Entropy is a hard concept

Glenn Fleishman just published a really great article on Fast Company about the difficulty of creating truly strong passwords. This is something we struggle to explain in layman's terms on our site, so I'm glad we can link to something like this now. A strong password is surprisingly hard for humans to create without tools. Even worse, most passwords that people (including the tech-savvy) believe are strong are actually weak. For example, Glenn outlines in the article how seemingly secure, long passwords can be cracked easily using modern techniques. The term used to describe the strength of a password is entropy - what's that?

entropy |ˈentrəpē|

  1. Physics a thermodynamic quantity representing the unavailability of a system's thermal energy for conversion into mechanical work, often interpreted as the degree of disorder or randomness in the system.
  2. lack of order or predictability; gradual decline into disorder: a marketplace where entropy reigns supreme.
  3. (in information theory) a logarithmic measure of the rate of transfer of information in a particular message or language.

The second definition, "lack of predictability", is the key one here - we want passwords that are hard for others to guess. Most password rules evaluate entropy by counting the length of a password and the number of kinds of characters, without taking into account the fact that Glenn highlights in the article: humans use a lot of mnemonic patterns in their passwords, which have much lower entropy than their length would imply. This is why Meldium uses a realistic password strength meter, which was created and open-sourced by Dropbox. The entropy estimator we use knows that "Password11!!" isn't any better than "password" - both can be guessed in microseconds by an attacker. I look forward to Glenn's article teaching more people that the only way to have truly secure and unique passwords is to use a password generator!
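To make the difference between the two ways of counting entropy concrete, here is an added example (not code from the original post, and not the Dropbox meter it mentions). It scores a password two ways: the naive "length times character classes" rule, and a small pattern-aware estimator that splits the password into dictionary words, digit runs and repeated characters and multiplies the guesses an attacker would need for each piece. The ten-entry common-password list, the per-token guess counts and the guess rate of one billion per second are all constructed assumptions for the demonstration; a real estimator uses a far larger dictionary and many more pattern types.

```python
import math
import re

# Constructed toy list of common passwords, most common first. A real estimator
# uses tens of thousands of ranked entries; this is only enough to show the idea.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "monkey", "dragon",
                "baseball", "football", "welcome", "abc123"]
RANK = {word: i + 1 for i, word in enumerate(COMMON_WORDS)}

LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33  # printable ASCII class sizes


def char_class_size(ch):
    """Size of the character class a single character belongs to."""
    if ch.islower():
        return LOWER
    if ch.isupper():
        return UPPER
    if ch.isdigit():
        return DIGIT
    return SYMBOL


def naive_entropy_bits(pw):
    """The usual 'length x character classes' rule: log2(charset ** length)."""
    if not pw:
        return 0.0
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += LOWER
    if re.search(r"[A-Z]", pw):
        charset += UPPER
    if re.search(r"[0-9]", pw):
        charset += DIGIT
    if re.search(r"[^a-zA-Z0-9]", pw):
        charset += SYMBOL
    return len(pw) * math.log2(charset)


def tokenize(pw):
    """Greedy left-to-right split into (kind, text) tokens: the longest
    dictionary word first, then digit runs, repeated characters, and finally
    single characters an attacker would have to brute-force."""
    tokens = []
    i = 0
    while i < len(pw):
        best = ""
        for word in COMMON_WORDS:
            candidate = pw[i:i + len(word)]
            if candidate.lower() == word and len(word) > len(best):
                best = candidate
        if best:
            tokens.append(("word", best))
            i += len(best)
            continue
        m = re.match(r"\d+", pw[i:])
        if m:
            tokens.append(("digits", m.group()))
            i += len(m.group())
            continue
        m = re.match(r"(.)\1+", pw[i:])
        if m:
            tokens.append(("repeat", m.group()))
            i += len(m.group())
            continue
        tokens.append(("bruteforce", pw[i]))
        i += 1
    return tokens


def token_guesses(kind, text):
    """Assumed number of guesses needed for one token (constructed model)."""
    if kind == "word":
        guesses = RANK[text.lower()]          # rank in the common list
        if text[0].isupper():                 # capitalised variant: one extra try
            guesses *= 2
        return guesses
    if kind == "digits":
        return 10 ** len(text)                # every digit string of that length
    if kind == "repeat":
        return char_class_size(text[0]) * len(text)  # pick the char, then the run length
    return char_class_size(text)              # one brute-forced character


def pattern_guesses(pw):
    """Total guesses: product over tokens (a single guessing order is assumed)."""
    guesses = 1
    for kind, text in tokenize(pw):
        guesses *= token_guesses(kind, text)
    return guesses


def pattern_entropy_bits(pw):
    return math.log2(pattern_guesses(pw))


def seconds_to_crack(guesses, guesses_per_second=1e9):
    """Time at an assumed offline guess rate (constructed figure, not measured)."""
    return guesses / guesses_per_second


if __name__ == "__main__":
    # "g7#Kq2!vXm9L" is a constructed stand-in for a generator-produced password.
    for pw in ["password", "Password11!!", "g7#Kq2!vXm9L"]:
        print(f"{pw:14} naive {naive_entropy_bits(pw):5.1f} bits  "
              f"pattern {pattern_entropy_bits(pw):5.1f} bits  "
              f"~{seconds_to_crack(pattern_guesses(pw)):.2g} s at 1e9 guesses/s")
```

Under the naive rule "Password11!!" and the random "g7#Kq2!vXm9L" look identical (twelve characters drawn from all four classes), while the pattern-aware estimate credits "Password11!!" with only about 13,200 guesses: one dictionary word with a capital, a two-digit suffix and a doubled symbol. That is the gap the post is pointing at.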

Why your password is the next to get nabbed

Without a doubt, businesses today are being run in the cloud -- many emerging businesses are even 100% cloud. Goodbye file servers and hardware, and hello cloud applications and web services. With the rise of cloud applications comes a headache for individuals attempting to remember numerous user names and passwords, and even greater complications for businesses managing new security vulnerabilities.

How did this problem sneak up on us so quickly? Are our businesses really at risk? With this move to the cloud, passwords take center stage. Poor employee password habits or a lack of business processes can leave organizations deeply vulnerable in a number of ways:

  1. Forgetting to remove employee access to an application when an employee leaves
  2. Writing passwords down on paper
  3. Keeping passwords in an unsecure spreadsheet or file folder

It’s easy to fall prey to these bad habits. With so many passwords to remember, we default to simple and often repeated passwords. We choose the worst ones, built from our names, numeric patterns, and personally identifiable (and easily guessable) details. Users share account passwords over e-mail to get things done faster. Admins forget to disable unused accounts or the accounts of terminated employees because they just don’t find the time. The reality is that these bad habits, of both individuals and businesses, put company data at high risk and can be costly in the aftermath.

Check out the infographic below for some quick password security highlights.

The State of Password Practices

This past year we've seen many high-profile security breaches. In light of these events, businesses often question their password policies (or lack thereof). After all, duplicated or poor passwords in the hands of employees may be the weakest link in an enterprise.

The risks may seem obvious, but the behaviors of employees and businesses are what’s more troubling. Knowledge workers are mobile, cloud-savvy and use dozens of different applications to get work done. This means businesses are trusting their sensitive data to our (in)ability to remember strong, unique passwords!

We commissioned a study with ESG Research earlier this month to learn about password practices businesses use today. Our survey included over 500 respondents ranging from IT staff to corporate knowledge workers. We surveyed companies of all sizes (small, midmarket, and enterprise) across North America, UK, Ireland, Australia and New Zealand.

We're going to share the results of our research in early 2015 and below is a sneak peek of what's to come!

The Web Setup: BuildZoom

In this installment of the Web Setup, we spoke with David Petersen of BuildZoom, a fast, easy and safe way to hire a contractor. Here’s a look at how they run a fast-growing, collaborative start-up.

David, tell me about your team; what kind of office setup do you have?

Our core team is 20 people, 5 working in Customer Support in Oklahoma City and 15 here in San Francisco in Sales and Engineering.

We share an office with my brother’s company, Flexport, so we’ve got two fast growing start-ups in one space. 50 people in 100 square feet – it’s slightly insane. We’re moving next January but right now it’s definitely San Francisco start-up life, running on mostly MacBook Pros with some non-programmers using PCs, 50 desks and completely open space.

What web apps can your team not live without? How do you pick them?

I personally am extremely price sensitive; I have an aversion to signing up for new apps because I crave simplicity. Each one is something new to worry about – but there are so many apps that provide great services that we need.

Each app adds complexity, something new to worry about – but so many provide great services that we need.

Usually we’ll hear about one 2-3 times and realize it’s something we can use. With most, like Meldium, once we start using it, we realize we can’t live without it. One of the biggest stressors in my entire life used to be keeping track of 50 passwords. Every site has different requirements: numbers, upper case letters, lower case, punctuation, no punctuation – it caused me serious stress! I couldn’t get into my accounts, and then I started using Meldium.

Slack is the number one thing we use – we love it. It’s helpful and reduces e-mail. We use Trello for roadmap items, GitHub for tracking bugs, HelloSign to sign something (it’s a God send), Bugsnag lets users tell us when our site has a bug, Amazon Web Services (AWS) for all of our hosting, and HelpScout is how we communicate with the world.

We use a number of others as well: FedEx, Instacart, oDesk, RingCentral, MailGun, Mandrill, SauceLabs, MailChimp, BizSpark, Authorize.net, Optimizely, Olark, New Relic, Twilio, ZenPayroll, Zenefits – it’s a lot.

How do you hire and onboard new people?

Meldium makes it easy to get everyone onboard quickly with all of our shared apps; most of our employees have their own sign-ins, since they all use Meldium for their individual apps. We don’t do any firing – so we don’t have to use it to de-provision or offboard anyone.

What would be your dream setup? What would you wish were easier or better?

I would love to be in an office where we had 360 degree views of the San Francisco Bay area, from the 40th floor. I want my employees to be able to work together very collaboratively, sit near each other and not be interrupted.

For me, I want everything in my life to be simpler, more minimalist. From personal investments, to my work, to the apps we use. You can get very tempted to add complexity with different tools and services, and the toll of managing so many different things can sneak up on you. In every way, with apps we use or the stuff we build, I would rather do fewer things better.