Wednesday, August 25, 2010

The Weakest Link: Password Reminders

Security vs. Ease of Use...always is a tradeoff.

I always use an example of a car security system in class. If I could GUARANTEE that no one could steal your car, and it wouldn't be expensive to install, you'd probably go for it, right?

What if I then told you it would take 90 minutes to get into the car? At that point, the security isn't worth it.

Generally, when you sign up for accounts, you are given very few choices for password hints. For example, what is your mother's maiden name? Or, where were you born?

The problem is that some of these things can be found out from social networking sites or even from personal knowledge. For example, if you friend your mother, everyone who is a friend of yours now knows the answer to that security question, especially if you use the Facebook "related to" option to show she is your mother. "Where were you born" can often be guessed as well, even without Facebook. Where I went to high school, I would guess that most of the students were born in the same hospital. In more rural areas, that isn't as tough a question as you might think.

A good private investigator might chat you up in a bar to find out the answer to the question "what was the name of your first pet", if the answer to that question is valuable enough. In divorce cases, this sort of information can be a gold mine. If you are going through a divorce, remember that things like birthdays and anniversaries are things your future ex may know, and they can circumvent your password that way.

Even things like "what is your blood type" aren't great, because how many possible choices are there? (A, B, AB, and O, I think). Even questions like "who is your favorite actor/actress" are tough, because answers change.

On the other hand, no one wants the question to be "pick your favorite number between 122 and 488".

Some sites will let you create your own questions, which present their own problems. People may tend to make even easier questions ("what is your middle name"), or really poor questions ("what color shirt are you wearing"). Yes, I've seen questions like this when helping people.

One of the better questions I have seen is "what is your father's middle name". I couldn't tell you the middle names of my friends' fathers, so this would require a little more work. Other good questions might be "what was the first bone you ever broke" - certainly something you would remember, but still vague.

Another clever idea that hasn't taken off is "Passfaces", where people use visual reminders as a password. Clever idea either as a replacement for a password or as something to augment password reminder security, but not mainstream yet.

The best defense is to pair sets of questions together, asking people to answer multiple questions to get access. Another way would be to give people a checklist, for example, ask "which of the following statements are true about you", give a list of 15 things, and have the person check off which they have done. For example, give statements like:
I have shoplifted something worth more than $10.
I have been to Cincinnati.
My first car was white, yellow, brown, or green.

Have the person check off yes or no for each, and they are only granted access if all 15 questions are correct. Even if someone tries to guess their way through that, that is hundreds of possible responses. The problem here is that the best questions are the deeply personal ones that no one else knows the answer to. These are also the questions people might be shy about answering honestly. For example, the "shoplifted" question is good, but would I really check off "Yes" if this were a password reminder for a company I work for?
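The checklist idea above, as an added example that is not part of the original post: a Python version of the all-or-nothing check over 15 yes/no statements, plus the odds a blind guesser has against it compared with the four-choice blood type question. The function names, the five-try lockout and the hashing parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

N_STATEMENTS = 15        # checklist size used in the post
MAX_ATTEMPTS = 5         # assumed lockout threshold (not from the post)
PBKDF2_ROUNDS = 100_000  # assumed work factor


def _digest(answers, salt):
    if len(answers) != N_STATEMENTS:
        raise ValueError("expected %d yes/no answers" % N_STATEMENTS)
    pattern = bytes(1 if a else 0 for a in answers)
    return hashlib.pbkdf2_hmac("sha256", pattern, salt, PBKDF2_ROUNDS)


def enroll(answers):
    """Keep a salted hash of the whole yes/no pattern, not the answers.

    The pattern has only 2**15 values, so the hash will not survive an
    offline search of a stolen record; it just keeps sensitive answers
    (the "shoplifted" kind) out of the database in the clear.
    """
    salt = os.urandom(16)
    return {"salt": salt, "digest": _digest(answers, salt), "failures": 0}


def verify(record, answers):
    """All-or-nothing check with a failure counter.

    Returns only True/False, so a guesser never learns which statements
    were wrong. Once locked, even the right answers are refused.
    """
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    ok = hmac.compare_digest(record["digest"], _digest(answers, record["salt"]))
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok


def blind_guess_success(answer_space, attempts):
    """Chance that a guesser trying distinct answers gets in before lockout."""
    return min(1.0, attempts / answer_space)


if __name__ == "__main__":
    print("blood type (4 choices):", blind_guess_success(4, MAX_ATTEMPTS))
    print("15 yes/no statements:  ", blind_guess_success(2 ** N_STATEMENTS, MAX_ATTEMPTS))
```

The numbers only hold for someone guessing blind; anyone who knows you well can answer most of the statements outright, which is why the lockout matters more than the size of the list.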

Or, you can do what I do, and give fake answers to the questions in a way that you will still remember it. Or, just use your mother's maiden name everywhere and wonder how all your accounts got hacked on the same day.

Tuesday, August 17, 2010

A Vision of Students Today

Students learn differently today than they did even 10 years ago when I was in college. I've been at a number of meetings at PCCC where they emphasize this. It's never easy to change teaching habits.

A few years ago, a professor at Kansas State University put together a video that describes some of these things. Writing on the blackboard should be replaced by more entertaining ways of learning. I grew up on Nintendo, and I personally was bored in college by straight lecture. I think that education is changing, and I think a lot of professors feel like if they are paid to lecture for three hours, they should be lecturing for three hours. I saw this video for the first time last week at an adjunct orientation at Bergen.

I feel like online classes have helped create some momentum in education reform. Professors have had to find ways to redesign education, and this is a good thing.

This video definitely gave me something to think about.

http://www.youtube.com/watch?v=dGCJ46vyR9o

Friday, August 13, 2010

My Fall Plans

As I mentioned earlier, I am taking a leave from PCCC in the Fall semester. I mentioned earlier that I wanted to recharge. However, that doesn't mean I am going to do nothing with my time.

One thing students do not always get to see is how active some professors are outside the classroom. I know it took me three years at Montclair State to figure out that my professors actually had other obligations besides teaching and office hours and course development. I guess it just never crossed my mind that all sorts of things need attending to.

For example, who approves changes to courses and programs? There should be some sort of process where other people in the college can discuss proposed changes. One of my duties has been to prepare some of our curriculum changes, filling out the appropriate paperwork, and getting my department on board. This also involved presenting the changes to our Curriculum Committee (ably chaired by another member of my department, Professor Bamkole). If there were changes suggested by that committee, I would then incorporate them. I would need to present them again at the Academic Council - this is the entire College community. Again, people could make suggestions and I would need to incorporate them. Any small change to a course required at least three meetings and a number of possible revisions. In other words, rewriting a course description might take 30 minutes to rewrite and then 5 hours to document, present, revise, re-present, and revise.

Point being, there are a lot of responsibilities of being a full-time faculty member that are not necessarily obvious. I wanted to update you on my fall plans.

First of all, I will be teaching two classes at Bergen Community College. I am scheduled to teach INF-101-004 (similar to PCCC's CIS 101) and INF-163-001 (similar to PCCC's CIS 152 class, but with more technology and less business). The courses both meet in the late afternoon, which is interesting, since we generally have problems filling classes in those time slots at PCCC. Bergen does things a little differently, so I am working on getting fluent in their WebCT/Blackboard system, as well as learning the INF-101 textbook. It's a book that is taking a really interesting approach to things, and I look forward to trying it out.

I am also working on a few side projects.

I am working on doing some of the supplements for a new edition of the Exploring Access 2010 textbook (test bank questions, etc). I am also working on a manuscript for an Office textbook.

I also will be doing some work with teachers and possibly students through the PRISM program at Montclair.

Should be an interesting semester, to say the least.

Wednesday, August 04, 2010

Microsoft Digital Literacy

Microsoft has a new program available called Digital Literacy. This is part of their efforts to help educate America.

As part of it, they have a set of free trainings available on their Web site. One is a basic computer literacy training, and the other is a slightly more advanced Microsoft Office and Windows training.

For free, why not, right?
