Passwords: Secure websites thwart security

November 26, 2007

I’m so #*&@*$! frustrated with websites which limit the range of characters I can use in passwords.

I’ve adopted the fairly standard approach of creating three username/password pairs: one for high security sites like banks, one for medium security things like gmail, and one for low security sites. This means I only need to remember three sets of things, and if one is compromised, it only compromises sites at similar security levels.

I choose reasonable passwords for each. E.g., fairly long (more than 10 characters), mixed case, including digits and special characters.

However, this only works if all sites accept passwords that are that good. Or, if you’re willing to compromise password strength, it only works if there is a password, any password, that all sites will accept.

Unfortunately there isn’t such a password.

I use sites which variously require:

  • No more than 5 characters. (Think PIN.)
  • No fewer than 6 characters.
  • Must have a special character.
  • No special characters allowed.
  • Must have a capital letter.
  • Only numbers allowed. (Think PIN.)

So there is no single password which can work across these sites.

You’d think that all bank sites (at least) would allow long passwords of any characters. However, banks are typically the worst, frequently requiring a PIN (exactly 5 numbers). (For some reason, their website passwords must also work at ATMs.)

So not only am I forced to use a less secure password, I’m forced to create more passwords than I need (and than I can remember). So I’m forced to write them down — another insecure practice.

Why are there ANY websites today which disallow long passwords made up of any characters? (Since passwords should really be stored as secure hashed values of the strings, never the actual cleartext, a string of any length and any characters should easily be allowed: the hash that gets stored is the same fixed size no matter what went in.)
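As an added illustration of that last point (example code, not the author’s): a salted PBKDF2 store/verify pair. The sample passwords are constructed to cover every policy listed above, and every one of them produces the same 32-byte digest, so there is no storage reason to cap length or restrict characters.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (constructed value for the example).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is always 32 bytes regardless of the
    password's length or character set, because the password is hashed, not
    stored. A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


# Constructed samples, one per policy from the post: a 5-digit PIN, a
# mixed-case/digit/special-character password, a long passphrase with spaces,
# and a 90-character non-ASCII string.
SAMPLES = [
    "12345",
    "Tr0ub4dor&3",
    "correct horse battery staple",
    "pässwörd✓" * 10,
]


def digest_lengths() -> set:
    """Set of digest sizes across all samples; a single value shows the
    stored hash does not grow with the password."""
    return {len(hash_password(p)[1]) for p in SAMPLES}
```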


Portland Streetcar: Pain, but no gain

November 16, 2007

Portland has a streetcar.

You can walk as fast as the streetcar. So if the streetcar isn’t there to pick you up exactly when you arrive at the stop, you might as well walk; the streetcar will never catch up with you.

But I always believed that, should the miracle occur that the streetcar is there waiting for you, you should get on. I discovered I was very wrong.

One day while riding the streetcar, we got stuck because of an illegally parked car outside a hotel. The car was slightly blocking the tracks. From talking with the streetcar driver, apparently this happens very frequently outside this hotel!

It turns out that, even though we were stopped, right next to a sidewalk, with no immediate hope of moving, the streetcar driver is not allowed to let us off (since we weren’t at an “official stop”). But neither is she allowed to call the cops to have the car ticketed or towed. (Did I mention she said this happens frequently!!!)

She did what she said she always does: called her Tri-Met boss who called the hotel to ask that they try to get the car moved. And 15 minutes later someone moved the car.

Now think about this for a moment.

I suspect the hotel will never do anything to prevent future abuse. Why should they? They get a nice phone call from Tri-Met when it happens, and the hotel patron apparently finishes their check-in before moving the car. Very convenient for the hotel.

But what about the 20 people held hostage inside a parked Streetcar?!?!?

Instead of being forbidden to call the police, why isn’t the Streetcar driver required to call the police? Why isn’t the car impounded and, in addition to the car owner, the hotel fined or rebuked? I bet that would ensure the hotel clearly marks the parking spots and that, when a new guest enters the hotel, the staff rush to them to ensure they haven’t illegally parked their car.

Oh, and Portland is going to extend and add additional streetcar lines because it’s such a success.


Experiments in Musical Intelligence

November 13, 2007

Music composed by computer, made to match whatever human composer style is wanted. And it’s pretty good.

The software does musically-intelligent pattern matching. You can read an explanation and listen to various compositions.

This was written by David Cope, professor emeritus at UC Santa Cruz.


Radio Lab podcast

November 11, 2007

Science meets theater meets fun. How do they make it so fun?

http://www.radiolab.org/ or on iTunes. From WNYC – NY Public Radio.


Amazon vs. iTunes Store

November 10, 2007

I just noticed that amazon.com is selling DRM-free MP3 downloads, either individually (from $0.89) or as albums (from $4.99). And their downloader helper app automatically adds them to my iTunes library!

Sweet.

I was happy when Apple announced DRM-free downloads, but the reality has been that few, if any, songs I want are available from iTunes DRM-free. :-(

But Amazon’s selection seems good. All of it is DRM-free. And prices are comparable or cheaper than iTunes’ DRM music. (iTunes’ DRM-free music costs even more.)

Try this out quick before Apple decides to “enhance” iTunes to prevent it.