Thursday Threads: Password Managers, DRM coming to the Browser, Personal Data Brokers

It is a security/privacy edition of DLTJ Thursday Threads this week. First a link to a 3-page PDF that talks about the use of password managers to keep all of your internet passwords unique and strong. Next a story about how the W3C standards body is looking at standardizing digital rights management for browser content. And finally, a story about a site that one personal data broker put up that gives you a glimpse of what they know about you.

Feel free to send this to others you think might be interested in the topics. If you find these threads interesting and useful, you might want to add the Thursday Threads RSS Feed to your feed reader or subscribe to e-mail delivery using the form to the right. If you would like a more raw and immediate version of these types of stories, watch my Pinboard bookmarks (or subscribe to its feed in your feed reader). Items posted to are also sent out as tweets; you can follow me on Twitter. Comments and tips, as always, are welcome.

A Plug for Password Managers

One solution people often use is to write all their passwords down on a piece of paper, or even worse, write them down and then stick them on their computer monitor. (Ever look in the windows of closed office buildings and see monitors plastered with stickies?) This is poor security, as other people can find and read your passwords, especially if you travel and lose them or have them stolen. Instead, what we need is a solution that securely stores all of your passwords in a single location. Even better would be a computer program that simplifies the whole process by automatically retrieving your passwords and logging into websites and applications for you. Better still would be a program that could also generate strong passwords, and perhaps even store other confidential information such as your credit cards. Fortunately such a solution exists: it is called a password manager (or sometimes a password vault).
- Password Managers, OUCH! Security Awareness Newsletter, October 2013

Hardly a month goes by without word of a breach of customer information at a major online site. (This month it was Adobe Systems with 2.9 million accounts compromised.) Not convinced? See this "World's Biggest Data Breaches & Hacks" interactive infographic (via VentureBeat). The biggest problem is not necessarily that the passwords were stolen. The biggest problem isn't necessarily that once the passwords are taken from the site they become easier to crack. No, the biggest problem is reuse of passwords -- if the password you used for your Adobe account is the same as the password for your bank account, you've just simplified the crook's efforts to get into your bank. The conventional wisdom is to use a unique, long, random password (14 characters of mixed case letters plus numbers and special symbols) for each site. No one can hope to remember those kinds of unique passwords across the various sites most people use, and that is where a password manager comes in. With one very strong password you can keep safe all of the other passwords to internet sites. This 3-page PDF talks about how to do it. My favorite is LastPass, but there are others out there as well.

Digital Rights Management Coming to Your Browser

Here's the bad news: the World Wide Web Consortium is going ahead with its plan to add DRM to HTML5, setting the stage for browsers that are designed to disobey their owners and to keep secrets from them so they can't be forced to do as they're told. Here's the (much) worse news: the decision to go forward with the project of standardizing DRM for the Web came from Tim Berners-Lee himself, who seems to have bought into the lie that Hollywood will abandon the Web and move somewhere else (AOL?) if they don't get to redesign the open Internet to suit their latest profit-maximization scheme.

It is difficult to see how this ends well. If the content owners exert more control over content flowing through browsers it will become harder to exercise fair use rights on that content. I have some sympathy for rights holders, but only about as far as I can throw the corporate headquarters of some of them.

What the Internet's Advertisers Know About You

The Acxiom Corporation, a marketing technology company that has amassed details on the household makeup, financial means, shopping preferences and leisure pursuits of a majority of adults in the United States, ... is embarking on a novel public relations strategy: openness. On Wednesday, it plans to unveil a free Web site where United States consumers can view some of the information the company has collected about them... The data on the site, called, includes biographical facts, like education level, marital status and number of children in a household; homeownership status, including mortgage amount and property size; vehicle details, like the make, model and year; and economic data, like whether a household member is an active investor with a portfolio greater than $150,000. Also available will be the consumer’s recent purchase categories, like plus-size clothing or sports products; and household interests like golf, dogs, text-messaging, cholesterol-related products or charities.

- A Data Broker Offers a Peek Behind the Curtain, by Natasha Singer, New York Times, August 31, 2013

Now you have a chance to see how accurate the profiling of you is. I'd give it a grade of C- for me. It had the easy stuff -- home data, which was based on my address. It knew my birthdate because that was a required field. Other details were not so correct: marital status, age of children, vehicles, household purchase data, and other fields were pretty far off. Quite honestly, I'm pretty proud that what they think they know about me isn't all that accurate. I take that to mean that they have very little and/or very inconsistent data about me. If you look up your profile at, let me know how accurate you thought it was in this post's comments.