May 28, 2008

Help me escape from Password Hell

Filed under: Web Survival, General Geekiness | Lindsay @ 11:24 pm

My employer is performing the annual round of security training over the next couple of weeks and everyone received an email announcement today about it containing the following advice:

To help protect your personal financial information, you should have a different and unique password for all online services that you use. Remember, the best passwords use a combination of upper and lower case letters and numbers. An easy way to create and remember a unique password is to think of a catchy phrase, and then use letters and numbers from the phrase to create your password.

While most would think that’s great advice, my immediate thought was “that’s insane! I have accounts on more than 100 services on the web! How can I possibly remember unique passwords for each one??”

I am a ravenous beta web application junkie, and I probably use at least 10 web services (email, rss, bookmarking, etc.) on a daily basis which all require passwords. And of course there are passwords that I use at work to access various systems, account passwords on the home computers and network, account credentials for my sidework clients (who depend on me to keep up with them!) and many more I’m sure I’m not thinking of right now.

I replied to the email and asked for suggestions of how to apply the advice in my situation. The response: try a password manager. But I’ve looked at those before and there’s a flaw - they can only store and retrieve your passwords on the computer you install them on. It’s not as if I would only access passworded accounts from one computer. I have a computer at home (actually 4 to choose from at this point!), a computer at work, a Pocket PC phone, and a wi-fi enabled iPodTouch (when I borrow from the hubby), not to mention I do occasionally go places with computers I don’t own like my family’s houses. If I install a password manager on one computer then how am I supposed to use it on any of the others? Passing this on as a reply to the reply got no response.

My applied solution to the password overload problem has not been elegant. I hadn’t planned this method but it’s what I’ve fallen into. I basically have about 4 “levels” of passwords with about 10 total variations. That’s about as many as my brain can keep up with. Whenever I sign up for something I ask myself a few questions and pick a password:

Level 4

  • Attributes: Short, very simple
  • Variations: 1
  • Typical scenario: usually on a beta service signup
  • Questions answered “No”: Do I trust this service to keep my password? Will I ever use this service more than a couple of times?

Level 3

  • Attributes: Longer, still simple
  • Variations: 1
  • Typical scenario: on services I’m likely to use more than once or were highly recommended so I “trust” them.
  • Questions answered “No”: Will it be the end of the world if someone figures out my password and logs in as me?

Level 2

  • Attributes: Longer, with complicated numbers, symbols, capitalization
  • Variations: 3: chars with number, no symbols; chars with number and symbol; chars with number, symbol and capital
  • Typical scenario: a service that requires me to use passwords that meet their criteria
  • Questions answered “No”: Will this dang thing let me sign up already with level 4 or 3 passwords?

Level 1

  • Attributes: Relatively unique, using the whole “sentence as a password” thing to make something really strong.
  • Variations: about 5
  • Typical scenario: work credentials or a service that could expose my financial or other sensitive data
  • Question answered “Yes”: Would it be devastating for someone to get access to this info?

But there’s still all the services that insist that you change your password every cycle (especially at work). I’m guilty of putting a number at the end and incrementing those so I don’t have to remember something new.

There has to be a better way to deal with all this stuff. I’ve thought about keeping a list online somewhere but that seems inherently vulnerable. And, no, OpenID can’t fix this for me. So how do you manage account/password hell?


May 26, 2008

Hello World 2.0

The new standard starter project for any web-based code library is creating a Flickr gallery widget. It’s Hello World 2.0.

May 17, 2008

Why Twitter won’t be mainstream.

Filed under: Web Survival, Informatics, General Geekiness | Lindsay @ 12:14 am

I’ve been inspired recently to resuscitate my months-neglected Twitter account as an experiment because I’ve been seeing a lot of discussion on various blogs and FriendFeed touting all the benefits of being active with Twitter such as crowdsourcing, socialization and meeting new people with common interests. Most of these posters list their favorite Twitter services in a “quickstart” guide and seem to heavily imply that it’s easy to get set up and quickly reap the benefits.

But the Twitter evangelists seem to be either social networking A-listers who generate massive, nearly instant audiences in whatever service they sign up with or they are people who spend several hours a day cultivating their networks by actively monitoring and responding to tweets and putting a lot of original tweets out themselves or both.

The problem is that Twitter can be a pretty lonely and discouraging service if you don’t have any followers and the people you’re interested in don’t follow you back. You can’t have a conversation if no one is listening to respond. How do you even reach out to people that you’d like to have conversations with if they don’t follow you? You can’t direct message them and there’s not even a guarantee that they’ll see your @replies. To be successful at Twitter you have to spend a lot of time making a reputation for yourself and hope that the people you follow notice and return the follow. Chances seem slim unless you put incredible amounts of persistence and ego stroking into it to capture their attention.

