My latest iPhone app, LandMarked, has been steadily climbing the charts of many nations’ App Stores and today a first has happened for me. LandMarked made it to 5th place in Israel’s Navigation apps category (225th place worldwide)! This places it in the first 25 apps list and just on the fold of the App Store’s listing.
Not bad considering that I only release formal press releases to Apple-related news sites and don’t engage in banner image advertising of any sort.
I want to thank all the iPhone and iPod touch owners in Israel for helping LandMarked climb so far this fast!
A lot of opinions about what makes a password strong have been thrown about lately. Unfortunately, a lot of them are wrong.
If you only take away one thing from this article let it be this… Don’t believe everything you read about password best practices. Today I’m going to dispel some of these myths and I want to tackle 2 approaches in particular that concern me.
Correct Horse Battery Staple – http://xkcd.com/936/
This comic has been linked to a lot since its release and at least gets points for trying. The only problem with it, however, is that it relies on common dictionary words. According to the Oxford Dictionary there are 171,476 words in current use in the English language. If we were to assign a unique number to each of these 171,476 words and use a 4-word combination of them we’d end up with a truly staggering amount of combinations to exhaust! Problem solved, right?
No. The average English speaking person can’t even spell “hippopotamus” correctly and is limited to a vocabulary of 25,000~50,000 words (this number varies depending on demographics, education level etc… and is still disputed). And of these, most people limit themselves further to words dealing with their daily lives: “coffee”, “office”, “stapler”, “fire” and other equally common words. That is if they are not completely lazy and go with “password123”.
What we end up with is maybe 500 highly common words that would form the pool from which to construct such pass phrases. 500 words in 4-word combinations is just under 62.5 trillion combinations. Sounds great right? “My little brother will have to pass the work onto his grandson before my password will be discovered!” I hear you say. Except with a technique called brute force searching, 62.5 trillion combinations can be computed in significantly less time. In fact, the more patterns a hacker can discern from your word choice the smaller the search space and the process will speed up accordingly.
Furthermore this approach does not scale. There are only so many nonsensical word combinations a person can remember. After a while they begin to diverge and soon you can’t tell if it was “house ball sky dog”, “ball cucumber torch pin”, or “house pin sky torch”.
Memorable Passwords – http://lifehacker.com/184773/geek-to-live–choose-and-remember-great-passwords
First let me say that I have a tremendous amount of respect for Gina Trapani. But this time I’m afraid she is wrong. Why? Again, patterns.
What makes the password memorization technique she advocates easy for you to use makes it equally insecure for hackers who anticipate that you’ll follow her advice. Using public knowledge like a spouse’s name or your anniversary date is questionable at best. If I know you, chances are I know your spouse. Even if I don’t know you I can dig through your trash and find out.
The only way this excels compared to the XKCD approach is that it’s easier to associate a password with a web site, because there is an underlying pattern uniting them. Remember, that is not a good thing in itself. It’s just harder to get confused.
What Makes A Password Safe?
The short answer: randomness.
The long answer:
Remember, from whom are you trying to keep your password safe? Your nosy siblings and coworkers? Or somebody more nefarious like a hacker? Your password is only as safe as it is unknown to people who would attempt to discover it. Understanding the tools and knowledge such people possess, as discussed above, should demonstrate why just about all the advice flying out there is flat out wrong.
But It’s Still Too Hard To Remember “e$-UqPs3”
That IS hard to remember, there’s no contesting that. But again, what makes it hard for you to remember makes it more secure. A hacker is still going to pull out the brute force search here and will perhaps arrive at your password. However this password is stronger if for no other reason than it has no discernible patterns.
Moreover, if you occasionally change your password it becomes a moving target. By the time the hacker finds your password, you’ve already moved on to a new one!
How should you remember this password? Don’t. There’s an iPhone app for that! All you need to do with this app is create one memorable login password behind which all your hard-to-remember passwords are protected. This memorable login password is encrypted with an algorithm called BCrypt which is extremely resilient against brute force attacks because it takes an inordinate amount of time to encrypt each password. So even if you lose your iPhone the likelihood of your login password being discovered is near zero.
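The search-space arithmetic from the XKCD discussion and the slow-hash point above, worked through as an added Python example (not code from the original post). It computes candidate counts and bits for the three schemes the post contrasts, and how long an exhaustive search takes at an assumed fast-hash guess rate versus an assumed bcrypt-like rate; both rates and the 95-character keyboard alphabet are assumptions, not figures from the post.

```python
import math

# Added illustration, not code from the original post. Pool sizes come from
# the post (171,476 dictionary words, a 500-word everyday subset, the
# 8-character "e$-UqPs3" style); the guess rates are assumed round numbers
# for a fast unsalted hash versus a deliberately slow hash such as bcrypt.
PRINTABLE_ASCII = 95                  # assumption: keyboard characters per position
FAST_HASH_GUESSES_PER_SEC = 10**10    # assumption: GPU against a fast hash
SLOW_HASH_GUESSES_PER_SEC = 10**4     # assumption: same hardware against bcrypt

SCHEMES = {
    "4 words, everyday 500-word pool": (500, 4),
    "4 words, full 171,476-word dictionary": (171_476, 4),
    "8 random printable characters": (PRINTABLE_ASCII, 8),
}

def search_space(pool: int, length: int) -> int:
    """Number of candidates when each of `length` positions is drawn from `pool` choices."""
    return pool ** length

def entropy_bits(pool: int, length: int) -> float:
    """log2 of the search space: how many bits an attacker has to guess."""
    return length * math.log2(pool)

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second

def describe(seconds: float) -> str:
    """Human-readable duration for the report."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def report() -> dict:
    """Bits and exhaustive-search time per scheme, at both assumed guess rates."""
    rows = {}
    for name, (pool, length) in SCHEMES.items():
        space = search_space(pool, length)
        rows[name] = {
            "bits": round(entropy_bits(pool, length), 1),
            "fast_hash": describe(seconds_to_exhaust(space, FAST_HASH_GUESSES_PER_SEC)),
            "slow_hash": describe(seconds_to_exhaust(space, SLOW_HASH_GUESSES_PER_SEC)),
        }
        r = rows[name]
        print(f"{name:40s} {r['bits']:5.1f} bits  fast: {r['fast_hash']:>15s}  slow: {r['slow_hash']}")
    return rows

if __name__ == "__main__":
    report()
```

Shrinking the pool from the full dictionary to the 500 everyday words is exactly the pattern effect the post describes: the bits column drops by roughly half, and only the slow hash keeps the search time uncomfortable.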
There is no magical solution that will result in memorable and safe passwords. But we can up the ante against hackers by equipping ourselves with the tools and discipline to combat theirs.
I have been testing the solution proposed by StackExchange user ‘shipmaster’ for obtaining a MAC address as a device ID.
I’m a private person, as everybody knows, so I won’t be posting the MAC addresses of my various iOS devices, but I will say that I was able to confirm the MAC address’s suitability as a UDID replacement.
How I conducted my testing
Across two iPhone 3GS units and one iPod touch 4th gen unit with two apps (KEYBOX and KEYBOX lite), I was able to reliably retrieve the per-device MAC addresses across distinct apps regardless of whether the device was on Wi-Fi, on 3G (only tested on iPhone 3GS as the iPod touch doesn’t do 3G), or in Airplane Mode.
I do not own an iPad or iPad 2 with which to test but I suspect MAC addresses will make for reliable UDID substitutes there also.
It would be great to hear from iPad owners who have tried this technique. Please contact me at firstname.lastname@example.org.
TechCrunch’s Erick Schonfeld is reporting today that iOS 5 comes with a big surprise in that developer access to the UDID, the device’s unique ID number, is being deprecated.
What does this mean?
As early as iOS 6 perhaps, we developers will no longer be able to uniquely identify devices. There are good and bad outcomes of this. Developing user profiles based on the apps downloaded and ads clicked begins to get a bit creepy and this will now be thwarted. But some of us developers use the UDID in ways that are not evil per se.
What about KEYBOX? Is it impacted by this change?
KEYBOX lite uses the device’s UDID to detect when a user is importing an exported secret file onto the same device that generated it, when the secret file is obviously older than the install date. In other words, cheaters who thought they could back up their secrets, uninstall KEYBOX lite, reinstall it and get another free 30 days of use.
KEYBOX lite then issues a stronger recommendation to purchase the full edition. After all, anybody who loves KEYBOX enough to go through the hassle of reinstalling it over and over ought to just purchase it and support further development.
At no time was this UDID ever transmitted in any form to my site or any other by KEYBOX or KEYBOX lite. In any case I will phase out this check in KEYBOX release 2. I don’t like relying upon deprecated functionality in my apps.
As a result of prMac’s promotion of KEYBOX, the August 6-7 weekend was the best sales weekend to date since it was released a few weeks ago.
Thanks to all of you who purchased KEYBOX! And a special thank you to those who took a moment to rate KEYBOX in the AppStore for your fellow users!
This weekend showed an equal increase in e-mails from customers and prospective customers. The road to releasing KEYBOX to the public has been a long one and it’s great to be able to talk with you and hear all your feedback. One of the recurring themes from these e-mails has been when KEYBOX will be on the iPad/Mac/Android/Windows Phone? Although I like to keep things under wrap (so as not to disappoint anybody) I think it’s time to discuss KEYBOX’s future on different platforms.
Let’s start with the easy ones:
Unless the market share for this platform grows I won’t be able to recoup my investment. As of today, it’s rapidly losing market share, not gaining it.
Android phones and tablets
Never say never but yeah, probably never. Among its many problems Android is too fragmented a platform (different display resolutions, memory and CPU specs, etc…). The original KEYBOX appeared on Vodafone Japan’s (now SoftBank’s) J2ME platform and was a victim of fragmentation issues. I am not keen on going back to that.
The iPad could be perhaps in some respects an even better device for using KEYBOX than the iPhone. I’m seriously considering supporting it. Currently KEYBOX works on an iPad in iPhone compatibility mode and if/when an optimized for iPad version is made it’ll be a universal app so that current iPad KEYBOX users won’t need to pay twice. If/When iPad is supported I intend to raise the price to reflect the benefits afforded by the platform.
Mac OS X
KEYBOX on the Mac would perfect the trifecta (phone, tablet, desktop/laptop) in that it could make backups/syncing all the easier. This would obviously be a separate download from the iOS version and the price would be in line with the features/benefit afforded by the Mac platform.
For the time being, taking KEYBOX on iPhone further is the highest priority. Release 1 was about locking down the security and giving it a simple and clean UI. There are so many great features that didn’t make the first cut and it was difficult to draw the line, but I had to ship KEYBOX at some point. There is a lot in store and I’m thrilled so many of you have joined along for the ride! I value your contributions and continued feedback, and your praise has been a source of inspiration for me!
So thank you! ありがとうございました！ Merci! Gracias!
Before starting, I want to thank my wife and son for their frequent weekend sacrifices over the past year. They literally made KEYBOX possible. I’d also like to thank the reviewers at Apple, if for no other reason than their job is a thankless one.
What is KEYBOX?
Privacy is a topic near and dear to me. I wrote the original version of KEYBOX to scratch a personal itch back in 2005.
My apartment was broken into and many of my and my wife’s belongings were stolen; the thief even used our bags to haul it all away. Worst of all, the thief left us a note showing off how proud he was. This was not our home anymore and everything we thought was private was no longer. Only after becoming victims did we start to invest in dimple keys and other preventative measures.
For myself, it didn’t stop there. I was compelled to take my privacy very seriously from that moment onward. The original version of KEYBOX was the culmination of careful design and development to address this.
2009 and 2010 were years that presented challenges to protecting people’s privacy. I wrote KEYBOX for the iPhone in response to this changing landscape.
I don’t believe privacy is a dying concept as Mark Zuckerberg would have us believe. Privacy has never been more important. As we move more of our lives onto the cloud we open ourselves to more security risks. Who we are and what we do is no longer tucked away safely in a drawer in our homes. It’s now sitting on a 24h accessible server on the Internet and we are no longer in full control of our privacy.
How KEYBOX works and what distinguishes it from alternatives is a bit too much for this post. I’ll be discussing the design, development, marketing decisions behind KEYBOX and where the app is going in the future in future posts.
If you are serious about security and your own privacy you can learn more here… http://www.jayfuerstenberg.com/keybox/