Greg Norcie

Shared publicly  - 
 
So one of the interns got married...

Greg Norcie

Shared publicly  - 
 
"The key to protection is being informed about risks. If you receive a suspicious-looking email, assiduously click on all the links and follow their instructions to learn more about the threat."
Following the recent data breach at retail giant Target, which exposed credit card numbers and personal information of as many as 110 million people, many Americans have grown concerned about their safety and privacy online.

Greg Norcie

Shared publicly  - 
 
 
By the ebook
Suzi LeVine has become the first US ambassador to be sworn in to her position using an electronic device. LeVine, the American diplomatic representative for Switzerland and Liechtenstein, laid her...

Greg Norcie

Shared publicly  - 
 
Great write up on password reuse
 
Sign Up. Email. Password. Reuse.

Put yourself in the mindset of someone who isn't familiar with the way the Internet works. They have an email address with their ISP. They have their email address and their email password written down on a proverbial post-it.

At some point, they end up on the sign-up page of some popular web site. In many cases, that's the site's home page when the user isn't signed in. The page asks for their name, email address, and password.

What does our hypothetical user do?

They enter their name, their email address, and... their email password. They don't even realize that the password on this site could be different from their email password, so even if they are vaguely aware that they shouldn't reuse their password across sites, they miss that opportunity.

They just did the worst kind of password reuse, i.e. reusing their email password on another site. They're not even stupid. They just got confused by what they saw. A bad design misled them, and poor underlying technology didn't detect that they were doing something that's not advisable.

This isn't entirely a hypothetical scenario. LinkedIn, Pinterest, Tumblr, Twitter, Yelp all have sign-up pages that ask for "Email" or "Email Address" immediately followed by "Password", with no further explanation. So does the NYT. WSJ says "Email (this is your login)" and "Password", adding potentially a bit more confusion. WaPo might be even worse, saying "Enter your password".

A few sites do somewhat better. eBay says "Create your password". Facebook says "New Password". Amazon is even better with "Enter a new password". Skype uses a plain "Password" field, but places it very far away from the email address, in a separate section where the only other field is "Skype Name", so at least there's no visual association between the password field and the email field.

None of those make it clear that this shouldn't be the email password.

As a note, many sites use field labels that are in the background of the text inputs and disappear when the user starts typing. If the user is slow, if they get distracted or interrupted, they won't even know what they're supposed to type. There's almost a perfect correlation between confusingly terse language and disappearing input labels, which might be a hint of a desire for a visually minimalist design.

What can the tech industry do?

I think there are many possible improvements. UIs could be clearer. Email providers could offer services that allow other sites to check for password re-use. Products could rely more on 3rd-party authentication and 2-factor challenges. Those are only starting points.

Ivan Jager:
I think the only solution there is to stop having passwords.

Relying on everyone else on the internet to help a user not compromise their own security is bound to fail.

Even the NSA couldn't train their own employees to not hand out their passwords...

Greg Norcie

Shared publicly  - 
 
 
Google, Microsoft, and Paypal are plotting to kill the password — the world’s most powerful companies want you to log in with fingerprints and eyescans 

http://bit.ly/1eLVme5

Greg Norcie

Shared publicly  - 
 
 
Google apparently decided to simplify app permissions so that an app granted a fine-grained permission (say, approx location) can now just acquire a "related" permission (say, exact location) without asking. How is this not a horrible idea? Oh, and all apps now have Internet access permission.  #WTFGoogle
Google just made a huge change to the way app permissions work on Android. Apps already on your device can now gain dangerous permissions with automatic updates. Future apps can gain dangerous permissions without asking you, too.

Ivan Jager:
It's still "all or nothing", you just get less of a chance to change your mind when the meaning of "all" changes.

Greg Norcie

Shared publicly  - 
 
We need a remake of "The Wire" for the social media age.

("The Mini Feed"?)

Greg Norcie

Shared publicly  - 
 
Cool NPR story on Tor
There's much more to the Internet than what you can stumble upon with Google. Hidden sites can market drugs and weapons illegally, but they also provide anonymity for political dissidents.

Greg Norcie

Shared publicly  - 
 
2014 EFF Crypto Usability Prize (EFF CUP) Workshop  https://cups.cs.cmu.edu/soups/2014/workshops/effcup.html
 
The next generation of secure, end-to-end encryption tools must be usable by journalists, activists, and ordinary users. Can an Encryption Usability Prize help? 
Tagline
Studying the intersection of usability, security, and public policy