Wednesday, March 08, 2017

 

Tech Thoughts


After a spate of heavier topics, I like to throw a changeup and do something lighter.  These may register as first world problems, and they are.  But I’m guessing some of these opinions are widely shared.

--

Tech writers love to extol the virtues of password managers.  Password managers are programs that store (and sometimes generate) your passwords for you: you just have to remember the master key.  The idea is that many of us reuse passwords from site to site, just to have a chance in hell of actually remembering them, but that means that someone who gets a hold of your password to one site can probably use it against you on others.

Theoretically, of course, the same could be said of password managers themselves.  If there’s a master key password that lets you into all of my accounts, and you get that, I’m in much worse shape than if you just cracked one.  

The companies that make the password managers know that, so they often require “two factor authentication” for the master key.  I use 2FA for my gmail and bank accounts.  When I log on from a new machine and enter my password, it triggers a text from gmail to my phone with a six digit code.  When I enter the code, then I’m in.  That way, if someone managed to get my password, she still couldn’t break into my account unless she also stole my phone, and got the passcode for that.  None of that would stop someone with NSA level access, but it should stop the random opportunist.

Of course, if someone hacks the database of the password manager company, that’s that.  There’s something counterintuitive about securing all my accounts by giving all the passwords to somebody else.  If their company goes bust or their server has a hiccup, I’m out of luck.

I’ve also never seen a password manager that works across enough devices.  As a platform agnostic, my home contains devices running iOS, Android, Chrome OS, Windows, and whatever Kindles and Fire TV devices use.  Dashlane, for instance, doesn’t work on chromebooks.  Some others don’t work on Kindles or Fire TVs.  And some really struggle if you have multiple accounts on the same site, such as gmail.  

A few years ago, I had hopes that biometrics would free us from the tyranny of passwords.  But I’m much more skeptical now.  If someone steals my password, I can change it to a new one.  If someone steals my thumbprint, I don’t have a lot of options.  

So for now I’m stuck with more passwords than I can remember.  Surely there’s a better way.

--

Over the last few months, several possible cable tv killers have emerged.  Vue, Sling, and now YouTube offer variations on live streaming services that could allow people to skip cable packages altogether and thereby save money.

From what I can tell, they aren’t quite there yet.  But I really like the direction.

Cable tv companies have exploited their natural monopolies in exactly the way economics textbooks tell us to expect.  When I moved in 2015 from a place with one cable provider to a place with two, my monthly bill dropped by $100.  That gave me a pretty visceral sense of the level of monopoly rent they were charging, simply because they could.

One major flaw with the new alternatives is that they still largely rely on wifi, which in most areas is delivered only by...wait for it...the cable company.  With the new administration signalling a retreat on net neutrality, I wouldn’t be surprised to see cable companies try to recoup on the back end what they’re losing on the front.  Eventually, wireless speeds and consistency may break the chokehold of cable, but we’re not there yet.  In the meantime, I’d expect to see cable companies grab what they can, while they can.  It won’t be pretty.

But if ever a technology deserved to be disrupted, it’s this one.  The alternatives aren’t fully baked yet, but I’m rooting for them.  When the day comes that I can finally cut the cord, I’ll celebrate with song and feasting.  

Comments:
Your instincts re: passwords are good.

For a password manager, honestly, you can do worse than writing your passwords down on a piece of paper and keeping it in your wallet - https://www.schneier.com/news/archives/2010/11/bruce_schneier_write.html . We've got a pretty mature set of security procedures around "securing small valuable pieces of paper", and if your wallet is lost/stolen you've already lost documents that would help an attacker get access to your bank accounts, etc. This still is very decent security against the attack that is the biggest risk for most of us, which is re-used passwords getting identified in a mass password leak and then used against other accounts.

Using 2FA as you are with email is a _very_ good idea, because email accounts - the places where "forgot my password" links get sent - are especially important to secure. The next step up from text messages would be getting a hardware key like a yubikey ( https://www.yubico.com/start/ ).
 
Re: cable alternatives:
We looked into this a month or so ago, ran all the numbers for all the services (not every service has ALL the channels we watch, so we'd need a variety to get the "same" as we have now).

Turns out that after paying for wifi (so there's that) and the various subscriptions the price is about the same, +/- a buck or two. Not worth the hassle.

C1
 
You're much better off using a password manager than not using one. Most password managers store your passwords encrypted with your master password. If you pick a good master password, it should be very difficult to steal your passwords even if someone hacks into the site where your passwords are stored. If you don't feel safe keeping your passwords with a service like 1Password, you can use KeePass which stores your passwords locally but you're responsible for syncing up your password files and copying them across devices. I've been using KeePass for a few years but I'm planning to move to 1Password.

You should keep your master password and some of your critical passwords (e.g. email, bank) written down at home. If you are worried about someone stealing them there (e.g. the babysitter), you can lock them up. Otherwise, a notebook on your desk is probably fine.
 
LastPass is top-notch and fairly platform agnostic - it is supported on Mac, Windows, iOS, Android, ChromeOS, and Kindle Fire (not sure about the TV one, though). You get one platform free, and the rest for $12/year.
 
I use a self-generated variant of two-factor for some cases where I need different passwords or regularly updated passwords but don't want to write them down. It is really quite simple. Make up a reasonably long text string, based off of a memorable statement, that you will use as the base of a group of passwords. It may or may not be d!s3mv0w3l3d or CaMeL HuMpEd. Then pre-pend or post-pend some variable string that you can write down because it changes on an as-needed basis (like a one-time pad). The primary part is never written down.
 
Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?