Tuesday, October 14, 2014

Why Web Sites Don’t Need to Store Your Password

It seems counterintuitive, but web sites that require logins don’t actually need to store your password.  And they actually shouldn’t – it is a very bad idea to do so.   We see too many leaks of account databases for it to ever be safe to store passwords in any form, even if encrypted.

So how can a site validate a login if it doesn’t store the password?  The answer is something really cool called a hash function.  I know your eyes just glazed over, but bear with me, the concept is actually simple.

A hash function is a way of processing data that is one-way… you can put data in, and always get the same result coming out, but there is no way to reverse the process to get back the original data.  I won’t get into the specifics of how hashes actually work, but I can describe a very simple hash that will illustrate the principle.

Say, for the sake of simplicity, we are creating a web site that uses a 4-digit PIN as a password to log in.  We know that storing the PIN itself is dangerous because it could be leaked out or viewed by site administrators, so instead we add up the four digits and store that sum.  So if my PIN is 2468, we store 20 (2+4+6+8) in the database.  When we go back to the site to log in, the site can add up the four digits we enter for the PIN, compare that result against the sum in the database, and validate that we know what the correct PIN number is.  A hacker that gets his hands on the database only knows that the sum of the digits is 20… he can’t possibly know that the original PIN was 2468.  They’d have to guess what the original PIN number was by trying different combinations.

Of course this is overly simplified.  This demonstration hash function wouldn’t really work in the real world because it is too easy to figure out combinations that would let hackers in.  This situation is called a collision… 8642, 5555, 8282, 1991, and 6446 all produce the same hash value of 20.  But real hash functions used for account login verification are much, much more complicated, and aren’t normally subject to problems with collisions.  But you get the idea.  Instead of storing the actual password, we store a value that is calculated from the password.  We can validate that someone knows the password without actually storing that password.

This has other advantages as well.  For example, using a hash function there is no limit to the length of the password, because hash result values are always the same length regardless of the amount of data going in.  Someone could enter 6 letters, or 200 random symbols, and either one can be hashed down to a value of a standard length that can be stored in the database. 

Because of this, you can sometimes tell web sites that don’t use hashes to securely store passwords because they enforce a maximum length for passwords.  This isn’t always the case, but it can be one indicator that the site’s security has been poorly designed.  But if you are signing up for an account on a web site and they have a low limit on the length of the password, like 12 characters, you might look for other signs of poor site security or privacy policies.  And definitely don’t reuse a password from another site.  Or just steer clear.

The down side to using hashes is that if you forget your password the site has no way of sending it to you… because they actually don’t know it.  That is why sites generate a brand-new, random passwords that they send to you via email when you forget your password.  They honestly have no idea what your password was, so the only solution is to create a new one and use that temporarily until you create your own.

The whole process is considerably more complicated than I’ve described here – or at least it should be.  Just using a hash isn’t sufficient, either, because we’ve got affordable computers these days that can calculate billions of hashes per second and are therefore capable of brute-forcing short passwords very quickly.  (A 6-letter password, for example, would be cracked hundreds of times over in just one second using a simple hash).  But for a site to use a hash on passwords is one step in the right direction.

Saturday, October 11, 2014

Canon vs. Nikon vs. Sony

We’re all familiar with the expression “the grass is always greener on the other side of the hill.” This applies in many areas of life.  And, of course, that means photography. 

I’m primarily a Canon shooter.  I use a Canon 6D as my primary camera, with several other bodies for backup or other shooting situations.  I’ve currently got 5 working Canon DSLRs, as well as three film bodies, and I’ve amassed quite a large collection of lenses, flashes, and other gear as well.  And I’ve been very happy with all of it.  But sometimes you start to doubt your choices when you start reading articles online about how Nikon’s and Sony’s cameras are capable of producing images with more detail, greater dynamic range of bright vs. dark, and a wider range of colors.  Did I choose the wrong brand?  Am I making a mistake by sticking with what I’ve got?  Or should I sell it all and switch?

