Tuesday, June 28, 2016

Creating Great Passwords

It's common knowledge that using the same password across multiple websites is a security problem, but it's one that few people ever take seriously. When LbNA's database was breached, I knew the reused-password problem was so pervasive, that it meant thousands of accounts on Atlas Quest were compromised as well.

I mentioned that I use a different password on every website, which is how I could immediately tell that the file of leaked passwords I stumbled across came from LbNA. It was the one website on the entire Internet that I ever used it--it HAD to have come from LbNA. Nor was it a simple, easy-to-guess password like "letterbox", "letterboxing" or "password" (which 181, 167 and 106 people used respectively on LbNA--please don't use passwords like this!) My password had lowercase letters, uppercase letters, symbols and numbers. All jumbled up into--at a glance--a random bunch of characters.

And a couple of people commented that they don't have my awesome powers of memorization, which is why they use the same password across a lot of websites. But here's the trick--I don't either! I don't memorize my passwords... I memorize patterns!

I use patterns on the keyboard based on the type of website, the name of the website, and password requirements for the website. For instance, on Atlas Quest, I could have a password of "sw2Q!@t5t". (This is NOT my password--this is for sample purposes only.) While my LbNA password could be ";p0NHY^&aq1q".

The passwords look very different--and they're both great passwords. They have lower and upper case letters, numbers and symbols. They aren't words found in a dictionary or names of relatives or friends. A stranger who stumbled onto this password... would be pretty well stuck with hacking into the one website it's good for.

But they're really easy passwords to "remember" as well. No written notes necessary!

They're patterns on the keyboard. Each of them can be broken down into three segments:
  • sw2   Q!@   t5t
  • ;p0   NHY^&   aq1q
It's kind of like.... a secret code that converts website names into passwords. In both cases, I start with the website name:
  • Atlas Quest
  • Letterboxing North America
In the first sequence of characters, I start with the first letter of the website name and find the key on the keyboard immediately to the right of it. Then I click that, followed by every key immediately above it until I reach a number. 
  • sw2 - "s" is just to the right of "A", then "w" is immediately above the "s", then the number "2" is immediately above the "s". s-w-2... Stop.
  • ;p0 - ";" is just to the right of "L", followed by "p" just above it, followed by "0" just above that.  ;-p-0... Stop.
The next sequence in the group works similarly--except this time I start with the first letter of the next word of the website name, and this time I hold the SHIFT key the entire time and, after clicking a symbol on the numbered keys, I follow it up with a second symbol just to the right of the first symbol.
  • Q!@ - "Q" for Quest, then "!" (immediately above the Q) and "@" (immediately to the right of "!").
  • NHY^& "N" for North, then "H" (immediately above the N), "Y" (immediately above the "H"), "^" (immediately above the "Y"), and "&" (immediately to the right of the "^").
The third group in the sequence likewise follows a similar pattern, but without the shift key and, after I hit a number, I back down one row and repeat the letter underneath it. But I've run out of words in "Atlas Quest"... so I just use the last letter of the last word as my starting point. ("t" in this instance.)
  • t5t - "t" for Quest, followed by "5" then bounce down a row back to "t".
  • aq1q - "a" for America, followed by "q" just above it, then "1" just above that, then back down a row to "q" again.
Put them all together, and you wind up with "sw2Q!@t5t" and ";p0NHY^&aq1q"--seemingly impossible to remember passwords that, at first glance, look completely random.

