Can you read anything on Kindles?

Now the price is lower, the browser is faster, and getting many forms of content onto the Kindle is easier, especially if used in conjunction with Google Reader.

There are two reasons I bought a Kindle 2 and the larger Kindle DX with their eye-friendly screens:

• to read books and short stories (what the Kindle was built for)
• to see if I could read anything (what I really want)

Below I describe the experience of reading a variety of different types of material – novels, collections of short stories, mixed text/graphics, PDFs, web content, and using Google Reader to read RSS or arbitrary web text. While the only truly original part of this post is how to get any web content onto a Kindle (in the Google Reader section), this post may also be of use for laying out in one place what it is like to use a Kindle for a wide variety of reading materials.

FilterJoe readers know that I have an obsession with wanting to read and get work done without distraction. If I completely forget I’m using a Kindle to read, then it’s working. The more I have to think about the Kindle while trying to read, then the less enthusiastic I am.

The Kindles

I bought from Amazon a refurbished Kindle 2 for $140 (occasionally spotted for $110 in the mid July 2010) and a refurbished Kindle DX for $249. The Kindle 2 has a 6” screen, while the DX has a 9.7” screen.

A newer version of the Kindle DX just became available for $379 which has a higher contrast display and a dark frame. There are rumors that the Kindle 2 will soon be replaced by a higher contrast Kindle 3, with possibly other new features.

Using a Kindle for Reading Novels

Reading text-only novels is where the Kindle shines. It is very easy to use the 5 way controller to navigate to the Amazon store and purchase a book. Many public domain books cost little or nothing, while modern titles typically cost $9.99. Purchased books show up on the Kindle home screen. You click on a book to open it.

Text is chunked by page, and the size of the page will vary depending on font size. Clicking the “next” button takes you to the next page. For reading a novel, the navigational controls work well.

With excellent font and typography, I found the screen as easy to read as a newspaper when outdoors, but more difficult indoors, where some form of lighting may be needed unless natural light is plentiful. At night you’ll need either a bright night lamp or clip-on light.

There is a key devoted to bringing up a menu to change font size if you want something bigger or smaller than the default (though I found the default size reasonable). This same menu includes other appearance options, such as “words per line” which I set to “fewest” when reading novels on the Kindle DX.

For books purchased through the Kindle Store, a key advantage over regular books is that you can read them on whatever device you have in your possession, whether it’s a Kindle, an iPad, an iPhone, a Blackberry, or an Android-based device. Bookmarks, annotations, and last reading place are seamlessly synced among devices if you leave your wireless 3G connection on. So, you can be reading the first three chapters of a book on your Kindle, then continue reading right where you left on your smart phone while you’re on the go.

The Kindle does get in my way a little with page turns. With each page turn, there is a brief delay, a distracting flash, and the possibility that I’ll hit the next button too early by accident. I hit the next key accidentally many times at first, but now make this mistake rarely. I make far fewer accidental page turns when using software such as Stanza on touch screen devices.

Though both Kindles work fine for reading a text-based novel, I prefer the Kindle DX because there are fewer page turns. The downside of a Kindle DX is that it’s too heavy to hold in one hand, which is why many people prefer the Kindle 2 over the DX for reading novels. The difference in feel between the two devices is similar to the difference between a hardback and a paperback.

Using a Kindle to Read Chapter Books or Short Story Collections

Some people read chapter books or short story collections straight through without ever looking at the table of contents or flipping around in a different order. For such people, the experience will be the same as reading a novel.

Personally, I want to be able to look at a table of contents and choose where I want to start reading. I would also like to be able to flip through the book, preferably section by section. And I would much prefer to see stories and/or chapters start at the top of a page.

The good news for Kindle owners is that this works pretty well for books which are formatted to take full advantage of the Kindle. Such books will have a table of contents, chapters which start at the top of the page, and waypoints. Waypoints are little dots that appear on a bar at the bottom of the page, and they typically represent the beginning of a chapter or the beginning of a story. They give you a visual representation of how long each chapter is and how far you are in the current chapter. They also give you the ability to flip through the waypoints one by one, forwards or backward, using the 5 way controller.

I like this system, though I would prefer to be able to access the table of contents in one step rather than having to hit the menu key, click on “Go To,” reposition the cursor to “table of contents,” then click on it. Amazon – if you’re reading this – can you please include an Alt-T shortcut in the next Kindle software update?

The bad news for Kindle owners is that most of the free and low cost books on the Amazon store do not include an active table of contents. So far as I have been able to gather, there is no simple way to shop the Amazon store in a way that only displays books with an active table of contents. You might be able to find out if a book is properly formatted by reading the description or reviews. But only by downloading a sample or buying the book will you know for sure if a table of contents is present. For some public domain books there are over a dozen different versions, most or all of which have no table of contents, so it can be somewhat time consuming to download, examine, and delete numerous samples to examine formatting.

I wish that Amazon had a set of rigid formatting guidelines in place that insured only books formatted to take full advantage of the Kindle could make it to the Amazon Store. Amazon has begun to weed out some of the lowest quality books from the store over the past year but they are not weeding out books without table of contents or waypoints.

Thankfully, there is a better way to get well formatted books for the Kindle. Don’t use the Kindle Store.

By far the easiest experience I’ve had is to download Feedbook’s “Kindle Download Guide” (here) and use it as the primary method for obtaining public domain books. It’s a simple matter to search your Kindle from the home screen for your favorite book or author, click to the book, and then click to download it. These books are all properly formatted with waypoints and tables of contents.

The Mobipocket Guide available here is also pretty good but the few books I’ve downloaded did not include waypoints. It is also possible to use the Kindle browser to download books from a number of different sites. Andrys Basten has a complete guide to free or low cost downloads here, but quality varies.

The downside to skipping the Amazon store is that you no longer have the benefit of Whispersync, Amazon’s system for keeping books in sync among multiple devices. If you read all your books on a single Kindle, then you won’t miss this feature.

Lack of table of contents and waypoints in some books were distractions. But setting these issues aside, chapter or story books which are formatted to take full advantage of the Kindle are easy to read and to navigate. If all Kindle books were formatted as well as Feedbook content, I would actually prefer reading chapter books on the Kindle over paper.

Using a Kindle for Mixed Text and Graphics

I downloaded a few samples of books with a mixture of text and graphics and was very disappointed. The graphics quality was mediocre and text that should have been on the same page as a graphic was often not. Changing font size can improve the experience on the Kindle DX, but the Kindle 2 is generally too small for a reasonable reading experience.

Picture books typically assume that the reader is looking at two pages at a time. I tried out two different samples of Curious George books to see if they would even come close to the experience of the paper version. They didn’t. For now, I’ll continue reading traditional Picture books to my son.

My experience with Kindle Store’s mixed text/graphics content was so poor that I eventually gave up after some fruitless tinkering. I hesitate to buy anything from the Kindle store that contains even a small number of graphics and will not do so unless I can see a sample from the book that includes one of the pages with a graphic (Nook owners have an advantage here as they can browse any part of an E-book at a Barnes and Noble store). There may be some good books with pictures or graphics in the Kindle Store but I have yet to see one.

Using a Kindle for Reading a PDF

Both Kindles include a basic PDF reader. My attempts to read PDFs on the Kindle 2 proved futile, as the screen is too small. Text does not reflow to fit the screen, so the only way to read a typical PDF text document is to zoom in. While zooming allows you to read individual words, it is impractical to read a single column 8.5 x 11 page which is divided into 4 or more rectangles, as you have to flip back and forth for each line of text.

The 9.7” screen of the Kindle DX is barely large enough to read a full PDF page. My experience after reading several PDFs is that documents with large font sizes can be read “as is.” However, most of the documents I read use 10 point or smaller fonts. For these, I had several choices:

• Zoom—not a good option, as described above
• Rotate the screen—practical for many documents, though charts and graphs often get chopped in half
• Reading glasses—the best solution in most cases

There are a number of features I hope Amazon adds to future versions of the PDF reader. First and foremost would be a text reflow option. If this is not possible, I’d like to see more flexible zooming that allows me to center in on a particular chart or graph, perhaps by allowing scrolling. Margin cropping would be another useful option.

Overall, reading a PDF on the Kindle DX is worse than reading PDF on a computer and much worse than paper, when the font sizes are small. For documents that use a large font size (12-14pt depending on the font), it works reasonably well, but still not nearly as well as paper. Amazon continues to add PDF capabilities so this may improve over time.

Using a Kindle for Reading a Long Article on the Web

The Kindle browser is faster than it used to be but still slow. So you’re unlikely to use it for general browsing or to read a number of short articles. But it is surprisingly useful for reading long articles on very simple web sites, such as FilterJoe. First turn off Javascript and Images to make the browser faster. Then navigate to where you want to read a web page that has lengthy text. The Kindle may take many seconds to load the page. But once loaded, the entire text is loaded in memory. This means you can read the entire text of the page like a short story, even if you turn off wireless access.

I find myself not using the Kindle this way. It takes too much time to browse and load pages. Many web pages are too complex to be navigated easily (or in some cases, at all) by the Kindle browser. But the main reason I don’t use the browser is because there are easier ways to get chunks of lengthy text onto the Kindle.

Instapaper,  Calibre, and KindleFeeder are three common ways to get content onto the Kindle (which you can read about here, here, and here). All three of these methods require a USB connection or paying Amazon .15 per MB for wireless delivery.

I’ve discovered another way that uses a little known feature of Google Reader, which I describe below. Google Reader can be used as a flexible, free and wireless conduit for getting information from computers onto my Kindle.  I find it so useful that 90% of my Kindle Browser use is Google Reader. Below I explain why and how.

The Basics of RSS

As described in Wikipedia here, Really Simple Syndication (RSS) is a family of web feed formats used to publish frequently updated works, such as blog entries and news headlines. Consider: Would you rather pick up your Pizza or have it delivered? Similarly, would you rather have to spend your time fetching content from your favorite sites, or have it delivered to you automatically? A feed reader can deliver you content like a pizza delivery man delivers pizza, though with far more flexibility.

One of the most popular feed readers is cloud-based Google Reader which can be used on virtually any device, including the Amazon Kindle. The Kindle does support a proprietary system for reading RSS but it is expensive, inflexible, and offers few feeds, so I have not even tried it.

I use Google Reader to track over 100 feeds. While this sounds like a lot, most of my feeds publish less than 1 post per week, and only one more than 3 times per day. Google Reader provides tools for organizing, pruning, and rapidly reading or skipping content. The main downside of using Google Reader is the potential for self-induced information overload (subscribe to many high volume feeds and you’ll see what I mean). Some of the main benefits include a nice reading format, consolidating your news and blog feeds into one place, discussion tracking, search, archiving, and mobile access.

Using a Kindle for Reading RSS with Google Reader

The mobile version of Google Reader is reasonably fast on the Kindle, especially with the Kindle browser in “basic mode” and images disabled. Before you can use it, you’ll need to set up Google Reader on your computer, and add a few of your favorite feeds. Here is an article that can help get you started:

Google Reader Guide

Then you can access the mobile version of the Google Reader from the Kindle, by typing in this URL:

www.google.com/reader/m

Enter your user name and password. Bookmark the home screen, as well as the screen yet get when you click on “tags.” The Tags screen shows you the tags “starred” and “shared” as well as any tags you have assigned to your feeds. Tags work like folders for the purposes of this discussion.

Once logged in, you can see a list of all unread items on Google Reader Mobile’s home screen. You can also see lists of unread items by a specific tag or specific subscription. A drawback of the mobile version of Google Reader is that you can’t view items you’ve already read unless they are “starred” or “shared.” However, using the “starred” and “shared” tags, you can view almost any web text on your Kindle.

The “starred” tag simply displays any Google Reader items for which you assigned a star, something you can do on every version of Google Reader. I tend to star interesting items either to archive them or because I want to read them later. So I may rapidly go through my list of items on a computer, reading shorter items, skimming some long items, and “mark all as read” the rest. But I “star” long, interesting items for reading at another time. Later, I can easily read them on my computer, my phone, or my Kindle. I prefer to read items with more than a thousand or so words on my Kindle DX.

The “shared” tag displays items that you have decided to share with the world in your own public feed. The intended purpose is to share items with people you think will find the items you select interesting, and you can include a note if you want to comment about the content or explain why you think it is interesting. I have actually never used “share” for this purpose. I use it to read arbitrary web content, as follows:

Google has provided a bookmarklet which allows you to share any piece of content from the web. Follow these instructions to set up the bookmarklet on your computer browser. Now, any time you find something on the web that you would rather read on your Kindle, just select the text and click on the bookmarklet “Note in Reader.” You can now read it on your Kindle.

If you simply leave your Kindle’s browser loaded with Google Reader’s Tags you essentially have a way to print to the Kindle. Just select text from a browser, click “Note in Reader,” and the item becomes available on the Kindle. In the Kindle, you need to click on “Shared” then click on the item to open and read it.

So how does all this work in practice? It is more cumbersome than printing to a piece of paper as there are twice as many steps, and the browser is slow. You’ll need to keep battery-draining wireless 3G turned on when navigating Google Reader. And there are some glitches. “Note in Reader” bookmarklet sometimes cuts off text after certain HTML characters, which happened when I clipped a Google 10-K financial document. It is also possible to overload the Kindle browser with a very long item in Google Reader that contains many graphs and charts, which requires a reboot.

However, for text-only documents with basic formatting it works well. It works especially well to accumulate articles and then read a batch of them on the Kindle.

Overall, I find the benefit of reading long posts on a hand held E-ink device outweighs the hassles I just described, but I’m wishing for more. What I really want is to be able to select “print to E-ink” on my computer and it just shows up on my Kindle, as if I had just clicked on it. No limits. No hassles. No Hacks. No complicated setup. Whoever can do this one simple thing well will sell a lot of E-ink devices. Amazon, are you listening?

Conclusion – Can You Read Read Anything with the Kindle?

The answer is no, the Kindle does not quite work as a device to read anything. Both sizes of Kindle work well for pure text novels and properly formatted chapter books. Both work poorly for picture books or anything image intensive. PDFs are barely acceptable on a Kindle DX, and not acceptable on the smaller Kindle 2. But with a bit of effort, both sizes of Kindle can almost read any web text using several possible methods, the most flexible of which I believe to be Google Reader. Overall, the Kindle DX can be used on a wider range of material than the Kindle 2 due to screen size. But “Reading anything” is by no means a seamless experience.

To be fair, “reading anything” is not the intended function of a Kindle. Amazon’s intention is for the Kindle to be a device that makes it easy for people to read books, collections of short stories, and periodicals available on the Kindle Store. This makes sense for Amazon as a business model, as the Kindle store is the primary means by which Amazon makes money off the Kindle platform. Amazon mostly succeeds at this, though there is room for further improvements to the user experience with tables of contents and the average quality level of Kindle store content.

However, I want to be able to read anything on an E-ink screen. For content other than text-only books this is currently cumbersome, and in some cases not workable.

The Future

E-ink devices powered by Android will become widely available in 2011. Some of these devices may make full use of Android’s reading capabilities, including a good mobile browser that can access an Android-optimized version of Google Reader. Third party Android apps such as Evernote, Dropbox, Kindle for Android, and Nook for Android will make it far easier to effortlessly “read anything” on an E-ink screen. The Nook is already based on a restricted version of Android, so Barnes and Noble may choose to take greater advantage of Android’s reader friendly features.