And that’s why Twitter won’t ever be mainstream. Early adopters are techno masochists but other people aren’t. We’re often willing to put in an amazing amount of time and effort into new services and put up with a lot of frustration from them with even the smallest amount of perceived benefit. But everyone else is more sensible. They don’t have the time or motivation to build a successful Twitter network, and they never will with its current implementation. I see some of the same problems with the social aspect of FriendFeed, despite opinions to the contrary.

I’m going to keep trying for a while, with some good advice on the how instead of the why, and see if I can get my tweets out of the echo chamber, but I couldn’t honestly recommend Twitter to my coworkers or family members at this point because I know they wouldn’t be willing to spend the time and effort to make it benefit them. I see value in the idea of the service. I think eventually, once we get filters and intelligent agents to be our attention guardians we’ll be able to have good two-way conversations without the whole follower/followee model. At that point, Twitter will just have turned into a framework or protocol, but obviously it’s going to be a while before that happens.

Maybe I’m missing something and the Twitter-ken can tell me what I’m doing wrong. Please feel free to enlighten me!


April 25, 2008

Dreamhost’s 500GB hosting really is a dream

Filed under: Web Survival, General Geekiness | Lindsay @ 11:26 pm

Lesson reinforced this week: If something sounds too good to be true, it probably is. Case in point: Dreamhost’s supposed 500GB hosting plans entice you with the promise of lots of space for cheap (about $11/mo) but you can’t use that space for file storage.

I have been trying to make up my mind about an off-site backup service for more than a year now. I kept looking at Amazon S3 but, as cheap as it is, it still seemed expensive, especially because I have around 350GB of data I need to back up. Most file backup/storage sites only give you a tiny amount of space (who only has 5GB worth of data to back up these days??) or charge you hundreds of dollars a month for as much storage as I needed. The main options that were even partially affordable were hosting by Dreamhost or GoDaddy, or Amazon S3.

We have had an account with Dreamhost now for a few years and while it hasn’t been 100% uptime we hadn’t had many other problems with them in general. We have 5 live websites on the Dreamhost account but we’re only using a tiny fraction of the almost 540GB (growing weekly) of available space. I couldn’t justify paying for S3 if we were already paying for the space on Dreamhost.

So I uploaded about 80GB worth of pictures. Within a few days I got a notice that the files weren’t directly related to website hosting and I had 3 options: remove all the files, change the account to a file storage account for $0.20/mo/GB or do nothing and have the account suspended. Doing a bit of research turned up that there was some fine print in the ToS that says they have the option to charge you extra for files that are hosted and not related to website hosting.

I rolled my eyes and started the week-long process of ftping up to my Amazon S3 account instead. It’s actually cheaper by $0.05/mo for storage than Dreamhost’s rate. But it was a busy week and I forgot to remove my files from the Dreamhost account until about 10pm on the deadline day…

Dreamhost suspended our account, cutting off the live websites we were hosting. Now maybe we deserved that for not making the deadline but their reply system for the support emails kept bouncing back our requests to delete the files and restore our account. We supposedly had call-support with the plan we were on but there’s no phone number on the site for you to get in touch with anyone. We were scrambling till we finally thought of submitting a ticket on the website instead of trying to reply to the original suspension email again. Our sites were down for about 24 hours and we are not happy campers.

I’m disgruntled with Dreamhost for several reasons:

  • Not making it completely clear on their hosting plan description pages that you can’t use the space for file storage, which resulted in me wasting my time uploading all those files in the first place. Who the hell has 500+GB of files related to their website to host?? Are they really going to let you do something like your own YouTube on a $11/mo web hosting account? I’m tempted to try it just to see if they suspend me for “legitimate” web hosting of that much material.
  • Not having some kind of way to contact them by phone in an emergency, especially when we were supposed to have call support on our plan. We found out that it’s really “call back support” meaning you email or submit a ticket and they’ll call you when they get to it. That doesn’t cut it when your sites are down.
  • Not having their email support system working for replies. It was barfing on the format of the subject line that was generated, not something we would know how to fix to make sure the email got through. When email is the only means of contact it’s important that the system be robust enough not to bounce back replies to your support tickets!!
  • And, as a side issue, I’m still upset that they consolidated all their hosting plans into one option that is half as expensive as the plan we were on but with only minor differences in features, but they didn’t bother to notify us of those differences or that we could be saving money by switching. Since we just always go directly to panel.dreamhost.com and don’t bother to go look at the plan options on the main site, we didn’t know about the changes. We were paying double what we needed to for almost a year.

It’s frustrating because when we’re actually able to GET support from Dreamhost they’re always nice and helpful. It’s just too hard to get someone to respond in a reasonable timeframe from an email or when the email system is not working.