Here's another trick I've sometimes used for passwords... Pick a couple of words that are easy to remember, and instead of typing that exact word or phrase, click the key immediately to the right of the actual key. "letterbox" might be the most commonly used password on LbNA, but I can definitely tell you, nobody uses the password ";ryyrtnpc"! This is the word "letterbox"--but it's a very simple substitution code that replaces every letter with the one next to it on the keyboard. It can help if you're a touch-typist and don't need to look at the keyboard for this type of encoding. I just put my fingers on the keyboard where they usually go, shift my hands over one key, then type the word I'm thinking like normal. o vsm yu[r rmyotr drmyrmvrd ;olr yjod brtu wiovl;u@

You'll probably want to have a few different sequences that you use regularly. Some websites--annoyingly--don't allow symbols, so a sequence that includes symbols won't work on these websites. Other websites require a symbol in your password! So you might need to use two different types of sequences to fit both requirements, which might just be the same sequence except you use the numbers where the symbol you'd normally use would be.

Some websites might have passwords that require a minimum length and your sequence causes it to fall short--so have a plan for extending your sequence as needed, which might be nothing more than repeating the first sequence. In my sample above, I ran out of words in "Atlas Quest" to create three groupings, so my fallback was to use the last letter of the last word. (If the website name only had one word, my fall back might have been to use the last two letters of the name of the website. So my Facebook password might have been "gt5O()ki8i".

If you have multiple accounts on the same website, you might try incorporating your usename into the pattern so you can have a different password for each account on the same website.

A lot of corporate accounts often make you change your password every few weeks, which is annoying and probably causes a lot of people to write down passwords or increase the number at the end of it by 1, neither of which are particularly secure. But you might use the "pattern" trick by including the current month in your password pattern, so the last sequence of characters is the first three letters of the month name, shifted to the left on the keyboard. Or something to that effect....

You might also consider how you'll usually have to type in sequences. I will admit, the sequences I use are frustratingly annoying when I'm trying to type them into a smartphone without a proper keyboard. What symbol is above the 5? I wind up typing stuff like "#*#$&@!" which looks more like a bleeped out cuss word than my actual password, but by the time I get my password correct, I've been locked out and am cussing anyhow. =) So if it's a password you'll use a lot on a smartphone, you might design a pattern that fits your smartphone keyboard.

I also sometimes have trouble logging into my accounts when I travel internationally and am using a non-US keyboard so all of the keys are in different locations on the keyboard. I actually drew myself a "cheat-sheet" when I was hiking through France of a US keyboard layout to help me log into accounts!

I also have a couple of different sequences that I use depending on the "importance" of a website. I use a shorter, easier sequence for websites with nothing particularly valuable on it and more complex sequences for bank accounts and such.

The "pattern trick" works for stuff other than website passwords as well. I use a pattern for PINs on my credit and debit cards, so every card has a unique, random-looking PIN that I don't have to write down or memorize. If you ever find my wallet, I can assure you, "1111" or "1234" will not get any of my money out of an ATM. Nor will knowing my birthday, address, social security number, etc. You just have to start guessing, and if you do manage to get lucky and crack one of the PINs (out of 10,000 possibilities, it's actually quite possible to crack it with brute force given enough time), it won't get you into any other card.

That's the trick to creating solid, all-but-impossible-to-guess passwords that are unique to every website you use. Take a little effort to think of two or three different types of sequences you can use, and the security of your accounts increases enormously.

Wednesday, June 22, 2016

Password Security

Yesterday it was discovered that LbNA's database had been breached with a long list of everyone's trail names, email addresses and passwords floating around the Internet. If you haven't done so already, change your password on LbNA and--if you use that password anywhere else (including AQ!)--change the password on those other websites as well. I'm not sure if the LbNA vulnerability has been fixed yet or not, though, so don't use the same password there as you would on any other website. At least until the folks running it give us the all clear, although it's a good practice to use different passwords for every website.

Whenever there's been a security breach, it tends to make me think about security and what more I can do to secure Atlas Quest against hackers. So I spent much of the afternoon yesterday reading up about the best practices for storing passwords (along with what not to do) and realized that while AQ did a lot of things right (storing passwords using a one-way encryption algorithm--definitely good!), it.... had room for improvement as well.

