Password Length Limits

April 7, 2010

I recently signed up to make my car payments online, which by itself is a wonderful thing. When I need to make a payment I simply double check that the money is in my bank account and then I’m a few clicks away from just making the payment. I really don’t enjoy using the postal system mostly because it takes time out of my day to write out the check, fill out the sending information on the envelope and then find a post office box or post office. The other great thing about online bill paying is that I get a lot less physical mail (something I strongly dislike unless it is a letter from a friend or something of that nature). This particular bill paying system (Ford Credit) has a notable limitation on the MAXIMUM length of a password, only 10 characters!

This upsets me for several reasons. The first reason is that all of my passwords are longer than 10 characters (some as long as 25). So, I have to truncate what would be an otherwise secure password in order to use my current password system. Either that, or Ford Credit needs to have its own password, which makes it much less likely that I will remember it (though I already have to remember the limitation of it being a 10 character password). It seems like the 10 character upper limit is fairly arbitrary. I understand that they might need an upper limit in terms of database storage or something, but I assume they run the password through a hashing algorithm, in which case the length of the actual password should not be an issue. It is a simple mathematical fact that longer passwords are more secure (the number of possible passwords grows exponentially with length, after all). So why limit the upper bound?

The other thing that crosses my mind is that their password maximum length squashes the idea of a “passphrase”. I understand that there is a fundamental difference between passwords and passphrases, but I tend to like the idea of a passphrase simply because I find them easier to remember. Yes, I know it’s more typing, but if I have to look up passwords in kwallet I’m already better off time-wise using a passphrase.

To be clear, this isn’t a knock on the actual service offered by Ford Credit. I find that quite easy to use. It is just that the password policy seems rather strange to me.
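To make the hashing point concrete, here is an added example (my own code, not anything from Ford Credit or from this post) showing why a maximum password length is a policy choice rather than a storage constraint. It derives a verifier with PBKDF2-HMAC-SHA256 from the Python standard library: the stored salt plus digest is the same 48 bytes whether the password is 10 or 25 characters long, and the keyspace estimate shows how much security the truncation throws away. The iteration count and the 95-character printable-ASCII alphabet are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional, Tuple

# Constructed parameters for the illustration: PBKDF2-HMAC-SHA256 with a
# modest iteration count, a 16-byte random salt and a 32-byte digest.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
PRINTABLE_ASCII = 95  # assumed alphabet size for the keyspace estimate


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a fixed-size verifier from a password of any length.

    PBKDF2 consumes the whole password, so nothing here needs to know or
    cap how long it is; the output size depends only on the hash function.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the verifier and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def stored_size(password: str) -> int:
    """Bytes the database has to keep for this password: salt + digest."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)


def keyspace_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """log2 of the number of possible passwords of the given length.

    Each extra character multiplies the keyspace by the alphabet size,
    which is the exponential growth the post refers to.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    short_pw = "x" * 10   # constructed: the 10-character cap
    long_pw = "x" * 25    # constructed: the 25-character password
    print("stored bytes, 10 chars:", stored_size(short_pw))
    print("stored bytes, 25 chars:", stored_size(long_pw))
    print("keyspace bits, 10 chars: %.1f" % keyspace_bits(10))
    print("keyspace bits, 25 chars: %.1f" % keyspace_bits(25))
```

One caveat worth knowing when picking a KDF: bcrypt silently truncates input at 72 bytes, so a site using it does have an effective maximum, but it is far above 10 characters and should be checked rather than guessed at.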


“The Computer System Says So!”

March 31, 2010

I suppose this post is mostly a rant/reflection on my recent experience at the New Jersey DMV, but I also have some general thoughts about the excuse store employees, support organizations, insurance companies, etc. use to get information out of you. What I am talking about is that classic line: “I’m sorry sir, but our computers require it”. Oh, well, if that is the case I’ll gladly give you all my personal information! As long as the computer needs it!

This week I set off to try and register the motorcycle I ride under my name. I have been riding it for 2 years, but under my Dad’s registration and insurance. My Dad generously offered to let me have the bike as long as I was willing to pay for everything, which is certainly a more than fair deal. To set this up, you have to understand that I have the following documents: my dad’s registration, my dad’s insurance info, the insurance I put on the bike (because my dad is stopping that now), as well as the current and valid NJ Title for the bike. I figured this was more than enough information to transfer the title and register the bike under my name.

So, a couple days ago I left work on my lunch break to visit the DMV (only 5 minutes from where I work). I give them all the information about the bike, but the VIN number is not 17 characters! *GASP*. Now, you have to understand here, the bike is a 1981 Yamaha XJ650 (pictured below). I am not sure that there were such rigorous requirements in 1981 about VIN numbers on bikes and it definitely does not have a 17 character VIN, assuming it was even called a VIN in 1981. I was told that I would have to provide a _pencil tracing_ of the VIN number in question before I could register the bike. All this despite the fact that I had 4 other, quite legal, documents that had the VIN number on it. The reason I was given: “Well, we switched computer systems and the new system requires the pencil tracing, but going forward you won’t need it”.

Do you think that is a valid reason? I sure don’t. When they transferred the data, couldn’t they have flagged that, because this bike was already registered, the tracing was not needed? Are you kidding? Look, I deal with computers all day, and I’m pretty sure there would have been a way to work around this. In fact, the system must already have an override to indicate that I had a pencil tracing. By the way, they would not accept a digital photograph, only a pencil tracing (humorous given that the pencil tracing is much harder to read).

All that being said, the thing which really upsets me about this is: the computer system was used as the excuse for why I needed the pencil tracing, when, I’m pretty sure that was not the actual problem. I didn’t like it, but I was willing to play along and get the tracing. However, I would have at least liked an honest explanation of why I needed it.

I think this is a more widespread problem, though. For example, when I called a local insurance agency about the bike they too complained about the VIN number and gave the same reason. I politely let them know that I was no longer interested in getting insurance with them.

As a side note here, I would like to say something about dealing with people that tell you this sort of thing. I really tried my best to politely inquire of these people. Most of them are probably not the person who made the actual decision in question, and it is not their fault that the system was designed poorly, or in some cases that they were not properly informed about procedure. I worked in retail for 3 years and I know very well what it is like to have a customer come up and be in your face for 5 minutes about something you have NO control over. So do everyone a favor — be polite. I think it is fine to ask why, but if it is clear the person does not know (or has no way of knowing), let it go! Often you can take your business elsewhere without being rude about it. In fact, I will go so far as to say that there is no reason to be rude to these people. Raising your voice or not listening to them will just make them want to help you less.

Anyway, the solution? Well, it’s simple, just be honest :). Tell people the real reason you can’t do something! Knowing why something can’t be done helps me to bring us to the solution faster. Computers only do what they are told, so some human made a decision at some point that led the computer to prompt the user that certain information must be entered. You can tell me the computer “won’t let you go further”, but so what. That is all predefined in the code; that doesn’t help me any.


Using a Scanner to Reduce Paper Clutter

March 17, 2010

Ok, this might not be the most exciting subject, but I normally find it easiest to blog about things that are going on in my life. Two weeks ago I completed my 2009 tax return online using H&R Block. To be perfectly honest I had very mixed feelings about doing my taxes completely online, but that is the subject of another blog post. Anyway, ever since I got out into “the real world” I have found myself with an ever increasing amount of paperwork and documents that I either “need for tax purposes” or “need to keep for my records”. I absolutely despise clutter because I feel as though it slows me down. I dislike trying to find some cryptic piece of paper in a pile of junk. This large increase in paperwork led me to purchase a scanner to store my documents electronically.

The idea is quite simple (and hardly original). You get a document, you scan it in, and you save it as a PDF. Then, once it’s on your computer, you can set up whatever directory structure makes sense (I store by year and organization). Further, if you use consistent file naming you might be able to search your files for a document that you need. If you have been reading this blog for any length of time it should not be a surprise to learn that I am a Linux user. Presently I run Kubuntu 9.10 so it was important to me that my scanner work in Linux and that I be able to make said PDF files in Linux. The other consideration is that I wanted a cheap scanner since I am scanning mostly black and white documents. I do most of my shopping on Newegg and using the wonderful comments I was able to locate a Linux compatible scanner (more on the setup of that in a future post, but it was not trivial).

In any case once I had the scanner working, I could scan my documents into GIMP. Once they were in GIMP I saved them as PNG files and used everyone’s favorite “convert” to make them PDF files.

convert sample-png.png sample-pdf.pdf

If the documents were more than one page I used pdftk to make one giant document.

pdftk *.pdf cat output final-document.pdf

The trick to getting the *.pdf to concatenate in the correct document order means prefixing the documents with numbers such as: 00-ImportantTaxThing.pdf, 01-ImportantTaxThing.pdf, 02-ImportantTaxThing.pdf, etc.

The method can be a bit roundabout, but I'm sure a bit of bash magic could speed things up a little. Perhaps if I'm feeling motivated I'll write a little python graphical front end to all this.
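The convert-then-pdftk steps above, scripted as an added example (my own code, not from this post). The part that matters for correctness is the ordering: the script sorts on the integer value of the numeric prefix rather than on the raw file name, so 10-Foo.png lands after 9-Foo.png even without zero padding, and it refuses files that have no numeric prefix instead of letting them slip silently into the middle of the document. The `convert` and `pdftk` invocations are the same commands the post uses; the directory layout and file names are constructed for the example.

```python
import re
import shutil
import subprocess
import sys
from pathlib import Path
from typing import List

# A page name must start with a number followed by a dash: 00-Thing.png
PREFIX_RE = re.compile(r"^(\d+)-")


def ordered_pages(names: List[str]) -> List[str]:
    """Return the given file names sorted by their numeric prefix.

    Raises ValueError for any name without a prefix, because a stray
    file concatenated in the wrong place is worse than a loud failure.
    """
    keyed = []
    for name in names:
        match = PREFIX_RE.match(Path(name).name)
        if not match:
            raise ValueError("no numeric prefix on %r" % name)
        keyed.append((int(match.group(1)), name))
    keyed.sort()
    return [name for _, name in keyed]


def png_to_pdf(png: Path) -> Path:
    """convert sample-png.png sample-pdf.pdf, one page at a time."""
    pdf = png.with_suffix(".pdf")
    subprocess.run(["convert", str(png), str(pdf)], check=True)
    return pdf


def build_document(src_dir: Path, output: Path) -> List[str]:
    """Convert every numbered PNG in src_dir and concatenate them in order.

    Returns the ordered list of intermediate PDF paths that went into
    the final document.
    """
    pngs = ordered_pages([str(p) for p in src_dir.glob("*.png")])
    pdfs = [str(png_to_pdf(Path(p))) for p in pngs]
    subprocess.run(["pdftk", *pdfs, "cat", "output", str(output)], check=True)
    return pdfs


if __name__ == "__main__":
    # Usage: python scan2pdf.py <directory of NN-*.png> <final-document.pdf>
    for tool in ("convert", "pdftk"):
        if shutil.which(tool) is None:
            sys.exit("%s not found on PATH" % tool)
    source, target = Path(sys.argv[1]), Path(sys.argv[2])
    for page in build_document(source, target):
        print("added", page)
    print("wrote", target)
```

On newer distributions ImageMagick's policy.xml may forbid writing PDF; because both subprocess calls use `check=True`, that shows up as a `CalledProcessError` rather than as an empty output file.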

In any case, I have found this to be quite nice and it's really easy to find these documents on the rare occasions I need them. Now, I should mention there is one flaw in my plan which my dad brought up. I don't know what the laws are for needing physical copies of documents if you were, for example, audited by the IRS. So, for any extra special documents I just store them away in a folder that is unsorted on the off chance I might need them. Still, this allows me to keep a very clean desk, and still have access to all my documents.


Doing my Taxes Online

March 13, 2010

This year I decided to do my taxes entirely online. I used H&R Block’s internet service for doing taxes and overall it worked very well. I don’t know how complex of a tax operation their service can complete, but my taxes are still fairly simple as I don’t have many deductions and own very little. More frequent readers of my blog might be surprised to learn that I used such a service. After all, they have to store lots of personal information about me in order to complete the tax return!

It is true that I had to put a lot of personal information into this service, and I was quite nervous about that. Sure, they use SSL, but so what. If there’s one thing reading security news has taught me it is that a dedicated enough hacker can essentially get any information they desire. The sad reality I came to terms with is that as long as I am submitting electronically, I will already have to send important data over the internet.

Additionally, how handy the service is partially convinced me to take such a risk. It is true that they sell software which can be installed on my local computer and in theory, if I mailed in my return, I could keep all of my data roughly within my possession. In fact, I am still considering doing it that way, but I am not sure if that is really that much more secure. However, the ability to just open a web browser and pick up where I left off is not something to leave out of this equation.

At any rate, the damage is already done, so to speak, and overall I was happy with the process. I still feel a bit uncertain as to whether this will come back to bite me or not, but I suppose we’ll see. At the heart of the matter is the fact that organizations use one’s social security number in exactly the wrong way (credit card companies, banks, etc). It’s true that it’s a great unique identifier for a database, but there are other and better ways to do things.


Paypal Password Problems

March 10, 2010

So, last week I was going to purchase a shiny new scanner from Newegg.com so that I might reduce the paper clutter that resides at my computer desk at home (more on that later). When I hit the “Finish” button to complete the transaction all seemed well and good until I got an e-mail from them saying that my credit card could not be charged. Long story short somehow someone had my credit card number and ran it into the ground buying — wait for it — Facebook games (funny, I know). Anyway, I got my new card, and I also thought that this was a good time to change all my passwords.

Most of my password changing went without a hitch. However, Paypal had an interesting process. To change my password I had to provide the number of the credit card I had linked to my account. Well, one problem here, I had cut up and discarded my old credit card because it was no longer active. Not one to let that stop me, I took the next reasonable action: I unlinked the credit card from my account. Honestly, I was happy to do that anyway because I hate linking credit cards to online accounts. Paypal tried to make it hard for me to not have a credit card linked, but I was able to click past everything.

This is the best part, though. When I went to change my password I was allowed to do it without providing any additional security information. Frankly, I think using a credit card number as a security measure is a terrible idea to begin with so I don’t care that once I log into my account, that password changing is easy. What I think is funny here is that they put in place a security measure that is trivial to circumvent. In other words, not a real security measure.
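The flaw described here is a general one: a check that guards one path to a sensitive action but not another path to the same outcome is not a real check. The following is an added example, a model I wrote for this post and not PayPal's code, with constructed account data. `WeakPolicy` reproduces the flow as the post describes it (the card number gates a password change, but unlinking the card is ungated), and `StepUpPolicy` shows the usual fix: every security-sensitive change, including removing the card, demands the same step-up proof, here re-entering the current password. `bypass_possible` asks the only question that matters: can someone holding a logged-in session but neither the card number nor the password set a new password?

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    password: str                       # plaintext only because this is a model
    linked_card: Optional[str] = None   # constructed sample card number


@dataclass
class Proof:
    """What the requester can present; None means they cannot present it."""
    card_number: Optional[str] = None
    current_password: Optional[str] = None


class WeakPolicy:
    """The flow from the post: card number gates the password change only."""

    def unlink_card(self, acct: Account, proof: Proof) -> None:
        acct.linked_card = None         # no proof of anything required

    def change_password(self, acct: Account, new_password: str, proof: Proof) -> None:
        if acct.linked_card is not None and proof.card_number != acct.linked_card:
            raise PermissionError("card number required")
        acct.password = new_password    # with no card linked, anything goes


class StepUpPolicy:
    """Hardened model: one step-up check in front of every sensitive change."""

    def _require_step_up(self, acct: Account, proof: Proof) -> None:
        supplied = proof.current_password or ""
        if not hmac.compare_digest(supplied, acct.password):
            raise PermissionError("re-authentication required")

    def unlink_card(self, acct: Account, proof: Proof) -> None:
        self._require_step_up(acct, proof)   # removing the card is sensitive too
        acct.linked_card = None

    def change_password(self, acct: Account, new_password: str, proof: Proof) -> None:
        self._require_step_up(acct, proof)
        acct.password = new_password


def sample_account() -> Account:
    """Constructed account: a password the session holder does not know
    and a linked card whose number they also do not know."""
    return Account(password="correct horse battery staple", linked_card="4111111111111111")


def bypass_possible(policy) -> bool:
    """Session holder with no card number and no password tries the post's path:
    unlink the card, then change the password."""
    acct = sample_account()
    empty = Proof()
    try:
        policy.unlink_card(acct, empty)
        policy.change_password(acct, "attacker-chosen", empty)
    except PermissionError:
        return False
    return acct.password == "attacker-chosen"


def owner_can_change(policy) -> bool:
    """The legitimate owner, who knows the current password, is not locked out."""
    acct = sample_account()
    proof = Proof(current_password="correct horse battery staple")
    try:
        policy.unlink_card(acct, proof)
        policy.change_password(acct, "new and improved", proof)
    except PermissionError:
        return False
    return acct.password == "new and improved"


if __name__ == "__main__":
    print("weak policy bypassable:", bypass_possible(WeakPolicy()))
    print("step-up policy bypassable:", bypass_possible(StepUpPolicy()))
    print("owner still able to change password:", owner_can_change(StepUpPolicy()))
```

The point the model makes is that the gate has to be attached to the outcome (changing the password) rather than to one piece of state (having a card linked) that the requester is allowed to remove.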

On the matter of storing credit cards in a database, I think that is also a big problem. If you don’t store the credit card — guess what — even if someone breaks in, it can’t be stolen! I think these companies should use more discretion when storing credit card numbers. I agree that sometimes numbers have to be stored for things like online monthly subscriptions, but short of that, why bother! I think online retailers shouldn’t even offer it as an option and make the customers aware that it is actually for their benefit. At the very least, don’t default to storing the card, make the user actively seek after that.

Anyway, that is my little tale about password changing, which is a practice I encourage everyone to do at least yearly. Also, I encourage different levels of password security. For instance I have one password I use for online retailer accounts (which I avoid creating if I can), one for e-mail, one for the blog, one for work, one for root access, etc. This way, if there is a breach, I don’t have to change all my passwords and just the ones within the security level that was broken.


I’m Leaving the Hosting up to WordPress

March 4, 2010

I recently put a post on the front page of my website stating that I have switched back to just having this blog on WordPress. The decision to do this was essentially dictated by hearing about a WordPress security vulnerability on the Security Now podcast of the TWiT network.

Now, certainly I am not so foolish as to think the WordPress platform can never have a vulnerability, but the problem is that I don’t always have time to sit down and make sure it is updated. My website is meant to be a window into my digital life that I can update from time to time, not something I have to spend hours a week maintaining.

That being said, I have made all the essential redirects and hopefully I haven’t broken too many RSS feed readers or bookmarks to my blog.

Originally, I set up my own WordPress blog thinking I would be all hip and have custom themes and be adding loads of cool plugins. The reality is, though, I didn’t need any of that and I didn’t have time to keep up with it. I’ll be able to get more done and write more if I just focus on the content of the blog. It would have also been nice to bring traffic to my site, but that is also a moot point now and I’ll just provide a link to jintoreedwine.com for anyone interested.

Anyway, I don’t want this to sound like a slam on the WordPress platform. I really like WordPress and it has made blogging quite simple. Great job, guys!

Hopefully I’ll be writing more soonish … :)


Quick Thoughts on Windows 7

June 5, 2009

Early this afternoon I decided, fairly randomly, that I wanted to try out the Windows 7 release candidate. I suppose this wasn’t totally random as I was hoping to check it out at some point. However, up until recently it would have been impossible for me to do so without formatting my XP partition, which I didn’t really feel like doing. I had wanted to run it using VirtualBox, but sadly my ext3 partition did not have enough free space and my 320GB external hard drive was formatted as Fat32 (max file size of 4GB). However, that external hard drive recently died and I purchased a new one which was formatted NTFS. Since I finally trust the ntfs-3g driver I was able to install a few more virtual machines for myself. So, keep that in mind, this is me running Windows 7 under a VirtualBox installation and not installed directly to the system. Alright… disclaimer out of the way :) .

First, a bit about the installation. I was glad to see that, unlike the Windows XP installer, which stops you half way through so you can set the time, the Windows 7 installer has you go through some simple options and then does its thing. I must say that it installed surprisingly fast considering that it had the overhead of the virtual machine, but also the overhead of the ntfs-3g driver which seems to be a CPU hog. I don’t really know how the partition manager is because I had fresh space to play with so I was able to simply choose all the defaults.

After the installation one has the fairly standard setup options of choosing a username/password combination and this is also where one sets the time and date. The default account type is administrator, which is a shame, because I doubt many people will know to make themselves a “standard” account for security reasons. Personally, I think the solution to this is obvious. Have the user make their standard account first, then, instruct them to make the administrative account with plenty of warning to only use it when software needs to be installed/settings changed/etc. I can picture Microsoft being apprehensive about this, though, because most people are already used to the “I’m always admin” mentality (even if it’s only on a subconscious level).

I had a bit of trouble getting myself network support mostly due to the fact that VirtualBox doesn’t technically support Windows 7. I eventually found a guide which told me to install the guest additions in compatibility mode for Windows Vista. So, naturally, the first thing I did was open up Internet Explorer. I mean, how else would I be able to download a good browser, like Firefox. As a bit of a side note here, I have used IE8, and it doesn’t do much for me.

So far so good, nothing really that out of the ordinary. One of the first things I noticed after logging in was the new task bar. No text on this bad boy, just little icons, very similar to how Apple does it, actually. Is this a coincidence… I doubt it. I do wonder how the average user, who is used to Windows XP, will like it, but I guess we will have to wait and see. I will say that it does feel rather clean and I like the simplicity of it. However, I do have one complaint with it. By default Windows 7 adds a button for common files like My Documents, My Pictures, and so on as well as a button for Windows Media Player. To me, this blurs the distinction between ‘running tasks’ and ‘icon to launch a program’ and with all my running programs minimized I sometimes had trouble telling which program was the one I wanted to pull up again. After playing a little more I realized that the running programs pop out a little bit, but it was not immediately obvious to me. A case of user stupidity? Well, maybe, but it still irked me for a bit until I got used to it.

Beyond that I poked around in the control panel, which is often a hobby of mine since I spend a fair amount of time helping other people with their Windows boxes even though I am a Linux user myself. The layout was similar enough to how it was in Windows XP that I felt pretty comfortable going around and changing various settings and looking at how things were configured. This is handy for me because explaining to people how to access different settings over the phone is sort of difficult if you don’t know it very well yourself.

My final note is that I thought it was very funny to see Windows Defender installed. It touts itself as an anti-spyware and malware system. To some degree I find the tool … misplaced? How come Microsoft doesn’t simply lock down Internet Explorer so that people can’t acquire all of this junk in the first place? It’s not exactly a closely guarded secret that most spyware and malware comes from people using Internet Explorer.

Overall I was much happier with Windows 7 than I was with Windows Vista, but it certainly didn’t wow me enough that I will be leaving Linux any time soon. It’s probably to Microsoft’s advantage to get Windows 7 out there as soon as possible, because Vista is just utter rubbish.

Oh yeah… sorry about not having screenshots, but I figure the net is flooded with enough Windows 7 screenshots that me taking some is just a waste of time :) .
