Weak vs Strong Passwords

While moving from one web hosting provider to another, I came across a server log that showed a list of failed login attempts, detailing seven days of attempted break-ins near the end of this last September. Fortunately, my password is reasonably strong, but it could be a lot better.

Of the two dozen or more offending hosts, three of them collectively attempted more than 25,000 attacks. Most of the rapid-firing attacks lasted only a few minutes.

  • vivio.treda.com.tr (Turkey; 1,925 attacks)
  • [fizyk2.fuw.edu.pl] (Poland 11,239 attacks)
  • (China; 12,155 attacks)

Hackers frequently perform dictionary attacks on sites, using readily downloaded lists of commonly known weak passwords, such as admin, 1234, password, abc123, p@$$w0rd, asdf, qwerty, aaaa, and other easily guessed passwords. According to a recent study, 8% of all passwords in use today are a common word found in the dictionary followed by a “1”. With an abundance of word lists available online, dictionary attacks are often very successful. And fast.

I wasn’t too worried about the break-in attempts, because my login password for that website was seven random digits long — somewhat secure, considering that it is not a word contained in any dictionary and had both letters and numbers. But if someone where to obtain a hash of that password, modern computers capable of generating 3 million passwords a second could easily hunt offline through the 78.3 billion combinations (26 letters, 10 numbers, 7 digits = 36^7) in less than eight hours.

Choosing Strong Passwords

How do you choose a strong password to help foil the attackers?

  • Use the entire keyboard, not just the most common characters. Passwords should contain a mix of upper and lower case letters, numerals, special characters, and punctuation. Unfortunately, not all websites allow passwords to contains punctuation or other special characters.
  • Your password must be at least 8 characters long (it should be at least 10, and longer is even better). Even passwords with fewer than 15 digits have their own vulnerabilities. Each character that you add to your password will exponentially increase the protection it provides.
  • Don’t base the password on any personal information (dates, pets, addresses, kid’s names, cities, jobs, schools, ex-girlfriends, cars, etc.) or on any word in any dictionary in any language.
  • Don’t write the actual password down. My one exception to this rule is print a copy of banking, financial, and computer passwords for storage in a safety deposit box at the local bank. Instead, develop a mnemonic for remembering complex passwords. The mnemonic should be created in such a way as to be safe to write down.
  • Don’t otherwise tell your password to anyone. Ever.

Check the strength of your password with an online checker such as Microsoft’s JavaScript Password Checker. Don’t worry, using a password checker on the website of a reputable company doesn’t usually transmit your password over the Internet, only your JavaScript-enabled browser sees it. A word of warning: presented under the guise of providing a free service to the community, password checkers on unknown, remote websites might just be collecting passwords for later use…

In the meantime, I’ve taken my own advice. My passwords to access my web server and my banking websites are now between 15 and 20 digits long. That should continue to keep the bad guys out for the next sixty-four quintillion years.

