Along with a fair amount of other tech journalists, I got an advance on Google’s announcement Monday of changes to warn Chrome users about exposed, reused or easily-guessed passwords. Having seen how a similar feature in the 1Password password manager has helped make me less stupid about site logins, I think this is a good move by Google. But I also expect that many users will freak out when they see Chrome telling them that their password has been compromised in a data breach.
10/3/2019: Twitter suspensions in Egypt, Al Jazeera
I appeared on the Arabic-language news channel to talk about reports of Egyptian dissidents’ Twitter accounts being suspended. My take: Twitter has a serious problem with being fooled by coordinated, bad-faith campaigns to get accounts suspended for alleged-but-not-real violations of Twitter’s rules. The anchor then asked why Twitter hadn’t answered AJ’s questions, and I said that most social-media companies are chronically bad at explaining their own decisions. Many have hangups with just speaking on the record.
After several years using the same password-manager service–and then paying for its premium version–I’ve spent the last few weeks trying an alternative.
I can credit a sales pitch that included the italicized phrase “completely free” for this departure: 1Password’s offer of a free membership to journalists, in celebration of World Press Freedom Day this May 3. But I was also overdue to spend some time in a password manager besides LastPass.
So far, I’m impressed by the elegance of the interface but a little put off by how persnickety 1Password can be to set up. You don’t just create a username and password, you also have to type in a complex and random secret key to get going.
This time has also surfaced one thing I don’t like: an incomplete approach to two-step verification that seems to require choosing between running an authenticator app on your smartphone or employing a weird Yubikey implementation that requires running a separate app instead of just plugging a standard USB security key. That’s no better than LastPass’s inflexible notion of two-step verification.
I’d like to see 1Password improve that and support the WebAuthn standard for security-key confirmation. But I’m prepared to give them some time, based on everything else I’ve seen so far.