I’m using S3 for backup and after this experience we’ll be looking for a new host soon as well. For all those people who have debated about whether you should use Dreamhost or S3 for backup, the answer lies in a new take on another old adage: “You don’t get what you don’t pay for”. Amazon S3 is the way to go.


May 24, 2006

It’s a Fugture!

Filed under: Development, My Life, General Geekiness | Lindsay @ 9:44 am

Yesterday a friend of mine coined a new term that will be one of my favorite words for a while. I was doing some testing of a functional area of the website we’re working on and found some unexpected behavior that at first I thought was a bug but on more thought, and realizing that it had some benefits, determined it might actually be a feature that we just didn’t document very well for the user.

I IMed my friend who’s managing the project and explained my thoughts…

Friend: interesting… what’s the cross between a bug and a feature? beature? fugture?
Lindsay: heh.
Lindsay: I like fugture
Lindsay: or fug for short :)
Lindsay: beature is too much like beautiful… and a fugture is anything but beautiful!!

So it’s all Fugtures now, baby!

New terminology can make old problems into their own solutions! Instead of spending hours working out the fixes for the mile long list of change requests you inherited with maintaining someone else’s old code, just tell the client that it’s fine the way it is…call it Fugture-Rich!

Too bad it doesn’t really work that way… oh well, back to searching for some more fugs to squash.


May 15, 2006

Technical Interview 2.0

Filed under: Development, Brainstorm, General Geekiness | Lindsay @ 2:27 pm

I read a great article by Kathy Sierra of “Creating Passionate Users” fame this morning. She brought up the point of how glib talking people usually get their way more often than their less-articulate counterparts. While it is not always true that the fast-talkers are wrong, the problem comes in when the deep-thinkers are overlooked when they might be right.

Kathy’s article was in the context of making business decisions, having meetings about development issues and deciding on a course of action. But the discussion made me think about another conversation I had recently with a developer friend about interviews for development jobs.

It seems as if technical interviews are definitely stacked in favor of the glib. Considering the fact that many of the best developers (at least in my experience) are often the introverts and don’t like to rush into things headfirst, they are at a disservice with the typical method of interviewing.

It usually goes like this:

  • You get the “Tech Screen”: a 30-45 minute phone barrage of very specific (to the point of “Trivial Pursuit”) questions on code syntax, platform terminology and even IDE menu options. Under pressure, it’s often difficult to recall that kind of information, and questionable whether much of it is worth knowing off the top of your head. That’s what Google, intellisense and your ability to point and click are for. Frankly, I’d be suspicious of people who do know the name of the 3rd item under the Tools->Debug menu as either being obsessive compulsive or “cheating”. And just because you do know all of the trivia doesn’t mean you have problem solving skills.
  • If you can get past that stage you’re typically brought in to interview in a conference room with one or more people warily (or wearily, depending on how many interviews they’ve already done that day) staring at you from across the table who briefly explain some super difficult business problem that has plagued them for several years and expect you to come up with a watertight solution with about 10 seconds of forethought. Either that or you get the “Mensa from hell” type of “logic” problems involving gas stations and blenders that you may or may not have the worldly experience to figure out in the limited amount of time you have to spit out your answer. Cross your fingers, turn on the glib and buzzwords and hope your stream of consciousness answer is somewhat acceptable.

It’s amazing that any introvert developers get hired!

A developer’s job is about solving problems, but not instantly. It’s about learning new technologies and methodologies to solve those problems if you don’t already have the appropriate knowledge. It’s about becoming aware of your environment and working within those constraints. And it’s about efficiency: using whatever tools you can find to save you time, reusing things you and other people have developed to keep you from reinventing the wheel and leveraging whatever knowledge resources (search, books, friends) you have available to you to get the job done. But all of that takes time, and those skills are not accurately measured in the typical kinds of interviews that I and other developers I know have been exposed to (or given!).

Wouldn’t it make more sense if you were given a set of reasonable project requirements with the tools and environment you’d be using at your potential employer (see virtualization) and access to whatever personal tools you’d use if you were working there (i.e., internet access, IM, phone, your library of code snippets, your favorite books), and allowed to take 8-24 hours to complete the project to the best of your ability? Then your potential employer could review your work and call you in for a code review so you could justify your choices. Someone who got through that process in good standing would stand a lot better chance of being successful in your company in the long run. It would give people a chance to be judged on what they DO and not what they SAY. And it would get rid of the fast-talking BSers.

