So, InPrivate is to Private as InVisible is to Visible.
Lorrie Cranor was my PhD advisor at Carnegie Mellon. Lorrie is absolutely brilliant. She is energetic to the point of being tireless. Lorrie is a world-leading expert in both computer security and privacy. She will do an amazing job in her new role. The US is fortunate to have her.
This one hits a bit close to home for me. I'm actually just finishing up my PhD in the School of Computer Science at Carnegie Mellon. Within a month, I should be Doctor Atog. Getting an acceptance letter like that can be life-changing. I've spent the past six years of my life in Pittsburgh because of being accepted to CMU. This has been an amazing place and I feel very fortunate for the opportunity to have been here. I've had doors opened because of being here, and I've been able to have some very rewarding experiences. I've learned a lot and I've certainly grown as a person. I still remember first getting that acceptance from CMU. I was overjoyed, and I knew that my future would be different because of that acceptance.
The students getting these false acceptance letters had several hours before there was a correction. Those hours are a lot of time. That is enough time to tell present employers that they are quitting. Enough to tell friends and family the good news. Time enough to tell other schools that they are retracting their applications. In other words, lots of time to make some fairly hefty life-altering decisions based on the news.
Note the specific language being used.
"Yahoo will support the Do Not Track technology for Firefox users, meaning that it will respect users' preferences not to be tracked for advertising purposes."
The Do Not Track tag clearly specifies that the user does not want to be tracked. However, Yahoo is twisting its meaning such that the user is not tracked for advertising purposes. Two very different things. Unfortunately, despite considerable effort, there is no standardized meaning for Do Not Track. All too often, corporations invent new meanings for those simple three words in order to continue making a profit by tracking users who have explicitly indicated not wanting to be tracked. So much for notice and choice.
I'm sure that the HSBC executives will also be arrested for their money laundering soon. Any time now.
Again and again, we see user interface designers copying the popular and trendy interface elements of the day. I have always been able to rely on Slashdot to maintain a good website design, but it appears that this beta abandons all of that to follow the grazing herd. The banner atop the screen insists on stalking me, even as I scroll away from it. The enormous right column dominates the entire page with its worthless blank space. And worst of all, the designers have followed the recent fad of covering the entire page in jittery hover-text, making the website feel unstable and jumpy. In summary, I think that these changes to the design of Slashdot will make it more "hip," more "trendy," and definitely less usable. Not unlike what happened with Digg. I would really hope that, if Slashdot does have the poor taste to execute these changes, they will at least give long-time users such as myself the option to use the "old" and far more solid page design.
I cannot speak for academia in general, but I can provide a bit of insight for how this works in computer science. I have published articles in journals and conferences in computer science, and they are all available for free on my website. In fact, I have found that most researchers in computer science make their work available to the public, on their website, free of charge. Think about it -- we want our work to get out there and be read. Ideally, we would even like it to be cited. And keeping it behind a paywall does nothing to further this.
Some academic conferences, such as the Symposium on Usable Privacy and Security (http://cups.cs.cmu.edu/soups/2013/), explicitly allow authors to post their publications on their websites. Other venues may technically prohibit this practice, but authors in computer science tend to post their research online anyway. In general, I have found computer science articles far more accessible than, say, those times I have been looking for an article in psychology or economics.
You're missing the distinction between an online attack and an offline attack. In an online attack, where the attacker goes to the website and starts typing in passwords, then lockout will do just fine. But when the attacker has stolen the password file, he gets as many guesses as he wants, bounded only by computing power. And in that case, the hashing speed will be a limiting factor in how long it takes him to break the passwords.
Advertising companies make a big deal about "notice" and "choice." Unfortunately, while they claim to give users the ability to "opt out" of Online Behavioral Advertising (OBA), all they really do is give users the ability not to see ads. They don't necessarily give users the ability not to be tracked. Here's an entire paper about it. http://www.cylab.cmu.edu/research/techreports/2011/tr_cylab11005.html
How can brute force work on a web site sign in page? I would think banks code the site to stop brute force password input. I'm no programmer; that's why I ask.
There are two types of attacks one can make against passwords: online and offline. In an online attack, the attacker just goes to the website itself and starts entering passwords. The website can just lock him out after several failed attempts; even if there is a password-reset option, this can still be very time-consuming. However, the more pernicious attack is an offline attack. In this attack, the attacker has stolen the hashed password file, and he can spend an arbitrary amount of time breaking its passwords, limited only by the number of cycles on his computer.
What makes a change in policy to a maximum of 16 characters absurd is that the strength of passwords really does matter when it comes to how long they will endure these offline attacks. In fact, there is evidence that using a password of at least 16 characters leads to a password that is more difficult for attackers to break.
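Added example, not part of the original comments: a defender's estimate of the online/offline distinction drawn above, comparing the guess budget a lockout policy allows with the expected offline search time under a fast and a deliberately slow password hash. The function names, the lockout policy (5 tries per 30 minutes), the 95-character alphabet and the PBKDF2 iteration count are all assumptions chosen for illustration.

```python
import hashlib
import os
import time

def measure_rate(hash_fn, budget_s=0.2):
    """Guesses per second on one CPU core of this machine (GPUs are far faster)."""
    salt, n = os.urandom(16), 0
    start = time.perf_counter()
    while time.perf_counter() - start < budget_s:
        hash_fn(b"guess%d" % n, salt)
        n += 1
    return n / (time.perf_counter() - start)

def fast_hash(pw, salt):
    # One salted SHA-256: cheap for the server, equally cheap per guess.
    return hashlib.sha256(salt + pw).digest()

def slow_hash(pw, salt, iterations=100_000):  # iteration count is an assumption
    # PBKDF2 multiplies the cost of every guess by the iteration count.
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)

def online_guess_budget(attempts_before_lockout, lockout_minutes, days):
    """Most guesses one account can receive while lockout is enforced."""
    windows = days * 24 * 60 // lockout_minutes
    return attempts_before_lockout * windows

def offline_years(length, alphabet, guesses_per_s):
    """Expected years to find a random password: half the keyspace."""
    return (alphabet ** length / 2) / guesses_per_s / (365 * 24 * 3600)

if __name__ == "__main__":
    print("online, 5 tries per 30 min for a year:",
          online_guess_budget(5, 30, 365), "guesses")
    for name, fn in (("sha256", fast_hash), ("pbkdf2", slow_hash)):
        rate = measure_rate(fn)
        for length in (8, 16):
            print(f"{name:7} {rate:12.0f}/s  len {length:2}: "
                  f"{offline_years(length, 95, rate):.3g} years")
```

The estimate assumes uniformly random passwords; human-chosen passwords fall much sooner, which is why both length and hashing cost matter once the hash file is stolen.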
Taiwan uses Traditional Chinese. Mainland China uses Simplified Chinese. So, that wouldn't work. Mao changed the written form of the language some years back.
If I were caught speeding, could I justify that by telling the officer who pulled me over that I was stressed?
Now, imagine that instead of speeding, I were instead violating the Constitution of the United States. For a period of several years.
We have rules and laws to prevent this from happening. But if there are no consequences for the people and agencies who violate our rights, then those rights have no teeth. The people who have done this to us should be prosecuted.
The government is forcing the change. It wasn't that the TV stations, of their own accord, decided to switch. Instead, it is being forced by the government. So, before you get all upset that the government is helping people switch over, just remember that it is the government that is demanding the process in the first place.
He keeps differentiating, flying off on a tangent.