I had learned that even encrypted passwords could easily be broken if the password is an easy one to begin with. People using the password "password" or "12345" is remarkably common. There are lists of the most commonly used passwords all over the Internet, and if your password is on it, you need a new password. But in any case, although AQ would encrypt a password such as "12345", if a hacker had somehow gotten a list of everyone's encrypted passwords, it would be easy to figure out which people were using common passwords because there would be a lot of users with the same encrypted password. If 50 people on AQ have the same encrypted password, it's going to be an easy one to crack!

So I changed the code to "salt" passwords. Now if 50 people use the same password, it'll come out with 50 different results in the database. A hacker won't have any idea which accounts might be easy to crack (or not). But still, if you use a bad password, the chances of being hacked go up enormously! All the encryption in the world can't fix a bad password.

There's also a technical issue for me.... since AQ stores passwords using a one-way encryption, I can't actually update the database to re-encrypt everyone's password. AQ needs to know the original password to do that! So I added a clever piece of code that intercepts a password when you log in and then re-encrypts it into the database to the more secure format. (Along with anyone else using the same password. Every person who logs in--you're helping AQ crack everyone else's password! I can't decrypt passwords, but I can check if other people are using the same password as you. Which, ironically, is the very weakness in the system I'm trying to fix. I'm using AQ's own weakness to make it stronger!)

I also got rid of the password "hint" on AQ. Some of you actually put your actual password in that (and the hint is NOT encrypted!), but while it might remind you what your password is, it can also help hackers crack into your account. So AQ no longer stores password hints. (If you tried to change your password this morning and got an error message, that's because I missed uploading a changed file that was trying to store a password hint even though the database no longer held that data. Sorry about that, but it is fixed now!)

So, that's what's up with password security on AQ. =)

Sunday, June 19, 2016

I Know What You Bought Last Summer....

There are Amazon.com affiliate links on pretty much all of my websites. The "big three" are Atlas Quest, Walking 4 Fun, and The Soda Can Stove--those are the websites that get the most traffic and therefore the most clicks. What happens when you click on a link is that Amazon.com puts a cookie on your computer to track where you clicked from, then if you buy anything from the website for the next day or so, they send me a tiny fraction of the sale price. It doesn't really add up to much, although I'm not actually sure if their terms of service allows me to post precise numbers so I'm not going to. (Sometimes companies are a bit protective in this manner. I know Google AdSense doesn't allow me to post that sort of information.)

Anyhow.... my Amazon affiliate account will also tell me what people bought. So I can see what sells well, or doesn't sell well, or whatever. I don't know who is buying this stuff, but I do know what you're buying!

And I thought it would be fun to share some of the more interesting items that people are buying.... So here's information about what people have bought in the past 30 days.

A lot of the items are stuff that you'd expect from a letterboxing website:

There are other inkpads, linoleum cutters, and obvious letterboxing paraphernalia, but a complete list isn't very interesting.

Some items that appear letterboxing related (or at least craft-oriented, which might be used for creating LTCs, logbooks, etc.) but you might not have guessed:
Most items, you can probably guess what website the link came from.... There's a certain amount of overlap for some, though, such as books about trails. They could have come from The Soda Can Stove website if they were looking to make their own soda can stoves, but they might have come from Walking 4 Fun if they were virtually walking the trail and wanted to learn more about it. Actual guidebooks about a trail, however, I suspect more likely come from The Soda Can Stove. You don't need a guidebook to virtually walk a trail--you need it to actually walk it! But stories about a trail... many people might be interested about those whether they do the trail for real or virtually.

So some people bought books about the Camino de Santiago--both the French and Spanish sections. The same person, I assume, also bought a Michelin map of France. Another person bought a Lake Tahoe and Tahoe Rim Trails book. Another person bought a map and guidebook of Vermont's Long Trail. Another person picked up the fascinating story of the Florida Keys Overseas Railway. (I'm getting tired of adding links to each of the products, so I'm skipping them here!)