For a very long time I’ve been looking forward to the day when reading anything electronic is comparable in quality and effort to reading traditional books and newspapers. That day is almost here. But not quite.

Chrome is a memory hog because of the way it handles auto refresh on sites such as Gmail, Google Finance and Google Reader. Windows users who monitor memory with the Windows Task Manager can see how the memory increases each time a tab is manually refreshed, or automatically when there are one or more open tabs which auto refresh. I suspect that Chrome does not release caches from refreshed tabs until they are closed—at least not on any of my Windows XP SP3 systems.

There are several workarounds for this issue. The most drastic is to close Chrome and then reopen it. This is time consuming if you need to log back in to several sites. A slightly less drastic alternative is to purchase more RAM. Here are two methods I use that are not so disruptive. Both involve closing and reopening tabs:

Method 1: When Chrome slows down, close all but one tab then reopen them all

1. Type Ctrl-W repeatedly to close all but one tab.
2. Type Ctrl-Shift-T repeatedly until all tabs are back open. This will reopen up to 10 previously closed tabs.

Method 2: Keep most pinned tabs closed so that Chrome never gets slow

1. Pin all auto refreshing tabs which you plan to keep open throughout the day. Tabs can be pinned by right-clicking on the tab and choosing “Pin tab.”
2. When you are done using a pinned tab, close it with Ctrl-W. Notice that the favicon becomes dim, a “Phantom Tab.”
3. When you need to use the closed tab, simply click on the dimmed favicon, and it will open back up. Chrome is so fast, that this will usually take less than a second.

I find dim favicons less distracting than bright ones so for that reason I prefer the second method.

Chrome’s memory management issues complicate what is otherwise a terrific browser, whose merits I describe here. Opera and especially Firefox have much more efficient memory management, so these browsers may be more suitable for memory constrained systems. Chrome otherwise suits my needs better than the competition so I’ll continue using it with the workarounds described above.

UPDATE:

Chrome 6 rolled out on September 2 and eliminated dimmed favicons (also called “phantom tabs”) which destroyed method 2 described above. Those in love with phantom tabs should not upgrade to Chrome 6.

Google Chrome has a voting system for bringing back terminated features. Just visit the link below and click the star if you want Phantom tabs to come back:

Phantom Tabs Always

In 2010, the same five browsers continue to dominate the market, but my order of preference has changed. Why?

In a word: Chrome.

Google’s Chrome browser was designed from the ground up to be good at running web applications, with an underlying architecture that is faster, more secure, and more stable than the competition. Chrome succeeded. The competition has responded. Users have benefited.

The latest versions of the five major browsers are all far faster, safer, and more stable than they were in late 2008. All five browsers are good and getting better. But with the recent addition of extensions, Chrome has taken the lead, and in my opinion deserves the “best browser 2010″ award.  I explain why I recently switched from Firefox to Google Chrome at the end of this post.

Browser Reviews

Below are summaries of the strengths, weaknesses, and future expectations of the five major browsers—and what makes each browser distinctive and appropriate for a certain type of user. Though ordered by my personal preference, what’s best for me may not be best for you.

For detailed Windows speed tests, look here or here, and for Macs, here.

1. Chrome 5

Chrome continues to be very fast, secure, and reliable. The uncluttered interface makes it easy to focus on work. Chrome is therefore an ideal browser for running web applications such as Gmail, Evernote, or Facebook. Over the past year, many features were added to Chrome, including support for extensions.

Chrome extensions can use only one tiny icon’s worth of screen space and are restricted in other ways. This purposeful tradeoff sacrifices flexibility and potential capabilities in order to keep Chrome fast, reliable, and uncluttered. Chrome also keeps the user experience streamlined with automatic browser updates, the ability to shrink tabs into small icons, and reduced use of dialog boxes.

Chrome is not for everyone. It is a memory hog, so your system should have 1GB RAM for 5-10 tabs, and 2GB RAM if you routinely keep more than 10 tabs open—otherwise you’ll need to close and reopen your tabs every few hours (see here for a more elegant workaround). Some people don’t like the minimal look and reduced menu access. Some Firefox users may miss the functionality of some of their favorite add-ons. The built-in password manager does not encrypt passwords, so don’t use it (Use a dedicated password manager instead).

Perhaps most importantly, some people feel uneasy about how much of their data Google can see, which can really add up if you use Google search, Gmail, and Chrome. For people who are uneasy about Google’s data collection but still want Chrome’s benefits, there are nearly identical alternatives that don’t collect user data, such as SRWare Iron or other browsers mentioned here.

However, for both the average Joe and the power user, Chrome’s speed, reliability, and uncluttered interface makes it the best browser in 2010 for getting work done. Users have noticed. Google Chrome’s global market share has jumped from 4.6% to 7.0% over the past 5 months.

Major Upgrade: Version 5 was released on May 25, 2010. It is faster, more secure (Flash auto-updates) and now works on Linux and Mac (10.5.6 or later) systems in addition to Windows (XP or higher). Version 6 will be faster still, with a number of additional minor features.  Chrome appears to be improving at a faster rate than its competition.

By early 2011, tablets and netbooks will be available that launch right into the Chrome browser within seconds after turning on. Like Apple’s iPad, these devices are expected to be much easier to maintain and keep secure than today’s general purpose computers.

2. Opera 10.53

Chrome and Firefox attempt to be bare bones browsers, to which you add functionality with extensions. Opera, on the other hand, already comes bundled with many extras that users typically want, such as ad blocking, note taking, data sharing, and sync. While Opera does not support extensions, it does support many forms of customization through third-party add-ons, including plug-ins, skins, panels, as well as separate applications called widgets. Despite the extra included features, Opera is about as fast and uncluttered as Chrome. On top of all this, Opera experiences fewer security issues than other browsers, partly because hackers typically don’t bother with low market share browsers.

So why don’t more people use Opera? A small number of web sites do not load properly, as some developers don’t test their sites with Opera. Some users simply don’t care for the interface. Recent versions of Opera take up a lot of memory when many tabs are open. Perhaps the biggest reason is that few people have heard of it. But Opera is a fine choice for many users, especially for the majority of people who don’t spend much time changing settings, adding extensions, or taking extra security measures.

Of the five major browsers, Opera runs on the widest variety of systems. Opera runs on Macs (10.4 or higher), Linux, and Windows (XP or higher). Year-old Opera 9.64 runs on Windows 98. Opera also has mobile clients available for most mobile devices, which can sync bookmarks and history with Opera on the desktop.

Major Upgrade: With the release of Opera 10.5 in March of 2010, Opera’s speed is comparable to Chrome and Safari. New features added over the past half year include independent widgets, a very flexible framework for sharing any kind of data across devices (Opera Unite), and support for new web standards. The next major upgrade for Opera has not been announced, though Opera 10.6 will further increase speed and stability.

3. Firefox 3.6.4

Firefox continues to be the most customizable browser, thanks to its vast library of add-ons. It continues to work well on Windows (2000 and later), Mac (10.4 and later), and Linux. Its memory efficient design allows multiple tabs to be opened and closed on systems with as little as 512MB RAM. For those who desire or need the highest level of security, nothing beats Firefox used in conjunction with the NoScript add-on.

This flexibility and security is great for the power user who can make Firefox do almost anything. But for the average Joe, there are simpler, alternatives. With no add-ons installed, Opera and Chrome are both faster, more secure, and less cluttered than Firefox. This is not to say Firefox is a bad browser. It is a great browser, which continues to get faster and better with each release. It’s just that lately, Chrome and Opera are even better.

Major Upgrade: “Catching up with Chrome” is the easiest way to describe most improvements to Firefox since the June 2008 release of Firefox 3.0 (private browsing, process isolation, changing themes without restarting, etc.). Firefox 4.0 is scheduled for release by the end of 2010 and promises to close the gap further with greater speed, automatic updates, and a simpler interface. Significant improvements to password management, automated sign-ins, and the ability to sync bookmarks and add ons will also be included.

4. Safari 5

For the last few years, Safari lagged behind Chrome, Opera, and Firefox in terms of speed, security, and flexibility. This just changed. Version 5 (released June 7, 2010) is just as fast as Chrome, and finally offers a framework for extensions. It is not yet clear whether Safari is more secure, but Apple’s approval system for extensions will reduce the chance of security issues arising from rogue extensions.

Though Safari still lacks Full Screen mode, a press of its built-in “reader” button transforms cluttered web pages into an easy-to-read format (similar to the “readability” bookmarklet I describe here). The reader button currently works more slowly and on fewer sites than “readability.”

As the browser bundled with all new Mac systems, Safari 5 will likely be good enough for most users. The pretty interface blends in well with the overall look and feel of a Mac. However, some may prefer Chrome or Opera to reduce distractions (such as cover flow) even further. Others may prefer the flexibility of Firefox with its massive extensions library.

Major Upgrade: Version 5 was just released for both Windows (XP, Vista, 7) and Mac (10.5.8, 10.6.2, and 10.6.3), and is described above. Expect to see a number of officially sanctioned extensions by August 2010. Apple has not discussed what it has in mind for version 6.

A version of Safari is available for the Apple’s iPad which was released in April. Early adopters are nearly unanimous in their praise for how fast and easy this version of Safari is to use, though it doesn’t work on all web sites due to lack of Flash support.

5. Internet Explorer 8 (IE8)

IE8 is a good browser, and it is vastly better than its slower and dangerously insecure predecessors. But it is ranked last because it is slower, less flexible, and less standards compliant than the competition. And it is also slower to improve. Slices, accelerators, and site suggestions seemed like promising new features to help access information like maps or definitions with fewer clicks and keystrokes—but they don’t seem to have caught on in a big way.

IE8 works on Windows desktop versions XP, Vista and 7, and Windows Server versions 2003 and 2008. Despite the fact that Windows XP currently has over 62% market share, IE9 will not be available for Windows XP.

All Windows users have to use some version of Internet Explorer at least occasionally for Windows updates, Netflix streaming or some other IE-only sites. It is the only browser at many workplaces and comes bundled on all Windows systems outside of Europe. For many of these people, IE8 will be good enough. However, given the greater speed and flexibility of the competition, Window users who have a choice will generally be better off with Chrome, Opera, or Firefox.

Major Upgrade: A beta version of Internet Explorer 9 (IE9) will be released for testing this summer. It is expected to be generally faster, more secure, and more standards compliant. Graphics-intensive sites will run many times faster thanks to support for hardware acceleration. IE9 will run on Vista and 7, but not Windows XP.

Conclusions – And Why I Switched to Chrome

Firefox has been my primary browser since 2003. Last year, I began to regularly use web apps like Gmail, Evernote, and Wordpress on a wide screen. The Firefox interface worked well for browsing, but not so well for writing and working. I tried to simplify the Firefox interface with extensions like Tree Style Tab, Tab Mix Plus, and Personal Menu. But once RoboForm’s extension was released for Chrome, I capitulated. I switched to Chrome in April 2010 and haven’t looked back.

The best thing about Chrome is you don’t even have to use it to get many of its benefits. Thanks to the increased competition, you just need to keep regularly upgrading your browser to see big speed, security, and stability improvements, along with an ever less cluttered interface. Your browser may not be as good as the latest version of Chrome, but it may be good enough.

What should you do if you are a Skyrock user? What should you do if you are not a Skyrock user?

Skyrock is a leading social network site and blogging platform in France, Belgium and Switzerland and the seventh largest social network in the world. The number of accounts that were potentially compromised have been variously reported between 30 million and 38.5 million.

Social networks with advanced blogging platforms such as Skyrock are a prime target, because successful attackers can steal your identity, install malware on your account, trick your friends into installing malware, and/or break into any other account you own that uses the same password.

If You are NOT a Skyrock User

If you don’t use Skyrock, you should be concerned. Any Skyrock blog you visit could potentially inject malware into your browser. I discuss defenses for browser-based attacks here. Expect an increase in the amount of e-mails or facebook messages from friends asking you to click a link, watch a video, install something, or send money. If you receive such a message, be very cautious. Verify it is really coming from your friend before taking any suggested action.

If You ARE a Skyrock User

If you are a Skyrock user change your password (mot de passe) immediately. Also change your passwords on all other services for which you were using the same password. If you don’t, there is a good chance that all of your accounts will be taken over that use this password, using the method I describe here.

If you have a different password for each of your accounts, the damage from this attack will be minimal. Simply change your Skyrock password and you’re done.

A Better Way to Manage Your Passwords

Most people use the same password for multiple accounts, because it is hard to remember more than a few passwords. This is not a good idea, as many Skyrock users are about to find out.

Earlier this month, I described an easy way to keep track of a different password for each account, here. Use a password manager to assign unique passwords at least 15 random characters long for all accounts, protecting them all with a strong master password. Sounds hard, but it is actually easy to do, and you save yourself time in the long run.

FilterJoe is not a news reporting site so posts of this type will be rare. I made an exception for SkyRock because it is such a large security breach, U.S. reporting of it has been scarce, and password security has been a recent focus on this site. If a few people improve the way they manage passwords as a result of reading this post, then the exception will have been worth it.

Like personal security, password management is something most people don’t think much about until after something bad happens. Unfortunately, the Internet is not secure. Just as you need to be “street wise” when venturing onto streets, you need to be “net wise” – especially with passwords – when venturing onto the Internet. Because, like it or not, your passwords are currently the main barrier between you and the bad guys.

Most password management advice seems designed to torture you as opposed to help you. For the average Joe with average security needs, password management advice needs to be simple and usable, not just secure. Luckily, there is a reasonably secure form of password management that is simple and usable. That is the subject of this post.

The Four Steps to Simple, Usable, and Secure Password Management

• Choose a password manager.
• Setup unique, random 15 character passwords for every online account. Sounds hard, but most password managers make this easy to do.
• Protect these passwords with a master password that is strong and memorable.
• Use your password manager by typing in your master password each time you start your computer work.  Then use a single click to log in to each account, as needed.

This is all you need to do.

This is not the usual advice you’ll find in formal and informal blogs across the internet, and it will not perfectly secure you against all possible forms of password theft. It is, however, the best blend of security and ease-of-use I’ve been able to come up with after considerable research and thought about the subject.

If you follow the four steps above, you’ll be much safer than the average netizen – comparable to having a home protected by locks, burglar alarms, smoke detectors, and sprinklers as opposed to just a front door lock with a spare key underneath the mat. You will not only protect yourself from the most common threats, but you will also save yourself a lot of time over the long run thanks to automatic logins and form filling.

Read through the entire series to learn why you should take the time to do this, the best way to go about doing it, what security advice you should ignore, and most importantly to become as “net wise” as you are “street wise.”

The complete list of posts:

Contents

• Password Management for the Average Joe (this post)
• Use a Password Manager to Assign Unique, Random 15 Character Passwords for all Accounts, Protecting them with a Strong Master Password
• Which Password Manager?
• Tips for Wise Use of Password Managers – Including Master Password Selection
• Bad or Useless Advice about Password Management
• A Base Phrase Approach to Password Management (forthcoming)
• How Attackers Steal Passwords
• The Usual Way to Manage Passwords and How Attackers Exploit It
• Definitions for Common Password Security Terms

Disclaimers

1)  Passwords are just one form of necessary security. PCs with out-of-date browsers, security software, and/or operating system software frequently get infected with malware. Perfect password security doesn’t matter if malware observes everything you do on your computer.

