
December 13, 2010

Gawker’s disaster, Yahoo’s fecklessness
Posted by Patrick at 09:37 AM * 170 comments

As you may or may not be aware, Gawker Media’s network was seriously compromised over the weekend, and hundreds of thousands of login/password pairs have been posted in public. The overwhelming majority of these belong to people who registered on a Gawker-owned site in order to post comments; these sites include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. Gawker’s official statement is here.

You can find out if you’re affected here. The instructions look a little intimidating, but just do it; it’s easier than it sounds.

The nut of the matter is, if you ever used your login/password pair on a Gawker site as your login/password pair anyplace else, you need to change your password at those other places in a hurry. Particularly if those other sites might have access to any of your financial information—but really, even if they don’t.

This being the case, it’s notable that as of right now, when you log into Yahoo and follow the link on their account-management page to change your own password, you’re directed to an internal Yahoo “this page doesn’t exist” error message. This also happens if you try to change your password on Yahoo-owned Flickr.

I’ve tried about ten different phone numbers for Yahoo over the past hour. Nine of them don’t have a human answering until 12 noon EST (9 AM PST). The tenth led to a call-center employee who could not understand the problem, would not audibly yield up his name, and refused to put me through to a supervisor.

I dunno, if I were a struggling internet giant and something like the Gawker breach had happened over the weekend, I wouldn’t want to wait until 9 AM West Coast time before hearing that my own change-your-password link was hosed. But maybe it’s just that kind of attention to detail that’s made Yahoo so dominant over its competitors in recent years. Does anyone reading this have any way of contacting a responsible human being there?

(PS: I am not actually vulnerable here; my Yahoo login and password are different from my old Gawker Media pair. The Gawker story provoked me to go through all my accounts in order to replace existing passwords with longer, more random ones generated by the excellent 1Password utility, which is how I noticed Yahoo’s problem. But there are almost certainly thousands of people whose now-exposed Gawker credentials are the same as their Yahoo credentials.)

Comments on Gawker's disaster, Yahoo's fecklessness:
#1 ::: Janice in GA ::: (view all by) ::: December 13, 2010, 10:29 AM:

Interesting. I saw your tweets on this.

I decided last night to change my Yahoo password, just because. It took me a while to find the right place to change it, but it apparently worked fine for me. So either something happened between last night and now, or something else is going on.

What I found most problematic is how hard it was to find where to change the password. From my Yahoo mail, I clicked on the dropdown "Hi Janice" box and selected:

Account info (must reenter password on next screen). A little ways down the page there's a spot to change your password. That's what worked for me last night.

I have a vague memory of another password changing link that was borked, but I could be imagining that.

#2 ::: Patrick Nielsen Hayden ::: (view all by) ::: December 13, 2010, 10:30 AM:

The one that worked for you is exactly the one that isn't working now.

#3 ::: James D. Macdonald ::: (view all by) ::: December 13, 2010, 10:35 AM:

1) Treat your password like your toothbrush: Never share it with anyone, and change it every three months.

2) To remember an eight-digit random numerical string, break it into two dates and remember it that way: 29478209 becomes 2947 and 8209. Anyone can remember two years. (This is the trick to memorizing a bill's serial number at a glance. Secrets of the famous magicians revealed!)

3) To remember a six-character letter-and-number password, think of it as a license plate.

4) Don't use numbers that are significant to you, including birthdays, anniversaries, and social security numbers.

5) The pass-phrase method has a history going back to the Renaissance, and is still a good one. Take a phrase that is significant to you (e.g. Babel's garments we've rejected / And our fellowship is o'er) and take the first letters, second letters, last letters, or some other letters from that phrase to be your keyword (e.g. BgwrAofio). One could also run that generated keyword through a checkerboard to get a numerical password.

6) There is nothing wrong with writing down your passwords with pen and paper and keeping them in your desk drawer. By the time the bad guys are burglarizing your house to get your passwords, you're way beyond the point where mere passwords are going to help.

#4 ::: Joe McMahon ::: (view all by) ::: December 13, 2010, 10:35 AM:

From my experience at Yahoo!, someone would have already been notified and called in by now, but may have not updated the ops status site yet. This guy for some reason doesn't know how to check the ops status site (or it's down too, which would indicate something quite bad has happened).

#5 ::: Janice in GA ::: (view all by) ::: December 13, 2010, 10:38 AM:

@Patrick: I just changed my password again, and it appears still to be working for me.

Huh.

#6 ::: abi ::: (view all by) ::: December 13, 2010, 10:51 AM:

Jim @3:
Anyone can remember two years.

Almost anyone.

#7 ::: JDC ::: (view all by) ::: December 13, 2010, 11:16 AM:

abi@5:

Well, I can but the years are 1967 and 1995.

#8 ::: Charlie Stross ::: (view all by) ::: December 13, 2010, 11:22 AM:

The hash/checksum calculator at www.xorbin.com isn't loading -- probably stomped flat by the teeming gawker hordes.

Use this one instead. Worked for me (dammit). Luckily I'd already begun hardening my passwords a couple of months back (generating strong passwords, using one password per site -- financial services first, then sites with access to my credit card information -- and keeping track of them using SplashID, a password/identity management package for Mac/iOS). Also, I couldn't recall which of my regular frequent-use-low-security passwords I'd previously used for Gawker, suggesting I may have been using a random throwaway rather than one shared with any other account.

Still.

(SplashID is a cross-platform implementation of the write-it-down-somewhere-safe approach to passwords; it uses an encrypted database with a master password, lets you tailor the format of the records you keep in it, and supports synching with handhelds running the SplashID mobile client. Supports iOS devices -- iphone and ipad -- and also Android, (old) PalmOS, WebOS, and Blackberry. The desktop app runs on OSX. I began using it a couple of months ago and decided to get serious about security -- meaning, partitioning my various online identities so that losing the password to one of them doesn't land me in a world of hurt.)

#9 ::: Charlie Stross ::: (view all by) ::: December 13, 2010, 11:28 AM:

I forgot (and couldn't get through to their website until just now) that SplashID also supports a desktop client on Windows. So it basically covers everything except desktop Linux (and if you're using Linux, what's wrong with rolling your own encrypted MySQL database and hitting on it from the command line?).

I'll stop boosting someone else's commercial software product now, just noting that it works for me because of the cross-platform thing.

#10 ::: LinD ::: (view all by) ::: December 13, 2010, 11:29 AM:

Passwordsafe, available here is free. Downside: no Mac version. There is a list of PasswordSafe related projects, one of which runs on Mac, Unix, Linux, with caveats.

I keep my credit card information in PS. I haven't heard of any cut-n-paste loggers (yet), and so paste my CC number into shopping carts via PS.

And now, PS and I are going to be generating new passwords for all my cryptologically sensitive logins. Happy Monday. Happy Mercury retro! bleh

#11 ::: abi ::: (view all by) ::: December 13, 2010, 11:46 AM:

JDC @7:

Good point. I can remember 1970, 1993 and 2001.

I can also remember phone numbers, so long as they're my current home number, my parents' home number since 1978, or the number of the guy I dated when I was 16.

Wait, wait! I can remember Will Wright's* number from the late 1980's too, because that was my boyfriend's phone number rearranged.

-----
* Yeah, that Will Wright. He lived down the street from us and was close friends with my brother, who pointed out the relationship between his number and my boyfriend's.

#12 ::: David Harmon ::: (view all by) ::: December 13, 2010, 11:56 AM:

My passwords (on Linux) are actually split between two keepers: Firefox's own cache (you want to enable the global password for that), and KeePassX, which IIRC is truly cross-platform. (The advantage of KeePassX is you can stash non-Web passwords in it.) I've also used Password Gorilla, also cross-platform. Some of the passwords are also backed up on paper.

I do not reuse passwords, which can be a PITA, but this sort of thing happens often enough, to keep me reminded of why it's worth it.

#13 ::: Michael Straight ::: (view all by) ::: December 13, 2010, 11:57 AM:

Is there a reason you trust the 1Password people with all your passwords? Is their code open so that someone can confirm there's no password-harvesting trojan in there?

#14 ::: Clifton Royston ::: (view all by) ::: December 13, 2010, 12:04 PM:

I used to know some highly competent and well-placed people on the email side at Yahoo, but they're all gone now.

#15 ::: nerdycellist ::: (view all by) ::: December 13, 2010, 12:05 PM:

Was able to change the password for my yahoo (sbcglobal) email ID slithytoves, but every time I try to go in and change my nerdycellist sbcglobal account password, it insists I am still slithytoves and claims that the "old" nerdycellist password is incorrect, and wants the "new" slithytoves password.

I don't know why I bother - the yahoo/sbcglobal email is so absolutely bloated with adware and attempted social networking garbage I may as well just start over and transfer everything to gmail anyway.

#16 ::: Janet Brennan Croft ::: (view all by) ::: December 13, 2010, 12:09 PM:

Um, how safe is it to keep your passwords in Outlook but marked as private? My brother, who used to be a library sysadmin, recommended that. The two things I don't do that I should, I suppose, are putting a password on my phone in case I lose it, and on my home computer -- my work computer requires a password to wake it up. But this way I can synch them at work, home, and on my phone.

#17 ::: JDC ::: (view all by) ::: December 13, 2010, 12:17 PM:

abi@11:

I remember my S&L account number from when I was 16, as memorizing numbers was the available amusement in my driver's ed class. (Aside from the time the simulators malfunctioned and clean driving was scored as dangerous and vice versa.)

BTW, I've never been to Amsterdam (stupid Schiphol shut on me last Thursday!) but am going to have an incredibly long layover on 3 Jan. Any quick tips for what I should do with, oh, 5 hours (after transit time)?

#18 ::: Teresa Nielsen Hayden ::: (view all by) ::: December 13, 2010, 12:28 PM:

Jim @3:

Anyone can remember two years.
Can anyone remember how many months it takes me to learn a new phone number?

#19 ::: Daniel Martin ::: (view all by) ::: December 13, 2010, 12:30 PM:

I can't imagine trusting the admins at any news site with the password to anything important, or even the password to any other news site. I barely trust them with the password to their own site.

This is why - except for a few places that I haven't gotten around to updating yet - I handle all my passwords on those "please register with us" places (NYT, slashdot, facebook, etc.) with "Password Composer". It's a browser plugin that lets me have one password on my end, lots of different passwords on their end, and yet nothing ever need be written down or stored in plain text.

#20 ::: Bob with a pseudonym ::: (view all by) ::: December 13, 2010, 12:31 PM:

I trust my collection of passwords to post-it notes thumbtacked to the corkboard in my home office. I wouldn't trust an online service with them, and tracking them in a computer file is secure only as long as the hardware is in my possession.

Yes, this is paranoid, but it's a paranoia that limits damage when something (like Gawker) goes kablooey in a big way.

PS. I'm not Steve with a book.

#22 ::: Caroline ::: (view all by) ::: December 13, 2010, 12:38 PM:

Michael Straight @ 13: No, 1Password's code is not open source. If that's a dealbreaker for you on password-storage applications, there are open-source choices:

KeePass (Windows)
KeePassX (cross-platform)
Keychain (Mac OS)

#23 ::: Patrick Nielsen Hayden ::: (view all by) ::: December 13, 2010, 12:48 PM:

Michael Straight, #13: "Is there a reason you trust the 1Password people with all your passwords? Is their code open so that someone can confirm there's no password-harvesting trojan in there?"

Just so nobody misunderstands, 1Password is a program that stores your passwords locally; it's not a cloud service. It does enable you to share an encrypted master file between versions of itself on the Mac, the iPhone, the iPad, and Windows, and it gives you the option of doing this via your local WiFi network or via DropBox, but that's all.

It's true that there might be a password-harvesting trojan inside the program itself. This is of course also true of Microsoft Excel, or Angry Birds. Unless we're willing to only use open-source software and become expert enough to personally inspect the source code of every program we run, we'll be vulnerable. Like many things in life, there's a trade-off. 1Password has been around for a while and has been used by a lot of smart people. That may not guarantee its probity, but it suggests that it's a reasonably good bet. Life being short, "good bets" are what we usually have to settle for if we're not willing to spend all of our allotted time auditing everything down to the ground.

#24 ::: Patrick Nielsen Hayden ::: (view all by) ::: December 13, 2010, 12:50 PM:

Wow. Several hours later and Yahoo's change-password page still doesn't work.

(And this is checking in from a completely different computer running a completely different browser and OS.)

#25 ::: Cadbury Moose ::: (view all by) ::: December 13, 2010, 12:58 PM:

Janet @ #16

Password protecting your mobile phone is a trade-off.

If the information contained in the phone is more than the value of the phone, protect it but put a contact number/address on the phone so if you lose it a helpful person can return it to you.

If the phone is worth more than the data, put a contact number "Home" in the directory, leave it unprotected and you may get it back.

(This moose has a very cheap PayG mobile with never more than £10 on it, so elects for option 2.)

Obviously if the phone is on contract and a potential thief could run up an enormous bill before you realised it was missing, Option 1 (password the phone) is the way to go - but put some contact details on it anyway.

#26 ::: Evan Goer ::: (view all by) ::: December 13, 2010, 01:09 PM:

Patrick -- So I work for Y!. Can you confirm the specific link that is not working? Is it https://edit.yahoo.com/config/change_pw ? Or is it some other link that is broken?

#27 ::: Patrick Nielsen Hayden ::: (view all by) ::: December 13, 2010, 01:20 PM:

Evan -- I was about to contact you, and then it started working again. Yes, it was exactly the URL you specified.

It's not the technical failure that's aggravating so much as the way that Yahoo, like most internet companies, makes it incredibly difficult to reach an actual human being. (Just ask anyone whose Gmail account has malfunctioned.)

#28 ::: praisegod barebones ::: (view all by) ::: December 13, 2010, 01:32 PM:

abi@11

2001, but not 200?4? (Mind you, neither my wife nor I are 100% reliable when asked which year we were married in; and have occasionally resorted to figuring it out by asking our daughter how old she was at the time.)

#29 ::: abi ::: (view all by) ::: December 13, 2010, 01:36 PM:

praisegod barebones @28:

Yes, 2001 but not (2010-6=)2004. I calculate my son's age from his year of birth, but my daughter's year of birth from her age.

Go figure.

#30 ::: Serge ::: (view all by) ::: December 13, 2010, 01:45 PM:

Abi @ 29... I remember how long ago we got married by subtracting 2 days from when Challenger blew up. I remember how long ago Challenger blew up by adding 2 days to our wedding's date. For everything else, I stick postits to a calendar at the office.

#31 ::: Evan Goer ::: (view all by) ::: December 13, 2010, 02:10 PM:

Patrick -- really good to hear!

Yeah, as far as I can tell, the customer service problem for giant advertising-based Internet companies is basically intractable, given the economics. Your best bet is to ignore official channels and contact your sister / 2nd cousin / friend from the internet who works at the web giant in question.

Note: the fact that the status quo boils down to, "it's important to be closely connected to a tech-savvy, privileged demographic," is entirely coincidental.

#32 ::: Matthew Brown ::: (view all by) ::: December 13, 2010, 02:49 PM:

It could be worse: Gawker could have used plaintext passwords instead of hashed. Yes, there are sites that do this.
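On the point that hashed storage is the lesser evil: the following is an added example (mine, not code from the post or from any of the sites named in it) that puts the two designs side by side. Plain dictionaries stand in for a user table; the username, the password and the PBKDF2 work factor are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for the example;
# tune it to the hardware that will verify logins.
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


# --- Weak design: the password itself is the stored record ------------------

def register_plaintext(store, username, password):
    """Store the password as typed. A dump of `store` is a dump of passwords."""
    store[username] = password


def check_plaintext(store, username, password):
    return store.get(username) == password


# --- Hardened design: only a salted, stretched hash is stored ---------------

def register_hashed(store, username, password):
    """Store (salt, PBKDF2 digest). A dump yields only hashes that must be guessed at a cost."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    store[username] = (salt, digest)


def check_hashed(store, username, password):
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users, so that response time
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * SALT_BYTES, PBKDF2_ROUNDS)
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, digest)


def leaked_record_contains_password(store, username, password):
    """Simulate a table dump: does the stored record expose the password?"""
    record = store[username]
    if isinstance(record, str):
        return record == password
    salt, digest = record
    return password.encode("utf-8") in salt + digest


def demo():
    """Constructed users 'joe' and 'jane' with a constructed password; returns the findings."""
    plain, hashed = {}, {}
    register_plaintext(plain, "joe", "correct horse")
    register_hashed(hashed, "joe", "correct horse")
    # Register the same password for a second user: the random salt gives distinct digests.
    register_hashed(hashed, "jane", "correct horse")
    return {
        "plain_login_ok": check_plaintext(plain, "joe", "correct horse"),
        "hashed_login_ok": check_hashed(hashed, "joe", "correct horse"),
        "hashed_wrong_rejected": check_hashed(hashed, "joe", "correct hors"),
        "unknown_user_rejected": check_hashed(hashed, "nobody", "x"),
        "plain_dump_exposes": leaked_record_contains_password(plain, "joe", "correct horse"),
        "hashed_dump_exposes": leaked_record_contains_password(hashed, "joe", "correct horse"),
        "same_password_same_digest": hashed["joe"][1] == hashed["jane"][1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is what stops one precomputed table from cracking every account at once, and the round count is what makes each guess against a leaked digest cost real time; a leaked hash list is still a guessing target, which is why the reuse advice in the post stands even for hashed sites.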

#33 ::: Arthur D. ::: (view all by) ::: December 13, 2010, 02:51 PM:

Janet @ 16, If you put a passcode on your phone, is there a splash screen or someplace where you can display a message saying how to contact you?

Charlie @ 8, I can attest to the robustness of SplashID - I've been using it for several years with various flavors of Mac OS, Palm OS, and iPhone. I like how they've improved it over the years. I should say that 1Password looks promising too, and started out with some interesting features that worked their way into SplashID. I got a license for it years ago as part of a bundle and found it wanting. It seems much much better now. The two things that stop me from jumping to 1Password and seriously trying it are that I'd have to pay to update to the latest version, and that I'd have to reorganize my passwords in SplashID to make the import work out.

One feature worth looking at for any password program is opening a browser to a specific URL and autofilling logins and passwords. For desktop OSes, the program is supposed to install a plugin to facilitate this. This is different than letting the browser itself remember logins and passwords, and supposed to be more secure too (but I'm not sure how).

Personally though, I've always typed in logins and passwords. I've never trusted browsers not to be compromised, or at least, never wanted to leave passwords around for guests and visitors to use.

James @ 3, would it be OK to have a common passphrase and combine it with a unique, site-specific passphrase to have a unique password?
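Daniel Martin's description of Password Composer in #19 and the question just above come down to the same idea: one memorized secret, a different password per site, nothing written down. The following added example (mine; not Password Composer's actual algorithm, whose details are not on this page) shows a hypothetical derivation that does it with PBKDF2 and HMAC rather than by gluing two phrases together. The function names, the work factor and the sample secrets are all constructed for the example.

```python
import base64
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 100_000  # constructed work factor for the example


def normalize_site(site):
    """Canonicalise the site label so 'WWW.Example.COM' and 'example.com' agree."""
    site = site.strip().lower()
    if site.startswith("www."):
        site = site[len("www."):]
    return site


def derive_site_password(master, site, counter=1, length=16):
    """Derive a per-site password from one memorised secret; nothing is stored.

    Hypothetical scheme:
      1. stretch the master secret with PBKDF2, salted with the site name;
      2. HMAC the site name and a rotation counter under the stretched key;
      3. encode the tag as printable characters and truncate.
    Bumping `counter` rotates one site's password without touching the others.
    """
    master_bytes = unicodedata.normalize("NFKC", master).encode("utf-8")
    site_name = normalize_site(site)
    key = hashlib.pbkdf2_hmac("sha256", master_bytes, site_name.encode("utf-8"), PBKDF2_ROUNDS)
    tag = hmac.new(key, f"{site_name}\x00{counter}".encode("utf-8"), hashlib.sha256).digest()
    # base64 yields letters, digits, '+' and '/'; trim to the requested length.
    return base64.b64encode(tag).decode("ascii")[:length]


def naive_concat_password(common, site_specific):
    """The scheme asked about in the thread: common phrase + site phrase, verbatim.

    Included only for contrast: if one site stores this in the clear, whoever
    reads that dump now holds the common part of every other password.
    """
    return common + site_specific


if __name__ == "__main__":
    print(derive_site_password("correct horse battery", "www.Example.com"))
    print(derive_site_password("correct horse battery", "example.org"))
```

Two caveats a practitioner would want stated: the master secret has to be strong, because any one leaked derived password is an offline oracle for guessing it; and the counter that lets you rotate a single site is one more thing you must remember, since by design there is no file to look it up in.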


#34 ::: praisegod barebones ::: (view all by) ::: December 13, 2010, 03:02 PM:

abi@29: in fact, that makes perfect sense to me - both because there are a lot of things which I remember in similar kinds of ways, and because my cognitive life is pervaded by analogous asymmetries.

For some reason, though, the date that I find easiest to remember beyond the birth of my children and my own is the year I became an expatriate. Though since that's 2000 it's not much of a mental stretch.

And then there's 1066; 1789; 1453 (which ought, by rights, to be 1649; 1789; 1923; but my memory is clearly less of a republican than the rest of my mind.)

#35 ::: Jed Smith ::: (view all by) ::: December 13, 2010, 03:26 PM:

I wrote the linked tool in the post. I recently changed it to include its own hash calculator, so you don't have to punish another site now.

You might want to update the link - http://gawkercheck.com/ - but there is a redirect at the old location.
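Why the check "looks intimidating": the tool has you hash your own identifier locally and look the digest up in a published list, so the clear-text address never goes to a third party. The following added example (mine, not Jed Smith's code) walks through both sides of that exchange. It assumes, purely for illustration, that the list holds MD5 hex digests of lower-cased identifiers; the page does not state the real dump's format, and the three identifiers in the sample are invented.

```python
import hashlib


def identifier_hash(identifier):
    """Assumed list format: MD5 hex digest of the trimmed, lower-cased identifier."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hashlib.md5(canonical).hexdigest()


def publish_hashed_list(identifiers):
    """Publisher side: hash each leaked identifier once and publish only the digests."""
    return {identifier_hash(i) for i in identifiers}


def is_affected(identifier, published_hashes):
    """User side: hash locally, then look up. The clear-text identifier stays on this machine."""
    return identifier_hash(identifier) in published_hashes


def check_many(identifiers, published_hashes):
    """Check several usernames or addresses at once (the thread's 'try my usual IDs')."""
    return {i: is_affected(i, published_hashes) for i in identifiers}


# Constructed sample leak: these three identifiers are invented for the example.
SAMPLE_LEAK = publish_hashed_list(["alice@example.com", "bob@example.org", "commenter42"])


if __name__ == "__main__":
    for ident, hit in check_many(["Alice@Example.COM", "carol@example.net"], SAMPLE_LEAK).items():
        print(f"{ident}: {'affected' if hit else 'not in list'}")
```

Note what this does and does not protect: the user's query stays private, but a list of hashed identifiers is not itself anonymous, because anyone can run `check_many` over a candidate list of addresses and recover which ones are present. Hashing a low-entropy value hides it only from casual reading.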

#36 ::: Jon Marcus ::: (view all by) ::: December 13, 2010, 03:35 PM:

Not trolling, honestly wondering: Why do I care if someone has my gawker userid/password, which I also use to comment on a number of other sites.

About the worst case I can imagine is that someone could go post a bunch of nasty comments as "DaBunny42". While that'd be mildly annoying, avoiding that (semi-remote) possibility doesn't seem worth the hassle of redoing all those passwords. What nightmare scenario am I overlooking?

(I do use different passwords for anything money-related, or more sensitive than posting comments.)

#37 ::: Patrick Nielsen Hayden ::: (view all by) ::: December 13, 2010, 03:44 PM:

#36, Jon Marcus -- Different people have different attitudes about having bits of their online identity suborned.

#38 ::: Patrick Nielsen Hayden ::: (view all by) ::: December 13, 2010, 03:46 PM:

Jed Smith #35 -- Thanks! Link updated.

#39 ::: Jon Marcus ::: (view all by) ::: December 13, 2010, 03:51 PM:

@37: Fair enough. I imagine I'd be more concerned if I actually had much of an online identity, not to mention one tied to my professional life.

#40 ::: heresiarch ::: (view all by) ::: December 13, 2010, 04:06 PM:

I've found that I usually remember long numerical strings by saying them and then remembering what it feels like to say them. Whenever I need to retrieve a number, I mutter it under my breath or at least imagine saying it while writing it down. I can use the same process to visualize the number, but then it rapidly begins to decay--numbers swap places or quietly sidle off. Worse than fifth graders with a substitute teacher, they are. Audio memory, for whatever strange reason, is much more reliable for pure memorization.

#41 ::: glinda ::: (view all by) ::: December 13, 2010, 04:10 PM:

First of all, thank you. I don't *think* I'd ever logged onto Gawker, etc., but I checked a couple of my usual userIDs, just in case.

And, bloody hell, one of them was in the list. So, my Yahoo/Flickr password is now changed.

James D. Macdonald @ 3:

Anyone can remember two years.

Um, no. I (now) have difficulty remembering any string more than two digits long, thanks to the CFS-related cognitive function damage from a few years ago. It took me almost four years to learn my latest phone number. (And I used to be able to memorize my car's VIN, though that got more difficult when they went from just numbers to numbers with letters mixed in.) (I also have trouble remembering a lot of other things, including passwords. Likewise, real problems learning anything new. Or remembering what I read.)

I've got a file with a list of my passwords, on my desktop machine; if anyone can actually get at that, I'm hosed anyway.

abi @ 6:

Thank you, also.

Not really related, but ObDifficultyRememberingThings: I seem to have hidden from myself one rather small box (maybe 4" x 4" x 6"?) of holiday decorations, the one that *doesn't* get put in the storage locker every year - it's not in any place I'd consider likely. Or unlikely, for that matter. This place isn't that big; I've been collecting these since 1972; I'm resolutely avoiding panic, but... gah.

#42 ::: Avram ::: (view all by) ::: December 13, 2010, 04:13 PM:

Michael Straight @13: Is their code open so that someone can confirm there's no password-harvesting trojan in there?

And did you write your own compiler so that you can be certain nobody is compiling backdoors into your programs?

Seriously, for any level of security, a level of paranoia can be discovered from which that level of security will seem inadequate.

#43 ::: Avram ::: (view all by) ::: December 13, 2010, 04:19 PM:

Jim @3: There is nothing wrong with writing down your passwords with pen and paper and keeping them in your desk drawer.

Well, for you and me, yeah. Got any clever ideas for someone who needs to protect their online activity from another person who has legitimate access to their home? Say, a gay teenager living with homophobic parents?

#44 ::: Don Fitch ::: (view all by) ::: December 13, 2010, 04:45 PM:

My Luddite approach has been to never use the computer for anything money-related -- AFAIK, bank account and CC numbers aren't anywhere on my computer -- and use the same simple-minded password (which I'm cautious enough to not write here) pretty much everywhere (approved as "Yeah, that's acceptable Security-- for you" by Bruce Schneier Himself). I rate the probability of any evil hacker posting anything embarrassing anywhere, under my name, as vanishingly small... and unimportant.

Granted, I may (and should, Real Soon Now) get a PayPal account, with which I'll exercise more caution... and remember Patrick's excellent advice about writing passwords down on that paper stuff.

#45 ::: Clifton Royston ::: (view all by) ::: December 13, 2010, 05:12 PM:

Avram @ 43:

Actually in that case - and fortunately I never had to deal with *that* kind of problem - I think it would be a Very Good Thing to have the sitenames, usernames and passwords for various online identities written down in your desk drawer, and to ensure said identities exist and are seen asking earnest questions about faith, the opposite sex, and witnessing for Jesus (or the parents' equivalent preferences.) Then keep the real usernames and passwords elsewhere, or recorded via some sort of transform on the usernames and passwords written down.

#46 ::: Andrew Plotkin ::: (view all by) ::: December 13, 2010, 05:13 PM:

I do not evangelize any specific level of online paranoia. Situations and preferences vary.

However, the "nightmare" worry for having people posting messages using your identity is bootstrapping. You and your friend Voldemort are both posting regularly on social web site XXX, and one day "you" sent Voldemort a message "Hey, I've started using related web site YYY. My id there is..." Or "you" post publicly to the same effect. Or "you" mention an email address that is not yours.

With care and effort, the attacker can get more people to accept more fake online identities for you, with a higher level of trust than "person I saw commenting on Gawker". Eventually he could be sending email from an account that other people think is you.

Now, depending on your habits, this may not apply to you. Sure. And it's a hand-crafted kind of attack -- the opposite of stealing three million passwords in one gesture. But this is the nature of social engineering.

#47 ::: heresiarch ::: (view all by) ::: December 13, 2010, 05:15 PM:

Avram @ 43, meet Avram @ 42.

#48 ::: Clifton Royston ::: (view all by) ::: December 13, 2010, 05:15 PM:

Glinda:
Gawker runs a whole lot of different websites with different userbases - off the top of my head, IO9 (SF), Lifehacker (productivity ideas), ValleyWag (Bay area gossip), Kotaku (gamers), so you might have used one of those at some time long ago and never realized it had anything to do with Gawker.

A helpful list:
http://en.wikipedia.org/wiki/Gawker_Media#List_of_Gawker_Media_weblogs

#49 ::: Bob with a pseudonym ::: (view all by) ::: December 13, 2010, 05:20 PM:

Avram@43: There are a number of reversible ciphers which are simple enough to be done in one's head, but robust enough to withstand casual poking by, say, unsophisticated parents. Coming immediately to mind:

1) For numbers, write down the nine's complement of each digit. (means: write down the difference between nine and the actual digit. 0==9, 1==8, 2==7, ... 9==0. For example, 1234==8765. Applying the transformation twice reconstructs the original digits.)

2) For characters, memorize and use rot13. (means: imagining the 26-character English alphabet as a wheel or circle of letters, rotate it 13 positions, or halfway around. a==n, b==o, c==p, ..., z==m. For example, bobsmith==obofzvgu. Applying the transformation letter-by-letter transforms a message into gibberish; reapplying the same transformation to the result reconstructs the original message.)

For protection against more sophisticated attackers, rot13/nine's complement alternate characters only.

For the specific example you give, using only the library's computers might be the best option. Passwords, always committed to paper in cipher form only, can be written on bookmarks, business cards, or similarly ubiquitous urban detritus which are left behind the books on some little-used shelf. Disguise can help; ten numerical digits formatted as a phone number won't get even a second glance when written on the back of a business card. Nor would the digits of a street address, apartment number, and zip code, written on a bookmark.
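The two transforms above, written out as an added example (mine, not from the comment) in Python, together with the alternate-character variant and the phone-number disguise. The function names are my own.

```python
def nines_complement(text):
    """Replace each digit d with 9-d; non-digits pass through. Self-inverse."""
    return "".join(str(9 - int(ch)) if ch.isdigit() else ch for ch in text)


def rot13(text):
    """Rotate ASCII letters 13 places; everything else passes through. Self-inverse."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def disguise(secret):
    """rot13 the letters and nine's-complement the digits of a mixed string."""
    return nines_complement(rot13(secret))


def disguise_alternate(secret, start=0):
    """The comment's variant: transform only every other character.

    `start` selects which parity is transformed and must be the same when undoing.
    """
    return "".join(disguise(ch) if (i - start) % 2 == 0 else ch
                   for i, ch in enumerate(secret))


def as_phone_number(digits):
    """Format ten digits to look like a phone number on the back of a card."""
    if len(digits) != 10 or not digits.isdigit():
        raise ValueError("expected exactly ten digits")
    return f"({digits[:3]}) {digits[3:6]}-{digits[6:]}"


def from_phone_number(formatted):
    """Recover the digits from the phone-number disguise."""
    return "".join(ch for ch in formatted if ch.isdigit())


if __name__ == "__main__":
    # Constructed sample secret; applying each transform twice returns the original.
    secret = "pass1234"
    print(disguise(secret), disguise(disguise(secret)))
    print(disguise_alternate(secret), disguise_alternate(disguise_alternate(secret)))
    print(as_phone_number(nines_complement("2947820901")))
```

Both transforms are involutions, which is what makes them usable in one's head: the same operation encodes and decodes. They are obfuscation, not encryption; they keep a password from someone glancing at a bookmark, but anyone who recognizes rot13 undoes it as quickly as the owner does.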

#50 ::: Clifton Royston ::: (view all by) ::: December 13, 2010, 05:39 PM:

I just remembered that probably a lot of people here are not security geeks and may not be automatically jumping to the worst case as some of us are prone to.

The really big worry, for those who aren't already familiar with the "use case", is the following:

Maybe Joe (the average guy or gal) was having trouble thinking of a password when they created this account, and so Joe used the same one as on their Yahoo/Gmail/Hotmail account, because they could remember it right then. And earlier when Joe was setting up his/her Paypal account (or Google Checkout, or Amazon, or online banking) they used the freemail account because it was handy, and that seemed it should be secure enough because Joe thought to use a different password there.

Now whoever gets Joe's password broken first and linked to a name and address can
1) try that password on Joe's freemail account,
2) get into Joe's freemail account, if Joe did use the same password,
3) look through Joe's old email to see what financial accounts Joe had linked to it,
4) ask Paypal (or whoever) to go through the password reset process, and get:
5.a) immediate access to transfer Joe's money to the attacker's throwaway identity; and
5.b) all the info on Joe's credit card and/or banking details, which they can continue to try to exploit after the initial avenue is shut down.

Out of a half million accounts, there are almost guaranteed to be a number which prove to be exploitable this way, and steps 1 and 2 can be automated and run by a bot-net, making the steps which may require human control or judgment much more rewarding.

If Joe happened to use the same password on Paypal as on Gawker, of course, they can cut out steps 1-4 and go straight for the money.

#51 ::: Walter Hawn ::: (view all by) ::: December 13, 2010, 06:15 PM:

I don't understand the problem, myself. Sign-in to non-financial or non-personal stuff is a security problem for the site, not me. I don't care whether my account at Yahoo is compromised. I use it for nothing but an email spam dump.

Similarly, I don't care if my Pandora account is compromised. and so on.

Any account that may have security implications *for me* would not use whatever it is I used on a Gawker account, if I ever did.

Many sites insist on 'registration' solely as a self-protective thing. Them, I care very little about.

#52 ::: Jules ::: (view all by) ::: December 13, 2010, 06:17 PM:

I have long since given up on ever contacting a real person at Yahoo. They periodically block all email from my company's mail servers to theirs (including the servers that handle all BT Openworld addresses, so this isn't as irrelevant as it might sound), and when they do so I typically spend several hours trying to contact somebody to get the situation resolved. I never seem to be able to, though, and just end up jumping backwards and forwards through automated system after automated system.

Maybe pretending to want to buy something from them would help.

#53 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: December 13, 2010, 06:42 PM:

I've been using mSecure for the last few months. It supports MacOS X and iOS, which I use, and Windows, which I don't use. It's basic, but it does what I need. I'm still moving all my passwords over to it, as I use them, from a file I keep on my Mac that used to be encrypted on my Newton. The Newton went to the great junkshop in the sky, and I've spent the last 3 years getting my iPod, and later my iPhone, set up with the apps I need to replace it.

Re: remembering numbers. Instead of dates, I tend to use mathematical and physical constants (e, φ, π, etc.) sometimes prepended, appended, or interspersed with alphabetic strings. Of course I don't use these where a really strong password is required, like bank accounts, but they're handy for websites that don't hold any of my sensitive information.

#54 ::: Doug K ::: (view all by) ::: December 13, 2010, 06:45 PM:

hm. I had a Lifehacker comment uid/pwd from the days when Gina Trapani wrote most of it. Not only is that uid on the list, but a couple of others are too.

This weekend a Korean logged in to my Facebook account, which uses one of those uids that is in the compromised list... so this explains that exploit. Thank you, now I know.

#55 ::: Earl Cooley III ::: (view all by) ::: December 13, 2010, 06:50 PM:

Unfortunately, 1Password doesn't support the Opera browser or the Symbian platform. I still haven't found a good, comprehensive solution for my Nokia E73 Mode phone.

#56 ::: Tortoise Prime ::: (view all by) ::: December 13, 2010, 07:20 PM:

Somewhat low-tech, perhaps, relative to the aforementioned approaches, and it doesn't address the issues of storing or remembering passwords, but GRC's Perfect Paper Passwords works for me. I'd suggest picking the "visually aggressive" option, assuming it's compatible with your password requirements, and setting the passcode length to 16 so you'll have fewer spaces to remove. (Surely you'll want a password at least that long.)

#57 ::: Lee ::: (view all by) ::: December 13, 2010, 07:28 PM:

Bob, #49: I would advise against disguising things as an address or especially a phone # in the particular instance under discussion. My parents certainly would have tried to call any number they found in my handwriting on the back of a business card, and they were mostly just nosy! And then there'd have been endless rounds of "Whose number is that REALLY and why are they lying about knowing you?" -- which, while perhaps not as disastrous as them finding out a password to a suspect website, would still be no fun at all, and could lead to unexpected unpleasant ramifications.

For anyone (of whatever age) who needs to keep certain accesses private from snoopy parents, there really is no better way than keeping it entirely in your head. What they can't find written down won't hurt you.

Generally: I know I've made a few comments on various Gawker-owned sites, but IIRC most of them allowed "guest" commenting without having to log in, and that's my preferred mode for such things. However, I've been thinking for some time now that I really needed to change my password structure (which has sort of "just growed" over the years), and this is giving me the incentive to actually get off my butt and do it.

#58 ::: Devin ::: (view all by) ::: December 13, 2010, 08:02 PM:

Re: nosy parents and passwords

There's an intermediate option, too, which is to write down passwords for stuff you don't mind your parents reading. Use different passwords for each, and make them decent.

Then memorize your usernames for the stuff you don't want your parents reading (you probably know them anyway). Use passwords off the list. Now you don't have to memorize any passwords, just which is which.

You can add a number to the end, or beginning, or whatever. That'll keep someone who has figured out the username from just trying all the passwords in your desk drawer.

#59 ::: Marilee ::: (view all by) ::: December 13, 2010, 08:29 PM:

Bob with a pseudonym, #20, mine are not on Post-its or stuck to a corkboard, but they're definitely not online.

#60 ::: LinD ::: (view all by) ::: December 13, 2010, 08:36 PM:

Except for a very few websites I log in to regularly, like my email, I generate random passwords in PasswordSafe. Without PS, I have no clue what my own passwords are. Being the paranoid realistic computer geek that I am, I have my PS files on three computers, two external hard drives, and a thumb drive. Each computer has its own PS file, so when I back things up, I don't accidentally overwrite a file I just saved a new uid/pw in. (Only have to do that once, thank you.) A friend once said she could keep all her passwords in her head. Then she saw my list. I have not only mine, but several dozen clients' login information. Ain't keepin' that in my head.

I didn't do online banking for years, not feeling the connection was secure enough. I still don't think it's secure "enough". But when four major banking institutions doing business in California had data leaked, stolen, lost, and I had accounts with three of them, I gave up the cause. I now do most of my banking and bill paying online.

#61 ::: Lyle Hopwood ::: (view all by) ::: December 13, 2010, 08:44 PM:

I managed to contact a real person at Yahoo once, I think. It didn't do any good.

I'm a member of several "Yahoogroups" and they email me the posts so I don't have to go to the web. If an email gets rejected by my email service, Cox.net, Yahoo switches off all group mailing to that address. (It's called 'bouncing'.)

Recently one of my three Cox.net emails bounced and triggered Yahoo's switch off, but this time not only included mail from Yahoogroups, but also from all my friends with Yahoo email addresses, and not only mail to the bouncing Cox.net address but to all three of them. And without any error messages to the senders, so I didn't know until I investigated and still don't know how many other emails I am missing.

I got a human tech at both Cox and Yahoo but predictably they blamed each other and when I pressed them on it they stopped responding to me.

Oh well, it's not like email is ever used for anything important. :(

#62 ::: Alan Hamilton ::: (view all by) ::: December 13, 2010, 08:44 PM:

There are a lot of ways to generate reasonably secure passwords, but that's not the problem. I could get myself to remember al$3Dvq4*ouIq if I had to. The problem is remembering one of those for each and every site you visit, and which matches with which ("Amazon -- wait, is that based on the 'everybody must get down' or 'pineapples are free and tasty' passphrase?"). Even if you consider some sites "disposable" and reuse the same password for them, you're still faced with a lot.

[Insert obligatory "But I memorized 50 character random passwords for 100 sites and change them all twice a week. It's easy!"]

Apart from using the exact same password, you can also add some sort of decoration to a standard password -- Aal$3Dvq4*ouIqmazon for Amazon, Yal$3Dvq4*ouIqhoo for Yahoo, etc. This will probably fool automated password testers, but someone looking at a list of X_password_X will figure it out pretty quickly.

Sticky note on the computer works, but not if you're not home. Keeping it in your wallet is dicey.

The password vaults sound promising, but I still get the impression that if your master password gets compromised (such as by a keystroke logger), you're really screwed.

Two factor authentication (like a code-generating hardware token) works pretty well, but few sites support them and each has their own token.

Apart from those who've memorized the 100 random passwords, I don't think there's a really good solution.
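
As an added illustration of the "decoration" point above (this is example code written for this note, not anything from the thread or from any password product): a self-audit that finds the shared core between any two passwords in your own list, which is exactly what a human looking at a list of X_password_X spots at a glance. The sample passwords are constructed here and the 8-character threshold is an arbitrary choice.

```python
"""Flag passwords that differ only by decoration around a common core.

Added example for auditing one's own password list; the inputs below are
constructed for illustration and the threshold is a stand-in value.
"""
from typing import List, Tuple


def longest_common_substring(a: str, b: str) -> str:
    """Classic dynamic-programming longest common substring (contiguous)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shared_cores(passwords: List[str], min_len: int = 8) -> List[Tuple[int, int, str]]:
    """Return (index_i, index_j, core) for every pair sharing a core of at least min_len.

    A hit means the two entries are really one password with site-specific
    decoration: leak one and the other is a trivial guess.
    """
    findings = []
    for i in range(len(passwords)):
        for j in range(i + 1, len(passwords)):
            core = longest_common_substring(passwords[i], passwords[j])
            if len(core) >= min_len:
                findings.append((i, j, core))
    return findings


# Constructed sample list: the two decorated entries from the comment above,
# plus one unrelated password that should not be flagged.
SAMPLE_PASSWORDS = [
    "Aal$3Dvq4*ouIqmazon",      # "Amazon" wrapped around a common core
    "Yal$3Dvq4*ouIqhoo",        # "Yahoo" wrapped around the same core
    "correct-horse-battery",    # independent password
]

if __name__ == "__main__":
    for i, j, core in shared_cores(SAMPLE_PASSWORDS):
        print(f"entries {i} and {j} share the core {core!r} ({len(core)} chars)")
```

Run against your own exported list, this reports each pair of entries that are the same password in disguise; the fix is a password manager generating unrelated strings rather than a cleverer decoration.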

#63 ::: P J Evans ::: (view all by) ::: December 13, 2010, 08:55 PM:

I generate a bunch of random numbers from 1 to 26 and use those as a base for passwords.
(Did it just last week, when one of my two passwords at work timed out.)

#64 ::: James D. Macdonald ::: (view all by) ::: December 13, 2010, 08:58 PM:

Avram #43: Got any clever ideas for someone who needs to protect their online activity from another person who has legitimate access to their home?

I have a poster over my desk.

The text on that poster reads "Illustrated Gift Books including DOVER paperbacks Blake's SONGS OF INNOCENCE Beardsley's RAPE OF THE LOCK Dore's RIME OF THE ANCIENT MARINER"

I can extract any number of password/username combos from that text. IGBIDPBSOIBROTLDROTAM is only the first and most obvious.

Of greater concern is the spyware that parents or snoopy others can buy to install on your computer.

#65 ::: LinD ::: (view all by) ::: December 13, 2010, 10:43 PM:

If a keylogger got the password to my password vault, which resides on my computer, the owner of the keylogger would still have to figure out how to log on to my personal computer and open the software.

My password vault minimizes after a set time, and can't be brought back to life without the password. I not only don't need to worry about some random person coming by my desk while I'm away and finding my vault open, I'm more inclined to curse at it as it minimizes 2 seconds before I'm going to use it again.

When I had it at work, I would manually minimize it when I got up from my desk. *click* done

On the opposite end of that spectrum, there was a project that had several people needing to log in to the same computers. When corporate decided we *must* change our passwords every month, the group generated a core word, and hung the one digit year and two digit month on it. Every month, I'd send email to the group saying "updated the group password." Didn't even need to tell anybody what it had been changed to.

#66 ::: David Harmon ::: (view all by) ::: December 13, 2010, 10:48 PM:

Alan Hamilton #62: If someone's put logging software on your computer, you're screwed anyway. They can just take the passwords as you type them in.

#67 ::: Sisuile ::: (view all by) ::: December 13, 2010, 11:43 PM:

praisegod @34 - hey, it took me a minute to recognize the significance of 1789, 1923, and 1649...though that might be because my internal instant memory for significant dates has a hard cutoff of 1603.

I do reuse passwords, I am ashamed to say...though usually based on security level, category, and when I set the account up - news sites and random web crap have a couple, places where I communicate have a couple, bills, work stuff, etc...I decided to partition that way, because I don't trust programs, and I don't have a set work area, and while I have my laptop, in any given week I'll use up to 5 different computers, 3 of which are public. It also means when I forget what my login to the LA times is, there are only three options, given that I know I set it up between x and y number of years ago and that it's a news site.

#68 ::: Stefan Jones ::: (view all by) ::: December 14, 2010, 12:10 AM:

I got the Gawker warning letter. I've been changing passwords. I came up with a new mnemonic scheme to help "memorize" complex passwords.

#69 ::: abi ::: (view all by) ::: December 14, 2010, 12:51 AM:

Walter Hawn@51:

In the blunt spirit of this, I'd like to just point out that if you genuinely "don't understand the problem" you're neither literate nor that bright.

But of course, that's not what you really meant, is it? You meant you don't have a problem because you're Doin It Rite, unlike all the poor tech-illiterate fools who are now scrambling to change passwords. This may or may not be true, but the question I'm left asking is, why bother to turn up here and say it in that sneering and rather adolescent fashion? What joy, or interest, or invitation to engagement did you offer your fellow conversationalists? What desire to talk to you did you hope to spark? What would have been your ideal response from the thread? Admiration of your wisdom, perhaps? A subthread of other clever souls sharing how they, too, are above the common clay?

I suspect you experienced a momentary flash of self-righteousness by posting that cynical and rather tiresome driveby, but you certainly did not add to your reputation in this community, or in any group of post-adolescent people outside your head. And let's be clear, here: it's not the fact that your password system means you haven't cause for concern that's the problem. It's your smug attitude toward others that makes your comment so jaw-crackingly dull.

Next time, if you absolutely have nothing more interesting to say (and you're a very poor creature if that's the case), try expressing yourself in formal verse.

#70 ::: abi ::: (view all by) ::: December 14, 2010, 12:56 AM:

It is possible that I am getting too little sleep these days.

#71 ::: B. Durbin ::: (view all by) ::: December 14, 2010, 01:23 AM:

Tangential note: The Honors Program had a study house with a keycoded door. There was one memorable mealtime when a friend came up to a table full of Honors students and asked, for legitimate purposes, "What's the value of pi?"

The whole table spontaneously recited "Three point one four one five nine." The friend smiled and said, "I guess I know what the current keycode is." (We went to individual ones some time after that.)

#72 ::: Terry Karney ::: (view all by) ::: December 14, 2010, 01:32 AM:

abi: It's possible.

It's also possible the commenter is an ass. I read your reply, and was momentarily confused. I read the comment and was more than momentarily confused. The level of smug is toxic, and the need for us to be clever enough to adduce that perfection in passwords is his, well it's tiresome.

I'd be willing to bet, actually, that (barring the use of some outside password generator) there are patterns to how the passwords he isn't worried about are generated.

In short, I'm no more impressed than you are.

I am happy to be able to see that I haven't been compromised (I couldn't recall if I'd ever used any of the possible sites).

#73 ::: janetl ::: (view all by) ::: December 14, 2010, 02:18 AM:

#25 ::: Cadbury Moose @ 25: Password protecting your mobile phone is a trade-off. If the information contained in the phone is more than the value of the phone, protect it but put a contact number/address on the phone so if you lose it a helpful person can return it to you. If the phone is worth more than the data, put a contact number "Home" in the directory, leave it unprotected and you may get it back.

When I had a phone that was just a phone, I didn't worry about it. Now I have an iPhone, with my email on it. Without a password, anyone who picked it up would be able to send email as me, and could start changing my passwords. My contacts list would tell them where I bank, among other things. So I have a password on it. I'm sure it's hackable*, but I love the convenience of a smart phone, and I accept the trade-off.


*because absolutely everything is hackable.

#74 ::: j h woodyatt ::: (view all by) ::: December 14, 2010, 02:18 AM:

I wonder how many other large sites are using poorly designed and/or obsolete cryptosystems, with undersized work factors, in their authorization systems as Gawker is reported to have been using. (I mean, crypt(3)... really? Really?)

p.s. Really too bad about those poor peasants, huh? Somebody should do something.
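
To make the "work factor" point concrete, here is an added example (written for this note, not Gawker's code or anyone else's from the thread) of password storage with a tunable cost. Traditional DES-based crypt(3) runs a fixed number of rounds, so its cost per guess never grows; a scheme with a stored iteration count can be raised as hardware gets faster. The record format and the iteration numbers below are assumptions for the example.

```python
"""Password storage with a tunable work factor (PBKDF2-HMAC-SHA256).

Added example. Assumed record format:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
The iteration count travels with the hash so it can be raised later
without invalidating older records.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record for storage."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, minimum_iterations: int) -> bool:
    """True when a stored record was made with fewer iterations than current policy;
    rehash at the user's next successful login."""
    return int(record.split("$")[1]) < minimum_iterations


def guesses_per_second(iterations: int, trials: int = 5) -> float:
    """Rough measure of how many verifications one core of this machine manages
    per second at the given cost; the same number bounds an attacker's rate
    per core against your stored hashes."""
    record = hash_password("benchmark-only", iterations=iterations)
    start = time.perf_counter()
    for _ in range(trials):
        verify_password("benchmark-only", record)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    for iters in (1_000, 100_000):
        print(f"{iters:>8} iterations: ~{guesses_per_second(iters):.0f} guesses/s on one core")
```

The takeaway is the ratio between the two printed rates: every tenfold increase in the stored cost is a tenfold drop in how many guesses per second a leaked database yields, which is the lever a fixed-cost hash does not have.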

#75 ::: Dave Bell ::: (view all by) ::: December 14, 2010, 02:34 AM:

I think my passwords are adequate.

They're not plain numeric or alphabetic.

One thing I have noticed is the number of sites which restrict the character-set for passwords, without telling you unless you use the forbidden characters.

xkcd may be relevant again.

#76 ::: oliviacw ::: (view all by) ::: December 14, 2010, 03:32 AM:

Another way to write down passwords while disguising them is to encode them as sums. I actually do this with account numbers - I occasionally have need to write down a bank account number (credit card number, etc) and transport it in a way that it won't be obvious what it is. So, on a post-it note, back of envelope, etc, I might scribble something like:

142.98
16.77
20.33
+ 13.98
=194.06

Where the summed amount is an accurate sum, but the preceding four values, if rewritten as a single string, make up the account number (fictitious, in this example, needless to say). It's harder when you have other characters, but you could create your own mapping scheme.

I often have little sums like this written on other papers around my desk anyway (calculating how much I've spent on a trip, how much a deposit of several checks will be, or how much an online purchase of multiple items might be, etc), so it's not something that would stand out as unusual, in my local environment.
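
As an added worked version of the sum trick (example code written for this note, not the commenter's own method beyond what is described): the digit string is cut into chunks, each chunk is written as a currency amount, and the total is computed honestly so the note passes as real arithmetic. The decoder refuses a note whose total does not check, which catches a copying error before you try the number at the bank. The account number is the fictitious one from the comment, and the chunk sizes are chosen to reproduce it.

```python
"""Hide a digit string as a column of amounts with a correct total.

Added example. Disguises the number from a casual glance only; anyone who
knows the trick reads it back directly, so treat it as a filing convention,
not as encryption.
"""
from decimal import Decimal
from typing import Sequence


def encode_as_sum(digits: str, chunk_sizes: Sequence[int]) -> str:
    """Split `digits` into chunks of the given sizes and lay them out as a sum.

    Each chunk needs at least 3 digits so it formats as "N.NN".
    """
    if not digits.isdigit():
        raise ValueError("only digits can be encoded")
    if sum(chunk_sizes) != len(digits) or any(n < 3 for n in chunk_sizes):
        raise ValueError("chunk sizes must cover the digits, each at least 3")
    amounts = []
    pos = 0
    for n in chunk_sizes:
        chunk = digits[pos:pos + n]
        pos += n
        amounts.append(f"{chunk[:-2]}.{chunk[-2:]}")   # last two digits become cents
    total = sum(Decimal(a) for a in amounts)
    lines = amounts[:-1] + ["+ " + amounts[-1], f"={total:.2f}"]
    return "\n".join(lines)


def decode_sum(note: str) -> str:
    """Recover the digit string; raises if the written total is wrong."""
    lines = [ln.strip() for ln in note.strip().splitlines() if ln.strip()]
    total_line = lines[-1]
    if not total_line.startswith("="):
        raise ValueError("last line must be the total")
    amounts = [ln.lstrip("+ ").strip() for ln in lines[:-1]]
    if sum(Decimal(a) for a in amounts) != Decimal(total_line[1:]):
        raise ValueError("total does not check; the note was miscopied")
    return "".join(a.replace(".", "") for a in amounts)


# Constructed sample: the fictitious account number implied by the comment.
SAMPLE_NUMBER = "14298167720331398"

if __name__ == "__main__":
    note = encode_as_sum(SAMPLE_NUMBER, [5, 4, 4, 4])
    print(note)
    print("decodes to", decode_sum(note))
```

Varying the chunk sizes from note to note makes the column look like ordinary receipts rather than a fixed-width code, but the scheme has no secret; its only protection is that nobody thinks to look.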

#77 ::: Serge ::: (view all by) ::: December 14, 2010, 06:15 AM:

"I'm fine too, but you can't come in unless you give the password."
"Well, what is the password?"
"Aw, no. You gotta tell me. Hey, I tell what I do. I give you three guesses. It's the name of a fish."
"Is it Mary?"
"Ha-ha. That's-a no fish."
"She isn't? Well, she drinks like one. Let me see: Is it sturgeon?"
"Hey, you crazy. Sturgeon, he's a doctor cuts you open when-a you sick. Now I give you one more chance."
"I got it. Haddock."
"That's-a funny. I gotta haddock, too."
"What do you take for a haddock?"
"Well-a, sometimes I take-a aspirin, sometimes I take-a Calamel."
"Say, I'd walk a mile for a Calamel."
"You mean chocolate calamel. I like that too, but you no guess it. Hey, what's-a matter, you no understand English? You can't come in here unless you say, 'Swordfish'. Now I'll give you one more guess."
"...swordfish, swordfish... I think I got it. Is it 'swordfish'?"

#78 ::: Kathryn Cramer ::: (view all by) ::: December 14, 2010, 06:33 AM:

I got a phishing email, allegedly from Gawker, this morning wanting me to go to a .kr website and change my password.

I also got an email from LinkedIn wanting me to go through the password reset process. That one looked legit, though I don't care enough about LinkedIn to bother right now.

#79 ::: Mark D. ::: (view all by) ::: December 14, 2010, 08:17 AM:

Remembering strings of numbers: I use the diatonic scale, either major or minor depending on the associations. If it's hummable, well and good; if it's not, it's even more memorable.

(Learned as a party trick, turning folks' telephone numbers into piano improvs with commentary.)

#80 ::: Charlie Stross ::: (view all by) ::: December 14, 2010, 08:22 AM:

One of the annoying side-effects of this is that it's made me go round a whole bunch of sites changing passwords just in case. (Not because they share a password with gawker, but Just Because.) One of the sites was the mobile phone company I use for my MyFi dongle in the UK. Just getting the fscking thing to acknowledge my existence was bad enough. Then it turns out it creates separate accounts for each phone -- and I hadn't created one for the MyFi. They use out-of-band signalling to transfer the initial password (an SMS message to the physical device) which is good, but when I get in to try and set a secure password, I get "the password must be between 6 and 12 characters long and contain letters and numbers". So much for my initial, cough, fourteen character string. And then, using a generated password containing unicode symbol characters results in some kind of screw-up between me pasting the password into the browser and their server-side program. Gaah. So I'm stuck with a weak-ish password on an account I probably didn't need, because if it detects I'm coming in from the mobile device in question it knows who I am.

Please. Can we just shoot the web developers now (at least, the ones who don't realize that anything less than a 14-character password is trivially crackable via a dictionary attack if your black hats have thought to write their cracking tool to run on OpenCL and a modern GPU) and have done with it[*] already?


[*] Online security theatre. Less physically intrusive than the TSA kind, but just as annoying.

#81 ::: Sylvia ::: (view all by) ::: December 14, 2010, 09:35 AM:


From Hacked Gawker passwords analysed

And surprise surprise, what was top of the Duo Security list in this particular spillage? “123456”. Followed by the marvellously original “password” (which was also relatively common in the RockYou leak), and then “12345678” – a slight variation on the counting theme.

The fourth most popular password was “qwerty” and then it was “abc123”.


#82 ::: Caroline ::: (view all by) ::: December 14, 2010, 10:11 AM:

Dave Bell @ 75, that makes me crazy. I give it a nice strong memorable password, built from a phrase, including letters, numbers, and special characters, and suddenly I get an error saying it can only contain letters and numbers.

No wonder so many people resort to password1, or $dog's name $birth year.

(My husband often deals with people who've forgotten their passwords. He says "Try your dog's name." When it works, they look at him in fear, because he read their mind.)

On another topic, what I like about 1Password vs. Keychain Access is that 1Password requires me to enter the master password before autofilling user/password on the web. That way, even if someone gets physical access to my machine with the screen unlocked, they can't log in to my bank account without knowing my master password.

Yet another topic: My husband and I have been considering how to make our passwords available to each other in the event of an emergency. We don't know or want to know each other's passwords in general. I have too many passwords already; no way I want to keep track of his! (Plus, you know, it's a matter of trust and privacy.) But if something happened to one of us suddenly, we'd want the other to have access.

At the moment we're thinking of putting password-vault master passwords in a fire safe, maybe also in a safe deposit box. That could be easily updated when we change master passwords, or if we change software or stop using a password vault.

Any other suggestions?

Obviously this only works when the other person can be trusted not to abuse the access. Some possible workarounds when they can't be trusted are discussed above. (This is also why I like the existence of Private Browsing mode. The jokes are easy, but consider an abused spouse who needs to secretly access resources on how to get out, or a gay kid in a violently homophobic household, or....)

#83 ::: Alex ::: (view all by) ::: December 14, 2010, 10:57 AM:

LinkedIn seems to have searched for all their user e-mail addresses, password hashes, and perhaps also names in the dump, and forced a password change for all of them.

(I know this because I'm fairly confident that I never signed up for anything Gawker with my work e-mail, but I do have a profile using my throwaway password, which I also used to sign into LinkedIn.)

#84 ::: Charlie Stross ::: (view all by) ::: December 14, 2010, 12:19 PM:

This probably explains the 2-3 friend requests I've had from LinkedIn members in the past 96 hours.

(FWIW I have zero use for LinkedIn and find the incessant join-the-borg spam annoying enough that I flag any and all messages from LinkedIn as "spam" in Gmail.)

#85 ::: Tom Whitmore ::: (view all by) ::: December 14, 2010, 01:16 PM:

janetl@73: the ability to remotely wipe all info on your iPhone (which is much less of a problem if you've been syncing it regularly with your home computer) makes it much more secure than most home systems. Someone would have to take your phone with the intent of hacking you, and do it quickly, to get around that useful feature. Of course, it's also possible to wipe it if you've merely forgotten where you put it....

#86 ::: Lee ::: (view all by) ::: December 14, 2010, 01:19 PM:

Well, it appears that I must have created an account on at least one Gawker-related site, because I got their alert message. It appears to be legit; it's a description of the problem and a warning that I should change vulnerable passwords, but doesn't suggest that I go to any particular link to do so. Password changes are in progress. I wish I knew which password I'd used for whatever site it was; none of the sites listed are in my Hints file, and there are at least 4 (with variations, more like 8) that I use in multiple places.

abi, #70: Nope. That's pretty much exactly what I thought, only more politely worded.

B. Durbin, #71: That's only a legitimate conclusion if there's no other reason for anyone in the Honors Program to know pi to 5 decimal places. And I can think of several non-math-related reasons why someone might know that offhand, of which the Vulcan Academy Cheer is only the most obvious.

Caroline, #82: I have Abine on my laptop, which does much the same thing -- you have to enter the master password before it will auto-fill your other passwords anywhere. It's worth the extra step IMO for the security in the event of loss or theft.

#87 ::: ddb ::: (view all by) ::: December 14, 2010, 01:37 PM:

Sure, I can remember two years. What I can't do is add two MORE years, and two more, and two more, and then keep track of what they all relate to.

However, the idea of remembering all my online passwords passed under the bridge over a decade ago. Once you've made that jump, making them all different and as strong as possible is easy.

I'm a happy user of KeePass; I use Windows, Android, and Maemo versions of it. It will generate passwords (of specified lengths, using specified character sets). It gives you indications of password quality (I haven't reviewed their algorithm for that).

I also use the password database in Firefox (with a master password).

KeePass or other encrypted password database product works fairly elegantly in combination with something like DropBox (free 2GB cloud storage, works on at least Mac, Windows, Linux, Android, and iPhone).

I'm currently remembering more passwords than I would have said I could 10 years ago, including at least:

Home security system
ATM card PIN
Work voicemail PIN
Work KeePass database key
Personal KeePass database key
Firefox master password (Work / home desktop / home laptop)
Personal private key password
Work private key password
Work corporate LDAP password
Work Linux LDAP password
Home fileserver password
TrueCrypt password for private volume at work
TrueCrypt password for private volume on thumb drive
Emergency gun box combination
Gun safe combination
Pistol strongbox combination
Briefcase combination lock (this is more in the line of an old thing still occupying brain cells; but since I know where the briefcase is I might as well claim credit for knowing the combination)

(those are all reasonably good passwords, at least so far as allowed; the two PINs are indeed PINs, short).

The laptop has a built-in fingerprint scanner, and is protected with that (and has a small encrypted disk area protected that way as well).

I can also tell you the password of the toy sheet metal safe I owned in 1963, and a Master combination padlock I had shortly afterwards. (Since I no longer have either, I actually will tell you those: 12-22 and 8-10-7, respectively.)

My KeePass database has a couple of hundred username / password pairs in it.

#88 ::: Terry Karney ::: (view all by) ::: December 14, 2010, 02:22 PM:

re passwords for other people.

Escrow. The easy way (for some values of easy) is to find an attorney, pay her a retainer, and deposit the information; in a sealed envelope, with instructions on when/how to release it.

The attorney need not know what is in the envelope; and snooping isn't really possible (on the part of the party for whom they are intended). If you can't trust the lawyer, well that's the problem of trust isn't it?

#89 ::: Carrie S. ::: (view all by) ::: December 14, 2010, 02:54 PM:

That's only a legitimate conclusion if there's no other reason for anyone in the Honors Program to know pi to 5 decimal places. And I can think of several non-math-related reasons why someone might know that offhand, of which the Vulcan Academy Cheer is only the most obvious.

Indeed, I know pi to several more decimal places than 5, and I can never remember the Vulcan Academy Cheer. Plus I'm an English major. (Was an English major?)

#90 ::: Linkmeister ::: (view all by) ::: December 14, 2010, 03:08 PM:

I wish there was a way to erase from memory numbers I no longer need to remember.

The license plate number for our 1959 white Oldsmobile was California TAN 169.

#91 ::: Tom Whitmore ::: (view all by) ::: December 14, 2010, 03:13 PM:

Linkmeister @90: those old numbers (though not that one any more!) can make excellent passwords -- because there's really very little to connect them to you other than your memory. Fiddle around with capitalization, and you've got something that's about as secure as any password of that length.

#92 ::: Stefan Jones ::: (view all by) ::: December 14, 2010, 04:18 PM:

#90: Tell me about it.

The string to instruct a Western Digital 1002 controller card to start a low level format of an attached hard drive is G=c800:5

I haven't used that knowledge in 20 years and will likely never use it again.

#93 ::: Ginger ::: (view all by) ::: December 14, 2010, 04:25 PM:

Stefan @ 92: The boot sequence for my brother's Apple IIe was PR#6. I haven't used it in more than 25 years -- but can I remember passwords that I occasionally use now?

#94 ::: SeanH ::: (view all by) ::: December 14, 2010, 04:36 PM:

I'm interested (and slightly alarmed) that a number of people's online banking system is protected only by a password! My bank's system involves sending me a little card-reading device with a keypad. When I want to log in to my account, I have to put my bank card in the reader and enter my PIN, which prompts it to spit out an 8-digit one-time code, which I enter on the website to be allowed access. Is this security theatre? It seems as least as secure as using a cash machine.

#95 ::: Steve C. ::: (view all by) ::: December 14, 2010, 04:52 PM:

My bank prompts me with one of my security questions if I'm logging on from a computer I haven't used before (or in a while).

#96 ::: Lee ::: (view all by) ::: December 14, 2010, 05:12 PM:

Tom, #91: Good point! Perhaps I should start using some of my high-school friends' phone #s as passwords. I still remember them, so I ought to get some use out of them.

SeanH, #94: My bank's security system is a 2-stage log-in. First I enter my username (which is not the same as any other ID I use), and if I'm on an unfamiliar computer it prompts me with one of 3 security questions; then it presents me with a picture I selected from a large database, and a phrase underneath which I devised. If either of those are incorrect, *I* know that something is wrong, and can back out before entering my password. It's a very secure system AFAICT, and they adopted it before having any sort of security breach.

#97 ::: Tom Whitmore ::: (view all by) ::: December 14, 2010, 05:23 PM:

If those old phone numbers had letter prefixes, they're even better, Lee @96 -- and frequently those letter prefixes stood for words that are long enough to make a relatively secure password.

#98 ::: Linkmeister ::: (view all by) ::: December 14, 2010, 05:29 PM:

Tom @ #97, kinda like Beechwood 45789. (Quick, somebody, hum the tune to get us started!)

#99 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: December 14, 2010, 06:34 PM:

Tom Whitmore @ 91:

I still use the address I lived at when I was 12 as a password; it's now 52 years and 3,000 miles away.

Hmmm, wonder if it's still there? Quick, to the GoogleMobile! Interesting, Street View shows the house is still there, doesn't look a lot different. That's a little surprising; it was the cheapest house on that end of the street, a duplex with a renter living on the other side. I would have expected someone to buy it up and bulldoze the house to put a McMansion there. Not that I'm complaining.

#100 ::: Roy G. Ovrebo ::: (view all by) ::: December 14, 2010, 06:37 PM:

SeanH @ #94, Lee @ #96:

That's not dissimilar to what my bank uses - first stage is the "personal number" (Norwegian equivalent of social security number - not at all secure really) - second stage is a card-reading thingamajig that gives a six-digit one-time code _plus_ you enter a personal password.

And one thing they got very very right: When you log in you get told the last time someone logged in to your bank account, or tried to. If it wasn't you that time, there's something wrong...


For secure passwords, there's always stuff lying about - the model designation on an old hard drive, or on a remote control or something. There's enough random letter/number combinations printed on stuff in the average household.

#101 ::: Nicole J. LeBoeuf-Little ::: (view all by) ::: December 14, 2010, 08:28 PM:

Lee @96: Bank of America implemented that about 3 years ago or so.

abi, possibly getting too little sleep @70, I think I shall commit your 69 to print, to file, and to memorization. Along with key phrases to Patrick's post that you linked to.

"This doesn't affect me (thus I don't have to care) because I, unlike you cretins, am Doin It Rite"

and

"I don't see why you're so Surprised (and I can tell you're Surprised because you are Outraged; meanwhile note well my Superior World-Weariness that insulates me from giving a damn*)"

...have got to be two of the most obnoxious things in discourse on or offline today.

*related: "When I was Your Age I got offended by that too (but now I am too mature and enlightened to take offense as easily as you do, poor little thin skinned person; but don't worry, one day you'll Grow Up to be Mature Like Me and you'll feel the way I do)."

I need shorter summaries of my pet peeves.

#102 ::: Nicole J. LeBoeuf-Little ::: (view all by) ::: December 14, 2010, 09:16 PM:

Oh, and Dave Bell @75,

One thing I have noticed is the number of sites which restrict the character-set for passwords, without telling you unless you use the forbidden characters.

And sometimes they don't even tell you then.

I went to set up online billing with a local utility company. The very first time I tried to log in after creating my username and password, I failed and failed. Frustrated, I used the "Forgot your password?" link and went to reset my password.

This time I paid more attention as I typed in my preferred password. Each letter became an asterisk on the screen. And when I got to the non-alpha-numeric character? No asterisk showed up. They were silently excluding forbidden characters, thus causing me to create a password that was unknown even to myself.

Not Cool, People.
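
The failure mode Nicole describes, reproduced as an added example (not code from any commenter or from the utility in question): a registration form that silently drops "forbidden" characters before hashing, paired with a login form that does not, so the stored credential never matches what the user types. The hardened version accepts any character and hashes the raw bytes unchanged; a `reject_forbidden` helper is included for systems that genuinely must restrict the character set, and it fails loudly and names the offending characters. The forbidden set and the usernames are illustrative assumptions.

```python
import hashlib
import hmac
import os

# Character set the legacy form is assumed to forbid (an illustrative guess,
# not taken from any real site).
FORBIDDEN = set("<>&\"'")


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 over the raw UTF-8 bytes. The hash does not care which characters
    # the password contains, so there is no technical reason to restrict them.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class SilentlyStrippingSite:
    """The bug: registration drops forbidden characters without telling the
    user, while login hashes exactly what was typed."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, username: str, password: str) -> None:
        cleaned = "".join(c for c in password if c not in FORBIDDEN)
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(cleaned, salt))

    def login(self, username: str, password: str) -> bool:
        salt, stored = self.users[username]
        return hmac.compare_digest(_hash(password, salt), stored)


class HonestSite:
    """The fix: no transformation anywhere, so what the user typed at
    registration is what they must type again at login."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        salt, stored = self.users[username]
        return hmac.compare_digest(_hash(password, salt), stored)


def reject_forbidden(password: str) -> None:
    """If a system truly must restrict characters, refuse the password at
    submission time and say exactly which characters were the problem."""
    bad = sorted(set(password) & FORBIDDEN)
    if bad:
        raise ValueError("password may not contain: " + " ".join(bad))


def demo() -> dict:
    """Register the same password on both sites and try to log in."""
    typed = "corr&ct-horse"          # contains a forbidden '&'
    stripped = "corrct-horse"        # what the buggy site actually stored
    silent = SilentlyStrippingSite()
    silent.register("nicole", typed)
    honest = HonestSite()
    honest.register("nicole", typed)
    return {
        "silent_site_login_with_typed_password": silent.login("nicole", typed),
        "silent_site_login_with_stripped_password": silent.login("nicole", stripped),
        "honest_site_login": honest.login("nicole", typed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The first result is the "password unknown even to myself" case: the only string that logs in is one the user never chose.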

#103 ::: Serge ::: (view all by) ::: December 14, 2010, 09:20 PM:

Nicole @ 102... Aren't you shocked, shocked, to find that some computer processes appear to have been designed by drunken baboons?

#104 ::: Rob Rusick ::: (view all by) ::: December 14, 2010, 09:35 PM:

Nicole J. LeBoeuf-Little @101: "When I was Your Age I got offended by that too (but now I am too mature and enlightened to take offense as easily as you do, poor little thin skinned person; but don't worry, one day you'll Grow Up to be Mature Like Me and you'll feel the way I do)."

Billy Joel's 'Angry Young Man' and (to a lesser extent) 'We Didn't Start the Fire' hit this note for me, which is why I don't care for either of the songs.

#105 ::: Lee ::: (view all by) ::: December 14, 2010, 09:39 PM:

Rob, #104: I hear "We Didn't Start the Fire" as almost exactly the opposite of that -- more of a "Hey, look in the damn MIRROR when you say that!" from the younger generation to the older one.

#106 ::: Elliott Mason ::: (view all by) ::: December 15, 2010, 12:50 AM:

Another great source of already-remembered information for reasonably-secure passwords: fictional proper nouns, especially belonging to the kinds of high-fantasy cultures or alien species who believe punctuation is a great way to write down phonemes, or that there should be no arbitrary top limit to the number of vowels or consonants one can string together in a row and still have a usable word. :->

At least it avoids dictionary-lookup exploits. Sometimes you can chain multiples together. And it leads to a great way of leaving yourself nonobvious reminder notes.

Hypothetical, fairly-insecure example: you could write "Amazon: mentorship" on your password-hints sheet, for a password actually consisting of "G4nd4lfY0d4".

Both those works are really too popular to be on the list of appropriate sources for this generation system, imho. Best if it's some obscure 1970s weird novel or other, famous to fans but unknown to anyone else. Ideally, out of print. :->

#107 ::: abi ::: (view all by) ::: December 15, 2010, 01:07 AM:

Remember, if you L33t your vowels, you can always increment your l33ted vowels, or nines-complement them (l44t them, or l66t them).

#108 ::: janetl ::: (view all by) ::: December 15, 2010, 02:09 AM:

Tom Whitmore @ 85: the ability to remotely wipe all info on your iPhone (which is much less of a problem if you've been syncing it regularly with your home computer) makes it much more secure than most home systems. Someone would have to take your phone with the intent of hacking you, and do it quickly, to get around that useful feature. Of course, it's also possible to wipe it if you've merely forgotten where you put it....

With my brand new iPhone 4, I have signed up for a free service that lets me remotely locate it on a map, lock it, or wipe it. The reason that I have a brand new iPhone 4 is that I misplaced my iPhone 3. After hunting high and low, I bought a new phone. I found the old one 24 hours later, in the pocket of a different coat than I remembered wearing. I clearly have too many coats.

That sort of app is available for Androids, too. The Apple one is only free for the new 4.

Even with the ability to lock or wipe as soon as I notice I've lost the phone, I still like having it password protected all the time. This kind of behavior is reinforced by working in an office where I'm required to lock my keyboard every time I walk away from my desk, and chain up my laptop if I leave it on my desk overnight. The culture seems to have slacked a bit lately, but it used to be encouraged to snatch and hide laptops that weren't chained, and to send startling emails from laptops that were left open and unattended.

#109 ::: Gray Woodland ::: (view all by) ::: December 15, 2010, 04:49 AM:

Elliott Mason @ 106: I have a soft spot for proper names from my own stories - specifically, stories I've never shown to anybody. I then mangle them through an unvarying personal algorithm which I shall not specify.

Perhaps my favourite of these password-bases is the True Name of a certain character, which I can never forget because of its relation to her English-translated use-name, but which does not appear even in the draft MS, since nobody in-book is ever going to use it.

I have yet to come up with anything half as secure that I have the remotest chance of remembering.

#110 ::: Jacque ::: (view all by) ::: December 15, 2010, 12:30 PM:

...And then, of course, there are the sites that send you acknowledgement emails, with your username and password in freakin' cleartext.

WhhhhhaaaaaaaaaaaAAAA!????

#111 ::: Tom Whitmore ::: (view all by) ::: December 15, 2010, 01:52 PM:

Janetl@108 -- yes, password protection is a Good Thing. It slows down the casual person who might want to grab your info after stealing your phone; but as the default password thingy only allows you to use four numerical digits, it's hardly very secure. Secure enough to slow most casual thieves down long enough for you to wipe it. And the locating service allows you to check to see if you'd just left it at home....

#112 ::: Ralph Giles ::: (view all by) ::: December 15, 2010, 01:53 PM:

I note in passing that Tor.com won't serve the account settings page over https, and so sends one's updated password in cleartext over http.

Fortunately, relevant humans are easier to reach in this case. :)

#113 ::: albatross ::: (view all by) ::: December 15, 2010, 02:26 PM:

abi: Don't you mean lcct them for complementation?

#114 ::: Caroline ::: (view all by) ::: December 15, 2010, 02:27 PM:

Linkmeister @ 98, or PEnnsylvania 6-5000, which is still the local telephone number for the Hotel Pennsylvania.

#115 ::: albatross ::: (view all by) ::: December 15, 2010, 02:30 PM:

Charlie Stross:

Yeah, it's bizarre that so many sites have limits that weaken passwords, and frustrating as hell that many different sites have weird additional password rules for no apparent reason. (No more than 8 characters, no special characters, no dictionary words, at least one number, one uppercase, and one lowercase, etc.)

There are related and even more frustrating problems with lots of other information--ZIP codes, SSNs, credit card numbers, etc. I mean, I can see why in 1998, you needed to roll your own credit card data entry screen. But by now, the problem has been solved in many intelligent ways. So why in God's name is it still commonplace to find that spaces aren't allowed in entering the credit card number, or that they're mandatory, or....

#116 ::: Charlie Stross ::: (view all by) ::: December 15, 2010, 03:36 PM:

Albatross @115: why in God's name is it still commonplace to find that spaces aren't allowed in entering the credit card number, or that they're mandatory, or....

* Headdesk*

Circa 1997-2000, when I was writing credit card settlement servers for Datacash (who were absorbed by Mastercard last month: immortality of a kind), I learned really fast that folks like to type spaces or dashes in their credit card numbers because -- who knew? -- 16-digit numbers are hard to check by eyeball! And it took two extra lines of code on the server side to strip out spaces or dashes before sanity checking the input (after stripping out the dashes and white space, is what I'm left with a 16-digit number? Do the leading four digits correspond to a recognized card type and issuer? Is the final digit a valid Luhn checksum?).

This stuff is not only not rocket science, it takes the developer about a couple of hours to document, implement and test (even on a system that overall took them person-years to build). It's trivial.

But don't get me started on idiot web form content filtering; the number of online stores I've met that won't accept the first line of my address as a valid street address ... it is to weep.
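
The three server-side sanity checks Charlie lists, written out as an added example (not Datacash's code or anything from the original thread): strip the spaces and dashes people type between digit groups, reject anything else rather than silently dropping it, confirm the leading digits and length match a known scheme, and verify the Luhn check digit. It goes a little beyond the comment's "16-digit number" by accepting the full 13 to 19 digit PAN range (so Amex's 15-digit numbers pass), and the issuer table is a small illustrative subset chosen for the example, not a real BIN list. The sample inputs are the well-known industry test numbers.

```python
import re

# Illustrative issuer table keyed by leading digits (an assumption for the
# example; real processors consult full BIN tables). Each entry is
# (scheme name, accepted prefixes, PAN lengths that scheme issues).
ISSUER_RULES = [
    ("American Express", ("34", "37"), (15,)),
    ("Discover", ("6011", "65"), (16,)),
    ("Mastercard", ("51", "52", "53", "54", "55"), (16,)),
    ("Visa", ("4",), (13, 16, 19)),
]


def normalize_pan(raw: str) -> str:
    """Drop the separators humans type; reject anything else out loud."""
    digits = re.sub(r"[ -]", "", raw.strip())
    if not digits.isdigit():
        raise ValueError("card number may contain only digits, spaces and dashes")
    if not 13 <= len(digits) <= 19:  # PAN length range permitted by ISO/IEC 7812
        raise ValueError(f"card number length {len(digits)} is out of range")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9 from
    any doubled value above 9, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identify_issuer(pan: str):
    """Return the scheme whose prefix and length match, or None."""
    for name, prefixes, lengths in ISSUER_RULES:
        if pan.startswith(prefixes) and len(pan) in lengths:
            return name
    # Mastercard's newer 2221-2720 range is easiest as a numeric comparison.
    if len(pan) == 16 and 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    return None


def validate_card_number(raw: str) -> dict:
    """Run the checks in order and report the cleaned PAN and its issuer."""
    pan = normalize_pan(raw)
    issuer = identify_issuer(pan)
    if issuer is None:
        raise ValueError("unrecognized card prefix or length")
    if not luhn_valid(pan):
        raise ValueError("check digit does not match (typo?)")
    return {"pan": pan, "issuer": issuer}


if __name__ == "__main__":
    # Constructed inputs: published test numbers, typed the way people type them.
    for sample in ["4111 1111 1111 1111", "3782-822463-10005",
                   "4111 1111 1111 1112", "4111 1111 1111 111x"]:
        try:
            print(sample, "->", validate_card_number(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Note that the Luhn check is a typo detector, not a security control: it catches a single mistyped digit or most transposed pairs, which is exactly the "hard to check by eyeball" problem it was designed for.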

#117 ::: Steve with a book ::: (view all by) ::: December 15, 2010, 03:38 PM:

Nicole J. LeBoeuf-Little@102:

This time I paid more attention as I typed in my preferred password. Each letter became an asterisk on the screen. And when I got to the non-alpha-numeric character? No asterisk showed up. They were silently excluding forbidden characters, thus causing me to create a password that was unknown even to myself.

Not Cool, People.

Not cool at all... but: it's not as though the password field is deliberately trying to hide the number of characters you've typed and simultaneously making efforts to distract you while you're typing. I'm looking at you, Lotus Notes, you evil replication-save-conflict-generating pile of extruded quasi-database product. Look at the animation in the link, and shudder.

#118 ::: David Harmon sees gun-control spam ::: (view all by) ::: December 15, 2010, 03:46 PM:

Albatross #115, Charlie #116: Bruce Tognazzini dubbed that sort of thing "let's you save me some trouble" (meaning the programmer's attitude). An amazing amount of trouble could be avoided if reading through his site was required to get a Programming License. ;-)

#119 ::: Jeremy Leader ::: (view all by) ::: December 15, 2010, 03:58 PM:

albatross@115: I think it's a form of cargo-cult security:

To get a secure system, some rules are needed, and some of them may cause inconvenience or restriction.

Therefore, the more rules, and the more inconvenient and restrictive they are, the more secure the system must be, right?

#120 ::: DavidS ::: (view all by) ::: December 15, 2010, 03:59 PM:

Lee writes "First I enter my username (which is not the same as any other ID I use), and if I'm on an unfamiliar computer it prompts me with one of 3 security questions; then it presents me with a picture I selected from a large database, and a phrase underneath which I devised."

My bank uses this system as well, and I'm confused as to what the advantage is. It seems to me that, if someone were mounting a man-in-the-middle attack against me, they could grab the picture and the passphrase just as easily as they could grab my account information. Could someone explain what sort of attack this defends against? I've always been curious.

#121 ::: joann ::: (view all by) ::: December 15, 2010, 04:14 PM:

David #118:

Still needs to reset his username ...

#122 ::: Serge ::: (view all by) ::: December 15, 2010, 04:39 PM:

Charlie Stross @ 116... This stuff is not only not rocket science, it takes the developer about a couple of hours to document, implement and test (even on a system that overall took them person-years to build). It's trivial.

It definitely is. One finds though that, when the work is being done not by programmers, but by code crunchers to whom the system is a black box, people get scared of straying from the path that goes thru ObviousLand.

#123 ::: gun-control spam sees David Harmon @ #118 ::: (view all by) ::: December 15, 2010, 05:22 PM:

When you look at the spam, the spam is also looking at you.

Or something.

Ahem.

#124 ::: David Harmon ::: (view all by) ::: December 15, 2010, 06:01 PM:

joann #121: Gaah. I tried changing it back, but apparently it didn't stick. Firefox needs a right-click menu item for "clear form history"...

#125 ::: Jacque ::: (view all by) ::: December 15, 2010, 06:24 PM:

David Harmon @124: But not entirely a bad thing when it prompts things like @123 (providing a laugh much needed today).

#126 ::: Jeremy Leader ::: (view all by) ::: December 15, 2010, 07:36 PM:

DavidS@120, I think the point isn't to defeat man-in-the-middle attacks, but just to defeat much simpler (and apparently more common, based on the spam I get) static phishing sites.

#127 ::: Linkmeister ::: (view all by) ::: December 15, 2010, 07:47 PM:

David Harmon, Shift+Delete removes extra names from your suggested list in Firefox.

#128 ::: Stefan Jones ::: (view all by) ::: December 15, 2010, 07:56 PM:

If Yahoo had handled the situation better, would we consider them feckfull?

#129 ::: Mike McHugh ::: (view all by) ::: December 15, 2010, 08:05 PM:

Serge @122: even if the work is being done by programmers, the spec they're working from could originate from, well, levels of Executiveness that map quite neatly to Hell. I've seen form input fields in flames^W^W with bugs filed against them because a VIP was/was not able to put a space in his phone number.

#130 ::: David Harmon ::: (view all by) ::: December 15, 2010, 08:20 PM:

Linkmeister: Thank you!

Jacque #125: #123 is cute, but I fear my sense of humor is currently impaired by trying to make sense of the Medicare site. (My current plan is being discontinued this year. :-( )

#131 ::: Tom Whitmore ::: (view all by) ::: December 15, 2010, 11:20 PM:

Stefan Jones @ 128: fecundity, not feckfulness, I think.

#132 ::: shadowsong ::: (view all by) ::: December 16, 2010, 04:28 AM:

Stefan Jones @128 and Tom Whitmore @131: Etymonline.com says they're not related. "Feckless" comes from a Scottish shortening of "effect"; "feckful" is the opposite but never made it out of obscurity. (Effect comes from Latin "ex (out) + facere (to do)", as in what comes out of action.)
Latin "fecundus" made it to English virtually unchanged; the root "fe-" is associated with fertility and is also used in "fetus" and "female".
</pedant>

#133 ::: Dave Bell ::: (view all by) ::: December 16, 2010, 05:59 AM:

There are worse things: error messages from Microsoft email systems when the central server system for a UK government department is down.

#134 ::: Serge ::: (view all by) ::: December 16, 2010, 10:11 AM:

Mike McHugh @ 129... Actually, the specs used by code crunchers to whom the system is a black box tend to be written by people to whom the system is a black box.

#135 ::: Mike McHugh ::: (view all by) ::: December 16, 2010, 11:31 AM:

And, as we all know, bugs like the dark. (Which would turn QA into bringers of light, and so we arrive here.)

In The Fairytale Of The Well Specced Project, the third coder to undertake the task drinks from the Well Of Knowledge with the Custodian Of The Facts, where their predecessors relied on mere maps.

#136 ::: Jacque ::: (view all by) ::: December 16, 2010, 11:40 AM:

David Harmon @130: I fear my sense of humor is currently impaired by trying to make sense of the Medicare site. (My current plan is being discontinued this year. :-( )

I suppose it's no consolation at all that Mercury is in retrograde and It's Going Around. Hell, even my boss commented on it yesterday. (We just had two new software launches in the last two weeks, and the user population is, how do we say this, Not Happy.)

(And I got reprimanded yesterday for not arguing with them that things could have been handled...um—better.)

#137 ::: Jacque ::: (view all by) ::: December 16, 2010, 11:43 AM:

Oh, slick!

In my previous post, I accidentally put a start-ital <i> at the end of the quoted text, so when I hit Preview, the text in the "Write here:" field came up with two stop-itals </i></i> Then, when I corrected my stop-ital, the two added stops disappeared on the next Preview.

Technology is very cool, when it works.

#138 ::: David Harmon ::: (view all by) ::: December 16, 2010, 11:55 AM:

Yeah, I'm hardly the only one feeling a little ragged lately. I do try to keep things in perspective.

#139 ::: Tom Whitmore ::: (view all by) ::: December 16, 2010, 12:09 PM:

Shadowsong @132 -- has anyone ever told you the best way to kill a joke was to try to explain it? (The meanings are so intensely different, it's hard for me to imagine that anyone who has both words in their vocabulary would consider that anything other than a pun...)

#140 ::: Earl Cooley III ::: (view all by) ::: December 16, 2010, 12:24 PM:

Ever since my college days, I've planned to one day write a coffee-table book called "101 Best Jokes Ruined (Illustrated)".

#141 ::: Lee ::: (view all by) ::: December 16, 2010, 01:49 PM:

Ton, #139: If that was supposed to be a pun, you were stretching it to the breaking point. It didn't look like anything but a non-sequitur from here.

#142 ::: Lee ::: (view all by) ::: December 16, 2010, 01:51 PM:

Agh, the ohnosecond! That was supposed to be Tom @139...

#143 ::: ddb ::: (view all by) ::: December 16, 2010, 02:28 PM:

albatross@115: Well, a number of your "strange" rules come straight from best-practices advice for picking secure passwords circa 1995 (and most are still true; or a stronger generalization of the same advice is still true).

It's the sites that reject passwords that conform to best-practices for secure passwords that massively piss me off.

I also get very pissed off by sites that tell me that my name isn't a valid human name. It's not like hyphenated names are anything new! (Mine comes down from my great-grandfather.)

There are a number of sites at which I am some variant of "illegalname" because no version of my real name that I'm willing to accept is accepted by their site.

#144 ::: ddb ::: (view all by) ::: December 16, 2010, 02:32 PM:

Gray Woodland@109: I then mangle them through an unvarying personal algorithm which I shall not specify. Mmmm, yes. I have a fairly clever scheme for frequently-updated passwords (such as are required at work currently), which the security on this website is not high enough to contain.

I always wonder what people who write articles about clever password-forming algorithms actually use for their own passwords.

#145 ::: Lenora Rose ::: (view all by) ::: December 16, 2010, 02:39 PM:

So far I refuse to write my passwords down at all; however, I have a file on my computer listing all the websites for which I have passwords. Because if anyone but me can figure out the actual password from the remarks "Fish!", or, "A lycanthrope or an artist, extra capital on the point of anguish", they'd have to be closer to my brain than my husband or my best friends can get.

However, I still need to generate a few new ones. I still have a six-letter string on at least one barely-secure site. Nonessential stuff, but still...

I had the most fun, though, coming up with answers to the special security questions for changing a password; things people who live with me would be able to use if I were out of commission, but which have "other" answers that are more common. A favourite that's now out of use and thus safe enough to admit to, was the question, "Who Sings 'Oops, I Did It Again?'" (Patrick can almost certainly get it in one.)

#146 ::: Tim Walters ::: (view all by) ::: December 16, 2010, 03:00 PM:

Lenore Rose @ 145: "Who Sings 'Oops, I Did It Again?'"

Richard Thompson, of course! I don't think I've ever heard the original...

#147 ::: Lenora Rose ::: (view all by) ::: December 16, 2010, 03:17 PM:

Sigh. THREE syllables, please. (Sorry. I'm still sore that I had to remind someone this week at a workplace I've been at off and on for a couple of years.)

There's apparently another cover of the song that's even weirder (Punk or thrash or some such), but I can never remember the band.

#148 ::: Dave Weingart ::: (view all by) ::: December 16, 2010, 04:47 PM:

Tim @146, the cover is far, far superior to the original

#149 ::: praisegod barebones ::: (view all by) ::: December 16, 2010, 05:24 PM:

This one? (Possibly particled here before, since I can't imagine where else I would have learnt of its existence.)

#150 ::: Tim Walters ::: (view all by) ::: December 16, 2010, 06:05 PM:

Lenora Rose @ 147: Sorry about that!

#151 ::: TexAnne ::: (view all by) ::: December 16, 2010, 06:12 PM:

PGBB, 149: That's brilliant! It was new to me...and ooh, did you see his "Ballet in a Box"? It starts with a danced fugue! I'm going to remember Daniel Pi. His aesthetic is right up my alley.

On the topic of Yahoo's fecklessness, they seem to have decided to shut down del.icio.us. So...what do they still have that's useful? Is Flickr it?

#152 ::: David Harmon ::: (view all by) ::: December 16, 2010, 07:22 PM:

Lenora Rose #147: the side panel from praisegod's link offers both Britney's version and one by "Children of Bodom". I haven't listened to the latter yet, but does that sound familiar?

And yeah, Daniel Pi's video is cool, though I have to agree with one of the commenters -- three of him talking at once is totally unintelligible.

#153 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: December 16, 2010, 07:24 PM:

Stefan Jones @ 128:

I just think of them as constantly fecking up.

#154 ::: TexAnne ::: (view all by) ::: December 16, 2010, 07:30 PM:

David Harmon, 152: That was the point! He was explaining fugues WITH A FUGUE. You can't follow each individual line of a fugue--you just have to enjoy the whole, snatching bits of the theme as you go.

#155 ::: David Harmon ::: (view all by) ::: December 16, 2010, 08:04 PM:

Texanne: Oh, I got the point, but that trick works better for music than speech!

Also, "Children of Bodom" -> Ow, my ears! I guess that's "thrash", but my tastes are old-fashioned enough that I'd drop a "redundant" letter from that....

#156 ::: Allan Beatty ::: (view all by) ::: December 16, 2010, 09:25 PM:

Mike McHugh @ 145: Custodian of the Facts: Also known as a Subject Matter Expert. Value them when you find genuine ones. But as for the ones who are just making it up as they go along, well, you can do that for yourself.

DDB @ 143: Some newspaper site wouldn't accept my email address, for whatever reason I forget. So I'm known to them as sales@theircompany.com.

Texanne @ 151 asking what Yahoo is still good for: Yahoo Groups suck differently than Google Groups.

#157 ::: cd ::: (view all by) ::: December 17, 2010, 04:26 AM:

David Harmon, #155: Children of Bodom generally tend to be classified as death or black metal by those who care about such things - the subdivisions of the metal genre are manifold and varied! But à chacun son goût, as they say.

#158 ::: shadowsong ::: (view all by) ::: December 17, 2010, 05:45 AM:

Tom Whitmore @139: Oh, definitely yes. :) And that people who destroy jokes by over-explaining are usually referred to as pedants, hence my close-pedant tag. Mostly I just looked up feckless on Etymonline to see where it came from, and felt like sharing.

#159 ::: shadowsong ::: (view all by) ::: December 17, 2010, 06:19 AM:

Lenora Rose @147: Doll Factory is the band I thought of (post-punk/electronica/industrial), but it turns out I was remembering their cover of "Hit Me Baby One More Time". It was quite fun watching goth kids, hearing it for the first time, realize why it sounded so catchy and familiar.

#160 ::: Kevin Reid ::: (view all by) ::: December 17, 2010, 10:12 AM:

Charlie Stross #116: I heard, once upon a time, that the reason you couldn't type spaces in credit card numbers was that (a) the credit card company wanted to receive 16 digits and nothing else, and (b) the merchant was obligated to not transform the data before sending it on.

Is there any truth whatsoever to this, anywhere?

#161 ::: ddb ::: (view all by) ::: December 17, 2010, 11:34 AM:

Kevin Reid@160: When I was setting up online credit card processing (from the merchant side, and somewhat more recently than Charlie was on the processor side), the company we worked with didn't convey to me that I wasn't allowed to transform the data in any way. I don't remember exactly what they'd accept, at this point (or at least I'm not confident about my memory).

#162 ::: Tom Whitmore ::: (view all by) ::: December 17, 2010, 02:17 PM:

Shadowsong @158 -- smile back. And maybe the fecking maroons out there will smile too....

#163 ::: Charlie Stross ::: (view all by) ::: December 17, 2010, 02:38 PM:

Kevin @160: the merchant was obligated to not transform the data before sending it on.

There was nothing about that that I recall in the APACS protocol specifications in the mid-to-late 1990s. (APACS: what UK banks use as a standards agency for coordinating payment systems. Visa and Mastercard don't operate payment networks in the UK; rather, they're franchise businesses, and the high street banks operate the payment networks.)

#164 ::: abi ::: (view all by) ::: December 17, 2010, 02:57 PM:

Completely beside the point of credit card processing: APACS sent me flowers once.

#165 ::: Lis Riba ::: (view all by) ::: December 17, 2010, 03:14 PM:

Just a tangent regarding the writing down of passwords.

It may be valuable to keep some kind of record of your account credentials in a secure location, and inform someone you trust where they are.

Heaven forfend anything should happen to incapacitate you, but if something bad does occur, you might want somebody else to either access accounts on your behalf or close them out to prevent unauthorized access.

Just a thought...

#166 ::: Bruce Cohen (Speaker to Managers) ::: (view all by) ::: December 18, 2010, 12:20 AM:

Just to show how contemptuous some programmers are about the needs and requirements of users, I once worked on a project where a bug report was entered stating that a particular business requirement for the product catalog creation web app we were working on was not being implemented correctly. I looked in the code at the place where it should have been, and found a comment from the guy who'd worked on it[1] to the effect that he disagreed with the requirement and wasn't going to implement it, despite that the business analysts had labelled it a critical item for the release.


[1] A person I'd never had any respect for, whom the management for some reason believed could do no wrong. I probably don't need to tell you that I spent much of my time on that project cleaning up after him.

#167 ::: Glenn Hauman ::: (view all by) ::: December 18, 2010, 04:27 PM:

Kevin @160 & Charlie @163: the merchant was obligated to not transform the data before sending it on.

I remember that there were some ugly hoops you had to go through in the early days-- we had to pull credit card numbers off of the internet encryptor and then run them through a phone line for verification, then reverse the process once approved. This is what the great heroic early days of the web were like.

I do vaguely remember the 16 digit no space requirement, but it could be due to the mists of memory, and I dumped all of the tech docs after the legal deposition that informed me I'd missed out on being an Internet millionaire five times instead of just three.

#168 ::: Earl Cooley III ::: (view all by) ::: December 18, 2010, 05:28 PM:

A business requirement with which I disagree? I would have filed that as a Tier 0 design flaw in the bug-tracker.

#169 ::: Steve Halter ::: (view all by) ::: July 20, 2011, 12:26 PM:

I changed my yahoo password when this came out--and since.

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 by Patrick & Teresa Nielsen Hayden. All rights reserved.