A lot of backpacking gear tends to show up in the list as well, which I assume most of those links come from The Soda Can Stove:
  • 3M High Temperature Flue Tape (used to make soda can stoves)
  • Coghlan's Backpackers Trowel -- A whopping eight of those were sold! Must be a boy-scout troop heading out into the woods!
  • Klean-Strip GSL26 Denatured Alcohol (1-gallon) -- Denatured alcohol is used for fuel in soda can stoves, but even I was surprised that someone would buy a gallon of it. That's a lot of fuel. I could probably hike the entire Appalachian Trail with that much fuel! Two other people were more moderate in their purchases buying the quart-sized option.
  • Sawyer Squeezable Pouches -- Used with the Sawyer water treatment filter. I love my Sawyer Squeeze. Although I don't treat water on most of my hikes, I used this on the Arizona Trail extensively and never got sick. And trust me, that water was nasty! The squeezable part eventually failed and started leaking, though. I suspect whoever bought this had the same problem! The filter might last all-but-forever, but the container for water doesn't!
  • Solo Stove with Backup Alcohol Burner -- Obviously purchased by someone who decided that buying one for NINETY DOLLARS (!?!?!?!?) was better making one themselves for almost nothing. Heck, I'd have been willing to make him one myself for half that price!
 Then there's a random assortment of stuff which could have come from anywhere, really.....
Anyhow.... so that's some (most) of the stuff y'all bought in the past 30 days. About 60% of the purchases come through Atlas Quest. The Soda Can Stove brings in about 25% of the total, while Walking 4 Fun brings in the remaining 15%.

In all seriousness, thanks for supporting Atlas Quest!

Sunday, June 05, 2016

The Latest Last Big Update

Mobile-friendly searches!
How's that for a title? Those of you who read the message boards know I thought long and hard about what to call this update.... ;o)

ANYHOW! So this morning, I took AQ down to do a massive, enormous update! There were thousands and thousands of new, modified and even deleted code. And the end result is.... well, mostly cosmetic from your point of view.

This update was initially supposed to be a long-needed update of the message boards. That--did not happen. I started with modifying the code that moderators use to move threads then got sidetracked with a nagging smartphone display issue on that page--a page that only moderators would see!--which veered me off course into a massive update the AQ search engines.

But still, that hit upon 3 of the top 20 visited pages on AQ--which I "mobilized" to work better on smartphone. Better, as in no need to zoom in or out to navigate and read text, and no horizontal scrolling to read anything. There's always room for improvement, but it's vastly better now.

The three pages are:
  1. The Advance Search page.
  2. The search results page. (For instance, Seattle, WA.)
  3. The logbook pages
From a technical standpoint, each of them are actually multiple different pages internally. Each search type has different search options and information to display. When I updated the Advanced Search page, it has to handle all of these types of searches: All box types, traditional boxes, hitchhikers, travelers, postals, LTCs, event boxes, "other" boxes, all trackers, traditional trackers, postal trackers, LTC trackers and "other" trackers, events, groups, themes, blogs and last (but probably not least!)... trips. Of course, there is some amount of overlap between all of them, but there's a lot of stuff happening in just one page!

The code running all this stuff was old and decrepit and needed a through reboot. It's much easier to maintain, edit and update. I created over a thousand new unit tests to check the new code for issues and problems. It's a lot of good stuff... but none of it is really visible.

But you probably don't care about the technical stuff.... you probably want to know--what is new?! And the answer is... not much, really.

There are some minor modifications. The Advanced Search page no longer sets any defaults. That seemed to confuse people when someone would search for a box but it didn't show in the results because the option to hide un-clued boxes was automatically set. Now, if you want to use a setting, you have to explicitly select it. (Defaults still apply to simple searches, though.)

