Wednesday, May 3, 2017

A Plea to Web Developers

There’s a growing trend on web sites that require a login, and it is getting annoying.  And I can’t see any real upside to the decisions that web site designers and developers are making.
What I’m referring to is sites that attempt to disable password managers.  They’ll use all kinds of tricks, ranging from a simple autocomplete="off" attribute to JavaScript that clears the form, to building form elements dynamically so they aren’t picked up by browsers or password managers, among others.

I believe that they are thinking that this increases a site’s security by preventing unauthorized logins.  You know, someone other than the authorized user logging into the site, being able to do so because the password is automatically filled in.  While that makes sense, the bigger issue is that they are actually reducing the site’s security with this behavior.

Why do I say that?  Because it forces people to use really, really bad passwords.

In today’s world, there is basically no such thing as a “good” password generated by a human.  People notoriously pick passwords that are way, way too easy to crack.  Even when we think we are being clever, some hacker somewhere has already been just as clever and coded the method that we think is unique into a password cracking library.  Basically every method you’ve come up with for creating a password, a hacker has already done it.

So the only good passwords are those that are generated completely randomly, using what we call a cryptographically secure pseudo-random number generator (CSPRNG).  Only passwords created by such a generator can be considered secure enough to thwart hacking.  They should also be long – 12 characters at an absolute minimum.  These passwords are virtually impossible to remember, especially considering that every web site we visit should have its own unique password.  Honestly, could you remember your passwords if every site’s was unique and they looked like x^HsNpeGo}V%Xd~, [lfGY%KW$4McJ(3l, or Jo@Rl-p4Vc7Esy?  I seriously doubt it.  So people using good, secure passwords use password manager software to generate and remember these kinds of passwords for them.

(I can honestly say I have no idea what my passwords are on 99% of the web sites I visit. In most cases I’ve never actually even seen them.)

Unfortunately it seems that many web site developers think you can remember these kinds of passwords.  Otherwise they wouldn’t be trying to disable password managers.  They are intentionally trying to force you to remember your passwords.  So they’re forcing people into using passwords like “monkey123” or “k3lly@96” which they can remember, but would be cracked by a hacker in a matter of seconds (or even milliseconds), and since people are bad at remembering passwords they’ll reuse the same passwords on multiple (if not every) site(s).

So while their intended effect is to prevent unauthorized logins, what they’ve effectively done is make their users’ accounts much easier to hack.  Not only are their users’ passwords bad, they’re probably the same as on another site that has already been hacked.

Intended effect: improved security, actual effect: horrendous security.  The law of unintended consequences strikes again.

So, please, if you are in charge of designing or developing a web site, resist the urge to prevent users’ browsers or password managers from filling passwords in for them.  The site will be far more secure if you actually allow users to use secure passwords.

(While I’m on the subject, having a site suggest a secure password when a user creates an account isn’t a bad idea either.  It should be displayed on the page so they can see what it is, as well as pre-filled into the password fields.  Most browsers and password managers will automatically pick up on data pre-filled into those fields and save it for the user.  Oh, and always use HTTPS for any page that requests or displays account data.)

P.S. You can always get a truly random password from my web site.  The passwords aren’t saved anywhere, and only you ever see it.

P.P.S. If you aren’t using a password manager, you should be.  The one I like is LastPass.  If you’re concerned about your passwords being accessible to someone, just choose a really, really good password for your account.  These sites include your account password as part of the encryption key, so nobody can get to your password data without it.  And you can make it even harder to crack by turning on Two-Step Authentication too.

Thursday, March 16, 2017

How I’ve Eliminated Spam Emails

Spam (junk) email is a pretty serious problem.  I haven’t seen a statistic lately, but the last time I did, it was that more than 90% of email being sent on the Internet is spam.  Yikes!  That’s absolutely awful.

I feel a little disconnected from the problem, though.  I don’t get spam.  At least not more than a couple times a month.  And the funny thing is, it actually wasn’t that hard to eliminate it.  Without having to worry about any real email being flagged as spam, ever.

Before I jump into my solution, let’s talk about why spam is such a problem.  It basically boils down to the easy access that spammers have to email address lists.  It is trivial for someone who wants to send out mass emails to find a list of email addresses on the Internet.  They are available all over the place.  And if your address happens to be on the list, well, unless your spam filter is exceptionally amazing, you’ll be getting at least some of it.  And once your address is on a list, there’s no way to take it off.  So as long as your email address is still valid, you’ll keep getting more and more of it.

Where do these lists come from?  Based on my own experience (you’ll understand how I know this in a minute) they tend to come from web sites that have been hacked.  Many, many websites have been hacked over the years, some of them even major players – Yahoo, Adobe, LinkedIn, Dropbox, and MySpace just to name a few.  And chances are that you’re using at least one of those sites, so your email address is in a spammer’s database.  And there is, unfortunately, nothing you can do about that.

Most companies that provide email services take a reactive approach to try to eliminate spam.  That is, they put a lot of time and money into coming up with intelligent filters that will try to detect spam and delete it, or at a minimum mark it as such and stick it in a folder for you to review later.  It works – kind of – but not without a few legitimate email messages being detected as spam when they shouldn’t be. So they have to keep most of the spam around for you to review manually.  It’s an ugly solution.

So what can be done if your address is already on their lists and it can’t be removed?  How can we fight back?  There isn’t much you can do, honestly, once they have your address.  There’s no way to edit those lists.  But I came up with a solution to the problem more than a decade ago and it has worked flawlessly that whole time.

The trick is that I have my own internet domain name just for my email.  There’s no web site or any other server there – it’s just for email.  I won’t disclose what it is publicly for obvious reasons, but for the sake of discussion we’ll say it is secretemail.tld.  And on that domain, I accept any email sent to any address.  (It’s called a catchall.)  So doug@secretemail.tld, junk@secretemail.tld, xyzxyzxyz@secretemail.tld, jane@secretemail.tld, etc. are all valid email addresses that all go to the same email inbox.  I get all of it, in one place.  I don’t have to create a new account for each address I give out because anything in front of the @ works.

Because anything in front of the @ is valid, whenever someone – anyone – asks for my email address, I give them something unique, usually based on who it is that is asking.  For example, if I’m creating an account at Amazon, the email address I give them is amazon@secretemail.tld.  Google? google@secretemail.tld.  Apple gets apple@secretemail.tld, and so on.  They can all send me email, and I will get it. 

(I do get some strange looks occasionally when I do this.  Or questions like, “Do you work at Target?” when giving a Target cashier that address.  Or, “Do you have an email account set up just for Jamba Juice?”  [Well, I kind of do…] They don’t get it, which is to my advantage.)

So here’s where this all pays off, though… these addresses are disposable.  And since spammers all use the same email databases over and over again, if one of those @secretemail.tld addresses that I’ve given out is included in one of those lists, I block all incoming email sent to that one particular address.  The address is thrown away and never used again.  So if LinkedIn had linkedin@secretemail.tld as my email address when it was hacked, I’ll log into the site, change the email address in that account to something else (maybe even as simple as linkedin2@secretemail.tld), then add linkedin@secretemail.tld to my block list.  LinkedIn can still communicate with me, but now the spammers that have that address cannot.  If they try, they get an “email address doesn’t exist” error before they can even try to send the body of the message. Anyone that tries to use that original, leaked email address is rejected outright, no matter what they are trying to send me.  Once the address has been compromised I block all attempts to use it.

Using this method, I get no more than a couple junk email messages per month, if that.  It is very rare.  If I do happen to get one, it is very easy to prevent the email address they’ve used from ever working again, thus cutting them and anyone else that has that address off forever.  The other upside is that I never have to worry about legitimate email messages being tossed into a junk mail folder.  Because I don’t have one – at all!

The other upside to this is that companies that intentionally share my email address also get blocked.  And they don't get a new email address from me, so I never have to hear from them again.  Anyone that abuses the privilege of having my email address loses it permanently.

I know what you’re thinking… if I accept anything sent to any address at that domain, wouldn’t that open me up to tons of spam?  Because anyone can send anything to any address at that domain and it won’t get blocked?  Well, you’d think so… but in reality that just hasn’t happened.  So far none of the spammers out there have figured out my trick, or at least if they have it isn’t worth their time to try to circumvent it.  I keep my fingers crossed, obviously…  but if someone someday does figure out my trick, I’ll find another way to keep them out… perhaps creating a simple list of addresses that I’ll accept.  But in reality, though, it isn’t worth their time to figure out a workaround.  I’m not the low-hanging fruit and their efforts are better focused elsewhere if they want a return on their investment.

Google sort of does something similar, but it doesn’t actually help.  Anyone with a Gmail account can give out a unique address.  Google ignores anything after a plus sign in a Gmail address, so if your Gmail account is mygoogleaccount@gmail.com, you can give out mygoogleaccount+yahoo@gmail.com as your email address and you’ll still get the message.  The bad part about that is that spammers know this, so all they have to do is strip anything after the plus sign and they have your real email address, and there’s no way for you to know where they got your address.  So this trick doesn’t necessarily help in eliminating spam, but it can help you in identifying where someone got your email address (sometimes).
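The recipient policy described above (catchall domain, a block list of leaked addresses refused at RCPT TO before any message body is sent, and rotating a leaked address to a fresh one), together with the plus-addressing contrast, as an added example that is not the post’s own server configuration; the post does not say which mail software it runs. The domain secretemail.tld is the post’s placeholder, and the block list entries, sample addresses and SMTP reply texts are constructed for this illustration.

```javascript
// Added example, not from the original post: the decision a mail server's
// RCPT TO hook would make for a catchall domain with a block list of leaked
// addresses. secretemail.tld is the post's placeholder domain.
const CATCHALL_DOMAIN = 'secretemail.tld';

// Addresses that have turned up on a spam list (constructed sample entries).
// Stored lower-cased so matching is case-insensitive.
const blocklist = new Set(['linkedin@secretemail.tld', 'dropbox@secretemail.tld']);

function normalize(address) {
  return address.trim().toLowerCase();
}

// Return the SMTP reply for one RCPT TO command. A leaked address gets the
// same reply as a mailbox that never existed, and it is refused here, before
// the sender reaches DATA, which is the "address doesn't exist" rejection the
// post describes.
function rcptDecision(recipient) {
  const addr = normalize(recipient);
  const at = addr.lastIndexOf('@');
  if (at < 1 || at === addr.length - 1) {
    return { code: 501, text: '5.1.3 Bad recipient address syntax' };
  }
  const domain = addr.slice(at + 1);
  if (domain !== CATCHALL_DOMAIN) {
    // Final destination for one domain only: never relay for others.
    return { code: 554, text: '5.7.1 Relay access denied' };
  }
  if (blocklist.has(addr)) {
    return { code: 550, text: '5.1.1 User unknown' };
  }
  // Catchall: every other local part is delivered to the single inbox.
  return { code: 250, text: '2.1.5 OK', mailbox: 'inbox' };
}

// Retire a leaked address and choose the replacement to hand to the legitimate
// sender, e.g. linkedin -> linkedin2, skipping anything already blocked.
function rotateAddress(leaked) {
  const addr = normalize(leaked);
  blocklist.add(addr);
  const local = addr.slice(0, addr.lastIndexOf('@'));
  const base = local.replace(/\d+$/, ''); // strip a previous numeric suffix
  for (let n = 2; ; n++) {
    const candidate = `${base}${n}@${CATCHALL_DOMAIN}`;
    if (!blocklist.has(candidate)) return candidate;
  }
}

// Contrast with plus-addressing: the tag is separable by anyone holding the
// address, so the real mailbox stays recoverable and cannot be retired.
// A catchall local part carries no such structure, which is why the scheme
// above survives a leak.
function plusAddressingBase(address) {
  const addr = normalize(address);
  const at = addr.lastIndexOf('@');
  const local = addr.slice(0, at).split('+')[0];
  return `${local}@${addr.slice(at + 1)}`;
}
```

Refusing at RCPT TO rather than after DATA matters for cost: the server never stores or scans the message, and the sender's log simply records an unknown user.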

In terms of my solution, it’s kind of amazing that something so simple has worked so well.  But the truth is, that it has worked.  I still have a couple other spam protection tools installed on my server, but they just aren’t ever kicking in, and I still don't get spam.  Having a list of addresses to block that have leaked has cured the problem.

The spam problem overall isn’t going to be going away any time soon.  As long as even a handful of people click on the links, it is totally worth it to spammers to keep doing what they’re doing.  It costs so little to send out millions of emails that even if 1% of 1% click on a link, it’s worth the spammer’s investment.  And since we can’t convince that 1% of 1% to stop it, it’s just going to keep coming.  At least to everyone but me. :)

If a solution like this interests you, I can give some guidance on how to set it up (you’d need your own server and technical knowledge of how to administer it, though if you already have all of that you could probably figure the rest out on your own), or even give you some space on my server for a small fee.  Reply below and I’ll be in touch.
