Nov 17, 2014

WordPress was designed for public websites, not private ones, so password protection can be a little clunky. Fortunately there are plugins to help, but (as always) there are trade-offs to be made.

When all you want to do is add a password to stop search engines indexing and outsiders reading the content, but you also want to make it as easy as possible for people to use, there’s the Password Protected plugin. As it says, it doesn’t protect the images or other uploaded content.

If you also want to protect the media, you will need to give people an account on the WordPress site (with username and password). Then you can use the htaccess edits detailed at This works, but in many cases you just don’t want to give lots of people accounts on the system, or make groups of people share an account. So it’s a trade-off — how important is password-protecting the images versus the administration overhead of user accounts with the associated username/password ease-of-use issues? If you do want to use usernames and passwords, perhaps giving a group of people a shared account, I’d recommend also using one of the plugins that helps with finer-grained access control, such as Members, to stop people being able to change things you don’t want them changing (such as passwords for the shared account).

Oct 27, 2014

Two-factor authentication is generally seen as a good idea; there's a certain amount of hand-wringing over the fact that more people don't turn it on. The problem is, it's one of those things where you sign up for disruption over the next few days, for uncertain reward. The reward is uncertain because you can never tell whether turning on two-factor authentication stopped someone hacking your account or not, just like you can't tell whether having an alarm company sign outside your house dissuades someone from breaking into it. My main email account has been on 2FA for ages, but I decided to add it to one of my secondary accounts as well, given that lots of people seem to mistakenly use that email instead of their own.

Tim suggested I use the authenticator app for my Google account 2FA, instead of using the SMS system. Just a hint: set it up while you still have access to your text messages since SMS is used for the bootstrapping authentication. You need to sign up for Google 2FA in the first place 'on a computer' (not specified whether a tablet is sufficient? I used the desktop). You are sent an SMS to authenticate yourself, and then you get another one when you want to authenticate the Authenticator app. After that, you don't need your SMS system, as long as you have the device with the Authenticator app on it.

But then there are the other apps, which now need application-specific generated passwords. Adium for Google Talk, for example, or email with Thunderbird. Setting each one up doesn't take long, but I'm sure some time in the future I will have forgotten and be wondering why I can't log in with a valid password.

And I understand what's going on, more or less, and think the short-term hassles are worth it. There are lots of people who don't have a mental model of passwords or authentication, who see only the pain and not the gain (since the gain is only in the absence of a potential future pain). Businesses are supposedly implementing 2FA fairly rapidly, but I'd be surprised if people in general were outfitting their personal accounts with 2FA at anything like the same rate. Mind you, I also suspect those surveys apply mostly to bigger companies in particular industries; anecdotal evidence I've heard points to a lower real adoption rate.

Jan 21, 2014

In principle I’m in favour of the ‘log in with X’ way of doing things (modulo user experience issues such as trying to remember which service you picked to sign up with in the first place). There is, however, more to it than that in some cases. Example: using the online repository service bitbucket.

Signing up in the first place with one of my Google accounts worked as expected. The next step, of adding a git repository and pushing files to it, was a little more complicated. You need to use a regular password for git push and, of course, bitbucket doesn’t have the password for my Google account. And I didn’t have a regular password for the account, having set it up using my Google account, so I had to go through the password-reset dance to create a new password that bitbucket is allowed to know.

In other words, for these sorts of services I need a password that the service is allowed to know; logging in with other services is an add-on but not a replacement. This isn’t hard to understand when you stop and think about what’s going on (in the browser the service relies on a lot of browser redirects which aren’t available in the command line), but it did take me a minute or two to figure out that I would have to reset my heretofore blank password to get one that I could use. (Bitbucket also supports SSH identities and I’ll probably set that up instead of the password.)

May 1, 2013

I just bought something on the Canadian Lowes site and it struck me how much time and thought they obviously put into the UX. The item pages contained the usual recommended other items, reviews, etc, that you can see everywhere. It was the other information on the item page that caught my attention.

I found the item through online search, but it was easy, with obvious breadcrumbs, to find related items. The ‘shipping included’ was prominent but not overpowering (for a large item, I prefer it to be shipped to me but don’t want to pay a fortune for shipping). The page included links, near the ‘Add to Cart’ button, to both the shipping and return policies, and the estimated shipping date was easy to see, even before adding the item to the shopping cart.

The big changes that I noticed came next. Where so many shopping sites ask you to create an account, login, etc, this one simply re-configured the checkout workflow. After the usual steps (fill out shipping address, pay through paypal/credit cards) there were two things I noticed. First, the return page gave the option of adding another email address to have the notification sent there as well, suggesting I not close the page until the email notification arrived (which it did, promptly). And second, it was only after the transaction was completed that the site asked me if I wanted to add a password so I could track the status of the shipment. I can track the status using a link in the notification email but I added a password anyway. So now I also have a Lowes account, created with very little friction.

This seems a sensible time to encourage the site visitor to create an account. I’d already bought something, it’s quite likely I’ll buy other large items in the same way, and it didn’t take much time or decision-making. Kudos to Lowes for listening to their UX people.

Feb 5, 2013

The latest Twitter password hack did affect me, but fortunately I had already switched to the one-password-per-site philosophy. I store all my passwords in LinkeSoft’s Secret!, along with other information that I want to keep on my computer and on my phone in an encrypted form. I just wish the Mac version synced with Android.

One bright spot in the issue was the fact that I didn’t have to change anything in all my apps that use my twitter account, since they all have their own tokens, independent of my twitter password. OAuth is usually said to be good since you can revoke access for any application at any time; this was the first time it became obvious to me that the other advantage is that you can change your main password at any time without needing to update any other client. Can other applications that have web access and smartphone app access please take note?
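To make the two properties above concrete (per-client revocation, and password changes that leave every client untouched), here is an added example of a toy authorization server; it is written for this page and is not Twitter's code or any OAuth library's. Each client holds its own random token, tokens are stored hashed, and the account password is only consulted at grant time. The user names, client names, passwords and scrypt parameters are all constructed for illustration.

```python
# Added example (not Twitter's or any OAuth library's code): a minimal model of
# why per-client tokens decouple clients from the account password. All names
# and credentials below are constructed sample data.
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library scrypt; parameters kept modest so the example runs fast.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                          maxmem=2 ** 26)


def _hash_token(token: str) -> str:
    # Tokens are high-entropy random strings, so an unsalted SHA-256 is enough
    # to store them; a leaked grant table then yields no usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._grants: Dict[str, Tuple[str, str]] = {}          # token hash -> (user, client)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = (salt, _hash_password(password, salt))

    def check_password(self, user: str, password: str) -> bool:
        if user not in self._accounts:
            return False
        salt, stored = self._accounts[user]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def authorize_client(self, user: str, password: str, client: str) -> str:
        """Grant step: the user proves ownership once; the client receives a
        token that is never the password. The plaintext token is shown once."""
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._grants[_hash_token(token)] = (user, client)
        return token

    def authenticate_token(self, token: str) -> Optional[Tuple[str, str]]:
        """Per-request check an API would do: (user, client) or None."""
        return self._grants.get(_hash_token(token))

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Rotates only the password. Grants are keyed by token hash, not by
        password, so every client keeps working without reconfiguration."""
        if not self.check_password(user, old):
            return False
        self.register(user, new)
        return True

    def revoke_client(self, user: str, client: str) -> int:
        """Per-client revocation: drop only that client's grants; returns count."""
        doomed = [h for h, (u, c) in self._grants.items() if u == user and c == client]
        for h in doomed:
            del self._grants[h]
        return len(doomed)

    def clients_for(self, user: str) -> List[str]:
        return sorted(c for u, c in self._grants.values() if u == user)


def demo() -> dict:
    """Walks through the scenario in the post with constructed sample data."""
    svc = TokenService()
    svc.register("alice", "correct horse")                        # constructed user
    phone = svc.authorize_client("alice", "correct horse", "phone-app")
    desktop = svc.authorize_client("alice", "correct horse", "desktop-app")
    svc.change_password("alice", "correct horse", "battery staple")
    phone_after_change = svc.authenticate_token(phone)             # still valid
    svc.revoke_client("alice", "phone-app")
    return {
        "phone_ok_after_password_change": phone_after_change == ("alice", "phone-app"),
        "phone_ok_after_revoke": svc.authenticate_token(phone) is not None,
        "desktop_ok_after_revoke": svc.authenticate_token(desktop) == ("alice", "desktop-app"),
        "old_password_still_works": svc.check_password("alice", "correct horse"),
        "remaining_clients": svc.clients_for("alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One design note: a real service usually does revoke browser sessions on a password change (the session is evidence of the old password) while leaving OAuth grants alone, which is exactly the split the post describes; the toy above models only the grants.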

OAuth is not necessarily the easiest of protocols to understand, or implement, but these days there are lots of libraries out there that do implement it. When I teach OAuth at the XML Summer School, I always recommend people use existing libraries if possible, to let others do the hard work of debugging all the little details. Another thing I recommend is to get the O’Reilly book “Getting Started with OAuth 2.0” (full disclosure: they sent me a review copy) to understand the concepts. You need to know about various types of tokens and credentials, and how they fit into the multi-layered authentication/authorization protocol dance for the different use cases. Once you have a decent understanding of the concepts, then go and read the actual specification for the details. The specification has lots of information in it, but it’s immensely easier to understand if you already know how the pieces fit together, and that’s where the O’Reilly book is well worth reading.

Nov 20, 2012

I’m sure there are people who like having Evernote track where they recorded some note, but there are also some of us who don’t. Yes, I tend to be slightly privacy-oriented, or even more than slightly at times. If you’re in that category, here’s one way to delete the locations.

First off, they often come in when you have the Evernote app on your phone. On Android, to turn off the auto-location, you need to go to the Evernote app on your phone, go into settings, and click on “Other Options”. You should see something that says “Location for new notes” with two possible options underneath, one for GPS, and one for wireless networks. Make sure they’re both turned off. You might like to turn off Auto-title while you’re there, especially if you don’t like Evernote reading your calendar to find an appointment or date to write in that title. Yes, I know, I’m sure there are people who find this useful. I don’t.

Having done your best to ensure locations aren’t added to future posts, let’s get rid of the already-existing ones. These instructions are for Evernote 5.0 on the Mac. Find the note, and double-click on it to open it in the editing window. Click on the italic ‘i’ in the top right corner. Then click on the arrow head next to the location field. That gets rid of the location. You may be asked to update the location to your current location; I only needed to say ‘no’ once. Close the editing window and you’re done! Yes, this does reset the updated date, so if that matters, copy it before making your changes so you can change it back again.

There may be a programmatic way to do this, but I only had 5 notes with location information on them, so I didn’t need it.