• Resource Consumption (time and bandwidth) – it’s makes the web faster
• Ads Mostly Suck (and are equally ineffective)

First, let me say that rather than adding adblocker software or plugins, I use Dan Pollock’s host file: http://someonewhocares.org/hosts/. Instead of blocking ads directly, it redirects ad server domain resolution to localhost. It’s fast, it’s free and it doesn’t take up resources running any extra processes.

A note from his file explains a bit of why it’s useful:

# Use this file to prevent your computer from connecting to selected
# internet hosts. This is an easy and effective way to protect you from 
# many types of spyware, reduces bandwidth use, blocks certain pop-up 
# traps, prevents user tracking by way of "web bugs" embedded in spam,
# provides partial protection to IE from certain web-based exploits and
# blocks most advertising you would otherwise be subjected to on the internet.

I started using this when I moved to Germany and ended up with a mobile internet connection for my main line, which is dirt slow. I couldn’t afford to waste my 5GB/month capped usage on ads–or slow down my general use with waiting for all the analytics and ad servers to resolve and load (yes, I block analytics too but that’s another post with a whole new topic).

But now that I’ve been using the hosts file for a while I’ve started to think that this is like when I abandoned television in favor of the internet for viewing videos. I got sick of the commercials. So much that I joined a revolution in a new medium that allowed me more fine-grained control over what I consume and how I consume it. I can’t watch TV anymore–the commercials are insufferable.

Yes, I’m a Web Developer, and yes, I use ad services on my sites–and I feel genuinely icky about it (but it pays for my hosting and gives me pet-project freedom). So, please, block my ads. If you don’t want them, I don’t want you to have to suffer them. You probably aren’t the person who makes me money on my ads anyway.

But here’s the kicker: When I find that there’s an ad company I like, who does things right, I allow them through my hosts file filter. Sadly, I haven’t found a decent service for sporting ads that don’t suck on my websites.

Commercials need to be better. Ads need to be better. Ad services need to be a hell of a lot better. A few ad agencies have caught onto this, creating viral advertising that people actually WANT to consume. I’m sure you remember the Sonia Bravia superball video. People didn’t block it. Instead it got passed around.

Here’s another one that gives me goose bumps that I found at the end of a TED.com talk by Nokia:

In closing, if you don’t want people to block your ads, make them not only worth consuming but sharing, make the ad servers fast and don’t put them in the way of what users actually want to consume.

follow on Twitter

Website Passwords

If a website ever sends you an email with your password in it, they are doing something very, very wrong. Actually, they might be doing more than one thing wrong–but I’m just going to focus on the biggest issue:

The fact that the website/company has the ability to show your password to you in any form means one of two things (either are very bad):

1. Your password is being stored unencrypted, in plaintext, in the database.
2. Your password is being stored encrypted in the database but can be unencrypted (back into what you type in your keyboard) using a key that is stored somewhere in the website code.

Obviously, the first case is worse–but I’ve seen it in small startup companies.

In either case, anyone with access to the database (and, for #2, the codebase) will have the ability to see your email address, username, password and any other information you’ve given the website. Generally, with web startup companies, this means anyone who works at the company–at the very least it means that the development team has access to it.

This is really bad for you if you use the same password for all websites–especially if you use this password for your email account, which is part of the plain data available. If you are this kind of person and you sign up for a site that treats passwords like this, a malicious (or curious) worker or data thief can simple see your current username,email,password combination, then go to Facebook, Twitter, or any other service they think you use and try those same credentials.

Website Triage

When creating accounts on the web, which is something I do quite a bit, I triage sites like so:

Email

Your email account is the primary gateway to almost all of your other online accounts. If you lose your password (or claim to have lost it), most sites will send instructions to your email account with a simple way to reset your password–often times without needing to supply any other information.
Thus, your email account needs to be hyper secure:

1. Always use https:// when checking webmail and always use SSL to connect to your email server from clients like Thunderbird, Outlook or Apple Mail.
2. Make a really strong password for your email account–and make it totally unique! Do not use this password for anything else!

Personally Identifyable + Financial

This includes Facebook, Twitter, Banks, Credit cards, Investment sites, Amazon, LinkedIn… basically, anything that either identifies you to your social groups, work, etc or has the ability to cost you money if compromised.

These accounts need to be extra secure. Unfortunately banks and credit card companies tend to restrict the security of passwords for no good reason. However, luckily, they employ other authentication mechanisms for login and password retrieval.

Now you might think, “What? You treat Facebook with the same password security requirement as your bank?” But I assure you, that doesn’t mean I let my bank password slip, it means I keep my Facebook password strong. It’s bad for someone to compromise your finances but it can also be a nightmare to have someone impersonate and damage your identity.

Everything Else

These would be sites that would only have my email, username and a password but no more personal information–generally services that mean very little to me and would be very easy for someone to forge on my behalf anyway (so I’m not concerned about someone getting in–or of a password leak from another low level site exposing access to this site). An example might be creating an account for a forum or a gaming site, where you need to login to get some info or post a comment. These are throw away accounts that all share the same login information.

Creating Strong Passwords

Gibson Research has an online password generator, along with information regarding the purpose and use:
https://www.grc.com/passwords.htm

After generating passwords of this size, which are generally absurd to imagine memorizing, you can store them in a password keychain. There are many desktop and mobile applications available for this. However, I’ve always been weary of using these programs because essentially, you are putting all of your passwords in a single location, protected by one single password, which is usually weaker than the passwords you can’t be bothered to memorize.

How to Remember a Unique Password for Every Service

If you don’t trust storing all of your passwords in a password keychain tool and you also have trouble remembering passwords, there’s another way.

Consider this simple algorithm for creating decent passwords, which involves only memorizing a single string that you can reuse for generating all of your passwords:

1. Generate a random character string (6-8 characters is good enough)
2. Take some portion of the name of the service
3. Combine

Example:

1. e$L9wa
2. Facebook.com – taking ‘book’ (but you could take Face, face, Book, b00k, B00k, cebo, etc)
3. Password possibilities:
   • e$L9wabook – one after the other
   • booke$L9wa – same as above but reversed
   • eb$oLo9kwa – the every other letter method (a little more difficult for a password thief to realize what your password might be for other services)

Now, when you go to Facebook.com, you can remember your generic random string, look at the name “Facebook” and think about what part of the name you would have used, then try the combination tactic that you think you probably used to create your password. If one doesn’t work, try another. Generally, you will find that it is incredibly easy to recall your password with ease–and after a few times of doing it, you will have effortlessly “memorized” your unique password.

NOTE: if you use an algorithm like this, you run the risk that if someone gets one of your passwords, they can infer a password for another service.

and using numbers and special characters to replace parts of the service name, which will make it much more difficult from a brute force perspective. Even so, this is way better than using the same exact password for every service, which would automatically allow an attacker to steal all of your online accounts. But there are ways to mitigate the risk of one password leak exposing your other accounts.

For more security:

1. Generate a longer random string
2. Change that random string regularly (once a week, once a month, your call–but more often is more secure, up to a point)
3. Choosing odd parts of the service name (rather than “Face” or “Book”, choose “cebo” from the middle to make your algorithm less obvious to someone who captures one of your passwords)
4. Come up with different rules for each service for integrating the name with your memorized string

follow on Twitter