So I’ve spent a bit of time reading up on what the advantages and disadvantages of the different brands are.  I even bought a Nikon camera and couple of lenses so I could see what they offer.  I’ll save my conclusion for the end, so bear with me for a bit.

I’m making all comparisons between similar models… so, for example when I make a statement about a feature, I’m referring to competing models between brands… I won’t compare features on high-end models of one brand to low-end models of another brand.  I’m trying to be as objective and honest as I can be.


If I were to go by specifications alone, both Nikon and Sony produce camera bodies that have more detail in terms of resolution, dynamics, and breadth of colors.  The numbers are pretty clear on that.  As far as Nikon goes, they’ve stuck with the more traditional SLR design, with an optical viewfinder and reflex mirror that moves out of the way of the sensor when shooting an image, whereas Sony is producing basically all mirrorless designs, relying on electronic viewfinders.  I won’t really get much into the reflex vs. mirrorless debate here, but I do prefer the optical viewfinder because of its significantly higher resolution and lack of delay.  Someday mirrorless designs may make up for those issues, but as someone who usually shoots with manual focus, the highest resolution viewfinder is essentially a must-have for me.

In terms of autofocus ability, each brand has standout models.  I don’t really believe that any brand has an inherent advantage over another.  Having used both Canon and Nikon bodies, I prefer the way that the Canon models work.  Especially in low-light situations.


As of today, Sony probably has the advantage of the best looking video when comparing models with similar feature sets.  Canon is the other standout here, with its pretty amazing DualPixel autofocus on the 70D.  Both Nikon and Sony produce images with more detail.  Nikon still seems to have trouble with the “Jello” effect more than the other two brands, though they have gotten better.  Certain Canon models have more moirĂ© issues than the others, so that needs to be considered as well.


Here’s the make-or-break for me… whatever brand I go with has to have good quality lenses, and a wide variety of them, at affordable prices.  I’ve found that sticking with OEM lenses usually gets you the best results when compatibility, affordability, and autofocus are taken into consideration. 
So here’s the bottom line… Sony’s selection of lenses pales in comparison to both Canon and Nikon.  The difference is huge.  There are less than a dozen lenses for the Sony “A” series, which is really the only line I’d potentially be interested in.  So, for me, Sony is out.  They have some amazing lenses, but being limited to just a few (especially considering their cost) isn’t viable for me.  For people without sophisticated lens needs, and significant budgets, Sony could be a great choice.  I use a really wide variety of lenses, especially primes.  I really don’t think I’d be able to give that up. 

So I’m back to the traditional Canon vs. Nikon debate.  What I’ve found, though, when researching this (primarily on dxomark.com, though many YouTube review videos are being taken into consideration) is that unless you’re willing to spend a lot of money on Nikon lenses, that Nikon’s image quality really suffers relative to equivalent Canon lenses.  Nikon produces just a handful of lenses that autofocus on the less expensive bodies under $1000 that are rated to give more than about 10 megapixels of resolution, whereas Canon has a lot to choose from.  Comparing Canon to Nikon lenses, in almost every case the Canons do better in terms of sharpness.  Which for me is the most important thing.  I don’t want to spend time taking images only to come home and find out that they are always soft.  It is especially true with prime lenses, where Canon has a huge advantage.  Canon’s lenses often resolve nearly twice as much detail as the Nikon equivalents.

Take the Nikon AF 50mm f/1.8D vs. the Canon EF 50mm f/1.8.  The Nikon gets a 8 MP score for its sharpness, whereas the Canon gets 14MP.  And the Canon is cheaper.  And it autofocuses on all bodies, not just the high-end models like the Nikon (Nikon “AF” lenses do not autofocus on the D3xxx or D5xxx series of cameras – you have to step up to “AF-S’' lenses or a more expensive body for that).  The difference in performance between these two lenses isn’t at all atypical comparing equivalent models. 

