Nov 17 2014

WordPress was designed for public websites, not private ones, so password protection can be a little clunky. Fortunately there are plugins to help, but (as always) there are trade-offs to be made.

When all you want to do is add a password to stop search engines indexing the site and outsiders reading the content, but you also want to make it as easy as possible for people to use, there’s the Password Protected plugin. As its description says, it doesn’t protect images or other uploaded files: the plugin gates the pages WordPress renders, while anything under wp-content/uploads is still served directly by the web server to anyone who has (or guesses) the URL.

If you also want to protect the media, you will need to give people an account on the WordPress site (with username and password). Then you can use the .htaccess edits detailed at http://www.idowebdesign.ca/wordpress/password-protect-wordpress-attachments/. This works, but in many cases you just don’t want to give lots of people accounts on the system, or make groups of people share an account. So it’s a trade-off – how important is password-protecting the images versus the administration overhead of user accounts with the associated username/password ease-of-use issues? If you do want to use usernames and passwords, perhaps giving a group of people a shared account, I’d recommend also using one of the plugins that helps with finer-grained access control, such as Members, to stop people being able to change things you don’t want them changing (such as the password for the shared account).

Oct 27 2014

Two-factor authentication is generally seen as a good idea; there’s a certain amount of hand-wringing over the fact that more people don’t turn it on. The problem is, it’s one of those things where you sign up for disruption over the next few days, for uncertain reward. The reward is uncertain because you can never tell whether turning on two-factor authentication stopped someone hacking your account or not, just like you can’t tell whether having an alarm company sign outside your house dissuades someone from breaking into it. My main email account has been on 2FA for ages, but I decided to add it to one of my secondary accounts as well, given that lots of people seem to mistakenly use that email instead of their own.

Tim suggested I use the authenticator app for my Google account 2FA, instead of using the SMS system. Just a hint: set it up while you still have access to your text messages, since SMS is used for the bootstrapping authentication. You need to sign up for Google 2FA in the first place ‘on a computer’ (it isn’t specified whether a tablet counts; I used a desktop). You are sent an SMS to authenticate yourself, and then you get another one when you want to authenticate the Authenticator app. After that, you don’t need your SMS system, as long as you have the device with the Authenticator app on it.

But then there are the other apps, which now need application-specific generated passwords. Adium for Google Talk, for example, or email with Thunderbird. Setting each one up doesn’t take long, but I’m sure some time in the future I will have forgotten and be wondering why I can’t log in with a valid password.

And I understand what’s going on, more or less, and think the short-term hassles are worth it. There are lots of people who don’t have a mental model of passwords or authentication, who see only the pain and not the gain (since the gain is only in the absence of a potential future pain). Businesses are supposedly implementing 2FA fairly rapidly, but I’d be surprised if people in general were outfitting their personal accounts with 2FA at anything like the same rate. Mind you, I also suspect those surveys apply mostly to bigger companies in particular industries; anecdotal evidence I’ve heard points to a lower real adoption rate.

Jan 21 2014

In principle I’m in favour of the ‘log in with X’ way of doing things (modulo user experience issues such as trying to remember which service you picked to sign up with in the first place). There is, however, more to it than that in some cases. Example: using the online repository service Bitbucket.

Signing up in the first place with one of my Google accounts worked as expected. The next step, of adding a git repository and pushing files to it, was a little more complicated. You need to use a regular password for git push and, of course, Bitbucket doesn’t have the password for my Google account. And I didn’t have a regular password for the account, having set it up using my Google account, so I had to go through the password-reset dance to create a new password that Bitbucket is allowed to know.

In other words, for these sorts of services I need a password that the service is allowed to know; logging in with other services is an add-on but not a replacement. This isn’t hard to understand when you stop and think about what’s going on (in the browser, the ‘log in with Google’ flow is a series of redirects between Bitbucket and Google, and there is nothing to redirect when git is talking to the server from the command line), but it did take me a minute or two to figure out that I would have to reset my heretofore blank password to get one that I could use. (Bitbucket also supports SSH identities and I’ll probably set that up instead of the password.)

May 01 2013

I just bought something on the Canadian Lowes site and it struck me how much time and thought they obviously put into the UX. The item pages contained the usual recommended other items, reviews, etc, that you can see everywhere. It was the other information on the item page that caught my attention.

I found the item through online search, but it was easy, with obvious breadcrumbs, to find related items. The ‘shipping included’ was prominent but not overpowering (for a large item, I prefer it to be shipped to me but don’t want to pay a fortune for shipping). The page included links, near the ‘Add to Cart’ button, to both the shipping and return policies, and the estimated shipping date was easy to see, even before adding the item to the shopping cart.

The big changes that I noticed came next. Where so many shopping sites ask you to create an account, log in, etc, this one simply re-configured the checkout workflow. After the usual steps (fill out shipping address, pay through PayPal/credit card) there were two things I noticed. First, the page you return to gave the option of adding another email address to have the notification sent there as well, suggesting I not close the page until the email notification arrived (which it did, promptly). And second, it was only after the transaction was completed that the site asked me if I wanted to add a password so I could track the status of the shipment. I can track the status using a link in the notification email but I added a password anyway. So now I also have a Lowes account, created with very little friction.

This seems a sensible time to encourage the site visitor to create an account. I’d already bought something, it’s quite likely I’ll buy other large items in the same way, and it didn’t take much time or decision-making. Kudos to Lowes for listening to their UX people.

Feb 05 2013

The latest Twitter password hack did affect me, but fortunately I had already switched to the one-password-per-site philosophy. I store all my passwords in LinkeSoft’s Secret!, along with other information that I want to keep on my computer and on my phone in an encrypted form. I just wish the Mac version synced with Android.

One bright spot in the issue was the fact that I didn’t have to change anything in all my apps that use my Twitter account, since each of them has its own OAuth token, independent of my Twitter password. OAuth is usually said to be good since you can revoke access for any application at any time; this was the first time it became obvious to me that the other advantage is that you can change your main password at any time without needing to update any other client. Can other applications that have web access and smartphone app access please take note?

OAuth is not necessarily the easiest of protocols to understand, or implement, but these days there are lots of libraries out there that do implement it. When I teach OAuth at the XML Summer School, I always recommend people use existing libraries if possible, to let others do the hard work of debugging all the little details. Another thing I recommend is to get the O’Reilly book “Getting Started with OAuth 2.0” (full disclosure: they sent me a review copy) to understand the concepts. You need to know about various types of tokens and credentials, and how they fit into the multi-layered authentication/authorization protocol dance for the different use cases. Once you have a decent understanding of the concepts, then go and read the actual specification for the details. The specification has lots of information in it, but it’s immensely easier to understand if you already know how the pieces fit together, and that’s where the O’Reilly book is well worth reading.
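To make the two points above concrete (tokens that outlive a password change, and revocation per application), here is an added example that is not code from this post, from Twitter, or from the O’Reilly book: a toy in-memory OAuth 2.0 authorization server running the authorization-code grant for a confidential client, plus the check a resource server makes. The class, method and resource names are mine, and it deliberately leaves out redirect URIs, PKCE, refresh tokens and the HTTP wire format so that the separation between the user’s password (known only to the authorization server) and the per-client access tokens is the only thing on show.

```python
import hashlib
import hmac
import secrets
import time


class AuthorizationServer:
    """Toy OAuth 2.0 authorization server: authorization-code grant for a confidential client.
    Everything is kept in memory; this is a model for illustration, not a real implementation."""

    def __init__(self):
        self.users = {}    # username -> (salt, PBKDF2 hash): the only place the password lives
        self.clients = {}  # client_id -> client_secret, fixed at client registration
        self.codes = {}    # one-time authorization code -> (username, client_id, scope)
        self.tokens = {}   # access token -> {user, client_id, scope, expires_at, revoked}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def check_password(self, username, password):
        rec = self.users.get(username)
        return rec is not None and hmac.compare_digest(self._hash(password, rec[0]), rec[1])

    def change_password(self, username, old_password, new_password):
        """Rotate the password. Issued tokens are untouched: they were never derived from it."""
        if not self.check_password(username, old_password):
            return False
        self.register_user(username, new_password)
        return True

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def authorize(self, username, password, client_id, scope):
        """Front channel: the user authenticates to the AS (never to the client) and consents;
        the client receives only a short-lived, single-use code."""
        if client_id not in self.clients or not self.check_password(username, password):
            return None
        code = secrets.token_urlsafe(24)
        self.codes[code] = (username, client_id, scope)
        return code

    def exchange_code(self, code, client_id, client_secret, lifetime=3600):
        """Back channel: the client proves its own identity with its secret and trades the
        code for an access token bound to (user, client, scope)."""
        entry = self.codes.pop(code, None)          # single use, consumed even on failure
        if entry is None or entry[1] != client_id:
            return None
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            return None
        username, _, scope = entry
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": username, "client_id": client_id, "scope": scope,
                              "expires_at": time.time() + lifetime, "revoked": False}
        return token

    def introspect(self, token):
        """What a resource server asks about a presented token (RFC 7662 in spirit)."""
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"] or rec["expires_at"] < time.time():
            return None
        return dict(rec)

    def revoke_client(self, username, client_id):
        """The per-application kill switch: returns how many live tokens were revoked."""
        revoked = 0
        for rec in self.tokens.values():
            if rec["user"] == username and rec["client_id"] == client_id and not rec["revoked"]:
                rec["revoked"] = True
                revoked += 1
        return revoked


def read_timeline(server, token):
    """Resource-server side: access is decided by the token and its scope, not by a password."""
    info = server.introspect(token)
    if info is None or "read" not in info["scope"].split():
        return None
    return f"timeline for {info['user']} via {info['client_id']}"


if __name__ == "__main__":
    # Constructed walk-through; the user, client id and secrets are made up.
    srv = AuthorizationServer()
    srv.register_user("alice", "correct horse")
    srv.register_client("phone-app", "phone-app-secret")
    code = srv.authorize("alice", "correct horse", "phone-app", "read write")
    token = srv.exchange_code(code, "phone-app", "phone-app-secret")
    print(read_timeline(srv, token))
    srv.change_password("alice", "correct horse", "new passphrase")
    print(read_timeline(srv, token))        # still works: the token never depended on the password
    srv.revoke_client("alice", "phone-app")
    print(read_timeline(srv, token))        # None: this one application is cut off
```

Because the access token is issued to the client and looked up by the authorization server, changing the password neither invalidates the token nor requires the client to learn anything new; `revoke_client` is what cuts a single application off. A real server would also bind the code to a redirect URI, give tokens a short lifetime with refresh tokens for renewal, and carry all of this over TLS, which is the detail the specification and the book cover.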

Nov 20 2012

I’m sure there are people who like having Evernote track where they recorded some note, but there are also some of us who don’t. Yes, I tend to be slightly privacy-oriented, or even more than slightly at times. If you’re in that category, here’s one way to delete the locations.

First off, locations usually get attached by the Evernote app on your phone. On Android, to turn off the auto-location, go to the Evernote app on your phone, go into settings, and click on “Other Options”. You should see something that says “Location for new notes” with two possible options underneath, one for GPS and one for wireless networks. Make sure they’re both turned off. You might like to turn off Auto-title while you’re there, especially if you don’t like Evernote reading your calendar to find an appointment or date to write in that title. Yes, I know, I’m sure there are people who find this useful. I don’t.

Having done your best to ensure locations aren’t added to future posts, let’s get rid of the already-existing ones. These instructions are for Evernote 5.0 on the Mac. Find the note, and double-click on it to open it in the editing window. Click on the italic ‘i’ in the top right corner. Then click on the arrow head next to the location field. That gets rid of the location. You may be asked to update the location to your current location; I only needed to say ‘no’ once. Close the editing window and you’re done! Yes, this does reset the updated date, so if that matters, copy it before making your changes so you can change it back again.

There may be a programmatic way to do this, but I only had 5 notes with location information on them, so I didn’t need it.