45 Web Design Mistakes

  1. Don’t tease me with a splash or intro page unless you’re running an adult website. They serve no purpose other than wasting my time. Scale it down and add it as a feature on your home page.
  2. Don’t use embedded fonts. Period.
  3. Don’t create your entire website in Flash, especially just to display text. Take a lesson from Adobe, the makers of Flash. Notice that their own website isn’t entirely Flash-based. Shouldn’t that tell you something?
  4. Don’t launch your main website in another window after I’ve visited your home page. Mimicking the behavior of pop-up ads will chase away most people that might have been interested in your website, assuming your site gets past the pop-up blockers in the first place.
  5. Don’t make me use a specific browser, especially not Internet Explorer. If your website doesn’t work in Firefox, it shows that your web designers (or you!) have absolutely no clue about the Internet. This blog sees only 61% of its traffic from IE users, 27% from Firefox, and the remaining 12% split between various other browsers (Safari, Opera, and others) Why alienate a significant percentage of your potential visitors? You think I’m going to fire up Internet Explorer (and the hazards it brings) just to visit your silly little website?! Not!
  6. Don’t underline text unless it’s a link to another page. If I see underlined text, I expect it to be a link. See, isn’t that annoying?
  7. Don’t forget to spell check your pages and check them for grammatical errors. Offering “web desing” services and claiming that delivering “attarctive designs” is part of your “domain experties” is not the most convincing sales pitch.
  8. Don’t offer choices of high bandwidth, low bandwidth, HTML, or Flash. It’s like asking me if I’d like to enter your “crappy” store or your “better” store that requires a special key and a mind-numbing delay at the door.
  9. Don’t start playing music when I visit your home page unless I ask for it. The same rules applies to video streams with audio. If I want your website to make noise, I’ll hit the play button myself.
  10. Don’t make me try to figure out how to navigate your website. I am not going to sit there and try to guess how to get to whatever it is you want me to see.
  11. Don’t resize my browser window. I like it the way it is, thank you.
  12. Don’t put all of your text on one never-ending page so that I have to scroll forever to get to the bottom. The more information there is on a particular page, the less likely it is that I will read it. Plus, it just takes so dåmn long to load.
  13. Don’t make me scroll the browser horizontally because you failed to properly design and test your page. Just because it looks great on your monitor which is set at 1600×1200 doesn’t mean I’m going to see it the same way you do.
  14. Don’t make me rely on a built-in search engine to get me to the information I’m looking for unless your website contains hundreds of textual pages. Spend efforts instead on improving navigation.
  15. Don’t make it hard for me to figure out what the hëll your website is about. Nothing screams “hit the Back button” louder.
  16. Don’t scroll text across the page. It’s really annoying. Unfortunately, there are a few web publishers still trapped in the mid-1990s who think that kind of JavaCrap is cool.
  17. Don’t make text blink. Never. The HTML BLINK tag is evil, and so is anything that mimics it. Contrary to what these folks say, blinking text is NOT back.
  18. Don’t publish most of your text as images. It’s hard to read, search engines can’t pick it up, and it tells the world you have graphic designers that know nothing about producing content for the web.
  19. Don’t forget to add titles to your web pages. The title may be your one and only shot to get me to click to your website from Google.
  20. Don’t lure me to your website, only to show me pages with nothing on them, telling me that they are “under construction”. If your pages aren’t ready to publish, don’t publish them. I don’t need to know what it is you think you might be working on next.
  21. Don’t forget to create index pages in your folders. Web servers expect files such as index.htm, index.html, index.php, or default.htm. Without including those files, you may expose areas of your website you did not intend to. I recently found a set of documents containing a competitor’s entire supposedly confidential marketing strategy just by typing in the right folder name into my browser.
  22. Don’t assume that I have DSL or broadband. I do not want to have to wait six minutes to download your 700K Flash-based website just because I happen to be staying in a hotel in Peoria that does not have high-speed Internet. (see rule #3)
  23. Don’t overload my senses with too many fonts, too many styles, too many weights, too many sizes, or too many colors. It just makes it look like someone vomited on your website.
  24. Don’t use frames. There are good reasons why you might want to use frames but there are no good reasons to actually use them.
  25. Don’t use my browser to resize your images. Size your images in your image editing program before placing them on your pages. Images that are blown up in the browser look crappy and unprofessional, and images that are reduced in the browser increase the loading time of a page. The browser will never do as good a job as any image editing software and it looks terrible.
  26. Don’t use an incorrect image format. JPGs are best for photos, although the more you compress them, the worse they look. GIFs are best for images with large areas of a single solid color, for non-transparent icons, and for transparent images that do not need to blend into their backgrounds. PNGs are great for all types of images, especially transparent images that need to blend smoothly (as long as you apply a JavaScript fix for IE6), but they are often larger in byte size than the other formats.
  27. Don’t host your website with a free service such as Angelfire, GeoCities, or Tripod. They litter your site with banners and pop-up ads that are guaranteed to annoy your visitors and make you look bad. Visit GoDaddy, register a domain name for less than $10 per year, and then splurge on a budget-minded hosting plan that should cost less than $5 per month, you cheapskate!
  28. Don’t justify text because it interferes with readability.
  29. Don’t forget to put navigation links on every page. If I get stuck in your website’s equivalent of Timbuktu and I can’t figure out where to go next, I am more likely to close the browser than click the Back button.
  30. Don’t make it difficult for me to remember your domain name.
  31. Don’t make your domain name easy to remember for the wrong reasons. Graphic Art Sex Change?
  32. Don’t download someone else’s themes, templates, or plugins, call them your own, and then advertise yourself as a web designer. Just because you bought a copy of Photoshop doesn’t make you a graphic artist. Knowing how to use Dreamweaver, FrontPage, or GoLive does not necessary make you a web developer, especially if you can’t code in raw HTML, CSS, and at least one of the following without a GUI IDE: Perl, Python, Ruby, PHP, ASP, JSP, or XSLT (list subject to change as technology expands).
  33. Don’t expect to get a $5000 website for $250. You get what you pay for.
  34. Don’t change the size or weight of text in a link when I hover over it with my mouse. It tends to push everything haphazardly around the page, and it tells me that you really haven’t a clue.
  35. Don’t link images from another website into yours without their permission. That’s called hotlinking or bandwidth stealing. It’s wrong.
  36. Don’t bombard me with endless animation. If you have to have something animated, limit it to one item only. Preferably, have no animation whatsoever, even if it looks like a Monty Python sketch. It is really distracting. It is the “oh… my… god… I’m never coming back to your website ever again” kind of distracting.
  37. Don’t subject me to color combinations that are hard on my eyes or have too little contrast. Blue text on a dark blue background is really hard to read.
  38. Don’t mess with my browser’s Back button. The Back button is the second-most used navigation feature, behind hyperlinks.
  39. Don’t forget to periodically update your website. If your latest news is dated July of 2002, I’m pretty much guessing at this point that nothing else on your website is relevant, timely, or useful either.
  40. Don’t use an image as a background if you plan on displaying text over it. By doing so, your telling me that the picture is more important than the words, and I shouldn’t bother reading them. Not that I can, anyway.
  41. Don’t use an animated background. Ever. Having a completely blank page is better than having one with an animated background. Having a monkey shoved up your åss is more fun than viewing a website with an animated background.
  42. Don’t show me unnecessarily huge images. Use the smallest images necessary for the required detail or impact. Huge images are simply rude. They make you look like an amateur.
  43. Don’t prevent right-clicks on the page or an image. That just encourages me to view your source code so I can laugh at the god-awful mess you’re trying to hide. If I want a copy of that image you’re desperately trying to protect, I can easily get it anyway. So can everyone else. If you don’t want us to have the image, don’t post it on the Internet in the first place.
  44. Don’t use Microsoft Word to create web pages. It spits out code that is not even proper HTML. It’s impossible to maintain. Links often don’t work, stuff appears in strange places, and your content gets lost in a sea of code that search engines won’t bother to wade through. Not even Internet Explorer interprets the code correctly.
  45. Don’t break a bunch of these common-sense rules and then scream to the world that you’re a web designer.