2)  I have not been paid to create this series of articles, and will receive no payments if you click on any links. The only free product accepted as part of writing this series of articles was 1Password for my wife to test on her iMac. I wrote this comprehensive guide because I have developed a passion for the subject over the past year and felt that someone needed to pull all these password-related concepts together into one helpful reference guide. I welcome specific feedback so that I can improve upon this series of posts on passwords, with the hope that helping people to become more “net wise” will help reduce password theft.

Most thieves are not highly skilled, and even thieves with greater skill prefer easier targets. So locking doors will discourage many thieves, and a big, barking dog will discourage even more.

The same is true with hackers – most are not highly skilled and even those who are prefer easy targets. If you are a typical consumer without data of great value to criminals, then using a password manager as I describe here can act as the equivalent of a locked door combined with a barking dog, an alarm system, and a sprinkler system – which will keep out all but the most highly skilled and determined hackers.

Unfortunately, the way most people manage their passwords can be easily exploited by automated malware or as part of larger attacks that harvest thousands of passwords. Even more unfortunately, the vast majority of advice about password management is either misguided or too complicated. In this post I explain why I believe using a Password Manager (to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password) strikes the best balance of usability and security for the average Joe.

The title of this post sums up the password management approach that I believe provides the most benefit for the least effort. In the rest of this post, I explain why.

Why Use a Password Manager?

It is entirely possible to manage passwords well without a password manager, using a base phrase approach. The problem is, few people do it. And for good reason.

With a password manager, it is very easy to manage hundreds of accounts, each with unique, long, randomly generated passwords. The user simply enters a master password at the beginning of each computer session, and all subsequent passwords are entered with a single click or keystroke. With most password managers, you can also have your address and credit card information filled in automatically when setting up new accounts or making one-time purchases.

It takes several hours to set up a password manager for the first time and change your collection of passwords to stronger ones. But in the long run, you actually save time and attention as you will no longer have to manually enter passwords or fill forms many times per day. You also reduce the chance you’ll ever have to spend time recovering a hijacked account.

Why Should Every Account Have a Unique Password?

By far the most important advice in this series of posts is to never use the same password for more than one account. There are numerous ways attackers can capture a password. If you use the Internet in a typical way, chances are high that one of your passwords will get captured, perhaps once every 2 or 3 years. It can happen to anyone, even tech savvy, security conscious people like Amit Agarwal or Cory Doctorow. Once an attacker has your password for one account, the attacker has the password for all accounts which use this same password.

But it is often worse. If you used this same password for an e-mail account, even an old, abandoned e-mail account, it is possible to use information contained in old e-mails to break into most or all of your accounts. It is by this means that several high profile break-ins have occurred to corporate networks over the past year, including the well publicized Twitter break-in.

None of this is an issue if you have a unique password for every account. While it will not protect you from getting the occasional password stolen, it will limit the damage to just that one account.

Why do Passwords Need to be 15 or More Characters Long?

Most people don’t realize that user names and passwords routinely get stolen while your computer is off and disconnected from the internet. How? Web sites with many users and weak security are prime targets for attackers who want to steal a password file which lists all user names and passwords. While most sites do not store passwords as clear text, many sites store passwords in a form that can be read using widely available rainbow table software. For people who use the same password on many sites, the theft of this password on one site can be the starting point for an attack on all of your accounts.

You may not care about all the technical details, but the bottom line is that it is very difficult to crack a password that is 15 or more randomly generated characters, either by brute force or using rainbow tables on captured passwords files.

An additional benefit of using randomly generated passwords that are so long, is that passwords composed of just lowercase letters are plenty strong. For passwords that you need to enter into a cell phone manually, 15 random lowercase letters are easier to enter than something like r5!9f#X.

Why do Passwords Need to be Randomly Generated?

Humans are notoriously poor at generating randomness, in passwords or anything else. It is actually possible to devise memorable passwords which are also very strong. It is something you will need to do once, for your master password, and it will probably take at least a few minutes to come up with a really great password. But there is no need for you to remember any of your other passwords when your password manager remembers them all.

While a computer may have difficultly generating random character strings that would satisfy the stringent standards of a mathematician or cryptographer, in actual practice the passwords generated by password management software will not be the weak link in your password security.  Attackers have many easier ways to steal passwords.

The way password cracking software works is to test passwords from dictionaries, proper names, and lists of common passwords. The software may also try minor variations of all of these common words such as adding or inserting an extra digit – since that is how many people construct passwords. If that doesn’t work, then it will try every possible combination of characters up to a certain length – perhaps 8 or 9 characters.

The random password generators included with the more popular password managers will generate passwords that aren’t on any of these lists, and will not construct passwords the way a human would. Combined with 15 character length, and the resulting password is nearly uncrackable by brute force methods.

Why do Passwords Need to be Guarded by a Strong Master Password?

The most common criticism of password managers is that it has access to all of your passwords. In the event that someone gets access to your password manager, they have access to all of your passwords. And this is true.

This criticism scares away many people from using password managers, and many of these people will continue to use the same 2 or 3 weak passwords for all accounts.

The fact of the matter is, it’s not so easy for an attacker to get access to passwords when they are protected by a strong master password. It is theoretically possible for key logging software or hardware to capture the master password or for flaws in the operating system, browser, or password manager to be exploited. But if master passwords were frequently captured, there would be reports of it. I looked but was not able to find any such reports. I was also told by Simon Davis of Siber Systems (makers of RoboForm) that his company has never received a report of someone’s master password being compromised by a keystroke logger. For those working in an environment where keystroke logging might be an issue, Roboform and some other password managers offer an on-screen keyboard option which can not be recorded by keystroke logging software.

Nevertheless, if you use password management software to store all of your passwords, you do need to recognize that all of your passwords are collected in one spot. The way you can protect this collection is to choose a very strong master password, which applies to all of your accounts. I explain master password selection and other password management tips here.

If you’re already using and liking a password manager not mentioned in this post, by all means keep using it so long as it offers master password protection in combination with strong encryption. While most password managers offer password import and export functions, the actual practice of switching password managers and learning a new one is cumbersome.

However, if you’re selecting a password manager for the first time or dissatisfied with your current password manager, you may as well benefit from my efforts to identify the best password managers for individuals. My efforts included extensive use of two password managers and poring through hundreds of reviews, forums, and comments about many others.

Below I describe four password managers with an outstanding combination of features, low cost, ease of use, and well-deserved popularity.

What to look for in a Password Manager

• Security must be a given (master password, AES).
• It should be as easy as possible to get started using the password manager, without sacrificing security.
• It must be easy to securely auto-fill user name and passwords in the more popular browsers.
• It must be easy to capture new login information and associate with one specific site.
• Passwords should be synced and easily available on all the desktop and mobile platforms you use. Keeping your passwords on your phone is more secure than carrying around a printed listing of your passwords, so long as it is protected by a master password.

There are also a few optional features that you may want, such as automatic form filling, secure notes, multiple identities, easy import/export, password generation, USB key support, and additional security features such as virtual keyboards, two-factor authentication, and one-time passwords.

Weaknesses Shared by all Password Managers

So far as I have been able to determine, all password managers will let you choose as weak a master password as you like, some without any warning. Most password managers allow some or all passwords to not be protected by a master password. Furthermore, many password managers ask users to make decisions during setup (or offer options) that require significant knowledge of password security.

By allowing this flexibility, users can be exposed to more danger than if they weren’t using a password manager at all – because all of these unprotected or lightly protected passwords are assembled in one electronic location.

Simon Davis of RoboForm-maker Siber Systems says that users of RoboForm fall into two categories: those who seek convenience and those who seek security. His experience has been that convenience users outnumber security conscious users. Some people do not protect any data with a master password.

I suspect that most users seeking convenience would use a strong master password to protect all passwords if they understood the risks involved of not doing so. I started out as a RoboForm convenience user but changed my habits to a secure user after educating myself about the risks of unprotected passwords.

It is possible to imagine password manager software which does a better job of both warning and educating users about unsafe password practices. It is also possible to imagine a setup process for password managers that asked the user a simple question at the beginning of setup: Do you want to optimize for security, convenience, or half-way in between? At the very least, I would like to see improved, cooperative efforts by the security industry to promote safe password practices.

Best Cloud-Based Password Manager: Lastpass

Cloud Computing is the use of web services to create, edit, and store data on servers located elsewhere. A number of cloud-based password services have launched in the past few years. These password services make it easy for you to access your passwords from any desktop or mobile browser. While many people feel instinctively more comfortable storing sensitive information on their own hard drive rather then some far off server, the developers of such sites explain that they don’t store your master password. It is impossible to view the encrypted passwords stored on their servers without the master password, even for employees of the online password service.

If you’re comfortable with your passwords being encrypted and stored in the cloud, you’ll find that your passwords are easily available and synced across all platforms using browser bookmarklets, plugins, or extensions. For people who use multiple operating systems, browsers, and mobile devices on a daily basis, a cloud-based solution is far more convenient than the desktop-based competition, which is generally compatible with fewer systems. Assuming proper security, the only disadvantage is that the service can be partially or fully disrupted when the server storing the passwords goes down.

LastPass is one such cloud-based password service. Though I have not personally tested LastPass, an examination of reviews, forums and the LastPass web site suggests that users are overwhelmingly satisfied with LastPass. This service is the only password manager system for consumers I’ve come across that includes every optional feature offered by any of its competitors. The “one-time passwords” feature provides a secure means to access passwords from public WiFi. The potential disruption caused by temporary server failure can be mitigated by local password caching for those who use a plug-in for Firefox or Internet Explorer. LastPass maintains an extensive and well organized web site and forums.

LastPass is a free service with basic functionality comparable with RoboForm or 1Password, yet available on a wider variety of platforms. For $12/year, LastPass offers mobile clients, two factor authentication, and emergency phone support. And most people who have tested multiple password managers claim that LastPass is one of the easiest to use.

You can learn more from these two reviews:

LastPass Review by PC Magazine

LastPass Review by Tech Herald

And from the LastPass web site:

LastPass.com

Best Windows Password Manager: RoboForm

For those people who use their passwords primarily on their Windows systems, RoboForm offers fully featured password management and automatic form filling software for a reasonable one-time cost ($29.95 for the first system, $9.95 for subsequent licenses). An online version of RoboForm with fewer features is available for free. For years, RoboForm received top accolades from PC magazine and other publications, though in recent times the competition has greatly improved.

For those who prefer to store their passwords on their own system, RoboForm remains the best option for Windows. I have used RoboForm for over 5 years and have no plans to switch. Dropbox keeps my 3 Windows systems’ passwords in sync and will soon be able keep my Blackberry synced as well.

While RoboForm has its roots as Windows software, it has versions for most major mobile platforms ranging from the Blackberry (nonsyncing, basic password storage that can be used via copy/paste) to the iPhone (includes sync and 1 click logins). Using an optional, free RoboForm Online service in conjunction with the RoboForm Bookmarklet allows RoboForm to autofill logins on unsupported browsers (Chrome, Opera, and Safari) or unsupported operating systems (OS X, Linux). RoboForm extensions for Firefox and Chrome used in conjunction with Roboform Online means that RoboForm can be accessed from either of these two browsers on any operating system.

RoboForm is very flexible – perhaps too flexible – as it allows users many options to reduce security. For example, the security settings can be set so that 5 hours after you close your browser, log out, and put your computer to sleep, someone could waken the computer, log in to the guest account, and start logging in to all your web sites. RoboForm is not set up this way by default, but why even allow the possibility of such an insecure setup?

Once you do set up RoboForm securely, it has all the required and most of the optional features one would want in a password manager. Its superior handling of a wide variety of web site styles for automatic form filling and login field detection makes it very easy to use, and a big time saver. Additional nice touches include tracking password changes, an optional feature to gracefully handle new account setup, and a customizable tool bar.

Version 7 of RoboForm (currently in Beta) will improve the user interface, add fingerprint reader support, and extend functionality beyond browsers into most other windows programs that require passwords. Also under development is a Mac OS X client, a Google Chrome plug-in (that does not require the use of RoboForm Online), an Android client, and improved versions of the existing mobile clients.

You can learn more from this review:

RoboForm Review by Tech Herald

And a video demonstration of RoboForm that is helpful for those totally new to password managers:

RoboForm Demonstration Video

And the RoboForm web site:

RoboForm.com

Best Max OS X Password Manager: 1Password

1Password is by far the most tightly integrated password manager for Apple’s computers, iPads, iPhones, and iPod touches. It looks, feels, and acts as if were a part of the Mac OS, while also including most of the features found in other great password managers. It is therefore the obvious choice for people who use only Apple devices. It costs $39.95 for the Mac version, and $14.99 for a mobile version which works on the iPad, iPhone, and iPod touch. Less expensive mobile versions are also available that have fewer features and work on fewer devices.

Like all password managers, setting up 1Password requires some learning. Trying to determine which versions of 1Password work on which operating systems for Macs and iPhones is mildly confusing, as is certain choices during setup.

But once set up, logins are fast and integration with Firefox and Safari is seamless. When you change passwords, 1Password prompts you to replace the prior password so you don’t have to do it manually. The product is very well supported, including an extensive web site with forums. Agile Solutions is always very quick to make versions of 1Password available for any new Apple product or operating system (most recently, the iPad).

My wife Karin tested 1Password 2.9.x over the past year with her iMac (Mac OS 10.4.11). Prior to 1Password, Karin had never used a password manager. While Karin expressed reservations both prior to getting 1Password and during the first two weeks of use, it has since become second nature and she has become a fan of the password manager concept in general. So much so, that she recently purchased the 1Password iPod touch version.

Version 3.x was released in November of 2009 and requires Mac OS X 10.5 or higher. It has a number of helpful new features, including an option to make your passwords available to other operating systems and mobile devices, software license management, greater mobile syncing flexibility, and password storage for applications and other services that aren’t used in a browser.  Setup has also been simplified as the user is no longer required to make a decision about how to store passwords—the Agile keychain is now the only choice.

A 1Password client for Windows is under development.

You can learn more from these reviews:

1Password Review by SmokingApples

1Password Review by TechnoBuffalo

And the 1Password web site:

1Password

Best free password manager: KeePass

KeePass is a free, open source password manager first released in 2003. It now has versions available for Windows, Mac OS X, Linux, and a number of mobile devices. An advantage of open sourced software is that it is open to scrutiny, which greatly increases the chances that it will be secure and free of bugs, as compared with its proprietary counterparts. This is especially advantageous for security software such as a password manager which requires a user to entrust sensitive data to a third party.

KeePass is a fully featured password manager that includes random password generation, support for desktop application passwords, and additional security features such as two-factor authentication. Various plug-ins provide additional functionality.

However, using KeePass requires a certain amount of computer sophistication and tinkering. The lack of browser integration requires the use of global, auto-login keyboard shortcuts (auto-type), which works on some sites but requires tinkering to get working on others. The commercial password managers discussed above all take care of automatic logins more gracefully and have superior user interfaces. Therefore, KeePass may not be appropriate for the average Joe, but any article about the best password managers should mention KeePass given its zero cost, its open source scrutiny, and its popularity among more sophisticated computer users. Among the tech savvy lifehacker crowd, KeePass is most popular, though the others mentioned in this post are also popular.