To be fair, Nikon also offers a 50mm AF-S f/1.8G lens, which does autofocus on all bodies, and gets a 15 MP score, but it is more than twice as expensive as Canon’s ($220 vs. $100).  And it is the only one of a few primes in Nikon’s lineup under $1000 that gets a score over 10 MP.  Every one of Canon’s prime lenses scores 14 MP or higher.  Performance with kit lenses included with camera bodies is similar… Canon’s are all better.  For all of the love that Nikon gets from its owners, I was shocked at the difference.  And choices on the Nikon side become much more scarce if having autofocus on a lower-end body is a requirement. I think there are only two AF-S Nikon primes under $1000 able to resolve 14 MP of detail or better.  Canon has over a dozen.

One could argue that you don’t have to go with OEM lenses.  And that is true.  My own experience with third-party lenses, though, has been disappointing.  Not necessarily in terms of image quality (though they do often lag behind), but of build quality.  Every third-party lens I’ve ever bought has broken on me.  Every single one.  But I’ve never had anything go wrong with any of my OEM lenses.


So what does it boil down to for me?  I’m sticking with Canon.  Having cameras with the best available sensors would be awesome, but if the options for the glass to put in front of it aren’t as good, I’m afraid I just couldn’t make a switch.  It would be nice if you could put Canon glass on front of a Nikon, but without complicated adapters which inherently have to reduce image quality that just isn’t possible.  Or if I was insanely rich and could afford boutique lenses, the story would probably be different.  But I’m very much on a budget, so I’ve got to stick with more affordable choices for now.  And for today, that still means Canon.

So it boils down to this: Nikon’s choices for someone who likes to shoot prime lenses with the highest quality image are weak compared to Canon.  And Sony doesn’t even show up for that contest.  Those are the deciding factors for me.

I know that there are going to be a lot of people upset with my conclusion.  And they’ll even use DxOMark’s data to try to make their point.  Keep in mind that I’m making my decision based solely on achieving the best quality image while keeping lenses affordable.  If budget goes out the window, then the decision very likely could be different.

Sunday, February 16, 2014

Best Kept Secret in Technology

Every once a while a technology product comes along which is just an absolute bargain.  And very often those bargains are unknown to the general public.

The one that I want to tell you about today is the Nokia Lumia 520 (or 521) smartphone.  I’m sure you’re thinking, “but I already have a smartphone!”  But I’m suggesting this not as a replacement for your current smartphone, but rather something that is neat to own in addition to your smartphone.  But it would be a great thing to own for anyone who doesn’t already have a smartphone of their own.

Most of the time when you buy a cell phone you have to buy it with a contract, or pay out the nose for it up front.  Most smartphones, if you buy them outright, will cost $500 or more, and if you don’t pay that out-of-pocket it is figured into your monthly bill one way or another.  The Lumia 520 and 521 are inexpensive (both are easily less than $150) and don’t require you to sign a contract or even activate the phone.  But why would you ever do that?

Well, consider all of the things that people like to do with their phones… browse the web, check for email, listen to music, watch videos, play games, get driving directions.  Imagine being able to do all of that without a monthly payment.  Zero.  None.  No contracts, no monthly payments, ever, unless you want to.  That’s what’s great about these two models of phone.

A few scenarios…

Much of the time when you want to listen to music, it is music you already own – you don’t need an active Internet connection to stream it.  Maybe you have an iPod Touch that you listen to music on.  But those start at $229.  The Lumia 520/521 play all of your music just like the iPod Touch does – and in my opinion does a better job of it.  And they are a lot less.  And with an iPod, if you run out of storage you have to buy an entirely new device.  With the Lumia 520/521, if you run out of storage you can buy a Micro SD Card (up to 64 GB) and pop it in.  The Lumia 520 + a 64GB of storage is less than half the cost of the cheapest iPod Touch.  And it has an FM radio too, which the iPhone does not.
Music + Videos Hub
Now say you want directions from A to B.  Yes, I know that smartphones already do that.  But to do that they nearly always require Internet access and a data plan.  Because the Lumia 520/521 runs Windows Phone 8, you can pre-download maps (state-by-state or country-by-country) at home over WiFi before you leave, and store them on the device for use even when you don’t have Internet access.  You get door-to-door directions, like a dedicated GPS unit, for a lot less than a dedicated GPS unit.  And unlike the budget GPS units, it even knows how to pronounce street names so directions are specific – “turn right on Juniper Avenue” instead of “in 300 yards, turn right.”  If you do activate the device as a phone or tether it over WiFi to a smartphone or tablet, you even get up-to-the-minute traffic information, so it can route you around problems.  And I actually believe that Nokia Drive is the best navigation software out there for any smartphone.  It’s fast, accurate, and touch-friendly so it works great in the car, and best of all, it’s totally free.  And since it doesn’t require a data connection, it works in the middle of nowhere when your cell phone won’t.  (Nokia, incidentally, owns Navteq, which easily has the best map data anywhere – easily besting Apple [cough] and Google – and this is where the map data for Windows Phones comes from.)

