Password security

I’ve been thinking about password security recently. Like many people I generally use one “strong” password for most of my access in cyberspace. The memorable strong password idea is definitely an improvement over the oldskool practice of changing a password every several weeks, which invariably led people to write down their passwords, making security as flimsy as the yellow post-its they were written on.

Hence the memorable strong password. To count as strong, most guidelines recommend a generous mix of the four sets of characters available on the keyboard:

lowercase letters
uppercase letters
numbers
symbols (e.g. $, @, ., <, etc.)

There are many ways of making a memorable strong password. The one to avoid is simply substituting numbers for vowels: cracking tools apply those substitutions as rules on top of their word lists, so p4ssw0rd falls as quickly as password. Say you have a strong password that’s memorable to you because it combines the year your parents got married, let’s say 1976, with a phrase you like, such as “Let the good times roll!” It’s easy to turn those ingredients into a strong, memorable password, such as 76/L#gtr!19, in just a few steps:

1976 Let the good times roll! (the ingredients)
1976 Ltgtr! (the initials of the phrase with the punctuation intact.)
76/Ltgtr!19 (splitting the year and inserting another punctuation mark after the first numerical part)
76/L#gtr!19 (replacing the t for “the” with a symbol)

The result mixes all four character classes, appears in no dictionary even after the usual letter-for-digit swaps are undone, and is built from two things you already know, so it is easy to remember and never needs to be written down. Its strength still rests on the phrase: a famous quotation or song lyric is a weaker starting point than something only you would pick.
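As an added example (not code from the original post), the following Python checks the two properties the post asks of a “memorable strong” password and reproduces the recipe above. The LEET_MAP substitutions and the tiny WORDLIST are constructed for the example and stand in for a real cracker’s rule set and dictionary; the function names are this example’s own.

```python
import re

# Character classes the post wants mixed: lowercase, uppercase, digits, symbols.
def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

# Digit/symbol-for-letter swaps a rule-based cracking dictionary undoes before comparing.
# Assumed mapping for the example, not an exhaustive cracker rule set.
LEET_MAP = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
            "0": "o", "$": "s", "5": "s", "7": "t"}

# Constructed toy word list standing in for a real cracking dictionary.
WORDLIST = {"password", "letmein", "welcome", "sunshine"}

def deleet(candidate: str) -> str:
    """Undo the swaps and lowercase, so p4ssw0rd becomes password."""
    return "".join(LEET_MAP.get(ch, ch) for ch in candidate).lower()

def in_dictionary(candidate: str) -> bool:
    """True if the candidate is a dictionary word once the swaps are undone."""
    return deleet(candidate) in WORDLIST

def build_password(year: str, phrase: str) -> str:
    """The post's recipe: phrase initials with trailing punctuation kept, '#' standing
    in for the word 'the', wrapped in the two halves of the year with a '/' after the first."""
    words = phrase.split()
    trailing = re.search(r"\W*$", phrase).group(0)   # e.g. "!" from "roll!"
    initials = "".join("#" if w.strip("!?.,").lower() == "the" else w[0] for w in words)
    return year[2:] + "/" + initials + trailing + year[:2]

def is_strong(password: str) -> bool:
    """Strong in the post's sense: all four classes present and not a de-leeted dictionary word."""
    return len(character_classes(password)) == 4 and not in_dictionary(password)

if __name__ == "__main__":
    pw = build_password("1976", "Let the good times roll!")
    print(pw, sorted(character_classes(pw)), "strong:", is_strong(pw))
    for weak in ("password", "p4ssw0rd", "P@$$w0rd"):
        print(weak, "-> reads as", deleet(weak), "| in dictionary:", in_dictionary(weak))
```

Running it shows 76/L#gtr!19 passing both checks while p4ssw0rd and P@$$w0rd both collapse to password, which is why vowel substitution alone buys nothing against a rule-based dictionary attack.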

However, it only takes one shady cybercafe or one phishing site to steal your password, which might very well be the same password you use for your banking, email, and more. Is there a way to create many passwords that are just as strong, but customized for each site you use in such a way you can type it almost automatically?

I believe there is. What if you combined your strong password with an element of the site’s name? The sky is the limit on the possibilities, but if the same pattern is always used, each password should be instantly recallable.

Say you have passwords for Amazon, Gmail, and Paypal. You could take the first two letters of each and put them over the last two numbers of your password to keep it relatively short:

76/L#gtr!Am Amazon
76/L#gtr!Gm Gmail
76/L#gtr!Pa Paypal

The passwords are short, quickly typeable, easily memorable, and completely different. Or if you prefer, you could use the first and last letters, or the first two vowels, or some other consistent rule, and put them in a different place in the strong password structure. Just keep the rule simple for you and non-obvious to anyone who gets hold of one of the results. Here’s a variation using the last two letters of the site name, capitalized, replacing the L# of the strong password structure:

76/ONgtr!19 Amazon
76/ILgtr!19 Gmail
76/ALgtr!19 Paypal

Again, the passwords are all strong, and all so easily memorable they should never need to be written down. But this technique’s true value lies in the uniqueness of the passwords. Should someone learn your Amazon password, it will not open your Gmail or Paypal accounts as-is, which is what defeats the automated replay of stolen credential lists against other sites. The caveat: anyone who looks at a stolen password and recognises the site-derived part can guess the rule and try it on your other accounts, so this protects against bulk reuse, not against someone who targets you specifically.

A couple of closing thoughts. Unfortunately there are still many sites that only allow alphanumeric passwords, so no punctuation symbols can be used. For these, keep the password as strong as possible with lowercase, uppercase, and numbers, and make it a few characters longer to make up for the smaller character set.

Secondly, if you’re a traveler, make sure your password can be typed quickly on the keyboard of any country you’re likely to be in. Some of the punctuation symbols on the US layout do not appear on other countries’ keyboards, or require “dead keys” to produce, which may not register as single characters in a password field. For instance, our straight double quotation marks are absent from many layouts. Symbols like |, [, and ^ also might not appear on international keyboards, or could require additional keystrokes to type even where they do. It’s probably best to limit the symbol set for your password to symbols universally used in math or on the Internet, such as # . , @ ! + - / etc. See Wikipedia’s article on keyboard layouts for more information.
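As an added example (not code from the original post), the following Python derives one password per site with the two rules shown above, checks each result against the portable symbol set recommended for travelers, strips symbols for sites that only accept alphanumerics, and measures how much of the base password two leaked site passwords have in common. The template strings, the rule names, and the function names are this example’s own, not the post’s.

```python
# The base password built earlier in the post.
BASE = "76/L#gtr!19"

# The post's two site-tagging rules as templates: '{tag}' marks where the site-derived
# letters go. Rule names and the placeholder are this example's own.
RULES = {
    "first-two-letters": ("76/L#gtr!{tag}", lambda site: site[:2].capitalize()),
    "last-two-upper":    ("76/{tag}gtr!19", lambda site: site[-2:].upper()),
}

def derive(rule: str, site: str) -> str:
    """Apply one of the post's rules to a site name."""
    template, tag = RULES[rule]
    return template.format(tag=tag(site))

# Symbols the post calls universal: present on most national layouts, no dead keys needed.
PORTABLE_SYMBOLS = set("#.,@!+-/")

def nonportable_symbols(password: str) -> set:
    """Symbols the post warns may be missing or awkward on foreign keyboards."""
    return {ch for ch in password if not ch.isalnum() and ch not in PORTABLE_SYMBOLS}

def alnum_only(password: str) -> str:
    """Fallback for sites that reject punctuation: drop the symbols, keep everything else."""
    return "".join(ch for ch in password if ch.isalnum())

def common_template(p1: str, p2: str) -> str:
    """What two same-length site passwords reveal about the base: matching positions
    are kept, differing positions are masked with '?'."""
    if len(p1) != len(p2):
        raise ValueError("compare same-length passwords")
    return "".join(a if a == b else "?" for a, b in zip(p1, p2))

if __name__ == "__main__":
    sites = ["Amazon", "Gmail", "Paypal"]
    for rule in RULES:
        pws = [derive(rule, s) for s in sites]
        print(rule, pws, "all distinct:", len(set(pws)) == len(pws))
        print("  two leaked passwords reveal:", common_template(pws[0], pws[1]))
    print("non-portable symbols in", BASE, ":", nonportable_symbols(BASE) or "none")
    print('non-portable symbols in 76/L^gtr"19 :', nonportable_symbols('76/L^gtr"19'))
    print("alphanumeric-only fallback:", alnum_only(BASE))
```

The common_template output is the check worth running on your own rule: with either rule, two leaked passwords expose nine of the eleven characters of the base, which is the caveat behind “unique per site”.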


Pogo

Eye candy is pretty, by definition. But too much is too much, and AT&T’s new browser, Pogo, seems to suffer from the vast amount of resources demanded by its attempt to make the most mundane Web tasks (finding a bookmark, for instance) a breathtaking overdose of eye-catching beauty. Here’s Ars Technica’s review of Pogo.

It’s an interesting concept, and I don’t want to go back to the days when a copy of Netscape Navigator 1.22 fit on a single floppy disc, but Pogo seems way too far ahead of its time in terms of realistic user resources. And just when you thought 2 gigs of RAM was enough… Pogo!


CSS Naked Day!

In honor of CSS Naked Day, styles have temporarily been disabled. They’ll return tomorrow, April 10th, in the meantime, give a moment’s thought to how much CSS adds to the web.


Browser Hell, 2008

This is a presentation I gave to the Web Standards and Usability Users Group meeting on April 8. The title is way too pessimistic. I should’ve changed it to “Browser Purgatory,” but that doesn’t really have the same je ne sais quoi pas.


Thank you, to the IE 8 team

To anyone involved in designing with CSS and semantic HTML to support Web standards, Internet Explorer has been the constant thorn in our side. IE5, IE 5.5, IE6, and IE7 have been the seemingly endless source of a Microsoft-generated ocean of frustration:

  • deviant box model
  • DOCTYPE switching
  • no min- or max- widths or heights
  • no variable-opacity PNG support
  • no SVG support
  • inability to serve XHTML as application/xhtml+xml

and the sad list could go on. Many of these faults have been addressed and corrected, but the increased support has come incrementally, over the last six or seven years. However, earlier this year Microsoft announced that IE 8 passed the Acid2 test, an important demonstration of support for most key CSS properties. Yesterday they made that good news quite a bit sweeter by announcing that the default rendering mode for IE8 will be its highest level of standards support, reversing a previous plan that would have required designers to include a special X-UA-Compatible meta tag in their pages to trigger IE8’s standards rendering mode.

See also Microsoft’s announcement.


Regex help

An excellent tool for regex testing is Regex Coach by Edi Weitz in Germany. It makes one of the most painful coding tasks a lot less odious, thanks to real-time colour-coded highlighting of matches and a simple, intuitive interface. The only limitation I’ve discovered is in character support: strangely, considering its European origins, it doesn’t support the Euro symbol “€”. That’s not likely to be a major flaw for anyone checking regex syntax, and for that the tool is an indispensable aid.


Gmail vs. HTML Validator in Firefox

I’ve been having problems this past week with Firefox freezing up when I’m using Gmail. Fortunately I found the cure today: if you’re using the HTML Validator extension (and if you’re not, you should be!), right-click on its icon in the status bar, select “Disable for mail.google.com.” in the pop-up window, modify the address to say just “mail.google.com,” and click on the “Block” button; it should populate the large list area beneath it. Click “Close” and you’re done! (Solution found at the Gmail Help Discussion group.)


But I want it ugly and nothing less!

Anyone who’s worked in Web design can relate to this:
http://www.makemylogobiggercream.com/


Dirty Tricks?

I don’t hate Microsoft, per se. But I do hate dirty tricks, no matter who’s doing them. And this is what I found as an ad at the XML Files today: “Linux Reference Center” linking to anti-Linux pages on You-Know-Who’s website. Some of the rotating ads there use another image that says “Linus Reference Center, Sponsored by Microsoft.” Some of the ads link to http://devx.com, apparently to give a more neutral appearance to the MS propaganda zone. Was that harsh? Maybe, but I don’t think M$’s “Linux Reference Center,” no matter where it’s hosted, is going to be the place to learn objectively about Linux. Just a feeling.


ASP Explore

Ever wanted to just test some simple ASP scripts, or maybe individual functions, without going through the rigmarole of setting up a server on your desktop and explaining to it that no, you don’t want to build a world-eating, enterprise-worthy website right at the moment?

I recently discovered ASP Explore, and it fits the bill. It’s essentially a super-light Web browser that opens ASP files as well as HTML files; perfect for spot-checking ASP files or learning the technology. It also comes with a “setup maker” that lets you not only bundle ASP files into a package, but turn them into an executable file for easy installation on another system.

Since I’m studying ASP now, ASP Explore is a great help. Try it out.