Here is a review of KeePass:

KeePass review by Tech Herald

And the KeePass web site:

KeePass

Honorable mention goes to Password Safe (also free and open source), which is associated with cryptography expert Bruce Schneider. It is much simpler than the other password managers mentioned in this post, requiring passwords to be cut and pasted when needed. For those who prefer free, simple tools, it may be the software of choice.

Password Safe

Built-in Browser Password Managers

Many people use password managers that come built-in to their browser or security suite. There are several reasons not to do this:

• Passwords are not shared everywhere you use them (though Xmarks can partially solve this issue)
• Browser password security is sometimes inferior or buggy as compared with stand-alone products, as it is not the main focus
• Several stand-alone password managers have superior user interfaces and flexibility, making single click logins, form filling, and other common functions a breeze

That being said, for users who log on to accounts using only a single browser on a single computer which nobody else shares, a browser’s built-in password manager protected by a master password would be sufficient. Firefox users should be aware of Sxipper, an extension which adds significant functionality such as single click login, automatic form filling, and multiple personas.

So Which One is Best?

The 4 password managers profiled above are all very good and always improving. If forced to choose which is best for the most users, I’d go with LastPass, because you won’t need to switch to another password manager when changing browsers, operating systems, or mobile devices. Developers for RoboForm, 1Password, and KeePass devote considerable effort to making passwords synced and available on a wide variety of platforms, but the cloud-based roots of LastPass means it will usually be the first to support any new browser or operating system.

For those who prefer desktop software over cloud-based solutions, a great choice is RoboForm for Windows users and 1Password for Mac users. KeePass is a good choice for tech savvy users who would rather tinker than pay, and who prefer to place their trust in open source code that has been closely examined by many developers. KeePass works equally well on Windows, Macs, and Linux systems.

But I can’t say it too many times – more important than which you choose is how you use it. Use unique passwords at least 15 random characters long for all accounts, protecting them all with a strong master password – and your chance of getting multiple accounts compromised will be minimal. And that is something you can do with almost any password manager.

Disclaimers

1)  Passwords are just one form of necessary security. PCs with out-of-date browsers, security software, and/or operating system software frequently get infected with malware. Perfect password security doesn’t matter if malware observes everything you do on your computer.

2)  I have not been paid to create this series of articles or recommend these products, and will receive no payments if you click on any links or buy one of the reviewed password managers. The only free product accepted as part of writing this series of articles was 1Password 2.9.x for my wife to test on her iMac. I wrote this comprehensive guide because I have developed a passion for the subject over the past year and felt that someone needed to pull all these password-related concepts together into one helpful reference guide. I welcome specific feedback so that I can improve upon this series of posts on passwords, with the hope that helping people to become more “net wise” will help reduce password theft.

Tips for Standard Use of a Password Manager

15 Character Passwords

For each account, use your password manager’s random password generator to generate passwords that are 15 or more characters long, and make sure your password manager stores it. Usually you will want to generate passwords that include upper case, lower case, numbers and special characters to increase password strength. But for passwords that you sometimes enter manually into cell phones or other devices without full-sized physical keyboards, you can generate 15 random lowercase letters. 15 random character passwords are very strong even if restricted to lower case letters.

Unique Passwords

Do not reuse passwords for more than one account. This is especially important for all financial, e-mail and social networking services. I could provide you with a list of reasonable exceptions to this rule, but why bother? Your password manager remembers and enters all your passwords.

Turn on Master Password Protection and Keep it on for All Passwords

All password managers offer a master password to protect your account login data. Always have the master password enabled to protect all current and newly created login data. Most password managers have an option to require new login data be protected by the master password – make sure this option is turned on. Turning off your master password protection is very risky, equivalent to leaving your key chain hanging on the outside front doorknob to your house.

Select a Strong Master Password

Choose your master password wisely and never share it or write it down. It should be at least 15 alphanumeric characters, very hard for anyone to guess, yet very easy for you to remember and enter. Pass phrases containing a mixture of words and numbers work well for this purpose.

Passwords constructed out of obvious personal information (i.e. MySonIs4YearsOld) should be avoided, because password cracking software may try such passwords.  On the other hand, a lie or intentional misspelling (i.e. MySunIs444YearsYoung) is not something password cracking software will have enough time to try, as the number of possible 15+ character lies and misspellings is far greater than the number of true and obvious personal facts.

Following are some weak and strong examples:

Weak:

mybirthdayisJanuary7—guessable as this phrase (or 364 others like it) applies to all people.

antidisestablishmentarianism—long but terrible because it is in the English dictionary. A phrase should have at least three words and 1 number.

4scoreand7yearsago—easily guessable as it is the start of a very famous speech by Abraham Lincoln, and is likely to be in some password cracking programs.

Strong (but don’t use these specific phrases, obviously):

FredAusterlitzwasbornMay101899inOmaha—though in some ways similar to above birthday password it is much stronger because it is longer, unrelated to your life, and it’s not even clear who it refers to, even though it’s easy to remember for fans of Fred Astaire. If it takes you a long time to type out this 37 character password then go with something shorter and with fewer capital letters – you don’t want a password that is really annoying to enter, as you may then be very tempted to abandon a strong master password.

Ireland1871Wales1920disestablished—though inspired by the Wikipedia entry for antidisestablishmentarianism, this is much stronger because it has three separate words divided by 2 numbers.

AIisnolongerthe76ersAnswer—obscure, yet an easy phrase to remember for a 76ers fan who knows that Allen Iverson, nicknamed “The Answer,” no longer plays for the 76ers.

Fred’sPorsche911Turbo–If a minor acquaintance of yours owns a Porsche 911 Turbo, this is a good  password: 19 characters, fairly easy to type, very easy for you to remember, but too obscure for someone else to guess.  If Fred is your husband, though, this is a less good password, because the password contains obvious personal information, which is something password cracking software might try.

And here are a few more examples of strong but memorable passwords from the book Perfect Passwords by Mark Burnett:

• 2+2+3 isn’t five
• staying “interconnected”
• (999) dog-walk
• 1-900-go-NUTS
• 43 O’Clock is late
• Dr.Seuss@greeneggs.com

The examples I provided are long and will take 5-30 seconds to enter, depending on how fast you type. But you’ll only need to type the master password at the beginning of each computer session.  This is minor overhead in return for an enormous security benefit.

Expire Your Master Password

After you first enter your master password, you can then log in to online accounts (with a single click each) for the rest of your work session. However, you want your master password to expire as part of your natural work flow—you don’t want someone to walk up to your desk and start logging into your various accounts. Go to your password manager’s security settings to make sure that the master password will logout automatically when you close the browser, put your computer to sleep, go into screen saver mode, and/or after a certain number of minutes of inactivity. Most password managers provide options to customize these sorts of settings to suit your own circumstances.

Open Web Sites Directly From Your Password Manager

Security expert Robert Chapin has criticized password management software for making it too easy for users to automatically login to a fake web site, which then steals the user name and password entered by a password manager. To thwart this technique and save yourself a click, you should only log in by using your password manager to open password-protected web sites directly. Simply select the web site from within your password manager, and you will be taken to the web site and automatically logged in.

Some password managers have an option to automatically log you in if you just happen to visit a site whose name is the same or similar to the one stored by the password manager. Do not enable this feature. You don’t want to automatically be logged into a fake site.

Test Memorized Passwords After Opening a New Account

Password managers can be awkward to use when you open a new account. They will memorize login information for the account registration screen but then might not work for the regular login screen. The best way I’ve found to deal with this is to NOT have your password manager record the password when setting up a new account. Keep the username and password somewhere temporarily. Logout of the new account immediately after setup. Then log back in using the regular login screen and have the password manager record your information as usual. RoboForm has a new account feature to make this whole process easier but it doesn’t get it right for every site, so even with RoboForm you should still test the recorded information by logging back in right away.

Test Changed Passwords

Some password managers don’t deal very gracefully when changing passwords on an existing account (though both 1Password and RoboForm usually get this right). As with new accounts, after changing an account password be sure to temporarily record the new password, then log out and log back in with the new password to make sure the new password was properly recorded.

Backup Your Passwords

You must back up, sync, or print out password files regularly. If you lose your password data due to hardware failure, loss, or theft, or any other reason, then you’ve lost all your passwords and you will only be able to get them back from any backups you’ve made. If you already have a backup system in place, be sure that your password files are part of the backup set. A reasonable low tech solution is to print out your passwords and store them in a safe and hidden off-site location.

For those who regularly use multiple computers, having access to your passwords on every computer can be very handy. “Sync” solutions can do this while simultaneously taking care of backup as well. Web-based password managers such as LastPass do this automatically. Some desktop based password managers offer syncing via an online service or via proprietary syncing software (RoboForm offers both). Yet another option is to use a sync service like Dropbox to sync data among multiple computers.

Any of these options can work. Just make sure these backups are done automatically, or at least frequently. Apart from your master password, you may not actually know any of your passwords, including the new one you just created last week . . .

Use AES

Some password managers offer a choice of encryption algorithms. Be sure that AES is selected (AES 128, 196, and 256 are all fine). This algorithm has withstood extensive scrutiny and as of 2010, breaking AES encryption without the key is so difficult that it is rare for an attacker to even try. AES is the default encryption used by these four password managers.

Tips for Extra Password Security

Everything in the previous section should be considered standard password security procedures. The next few steps are for those who want to be even more secure, but the incremental extra security comes with a significant hit to convenience and usability. So you’ll have to be your own judge as to how much of this is necessary.

Empty the Clipboard

If you use your computers clipboard to store passwords temporarily (for example, when setting up a new account or changing passwords), be sure the clipboard is emptied. Some other passwords managers have an option to empty the clipboard automatically upon logoff or a few minutes of inactivity. Enable these options.

Purge the Newly Generated Password

Similarly, a newly generated password is temporarily held in memory. Some password managers have an option to purge this password upon logoff or a few minutes of inactivity. Enable these options.

Enter the Master Password Using a Virtual Keyboard

Keystroke loggers can and do get installed on some systems, and you won’t know they are present. You can thwart most keystroke loggers by entering your master password using your password manager’s virtual keyboard, and only when all browsers are closed. While the chance of your master password being recorded by malware is small, it is even smaller if you follow these steps.

Use Two-Factor Authentication

Two-factor authentication (an option available for KeePass and LastPass) is an even stronger way to thwart keystroke loggers. With two-factor authentication, you will need both a master password (something you know), and an additional factor such as a USB stick or fingerprint reader (something you have) in order to access your passwords. Current implementations of two-factor authentication are somewhat cumbersome to set up and require you to carry something extra in your pocket. Perhaps some day it will be easier to set up and will use something you always carry anyway such as your cell phone.

Store Passwords on a USB device

Some password management software offers an option to store passwords and the software on a USB flash storage device. When the USB device is in physical possession of the owner and not inserted into a computer, it is impossible to steal the passwords. If you choose to follow such an approach, you still want your passwords backed up so that you don’t lose everything if the USB device is lost or destroyed.

Store Encrypted Notes

Most password managers have a feature that allows users to save encrypted notes, protected as usual by the master password. Use this for bits of private information that are not online accounts, such as the username and password to your router, logins to your Windows account, your burglar alarm code, etc.

Periodically Change Your Password

Many claim this is necessary. However, if you use long passwords (15+), never share them, and are a typical home user with average security needs, then the answer is no. The time to change your password is right after you temporarily share it, if it is short, if it is weak, if it is used for more than one account, or if you have even the slightest suspicion that the password has been captured. In fact, an argument can be made that a policy of changing passwords frequently weakens password security, because this cumbersome requirement will cause people to simplify their password management. Common, unsafe tactics people use when faced with periodic password change include:

• Write down the password, perhaps on a sticky note posted near the screen
• Use the same password for multiple accounts
• Use short passwords
• Change the password by 1 character each time

Do Not Use Password Management Software

This advice is often part of a long list of security precautions. The reason cited, if a reason is given at all, is that an attacker who steals your master password through keystroke logging or some other means will have access to all of your passwords. While this is certainly possible, try searching for instances of this happening to average consumers using one of the 4 password managers I profiled here. You won’t find any. If anyone can cite an actual example, please let me know in the comments and I’ll update this post.

Two-factor authentication can at least partially address this concern by adding an extra layer of security, which makes it much more difficult for an attacker to gain access to the master password. LastPass and KeePass are two consumer-grade password managers that provide this capability.

There is actually a legitimate concern around password managers which I rarely see discussed: They can easily be used insecurely. Many people use password managers without a master password, especially if using password managers built into a browser. The passwords are then stored in clear text that can be scanned by malware. And, as I detail here, several steps are required to insure that a password manager is being used in a secure manner. However, if used correctly, password management software can greatly reduce the possibility of password theft for the average Joe. Hopefully the various posts in this series can help make that happen.

Strong Passwords Require a Mix of Numbers, Special Characters, and Both Lower and Upper Case Letters

This is not true. Length and randomness of password are far more important than the mix of characters. If there are certain accounts you need to input manually on a device without a keyboard (i.e. cell phone), you may as well use passwords composed of 15 lowercase letters, which will be much easier to type.

A random jumble of 15 lower case letters, if it is protected by a typical, strong encryption algorithm such as AES, is for all practical purposes uncrackable. I have seen many advice articles that are against the use of password managers, yet insist on passwords that include a random jumble of alphanumeric and special characters. These difficult-to-remember passwords cause people to circumvent security by doing things like posting sticky notes on their monitors with the password or using the same password for every account.

The following Mandylion spreadsheet is a terrific tool for showing you how long it would take to crack randomly generated passwords by brute force:

Brute Force Attack Time Estimator by Mandylion Labs

Plug in a purely random combination of 7 Alpha/Numeric/Special characters and you’ll see that it would take less than 79 days for an average computer to crack the password. This is far stronger than a password composed of 7 random lowercase letters (less than 15 minutest to crack), but is much weaker than a password composed of 15 random lowercase letters (over 5 million years to crack). And, as I have mentioned here, your passwords stored on web sites in encrypted form are often susceptible to rainbow attacks which can easily obtain all passwords that are less than 9 characters, and in some instances even passwords that are 14 characters long. This is why 15 character passwords make sense.

Wikipedia has a nice chart showing you password strength based on length and character types. You can see that a 64 bit-strength password is very strong and can be had with 14 lowercase letters or with 10 Alpha/Numeric/Special characters.

Simply put, password length is much more important than mixing in numbers, special characters, or capital letters.

Unfortunately, some web sites (especially banks) limit password length to less than 15, so for these sites you’ll need to use special characters and numbers to make up for the lack of length.

For users of password management software, it is no harder to automatically log in using passwords composed of a mix of special characters. So for passwords that you will never enter on cell phones, you may as well use the special characters. Some computer services do a poor job of encrypting data or use a weaker form of encryption than AES – in these cases the more diverse mix of characters may help resist some forms of attack.

Final Comments

The reason people use such terrible passwords is because manually having to manage strong passwords is hard. Periodically changing passwords or using passwords like ;iq3*;@%t will be a nuisance for the typical person, and likely circumvented.

Store unique 15-character passwords for all accounts with your password manager, protecting them all with a strong master password – and the chance of getting multiple accounts compromised will be much lower than that of the average user. Use the auto-fill features of your password manager and you’ll actually save time in the long run despite the better security.

It is better to have pretty good security that is easy for all, rather than perfect security that is never truly implemented because it is too onerous for the average Joe.

#1:  You Hand it Over Voluntarily

People frequently hand over their passwords via phishing, other forms of social engineering, or when a person or entity asks for temporary use of a password.

