Did you know…

Facebook Saves passwords. Even old ones.

Have you ever tried to log into Facebook with an old password?

Well, if you haven’t, its probably time to change your password!
But more importantly, you will see this graphic (click to enlarge):

old_password

This means:

1. Facebook matched what you submitted with a stored value on their servers.
2. This stored value means they have recorded your old password.
3. We don’t know how long (or how many) they have been storing.

Why does it matter?

A lot of users use the same password for many sites. This alone is major security issue due to the fact that Facebook will CONFIRM an old password that crackers can check against. It can be common practice to save the last known password as some sites use it as a security check to compare against while changing a password. Though usually this logic is at least behind a login, on a profile page. Not the homepage!

But there is something worse here at play: many users cycle passwords. It is an easy way of remembering them.

What is cycling passwords? Well, you have a certain formula, or ‘bank’ of common passwords you use, and maybe you change them around from site to site once in awhile, or you change a value in your formula, say a number here or there. For example, let us say you have a dog named Buddy. And because you won’t forget your dog’s name, you use Buddy8 for your password, then change in to Buddy9 a few months later, or Buddy10 for another site. So now Facebook has a store of not only most (or all) of your major passwords, but a traceable pattern to them.

So theoretically, Facebook can have a database of all (or most of) your common passwords and establish your pattern for logging into sites across the internet.

That you use.

For all sites.

For you data guys:

take 10 people on Facebook for the past 5 years who have changed their password once a year:

Now let us assume there is a security breach – too often a question of ‘when‘, not ‘if‘. We now have not 10 passwords to hack into the most popular site and possible others, but 50! Furthermore, all 50 are linked to a time stamp of when they were changed. Even if the other forty don’t currently work anywhere, they supply a possible formula to find out other passwords, and possible FUTURE combinations. Even if the breach is known quickly and damage control is successful it doesn’t matter. It only provides a false sense of security as the most important data, unbeknownst to the end user, has been leaked.

This is another reason password diversification is imperative. Not only do you want to keep important passwords very diverse, but you need to rethink your strategy if you cycle passwords. There are many programs out there that will help you make a random, thus more secure, password.

So what do you think about Facebook, or any site for that matter, storing your old passwords?

Passwords

In light of FitnessSF’s recent debacle, I am reblogging a post I wrote some time ago regarding passwords. In a list of ‘must dos’ when setting up your online presence, this is the easiest and prolly most important point.

So unless you are George Costanza and are using a foolproof childhood fondness no one can guess for your passwords, you should think hard about what your password for an important login will be.

Common Mistakes

In these days, it is imperative to have secure passwords.  If your password is ‘password’ or ‘qwerty’ or any easily accessible personal information (such as your birthday or pet’s name), you are extremely vulnerable.  A simple Google search will prove that these are the most common passwords.  Make sure not to use a single word, a common phrase or a common sequence.  Common names are also a big no–no.  For instance, “jesus”, “angel”, “iloveyou”, and”123456” are very bad passwords.  And how many people do you know who are named “Michael”?

Secure passwords

An effective password involves combining letters along with numbers and symbols.  You have a whole keyboard at your disposal, so use it!  It is also important to use a long string of character in your password.  For instance, “g7m@” is a lot less effective than “g7m@6ypu2”.  You can also combine letter cases for added security.  “G7m@6yPu2” Is a very secure password, as it is not likely to be pulled out of a hat. After you have choosen a password, choose different ones for  different logins; don’t just use one password for all your logins!

And most important, make sure you have a very different password for your bank login versus your Facebook, as well as other sensitive finiancial sites.

Remembering those passwords

After you have established your password(s), make sure to have a way to recall them.  But fear not, you don’t have to rely on your grey matter to remember weird combinations like “G7m@6yPu2”.  Many use passwords managers (such as Firefox’s remember feature) but I personally like more of a manual system.  Write your passwords down and then change the numbers and or letters to offset the password, with a key only you know.  For instance, you can advance the letters five spaces in the alphabet (looping back to A when you hit Z) and the numbers back one, thus turning “G7m@6yPu2” into “L6r@5dPz1”.  This way you can have a record of “L6r@5dPz1” and you are still secure.

