My Yahoo account firstname.lastname@example.org seems to have sent out some spam emails today and also on 15th March and 7th March. Sorry if you got one. I’ve never knowingly sent an email from this account, it’s purely for Flickr access.
I exaggerate. I’m not really going to tell you my password but I am going to tell you roughly how I created it. You may find it useful when thinking about your own passwords.
Over the years I got into the habit of using the same weakish password for every website I registered on. This was OK for a while then one of the sites I use got its password hashes published and within a few days they were cracked and my password was there for all to see.
I decided to do the sensible thing and create a strong, unique password for each site I use. The two problems I had are the same as everyone else:
- I wanted the passwords to be easy for me to remember but hard to crack
- I wanted them to be easy to enter on my phone
The second design goal was the one which made my approach slightly different to other ones you see around.
Here’s how I make my passwords:
- To make a password that’s unique for every site you need to incorporate some attribute of that site into the password
- If you have multiple accounts on the site, each should have a different password. So your algorithm needs to take account of your identity too.
- The password must be long enough to be strong but short enough to enter on a phone keyboard
- The password should only use the characters available unmodified on your phone keyboard (it’s too painful to keep changing the keyset for me)
The characters I have available on my Android phone are the lowercase letters a-z and the punctuation keys “,”, “.” and space. Your phone may be different.
Here are the components of my password:
- A word that’s memorable to me, let’s say “fart”
- Some letters from the website’s domain name
- Some letters from my email address
- Some mandatory punctuation
An example. Let’s say I’m signing up to Facebook with the email address email@example.com
My password would be
fart fcbk ae.. ,,
It’s made up as follows
- My memorable word, “fart”
- A space
- The consonants from the web site’s domain name, padded out to a length of 4 by full stops.
- A space
- The vowels from the domain name of my email address, padded out to a length of 4 by full stops
- Some punctuation; a space followed by two commas.
So my password is 17 characters long: not perfect but strong enough for today’s brute force attacks. It uses all the keyspace available without fiddling around on my phone’s keyboard. It’s unique for every account on every website (barring coincidences). It’s easy to remember.
You can obviously vary these elements considerably to suit yourself. For instance you could use the last four letters in the website’s name, maybe reversed or something. Rearrange the elements I’ve used.
This isn’t my actual algorithm, by the way. Just a little bit like it.
- Please don’t tell me about the XKCD cartoon. I know about it. I’m not going to type in a 28-character password on my phone.
- A password using this algorithm doesn’t lend itself to dictionary attacks or even rainbow table attacks. A brute force attack using today’s hardware would take an inordinate amount of time according to this chart:
Assuming Andrew Strauss resigns the captaincy after the current Test and chooses not to tour this winter, my team for the first Test in Ahmedabad in November would be as follows:
1. Alastair Cook*
2. Joe Root
3. Jonathan Trott
4. Ian Bell
5. James Taylor
6. Jonny Bairstow
7. Matt Prior†
8. Stuart Broad
9. Graeme Swann
10. James Anderson
11. Steven Finn
And the rest of the first-class squad:
12. James Tredwell
13. Graham Onions
14. Eoin Morgan
15. Tim Bresnan
Not 100% fit (mentally or physically) so not included: Ravi Bopara, Chris Tremlett
Unlucky: Monty Panesar, Chris Woakes, Samit Patel, Nick Compton
A bit boring and predictable for me, but I think that’s a testament to the good stuff coming from Andy Flower and Geoff Miller.
I’ve been asked a few times recently for general advice about getting a new business or project online. Here’s the skinny.
Any new business or project is going to need an online presence. So you just need to go and register a domain with GoDaddy, right? Stop! First read this handy guide to how to get it right.
You need three basic things
- A registered name
- A way of telling the internet where your services are hosted
- Hosting for your services (web site and email at least)
When you register a domain name, the registrar will want to do all these things for you. That way they get to keep all your money. But there are good reasons for keeping everything separate. Now read on…
Choosing a name
It’s fun choosing your name, but it’s not easy these days because all the good ones have already been taken. Here’s some things to consider that you might not have thought of:
- A .com domain name.
D’oh! Of course you thought of that. But if you didn’t then you should. Plenty of people will try the .com version of your name even if you register it somewhere else.
- A domain name in another top level domain.
