Keys and padlocks appear in red in this wax cloth print, against a gold background.

Make Your Passwords Stronger

I originally wrote this security advice piece for Tactical Tech’s Data Detox Kit; it’s adapted here with permission and thanks.

Do you find yourself reusing the same password for all or most of your online accounts? Because strong passwords can be so hard to memorize, you may tend to reuse the same one over and over. Or you might use simple passwords, which are weak.

And that’s how accounts get hacked. It’s not by code, or specialized hacking skills. Just easy-to-guess passwords.

When a so-called “hacker” tries to get into accounts, all they have to do is have a computer and try every known password. Or, if it’s someone you know trying to get into your account, they just make a few guesses until they get in — maybe they know important dates, teams, pets, or people in your life, or they just know the password you use on some other site. …

Black, red, and white ankara wax cloth print shows a lock and a key in ornate frames.

I originally wrote this security advice piece for Tactical Tech’s Data Detox Kit; it’s adapted here with permission and thanks.

Although it may seem like taking care of your digital life is something that only happens online — in your email, the cloud, or a cell phone tower someplace — protecting the devices you hold in your hands is just as important. What could someone learn about you if they had access to your phone or computer? What could they do with your files, contacts list, social media profile, or financial account? …


In 2016, I wrapped up a study of people’s conceptions of how email works, with the assistance of Renee Hobbs, Arne Renkema-Padmos, and Blue Ridge Labs. While I have previously spoken informally about the findings of this study, due to editorial logistics and time constraints I was unable to release this technical report until now.

The full report is now available here. A forthcoming summary will be published soon on the website of Simply Secure, which funded this research.

This article was originally published on the ThoughtWorks Insights blog.

When I talk to people about how to protect themselves against security problems, often the first feeling they express is guilt or shame. That’s what I heard from my friend Lindsay the other day when I exclaimed to my old high-school crew about Meltdown and Spectre.

Lindsay is a trained opera singer, a mom, and the wife of a pastor — about as refreshingly far as you can get from the daily grind of the tech industry. She thanked me for letting her know about the urgency of patching. “I’ve been putting it off,” she said, “but not for good reasons: my internet often cuts off in the middle of an update, and I don’t continue. …

The release of the OWASP Top Ten digital security threats gives us a moment to consider: What can designers and other UX folks do to support security?

This article was originally published on thoughtworks.com.

Human error is one of the toughest things to guard against when planning digital security. It’s the single biggest attack surface in digital systems. And yet, security and user-experience (UX) design are generally not considered in tandem — in fact, security and usability are sometimes seen as enemies. That needs to change.

The emergence of cross-functional development teams, in particular, demands security and UX should sit together. Neither design nor security should be add-ons or afterthoughts to the development process.

The release of the 2017 Open Web Application Security Project (OWASP) Top 10 presents a good moment to consider how design and security can work together to reduce risk. OWASP formed as an independent, open space to raise awareness about digital security threats and help improve everyone’s defenses. Their Top 10 is a list of the current most critical web application security risks. …

How do we know where FancyBear came from? (this logo, at least, “was derived from fancybear.net, a website created by “Fancy Bears’ hack team””, per Wikipedia. Used here for purposes of illustration.)

On the human-factors side of the infosec community, we are at the mercy of those more technical than we are. Those of us who are better at writing grants, improving interfaces, or training journalists and activists must work hard to understand the complicated technical strengths and weaknesses of the tools we fund, recommend, and make easier to use. We have to trust security analysts to explain how attacks work, and where they are coming from.

From the beginning of my time in this field, this has troubled me. What if members of the tiny, elite group of technologists we trust were wrong, or, worse yet, exaggerating or lying to us? …

Robert Stribley’s interface mockup for GridSync.

Activity: “Lean”-style workshop to develop a more usable new interface for an open-source distributed file-sharing system.
Takeaways: Refine background materials thoroughly for short events. Talk about conflicting assumptions to make progress.

Working with open-source secure tools developers, I have had few opportunities to bring design and user needs to early stages of development. Many tools are already well-established. GridSync, a GUI for the Tahoe-LAFS file sharing system, presented a rare chance to bring user needs to the development process at an early stage.

With GridSync, I was eager to try out the collaborative design methods used in lean development. Collaborative design brings designers and user advocates into the development process early, and has them work with developers to try out new features, identify potential mistakes in the team’s assumptions, and clarify and test ideas about who the tool’s users will be and what they want. …

Originally published on the OpenITP Secure User Practices blog, on November 3, 2014

The gathering and use of data on software users is currently a hotly contested public issue. Companies like Facebook and OkCupid have attracted a great deal of public criticism for not only gathering and selling users’ information, but also using it to manipulate users’ moods. Credit card companies and major retailers have not proved immune to massive attacks on users’ financial and personal data.

Free software to protect security, privacy, and anonymity has to a great extent been developed in response to concerns like these. Developers of open-source secure tools have gone out of their way to ensure they gather no data that could be used to pinpoint users’ locations, sketch out their social networks, and otherwise put them at risk. …

Pixelated’s logo.

Activity: Usability testing on an encrypted webmail client.

Takeaway: In trying to balance the expectations of new users and experienced users of encrypted email, make information about what is being encrypted available when users look for it, with greater or lesser detail depending on the use case. An extra warning is in order when there is a risk users will accidentally send messages in the clear.

About these user tests

I conducted three user tests of Pixelated, an encrypted, browser-based email client, at the Chaos Communications Camp in August 2015, and three at the Internet Freedom Festival in March 2016. Participants were primarily European and North American adults; there was one African participant. …


Activity: Usability testing on a mobile VPN for circumventing censorship.
Takeaway: Simple, well-translated language is critical to users’ first impressions of a tool.

Psiphon is a secure VPN which allows users to tunnel either their whole device or just the traffic in their browser. It is currently available for Android and for Windows and Linux desktops. Psiphon makes it possible for users in censored regimes to get their software by sending an email to get@psiphon3.com, which auto-responds by sending copies of the software.

This report makes references to annotated screenshots of the Psiphon Android interface and a mockup of proposed changes to the interface.

About

Gus Andrews

Security and usability researcher and designer. Past portfolio: http://gandre.ws/portfolio/wp-content/uploads/2012/07/1207-GBA-Research-Portfolio.pdf