After you follow these steps, you will have a secure system for managing your logins. But there’s one more step. Every feew months or so (my time frame is about six months, when I change the clocks along with the batteries in my smoke detector), change your passwords.

Oh, and on second thought, George Costanza’s BOSCO password wasn’t very effective.  Kramer figured it out in mere minutes, and if Kramer can do it, anybody can.

Are you guilty? Maybe it’s time to change a few of those passwords…

Fitness SF

Hacked!

On Wednesday, February 13th 2013, Fitness SF’s site was taken down by a disgruntled vendor. He claims that he was not given the respect nor money due in a project he worked on and decided to take serious action. It wasn’t the courts or the better business bureau, but self help, in an ballsy move.

Frank Jonen posted the following in place of his client’s site:
fitnesssf screenshot

Fitness SF had a reply:

“On Wednesday evening, our domain name Fitness SF was hacked and stolen by an individual named Frank Jonen. Frank was hired on May 16th, 2012 to develop a functional website for our brand. A $5,000 payment was made to him on the same date. In his proposal, he stated that the website would take 10 weeks to complete. He missed numerous deadlines including our brand launch in September. In December, he voluntarily passed the incomplete and non functioning website to our new design firm.
Now, Frank is attempting to portray himself as the victim when truly the victim is Fitness SF as he attempts to get paid for work he did not complete and has decided that blackmail is the way to accomplish that.
Fitness SF”

The Issue

Unfortunately, Fitness SF’s reply begs more questions than it answers:

  • Was the site truly ‘hacked’?
  • Did they change their passwords?
  • Why is the site still down?
  • Who is right?

There are always three sides to every story.

I recall when I first started out freelancing. I put together a fairly simple website for a bar in San Francisco’s Castro district were I was working the door at the time. I charged them peanuts considering the going rate as the job was more of a favor and ultimately a portfolio building piece. You can imanage my dismay when they bulked at the invoice. Rather than argue I just lowered my rate. I won’t say what I did was right, it was a means to an end, I had a good job and didn’t want to make waves. But ultimately, I did myself and every web guy out there a disservice. Many clients seeking out this type of work has very limited knowledge of what’s involved, and with cousins and brothers and next door neighbors that can haphazardly throw together a web presence, people think it should be next to free. Never mind the WYSIWYG tools that are now practically free when you register your domain. To their credit they have gotten much better than they were. Do you remember when they first came out? Shudder.

So back to the case in point, I sided with mister Jonen right out the gate. I understand this was jumping to a conclusion and prolly wrong, but we all love to see an underdog get his day in court. But there’s more in this case. After all, he presents a very good argument on the page. He is clear, concise, and articulate in his argument and his presentation of other projects for FitnessSF is outlined in the links he provides.

Choose your side…?

What I find most fascinating about this debacle is that when I tweeted this:
fitness sf tweet 1
They replied with a ‘please read our side of the story‘ tweet.

Then I tweeted this:
fitness sf tweet 2

Why no screen shot of their tweet to me you ask? Well, when you click on @fitnesssf, a really unfortunate message pops up on twitter:
fitness_suspended

The plot thickens.

My point with this article is not to choose sides. When a falling out happens, people always gravitate to one side or the other, usually based on personal experiences. This situation was handled poorly on both sides, and the take away here is communication and security matter most in client relationships. There was obvious miscommunication, and questionable security practices. On Mr. Jonan’s side, he could have taken a more appropriate action, there are avenues for this sort of thing. On Fitness SF’s side, they could have discussed their unhappiness with the product and lack of progress, not to mention they could have moved their site (the whois on fitnesssf.com shows Mr. Jonan owns the domain and has since February 2012).

Furthermore, this proves their site was not ‘hacked’. Hacked implies control was seized by nefarious means, this site was merely taken down.

Who wins?

Well, no one. But when you have a problem with a vendor, the first thing you do is secure your assets and do everything you can to keep it out of the public eye. Though a this point, Frank Jonen has won the first round via first attack, and Fitness SF’s reply lost them the second. This is a PR nightmare for the club and they will have to wade through the resulting quagmire. With this issue, they had more to lose in a city that is full of techie geeks, a lot who started out small like myself and understand the in’s and out’s of not only running a business, but a tech business.

