LastPass feature request

Ghost in the Shell Laughing Man shirt

There is no enforced standard for passwords for a web site, so they can be all over the place for requirements. Nor do sites typically explain what the exact standards are before a failure. And then most will state the minimum and types of characters. But too many leave out the maximum number of characters allowed, so I end up experimenting to figure out something as strong as I can get. One of my favorite blogs is Password Requirements Shaming.

Web sites almost certainly record the password to a variable. Hopefully they then encrypt it and store the hash instead of recording the password as plain text. I use LastPass’ password generator to create something typically 40 characters [1] long and try it. Almost always that results in an error that my password is too long and the limit is actually something shorter. There are some frustrations with how sites handle these cases:

  1. It would be nice if more sites would check the password with JavaScript and report if it is too long or too short, has bad characters, or does not match in both locations. Very rarely do they check that it is too long. Most just check that they match. Letting me know before I submit it keeps me from wasting my time.
  2. In HTML, maxlength defines how many characters the input element will accept. I sometimes look at the HTML to select what password length to generate, but there is no guarantee that the maxlength is reflective of what will work. It fails to help so much I have gotten out of the habit.

Arbitrariness with password policies probably pushes people toward more insecure practices through simplification. This is The Paradox of Choice.

It occurred to me that LastPass developers could solve this problem for me. If LastPass knew the password requirements for a site, then it could preset the generator to the maximum length that will fit. When I go to create a password for a site, then it could work the first time instead of taking 2-5 tries to find something that finally works. Most users are lazy and would not change the preset, so passwords would tend to be stronger. [2]

Admittedly, it usually works on the second try once I’ve nailed down the maximum number of characters allowed.
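The generator preset proposed above, together with the pre-submit check from the list, can be sketched as follows. This is an added example, not LastPass code: `samplePolicy`, `checkPassword` and `generatePassword` are hypothetical names, and the policy values are constructed.

```javascript
// Added example: hypothetical names throughout; not LastPass code.
// Use the browser's Web Crypto; fall back to Node's copy when run outside a browser.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const LOWER = 'abcdefghijklmnopqrstuvwxyz';
const UPPER = LOWER.toUpperCase();
const DIGITS = '0123456789';

// Constructed policy for an imaginary site: what a password manager would
// need to know in advance (minimum, maximum, accepted characters).
const samplePolicy = { minLength: 8, maxLength: 20, allowed: LOWER + UPPER + DIGITS + '!@#$%' };

// Uniform index in [0, n) by rejection sampling, which avoids modulo bias.
function randomIndex(n) {
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Report every problem at once, before the form is submitted.
function checkPassword(policy, password, confirmation) {
  const problems = [];
  if (password.length < policy.minLength) problems.push(`too short (min ${policy.minLength})`);
  if (password.length > policy.maxLength) problems.push(`too long (max ${policy.maxLength})`);
  const bad = [...new Set([...password].filter(c => !policy.allowed.includes(c)))];
  if (bad.length) problems.push(`characters not allowed: ${bad.join(' ')}`);
  if (confirmation !== undefined && confirmation !== password) problems.push('entries do not match');
  return problems;
}

// Generator preset: default to the longest password the site accepts.
function generatePassword(policy, length = policy.maxLength) {
  const chars = [...new Set(policy.allowed)];
  if (chars.length < 2 || chars.length > 256) throw new RangeError('unusable character set');
  if (length < policy.minLength || length > policy.maxLength) throw new RangeError('length outside policy');
  let out = '';
  for (let i = 0; i < length; i++) out += chars[randomIndex(chars.length)];
  return out;
}
```

The same `checkPassword` rules have to be enforced again on the server, since anything running in the browser can be switched off.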

[1] Originally I would try 50 characters, but I eventually relaxed that down a bit. Occasionally, I go through brief periods where I just try 30 or 32.

[2] See Nudge: Improving Decisions About Health, Wealth, and Happiness and its discussion of organ donation rates for how this would work.

Undercounting Stats

Michael Feldstein posted on Twitter:

Seeing signs that Google Analytics significantly undercounts. Any recommendation for easy, reliable db-based WordPress analytics?

I knew Google Analytics relies on JavaScript to measure what users are doing. Bots typically do not execute JS, so they go undercounted. That is OK, probably even great depending on how much they annoy me. It occurred to me that browsers now have incognito modes, and a desirable feature while in that mode would be to not execute known JS stats.

A response to Michael was:

Maybe try Jetpack? Has analytics built in.

I looked at the HTML for my own site. Jetpack appears to be JavaScript based as well.

Looking at Jetpack’s stats, though, I noticed a significant spike in traffic on September 27th. It got 487 hits compared to around 200 each day two weeks prior and since. Details for that day said my Nationalism post had 267 hits compared to my normal leader the Quotes to Make You Think. This made me curious. So I looked up the same day in Google Analytics. No spike in GA. So I pulled the raw access logs. The hits exist, but almost all were from a single IP. No visits to this page according to GA. Impressively disconcerting. I expected from Google Analytics 1 hit for the DSL user with 200+ hits, maybe 1 for the IP with no reverse DNS, and 0 for the Facebook bot.
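The hits-versus-clients comparison described above can be run directly against a raw access log. This is an added example, not the tooling used for the post; the log lines, IP addresses, path and date are all constructed.

```javascript
// Added example. Log lines are constructed: documentation IP ranges, made-up path and date.
const line = (ip, path, ua) =>
  `${ip} - - [27/Sep/2020:10:00:00 +0000] "GET ${path} HTTP/1.1" 200 5120 "-" "${ua}"`;
const sampleLog = [
  ...Array.from({ length: 20 }, () => line('198.51.100.7', '/nationalism/', 'Mozilla/5.0')),
  line('192.0.2.10', '/nationalism/', 'Mozilla/5.0'),
  line('203.0.113.5', '/nationalism/', 'ExampleBot/1.0'),
  line('192.0.2.10', '/quotes/', 'Mozilla/5.0'),
  'garbage line that does not parse',
].join('\n');

// Combined Log Format: ip ident user [day:time zone] "method path proto" status bytes ...
const CLF = /^(\S+) \S+ \S+ \[([^:\]]+):[^\]]*\] "\S+ (\S+)[^"]*" \d{3} \S+/;

// Hits per client IP for one page on one day (day written as in the log, e.g. 27/Sep/2020).
// The path is matched exactly, so a request with a query string counts as a different page.
function hitsByIp(logText, day, path) {
  const counts = new Map();
  for (const row of logText.split('\n')) {
    const m = CLF.exec(row);
    if (m && m[2] === day && m[3] === path) counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  return counts;
}

// Hits versus distinct clients: a large gap means the spike is a few machines, not an audience.
function summarize(counts) {
  const ranked = [...counts.entries()].sort((a, b) => b[1] - a[1]);
  const total = ranked.reduce((sum, [, n]) => sum + n, 0);
  const [topIp, topHits] = ranked[0] || [null, 0];
  return { total, distinctIps: ranked.length, topIp, topHits, topShare: total ? topHits / total : 0 };
}

const report = summarize(hitsByIp(sampleLog, '27/Sep/2020', '/nationalism/'));
```

In the constructed sample a hit counter would report 22 hits for the page, while a per-client count shows 3 clients, one of which made 20 of the requests.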

Anyway, I looked at various WordPress plugins. I think WP Slimstat is the db-based WP analytics I will check out. It looks mature and seems pretty consistent with what I see in the hits. Too bad I did not add this a long time ago so I can compare Slimstat to GA and Jetpack. Will have to let it collect data and do this again.

Good thing I enjoy this stuff.

Context Menu

Almost everyone using a computer to access the Internet uses the left click on a link to go to its location. Exceptions might be left handers who switch the buttons on a mouse, those using screen readers, or similar small niche users of the Internet.

I tend to multi-task, so I will scan a page and open all potential links I want to check in a new tab. The way I accomplish this is the browser’s context menu with a right click on the link. In both Mozilla Firefox and Google Chrome, the open in new tab (or window) options are the first ones.

Since exactly what I wanted to check does not persist in my memory, opening them all up in their own tabs lets me not have to remember. I can just circle back through the tabs.

So any time a web designer changes the context menu so it is not there, my blood pressure rises.

A decade ago, web designers were terrified of people stealing photos and source code, so they would disable the context menu. Back then, I would turn off JavaScript from running, go to the page, download their images and source code, then email it to them as a proof of concept that all they did was annoy people.

Today, it seems my nemesis is a support portal where the right click on a link operates the exact same as a left click. At least Ctrl+Click still opens the item in a new tab, which is what I want. I did not name the company in hopes it takes them longer to break my workaround too.

P.S. It appears that they keep track of the last page visited, but updating a ticket does not make it the last one visited. So I end up somewhere else.
🙁

Apple Trying To Poach IE6 Users

Attempted to watch the Transformers 3 trailer, but apparently Chrome on Linux was a no-go for the JavaScript which hides the web site and displays the trailer. Fancy but broken. So I thought I would look at the HTML and get the .mov file. I found this snippet of code in the HTML quite interesting.

<!--[if lt IE 7]>
<div id="ie6-message">
<h2>You are currently using an outdated browser.</h2>
<p>Please upgrade to a <a href="http://www.apple.com/safari/">modern browser</a> to fully experience this site.<p>
</div>

Where most places would have someone upgrade to a newer version of the software they are currently using, Apple is trying to poach Microsoft users. Bravo! Bravo!

How Not To Break a Frame

Correct:

<script language="Javascript" type="text/javascript">
if (top != self)
{
  top.location = window.location;
}
</script>

Incorrect:

<script language="Javascript" type="text/javascript">
if (top != self)
{
  top.location = "/webct/urw/lc18361011.tp0/logonDisplay.dowebct";
}
</script>

The problem with Incorrect is that the address used here is not the address in the location bar. The one in the location bar has the values required to log in. Instead I get something which causes users to be unable to log in. Example: So we send someone to http://westga.view.usg.edu. They get redirected to another address in which we provide the glicid, insId, and insName. Correct breaks the frame and gives the browser back the same address. Incorrect breaks the frame and gives the browser back a different, non-functional address. Bad. Bad. Bad.

WebCT Vista 3 used the Correct JavaScript which just passes back the address used. Blackboard Vista 8 for some reason changes what worked to Incorrect.
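The difference between the two scripts can be checked mechanically by resolving each frame-break target the way the browser does and looking for the login parameters. This is an added example, not Blackboard's code; the host and parameter values are constructed, while the parameter names and the path come from the post.

```javascript
// Added example, not Blackboard's code. Host and parameter values are constructed;
// the parameter names and the path are the ones quoted in the post.
const REQUIRED = ['glicid', 'insId', 'insName'];
const HARDCODED = '/webct/urw/lc18361011.tp0/logonDisplay.dowebct';
const framedHref = 'https://vista.example' + HARDCODED +
  '?glicid=EXAMPLE&insId=12345&insName=Example%20College';

// Where the browser lands after `top.location = target` runs in a document at `href`:
// a relative target resolves against the document's own URL, like any link.
function frameBreakDestination(target, href) {
  return new URL(target, href);
}

// Names of required login parameters that the destination no longer carries.
function lostLoginParams(target, href, required = REQUIRED) {
  const dest = frameBreakDestination(target, href);
  return required.filter(name => !dest.searchParams.has(name));
}

// "Correct": hand back the address the framed page already has.
const correct = lostLoginParams(framedHref, framedHref);
// "Incorrect": a hardcoded path, which resolves with an empty query string.
const incorrect = lostLoginParams(HARDCODED, framedHref);
```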

Yay for first day of classes.
🙁

UPDATE 1:

It gets better… Bb Vista’s Custom Login and Institution List pages are unaffected (aka use the Vista 3 style JS). Only going to the generated logon page, loginDisplay.dowebct, has the issue.

Watermarks

So far I have either been oblivious or lucky. Some people like my pictures which could mean they are downloading them and even representing them as their own. No amount of HTML or JavaScript technology can prevent this. Even watermarks have questionable efficacy as people get better.

Google’s Picasa is my current image editor. With it, I am able to manipulate photographs easily prior to posting them online. For everything it does, Picasa does a fantastic job. One of two things* it lacks is adding a watermark. If it automatically did this at the time a photo was saved, then I would definitely be a happy user. Maybe it will hit the features of Picasa 3?

Years ago, I knew how to add a nice watermark in seconds with Photoshop 6 and 7. Over the last hour or so I have been playing with GIMP to accomplish the same. This has been slow going. First, in GIMP 2.2.3, the software crashed each time I opened the text tool. Now that I am on 2.4.5, the text tool works. Second, I have not found anything similar to the hand tool.

I followed a GIMP watermarking tutorial for one as it was better detailed than another I attempted to follow and was frustrated at not being able to find what it told me to use.

So, I am curious…. What do you use for watermarking your images?

* The other is splicing together multiple images.

links for 2007-11-23

On the Fourth through Sixth Loops of Ready 2 Wear

I really have to stop listening to the same song played over and over. It may affect my thinking….

We had another node crash due to the Sun JVM issue. Our start script failed to make a file in /var so the node did not become fully operational as expected. While waiting for those with permission to delete some stuff to free up space, I went looking for what I could delete myself. Naturally /var/tmp seemed a likely place. I found 1,171 files named Axis#####axis. (Replace the #s with well… numbers.) They used up only 42MB. Most were small. Looking across all our machines there are thousands of these dating back to February of this year.

I love the Unix file command. It will tell you what kind of files are there. So I used file | sort -k 2 to sort by the type. Almost all of the files were either plain text or JPEG or GIFs. One file, called a “c program file”, turned out to be a JavaScript (based on the C syntax). I downloaded a JPEG file locally, renamed it to have the .jpg extension, and opened it in an image viewer. It opened correctly. Seems it’s a graphic of a table.

It would seem our Blackboard Vista 3 has been collecting these files for months. They do not take up very much space. There are not nearly enough files to represent a download of content by all users. Our /var would fill up hourly in that case.

Axis is an Apache SOAP project. Vista’s exposed APIs use Axis, I believe. So, the running hypothesis is several of our campuses are using a product which is contacting the APIs to upload content. It’s spread out enough that all four clusters are affected. It’s something that started about February.

Suspect #1 Respondus – Chosen because we know it hits the APIs to upload content. Discounted because the content is lecture materials. Respondus works with assessments (aka quizzes, tests, exams).

Suspect #2 Impatica – Chosen because the JavaScript file references PPT. Impatica compacts PowerPoint (aka PPT) files and allows them to play without needing a PPT player. Their support pages teach users how to use the Campus Edition 4 user interface to upload content into a course. O-kay….

Suspects #n Softchalk, Diploma, Microsoft .Learn, etc. – I haven’t really investigated any of these. They are just names to me at the moment.


UPDATE: So… There is a bug in Axis which dumps these files into the file system. The files can be deleted as long as they are not current.

Joke: Security Via JavaScript

So, you are teaching an online class. Students cheating naturally is a concern. How does one prevent them from stealing answers?

  • Code in the online class system? Unfortunately, the makers of the learning management systems lag behind the creativity of cheaters. Plus, they can only control their systems. How do they enforce security in the web browser, desktop / laptop, cell phone, classroom, or any other environment?
  • JavaScript? This is the most laughable solution. I’ve known how to disable JavaScript in browsers I use since 1999. I’ve never met a JS security solution I could not beat by simply turning off JavaScript. With Firefox and the Web Developer toolbar it literally takes two clicks. People like it because it’s cheap. I guess you get what you pay for in this case.
  • Code in the operating system? Dozens of software applications are designed to prevent cheating by controlling what can be done with the desktop or laptop. Certainly this appears to be the most comprehensive solution. However, it often means students go to a proctored environment. What’s the point of taking a class online if I have to go to a classroom?
  • Cameras? The only solution that deals with the possibility of face-to-face or cell phone type collusions. These work by catching students exhibiting suspicious behavior. Students will have to figure out how to act naturally.

The better the solution, the more expensive and less likely to be purchased. Instead, we’ll use cheesy JavaScripts because students are dumb. They’ll never figure it out. Unless by never you mean with a simple Google search.

Once Through the Firewall

Sites like eMessenger are often very useful. I once memorized the URLs to AOL’s and Yahoo’s web-based IM clients. When I started keeping my bookmarks online that made it easier. Occasionally I have found myself needing to chat without being able to start up a client. For instance, going off to a training or workshop somewhere with a limited wireless network. The HTTP port (for the web) is so ubiquitous that no one would block it. Which means services like this would work.

eMessenger

What is e-Messenger? e-Messenger is a web application that enables you to chat with your MSN, AOL and Yahoo buddies without having to install any program or Java applet. All you need is a JavaScript enabled browser and you’re set to go and use e-Messenger, even if you’re behind a firewall.