Tag Archives: google

I’m published! – Unlike Us Reader out now

I got notification this morning that the new Unlike Us reader is now available. My essay, ‘None of Your Business? Analyzing the Legitimacy and Effects of Gendering Social Spaces Through System Design’ appears on pages 200-219.

You can read the release announcement at the networkcultures.org site here. The short trailer for the reader is also available on vimeo.

There are multiple ways you can get a copy of the reader. If you go to this page you can read it online using issuu. (It should be noted, however, that if you try to download it on the issuu site it requires you to register, and registration requires you to choose your gender as being either ‘male’ or ‘female’, displaying a perfect example of what I argue is a terrible practice in my essay. Needless to say, I don’t recommend downloading it through issuu!) You can also read and download it through scribd without having to register, or download it directly from the networkcultures.org site.

Of course, as the reader is shared using the CC BY-NC-SA 3.0 license, I can host it on my own server, too! (This is especially convenient because it appears the networkcultures.org site is currently down.) However, if you only want to download my essay, I’ve also uploaded an edited (remixed!) version that cuts out most of the other pages. Links to both versions are below.

Unlike Us Reader: Social Media Monopolies and Their Alternatives (3.9MB .pdf)

Andrew McNicol – None of Your Business?: Analyzing the Legitimacy and Effects of Gendering Social Spaces Through System Design (622kB .pdf)

Special thanks to Miriam Rasch and Geert Lovink who have done an amazing job with this release. I’m looking forward to checking out some of the other contributions once I get some free time.

Please share with anyone you think may be interested. And please feel free to comment or email with any constructive feedback you may have – I haven’t read through this in months, but I think there are a few sections I would change slightly.

Marginalisation remains in Google’s ‘more inclusive’ naming policy

In a post on Google+ today, Bradley Horowitz announced that Google+ have revised their handling of names in order to work “toward a more inclusive naming policy”. In itself, this sounds great, but I was right to be hesitant in my celebration.

Previous problems

There were many issues with Google+’s original ‘Real Names’ policy. Put simply, Google tells users they must use their real names on Google+ and, if it is suspected users are not complying with this, they may have their account suspended – unless they happen to be a high-profile celebrity, of course. Disregarding the obvious profitability that comes with accurate user data, we heard the typical arguments about how real names create accountability and make people play nice with one another. (I’m still far from convinced this is the case. Boing Boing has a nice, recent discussion on this debate if you’re interested.)

The Geek Feminism Wiki page, Who is harmed by a “Real Names” Policy?, which I keep linking everyone to, highlights the issues better than I can. Along with the simple technical issues – ‘Um, I don’t have exactly two names so I can’t fill in my real name in your system?’ – comes a long list of people who can not or do not want to use their real name for valid reasons such as safety, avoiding harassment, or not wanting their voice marginalised due to assumptions others make about them from their name.  This is a real issue for a lot of people directly, and for the rest indirectly – we lose their voices in the conversation.

So any improvements on the policy should be positive, right?

The changes

As well as facilitating more languages (this is great!) Google has allowed users to include a desired nickname along with their full, ‘real name’.  To be absolutely clear, there is no indication that users will ever be allowed to hide their real name from others. This is simply a feature that allows users to include additional information.

First and last names are still unable to be hidden on Google+.

I admit, this is a step forward, but it certainly is, as Horowitz states, “a small step”. They’re helping people use more complicated real names and they’re helping people be recognised next to their more common pseudonyms. But the people for whom major changes are more urgent are not assisted at all here. Those victims of assault who don’t want to be located by their abusers? Those people who dare to prefer that their social presence is not easily searchable by banks and potential future employers? Citizens who want their words heard for what they say rather than for the gender or colour of the hands that type them? They still need to be comfortable listing their full, legal names or not use the service at all. In short, they’re still not welcome.

Statistics and justifications

And this is where it pains me to read the justifications for this system change. It is claimed that because users submit three times more appeals to state a nickname than to use a pseudonym primarily, this is a reasonable response. However, if people do not want to declare their real names in the first place, then they would not fall under the category of ‘users’. They are not included as part of this statistic that wants to be included. However, if it’s simply referring to users attempting to create a new account (the wording is a little unclear), this isn’t including those who are aware of the real names policy and do not bother signing up as a result, or join using a fake name that the system happens to let through. They go unrecorded.

Of course, there are other issues with the wording as it stands – just because someone doesn’t submit a name appeal (I haven’t!) it doesn’t mean they have no opinion on this issue or would not be negatively affected by Google doing nothing – but the suggestion that allowing pseudonyms is an unimportant feature request because of some careful number gathering appears to be an indication that they’re just going to keep on avoiding this legitimate concern. They’ve “listened closely to community feedback” but decided to only implement those changes that don’t question the original real names policy.

In short, I believe the stated 0.02% of users who submit a name appeal to use a pseudonym is a strong under-representation of the number of users who would actually prefer this option – not to mention those who would simply like it to be available, even if they don’t change their own name to a pseudonym.

Every time I see Google implementing a new feature, I see ever more clearly who they really are.

I read Alan Moore’s V for Vendetta this afternoon while thinking about social media service exclusions. The following verse from V’s sardonic, “This Vicious Cabaret”, struck me as relevant here:

There’s thrills and chills and girls galore, there’s sing-songs and surprises!

There’s something here for everyone, reserve your seat today!

There’s mischiefs and malarkies . . .

but no queers . . . or yids . . . or darkies . . .

within this bastard’s carnival, this vicious cabaret.

So, I admit it may be a stretch to suggest Google is comparable to the fascist, post-apocalyptic governing body in power throughout most of the story, but the point is, if these services do what they (as corporations) intend to and gain a strong user base, while also refusing service to significant demographics and important voices, they begin to erode those democratic elements of communication we were promised at the dawn of the Internet.

And this isn’t the world I want to live in.

Gender and sex interchangeability on Facebook

I heard that Facebook’s ‘sex’ field once said ‘gender’, instead.  This somewhat disturbing interchangeability of two very different words, I feel, helpfully highlights the disconnect between Facebook and the complex individuals it attempts to categorise.  Understanding the difficulties involved in gathering historical information on closed software interfaces, I nevertheless looked for evidence to support the claim that the field name had changed from ‘gender’ to ‘sex’.

‘Sex’ influences gendered pronouns on Facebook.  This is clearly visible on profiles, and just about anywhere users are referred to in some way.  This imposed one-to-one relation is also apparent from the language used in ‘He/She/They: Grammar and Facebook‘, a June 2008 post from The Facebook Blog.  It is claimed that some languages have difficulty with non-gendered pronouns.  “For this reason”, they write,

we’ve decided to request that all Facebook users fill out this information on their profile. If you haven’t yet selected a sex, you will probably see a prompt to choose whether you want to be referred to as “him” or “her” in the coming weeks.

The post goes on to say,

We’ve received pushback in the past from groups that find the male/female distinction too limiting. We have a lot of respect for these communities, which is why it will still be possible to remove gender entirely from your account […].

(Of note is the fact that it is currently impossible to remove gender from your account, like it supposedly was in June 2008.  Hiding your sex status from everyone does not stop Facebook from referring to you using gendered terms (or using a gendered default picture, if you have no profile photos visible) that relate to your declared sex.)

According to a Facebook user (quoted in Emily Rutherford’s June 2009 article ‘Choose One‘) “this is the only peep ever heard from Facebook regarding this issue”.  Two years later, there are still no other mentions of these options in The Facebook Blog.  Google encountered similar issues with non-gendered language translation in Google+, but managed to get around it because they felt user privacy was more important than the discomfort felt by those few who are uncomfortable reading ‘their’ or ‘they’.  (Also of note, Google are not guilty of instituting a culture of sex/gender interchangeability.)

Looking further I found a few interesting conversations and projects people worked on in response to concerns over this limitation.  Sadly, it appears any and all petitions calling for a revision are ignored.  However, I did come across one highly intriguing comment in the Expand Gender Options on Facebook Petition page that claimed setting your language from ‘English (US)’ to ‘English (UK)’ changes references of ‘sex’ to ‘gender’.  That couldn’t be right, I thought, and had to test it out immediately.  But lo and behold, changing the language on your profile options page or the welcome screen, for example, changes the field title.

I have absolutely no idea why this is the case.  Is the gender/sex difference actually considered to be a ‘language difference’ by the Facebook team?  Are different people in charge of the UK translation who happen to have different views on the appropriateness of this field — and hold the power to implement different terminology?

I’m still yet to find any evidence of when — or if — Facebook changed the terminology for all users, but this discovery reveals a situation whereby Facebook is using different terminology to relate to the same field, depending on what settings are used.  I played around with it and confirmed that this difference extends further than self-expression within your own profile — open up the profile page of a user that displays their sex or gender to you and switch your language settings between UK and US English and see what I mean.

This language setting, then, represents a sort of cultural lens through which we understand other users.  What it also represents, however, is a systematic disregard of users’ sex and gender performance.  If I wish to declare my sex in a particular way but others read it as my gender identity (or vice versa), I am being misrepresented.  Some may feel comfortable declaring male or female using one language rather than the other, but the recognition of misrepresentation may destroy any sense of freedom experienced through this act of expression.

In my previous post on sex legitimisation on Facebook I wrote

In the case of Facebook, many of us have lost the power of accurately expressing our identity because we have complied with a system whose context disagrees with our own understanding of sex categorisation.

Now I know there are two systems operating simultaneously I realise it’s actually worse than this.  No one can express their sex or gender identity accurately on Facebook unless they believe, just as Facebook has asserted, gender and sex are exactly the same thing.

Search terms and search times

I started doing some research on search engine results and online identities this morning for a presentation I’m preparing for later in the year.  Like anyone, I was interested to see what comes up when I type in my own name.

Searching ‘Andrew McNicol’ in Duck Duck Go gives many results, but as it’s a common enough name there’s nothing about me until entry 12, which points to a small article about dried papaya that I helped edit once for my local food co-op.  I have no idea why this is deemed of higher relevance than all the other instances of me, using my full name, on the Internet.  The next entry relevant to me is 26 which mentions my participation in my faculty’s three minute thesis competition earlier this year.

I use the Duck Duck Go search engine because I appreciate its focus on user privacy.  An effect of this is that results aren’t reordered for an assumed relevance to me.  This helps me to see here what an average person would if they searched the same terms.

More related to me than my full name is the username ‘mcnicolandrew’ which I’ve used for various services.  The first five results in Duck Duck Go relate to me.

Just over two months ago, I wrote about this new blog and how I chose ‘exhipigeonist’ as my new username for various services.  At the time, searching the name in Google returned zero results!  Since then I’ve blogged here a little, and changed account names on Twitter and various software forums.  Right now, google.com returns 218 results for the query; Duck Duck Go returns 5.  I thought this would be an excellent opportunity to see what happens to a username after its recent introduction to the Internet.

Google, obviously, has more thorough and/or intrusive webcrawlers.  For everyday searches this makes little difference to me, but here it is valuable in giving me a picture of what my username has been doing, quietly in the background while I’m not looking.  Twitter is the first result in both search engines.  I’m not certain why, but it’s perhaps safe to say it’s because I had been fairly active there soon after changing my account name.  My blog comes up shortly after, followed by a few forum discussions on OpenOffice.org and Linux Mint.  My new website (not active yet, I’ll keep you updated) appears eventually.  Twitter accounts for even more results because posts are public and are easily cached by services wanting to record conversations (I’ve occasionally participated in the weekly #privchat discussion, which apparently qualifies me to be on ‘legal professionals’ lists) or map user connections.  Then I get a few more unexpected hits.

Perhaps the strangest is a post on us.hotmai.org that has copied the content of one of my entries and posted it.  I don’t know if I’m comfortable with that, even if they did credit me at the top.  I guess it’s alright, but notice would have been nice.  (Do I have trackbacks enabled?  I’ll have to check.)  There does not appear to be a way to easily contact the blog owner about it if I wanted to.

I also see many results from sites which appear to cache blogs which talk about Dell computers, linking to my post about my home computer setup.

Lastly, there appears to be a very specific WordPress category entitled ‘Community Paranoia Surveillance Socialengagement Unsw Computers’ which highlights a recent entry of mine as a ‘featured blog’.  I have no idea how these categories are decided on and this appears more than a little odd.

Most of these hits and the order they appear are unsurprising.  It’s a recently created pseudonym and it fairly accurately describes my Internet activity and relevance using this name over the past two months.  What will be more interesting to watch is how these results change over time, and how easily older activity gets lost in the results pages to prioritise current activity.  How relevant does Google consider temporality to be when calculating search term result order?  This is what is going to be integral to my research.


I begged for an invite and have thus sacrificed part of my dignity to become one of the (temporarily) exclusive group of people with Google+ accounts!

I had read a bit about the service already so much of it wasn’t new to me. I was more interested in the privacy side of things so once I had access I dove straight into reading the privacy policy and playing around with user settings. What follows are a few initial reactions.


People have written a lot about how this feature is either confusing or a breakthrough in social networking. I actually think it’s neither. I’ve been using a similar feature in livejournal for years (functionality to define and choose groups who can read individual posts has been around for almost a decade now – or more than that, as I’m not sure when livejournal first implemented it) and perhaps because of this experience I view such features to be a minimum standard of user empowerment and privacy. If I can’t define my audience on a post-by-post basis, I may fall into the habit of either censoring myself or not being as careful with my message content as I should.

In short, Circles are great and everyone should get in the habit of using them. I feel it’s important for this kind of thing to become a standard feature of social networking sites.

The ‘Gender’ field

Gender identity in a social media context is a strong interest of mine. I’ve written on this previously, but to put it simply, I don’t feel comfortable with the focus technological systems tend to put on gender (or sex) and hate it even more when they are restrictive and prescriptive.

Google+ earns a few points with me because, unlike Facebook, users have the option of choosing ‘Other’ rather than being limited to ‘Male’ or ‘Female’. However, Google+ loses a lot of points because users only have the option of choosing ‘Other’ if they don’t wish to pick ‘Male’ or ‘Female’.

Both services make this choice a mandatory one. All users must define themselves in relation to an out-of-date – and in many cases offensive – gender binary. Yes, I am aware that gender is viewed as a highly important field for marketing purposes, and that companies such as Google and Facebook find this information valuable, but for many users on social networking sites gender is either irrelevant or, at least, of no more importance than other, optional fields.

Of course, it can also be argued that gender status is important from a technical perspective, making it possible to use gendered pronouns throughout the system. However, Google+ appears to handle the ‘Other’ option’s syntax quite well. If this is a major reason, it should be clear to users so they can make an informed choice about their user experience. If they prefer gendered pronouns to be associated with their alerts, their profiles can be altered.

It’s about this point in conversations surrounding gender status in social media that I usually link to two great discussions from last year, on this topic in relation to Diaspora.

Sarah Dopp, “‘Gender is a Text Field’ (Diaspora, backstory, and context)”

Sarah Mei, “Disalienation: Why Gender is a Text Field on Diaspora”

Gender and privacy

Perhaps helped by my interest in both gender and privacy, I immediately recognised an issue with the Google+ profiles that conflicted with the Google+ Privacy Policy (28 June 2011 version) which states,

In order to use Google+, you need to have a public Google Profile visible to the world, which at a minimum includes the name you chose for the profile.

As I was playing around with the privacy settings in my profile, I noticed that I could not change the visibility of my Gender status. This meant that my Google Profile, at minimum, includes my stated gender as well as the name I chose for my profile. Not only does this conflict with the statement that “You can control the privacy of the content that appears in your profile tabs”; it also directly conflicts with Google+’s Privacy Policy.

One great feature of Google+ is that it has a ‘Send feedback’ button in the bottom right-hand corner of the interface. I was sure to send off some feedback about this conflict – but not before I had a chance to post about it on Google+ and Twitter. To my surprise, on Friday Morning (~8am, +10 GMT), less than 48 hours since I sent my feedback, I noticed that it was now possible to hide Gender from public profiles! I received no reply (hey, they’re probably quite busy this week!) so I can’t be certain this is a result of my work, but I like to think it could have been.

(EDIT: Apparently this change may more likely be a result of a previous campaign, helped by a widely discussed post from Randall Munroe.  Though there is no mention of the Privacy Policy conflict.)

Another issue here is that, because Gender is mandatory – there is no ‘opt-out’ – and, by default, profiles are optimised for search engine results, all users give permission for their stated Gender to be associated with their chosen profile name – at least at the initial stage – and for this to be accessed and archived by search engines. I can’t test for certain without creating a new account, but I suspect Gender is likely set to public by default. If so, despite them making its visibility alterable, I still feel this is a potential privacy issue.

(It should probably be noted that Facebook is worse in dealing with new user data. Names, gender, birthday and email addresses are public by default, and thus allowable to be used by third-party entities. All the information you provide Facebook during registration is ‘post-opt-out’, a term I plan to write about soon.)

I feel systems such as this should be privacy by default. I feel all publication of personal details should be opt-in. I don’t know if this would be considered a good business model, though, so I’m not holding my breath for corporate players to adopt better practices in this regard. Privacy is still not a large enough issue for that to happen.

Google+ good – Privacy Policy

Google certainly wins points when it comes to simply explaining what it does with user data, and in making it simple to understand how to customise privacy settings. (Though I’m an experienced ‘power user’, so not everyone would feel this is as clear as I do.) However, as Google+ is in very early days, it’s unfair to compare this to Facebook and the regular changes made to its privacy settings. Still, the Google+ package doesn’t have to deal with third-party applications and advertisers (at least ones not already part of Google) so it has a much easier job in this regard.

For now, at least. There is already speculation that Google+ may incorporate other features such as third-party games and applications.

Google – the bad and the ugly

I trust Google to use my data in a way I have consented to. I trust them not to change privacy settings in a way that leaves my personal information temporarily vulnerable. But at the same time, I’m very conscious that the system is there to collect information about me that will be used for marketing purposes. Though I recognise that I’ve registered for a ‘free’ service from a company that needs to make money, reminders about the business relationship we have make me feel uncomfortable.

I was surprised to see recently that pseudonyms are not allowed on Google+ profiles. Facebook does something similar and Mark Zuckerberg has publicly stated it is because accountability guides people to act nicer on the Internet. When people hide behind an anonymous identity they are more likely to act like arseholes to each other. While this may be a correct (though simplistic) observation, there is a strong privacy case for using pseudonyms.

Again, livejournal is a great example here. The system allows users to create an identity that links back to their meatspace identity as much or as little as they like – technical experience permitting. Users may also create multiple identities to better hide interests and, say, membership to support communities from other online friends. When a user loses interest in the content discussed in particular communities, they may leave at any time without their actions being easily attributable back to them in meatspace. My five years as a Sailor Moon fan*, taking part in public discussion with a secret identity can be safely ignored, believed never to come back and haunt me when I run for president.

Google and Facebook, on the other hand, rely on ‘real’ names. This has obvious marketing potential. But it also has not-quite-as-obvious ramifications for identity. Jacob Appelbaum has stated, “Everything you do on the Internet paints a picture that tells a story about you tomorrow.” This is a great quote I keep coming back to because it helps highlight the relation between contemporary action and future ramifications. While it can be argued that all online actions can be tracked back to their source, Facebook and Google make this simple. If I used Facebook rather than livejournal when I expressed my love for the world of Sailor Moon, I’d have that associated with my real name forever. Now imagine how much more concerning this situation is when we start discussing mental health support groups or discussions about illegal actions.

Eric Schmidt once suggested teenagers change their names when they turn eighteen to distance themselves from their youthful hijinks. Realistically, though, a name change is not enough to bury your online activities from anyone if you used your real name to begin with.

But perhaps my biggest issue with Google+ is that it’s ‘like Facebook, but better!’ It’s a step forward in terms of user privacy, but it’s not actually a big step. We’re still being asked to allow a walled garden to mediate our social interaction so they can make money from our personal details through advertising. On the one hand, Google could have done much better and released something revolutionary. On the other hand, this could never have happened if it needed to consider the profitability of such a system. It doesn’t make good business sense to allow Google+ users to easily communicate with other social media platforms.

And this is where we stand. No closer to seeing the mass adoption of a federated social media system that grants users complete control over who holds their data, “just as you now choose your e-mail provider, and yet still connect with friends who use other services.” (Ariel Bleicher, “The Making of Diaspora”)

Also, Google+ does not (yet?) use nested comments. So that’s an automatic minus fifty points from Googfyndor!


Google+ is better than Facebook for various reasons, mostly to do with user privacy. Facebook is still better in practice because Google+ doesn’t have the large user adoption – yet.

But I still don’t like the shared, basic premise of either system. I’ll definitely play around with Google+ for a while longer, and keep submitting feedback every five minutes when I have an idea for improvement (sorry, extremely busy Google developers – it’s just that you’ve got a button right there and it tempts me so!), but I’m going to continue using email to have conversations and organise social engagements because it’s easier, safer, and (among the people I associate with) email raises fewer problems of accessibility.

Until I can use a service to communicate with everyone without requiring them to join a new, commercial service that may not be around forever, it is a broken social networking system.

* I’m only kidding**.

** . . . Or am I? Perhaps that is the point!

What’s in a blog name

I’m terrible at naming things.  There’s a lot about the arbitrary nature of names that makes me uncomfortable, and the part of me that does believe they can have positive value can never be satisfied that a name is ‘just right’ for its use.

In short: I’m a perfectionist, and a philosopher.  (A terrible pair of traits to have!)

So when it came to starting a new blog I loved the fact that I could just start writing in WordPress and change its name later on.  I could produce posts and easily move it to a different address once I think of the perfect handle!  I started with my real name because, while boring, it’s just a simple, obvious place to begin.  As long as I don’t care about anonymity it’s a good way to use an existing brand in a new setting.  But I also feel my real name is an inadequate representation for who I am.  Yes, its meaning grew with my actions, but it encompasses the sum total of these actions over my lifetime.  I wanted something else, something that represented who I am right now.  The easiest way to do that is to start from scratch, create a new pseudonym and just start participating.

One of my best qualities is that I am quite good with puns.  While this helps with picking out a cool name, I encountered issues of relevance and originality.  My first new blog from last year was called ‘eTheChange‘ (it’s still alive), a take on the oft-quoted Gandhi phrase, and this wasn’t too bad except that I felt limited in content.  I would happily write about activism and social change using digital media (my research focus in 2010) but anything else just felt out of place.  I then recently began a new blog with the working name ‘dailyontology’.  It sounds like paleontology (I wanted to dedicate my life to this when I was young, like every other kid) and I could use it to post about my own, daily existence (or something).  Still, I wasn’t happy with it – not everyone understands what ontology means, and I didn’t want to suggest that I’d post daily.

Then, reading some Asimov the next week, I thought I could use the pseudonym ‘andrewoid’!  Robotics is cool, and my first name is Andrew . . . but it made me worry that it created associations between me and a particular mobile operating system by Google that I have never actually seen let alone have a well informed opinion on.  And it appears a few others are using the name already on various social media sites.  I know it’s becoming increasingly difficult to have a simple and original name, but I didn’t want to encroach on somebody else’s established brand.

The next day I came up with the best name so far: ‘threadpoet’!  But this didn’t feel relevant to my planned content unless I got back into regular sewing projects.  I’ll happily settle altering it for a sewing group name, however: ‘The Thread Poet Society’!

The final, and current name comes from a conversation I was part of.  A friend was recounting an adventure that led them to a park bench where they were subjected to the not-so-modest actions of very public pigeons.  Being especially quick that day I said, ‘They were exhipigeonists!’

It didn’t immediately seem right for a blog name, but it began to grow on me.  I’m researching networked publics and I’m making an effort to be more open than I have been in the past, so it actually had some relevance.  And besides, doesn’t everybody like birds?  (And didn’t they used to be dinosaurs?!)  The final persuasion came when I did a quick google search for ‘exhipigeonist’ and it came up with zero results!

I think I’m set on it, at least for the time being.  The name’s not as important as what you do with it.  And even if it’s not ‘just right’, my actions will inform a new identity around it, forcing it to cohere.

So the next big question is where to begin.  Luckily, I already have a list of topics!

A few quick notes on passwords and security

I recently read through Thomas Baekdal’s ‘The Usability of Passwords’, a great piece on the relative strength of passwords under various methods of hacking attacks. (Also check out the updated FAQ!) Rather than seeing mixed case passwords with random symbols as the epitome of secure, we find that, in fact, passwords “can be made both highly secure and user-friendly”.

The 3 common word password ‘this is fun’ can last 2537 years under a common word attack. In contrast, the 6 random character, mixed case, symbol and number password ‘J4fS<2’ only lasts up to 219 years under a brute force attack. Obviously, the difference between them is negligible in practice – how long can such attempts realistically proceed before being noticed and stopped? – but the point is that being forced to use the latter within various IT services is partially unjustified. (I say ‘partially’ because some people would still use ‘god’, one of the top-five most common passwords according to Hackers, if given the opportunity.)

So, really, there’s not too much need for an ‘Ultra High Security Password Generator‘. Yeah, it’s a secure password, but it’s probably more secure in practice to have a random set of words you remember than to require a written down (or typed!) string of 63/64 characters you need to have constantly accessible (read: actually not secure).

Relevant side note: incorporating complex rules for passwords (at least one vowel, up to three digits, two consonants in the second half of the alphabet, two letters that rhyme with but don’t appear within eight places of ‘J’ in the alphabet, &c) actually makes a password less secure because there exist (publicised) rules to limit the iterations needed for cracking. This is why I felt smugly but probably irrationally secure using my original 6-character password for my old Hotmail account years after they revised the password requirements to 8-characters minimum – if it was a password that did not comply with the rules, then it would probably not be attempted. Yeah, I was probably naive, but the account is closed now so w’evs.
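The arithmetic behind the two paragraphs above, as an added example (not code from this post or from Baekdal's article): it sizes the search space for a word phrase, a random string, and a string constrained by composition rules, then converts each to worst-case guessing time. The 100 guesses per second, 20,000-word dictionary and 94-character alphabet are assumptions chosen here because they reproduce the 2537- and 219-year figures quoted above; the offline rate and the four-class rule are constructed for comparison.

```python
"""Added example: search-space arithmetic behind password-strength figures."""
from itertools import combinations

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed parameters (not stated on the page); they reproduce its figures.
ONLINE_GUESSES_PER_SECOND = 100   # throttled guessing against a login form
COMMON_WORDS = 20_000             # size of the "common word" dictionary
# Printable ASCII without the space character: 94 symbols in four classes.
PRINTABLE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

# Constructed figure: guessing against stolen hashes of a fast algorithm.
OFFLINE_GUESSES_PER_SECOND = 10**10


def random_string_space(length, alphabet_size):
    """Number of candidate strings of exactly `length` characters."""
    return alphabet_size ** length


def word_phrase_space(words, dictionary_size):
    """Number of phrases of `words` dictionary words (fixed separator)."""
    return dictionary_size ** words


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate once."""
    return space / guesses_per_second


def years_to_exhaust(space, guesses_per_second):
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def space_with_required_classes(length, classes):
    """Count strings that contain at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two, and so on.
    """
    total = sum(classes.values())
    sizes = list(classes.values())
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def rule_fraction(length, classes):
    """Share of the unrestricted space that survives the composition rule."""
    unrestricted = random_string_space(length, sum(classes.values()))
    return space_with_required_classes(length, classes) / unrestricted


def report():
    """Return the comparison as a dict so callers can inspect or print it."""
    phrase = word_phrase_space(3, COMMON_WORDS)          # e.g. 'this is fun'
    random6 = random_string_space(6, sum(PRINTABLE.values()))  # e.g. 'J4fS<2'
    return {
        "phrase_years_online": years_to_exhaust(
            phrase, ONLINE_GUESSES_PER_SECOND),
        "random6_years_online": years_to_exhaust(
            random6, ONLINE_GUESSES_PER_SECOND),
        "phrase_seconds_offline": seconds_to_exhaust(
            phrase, OFFLINE_GUESSES_PER_SECOND),
        "random6_seconds_offline": seconds_to_exhaust(
            random6, OFFLINE_GUESSES_PER_SECOND),
        # 8 characters, all four classes mandatory (constructed rule).
        "rule_fraction_8_chars": rule_fraction(8, PRINTABLE),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:26s} {value:,.2f}")
```

The year-scale figures hold only for throttled online guessing; at the constructed offline rate both spaces are exhausted in under an hour. A published composition rule lets a guesser skip every non-compliant candidate, which for this four-class rule is a little over half of the 8-character space.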

A few days ago I was also linked to a PC World article that talked about Google’s new(ish), optional two-step login process. I don’t know why I wasn’t aware of this earlier! The standard authentication model relies on “something you know–and that something is often easily guess[ed], cracked, or otherwise compromised”. Google’s two-step login, however, requires two pieces of information, “both something you know–your username and password–and something that only you should have–your phone”. Every time I go to a new computer and log into Google I have to type my password and also include content from a text message they send to my mobile. On my work and home computers I just need to go through this process again every 30 days – an added security measure just in case I accidentally leave myself logged on at another computer.

A bonus side-effect of this added step is that I can change my Google password to something more fun – like ‘fluffy bunnies’ – and not concern myself with the associated, potential security risks! (Of course, I probably shouldn’t now that I’ve said it publicly. Damn you, blog readers!)

If anyone out there is interested in setting this up, you can find instructions on the gmail blog.

Anyone have annoying password anecdotes to share?