If you plan to allow users to make comments on your web site or even to upload files then consider having an alternate domain name that is not subject to US laws.
- A Twitter handle.
Twitter is pretty crowded these days and getting your name as a Twitter handle will not be easy. And Twitter doesn’t have a secondary market in handles so you can’t make someone else an offer for theirs..
Registering your name
You need to tell the gods of the internet that you have chosen your name. You do this through a registrar. Many companies will act as a registrar for you because it’s money for old rope. They will also offer you other services like hosting and email. Here’s why you shouldn’t use the same company for everything.
Your domain names are your branding (and your trademark if you register it). It’s your identity and you should keep tight control of it. If you were a big company then your domain names would be under the control of your legal or marketing department, not your techies. If you outsource your web development, for example, you don’t want the developers owning your brand – what if you fall out with them?
So register the domain names yourself, but don’t buy any other services from the registrar. Keep the credentials for your account at the registrar very safe. Nobody else needs to know them except you. Ever. If they say they do then they are trying to rip you off.
My recommended registrar: Gandi. Many countries have appalling internet legislation that compels internet service providers to pull your domain on the say-so of law enforcement agencies. France, where Gandi are domiciled, is no exception. But Gandi at least have a policy of pushing back when asked to do something that is not in the customer’s interest. GoDaddy, on the other hand, are happy to hand over your data and your domain to the US security services at the request of a junior officer.
You’ll also need to register a Twitter handle. To do this you’ll need an email address, so let’s defer this until we’ve got our domain email services working. Registering a Twitter handle is easy: you’re just creating a Twitter account in the normal way.
Hosting your services
It’s no good having a domain name unless you use it for something. Here’s some of the services you might use it for:
You’ll probably want email addresses at your domain (firstname.lastname@example.org). The easiest way to do this is Google Apps. To complete the setup of Google Apps you’ll need to verify that the domain is yours – we’ll cover this in the following section about the Domain Name System. When you’ve got your email accounts set up, don’t forget to go and register your Twitter handle.
- Website or web application
Traditionally your website would be hosted by a provider that gave you access to a virtual machine. On this machine would be a web server and you could simply upload HTML or PHP pages to create your site. The problem with this way of doing things is that it’s fiddly to keep track of what you uploaded and when. This model has been replaced somewhat by the idea of an application server. Providers like Heroku or AppFog will link to your web developer’s source code control systems to create more effective release control system.
Your blog is just another application, hosted by an application server. There are many companies that will do this for you. I happen to use WordPress software hosted on my own old-fashioned virtual server. But WordPress as a company will host your blog for you if you want.
Tying the bits together
As it stands we’ve got a domain name (good) and email addresses like email@example.com (bleugh!) and maybe a website at http://yourdomain.herokuapp.com (yuk!)
This isn’t what we want. We want emails like firstname.lastname@example.org and our website to be at http://yourdomain.com – how do we do this?
The thing we need is the Domain Name System (DNS). Your domain has name servers. These servers tell the internet where your own services are located. It’s a bit of internet plumbing that we need to use to tie it all together. Bear with me, it’s not that hard.
I recommend using Cloudflare for your name servers. They are specialists at this and they do a free account that gives you all your basic needs, plus a lot of extra value on top. The Cloudflare account setup gives you all the help you need to get your services running on the right domain names.
When you’ve been through the Cloudflare setup you’ll understand it a lot more. But the basic steps are:
- Tell the DNS where your web hosts are
- Tell the DNS where your mail servers are
- Tell your registrar who is running your name servers
The last step is what achieves the important separation of responsibility between your registrar and your other service providers. It gives you the freedom to choose the best-of-breed hosting provider, email provider and DNS provider. You don’t have to be tied to your registrar for these services any more.
If you’re using Google Apps, the final step is to verify to Google that you own the domain. Google Apps setup will help you through this, but it’s very easy with Cloudflare to set up a TXT record containing information provided by Google. You’ll see what I mean when you try it.
Comments and suggestions appreciated.
Hyperlinks don’t have sell-by dates. Stale hyperlinks are a Bad Thing. A company that chooses to break hundreds of links to content that people found valuable is behaving very badly indeed.
I started using Flickr before they officially launched and I got my first Flickr Pro account in 2004 as a reward for testing their site. I’m still a customer today.
