My name is Jack Moffett. I am an Interaction Designer with over ten years of experience. According to Herb Simon, that makes me an expert, so I must have something worth sharing. I have started this venture as an exercise to spur critical thinking about my chosen profession. I hope that others may find it thought provoking as well.
DesignAday will present a brief thought about Design every weekday.
Kickstarter was the latest company to have to apologize for a security breach. They encouraged me to change my password. So I did. Even though I was already signed in, I had to enter my current password to edit my account. Then, the change password form provided two fields in which to enter the new password. I clicked my 1Password button and had it insert a newly generated password. When I pressed the submit button, 1Password immediately asked me if I wanted to replace the existing password with this new one, and I of course told it to do so. Then I got this:
Yes, even though I had just entered my existing password prior to entering the new password, it again asked me to enter the old password. I had already replaced the password in 1Password, so I couldn’t have it insert it. Luckily, 1Password keeps a history of passwords for each site, so I was able to open the application, find the old password, and copy it into the field.
I understand the need to be secure, but asking for the old password after entering the new one is just confusing.
When I heard about the improvements to Keychain and Safari’s password features in Mavericks, I wondered about the continued viability of 1Password as a product. The more I learned, however, the more I realized that Apple was just adding the bare minimum capability that would improve security for casual users. 1Password has become an irreplaceable dependency for me.
It annoys me when Safari tells me that it won’t autofill a password because a website told it not to. I don’t care what a website says. If I want Safari to save the password, that’s my prerogative. I found a preference setting that will “Allow AutoFill even for websites that request passwords not be saved”. But, when I tried to turn it on, I got the following message.
“Your Mac must have a screen lock to allow AutoFill for websites that request passwords not be saved.”
I’m not putting a screen lock on my personal computer in my own house. That’s ridiculous. Yet one more reason I’ll stick with 1Password.
Um, how am I supposed to enter my secret question answer if I don’t know what the question is?
Apple’s Keychain does serve a purpose, and perhaps is better than nothing. However, it is fundamentally flawed. When it comes to banks and credit cards, I want to use secure passwords, but I don’t want to have to type them in. Random sequences of letters, numbers, and symbols in mixed case are a pain to type. So, to be at all useful to me, a password aid must remember every password, sync them across all of my devices, and enter them for me.
I don’t care what Discover Card requested. I want strong security and ease of use. I can’t rely on keychain to provide that. 1Password has little to fear from Apple at this point.
I was going through the process of registering a new account today, and the site wanted me to enter a “secret question” in case I need to reset my password. I think that’s a much better approach than providing a list of questions, so kudos for that. However, once I typed in my question and attempted to submit it, I was informed that “Your question must be alphanumeric.” Which means that it can’t have punctuation. I had to remove a comma, an apostrophe, and the question mark. Why in the world are there restrictions on the question?
I require my students to write responses to their reading assignments on blogs so that we can all read and comment on everyone’s thoughts during the week. Some of them are using Blogger, and to leave comments, I must decipher the CAPTCHA security. These have become much more difficult as of late, and I’ve found myself requiring two or three tries because the letterforms are too distorted to make out.
The distortion in this one isn’t too bad, but I took the screenshot to point out the photograph that they are now pairing the distorted “word” with. The instructions say to “Type the two words”, but what exactly am I supposed to type? Should I enter “mmec STREET 6 ssuickd”? That’s more than two words. As it turns out, the only thing I was supposed to enter from the photo was the 6.
When it becomes a challenge for people to figure out, it’s no longer serving its purpose.
I just received the 8 GE LED globe bulbs I ordered for the light in my master bath. At $15 a bulb, they aren’t cheap, but they are rated to last at least 8 years, and they will save a lot of energy, using only 2.8 watts apiece. Each bulb came in standard packaging—a plastic bubble sandwiched within a cardboard frame suitable for hanging from a peg. The designer of the packaging was thoughtful enough to include a perforation on the back at a point where there was enough empty space on the inside to poke a finger through, right at the neck of the bulb, giving you enough of a grip to rip it open.
What that designer didn’t realize was that Snidely Whiplash works for GE’s department charged with ensuring that their products aren’t shoplifted. He made sure that there was an anti-shoplifting RFID tag inside every package. Of course, the best place to put it was where it could not be seen, right behind the neck of the bulb, where there was a little space, so he stuck it right across the perforation, making it impossible to push your finger through as originally intended. I’m sure his dastardly plan is to incite wrap rage in all consumers.
Why is it that so many financial sites think that a bevy of questions is a good security precaution? I’m willing to believe that it is potentially an acceptable backup, but I find many of their implementations to be lacking. Take this one, for example, from a credit card company.
They provide a list of 10 predefined questions, from which I am expected to choose five. I have a few criteria for selection of questions:
- It has to be a question for which I have a definite answer. So, questions about favorite color, food, and the like don’t work.
- It has to be a question for which there is only one correct answer. So, asking me where I went to college is no good. I attended two—one for undergrad and the other for my masters. This also loosely applies to things that could be abbreviated, or that have multiple names.
- It has to be a question to which the answer will not change. So, asking me where my office is located is a poor choice. We’ve moved about every five years.
- It has to be a question that I know the answer to off the top of my head. I don’t want to have to look it up, and I can’t rely on having the information at hand.
So, evaluating the provided options, I can immediately discard numbers 4, 7, and 8. Questions 5 and 9 have the same answer, which seems less secure, so I cut one of those. The first one is a little iffy due to a name change at one point and the use of a hyphen. I don’t trust myself to answer it exactly the same way every time. Now we’re down to five, but the last one I would prefer to abbreviate due to the length of the name, which violates criterion number 2.
I much prefer sites that allow me to write my own questions (which are few). I can easily write questions that fulfill all my criteria and are more secure, due to the fact that they cannot be looked up on the web, unlike the name of my high school.
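Two of the complaints above have a server-side answer: the “must be alphanumeric” rule on a free-text question, and the worry about reproducing a hyphenated or abbreviated answer exactly the same way every time. A site can store the question verbatim (it is data, not code, so punctuation is harmless when it is stored and rendered properly) and compare answers only after normalizing them. The following is an added example written for this page, not code from this blog or from any site it mentions; the PBKDF2 parameters, the record layout and the sample questions are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional, Tuple

# Assumed parameters for this example; tune to your own threat model.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Reduce an answer to the parts a person reliably reproduces:
    Unicode compatibility form, case-folded, letters and digits only.
    'Mount St. Helens', 'MOUNT-ST-HELENS' and 'mount st helens' all
    become 'mountsthelens', so case, hyphens, periods and spacing no
    longer cause a false mismatch."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer.
    Returns (salt, digest); a fresh random salt is drawn when none is given."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
    )
    return salt, digest


def enroll(question: str, answer: str) -> Dict[str, object]:
    """Store the user's own question verbatim (commas, apostrophes and
    question marks included) and the answer only as salt + digest.
    Nothing here requires the question text to be alphanumeric."""
    salt, digest = hash_answer(answer)
    return {"question": question, "salt": salt, "digest": digest}


def verify(record: Dict[str, object], candidate: str) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    _, digest = hash_answer(candidate, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed sample: a user-written question with punctuation intact.
    rec = enroll("What's the name of the street I lived on in 3rd grade, hyphen and all?",
                 "Mount St. Helens")
    print(rec["question"])
    for attempt in ("mount st helens", "MOUNT-ST-HELENS", "Mount St Helens", "Mount St. Helena"):
        print(f"{attempt!r:>20} -> {verify(rec, attempt)}")
```

The normalization throws away a little entropy (case and punctuation), which matters far less than the entropy lost when the question itself can be looked up on the web; a self-written question that only the account holder can answer is still the stronger design, and this code does nothing to rescue a weak one.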
I do not care about copy protection as long as it doesn’t interfere with my lawful use of media that I own (or own a license to—whatever). I get irate, otherwise. I was never particularly concerned with the Fairplay encryption on iTunes music files, because I never encountered any problems caused by it. HDCP, on the other hand, has me on edge.
I purchased a new Apple TV over the holidays. I unplugged the HDMI cable from the old one, plugged it into the new one, powered it on, and got it connected to my network. Everything was working smoothly until my wife and I sat down later to watch an episode of Glee. We got into the show late in the first season, so we had decided to purchase the first season from iTunes and have been slowly catching up on the back episodes. I selected the episode we wanted to watch and was confronted by a message stating that “Apple TV HDCP isn’t supported by HDMI”. Say what!?
After some time spent reading up on the Apple support forums, I tried unplugging the HDMI cable from both the Apple TV and the television and then plugging it all back in. Fortunately, that fixed the problem, and I haven’t had any recurrence. Other people have had to purchase new cables, and some seem to have older equipment that isn’t compatible. Edward Felten, professor of computer science and public affairs at Princeton University, and newly appointed Chief Technologist for the U.S. Federal Trade Commission, wrote “The main practical effect of HDCP has been to create one more way in which your electronics could fail to work properly with your TV,” and that HDCP has been “less a security system than a tool for shaping the consumer electronics market.” (Wikipedia)
There are already methods of hacking HDCP, so as is usually the case, pirates will do as they please, while I have to needlessly suffer the aggravation of additional complexity.
My bank just released their new iPhone app. I don’t know that I’ll ever really need to make a transfer or check my balance from my phone, but I went ahead and got it. So many of the apps I have are there for the “what if” situations. Now that I have it installed and set up, I doubt I’ll ever use it. They require that I log in with a password every time I open the app. Now, you might think that sounds reasonable, considering it provides direct access to my bank accounts. However, it is the same login that I use to access my accounts on their website. That password is a secure password that I manage with 1Password. In other words, it is long, completely forgettable, and difficult to enter.
Secure passwords are not acceptable for mobile use, and there’s no way I’m going to change my bank password to something that’s easy for me to remember and enter. I do have 1Password on my phone, so the password is there if I really need it. I can copy and paste it, but that ensures that I’ll only use the bank’s app in an emergency.