Protection: The simplest defense is to NEVER share your password for any account with any person, organization, or web site. An additional good defense is to develop “net smarts” analogous to “street smarts” to avoid phishing scams or other forms of social engineering. If you must temporarily share your password (i.e. to import contacts into Facebook), then change your password immediately after its temporary use is complete.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Immediately change the password of the affected account.

#2:  You Hand it Over Unknowingly

This overlaps with the previous attack. You think you are on the web site you intended but you actually mistyped it by one character, you clicked a bad link to get there, or you were tricked by tabnapping.  So you end up on a fake or spoof web site that looks legitimate. When you log in, it collects your credentials then passes you on to the real site. A variation on this theme is an attack which layers extra fields over a legitimate web site.  You are tricked into typing private personal information such as birthday, mother’s maiden name, social security number, etc. and then this information is used to “recover” your account (see #6 below).

Protection: A good defense against this ploy is to only login to web sites by selecting it from your password manager’s drop down menu (even if the tab was one you thought you opened yourself). This will automatically log you in to the correct site, which the password manager stores. Another type of defense is for your browser to use a security service that warns you when you might be about to open a hazardous web site – but this may slow down browsing.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Immediately change the password of the affected account.

#3:  Mass Theft of Password Files

Most people don’t realize that user names and passwords routinely get stolen while your computer is off and disconnected from the internet. How? Web sites with many users and weak security are prime targets for attackers who want to steal a password file which lists all user names and passwords. Recent examples include Monster.com and RockYou.com. While most sites do not store passwords as clear text, many sites store passwords in a form that can be read using widely available rainbow table software. For people who use the same password on many sites, the theft of this password on one site can be the starting point for an attack on all of your accounts.

Protection: A simple and effective defense for users is to only use long, randomly generated passwords. How long? 15 characters. Rainbow tables easily crack passwords 8 or fewer characters long and in some cases up to 14 characters.

Damage Control: In the unlikely case that a rainbow table attack manages to crack one of your 15 character passwords, at least your damages will be limited to one account if you have a unique password for each account. Change the password of any account that becomes compromised due to mass theft.

#4:  Brute Force

Brute Force refers to discovering passwords through trial and error, similar to trying every possible combination on a lock. The most well known form of brute force attack is for password cracking software to methodically try millions of passwords on one specific user name on a specific account. A typically weak password can be cracked in less than a day using this method.

Security conscious online vendors like banks or e-mail services provide some protection against such brute force attempts by denying access if there are too many attempts per hour. However, different forms of brute force can be used to get around these safeguards. A common example is software which automatically logs in to millions of different accounts per day by combining popular user names, passwords, and web sites (i.e. try password1 at Jsmith@gmail.com, 123456 at dj@facebook.com, qwerty at Mrodriguez@yahoo.com, etc.). As such methods becomes more widely adopted, it would not be surprising if nearly all accounts with short user names and short passwords get compromised.

Brute force is also used as a supplementary attack after a first password is captured. For example, if the password badpassword1 for was captured by phishing, brute force can be used to try similar passwords on other accounts.

Protection: Brute force attacks are highly unlikely to crack very strong passwords. So just use strong passwords. I suggest randomized 15 character jumbles.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Immediately change the password of the affected account.

#5:  Eavesdropping: Keystroke Logger on Your Browser

Many people believe that nothing bad can happen to people who only visit safe, well respected sites. They are wrong. Malicious Javascript can be injected into any browser on any system, visiting any web site. Keystroke logging is something that is done by some of these Javacript injections. In most browsers, malicious Javascript can log keystrokes in all open tabs, until the browser is closed. Usernames and passwords entered during the session can be captured this way.

Protection: Keystroke logging via browser is growing more common but is unfortunately one of the more difficult threats to defend against. Defenses include:

• Use Firefox in conjunction with the NoScript extension. While this is a strong defense, the overall complication of using NoScript (popups, whitelists, blacklists) is more of a hassle than the average Joe wants to deal with.
• Some security suites attempt to defend against this threat with browser plug-ins, but these can dramatically slow down browsing.
• A simpler option is to only access the internet using the Google Chrome browser, which is designed so that malicious Javascript can be theoretically contained to a single tab. At least other tabs will be safe.
• Some password managers such as RoboForm enter passwords and usernames in a way which most Javascript keystroke loggers can not intercept.

None of these suggestions is sure to stop browser-based keystroke loggers, but if you implement one or more of these suggestions you’ll at least reduce your chances of getting your usernames and passwords logged by malicious Javascript. The only perfect defense is to not connect to the internet at all.

Damage Control: Your damages are limited to logins captured while browsing, so long as you have a unique password for each account. Immediately change the password of the affected accounts. If using a browser-based or web-based password manager, you should also change your master password.

#6:  Eavesdropping: Public WiFi Monitoring

Passwords are frequently stolen on public computers and over public WiFi connections, using free WiFi traffic monitoring software that is simple to operate.

Protection: Never log in to online accounts using a public computer. When using open WiFi hot spots, you should only log in with your own notebook with services that enforce secure log-ins and sessions (https). It is far safer to access email and other accounts using your phone data service, if you have one.

Damage Control: If you discover that this type of attack has occurred, then you will need to change the password for all of your accounts as well as your master password. If you know exactly when the attack occurred, you can change passwords only for the accounts you used during that session.

#7:  A Thief “Recovers” Your Account

Many accounts provide an automatic “password recovery” system that allows you to recover your account if you forget your password. But armed with basic personal information, a thief can “recover” your account and effectively take it over. An especially rewarding target is your e-mail account, where the attacker can find out all sorts of things to attack you further, such as user names and passwords that were e-mailed to you when you opened other accounts.

Protection: The best defense against this form of attack is to disable the “password recovery” option for all sensitive accounts. This option is not usually provided, so the next best defense is to supply only obscure or false information to the password reset mechanism for each account – don’t use information like your mother’s maiden name or the name of your pet which can be easily obtained by a thief.

Damage Control: Your damages are limited to one account if you have a unique password for each account. Use the password reset mechanism to get back control of your account. If that doesn’t work, you’ll have to contact customer service for that account. Once you get back control, disable the password recovery option. If this is not possible, change the questions/answers needed to verify your identity to something much more obscure or false.

#8:  Eavesdropping: Keystroke Logger on Your System

Malware that manages to install itself on your system will often be able to log every keystroke and thus capture all of your user name and password information over time.

Protection: The best defense is a combination of typical safe computing practices such as never logging in on a public computer, installing software from trusted sources only, avoiding phishing attacks, only connecting safe devices to your computer, and keeping your operating system, browser, and security software all up to date. Using Mac OS X or Linux is also a way to lower risk, because most malware is written for Windows. Some password managers enter passwords and usernames in a way which most keystroke loggers can not intercept.

Damage Control: If you discover that this type of attack has occurred, then you will need to first regain control of your computer with the help of an expert, or use a different computer that you are sure is safe. Then change the password for all of your accounts as well as your master password.

#9:  Malware Searches Your System

One class of malware searches your computer’s hard drive or memory for passwords that are not encrypted. Testing software provided by RoboForm and other password manager vendors demonstrates how Windows computers yield a surprisingly large number of passwords when searched this way.

Protection: Passwords stored and entered from within a password manager (that are protected by a strong master password) are immune from this type of attack.

Damage Control: If you discover that this type of attack has occurred, then you will need to first regain control of your computer with the help of an expert, or use a different computer that you are sure is safe. Then change the password for all of your accounts as well as your master password.

But What About . . .

The remaining ways passwords can be stolen are all rarely employed against home users. Such methods include looking over your shoulder as you type, exploiting vulnerabilities in password-handling software or the operating system, zero day exploits (taking advantage of a security flaw in software or operating systems before it is patched), hardware keystroke loggers, monitoring Bluetooth keyboard activity, acoustic cryptanalysis, wiretapping, dumpster diving, side-channel attacks, and undoubtedly a few more I haven’t mentioned.

If you are well protected against the more common attacks listed above, you’re already doing better than the vast majority of home computer users and partially protected against some of the unusual threats mentioned in this section. While security professionals working at large organizations need to guard against these possibilities, it is not worth the time, cost, or effort for a typical home user to guard against or even think about these more esoteric attack possibilities.

However, one possibility that worries some potential users of password managers is what happens if the master password is somehow stolen due to keystroke logging or some other means. While this is possible, I have been unable to find a single instance of a home user getting a master password stolen when using one of the best password managers. Why spend time worrying about something that hasn’t yet happened when there are tens of millions of passwords being stolen per year for the more common reasons listed above?

For those home users concerned about master password capture, two-factor authentication can insure that a captured master password is useless. It is available as on option with password managers LastPass and KeePass, but is unfortunately a bit complicated to implement for the average Joe.

And the Winner Is . . .

When it comes to security, there is no such thing as winning – it’s a matter of trying to minimize risk with as little effort as possible. For a home user, the amount of effort must be very small or it won’t happen. Correct use of a password manager takes little effort, yet effectively blocks attacks #2, #3, #4, #7, #8, and #9 above, as well as limiting damage to a single account from most other forms of attack. Combine that with typical security procedures and a reasonable amount of “net wisdom” and you get good results—a minimal amount of effort to greatly reduce the chance that your passwords will get stolen.

In this post, I describe the typical home user system for managing passwords and how attackers exploit this system.

The Usual Way to Manage Passwords

Many home users manage their passwords something like this:

• For accounts that are unimportant (forums, news sites, etc.), the same password is used for all of them. This password is likely to be a short, easily remembered word or name, perhaps followed by a single digit.
• For accounts that are somewhat important (Gmail, Facebook, etc.), this same weak password may be used, or perhaps a moderately stronger password that is a little longer and has one or two digits or symbols thrown in. But again, the same password is used for a number of different sites.
• For accounts that involve finance or commerce (banks, brokerage, e-commerce, etc.), most people are more cautious. Some people use (what they believe to be) a stronger password for all of their finance sites, while others may have a separate strong password for each financial site, keeping track of the passwords with a password protected spreadsheet or on a piece of paper.

It is possible my description is too optimistic, as 33% of participants in a Sophos study indicated that they use the same password for every site. Only 19% indicated using a different password for every site. Two-thirds of respondents to a 2010 Consumer Reports Survey use some variation of the same password or personal identification number for all or most accounts. Bruce Schneier’s analysis of actual passwords indicates that many are weak.

What’s Wrong with the Usual Way to Manage Passwords

The key weakness is the use of the same password for many accounts. There are many ways to capture passwords, and once an attacker has the password to one account, it can be used on all other accounts that use the same password. Even worse, an attacker may be able to get additional passwords if able to get into your e-mail account. In my opinion, email accounts should be protected with even greater diligence than your financial accounts, because they have fewer layers of safeguards and offer attackers many more possibilities.

How Attackers Exploit a Weak Password System

Here is an example to illustrate how typical password management fails:

Your name is John Doe. You use the strong password Fm18bIgaP911.$bIli! for all e-commerce, bank, finance accounts, and paid subscriptions including JohnDoe@chase.com, and JohnDoe@burghound.com. You use the weaker password John123 for all the rest, including your Gmail account JohnDoe@gmail.com.

One day, the user list for superduperfastcars.com gets stolen. You posted 3 messages to superduperfastcars.com 2 years ago but then lost interest and forgot all about it. The attacker uses a rainbow table to decrypt over 70% of the hashed passwords from superduperfastcars.com, including your easily crackable John123 password.

The attacker then uses software to automatically try logging in to Gmail, Yahoo mail, and Hotmail using the user information and passwords obtained. One combination that is tried uses the first and last name of the user and the password obtained: JohnDoe@gmail.com using password John123. This one actually logs in.

Next, the attacker searches Gmail for “password.” Many online services automatically e-mail you a user name and password upon sign up. Sure enough, two passwords are found among a number of such e-mails: John123 and Fm18bIgaP911.$bIli!. The stronger password was in a confirmation e-mail you received from burghound.com upon registering for this paid service several years ago.

Now the attacker has your two passwords and can log in to all of your accounts that were discovered in your Gmail archive. Here are some examples of what the attacker can do with this information:

• Transfer funds out of some of your financial accounts
• Copy your contacts’ e-mail addresses into a spam mailing list.
• Send a message to all of your contacts to ask for emergency money to be wired
• Send a message to all of your contacts discussing a really cool site – just click on this link (and if they do, malware is installed)
• Use the information obtained to try to break in to a corporate network, by testing your password on your work account.

The famous Twitter hack of 2009 had many elements in common with this example. An even simpler attack is to capture e-mail login information when someone is logging in using an open WiFi hotspot.

All it takes to limit the damage from these kinds of attacks is to have a different password for each account. If the Sophos survey is accurate, only 1 in 5 people do this. Most people can not remember more than a few passwords, so any approach to password management must take this into account.

Note that attackers are well aware of common password practices and can take advantage of these practices when trying to steal passwords (either automatically or manually). So if whatever approach you take to password security is unusual, that in and of itself is a good defense. Effective use of a password manager is currently one such approach.

AES – Advanced Encryption Standard is a widely used encryption standard adopted by the U.S. Government in 2001. This terrific cartoon is a great tutorial on the inner workings of AES.

Average Joe – American idiom that means a typical person. FilterJoe aims to help typical people (the average Joe) learn key skills for the information age regardless of computer skill level, gender, ethnicity, or nationality.

Encryption – Encryption is the process of transforming information into a form that is unreadable by anyone except those possessing a key. Information encrypted on computers using AES cannot be read without the key, usually a password.

Keystroke Logger – Keystroke logging or keylogging is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored

Malware – Malicious software designed to infiltrate a computer without an owner’s informed consent. Malware includes computer viruses, works, trojan horses, spyware, rootkits, key loggers, and other malicious and unwanted software.

Master Password - Password Managers typically use a user-selected master password or passphrase to form the key used to encrypt the protected passwords. This master password must be strong, because a compromised master password renders all of the protected passwords vulnerable.How to select a Master Password is discussed here.

Password Manager – Desktop or cloud-based software which stores user names and passwords.Also known as password management software.

Phishing – In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging.

Sync, synch, or syncing – Keep data identical in two or more locations. Short for file synchronization.

Tabnapping - A combination of the words “tab” and “kidnapping” to describe a type of phishing attack. Malicious software secretly changes already open browser tabs, then collects the username and password when entered. For example, a user wants to log in to her Facebook account and sees an open Facebook tab. She clicks on the tab, and seeing that she needs to log in, she types her user name and password. She thought it was a tab she had left open, but it turns out it was a tab that was changed by malicious software, and it collects her username and password as she enters them.

Two-Factor Authentication – Two-factor authentication requires two different “factors” to validate who you are. This can be done using any two of the three “factors” below:

• Something you know: password, birthday, government ID#
• Something you have: bank card, passport, key
• Something you are: finger print, eye, DNA

A popular use of two-factor authentication is withdrawing cash from an ATM, which requires both a card and a PIN number. Some password managers may be set up with two-factor authentication for the master password, requiring both the password and a USB stick.

Virtual Keyboard – An on-screen keyboard that allows a user to enter characters. Virtual keyboards can be used to reduce the risk of keystroke logging. It is more difficult for malware to capture passwords entered from virtual keyboards than it is to capture passwords from real keystrokes.

For a while I decided that you can’t do password security without putting it into the context of all computer security. After learning a bit about computer security, I returned to passwords, because for the average Joe it is often the weakest link in security while actually being the easiest to correct.