Dave Gorman has brought to light an issue that has existed without my knowing it since the US Digital Millennium Copyright Act came into force in 2009. Non-US users whose content is the subject of a DMCA takedown notice get their photos removed. For ever.
The most recent Internet Archive record of Dave Gorman’s original page is here:
Sadly, this is what it now looks like.
Dave Gorman successfully appealed the takedown and Flickr graciously allowed him to repost his photo. But the URL has changed. All the inbound links are now broken and the comments now go back to March 2012 instead of January 2006.
Flickr doesn’t work like this for US users. They get their photos restored as they were before (so Flickr can do this if they want to). They are choosing not to do so for me and all other non-US users, and as far as I can see they are not explaining why.
So goodbye Flickr after 8 years. I won’t delete my account because that would break all the links to my photos, but I will stop being a customer. My new photos, and my money, will go elsewhere.
Harriet bloody Harman made me write to my MP, Jim Fizpatrick, today. FWIW.
Dear Mr Fitzpatrick,
Given your comfortable majority I doubt you’ll be too worried at the loss of one vote, but can I briefly give you my reasons why I, as a lifelong Labour voter, could not vote for you at the last election and will not be able to do so next time either?
I was never too worried about civil liberties until a few years ago. I’d actually be happy if there was a national identity card, for instance. I don’t think I’m a paranoid libertarian nutter (fingers crossed). But I was dismayed by a number of measures introduced by the last Labour government starting in the climate of fear whipped up after the major terrorist incidents of 2001 and 2005.
Successive Labour Home Secretaries seemed to want to prove themselves more macho than their predecessor, and more tough on crime (rather than its causes) than the Opposition. Police were given more powers and used them to kettle protestors and prevent photography in public places. The UK acquiesced in the torture and long-term imprisonment without trial of British citizens. All this was not something that affected me personally so I noted it without allowing it to change my long-term loyalty to the party.
But then in the dying days of the government the Digital Economy Bill was introduced and passed without adequate debate. If there had been time to organize a coherent opposition to it then it would probably have suffered the same fate as the US SOPA and PIPA bills. But despite the help of people like Tom Watson, it was not possible to raise public awareness of the consequences of passing this bill until too late. It became the Digital Economy Act, the party lost the election (for unrelated reasons sadly) and we were stuck with it.
By contrast with the policing and security measures, the Act deals with something I know a little about: technology and the internet. I am a former technology director of an investment bank and am now the Chief Technology Officer of a financial services startup company.
My company’s success depends on being able to respond in an agile way to the changing business environment. We can do this much faster than large corporates, however much they spend on R&D. We can certainly do this much faster than regulators and legislators, no matter much lobbyists spend on influencing them. But we are left standing by the bad guys, who can innovate before a legislator has even heard of the problem.
My contention is this:
- It’s not possible to anticipate everything the bad guys might do, so you can’t legislate for their future exploits.
- If you write over-broad legislation to counter this problem then you stifle legitimate business and prevent beneficial innovation.
- If you give broad powers to law enforcement agencies they will use them for purposes for which they were not originally intended. Sad but true.
- The law already makes crime criminal. More law will not actually change this.
- The central problem is a failure of established businesses to give the customer what they want nowadays.
The last point is key. Perhaps I could include some comparisons between the user’s experience of piracy compared to a legitimate purchase:
Just to reiterate, I’m not supporting piracy. I’m saying if the content owners gave customers what they wanted, made it as easy as pirating it, and didn’t try to retain an inappropriate level of control over what the customer did with the content then they might still have a business model.
I could go on; I’m quite angry about this. The Digital Economy Act will have no effect on piracy (or child pornography or anything else it’s supposed to fix). I can think of ten ways of defeating its measures, so the bad guys can doubtless think of 100. Harriet Harman (and by implication your party) appears still to think otherwise: http://j.mp/zyvlFC
The Digital Economy Act reinforces the principal of a censored internet and adds disconnection for suspected infringers. What legislators should actually be doing is ensuring a free internet with access provided on a the same basis as other utilities.
I’d vote for a party that supported that.
I just wanted to get this idea out of my head so I can think about something else.
