Tag Archives: security

“Privacy”

Fingerprint (not mine – combination of this image and this image)

Maybe you’ve noticed that Facebook is separating its messenger application from its mobile application. “That’s strange,” you think, “I like things the way they are. They’re integrated, which works well. Why would they change that?” Good question. According to Facebook, there are lots of reasons that your new experience will be richer and better.

But, according to this article on the Huffington Post, users who download the Messenger app agree to terms of service that are “unprecedented and, quite frankly, frightening.” For example, by installing it, you agree that the Facebook Messenger app can:

  • call phone numbers and send text messages without your intervention
  • record audio, take pictures, and take video at any time without your confirmation
  • share data about your contacts
  • share your phone’s profile information, including the phone number, device IDs, whether a call is active, and the remote number you are connected to
  • access a log of your incoming and outgoing calls, emails, and other communication

Some of these are a bit scary — recording me without my confirmation? Who are you, the NSA? But maybe you’re not surprised that Facebook is collecting and sharing your information, because users get the app for “free,” which basically means you pay for it with your data. And anyone who agrees to those terms and conditions gets what they signed up for, right? Well, what if something similar was happening on the World Wide Web? Spoiler alert: it is.

Think turning off cookies keeps websites from tracking you? Take a look at the Electronic Frontier Foundation’s Panopticlick. Even if you don’t let websites store cookies — small files that websites use to track you — on your machine, it’s likely that the combination of your operating system, browser version, browser plugins, time zone, screen size, fonts downloaded, and a few other configurations are as unique as a fingerprint. And websites recognize you by your device’s fingerprint every time you visit.

In fact, your browser history alone is another giveaway. Think about how links to sites you have visited are purple while links you haven’t are blue, then consider this thought experiment: If a website picked a handful of websites and linked to them on its webpage, it would learn about you when you visited based on your combination of blue and purple links. As the number of links grows, there would be a greater and greater chance that your specific combination would be unique. And, based on your combination of blue and purple, and the demographics of visitors to those sites, some information about you could be predicted. For example, if you have visited Martha Stewart’s website on your computer and I’ve visited Hot Rod Magazine’s website on mine, a website could predict a few ways in which we are different. And, again, the longer the list of links, the more accurate the prediction becomes.
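Added example, not from the original post: the arithmetic behind Panopticlick’s “one in N browsers” result and the blue/purple-link thought experiment, run on a small constructed population. Each attribute is worth -log2(share of browsers that match it) bits, and a combination is unique once no other record matches it; the population, its attribute values and the link names are all made up for the illustration.

```python
import math

# Constructed population of eight browsers (made-up values, not survey data).
# Each record holds the attributes the post lists plus "visited": one bit per
# link in LINKS, 1 = purple (visited), 0 = blue (not visited).
LINKS = ["site-A", "site-B", "site-C", "site-D"]  # placeholder link targets
POPULATION = [
    {"os": "Windows 7",    "browser": "Chrome 36",  "plugins": "Flash", "tz": "-240", "screen": "1366x768",  "fonts": "Arial",     "visited": "1010"},
    {"os": "Windows 7",    "browser": "Chrome 36",  "plugins": "Flash", "tz": "-240", "screen": "1366x768",  "fonts": "Arial",     "visited": "0110"},
    {"os": "Windows 7",    "browser": "Firefox 31", "plugins": "Flash", "tz": "-240", "screen": "1920x1080", "fonts": "Calibri",   "visited": "1010"},
    {"os": "Windows 7",    "browser": "IE 11",      "plugins": "PDF",   "tz": "-300", "screen": "1366x768",  "fonts": "Arial",     "visited": "0000"},
    {"os": "OS X 10.9",    "browser": "Safari 7",   "plugins": "none",  "tz": "-420", "screen": "1440x900",  "fonts": "Helvetica", "visited": "1100"},
    {"os": "OS X 10.9",    "browser": "Chrome 36",  "plugins": "Flash", "tz": "-240", "screen": "1280x800",  "fonts": "Helvetica", "visited": "0110"},
    {"os": "Ubuntu 14.04", "browser": "Firefox 31", "plugins": "none",  "tz": "60",   "screen": "1920x1080", "fonts": "DejaVu",    "visited": "1010"},
    {"os": "Android 4.4",  "browser": "Chrome 36",  "plugins": "none",  "tz": "-240", "screen": "360x640",   "fonts": "Roboto",    "visited": "0000"},
]


def matching(partial, population=POPULATION):
    """Records that agree with `partial` on every attribute it specifies."""
    return [fp for fp in population if all(fp[k] == v for k, v in partial.items())]


def identifying_bits(partial, population=POPULATION):
    """Surprisal of this combination: -log2(share of the population matching it).
    Reaching log2(len(population)) bits means only one browser matches."""
    return math.log2(len(population) / len(matching(partial, population)))


def is_unique(partial, population=POPULATION):
    """True when the combination singles out exactly one browser."""
    return len(matching(partial, population)) == 1


def bits_per_attribute(fingerprint, population=POPULATION):
    """How much each attribute gives away on its own."""
    return {k: round(identifying_bits({k: v}, population), 2) for k, v in fingerprint.items()}


if __name__ == "__main__":
    me = POPULATION[0]
    config = {k: v for k, v in me.items() if k != "visited"}
    print("per attribute:", bits_per_attribute(me))
    print("configuration only:", identifying_bits(config), "bits, unique:", is_unique(config))
    print("plus link colours:", identifying_bits(me), "bits, unique:", is_unique(me))
```

In this population the configuration alone narrows the first browser down to one of two, and the four visited-link bits finish the job; a real population needs far more attributes, which is exactly what Panopticlick measures.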

All of this information isn’t intended to cause a panic, but rather to raise awareness. Before you bust out your tinfoil hat, consider other alternatives that are more likely to keep you safe online: Check your browser’s security settings, keep your operating system up to date, and look into antivirus and anti-malware tools. And, be aware that what you are doing online is likely trackable and traceable, so be thoughtful of where you go and what you do there. As a friend of mine recently observed in response to all of this, “It’s a scary world. But also a great one.” Be careful out there.


Filed under Resources

How Safe Are You?

My dog, whose name is "12345."

The photo above is from a poster I see around Ohio State once in a while.  The caption reads, “Someone stole my password… now I have to rename my dog.”  I think it is an elegant way to state what is a very important message: choose a strong password.

What is a strong password?  One that cannot easily be guessed.  It’s easy to find lists of the most common passwords used online and, invariably, password and 123456 (or similar) is at the top of every list.  When I see this, I’m reminded of the movie Spaceballs, which was released in 1987.  In one scene from this Star Wars parody, Dark Helmet learns that the combination to the air shield around planet Druidia is 12345, which Dark Helmet observes is the kind of thing an idiot would have on his luggage.  The punchline, below, occurs when the air shield’s combination is revealed to President Skroob (Mel Brooks).

Besides being a chance to insert a gratuitous Spaceballs clip, what is the point?  Well, even before we’d ever heard of email, 12345 was a bad password.  Adding a 6 didn’t make it much better.

But even the brightest among us — celebrities — haven’t learned this lesson.  It seems like every couple of weeks, there is a story about how Paris Hilton’s phone, Sarah Palin’s email, or Lindsay Lohan’s MySpace, Blackberry, and Gmail accounts have been hacked.  All of these attacks were due to weak passwords, or easy-to-guess password reset questions (according to Wired, Tinkerbell – password reset answer, Wasilla High – password reset answer, and 1234 – password, respectively.)  Startlingly, trying the top 10 or 20 passwords (and their variants such as 123, 1234, 12345, etc.) could unlock as many as 20% of online accounts, according to John P. on One Man’s Blog.

So, maybe you’re not Lindsay Lohan, but you probably still have information you want to protect.  And gaining access to one account can probably lead to access to all of them.  So even if your Facebook isn’t important enough to warrant a strong password, what information in that account could be used to access your email and then your online bank account?

What makes a strong password?  When students set up their OSU email accounts, I direct them to OSU’s password policy, which requires passwords to be at least 8 characters and some combination of alphabetic, numeric, and punctuation characters.  Also, an OSU password cannot contain the same character three times or more in a row, fewer than four different characters, or easily guessed phrases and words.  You can even rate your new password at the top of the page to see if your password is acceptable.  1234 returns the message “Unacceptable – Your new password is too short.”  (Sorry, Lindsay Lohan.)

Still having trouble?  John P. has some good tips in his article.  One approach is to substitute numbers and punctuation in place of some letters in a word.  This can make your password exponentially tougher to crack.  For example, gobuckeyes could become g08uck3y3$.  But even a n00b knows we could do better.  Instead of starting with a word, consider taking the first letter of each word in a phrase or song to create an easy-to-remember but seemingly random string.  For example, the first letter from each word in the first two lines of Carmen, Ohio would give us oclsopastamr.  Now substitute numbers and symbols for a few of these letters and you have a pretty robust password: 0c1$0p4$t4mR.

(Incidentally, I wouldn’t recommend using that or any of the passwords you read here because any one of the tens of people who read this could then guess your password, but you can see how a strong password could be generated.)
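As an added example (not the post’s own code, and not OSU’s actual checker), here is the phrase-to-password recipe from the paragraph above next to a checker for the rules the post quotes from OSU’s policy. The substitution map is inferred from the post’s two examples, the common-password list is a constructed stand-in for the lists the post mentions, and reading “some combination” as at least two character classes is this example’s assumption.

```python
import re
import string

# Substitutions inferred from the post's examples (gobuckeyes -> g08uck3y3$,
# oclsopastamr -> 0c1$0p4$t4mR); the exact map is this example's assumption.
SUBSTITUTIONS = str.maketrans({"o": "0", "l": "1", "s": "$", "a": "4", "b": "8", "e": "3"})

# Constructed stand-in for the "most common passwords" lists the post refers
# to; a real checker would load a much larger list.
COMMON = {"password", "123456", "12345", "1234", "123", "qwerty", "letmein"}


def initialism(phrase):
    """First letter of each word, lower-cased: the post's phrase-to-string step."""
    return "".join(w[0].lower() for w in re.findall(r"[A-Za-z']+", phrase))


def substitute(word):
    """Swap digits/symbols in for some letters and capitalise the final character."""
    s = word.translate(SUBSTITUTIONS)
    return s[:-1] + s[-1].upper() if s else s


def password_from_phrase(phrase):
    """The whole recipe: phrase -> initialism -> substituted string."""
    return substitute(initialism(phrase))


def policy_problems(pw):
    """Rules the post attributes to OSU's policy that `pw` violates (empty = acceptable)."""
    problems = []
    if len(pw) < 8:
        problems.append("too short")
    classes = [any(c.isalpha() for c in pw), any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if sum(classes) < 2:  # "some combination" read as at least two classes (assumption)
        problems.append("needs a mix of letters, digits and punctuation")
    if re.search(r"(.)\1\1", pw):
        problems.append("same character three or more times in a row")
    if len(set(pw)) < 4:
        problems.append("fewer than four different characters")
    base = pw.lower().rstrip(string.digits)  # catches variants like password123
    if pw.lower() in COMMON or (base and base in COMMON):
        problems.append("easily guessed word")
    return problems


if __name__ == "__main__":
    for candidate in ["1234", "gobuckeyes", substitute("gobuckeyes"),
                      password_from_phrase("Oh! Come let's sing Ohio's praise, And songs to Alma Mater raise")]:
        print(candidate, "->", policy_problems(candidate) or "acceptable")
```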

Not feeling creative enough to make your own password?  Another approach is to use one of several password generators available online.  For example, grc.com has a page that generates strings of random characters each time the page is loaded.  Take as many as you need to create a strong password.  Another resource is onlinepasswordgenerator.com which generates 10 passwords at a time and can be configured to include numbers, punctuation, and capital letters, depending on your needs.

One final concern is having to remember passwords for so many different accounts.  Consider creating a simple algorithm that will alter the password slightly for each account.  For example, once you’ve committed 0c1$0p4$t4mR to memory, you could use 0c1$0p4$t4mRe for your email account, 0c1$0p4$t4mRb for your bank, and 0c1$0p4$t4mRfb for your Facebook account.  By adding the letters to the middle of the word and including the number of letters in the name of the account, each individual password would seem even more random, but all of them would be easy for you to remember.

I hope this post helps to make the internet a safer place for you.  If you recognized any of the passwords I’ve included here (especially the ones near the top), go update your accounts.  Or, change your dog’s name.