It is hard to write well about password security because it’s a complex topic with various trade-offs, such as security versus usability, and complete versus brief explanations. It’s also preferable for people to become more “net wise” as they read through the material, as opposed to memorizing a bunch of rules they don’t understand.

I believe the following series on password management reasonably navigates these constraints, tying together little bits of good advice that is scattered all over the net. It is targeted at home users, but IT professionals may find some of it useful as educational material for users.

I consider the password series a work in process, so I will greatly appreciate any and all suggestions for improvement.

The first and most important post is:

Password Management for the Average Joe

1. Tinker.
2. Read help files or manual.
3. Call the most knowledgeable person or relative you know.
4. Call Tech Support, if available. Wait on hold a long time then talk to someone who may or may not be able to help you.
5. E-mail Tech Support. Hope that the reply comes soon and actually resolves your issue.

Thankfully, there’s a much faster, more reliable way:  Google it.

Google for help first, and you can save yourself tens of hours per year. In this post, I provide specific examples and helpful tips on how to quickly get tech help using Google.

Examples of Googling for Tech Help

The following examples are all from actual experiences. Note that if you try these searches yourself, the exact results may vary with different search engines or at different times. For each example I’ve created an amusing Google demo using this tool.

Hardware Example

I own a Garmin Nuvi 660 GPS device. Before purchasing a Blackberry Curve 8320, I wanted to know if I could pair these two devices with Bluetooth so I could use my Garmin to have phone conversations in the car. I spent 10-15 minutes searching Garmin’s site, and another 10 minutes on the phone with Garmin tech support, to no avail. I found the answer in less than 1 minute with Google:

1. Google: Garmin nuvi 660 bluetooth blackberry curve
2. Click on the top Google hit, Bluetooth sync problem with Garmin Nuvi 680
3. Done (The clearly explained 11 step procedure explained by ggraves took 10-15 minutes to implement, but it worked.)

For demo, click here.

Web Service Example

My sister Esther Golton is a talented singer–songwriter who wants her music to be listed with Pandora. How? After spending 10-15 minutes looking for the answer on Pandora’s site, she gave up. I found it in less than a minute, as follows:

1. Google: submit pandora music
2. Click on the top Google hit, FAQ (on Pandora’s web site)
3. Use your browser’s find command to find the first instance of the word “submit”
   1. Type control-f
   2. Type “submit”
   3. Enter
4. Done (Esther has the instructions)

For demo, click here.

Software Example

My father-in-law upgraded to Safari 4.0 Beta at my recommendation. He instantly hated the picture slices of web sites on his bookmark page. He spent 20 minutes tinkering with Safari 4.0 to try to completely get rid of it. I was in the next room and couldn’t stand his pain, so I went to a different computer, and found how to get rid of it in less than 5 minutes, as follows:

1. Google: Safari 4 interface
   None of the top hits mentioned these web site picture slices. My query was not specific enough, as I did not know the name for these picture slices. I figure the feature is so prominent it must be mentioned in a review of Safari 4. So . . .
2. Google: Safari 4 review
3. Click on second Google hit, MacWorld’s First Look: Safari 4 Beta
4. Skim article until I find a picture of the feature—it’s called Cover Flow
5. Google: Safari 4 remove cover flow
6. Click on second Google hit, Safari 4: How to Remove Cover Flow from the Bookmarks View
7. Done (I showed my father-in-law the instructions and 2 minutes later the cover flow was gone.)

For demo, click here.

Searching for Tech Help with Google: Tips

The following collection of tips is geared specifically towards finding tech help using major search engines Google, Bing, or Yahoo!

1. Choose keywords carefully, as follows
   • Provide words that you expect to be in the answer
   • Be specific, not general (cover flow versus interface)
   • Use the model name and/or model number
2. If you can’t find a useful search result in the first 20 hits, then
   • Try additional keywords
   • Try different keywords
   • Try visiting a forum specific to your product, and then conduct the search from there
3. If you hardly know anything about the subject, and need additional ideas for key words, then
   • Read a Wikipedia article
   • Read a review of the product
   • Read the product specifications on the vendor’s web site
   • Ask someone who does know the subject for some keywords to use in a Google search
4. If you land on a long page, use your browser’s find command from the menu (or control-f) to find the key word on the page

For more general help with search, the following two links from Google are good starting places.

Basic Search Help (Google)

More Search Help (Google)

Concluding Words

While most people are used to using Google to search for information in general, I have noticed that people still spend many hours getting tech help using the traditional help filters described at the beginning of this post. Traditional tech help methods have failed to keep up with increasingly complex and feature rich technologies.

FilterJoe is all about replacing old filters (that stop working well) with better filters. Googling for tech help is one such filter. More generally, effectively using search engines is an important skill to master in the new millennium.

When in doubt, google it.

Software on a server . . . in the cloud

This post is an attempt to answer these questions from a balanced perspective.

Here is how I describe desktop versus cloud computing for the purposes of this post:

Desktop Computing is the use of desktop software to create, edit, and store data on your hard drive. The operating system is the primary interface through which you access the software that works with your data.

Cloud Computing is the use of web services to create, edit, and store data on servers located elsewhere. The browser is the primary interface through which you access the various software services that work with your data.

Software on a hard drive . . . on your desktop computer

I realize that there are a variety of definitions for cloud computing. The above definition makes sense in the context of typical users getting work done on a computer, which is what this post is all about—both an introduction and a reference for individuals and small businesses considering migrating work from the desktop to the cloud.

A Typical Morning in the Cloud

6:00 Wake up. My Blackberry shows 3 e-mails in my Gmail inbox. I read and archive one message, leaving the others for later.

6:13 Start home computer, then Firefox, which automatically opens my most frequently used web pages into 7 tabs. Enter my Roboform master password, then open Gmail.

6:15 From the Gmail Inbox page:

1. I quickly read and archive my 2 unread messages
2. I glance at the following for today and tomorrow:
   • To Do list (Remember the Milk Firefox add-on)
   • Calendar (Gmail gadget shows my Google Calendar)
   • Weather (part of my Google Calendar)
3. I add an idea to my web security draft article (Click on “web security” document listed under the Gmail Docs gadget, type in idea, close/save it)

6:25 Check financial news on a number of stocks I either own or am tracking, using the finance sites for Yahoo! and Google.

6:45 Go to the Google Reader tab. Scan titles of 43 unread items. Read three of them. I don’t want to read the other 40, so I click “Mark all as Read.”

7:00 Eat Breakfast.

7:15 Check news, e-mail, Google Reader, etc. one last time then shut down computer and bike to the office.

7:25 Start office computer, then Firefox.

7:30 Open my incomplete web security article (from Google Docs gadget in Gmail). F11 and Control-Shift-F to completely block out distractions while I’m writing.

9:00 I stop writing, and check Gmail. 2 new messages:

1. Transcript of Berkshire Hathaway’s annual meeting. I want to read it later. So I “star” the e-mail, which makes it into a (Remember the Milk) To Do item that links back to the e-mail. I set the due date to Friday, then archive the message to keep my inbox clear.
2. Jim’s reply. This is part of a “conversation” that Gmail automatically grouped together, so I choose “expand all” to see the context. We’ve been going back and forth about a FilterJoe site bug. Jim isolated the issue with this last e-mail. So . . .

9:05 I log in to FilterJoe. I make the needed change, do some testing, and find that the problem is resolved.

9:20 Back to Gmail: I thank Jim and tell him the issue is resolved. I then click on the “send and archive” button, which sends the reply, archives it, then returns me to the inbox.

9:25 I spend time researching Internet security. I clip several web posts into Evernote. I also type my own notes directly into Evernote.

10:00 I turn off my office computer and go to a Doctor’s appointment, taking along my Blackberry and EEE PC netbook.

10:05 While riding BART, I read a message on my Blackberry from my father-in-law requesting flight times for a ticket I purchased a few months ago. So I type Southwest into Gmail on the Blackberry. The second e-mail listed is the Southwest itinerary, which I forward to him.

10:45 I arrive on time, but have to wait half an hour. I continue working right where I left off, using my EEE PC netbook. My Internet connection is slow because it uses Bluetooth tethering (the Blackberry acts as a modem, and accesses the Internet through T-mobile’s EDGE network). But it’s good enough for Gmail, Google Reader, and Google News.

Comments about my cloud use

1. I routinely access my data from 2-4 devices per day.  Storing data on the cloud makes this easy. The Dropbox service makes syncing desktop data just as easy.
2. Gmail has replaced MS Outlook as my coordination center: e-mail, contacts, calendar, and tasks. It also links to documents I’m currently working on.
3. I still use desktop software. Quicken and Excel are examples of desktop software I much prefer over competing web services.
4. Evernote is an example of an app that is a combination of both desktop software and a web service. The desktop software is faster and more flexible, but the web service seamlessly syncs data so that I can access and add to my notes from anywhere.
5. With Evernote, I capture, sync, and find notes I take from any of my computers or smartphones. I prefer using its desktop client, for two reasons:
   • I want a separate window open for note taking as I’m reading.
   • I want to access and add to notes while offline.
6. Before Evernote, I used Google Notebook.  Google ended support for this product, but Google and Evernote made it easy to transfer my data from Google Notebook to Evernote.
7. The title “The Desktop or the Cloud?” implies using one or the other. In reality, you can pick and choose which apps you prefer on the desktop, which on the cloud, and which a hybrid of the two.
8. On the other hand, some benefits of cloud computing happen only if most of your work is on the cloud. I personally experienced reduced computer maintenance time and lower hardware requirements after I replaced MS Outlook with Gmail as my starting point for work.
9. Evaluating and managing each individual cloud service can be time consuming. Life in the cloud is simpler if you use either Google or Zoho as your main service provider, as both of these options cover most of the typical productivity apps.  Thinkfree and Zimbra also cover multiple apps, though not as many.
10. I rarely see the desktop interface. I like Windows XP because it is well supported and doesn’t force me to waste time and money on “upgrades.”

The Pros of Cloud Use

1. Data accessible from anywhere
   • Web apps are easily accessible from any computer
   • Web apps are accessible from smart phones (iPhone, Blackberry, etc.)
   • Web apps can run on any operating system that supports a modern browser (platform independent)
   • Regular desktop apps require complex and expensive solutions such as MS Exchange Server to attain a similar level of accessibility
2. Software upgrades are frequent yet effortless
   • Desktop software requires time and sometimes money to upgrade
   • Web apps get frequent updates, upgrades, and feature additions, usually with no money or time spent by users
   • Cloud users still need to keep upgrading and updating the browser (and its add-ons) when prompted to do so
   • Cloud users must also keep updating (but not upgrading) the operating system in order to stay secure
   • But that’s it—web apps get updated on servers, not your computer
3. Maintaining a computer’s operating system requires less time and effort
   • The more work you move to the cloud, the less time and effort you need to maintain your computer system’s well being
   • If you move everything to the cloud, your computer will essentially play the role of a “dumb terminal” (Back in the 1970s, the primary way computers were accessed were through zero-maintenance dumb terminals that accessed remote computers elsewhere)
   • Customizing your interface still requires tinkering, but with browser settings and add-ons
   • It is far faster and easier to reinstall a browser with add-ons (less than 1 hour) than it is to reinstall an operating system and all the software on a computer (3-12 hours)—so messing up your browser impacts you less than messing up your operating system
4. Computer and operating system upgrades are less frequent
   • Upgrading or buying new computers and/or operating systems takes time, money, expertise, and aggravation
   • Cloud users are never forced to upgrade due to speed or compatibility issues, though hardware failure still forces repair or replacement of computers
   • Windows or Linux computers purchased after 1998 or Macs purchased after 2001 can easily run web services on a modern browser
5. Less expensive hardware
   • Standard computer buying advice: buy at least a mid-range system, so that your system doesn’t get obsoleted too soon by upgrades to the operating system or other software
   • Cloud computer buying advice: buy the cheapest computer that meets your current needs—and you’ll notice that using it for web services gets faster after each browser upgrade
     
   • Cheap and supposedly underpowered netbooks like my EEE PC 1000H run web services at speeds which are not noticeably different than high powered desktops
   • Buying new computers to support upgraded operating systems and software is no longer necessary
6. Less expensive software
   • Many web apps are free
   • Paid web apps can be accessed by any number of devices for a monthly or annual subscription
   • Desktop software purchases and upgrades can be expensive, especially when installed on multiple computers per user
7. More computing power
   • Can rapidly scale up (or down) computing needs without acquiring (or disposing) hardware
   • Complex calculations can be done on servers instead of your computer, enabling new features such as voice dictation on phones or rapidly searching an e-mail archive
8. Collaboration is simpler, yet more powerful
   • Google Apps, Zimbra, Zoho, and other web providers offer collaborative functionality at a fraction of the cost and complication of MS Exchange-based solutions
   • Some forms of web app collaboration are not even possible on desktops (i.e. wikis, blogs, Ning communties)
9. Data backed up automatically and frequently
   • Personal backup systems are usually less regular, less reliable, and less geographically dispersed than backup systems of large web service providers such as Google and Yahoo!
   • If a fire burns down your home, how much data do you lose? (At most a few minutes’ worth if all your data is in the cloud)
   • Even safer are hybrid cloud/desktop backup strategies such as Dropbox, which synchronize data between web servers and multiple computers

This is an incomplete list of benefits to cloud computing, but I believe these are the key benefits for home or small business users. Here are some additional resources on the benefits of cloud computing:

Laptop Logic’s on why cloud computing is the wave of the future

Security benefits of cloud computing

20 reasons web apps are superior to desktop apps

Google’s view of cloud computing

The Cons of Cloud Use

1. Internet connection required
   • When Internet goes down, you can’t work
   • Internet access when traveling is sometimes slow or unavailable
   • Some web service providers are attempting to address this with offline modes, but most current implementations are incomplete or buggy (will likely be less of an issue a few years from now as offline modes improve and the Internet becomes available almost everywhere)
2. Inferior functionality
   • Some types of web services have far fewer features than their desktop counterparts  (i.e. spreadsheets, personal finance, image editing)
   • Graphics intensive software such as fast-paced games work poorly as a web service
   • Some web services are too slow without a fast Internet connection
3. Vendor lock-in and data portability risk
   • Desktop data is clearly your own, but what about cloud data?
   • When proprietary data formats are used, changing service providers can be difficult
   • Some web services make it easy to export or backup your data, but some don’t (hint: sign up only for services with good data export options)
   • Your data is scattered across multiple services, so it is harder to routinely backup to your own hard drive(s)
4. Security
   • The Internet abounds with security threats
   • Some users have reported automatically losing accounts and data with Google or other web services after hacker break-ins
   • Cross-site scripts which install key logging software are especially problematic because passwords can be recorded and stolen as they are being typed (can happen from merely visiting a web site, with the user totally unaware)
   • Hackers routinely break into accounts with simple passwords (names, personal data, words from the dictionary, or anything less than 10 characters)
   • There are several ways to mitigate security risks, but all require user knowledge and diligence.  The most important safeguard is good password management, which I describe here
5. Privacy
   • Some web services do not share your data, some do
   • Some web services use your data to serve you targeted ads (usually in return for a free account)
   • Privacy agreements are often so long and tedious that few people read them
   • Web services must share individual data with the government if subpoenaed as part of a criminal investigation
6. Loss of control (and potential data loss)
   • Upgrades happen whether (and when) you like it or not
   • Upgrades sometimes introduce bugs or undesirable interface changes (you usually have no option to revert a prior version)
   • When service interruptions happen, you have no idea how long they will last
   • What happens to deleted data varies by web service, and is sometimes unclear
   • A web service provider can go out of business without giving you an opportunity to recover data, or without securely erasing data
   • Web services with a sync component can propagate errors across all devices before a user realizes what is going on (mitigated if the service has version and/or deletion histories)
7. Complexity
   • Evaluating and managing web services can be time consuming
   • Choosing the wrong web service provider can lead to one of the problems mentioned earlier in this section

This is an incomplete list of drawbacks to cloud computing, but I believe these are the key concerns of home users or small businesses. Here are some additional resources on the drawbacks of cloud computing:

Wikipedia’s list of cloud concerns

Bernard Golden’s case against cloud computing for the enterprise

Microsoft’s critique of Google Apps

PC World on data loss

Richard Stallman’s critique of cloud computing

Who should move to the cloud?