Browser-Safe Color Palette

I’ve been creating and publishing content on the Internet for more than a decade.

Back in those early days when I first began, one of the very few fundamental rules of web design was to use a browser-safe color scheme that could be properly displayed with graphics cards and CRT monitors that were limited to displaying a mere 256 colors — a once-common limitation that is in deep contrast to today’s ultra-high-end equipment that can generate in excess of 200 trillion colors.

For new designs, I often consulted online references to help me choose the right colors. Unfortunately the color palette was always presented in rectangular charts, making it difficult to select subtle differences in tonal relationships.

I wanted a better solution. It took over two years (not all at once, mind you!) to create a pure HTML layout that was mathematically sound, visually communicative, useful, and (dare I say) cool. I am proud to say that my visual reorganization of the palette was one of the first published successful attempts to do so, if not the first.

Today, while there is certainly no harm in using the standard web-safe palette, the need for using it seems antiquated and outdated, and many designers ignore the old mandate — assuming they even know about it in the first place. However, there are still valid reasons to stick with the old rules, or at least remember and be aware of them.

As the Internet becomes more and more accessible by devices other than your flat-panel monitor that can handle 16 billion colors, it may still make sense to use the browser-safe versions; it was only a few years ago that Internet-enabled cell phones surpassed the ability to display 256 colors. Both safe mode and the default display settings right out of the box on many Windows machines are still set to 256 colors. Many people don’t know that they can change that setting, let alone know how to do it.

Choose a palette suitable for your visitors. If your website audience is expected to be students, enterprise users, seekers of multimedia, or more high-tech users, stepping outside the palette is fine. Google (targeting all of the world’s users) tends to use browser-safe colors more frequently than sites like Facebook, Flickr, or YouTube.

Another subtle and often-overlooked benefit to using the 256-color palette is that the more common 16.7-million-color palette of today makes it much easier for web designers with absolutely no knowledge of color theory to create horrifically ugly websites just that much easier!

My advice is two-fold: Do what you want, but play it somewhat “safe”. Web-safe colors are still the best choice for large flat surfaces of color, especially when overlaid text is involved. Almost anything else goes for the rest.

The palette in this 2007 posting was a republishing of the original one I finished in 1998. Keep in mind that in order for the colors to be represented properly, my model includes all 256 possible color combinations for symmetry, not just the 216 “safe” colors.