Watching movies is easy too.  Since you can pop a Micro SD card in, you can store a lot of video for the kiddies to watch in the car.  It isn’t the biggest or best screen, but it’s more than adequate.  And at 800x480 pixels, a lot higher resolution than you’d get from an Android device in the same price range.  Most of those are 320x240 – or maybe VGA if you’re really lucky.

Say you’ve got a kid that is bugging you about wanting an iPod Touch or iPhone to play games on, but you’re not excited about the cost.  These two Nokia phones do an excellent job of playing games.  It’s true that you won’t get the same selection of games you get on an iPod, but you also aren’t shelling out a ton of money for something that is probably going to get lost, broken, or stolen and have to be replaced over and over.  If one of these phones gets lost or broken, it isn’t that big a deal because they’re so inexpensive.

Games Hub
And of course whenever you’re in range of WiFi you get all of the benefits of a smartphone that you’ve come to expect.  It will check your email (best email client on a smartphone I think), it will browse the web (not the best browser, but certainly more than serviceable).  And play games.
So why a Windows Phone?  Well, because in this price range nothing else comes close.  Apple doesn’t make an i-device for less than $200, and anything in that price range running Android is just, well, a downright ugly experience.  The 520/521 might be the slowest Windows Phones out there, but they aren’t slow.  They feel very fast.  They’re certainly a lot faster than anything running Android at three times the price, and faster than any Apple device more than a year old.  And they don’t feel cheap like many similarly priced devices do.  They feel well built so they should hold up to the abuse that you or your kids throw at them.

The only difference between the two is that one is sold by AT&T and the other is sold by T-Mobile.  You don’t have to have an account with either carrier to buy one – just order it from Amazon or pick it up at Wal-Mart.  As of this writing, the Lumia 520 is only $59.99 at Amazon, and the 521 is $119.99.  Again, you don’t sign up with the carrier if you don’t want to.

These two phones are absolutely the best deal on technology out there today.  You get the functionality of a good smartphone at a tiny portion of what it would cost you to get it otherwise.  Nothing else even comes close right now.

The one thing to note is that these phones are locked to either AT&T or T-Mobile.  Which means you can’t just pop in a SIM card from the other carrier and have it work.  If you want to use one as a phone, only AT&T SIMs will work in the 520, and only T-Mobile SIMS will work in the 521.  So if you want to have one as a backup phone, buy the one that is tied to your carrier.  But, again, you don’t have to be (or become) an AT&T or T-Mobile customer.
They also only come with 8 GB of storage.  So you probably will want to consider getting a MicroSD card for additional storage.
Is this the perfect device?  Certainly not.  But for the price, nothing else even comes remotely close.
Bonus tip: If you do happen to be a T-Mobile customer, go to their web site or one of their stores and sign up for a free tablet account, even if you don’t have or plan to buy a tablet.  You get 200 MB of 4G data every month at no cost (and if you go over that data allotment they just slow you down – there are never any overage charges).  You can then use that SIM card in the Lumia 521 and use it to access the Internet on the phone without paying for a phone line – you won’t have to pay a dime in service charges, ever.  You won’t be able to make phone calls (unless you use an app like Skype over the 4G connection), but you can do everything else you'd be able to do on a smartphone, and it won’t cost you anything to do so.

Google Search