If some or most of the following apply to your situation, you might consider migrating some of your work to the cloud:

• You routinely access data from multiple devices
• You travel frequently
• You use your phone to access e-mail, calendar, and contacts
• You communicate electronically throughout the day
• You frequently collaborate with others on projects or reports
• You are trying to set up e-mail and other services inexpensively for a new business
• You are trying to keep costs for software and hardware low
• You are not routinely backing up your data

Who should stay with the desktop?

If some or most of the following apply, then you probably won’t want to migrate much of your work to the cloud:

• You access data from a single device
• Your privacy is very important to you
• You don’t travel much
• You don’t use a computer much
• You rarely collaborate with others on projects or reports
• You routinely back up your data and store some backups in a different building from your computer
• You are part of a mid-sized or larger organization with an entrenched information technology infrastructure

Last Words

Life was definitely simpler when I had a home office with a single computer.  Once I moved to an outside office, life become more complicated. I tried to keep my work computer as my main data repository to keep things simple. But all too often I found that my data, especially e-mail, was not where I needed it when I needed it. And that was what started my move from the desktop to the cloud. Over the course of the next 12 months, I gradually adopted one web service after another until I ended up with Gmail as a launching point for much of my work.

So why are people moving to the cloud? In my case, the need to access data from multiple devices was the most important reason. But you’ll hear different answers depending on who you ask, explaining different benefits and drawbacks. Changing anything you do in life takes time and attention, and moving to the cloud is no exception.

For many people used to desktop computing, there is not yet a compelling reason to migrate to the cloud. For those who have questions about the cloud, this post may be a good starting point. And for those who have already started the move from the desktop to the cloud and would like to hear more about password security, Gmail, Evernote, Dropbox . . . stay tuned.

NOTE: In June 2010 I posted a comparison of the latest browser versions.  Click here to read it.

Most individuals access the web using the browser initially bundled with their computer, and typically don’t update it. Accessing the information superhighway with an outdated browser is like driving today’s roads with a Model T—slow, unsafe, unreliable, and in many places not usable at all.

In this post, I explain why it’s so important to use the latest version of Firefox, Opera, Internet Explorer, Chrome, or Safari—speed, security, reliability, and compatibility. I describe each of these browsers, to help you decide which is best for you. And I lay the groundwork for the next post on cloud computing.

The Browser Upgrade

In general, I’m not very keen on upgrades. Upgrading software and especially operating systems can lead to reduced speed, more bugs, compatibility issues, or the need to purchase a new computer altogether. There may be some enticing new features, but far too often the costs and learning required outweigh the benefits, which is why many people postpone upgrades as long as possible.

Fortunately, with modern browsers, the benefits of upgrading are numerous, while the costs and hassles are few. Major browser upgrades can cause some add-ons to stop working and there may be some learning required to get used to a changed interface. But the learning required is usually modest and the most popular add-ons are typically upgraded in time for a new browser release.

At the time of this writing, there are 5 well maintained browsers with over 0.5% market share. The latest versions of these browsers are:

• Firefox 3.0.x
• Opera 9.6x
• Internet Explorer 8 (IE8)
• Google Chrome 1.0.x
• Safari 3.2.x

Upgrading your browser provides increased speed, security, stability, and compatibility, as follows:

Speed

You can see the speed tests for yourself, here. Or you can subjectively experience how upgrading from Internet Explorer 6 or 7 to a recent browser release feels like getting a newer, faster computer. You can even give a second life to an older computer. I did this recently by installing Opera 9.64 on a 10-year old Dell running Windows 98. It’s fast again!

Security

According to Wikipedia, Web-based vulnerabilities now outnumber traditional computer security concerns, and about one in ten Web pages may contain malicious code. Most Web-based attacks take place on legitimate websites.

Browsers are updated frequently to patch discovered vulnerabilities. Keeping your browser (and operating system) updated is the first and most important step to keeping your system and data secure.

Stability

Older browsers crash more frequently than modern browsers. The multi-process architecture in Google Chrome and IE8 means that a single tab freezing up or crashing has no impact on other tabs—making these two browsers more reliable than the others. Though Firefox is theoretically less reliable, my extensive use of Firefox results in two to four crashes per month, usually when opening a large, in-line PDF file. Older versions of Firefox crash more frequently.

Compatibility

Web standards have evolved over time to support greater speed, more sophisticated capabilities, and easier maintenance for web sites. On older browsers, if a web site looks strange or doesn’t work at all, it is usually because the web site is using techniques that were not possible using older standards. None of the 5 major browsers fully comply with the stringent acid3 standards test. However, the Safari and Opera versions expected later this year will comply with acid3, and the current versions of all 5 browsers display the vast majority of modern web sites properly.

Browser Market Share

According to Net Applications, world wide market share for browsers in March, 2009, was:

• Microsoft Internet Explorer 66.8%
• Mozilla Firefox 22.1%
• Apple Safari 8.2%
• Google Chrome 1.2%
• Opera 0.7%

The more popular browsers benefit from greater web site compatibility testing and a well developed ecosystem of add-ons and plug-ins.  For example:  Chrome or Opera users are currently not able to use the 1Password and Roboform password managers (which I’ll be highlighting in a future post).

However, obscurity confers a security benefit to Opera and Chrome.  According to this report, “they are targeted by attackers far less frequently due to market share.”

Differences among the 5 Major Browsers

In this section, I highlight the strengths and weaknesses of each browser. If you need more than this brief overview to decide which browser is best for you, the following links provide more information:

Maximum PC Browser Battle: Nine Browsers of Today and Tomorrow Compared

Hardware Zone: Browser Wars Showdown

Lifehacker:  Browser Speed Tests

Wikipedia:  Comparison of Browsers

The browsers are presented in order of my personal preference, but all 5 are excellent when kept up-to-date and are likely to be supported and upgraded for years to come.

1. Firefox 3.0.9

A library of thousands of high quality add-ons makes Firefox the most customizable browser. When first installed, Firefox is not as fast, as secure, nor as feature-packed as its competition. But it is fast enough.  With just a few extensions, Firefox becomes more secure, innovative, and customizable than all other browsers by a long shot. Firefox’s availability on Windows, Mac, and Linux allows you to have a similar browsing experience on any machine, regardless of operating system.

Major Upgrade: Firefox version 3.5 is expected by July 2009. It will be much faster at running complex web applications.

2. Opera 9.64

Feature-packed, compliant, secure, extensible, yet fast and small—Opera is a better choice than Firefox for the person who will never install an extension. Opera supports the widest variety of operating systems, including many cell phones with an Opera Mini version. It’s the only major browser still supported for Windows 95 and 98. Opera’s interface makes customization easy yet gets out of your way when you need it to. Opera’s small market share means far fewer add-ons, but also fewer security threats (See Market Share, above).

Major Upgrade: Opera 10 is expected by the end of 2009. It will be much faster at running complex web applications.

3. Internet Explorer 8 (IE8)

IE has always been bundled with the Windows operating system, and that is the primary reason it has been the most popular browser over the past 15 years. Prior to 2009, nearly all versions of IE were slower, much less secure, less web-standards-compliant, less extensible, and less innovative than the competition—which is why Firefox was able to gain over 20% market share. However, IE8 (which Microsoft released in March 2009) catches up to, and in some ways surpasses the competition. It is secure, stable, compliant, fast enough, and innovative. Slices, accelerators, and site suggestions are new features which access information like maps or definitions with fewer clicks and keystrokes. Microsoft only supports IE8 for Windows desktop versions XP, Vista and 7, and for Windows Server versions 2003 and 2008.

Major Upgrade: Users of any IE version prior to IE8 should immediately upgrade to IE8 or switch to another browser in order to experience greatly increased speed, reduced security risks, and numerous other benefits. Microsoft has not yet announced plans for a major new release beyond IE8, which was released March 2009.

4. Google Chrome

Only 8 months old, this browser is very fast, secure, reliable, and has little interface clutter—which makes it ideal for running web applications heavy in JavaScript (such as Google’s sites). Speed is not a compelling enough reason for users of Firefox 3.0.x, Opera 9.6.4, or IE8 to switch to Chrome, which currently only works on Windows (XP and Vista), lacks a number of common browser features (including full screen mode), and has a very small library of extensions. Given Google’s strong commitment to Chrome, an underlying design optimized for web applications, and a number of new features and add-ons coming soon, Chrome may rapidly gain market share after version 2.0 is released.

Major Upgrade: Version 2.0 (available for beta testing, release date unknown) will be faster and will adopt many features users miss from other browsers (included F11 for full screen mode). Macintosh and Linux versions are under development.

5. Safari 3.2.x

Safari is bundled with Macintosh computers running OS X, and has been gaining market share in proportion to the market share gains of Macintosh computers. It is fast, has an attractive, Mac-like interface, and now runs on Windows (XP and Vista) as well. However, Safari 3.2.x is less flexible, less extensible, and less secure than the other two major browsers available for Macs (Firefox and Opera). It also offers less control over appearance. Though Apple does not actively promote add-ons for Safari, there are actually a number of plug-ins available that provide additional features. For example, full screen mode and many other features are added with Saft and Glims.

Note: The multi-touch version of Safari that runs on the iPhone and iPod Touch is by far the best browser for a handheld device, but is beyond the scope of this post. The Apple Tablet rumored to be released at the end of 2009 will almost surely run a similarly impressive multi-touch version of Safari—and may well become the browser/hardware combination of choice for reading.

Major Upgrade: Safari 4.0 is expected by the end of 2009. It is more secure, 100% compliant with new web standards, and runs complex web applications extremely fast. Apple is currently pushing the seemingly stable 4.0 beta version on its web site. If you intend to stick with Safari, I suggest you upgrade soon to the Safari 4.0 beta (here). The two plug-ins I mentioned above (Saft and Glims) are compatible with Safari 4.0.

The 6th browser:  iCab 3.0.5 for Mac OS 8 or 9

None of the major browsers are maintained for Mac OS 8 or 9, as virtually all Mac users have migrated to newer computers running Max OS X.  iCab 3.0.5 ($25) is the only option.  You can learn more by visiting iCab’s web site. I learned of iCab from a comprehensive listing of all Mac web browsers, here.

Last Words

My next two posts will be on the topics of cloud computing and password security. To safely use the web for any purpose, an up-to-date browser is required.

IBM reported that 637 million users surf the web with an insecure, out-of-date browser (July 2008). Net Applications reported worldwide market share of 46.5% for IE7 and 18.4% for IE6 (March 2009). IE7 and IE6 are less secure and less functional than any of the 5 browsers featured in this post. So spread the word to anyone you know who uses an older browser: Upgrade!

Is the pen mightier than the computer?

Distraction-free reading is not a fully solved problem–which is why the last article was so long. Distraction-free writing is a solved problem, which is why this article is short.

As mentioned previously (here), FilterJoe aims to be a starting point for anyone wanting to enhance their ability to effectively focus, process information, and get work done. Some content will be original, while other content (like this post) will summarize and reference the great work others have already done.

The Key

For many people, the key to being able to write something lengthy or complex is to eliminate distractions, just as with reading. For some people, using pen and paper in a room without a computer or telephone may be the best answer. It doesn’t get much simpler than that.

For those who can type faster than they write, or just plain prefer word processors over paper, read on.

Get Rid of the Interface with Full Screen Mode

Full screen mode is the answer to many computer distraction issues, and so it is with writing on a computer. Most major word processors have a full screen mode which gets rid of all toolbars and menus. Use it. Avoid formatting, spelling correction, researching fine points, etc. until the first draft is done. Just keep your word processor in full screen mode and keep writing.

To elaborate, here’s a simple checklist:

1. Research until ready to write a first draft
2. Invoke full screen mode of your word processor
3. Write, and then . . .
   • Don’t style your text: stay in full screen mode
   • Do not research: stay in full screen mode
   • Write zzz to mark places that need further research
4. When done first draft, revise (replace each zzz)

Word Processors that Support Full Screen Mode

Following is a link to a post with many different products that support full screen mode:

Full Screen Text Editors from techmalaya

Note that Microsoft Word is on the list – choose “full screen” from the view menu to blank out everything except the text area.

I personally use Google Docs’ word processor (with fixed-width page view selected from the view menu), so I can access the document from home, work, or elsewhere. Control-Shift-F, F11, and I’m ready to write.

Get Rid of External Distractions

Getting rid of external distractions can be the hardest part to implement, as it may involve habit change for some – such as not answering the phone.  Here are two articles with a number of good suggestions:

Lifehack Tips and Tricks for Distraction-Free Writing

Writetodone on How to Write Without Distraction

The Lure of Research

A common reason for writers to take so long to write (myself included) is the need for research when writing. The research is necessary, but even a simple look-up can lead to endless surfing once you’re on the web. Here’s a way to keep working, while noting the need for research:

One more thing to look up before getting back to writing . . .

Do enough research to get a decent amount of background. Then write your first draft. Do not look up anything while doing this draft. If you’re unsure of a fact, mark “tk” or “zzz” or some other nonsense letters where you need to do further research or revision to a certain part of your text. After the draft is finished, you can look up every instance of “zzz” and research or revise as necessary.

That’s It

I didn’t mention how to block out every possible source of distraction. I didn’t tell you about a piece of software that automatically writes for you. But for those who haven’t yet worked out their own system for staying focused while writing, perhaps some ideas in this post and in the above-mentioned articles will help reduce distraction.

If you have any further thoughts, questions, or links to other great articles, please leave a comment – that will help make this post an even better starting point for people just learning to write without distraction.

Will reading on the web ever be as good as reading a book?

Will reading lengthy text on the web ever be as comfortable as curling up in your favorite chair with a paperback? In theory, computers offer some reading advantages such as fast look-up and infinite storage. In practice, conflicting priorities of site design and current display technology get in the way.

For people like me who read hours per day, there has to be a better way. Luckily, there is.

