Remembering passwords

When you actively participate in a lot of different online communities, what are you supposed to do about passwords?

Sure, many people just use the “remember me” option and then forget about it. Inevitably, though, you eventually delete your cookies (or your browser loses track of them on its own — it’s happened to me), and then can’t remember your password.

Sure, you can use the password reminder function. But a) it’s a hassle, and b) that’s assuming you can remember what email address you used to register for that site.

So many people opt for just using the same password everywhere. Bad idea. One hacker gets your password from one insufficiently secure site, and the next thing you know, they’ve got access to your accounts everywhere.

Here’s my solution… I use a relatively simple algorithm for creating a password that’s based on the name of the site. It’s easy enough for me to figure out in my head, but obscure enough that your typical hacker won’t guess it. Maybe a professional cryptographer would, or someone who’s really, really persistent, but the point is just to encourage them to simply move on to someone else once they realize you don’t use the same password everywhere.

I’m not, of course, going to tell you my particular algorithm, but I’ll give you an example one on which you can base your own.

1. Pick any word, or even a nonsensical series, of 4-6 letters. We’ll use “snrgl”.
2. Look at the third letter of the domain name. Let’s say you’re doing this for Yahoo Groups, so we’ll use “h”.
3. Figure the numerical value of that letter in the alphabet. “h”=8
4. Tack that onto the end of your word. “snrgl8”
5. Now, pick a 4 or 5 digit number — NOT part of your Social Security number, and preferably something whose connection to you isn’t obvious. I’ll use the address of my childhood home: “2303”
6. Insert your result from step 4 into the number of step 5 as follows: if the domain is .com, add it after the first number; .net, the second; .org or anything else, the third. This gives us “2snrgl8303”.
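The six steps above, carried out in code. This is an added example, not the author’s own (undisclosed) scheme; it uses the text’s sample word “snrgl” and number “2303”, takes the bare registrable domain (so “yahoo.com” rather than “groups.yahoo.com”, which is my reading of “the domain name”), and counts only letters when picking the third one. The second function is the check a reviewer would want: the longest run two derived passwords have in common, which is the first thing an attacker holding both would look at.

```python
import string

# Added example of the six-step recipe; the base word and number are the
# text's sample values, not anyone's real secret.

def site_password(domain: str, word: str = "snrgl", number: str = "2303") -> str:
    """Derive a per-site password from a registrable domain such as "yahoo.com".

    Assumption: `domain` is the bare registrable name (no "www." or other
    subdomain), since the recipe keys on "the third letter of the domain name".
    """
    label, _, tld = domain.lower().strip().rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected a name like 'example.com', got {domain!r}")
    # Step 2: the third *letter* of the name; digits and hyphens are skipped
    # (an interpretation of the text, labelled as such).
    letters = [ch for ch in label if ch in string.ascii_lowercase]
    if len(letters) < 3:
        raise ValueError(f"{label!r} has fewer than three letters")
    # Step 3: position in the alphabet, a=1 ... z=26
    value = string.ascii_lowercase.index(letters[2]) + 1
    # Step 4: tack it onto the end of the base word
    tagged = f"{word}{value}"
    # Step 6: .com -> after the first digit, .net -> after the second,
    # .org or anything else -> after the third
    cut = {"com": 1, "net": 2}.get(tld, 3)
    return number[:cut] + tagged + number[cut:]


def longest_common_substring(a: str, b: str) -> str:
    """Longest run of characters shared by two strings (classic DP).

    Run it on two passwords derived by the recipe and the fixed base word
    pops out; that is what the recipe leaks once two of them are exposed.
    """
    best_end, best_len = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


if __name__ == "__main__":
    for site in ("yahoo.com", "example.net", "example.org"):
        print(site, site_password(site))
    print("shared:", longest_common_substring(site_password("yahoo.com"),
                                              site_password("example.org")))
```

`site_password("yahoo.com")` reproduces the text’s “2snrgl8303”; comparing it with the password for “example.org” returns “snrgl”, the whole base word, which is why the recipe only holds up while an attacker has a single password to look at.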

Your typical hacker is going to try that password on another site or two, see that it doesn’t work, take one look for an obvious pattern, and give up. Remember, they have only one of your passwords to work from, and from a single instance it’s nearly impossible to derive the pattern. That is also the scheme’s limit: the moment someone holds two of your passwords (say, from two breached sites), the parts that don’t change stand out, and the parts that do can be matched against the two domain names. So treat this as a defence against the casual, one-password attacker it’s designed for, not against someone targeting you specifically. Within that limit it will keep you reasonably safe, and it will certainly make your life easier if and when you need those passwords.

How to visit sites without sharing your real data

Many websites, particularly media sites, now require registration, usually to gather demographic data about users. If for any reason you don’t want to register but still want to view the site, go to, which offers valid logins and passwords for hundreds, perhaps thousands, of sites.

Via Lee Dembart via Kevin Kelly’s “Cool Tools”

What price privacy?

I’m all for privacy rights. I’m all for sites having a privacy policy. But the new California Online Privacy Protection Act of 2003 is a really, really bad idea.

Why? Because no one seems to have even considered any of the negative consequences, or what a slippery slope we start down when we start letting states regulate internet commerce.

In short, this California law, which goes into effect July 1, requires any web site owner, regardless of location, to have a conspicuously posted privacy policy that meets certain requirements if the site collects any personal data from residents of California.

This is just dumbfounding to me. The policy requirements are reasonable enough, I suppose, but it will take me, a pretty technically and legally savvy person, a good four hours to read and review the requirements and implement them. Figure the typical web site owner will have to spend at least that. Multiply that by a few hundred thousand websites, and California has just cost small entrepreneurs across the country tens of millions of dollars in either lost productivity or real expense to outsource the compliance.

Now, here’s where we start to slide down that slippery slope: New York, New Jersey, and several other states have similar (but not identical) laws under consideration. Now imagine multiplying that few hours by 10 or 20 or 50 states that pass such legislation. The cost to web site operators could be in the billions. To the big sites, it’s a drop in the bucket, and most of them already have compliant policies in place. It’s the individual owner/operators who are just trying to build a simple mailing list who will be the hardest hit. The cost of doing business on the web has just jumped an order of magnitude for small sites.

Most astonishing to me is that there has been almost no coverage of this topic, and no critical dialog. A search on Google turns up about 170 entries. For a legal precedent of this magnitude, affecting hundreds of thousands of site owners and millions of users, that’s frightening. And the only objection to the law so far seems to have been from the financial sites who have been selling this information and the direct marketing companies who’ve been buying it.

I love my friends and customers in California, but tell your legislature to go mind their own business and quit playing internet cop. This needs to be a federal or, better yet, international matter. It’s like one beach trying to tell the ocean what to do. I’ll put this site in compliance, but it’s under protest, not because I oppose privacy, but because I oppose state-level regulation of the internet. This is a dangerous precedent.

For more details on the law, its history, and a look at the pros and cons, see my California Online Privacy Protection Act of 2003 Issue Page at

Blog survey results on expectations of privacy and accountability

MIT doctoral candidate Fernanda Viégas just posted the summary of her findings in her blog survey on expectations of privacy and accountability. Among the key findings with a few of my comments interspersed, particularly regarding blogging in a business context:

– the great majority of bloggers identify themselves on their sites: 55% of respondents provide their real names on their blogs; another 20% provide some variant of the real name (first name only, first name and initial of surname, a pseudonym friends would know, etc.)

Of course, in a business context, anonymity doesn’t really serve you very well.

– 76% of bloggers do not limit access (i.e. readership) to their entries in any way

I know of a couple of business bloggers who limit access to their blog, or even charge for their content. It all depends on your purpose for your blog. If you’re trying to build visibility, it doesn’t make much sense. If you’re trying to create an air of exclusivity—an inner circle—then it makes a lot of sense.

– 36% of respondents have gotten in trouble because of things they have written on their blogs

– 34% of respondents know other bloggers who have gotten in trouble with family and friends

– 12% of respondents know other bloggers who have gotten in legal or professional problems because of things they wrote on their blogs

– when blogging about people they know personally: 66% of respondents almost never asked permission to do so; whereas, only 9% said they never blogged about people they knew personally.

– 83% of respondents characterized their entries as personal ramblings whereas 20% said they mostly publish lists of useful/interesting links (respondents could check multiple options for this answer). This indicates that the nature of blogs might be changing from being mostly lists of links to becoming sites that contain more personal stories and commentaries.

I don’t think it’s that so much as just a semantic issue. The distinction between blogs and diaries/journals has grayed, “blogging” has had more media attention, and a lot of people who a few years ago would have called themselves journallers/diarists now refer to themselves as bloggers.

– the frequency with which a blogger writes highly personal things is positively and significantly correlated to how often they get in trouble because of their postings; (r = 0.3, p < 0.01); generally speaking, people have gotten in trouble both with friends and family as well as employers.

I find this fact very interesting, even if it’s intuitively obvious. Definitely a lesson there.

– there is no correlation between how often a blogger writes about highly personal things and how concerned they are about the persistence of their entries

– checking one’s access log files isn’t correlated to how well a blogger feels they know their audience

– despite believing that they are liable for what they publish online (58% of respondents believed they were highly liable), in general, bloggers do not believe people could sue them for what they have written on their blogs.

Again, this is just a summary of her findings. I highly recommend reading the whole report.

Spoke extends privacy safeguards

Later today, Spoke Software will announce important new privacy functionality in both their Enterprise Sales Suite and their public network.

The Spoke Corporate Privacy Suite enables “Enterprise Safe” searching of information and protects end users more effectively from intrusive behavior by giving them greater control over the accessibility of their information.

For their public network, Spoke has announced the creation of a Personal Information Review:

The new Personal Information Review features give people who are discoverable through the Spoke Network the ability to enhance, correct or remove information that can be seen by others simply by contacting Spoke and providing a digitally signed request for authentication.

In order to understand the importance of this, a brief explanation of how Spoke works is in order. Unlike most of the other public social networks, Spoke does not rely on explicit confirmations of relationships, but builds them implicitly from e-mail communications. This allows Spoke users to identify connections to other people who may or may not be Spoke users themselves, and the intermediaries need not be, either. The nature of Spoke only requires that at least every other link in the chain be a Spoke user.

How does this work? Simply put, if I’m trying to connect to Person A, but I don’t know them, if there is a Person B who both of us have exchanged e-mail with, Spoke indicates that there’s a connection chain, even if B is not a Spoke user:

   Me ==> Person B ==> Person A
(Spoke         (Not a            (Spoke
  User)     Spoke User)          User)

It could even go one degree further and connect me to someone who’s not a Spoke user:

   Me ==> Person B ==> Person A ==> Person D
(Spoke         (Not a            (Spoke           (Not a
  User)      Spoke User)         User)        Spoke User)

Now, some people think this is great, because it reflects your real-world connections with a minimal amount of effort on your part. Because your first-tier connections do not have to become Spoke users, you may easily have hundreds or even thousands of connections, as opposed to the few dozen that one typically gets on other sites. With other Spoke members doing the same thing, the likelihood of a given person being found somewhere in the Spoke network, and the odds of you having a shorter connection to them, increase.

On the other hand, this raises major privacy concerns for other people, because Person A has put the e-mail address and other information about B and D onto this public server without their permission. (My personal opinion on this is that having it on Spoke is little or no different than having it on any other third-party service provider one might use to host one’s own data, such as a CRM or online contact management system. A detailed explanation of why is more than I want to go into here, though.)

So why is this new Personal Information Review so important? Simply put, because it lets B and D (and A and Me) correct their information or even remove it entirely from the Spoke database. This overcomes a significant barrier Spoke was facing for mainstream adoption. It is also a major step towards meeting the European Union privacy requirements, which otherwise would have prevented adoption of Spoke throughout Europe.
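The chain mechanism above, and what the Personal Information Review does to it, as an added example that is not Spoke’s code and makes no claim about its real implementation. It assumes the simplest model consistent with the description: each member uploads the set of people they have exchanged e-mail with, every such pair becomes a link, and a chain is any shortest path through those links. The mailbox data is constructed for the example.

```python
from collections import deque

# Constructed sample, not real Spoke data: each Spoke member's uploaded
# e-mail correspondents. "b" and "d" are not members; they exist in the
# network only because members exchanged mail with them.
MAILBOXES = {
    "me": {"b"},
    "a": {"b", "d"},
}


def build_graph(mailboxes):
    """Links are implied by e-mail exchange, so each link has a member at one end."""
    graph = {}
    for member, contacts in mailboxes.items():
        for contact in contacts:
            graph.setdefault(member, set()).add(contact)
            graph.setdefault(contact, set()).add(member)
    return graph


def connection_chain(mailboxes, start, target):
    """Shortest chain from start to target through implied links, or None."""
    graph = build_graph(mailboxes)
    if start not in graph or target not in graph:
        return None
    previous = {start: None}
    queue = deque([start])
    while queue:
        person = queue.popleft()
        if person == target:
            chain = []
            while person is not None:
                chain.append(person)
                person = previous[person]
            return chain[::-1]
        for nxt in sorted(graph[person]):  # sorted only for deterministic output
            if nxt not in previous:
                previous[nxt] = person
                queue.append(nxt)
    return None


def chain_respects_rule(chain, mailboxes):
    """The text's constraint: at least every other person in the chain is a member,
    i.e. no link joins two non-members (such a link could never have been uploaded)."""
    return all(left in mailboxes or right in mailboxes
               for left, right in zip(chain, chain[1:]))


def remove_person(mailboxes, person):
    """Personal Information Review as a data operation: drop someone from every
    member's contact list (and as a member, if they were one)."""
    return {member: {c for c in contacts if c != person}
            for member, contacts in mailboxes.items() if member != person}


if __name__ == "__main__":
    print(connection_chain(MAILBOXES, "me", "a"))   # ['me', 'b', 'a']
    print(connection_chain(MAILBOXES, "me", "d"))   # ['me', 'b', 'a', 'd']
    print(connection_chain(remove_person(MAILBOXES, "b"), "me", "a"))  # None
```

Removing the non-member “b” severs the only route from “me” to “a”, which is the point of the review feature: a person who never joined can still take themselves out of everyone else’s chains.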

Spoke also announced the creation of a Chief Privacy Officer “to oversee all efforts around privacy policy, architecture and functionality, and interface to various stakeholders including users, customers, Spoke and the community at large.” The lucky winner hasn’t been announced yet.

UPDATE: Here’s the official release from Spoke

Blogging draws attention

Many new bloggers don’t realize the impact that back-end technologies like Technorati and Trackback have on the nature of blog communication. While on the surface they appear to be a one-way communication medium—just a simpler way to do web publishing—they are, in reality, a conversation.

Joi Ito points out that many people are surprised to find out that what they think of as a semi-private journal to share with a few of their friends may actually be creating attention they don’t want. As he says

One of the things that some of us forget is that it’s not all about attention. Most people want a little more attention than they get, but they usually want it from the right people and only when they feel like it.

So, while blogging is a tremendous tool for increasing your web visibility, keep in mind that it’s completely public. To update an old saying, “Don’t post anything in your blog you wouldn’t want on the cover of the New York Times.”

More Publicity = Less Privacy

Following up on a recent speech I gave to his group, one attendee contacted me via email and said that while networking online sounds interesting, and even possibly effective, it can also have some downsides if legitimate information being exchanged between online networkers gets into the hands of “undesirables”. He was very concerned about privacy issues in the context of networking online.

I decided to prove a point to him that if you want to become well-known in your field, to Get Slightly Famous, then you have to accept that your life is going to become much more public. Now, I’m no private detective, and definitely not a hacker, but within five minutes, I knew his address, his phone number, his approximate age, his income bracket, two former employers, the position he held at them, and his bosses’ names there.

Have you typed your phone number into Google lately? Odds are it produces a map to your house. Or your name and city? Unless you’re unlisted (and have been for some time), it produces your phone number, address, and a map. Now, you can request that this information be removed from Google, but that same information is still available on dozens and dozens of other sites, each of which has to be contacted individually. If you have your own web site, your address, e-mail, and phone number are most likely available to the general public. Once they’ve got your address, many local property tax authorities have all their records online, and people can find out who owns the property you live in.

And that’s just if you haven’t tried to be in the public eye. If you’ve been prominent in your field, your name is probably scattered across dozens, if not hundreds, or even thousands of Web sites. Now, maybe not a lot of personal information is in those references, but the names of your former employers, college, and even high school very likely are. Combine that with the information above, and you can see that unless you’ve been a hermit, your life is already probably more public than you realize.

Given this, you have three possible choices:
a) Don’t worry about it at all.
b) Do everything you possibly can to protect your privacy.
c) Strike some sort of sensible balance in which you take reasonable, low-effort precautions and just get comfortable with the rest of it.

I choose option (c). For me, one of the keys to making peace with this is to realize that none of this information really ever was private in the first place – it just took a lot more work to make the connections. Reverse telephone books were around for years before the popularity of personal computers. CD-ROMs with that capability were first published in the late 80’s, shortly after the invention of the CD-ROM. Other records have been available at the courthouse or the public library for anyone so inclined to go find them.

The second key was knowing that, as easy as the Web makes it to find out personal information about me, it’s just as easy for them to find it out about someone else. It makes me no more likely to be a target than anyone else.

And the third key was to understand that it’s just as easy, if not easier, for criminals to target you in the real world as online. If they want to know when you’re home and when you’re not, they’ll case your house, not try to learn what meetings you go to online. In most cases of credit card fraud, the numbers are stolen by store clerks, not hackers.

Once you’ve come to terms with these limitations on privacy, here are some simple steps you can take to maintain a reasonable degree of privacy:

  • Protect your Social Security Number. There is almost never a valid reason to give it out online.
  • Make sure your home phone is unlisted with your local phone company.
  • Don’t list your home address, home or cell phone numbers in online résumés or other publicly viewable Web sites.
  • If you’re job hunting, especially if you’re currently employed, you should seriously consider whether you want your résumé on the large job boards like Monster at all. If you do post it, be sure to date it.
  • If you work out of your home, get a post office box and use it for your business correspondence, domain name registration, etc.
  • Don’t mention your spouse or children by name in a public forum.
  • Use forms on your website for visitors to e-mail you, rather than direct links to your e-mail address.
  • Use a different e-mail address for public postings than you use for private, trusted correspondence. This is commonly known as a spam-catcher.

With a little effort and thought, you can protect your personal privacy while still maintaining a highly public personal business presence.