Possible API structure
Let’s take currency data as an example:
which gives you the details of Antigua’s currency in JSON format. This would be the latest version of the format, and the current currency used in Antigua. For a specific data format you can add a version number, and for a specific data in history you can add a date:
As well as JSON, data would be available as XML or semantic HTML (the default), possibly as a microformat.
The API would try to be as smart as possible, like http://cricdata.org. So, you could specify antigua or USD or renminbi and it would try to give you an appropriate response. If ambiguous (e.g. dollar) then it would return a list of matching currencies.
Some data, like the currency example, is available for free from an authoritative source (in this case http://www.currency-iso.org/dl_iso_table_a1.xml).
Other data is available from a reliable source such as http://opencorporates.com
But some data might need to be mastered here. In which case a wiki approach could be taken. In this case a reputation-based system would be good so that vandalism could be countered algorithmically. In other words, if you spot some bad data then you can flag it up (possibly anonymously, although an identified person’s flagging would be taken more seriously than an anonymous one). Somebody whose contributions are flagged as bad will have their reputation compromised. Data contributed by somebody that is not flagged as bad will increase their reputation depending on how often it is eyeballed.
As a consumer of data you can choose to have all data, regardless of the reputation of the contributor. Or only high-reputation data. Or only authoritative data.
- Currency pairs
- Second-level domains
- SIC codes
Obvious things like ISBNs, stock tickers, ISINs are actually fraught with licensing issues and generally poor design. But some attempt could be made.
The Labour Movement for decades aspired for the workers to own the means of production. Turns out it was better in private hands during the 20th Century. The Labour Party in its guise as New Labour recognised that in the mid-1990s when it dropped Clause IV from its constitution (better late than never).
I think it’s time we seized control of something just as important in the 21st Century: the means of communication. Here’s the story:
Sometimes I help people out with web servers, email servers and other internet-related stuff. I often have to explain how we control what happens when you type in www.example.com or email@example.com.
Here’s my simple guide to how internet domains work.
When you type www.example.com into a web browser, how does it know where to go to get the web page? As many people know, the answer is the DNS system. This translates www.example.com into the address of a web server. More mysterious stuff happens to connect your browser to that address, but we don’t need to know about that today.
Your domain has a set of DNS records that say where on the internet your domain’s resources (email servers, web servers etc.) actually live. You can change these records yourself, it’s quite easy.
Here are the DNS resource records you might need to change:
Address records (A): If your web server is at the internet address 188.8.131.52, for example, then you need to create an A record for www.example.com that points to that address.
Synonyms (CNAME): If there’s a resource on a server that already has a name then you can simply tell the DNS that your resource is on the same server. This is how Google Apps creates a webmail site at mail.example.com; you simply create a CNAME record that points mail.example.com at ghs.google.com.. That’s all you have to know.
Mail servers (MX): Your email is transferred by mail servers. These are the servers that actually move mail around (not to be confused with your webmail site). For Google Apps mail, the settings for the MX records are specified in Google Apps help pages.
Domain registration & name servers
Where are your DNS records kept? This is determined by the domain’s registration setup.
When you first registered the domain you will have used a registrar like GoDaddy or Network Solutions (or Gandi, the registrar I recommend). For an annual fee this company will maintain your domain’s existence on the internet and one other thing: determine where the domain’s name servers are (the name servers hold the DNS records).
When you first registered the domain, the registrar will have used their own name servers for your domain. This is to make it easy for you, but also because they are control freaks.
This is important. Many registrars try to hide the fact that you don’t have to use their name servers. In fact there are advantages in using a separate DNS provider from your registrar:
- The domain registration should be managed by your organisation’s legal or administrative department. This is the master key: in the event of a problem then the name servers can simply be changed to regain control of the domain.
- Management of the DNS records can be delegated to a technical person, but it’s really not difficult to do this yourself.
- Specialist DNS service providers often add extra value: for instance Cloudflare will cache your web content and speed up web access for all your users.
So in a nutshell:
- Your domain is registered with a registrar. Your account at the registrar controls where the domain’s name servers are.
- The name servers manage the DNS records for the domain. You should have a separate account with a DNS service provider to manage them.
- Your web server will be controlled by an A record in the DNS setup.
- Your webmail server will be controlled by a CNAME record in the DNS setup.
- Your mail servers will be specified by MX records in the DNS setup.
If this isn’t clear please leave a comment.