“But what if you had your buddy code the whole thing for you?”, the interviewers might say. It doesn’t really matter if the code review process is implemented well. Since one more aspect of development is to be able to understand code that other people write, it’s still an appropriate test of someone’s ability. Who cares if you really wrote it if you can step through each part and thoroughly explain it to the interviewer’s satisfaction? If there’s still a question of aptitude, the interviewee could expand some functionality during the course of the interview. I have a whole network of developer friends with different areas of expertise that I call on when I need help with some concept I haven’t had to deal with before. And they call on me when I have knowledge that they need as well. We share code snippets all the time. It’s another tool. It’s another method. It’s just part of being a good developer. But in the end it’s all about whether the interviewee really understands the code that they’re presenting. If they didn’t write it this time but they understand and can explain it, they’ll be able to write it next time.

I would rather have someone come onboard at my company who had already demonstrated their capability with problems similar to what they will be expected to work with in my environment than take the chance that the silver-tongued person who knew all the answers can’t produce. That’s the risk you take with the standard tech interview process that’s all based on talk. Time for a newer approach!


March 2, 2006

Jumping the Geek Divide

Filed under: FutureSpec, General Geekiness | Lindsay @ 11:51 am

I’ve been thinking about the Geek Divide after Pete’s post yesterday on it (from which I found Scott Karp’s geek qualification list that inspired me to create my own).

This is a subject close to my heart, being what I am. But I often wonder, why can’t everyone just be geeky?? How come everyone doesn’t get excited about new technology? Why does the world have so many oblivious, uninterested or just plain ludditious people in it?

Yes, I am firmly entrenched in my little reality tunnel, but I often honestly wonder how people in this day and age can even avoid being geeky. I think it’s an age thing. Maybe things just move too fast for most folks over the age of 25…

I believe that most of the kids 16 and under will be geeks by default. Exposure to computers, the internet, cell phones and gaming consoles for their entire life can’t help but make it so. And it doesn’t faze them that it changes wholly in a matter of months. From their perspective, that rate of change is a normal part of life. And I think that’s a good thing because the rate of change is only going to accelerate.

TAD and I were very entertained by two “popular looking” high school aged kids at the Apple store the other night that were playing with an iLife on an iBook and had to call their friends on their cell and tell them to come see all the awesome stuff it could do. That never would have happened even 5 years ago. Every time we go there are gaggles of teenage girls ohhing and ahhing over iPods and cameras and laptops. It’s become fashionable to have geeky tendencies.

So maybe I’m biased (of course I am), but I’m thinking the Geek Divide, being more of an age issue, will resolve itself as the younger generation matures and starts becoming financially independent. These kids are used to putting time and effort into the things they use, they’re willing to endure the pain of the complexity over lack of features that most of us early adopters willingly go through now and they’ll take it for granted that it’s part of the experience. The issues that people have been talking about lately with “commercializing” Web 2.0 offerings will eventually just kind of fade away.

I’m not saying that “commercializing” isn’t important because it is, especially right now. Usability and feature value should always be major factors in the development of applications. Currently, and over the course of the next few years, the Geek Divide will still be a large chasm. But, I think that the level of user sophistication is going to go up radically after that. We’ll just have to be conscious of the needs of the geek-deficient and hold their hands until then.


March 1, 2006

You know you’re REALLY a geek if…

Filed under: My Life, General Geekiness | Lindsay @ 4:36 pm

I discovered Scott Karp’s blog today and the Top 10 List he created to evaluate yourself and discover whether you’re a geek or not…

Well, I definitely qualify if that’s the total criteria, but I think there are levels of geekness. Scott’s quiz defines the entry level. Here’s a quiz for the next rung of “You might just be a geek if…”

  1. You have ever installed an open source blogging framework on a server and then proceeded to customize themes and write plugins for it
  2. You have written a custom RSS aggregator and integrated it into your website projects and/or blog
  3. You have arguments about what Web 2.0 is and what it isn’t with your friends. Bonus points if you argue with your non-techie family about it anyway.
  4. You have ever stayed up past midnight playing with coding your new todo list with expandable priority sections just to say that “yeah, I can do AJAX”
  5. You have ever done a happy dance when someone on your “A-list” blog roll left a comment on one of your blog posts, your digged article hit the front page, or your blog post got listed on del.icio.us/popular
  6. You have 10 or more links in your del.icio.us archive that have the tag “daily” or “infodiscovery” (or equivalent).
  7. You have attempted to sell your attention data on eBay (ok, I haven’t done this one, but it’s an idea!)
  8. You have made a podcast
  9. You subscribe to RSS feeds that alert you to brand new beta sites and sign up for every beta you can. Bonus points if you try to contact the developers to discuss enhancements!
  10. You were ever picked on by your tech-savvy friends for being a geek

Admittedly, two of these I haven’t done, so I’ll say if you score an 8, you’re at least as geeky as me and that’s pretty dang geeky. I’ll leave the next tier list to someone else!!