Why Reading on the Web is so Difficult

The paperback novel is the easiest of all formats for me to read and the benchmark against which I compare all forms of reading. Currently, reading text on the web is not even close. Here is how I classify the various reading issues on the web that make it so much more difficult to read than a paperback:

1. Typography choices
   • fonts
   • type size and line spacing
   • colors (too bright, over-contrast, under-contrast)
   • page layout
2. Distracting web page elements
   • ads (blinking text, pictures, animations)
   • branding
   • links
   • site navigation
3. Distracting interface (browser and operating system)
   • tabs, icons and buttons
   • menus and search boxes
   • windows, title bars, and scroll bars
   • status and tool bars
   • pop-up messages
4. Hardware
   • light emitting monitors unnatural for human eyes
   • monitor resolution lower than print resolution
   • reading at a desk for long periods is uncomfortable

Some people address these problems by reformatting and printing most long articles. This is fairly easy to implement and comes close to addressing all four reading issues, though the 8.5 x 11 format is not as good for sustained reading as the paperback book. More of a problem is the act of printing, which uses up paper, ink, time, money, and storage space. This is not for me.

How to Vastly Improve Reading on the Web: Three Filters

If you suffer from distraction, eyestrain, or reduced concentration while reading on the web, the following three filters should help. If you spend a lot of time reading on the web, the combination of all three is best:

1. Readability button from arc90
2. F11 key on your browser (Windows and Linux only)
3. Small device or small screen size

Continue reading for more detail on each filter and additional help for wide screen monitors.

Reformat with the Readability button

Before installing the Readability button, your bookmarks toolbar must be enabled. On Firefox Menu: View > Toolbars > Bookmarks Toolbar. Then you can follow the instructions here to install the Readability button. Before installing the Readability button, choose the style, size, and margins you think will be most readable for you. On a vertically aligned, 19 inch monitor, I like Style: Novel, Size: Large, Margin: Medium.

After installing, click on the Readability button in the Bookmarks Toolbar. It will extract the main body text from the current web page, formatted beautifully. There are no drawbacks (except that it doesn’t work on all web sites). If you don’t like the formatting style, delete the button and reinstall with different style, size and margin choices.

I love the Readability button approach and use it extensively – with one click, the issues of typography and distracting page elements go away.

Eliminate distractions with F11

There’s a very simple and effective method for Windows and Linux users to eliminate all interface distractions:

Press the F11 key to put Firefox, Internet Explorer, or Opera into full screen mode. Read.

F11 works terrifically on small screens, especially on a narrow display. F11 completely gets rid of all interface clutter from the browser and the operating system. If used in combination with the Readability button, it cleanly and easily takes care of the first three web reading issues. Just click Readability then press F11.

F11 used alone does not always work so well for reading on large and/or wide screen monitors. It does work well for sites like FilterJoe where the main page width is fixed and there is a dull colored background color outside the main page. But most web sites are not designed this way. Pressing F11 may cause text to stretch wide, may expand a distracting background, or may cause the menu or other elements to slide far to the left.

For F11 to improve reading on a wide screen monitor, you’ll want to create a second Readability button designed to work in combination with F11. Here’s how:

1. Right click on the Readability button you installed
2. Choose properties
3. Rename to something else, perhaps “read” in small letters
4. Go to arc90’s Readability site again, here
5. Choose Style: Novel, Size: Large, and Margin: Extra Large
6. Drag this Readability button to your toolbar
7. Rename it to something else, perhaps “READ”, that will help you remember that this version of the Readability button will produce very large type with very wide margins.

Now click the new button you created followed by F11. The browser will fill the screen and you’ll see very large text with a very wide margin.

While the above procedure works, a preferable solution would not require jumbo fonts. Effectively using large monitors is a topic in and of itself with benefits far beyond reading. A forthcoming post on effective large monitor use will describe useful techniques to help reading, distraction elimination, and other issues. The techniques described will also help Mac users who are unable to benefit from the F11 key.

Use a small screen or better yet a small device

Many people now use large, wide monitors with their desktop computers. As described in the prior section, such monitors are not very well suited for reading lengthy text. A 19 inch or smaller monitor in the vertical orientation is a big improvement, and is what I recommend for online reading at a desk. Those of you with a large or wide screen monitor can hook up a second, smaller monitor to your computer for reading. Alternatively, a second computer with small monitor can be used.

The first two filters work well with any device whose width is 1024 or fewer pixels. Unfortunately, this still doesn’t take care of the fourth reading issue, “Hardware.” I’m not yet aware of a hardware solution as simple and effective as the filters I’ve mentioned so far.

What I would really like to see is all four reading issues go away with one click. Can someone please make the following a reality?

Go to web page. Click. The text appears on a piece of E-paper (Electronic Paper), well formatted for reading. You can carry it with you and therefore read it anywhere.

There are a number of small, portable devices that are superior to reading at a desk, but they all have shortcomings. Briefly expressed, here is my opinion regarding current portable choices for reading:

• E-book readers by Sony and Amazon–easy to read but slow, restricted web access
• Nokia tablet–too small, no rotation
• iPhone and iPod Touch–great interface but even smaller
• Netbooks–currently best–see below

Until a better device is released (like my E-paper idea or the oft-rumored Apple tablet), the best full computing experience for reading is a 9 or 10 inch netbook, in my opinion. For example, owners of an Asus EEE PC netbook with EEErotate and the Readability button installed, can read a web site as follows:

1. Click on Readability button
2. F11
3. Control-Alt-RightArrow

The last step rotates the screen 90 degrees, which means the text display is similar to a book. To return to the original state:

1. Control-Alt-UpArrow
2. F11
3. F5 (refresh)

The following screenshots show a New York Times article. The first image shows the article on a 24 inch monitor before any filtering. The next image shows two screen shots from an EEE PC 1000h netbook, after all three filters are applied.

Before: 24 inch monitor (no reading filters applied)

After: 10" EEE PC after all 3 filters applied, pages 1-2

This combination is not as good as a paperback book. The netbook is far heavier, emits light, and takes three actions to get into a highly readable format, and another three actions to return to the regular browser window. But I’ve found it to be the simplest and most effective method for using a computer to read lengthy text off the web at this point in time.

The Future

Thanks to rapid innovation on several fronts, reading on the web could soon approach the experience of reading a book. E-paper displays are as easy to read as regular paper and are perhaps a year or two away from mass adoption.

While devices like the Amazon Kindle and the Sony Reader already use E-paper, they will likely remain a niche product if data access and connectivity continues to be purposefully restricting.  (NOTE:  Kindle connectivity has improved enough since this post was written that I bought one and wrote about it here)

Safari on an iPod Touch combines unlimited web access with a great interface for reading on the web. If Apple comes out with a moderately larger model, I think it would do for reading what the iPod did for music. If my print-to-E-paper idea becomes reality, that would be even better.

I know there are many other tricks out there to increase readability and reduce distraction. I’ve found most to be excessively complicated or not effective enough for the average person. Be sure to let me know in the comments if you’ve found anything as simple and effective as Readability, F11, and using a small screen.

Typical Priorities for Site Design

To be fair, there are many conflicting priorities behind site design. Priorities usually include most of the following:

• Look great
• Draw attention to the brand
• Draw attention to online ads to generate revenue
• Draw attention to other page elements, as needed
• Be sure to include links to affiliates or other parts of the site
• Take care of necessary chores like navigation, RSS, credits, contact information, etc.
• Make it readable

While readability is usually a part of the mix, I suspect it is not usually the top priority for site design. The overall design philosophy which permeates the web seems to encourage skimming and rapid movement through many pages, not lengthy reading and contemplation. The end result of all these competing priorities reminds me of the following hilarious video about packaging design.

Microsoft Design Philosophy Applied to iPod Packaging

The Goal

The site design for FilterJoe is driven by one overriding goal: make it easy to read content. Make reading so easy, that a user with a default browser setting has no temptation to print it out, copy/reformat text, or use some other trick to make it more readable, even if it’s a long article. Make the medium on which the words are written so unnoticeable, that the only thing a reader notices is the content, which he or she can stay with and contemplate. Just like a book. Or at least a lot closer to a book than the typical blog. And it should remain readable on any size screen, any type of device, with any amount of scaling.

The Realization

With thousands of themes in existence, I thought it would be a simple matter to pick an existing theme that had been designed with reading as the top priority.

How wrong I was. I rejected first dozens, then hundreds of potential WordPress themes. With surprise, shock, and dismay, I realized I’d have to design my own theme!

What? Say again?

I Must be Missing Something . . .

The idea of me designing my own theme is crazy. Here’s why:

• Everything I know about design was learned during the past two weeks. Prior to that I knew nothing.
• Surely some blogs are easy to read? Yes, I found some. But all were proprietary, custom designs.
• Starting a free blog using WordPress.com as host is really easy. Going with an independent host and designing your own theme is not so easy if you’re new to this.  Couldn’t any of the 74 themes available on WordPress.com suffice? No.
• Were there any other themes, anywhere, that were close? Yes, I gave serious consideration to a few, especially a number of themes that described themselves as minimalist. However, virtually all of them had white backgrounds for the main content area (including Contemp and Day Dream from wordpress.com which I seriously considered using in order to save myself 10-20 hours of research and 30-50 hours to build a theme). My eyes tire quickly from maximum contrast (black print on bright white background). There were a number of other shortcomings, but the black on white in and of itself was a deal killer.

In the end, I discovered the fantastic Thematic framework, which is the parent theme to my custom designed child theme, FilterJoe.

Blog Design Elements for Easier Reading

After straining my eyes looking at hundreds of themes and websites (and reading about site design), I identified the following elements that contribute to easier reading for me:

General

• Page navigation menus should be just words in a title bar
• Ample white space helps readers focus on content
• Needs to remain readable when scaled up or down using browser commands like control+
• Two column (main text left, sidebar right) makes scaling work better than 3 column (One column design also possible, if navigation can be gracefully handled)
• Outside of the content area, there should be very little clutter (This means no ads, graphics, bright color, boxes, etc. -- only the absolute minimum needed by the user)
• In general, use of color should be restrained (This means no bright colors anywhere, not even traditional uses like the bright orange RSS icon)
• Link color cannot be in high contrast to the background color (Make it easy to continue reading and contemplating without distraction, as opposed to getting lost in an exploratory journey)
• Outside the web page, there should be an unnoticeable bordering color such as gray (This makes it easier to stay focused on reading, especially after hitting the f11 key which causes most browsers to fill up the screen)
• If ads are present, they need to be very unobtrusive

Main Text

• Font: veranda at <=10pt, Ariel or Veranda at >10pt (Among widely installed fonts, these are the most readable)
• Black or very dark text
• Ample line spacing
• Background color a light, neutral color, but not bright white
• No more than 66 characters wide for content, because:
  • Paperback width is 45-65 characters
  • This is conventional typographic wisdom
  • Works well on rotated netbook screens (600px)
  • Works well on cell phones

Sidebar

• Insure sidebar is less noticeable than content
  • dimmer is better
  • perhaps background a different color
  • perhaps no color unless mouse hovers over sidebar
• Bullets or dots or arrows to help see where items start
• Keep as little as possible in this area

Banner

• Banner should both recede from and set off content.
  • Dark color (Blue? Green? Dark Grey?)
  • Slim
  • Site name and tag line in light color
  • No pictures
• Menu needs to be part of the banner.

None of this should be taken as gospel.  It’s just a list of what makes various sites more readable for me, based on careful observation.  I fully expect to stumble across a site that does it far better than FilterJoe, motivating me to overhaul the site interface.

The End Result

Stanza e-book reader on iPhone

Interestingly, the end result is similar to the Stanza e-book reader’s iPhone interface. I didn’t consciously start with that in mind -- but I now see why reading with a dedicated e-book reader on the iPhone is easier than reading on a computer, despite the much smaller screen. The site design of FilterJoe is easy for me to read (though I’m not yet satisfied with the right sidebar interface -- I’d prefer that to be less noticeable). However, it may not be so easy to read for others. So please comment below with both praise and constructive criticism -- the more specific you can be, the better.

What About Other Sites?

While there are quite a few blogs out there that are easy to read -- and I hope this is one of them -- what about the vast majority of sites out there that aren’t? Thankfully, there are 3 very simple steps which make nearly any text heavy web site easy to read. That will be the subject of the next article.

email, facebook, RSS, IM, SMS, twitter . . .

To this point, many articles on the subjects of information overload, Internet distractions, and declines in reading and focusing abilities have appeared during the past few years. Some of the more interesting ones are here, here and here.

Where is the Information Overload Blog?

Despite all the attention the topic of information overload has been getting lately, I was unable to find any forum, blog, or other resource dedicated to addressing the issue. Sure, there are a few blogs one can point to for getting tips on improving the situation. My favorite is zenhabits, devoted to simplifying your life so that you can focus on the relevant. And there are a number of quality blogs with productivity tips, such as lifehacker and mashable. But no blog or forum specializes in the specific issues I have in mind, so far as I know.

It’s Here!

So I hereby launch FilterJoe. The aim of this blog is to be a starting point for anyone wanting to enhance their ability to effectively focus, process information, and get work done: Joe’s filters for the average Joe. Initially, content will relate to the following subjects:

• reducing Internet/computer distractions
• wise gadget use
• improving online reading, writing, email, etc.
• staying focused
• finding/filtering information

Rapidly Changing Technologies

The passion I’ve developed for this topic brings together ideas I’ve had for years, and especially the last year, about how rapid technological progress can lead to unintended, undesirable consequences. Case in point: the car alarm. An extra theft deterrent is a great idea, but unfortunately most car alarms are so easy to set off that they are now routinely ignored. Thanks to insurance company incentives, most cars now have them, so the net effect of this new technology is to cause much more noise pollution in return for a slight decrease in auto theft. Probably not what was initially envisioned.

The technology with the largest impact that is changing the most rapidly is the proliferation of ways to get information on the Internet. There are many ways this is obviously good, such as instantly accessing encyclopedic reference information or the solution to an obscure technical issue. But the ease of accessing and generating information has also led to an explosion of new content and methods of access. It is much easier to waste time and lose focus than it is to harness all this information efficiently and productively. Better filters are needed.

So Why does the World Need FilterJoe?

The inspiration for both the title of this blog, and the motivation to start it, comes from a thought provoking interview with Clay Shirky (Part 1, Part 2). There is much of interest in this lengthy transcript, but the key piece for me was the relationship between information overload and how people filter information.

Library of Alexandria Reconstruction

Shirky correctly points out that there has been more information than any single human being could possibly know since the creation of the library of Alexandria. But over the ages, filtering mechanisms have developed which allow people to get relevant information, without getting overloaded by details. Examples of useful information filters are:

• card catalogs
• news publishers
• social networks

Shirky argues that the best way to view the difficulties arising from recent rapid technological change is not “information overload,” but rather “filter failure.” Filtering mechanisms have not yet caught up with the last decades’ worth of innovations in generating and delivering information.  Card catalogs and traditional news publishing now only cover a fraction of available information.

So what we need is not less information, but better filters. This blog is an effort to provide one such set of filters, “Joe’s filters,” that will hopefully be of use to a broad audience of anyone who is hoping to make better use of today’s technology without getting overwhelmed or overloaded.

How Can FilterJoe Help?

To help be part of the solution, rather than the problem, I will attempt to:

• Present filters that are both effective and simple to set up and use
• Avoid complex solutions such as greasemonkey scripts
• Avoid solutions that require big habit change
• Keep this blog easy to read and free of distraction
• Emphasize content quality over quantity
• Harness group wisdom from comments and emails I receive to drive improvements to the site and ideas for future content

How Can You Help?

Initially, I will be the sole editor and moderator, generating the most content. But I welcome on-topic guest posts and ideally this will turn into a group with many active discussions and contributions from others. Social networks have always been one of the most effective information filters, and are likely to continue to be so for the foreseeable future.