What do you think?

2.19.13 – Update:

Looks like all is well again. http://fitnesssf.com/ now points to their site and their twitter account has been reinstated. I can’t find any details online as to the resolution, no explanation is offered. My guess is that someone got a check.

CSS to the rescue!

Let’s say that you are pulling in some data in string format to a div on your site. The only problem is you have no clue of the length of the string, and you have limited space. Often times, with a poorly programmed site, layout breaks when a div holds more characters than was originally intended:

This text will continue outside the box breaking layout

Code:

<div style=”margin:10px 0; padding:5px; white-space:nowrap;width:180px;height:20px;border:1px solid #FF0000;”>This text will continue outside the box breaking layout</div>

Now, it is common practice to set the width of the div and turn your overflow to hidden, but that can have negative side effects:

This string is just cut off in the middle of a word or letter

Code:

<div style=”margin:10px 0;padding:5px;white-space:nowrap;width:180px;height:20px;overflow:hidden;border:1px solid #0000FF;”>This string is just cut off in the middle of a word or letter</div>

A much more user friendly solution is to truncate the text and show ellipsis to let the end user know what is going on:

This text is cut with ellipsis as it continues

Code:

<div style=”margin:10px 0; padding:5px; white-space:nowrap;width:180px;height:20px;overflow:hidden;text-overflow:ellipsis;border:1px solid #00FF00;”>This text is cut with ellipsis as it continues</div>

Even better still would be some JS to pop open a div (on click) that shows the entire string (I threw together a quick example here using the Fancybox Jquery plugin):

See it in action here.

Is Facebook Failing?

Facebook; once our dearest friend we confided in became the annoying younger brother. Severe privacy issues aside, it is a great way of connecting with people. But we made so many connections that we were over sold, and the signal to noise ratio went off the deep end. This isn’t exclusive to just Facebook mind you, sites like Twitter have also experienced this overload of information, only they aren’t in the spotlit aftermath of a lackluster IPO.

There’s so many of us

Facebook brought us all together. It did this in a way that was unprecedented; all of a sudden we had an immediate venue to share our thoughts, feelings, and photos of our families, pets, and lunches.

All of this sharing, after awhile, collapsed on itself. Soon others thought to capitalize on Facebook’s success, creating sites specializing in specific sharing to compartmentalize your preferences. Which, in a way, was needed. Specific sites for specific things: Twitter for short quips, Pinterest for photos, and Google plus for – well whatever was left… I guess.

But all this sharing had another effect we never saw coming. It reminded us all about what we don’t like about each other. That kid we haven’t spoke to since high school grew up to become the adult you didn’t keep in contact with, and well, it was for a reason. But by then, it was too late, we were too invested in what became a play by play of our lives and we needed it as a reference. So Facebook in turn, helped us segregate. They added lists, and then groups, and then close friends… The proof smacked us in the face like a giant metaphorical bitchslap. We were faced with the fact that we are biased, selfish, and just not as popular as we thought we were when we finally did see Joe at the club and he had no clue about our big move we were planning for the past month, let alone that we were even posting about it. We had thousands of ‘friends‘ that knew what we ate for lunch and that we like horses, but never really SPOKE to. And this all made us feel really lonely and empty. This compounded with the evidence of what shits we really are, scared us. And it scared us a lot.

Facebored

Do you know the peak hours of Facebook? During the workday hours. you can test this yourself, post at 11am and then again at 4pm. The same post will receive significant different responses later in the day, mainly less. We realized that Facebook is, in addition to the above, just a way of passing time, all the time lying to ourselves what it really meant. The connection we have with ‘friends’ just isn’t there. It’s not that Facebook cut into productivity, it actually maximized it. Only the task was commenting on pictures of cats and dogs rather than doing work.

The idea that surfing the internet is a way to pass time shouldn’t come as an epiphany to you, but again, it’s quite arresting when that proof smacks you in the face. But how long can we go on commenting about people’s life and still be interested? How long can we go on about Obama before it quickly spirals into a debacle with friends of friends you don’t even know?

