it would work.

If you want into a site, you don't need to give it a name or password. You simply place your finger on the scanner and then wait for your phone to give you the access code which you then type in. The code expires the moment it's used (or in 60 seconds if it is unused). Thus, storing the biometric data isn't really all that useful. And if the biometric data is somehow hashed with an expiring timestamp, storing it won't do much good after a few minutes anyway.
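The one-time-code flow described above, as an added example that is not part of the original post: a small Python service that issues a code only after the caller has checked the first factor, refuses to keep sending codes to a user who is being spammed, expires an unused code after 60 seconds, and destroys the code on first use so it cannot be replayed. The class name, the rate-limit values and the fake clock are assumptions for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60        # the post's lifetime for an unused code
MAX_SENDS_PER_WINDOW = 3     # assumption: cap on codes sent per user per window
SEND_WINDOW_SECONDS = 300    # assumption: length of that window


class OneTimeCodeService:
    """Hypothetical service modelling the post's flow (not real library code).

    The caller is expected to verify the first factor (password or biometric)
    before calling issue(); this class only handles the code itself.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> (code, issued_at)
        self._sends = {}         # user -> timestamps of recent issues

    def issue(self, user):
        """Return a fresh 6-digit code, or None if the user is being spammed."""
        t = self._now()
        recent = [s for s in self._sends.get(user, []) if t - s < SEND_WINDOW_SECONDS]
        if len(recent) >= MAX_SENDS_PER_WINDOW:
            return None                      # rate limit: stop the phone buzzing
        self._sends[user] = recent + [t]
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[user] = (code, t)      # a new code replaces any earlier one
        return code

    def verify(self, user, candidate):
        """True only for the current, unexpired code; the code is consumed either way."""
        entry = self._pending.pop(user, None)   # single use: a wrong guess burns it too
        if entry is None:
            return False                     # nothing outstanding, or already used
        code, issued_at = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            return False                     # expired unused
        return hmac.compare_digest(code, candidate)   # constant-time comparison
```

Burning the code on a wrong guess means an attacker gets one guess per issued code, and the send limit caps how many codes they can cause to be issued.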

Either way, passwords are dead and password security questions are worse than dead.

(Image: my first pet, "Nonyabizness" - not his real name)


Time to step it up, Apple

I'm an Apple guy, and while I'm not religious about it, I like that all my devices work together now and are generally portable. The UX works for me and I like having a development platform that is, under the hood, UNIX-based.

That said, Cortana kicks Siri's ass. It's not even a fair fight. What Lisa's Windows phone can do, in terms of an intelligent AI assistant, is incredibly compelling.

Apple, your user experience is second to none. Now it's time to kick up the actual heft behind it. Microsoft is eating your lunch in this one, specific area. Step it up.


Why Stephen Hawking is Wrong

I've always wanted to say that ;)

Stephen Hawking is being quoted in the media as saying that the Higgs Field could wipe out the Universe. His point is that at a high enough energy, it could trigger what's called "vacuum decay," a state whereby a "bubble" of vacuum expands at the speed of light, destroying everything in its path. This could happen if the energy of the field is not constant and eventually changes or, as some media are reporting, if a sufficiently advanced civilization were to experiment at such high energies.

To do this would require a linear accelerator, as we understand them, the size of the orbit of the Earth. Not something we're about to build any time soon.

Here's why everyone is wrong, at least about the second part: if it could have happened, it would have by now. Indeed, anything that any civilization could do to destroy the Universe would have resulted in such destruction long ago. The Universe is huge. If something could have happened, it would have. To think that in the 13.7 billion years that we think the Universe has been here NOTHING capable of destroying it has happened yet, but just might any day now is the pinnacle of self-importance. The odds just aren't there.

So relax. The Universe will be here tomorrow. I'm prepared to bet on it, in fact ;)


Linkbait Comes to Television

I spent the evening last night at an Irish Pub (yes, I know, this blog entry can just stop here) watching the Seahawks game. Remember, though I live in Silicon Valley, I'm a Seattle transplant. Go Hawks.

As I and the 50+ fans were enjoying a convincing victory, a commercial came on. It was entitled (and captioned), "The Call," and depicted a woman getting a phone call. She says hello, and her face drops as she listens, clearly being shocked at what she is hearing. I, the viewer, know only her shock - there is no indication of what's actually said.

And then the commercial ends with the call to action to go to a URL to find out what happens next.

No. Just no. Clickbait online is one thing. Doing it in a broadcast television commercial? Sorry, that's farther past a line that's already been crossed.

I encourage everyone to refuse to go to any URL presented in this manner. Please help send a message to advertisers that this simply won't work.

Oh, and get off my lawn.


Facebook to give away how magic tricks are done

Well, not really, but just as stupid. As reported by Ars Technica, Facebook is now placing a [SATIRE] tag next to links that go off to The Onion. Clearly, Facebook is ruining the fun for those of us with enough brain cells to recognize satire when we see it, and is making the presumption that most of you are idiots.

Rumor has it that next week they'll be threatening to disclose the true identity of Santa Claus to anyone under 13 who lied about their age to get an account.

Hey Facebook? You want to do a little editorializing? How about you flag all of those linkbait sites as [DOG CRAP] while you're at it? Now that would be a non-abusive use of your power.