New premium member search option!
It also wasn't clear which options were for premium members or not, so I added some information about that. (Non-premium members, obviously, won't see this change since there are no premium member options you can use, but premium members can now see exactly which options they have access to and might reduce confusion when a non-premium member can't find the option you told them about.) Premium members have a few new search options they didn't have before like excluding boxes with the fee-area icon or compass.

I turned the blue diamond and Box of the Week search options into premium member perks. I resisted the blue diamond search option for a couple of years when I first introduced blue diamonds because they were already controversial to begin with, but eventually caved a couple of years later at repeated requests for them. But here's the thing.... I never really liked those search options either. I don't mind people taking a closer look at blue diamond boxes when selecting what boxes to hunt for, but I never really liked the idea of not even looking at boxes without blue diamonds. So I liked the idea of ditching those searches completely, but decided just to restrict the feature instead.

Note to premium members: I left some posts on the Premium Member Only board about some other hidden search options as well. ;o)

The search results page largely dumped the table layout it has always used since large tables don't fit well on smartphone at all. Now the rows "collapse" to fit the width of whatever device you are using. On a wide desktop page, it look fairly similar  to before, but I stuffed more information into it such as the last found date and the owner of the box. (Okay, the owner used to be there, but only if you hovered your mouse cursor over the box name. Now no hovering is required!)

I made the links that used to hide out in the upper-left corner of the page more prominent since it seemed like people were always overlooking them.

And the editing of current search is now at the bottom of the results rather than the top. I have to admit, I was a little torn about which way to go with it. I didn't usually edit my searches, but it's handy at the top when I did want to edit it. Fill up space with options I rarely used, or make it easily accessible for those times I did? I'm still not sure which way is best, but if you have a strong preference, do let me know. I could be convinced to change it.

That "quick edit" option is much more powerful than before as well. It'll let you remove or edit pretty much every search option that's being used! Typed the name of the box you were searching for incorrectly? You can change it from right there. You can change tags, attributes, statuses... pretty much everything! So it didn't become a giant advanced search page in itself, however, it mostly just shows options that were enabled so you can edit or remove them. If you want to enable an option that you hadn't initially used, you'll have to edit your search. (There's a button for that at both the top and bottom of the results!)

And the last major page I updated was the logbook pages. To be honest, I did a pretty lame job of it. I had to mess with it because my changes to the searches broke the logbook (which uses the search features of the Advanced Search page--almost all searches on AQ are attached to it!). The logbook pages really needed a major update as well, but mostly I just wanted to fix it just well enough to get them working again. The code there still sucks, but is at least a bit cleaner. =) Someday, I'll need to sit down and do a serious update of that section. I did tweak the layout to have the "collapsible" rows (like the search results page) so it works better on smartphones.

It does, however, include more information such as last find dates for plants which numerous people have asked for over the years. And, like the search results, will show the owner of the box without requiring one to hover their mouse cursor over the box name. (You won't see the owner name on someone's plants list, though, unless it's different than the person who planted it.)

What else... what else? Hmmm... *thinking*

Since I have pretty much re-written the entire search engine subsystem from scratch, it affects a lot of other places on AQ. Widgets on My Page use the search engine, apps use it--even registering a new account uses it! (AQ automatically creates a few favorite searches based on the person's location.) The changes broke code all over the website! I spend solid weeks testing and re-testing changes with thousands of tests, but there are undoubtedly bugs that slipped through. Several have already been found, reported and fixed throughout the day, and I doubt that's the last of them.

I checked out the changes on Firefix, Chorme, Internet Explorer, Opera, Microsoft Edge and Safari and as far as I can tell, it all seems to work well with those major browsers. I've tried them with my desktop and my smartphone, and it seems to work well. But there are so many devices and sizes and such out there, I can hardly claim it's comprehensive. If you see a page that doesn't appear to format correctly, let me know. (Be sure to include what kind of device you are using and the browser!)

So keep your eyes open! If there's something that looks like a problem, let me know! =)

I probably forgot something important, but that's all I can think of for now. Happy trails!

-- Ryan