This, compounded by said privacy issues over the years, has left us with a bad taste in our mouths and generalized non interest. We are only salivating for the next big thing.

The IPO

Amid rumors it was going to flop, many still kept Facebook’s IPO was going to be the next great investment, and even I thought it stood a chance. Nevermind that the stock was overvalued to begin with, as this is common practice of the underwriters of such a deal, there are three main factors why Facebook didn’t do so well:

  1. Zynga Facebook’s first cousin, the maker of all those video games we blocked from our feed, went public before Facebook that only foreshadowed big brother’s fate. It turns out that the general public is still ramping up to the idea of investing in video games. When they didn’t rake in the bucks, investor’s took notice.
  2. The Social Network Whether true to life or not, the movie about Facebook’s fearless leader did anything but paint him in a positive light. And everyone saw it. Though it did educate the public as to Asperger’s.
  3. General distrust Privacy issues on top of more privacy issues combined with hard to find controls only pushed disenchanted users over the edge. The icing on the cake was when everyone realized Facebook was gathering their data. Users felt duped into a non transparent parent now holding all their information, and using it!

The Future

So like a lot of the big web companies, they start gobbling up smaller ventures, all in the goal of amassing their empire. Monster did this, as did Amazon. The future? A very large database. Larger than you can imagine. All those photos of your dinners have tags on them. The tags are stored. It has linked you to how much you like spaghetti, and when you like it. Not only that, but the mere hours you are awake posting about it.

Take a second to think about the marketing potential of this. We now know what we do and when and how. And it doesn’t stop there. Our friends and correspondence represent our own demographic. Furthermore, we willingly gave this information.

Nothing New

This large database about all your habits can provide for a specialized experience on the web. After all, I like a nice deal on a pair of shoes I have been eyeing. But we also cannot stop that nagging feeling akin to a real world 1984. Only in this dystopia, we don’t have to be watched, we will perform for the camera. I’m not dissing Facebook, they are smart in their actions, and I would have done the same in Mr. Zuckerberg’s shoes. It is important to know this all is nothing new, it’s just a faster and easier way of amassing the data. Other companies have been doing this since the earliest days of supply and demand. But some people are downright terrified that this information is being gathered and stored. Others could care less.

What about you?

Give your product the site it deserves

So you have a great product, and it’s time to sell it! What better way to do that than on the web? Anyone can get to it and a conversion is just a click away! Perfect! Then why do so many great, high end products have such a shitty representation online?

Case study: Maker’s Mark

Like most, I indulge in a relaxing cocktail now and then, and one of my favorites happens to be Maker’s Mark (specifically Maker’s 46).

www.makersmark.com is a very simple and clean design, and I praise them for this. It’s easy to navigate, your social media links are always visible, and it’s colorful and engaging.

But try this: click on the second navigation link labeled ‘Live Feed’. Now click on the eleventh link labeled ‘Embassy’. Holy Moly! What was all that?!? Whew, I’m glad I’m not drinking while surfing this site! I may have lost my dinner!

The mad scrolling that happens when you click non-adjacent links is not only jarring, but they have the absolute effect you do NOT want to sell on your site when it comes to a product such as alcohol. The effect is totally unnecessary as well; the developer could easily add some script that would make the transitions a bit more user friendly, maybe through a dissolve effect on the slides (They actually aren’t slides, but merely one long vertical site), or minimally just adjust the easing.

The easing is seriously compromised by the following: click on a different link, any one. Click on that same link again. Sometimes a re-scrolling effect happens (particularly in Chrome). The site will go to a different slide and reload the current one. Now after you have clicked twice on said link, now click on a totally different link. Did the slide load? The answer is yes and no. There is a delay on the slide load which makes you think the site isn’t responding. Do you know what happens when your user doesn’t think your site isn’t responding? They bail. Fast.

Case study: Gunnar

I’m a big gamer, and us gamers love toys that give us an advantage. Gunnar markets gaming glasses to help your eyes during those long caffeinated gaming sessions. I’ve never used them, but I guess they could be good for some of us.

These glasses are about the $100 price point, which isn’t an ‘oh my lord’ amount of money, but it’s enough to hit it out of the impulse buy ballpark. The problem here is they are selling a premium product, yet their site – this particular page geared toward Call of Duty fans –  http://www.gunnars.com/shop/Call-Of-Duty-MW3-Gaming-Eyewear.html has some navigation issues.

The main problem with their navigation is the hit space on the links. The first ‘products’ link is fine, but then it gets askew as it goes horizontal. Notice that ‘How they work’ gets cut off by the last two letters. You can see this as your mouse pointer changes over the r and k in ‘work’, or on mac, you can see this visually via the outline that gets put around the navigation link:

gunnar

gunnar

The other link’s outline is skewed as well:

gunnar

 This is due to image map (in a table no less!) coordinates being off as well as the the elusive outline CSS property. Here is how to fix the latter:

outline: none;
-moz-outline: none;
-webkit-outline:none;

Easy huh? So easy, you wonder why they don’t fix up their navigation. A little polish will go a long way.

Now click the red GUNNAR banner. After the site loads, click your back button and go between the two pages. Notice how the navigation jumps? The margin is different on these pages (courtesy of the cart implementation), as well as other pages within the site. This is a minor issue, but it’s just plain annoying. There is just no need for it.

For an added treat, open the following page in Firefox (I tested this on a PC): http://www.gunnars.com/advanced-computer-eyewear/ as you scroll, you will see divs jumping up and down a few pixels.

Again, these are minor issues, but if you want to sell a premium product, you have to have a premium site to reflect professionalism.

Parallax sites

These are kind of the ‘new thing‘ in web design, and it is basically a layering effect where the background of a site moves at a different rate of the content. I personally find these sites extremely jarring, but a lot of companies are jumping on this bandwagon. Vodka maker Grey Goose is one example of this, similar to the Maker’s Mark site as a vertical scroll. You can see other examples of parallax sites here. Given that this type of design annoys me, I wouldn’t spend much time if any on the site, let alone buy something, and caution against the use of them.

Our feelings guide us

We as humans respond to visuals more than anything. Simple effects influence our behavior and can lead to buying a product or abandoning a shopping cart. In turn, this feeling we form about a product influences our real world actions. For example, for a web geek such as myself, I will associate Maker’s Mark with a bad site design when I’m shopping at BevMo. If I was ambivalent about their product, it could be the one thing that tips the scales out of favor.

Bottom line: do not underestimate how your online representation influences real world actions.

Often times, the problem is not the product or even the company itself. It is the agency that has handled their advertising for so long has not taken into account the idea of user experience. Many agencies are rooted in a print industry, which doesn’t translate directly to a web space when selling a product. Often times you will have executives with printouts and screenshots in their hand in a meeting about the website, but who never actually play with the site themselves, clicking every link or crowd sourcing what they have built. It looks great, but fails on experience.

Click on your links. Navigate around your own site. What experience are you associating with your product?

Social media contests

Freebies are a great way to drive traffic. Whether you are one of the top three CRM companies or an artist scraping out a living, nothing helps you more than offering something for free. There are several ways to do this, one being a contest. And who doesn’t love to win a prize?

What not to do

This:

This is a good idea as far as getting people on board to follow you, but what are you communicating to the first 999 followers? In an essence, you are ignoring those who have been with you all this time.

Ask yourself: What is their reward?

What to do

Offer a reward that all of your followers have a chance of winning. And you can do this in a context of an event, whether it is an physical event or just a celebration of your thousand follower.

The DeYoung museum in San Francisco has occasional trivia that can score you tickets, or maybe a DVD or book if you are the first to tweet the answer to them. With this type of contest, you are engaging your followers in a fun game and rewarding all of them.

The DeYoung also hosts other contests such as voting:

This in turn drives traffic to other sites where you have a presence (this one happens to cross pollinate with Flickr).

This is crucial as you should be on every social media site possible. You never know where your next client/customer/web developer/investor/marketer is going to come from, and these avenues are there for you to take advantage of – So do it!

Follow

Get every new post delivered to your Inbox.